[CERT-daily] Tageszusammenfassung - Dienstag 30-06-2015

Tue Jun 30 18:15:21 CEST 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 29-06-2015 18:00 − Dienstag 30-06-2015 18:00
Handler:     Robert Waldner
Co-Handler:  n/a


*** Windows kerberos ticket theft and exploitation on other platforms ***
---------------------------------------------
I decided to take a look at how the kerberos tickets can be dumped from a Windows target and re-used on Linux. It was surprisingly easy to accomplish.
---------------------------------------------
https://mikkolehtisalo.wordpress.com/2015/06/29/copying-windows-kerberos-tickets-to-linux/


*** Why vulnerability disclosure shouldn't be a marketing tool ***
---------------------------------------------
So now we have three approaches to vulnerability disclosure: full disclosure, responsible disclosure, and marketing disclosure. My concern with the latter is that by its very nature it will get more coverage in both the IT industry and mainstream media. 
... 
In the cases where the vulnerability does affect the organization, the security team is called into action to remediate it, but this remediation may be based more on the impact the vulnerability has had on the news headlines rather than on the impact it actually may have on the environment, This results in already overstretched security teams being distracted from other core tasks.
---------------------------------------------
http://www.net-security.org/article.php?id=2318


*** DSA-3297 unattended-upgrades - security update ***
---------------------------------------------
It was discovered that unattended-upgrades, a script for automaticinstallation of security upgrades, did not properly authenticatedownloaded packages when the force-confold or force-confnew dpkg optionswere enabled via the DPkg::Options::* apt configuration.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3297


*** How Malware Campaigns Employ Google Redirects and Analytics, (Tue, Jun 30th) ***
---------------------------------------------
The email message sent to the bank employee claimed that the sender received a wire transfer from the recipients organization and that the sender wanted to confirm that the payment went through without issues. The victim was encouraged to click a link that many people would considersafe, in part because it began with https://www.google.com/.
How would you examine the nature of this email? Examining MSG and EML Files on Linux One way to analyze the suspicious message saved as an Outlook .msg file
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19843&rss


*** Tearing Apart a Datto ***
---------------------------------------------
Datto devices are becoming a popular backup solution for small to medium sized businesses. They are easy to use and well equipped out of the box. We recently found ourselves in an engagement where one of these devices was accessible via the LAN. Gaining access to backups is a bit of a goldmine during an assessment; unrestricted access to file shares, configuration information, extracting hashes from the NTDS.dit file, and a multitude of other things.
---------------------------------------------
http://silentbreaksecurity.com/tearing-apart-a-datto/


*** Vulnerability in Citrix NetScaler Application Deliver Controller and NetScaler Gateway Management Interface Could Result in Arbitrary Command Injection ***
---------------------------------------------
A vulnerability has been identified in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway Management Interface that could allow an authenticated malicious user to execute shell commands on the appliance.
CVE: CVE-2015-5080
---------------------------------------------
http://support.citrix.com/article/CTX201149


*** Viele Android-Geräte über Debugger angreifbar ***
---------------------------------------------
Über eine Schwachstelle im Debugger können Angreifer den Inhalt des Hauptspeichers von über 90 Prozent aller Android-Geräte auslesen und so weitere Attacken fahren.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Viele-Android-Geraete-ueber-Debugger-angreifbar-2731739.html?wt_mc=rss.ho.beitrag.rdf


*** Analyzing a Facebook Clickbait Worm ***
---------------------------------------------
Here at Sucuri we suspect everything, especially when your friends start to share content written in another language with clickbait headlines. 
If you are not familiar with the term, clickbait is when web content is created in a way that psychologically exploits the reader's curiosity using compelling headlines. When someone clicks on the article to read it, the service promoting the article generates online advertisement revenue.
---------------------------------------------
https://blog.sucuri.net/2015/06/analyzing-a-facebook-clickbait-worm.html


*** Vulnerabilities in Cisco products***
---------------------------------------------
Cisco Unified IP Phones 9900 Series Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39554
---------------------------------------------
Cisco Unified Communications Domain Manager Information Disclosure Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39557
---------------------------------------------


*** Vulnerabilities in IBM products***
---------------------------------------------
Security Bulletin: Vulnerabilities in libxml2 affect System Networking Products (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098306
---------------------------------------------
Security Bulletin: Vulnerabilities in OpenSSL affect Flex System FC3171 8Gb SAN Switch and Flex System FC3171 8Gb SAN Pass-thru (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098265
---------------------------------------------
Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Flex System Manager (FSM) SMIA Configuration Tool (CVE-2015-4000)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098403
---------------------------------------------
Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware. (CVE-2015-2808)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098314
---------------------------------------------
Security Bulletin: Vulnerability in RC4 stream cipher affects IBM System Networking RackSwitch (CVE-2015-2808)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098302
---------------------------------------------Security Bulletin: Vulnerability in RC4 stream cipher affects IBM BladeCenter Switches (CVE-2015-2808)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098303
---------------------------------------------
Security Bulletin: Multiple vulnerabilities in xorg-x11-server affect IBM Flex System Manger (FSM)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098372
---------------------------------------------
Security Bulletin: GNU C library (glibc) vulnerability affects IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware (CVE-2015-0235)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098317
---------------------------------------------
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098358
---------------------------------------------
Security Bulletin: Vulnerabilities in OpenSSL affect IBM System x, BladeCenter and Flex Systems Unified Extensible Firmware Interface (UEFI) (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098339
---------------------------------------------
IBM Security Bulletin: IBM SmartCloud Analytics - Log Analysis is affected by Open Source Python Vulnerability (CVE-2014-9365)
http://www.ibm.com/support/docview.wss?uid=swg21958936
---------------------------------------------
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Endpoint Manager for Remote Control
http://www.ibm.com/support/docview.wss?uid=swg21903374
---------------------------------------------
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect Tivoli Endpoint Manager for Remote Control.
http://www.ibm.com/support/docview.wss?uid=swg21903373
---------------------------------------------
IBM Security Bulletin: A vulnerability in cURL libcURL affects IBM Tivoli Composite Application Manager for Transactions (CVE-2014-8150)
http://www.ibm.com/support/docview.wss?uid=swg21697198
---------------------------------------------