[CERT-daily] Tageszusammenfassung - Dienstag 14-07-2015

Tue Jul 14 18:18:16 CEST 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 13-07-2015 18:00 − Dienstag 14-07-2015 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Been hacked? Now to decide if you chase the WHO or the HOW ***
---------------------------------------------
Imagine a security researcher has plucked your customer invoice database from a command and control server. Youre nervous and angry. Your boss will soon be something worse and will probably want you to explain who pulled off the heist, and how. But only one of these questions, the how, is worth your precious resources; security experts say the who is an emotional distraction.
---------------------------------------------
http://www.theregister.co.uk/2015/07/14/attribution_feature/


*** Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems ***
---------------------------------------------
Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets' systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running. They have written a procedure specifically for Insyde BIOS (a very popular BIOS vendor for laptops). However, the code can very likely work on AMI BIOS as well. A Hacking Team slideshow...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/


*** Lowering Defenses to Increase Security ***
---------------------------------------------
Starting at WhiteHat was a career change for me. I wasn't sure exactly what to expect, but I knew there was a lot of unfamiliar terminology: "MD5 signature", "base64", "cross-site request forgery", "'Referer' header", to name a few. When I started testing real websites, I was surprised that a lot of what I was doing...
---------------------------------------------
https://blog.whitehatsec.com/lowering-defenses-to-increase-security/


*** Adobe Updates Flash Player, Shockwave and PDF Reader, (Tue, Jul 14th) ***
---------------------------------------------
In a warm up to patch Tuesday, it looks like we have a new version for Adobe Flash Player, Shockwave Player and PDF Reader. Given that some of the exploits against the vulnerabilities patchedare public, you may want to expedite patching and review your Flash Player and browser configuration. the latest (patched) versions are (thanks Dave!): - FlashPlayer 18.0.0.209 - Flash Player EST 13.0.0.305 - Reader 10.1.15 - Reader 11.0.12 - Shockwave Player">12.1.9.159 Bulletins:
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19917&rss


*** Adobe: Look, honestly, we really do take Flash security seriously ***
*** Mozilla: Right, THATS IT. You, Flash, behind the shed with me. *snick snack* ***
*** FLASH MUST DIE, says Facebook security chief ***
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/adobe_response_to_security_holes/
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/firefox_blocks_flash/
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/facebook_flash_kill/


*** Security Bulletins Posted ***
---------------------------------------------
Security Bulletins for Adobe Acrobat and Reader (APSB15-15), Adobe Shockwave Player (APSB15-17) and Adobe Flash Player (APSB15-18) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1247


*** SSA-632547 (Last Update 2015-07-14): Authentication Bypass Vulnerability in SICAM MIC ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-632547.pdf


*** VU#919604: Kaseya Virtual System Administrator contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#919604 Kaseya Virtual System Administrator contains multiple vulnerabilities Original Release date: 13 Jul 2015 | Last revised: 13 Jul 2015   Overview Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities.   Description CWE-22: Improper Limitation of Pathname to a Restricted Directory (Path Traversal) - CVE-2015-2862Kaseya VSA is an IT management platform with a help desk ticketing
---------------------------------------------
http://www.kb.cert.org/vuls/id/919604


*** Cisco Vulnerability Alerts ***
---------------------------------------------

*** Cisco Identity Services Engine Cross-Frame Scripting Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39871

*** Cisco TelePresence Integrator C Series Multiple Request Parameter Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39880

*** Cisco Identity Services Engine Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39873

*** Cisco Unified Communications Manager Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39877

*** Cisco FireSIGHT Management Center Cross-Site Scripting Vulnerabilities ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39879

*** Cisco Unified Communications Manager ccmivr Page Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39905


*** IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us


*** Moodle Bugs Permit Cross-Site Scripting and Open Redirect Attacks and Let Remote Authenticated Users Modify Data ***
---------------------------------------------
http://www.securitytracker.com/id/1032877


*** F5 Security Advisory: Multiple PHP CDF vulnerabilities CVE-2014-0237 and CVE-2014-0238 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16954.html?ref=rss


*** DFN-CERT-2015-1009: Django: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1009/