[CERT-daily] Tageszusammenfassung - Mittwoch 11-03-2015

Wed Mar 11 18:13:16 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 10-03-2015 18:00 − Mittwoch 11-03-2015 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Inside the EquationDrug Espionage Platform ***
---------------------------------------------
EquationDrug represents the main espionage platform from the Equation Group. It's been in use for over 10 years, replacing EquationLaser until it was itself replaced itself by the even more sophisticated GrayFish platform.
---------------------------------------------
http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/


*** DroppedIn: Remotely Exploitable Vulnerability in the Dropbox SDK for Android ***
---------------------------------------------
The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim's knowledge or authorization. This is a serious flaw in the authentication mechanism within any Android app using a Dropbox SDK Version 1.5.4 through 1.6.1 (note: this vulnerability was resolved in Dropbox SDK for Android v1.6.2).
---------------------------------------------
http://securityintelligence.com/droppedin-remotely-exploitable-vulnerability-in-the-dropbox-sdk-for-android


*** Unpatched security vulnerabilities affecting Facebook ***
---------------------------------------------
A web security researcher from Portugal has discovered several vulnerabilities affecting Facebook that he considers to be serious, but hasnt had much success convincing the company of that, so he sha...
---------------------------------------------
http://www.net-security.org/secworld.php?id=18069


*** Reconnect tool for hacking Facebook is publicly available ***
---------------------------------------------
The security expert Egor Homakov from Sakurity firm has released the Reconnect tool that allows hackers to hijack accounts on sites that use Facebook logins. The security expert Security Egor Homakov has developed a hacking tool dubbed Reconnect that exploit a flaw in Facebook to hijack accounts on sites that use Facebook logins. Homakov, with works for...
---------------------------------------------
http://securityaffairs.co/wordpress/34705/hacking/reconnect-hacking-facebook.html


*** DDoS on UPNP Devices ***
---------------------------------------------
Denial of service (DOS) attack is an attempt to make a machine or a network resource unavailable to its users. It basically consists of methods to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet, and these attacks are sent by one person or a system. One common method of...
---------------------------------------------
http://resources.infosecinstitute.com/ddos-upnp-devices/


*** Full details on CVE-2015-0096 and the failed MS10-046 Stuxnet fix ***
---------------------------------------------
In early January 2015, researcher Michael Heerklotz approached the Zero Day Initiative with details of a vulnerability in the Microsoft Windows operating system. We track this issue as ZDI-15-086. Unless otherwise noted, the technical details in this blog post are based on his detailed research.
---------------------------------------------
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459


*** Threatglass has pcap files with exploit kit activity, (Tue, Mar 10th) ***
---------------------------------------------
Threatglassis a one way to find up-to-date examples of exploit kit traffic. Not all of it is exploit kit traffic, but all of it represents some sort of malicious activity. Threatglassdoesnt explain what type of traffic youre looking at from the pcaps the site provides. Letslook at a page from last week on Thursday, March 5th 2015 [1]. This one isexploit kit activity. In the image below, youll find a link to the packet capture in the lower right-hand corner" /> Download the pcap and open...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19433&rss


*** n00bs CTF Labs by Infosec Institute ***
---------------------------------------------
n00bs CTF (Capture the Flag) Labs is a web application presented by Infosec Institute. It has 15 mini Capture the Flag challenges intended for beginners and newbies in the information security field or for any average infosec enthusiasts who haven't attended hacker conventions yet. So what is a CTF? In hacker conventions, CTF or Capture...
---------------------------------------------
http://resources.infosecinstitute.com/n00bs-ctf-labs-infosec-institute/


*** Achtung: Panda-Virenscanner zerschießt Windows, nicht Neustarten! ***
---------------------------------------------
Die Antivirenschutz-Produkte von Panda Security haben wegen fehlerhaften Signaturen etliche Windows-Rechner lahm gelegt. Wer betroffen ist, soll die Füße still halten und das System nicht neu starten - da es unter Umständen nicht mehr hochfährt.
---------------------------------------------
http://heise.de/-2573233


*** Panda Antivirus: Gravierender Fehler im Virenscanner löscht Systemdateien ***
---------------------------------------------
Ein gravierender Fehler in Pandas Antivirensoftware kann unter Umständen zu einem vollkommen unbrauchbaren System führen. Panda bestätigt das Problem. Golem.de hat erste Hinweise erhalten, wie der Fehler zu stoppen ist. (Virenscanner, Applikationen)
---------------------------------------------
http://www.golem.de/news/panda-antivirus-gravierender-fehler-im-virenscanner-loescht-systemdateien-1503-112903-rss.html


*** Doctor Web: February 2015 virus activity review ***
---------------------------------------------
March 4, 2015 The shortest month of the year had its share of new malware. In early February, Doctor Web security researchers finished examining a complex multi-purpose malicious program for Linux, while at month's end, they published the results of their analysis of a new version of a backdoor for Mac OS X. As before, malicious programs for Android remained active throughout the month.  PRINCIPAL TRENDS IN JANUARY New Linux Trojans Virus makers are still showing an interest in Mac OS X.
---------------------------------------------
http://news.drweb.com/show/?i=9316&lng=en&c=9


*** Ein Blick in die Zukunft der Handy-Malware ***
---------------------------------------------
Kaspersky hat eine Analyse zu einer Android-Malware veröffentlicht, die zwar aktuell nur in Russland aktiv ist, aber einen Vorgeschmack gibt, was demnächst auch bei uns passieren könnte: Wichtige Punkte daraus: Das Teil ist inzwischen so modular und gut geschützt, wie typische Windows Malware Frameworks Es enthält Code zum Anmelden des Opfers bei diversen Premium-Services Dabei kann es automatisch...
---------------------------------------------
http://www.cert.at/services/blog/20150311102554-1454.html


*** DSA-3177 mod-gnutls - security update ***
---------------------------------------------
Thomas Klute discovered that in mod-gnutls, an Apache module providingSSL and TLS encryption with GnuTLS, a bug caused the servers clientverify mode not to be considered at all, in case the directorysconfiguration was unset. Clients with invalid certificates were thenable to leverage this flaw in order to get access to that directory.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3177


*** DSA-3182 libssh2 - security update ***
---------------------------------------------
Mariusz Ziulek reported that libssh2, a SSH2 client-side library, wasreading and using the SSH_MSG_KEXINIT packet without doing sufficientrange checks when negotiating a new SSH session with a remote server. Amalicious attacker could man in the middle a real server and cause aclient using the libssh2 library to crash (denial of service) orotherwise read and use unintended memory areas in this process.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3182


*** Manage Engine AD Audit Manager Plus Cross Site Scripting ***
---------------------------------------------
Topic: Manage Engine AD Audit Manager Plus Cross Site Scripting Risk: Low Text: # Title:- Reflected cross-site scripting(XSS) Vulnerability in Manage Engine AD Audit Manager Plus Admin Panel(Bui...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030060


*** tcpdump Denial Of Service / Code Execution ***
---------------------------------------------
Topic: tcpdump Denial Of Service / Code Execution Risk: High Text:Hi, please find tcpdump 4.7.2 source code at: http://www.ca.tcpdump.org/beta/tcpdump-4.7.2.tar.gz http://www.ca.tcpdu...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030064


*** Cisco Intrusion Prevention System MainApp Secure Socket Layer Denial of Service Vulnerability ***
---------------------------------------------
cisco-sa-20150311-ips
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150311-ips


*** Multiple Vulnerabilities in Cisco TelePresence Video Communication Server, Cisco Expressway, and Cisco TelePresence Conductor ***
---------------------------------------------
cisco-sa-20150311-vcs
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150311-vcs


*** IBM Security Bulletin: Multiple vulnerabilities fixed in Current Release of Liberty for Java for IBM Bluemix (CVE-2012-6153, CVE-2014-3577, CVE-2015-0178) ***
---------------------------------------------
2015-03-11T10:06:12-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21696864


*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities could, if exploited, allow ...
---------------------------------------------
http://support.citrix.com/article/CTX200484


*** HPSBNS03280 rev.1 - HP NonStop Servers running SAMBA, Remote Execution of Arbitrary Code ***
---------------------------------------------
A potential security vulnerability has been identified with HP NonStop Servers running SAMBA. The vulnerability could be exploited remotely resulting in execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04583668


*** HPSBUX03281 SSRT101968 rev.1 - HP-UX running Java7, Remote Unauthorized Access, Disclosure of Information and Other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04583581


*** USN-2524-1: eCryptfs vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2524-110th March, 2015ecryptfs-utils vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTS Ubuntu 10.04 LTSSummarySensitive information in encrypted home and Private directories could beexposed if an attacker gained access to your files.Software description ecryptfs-utils - eCryptfs cryptographic filesystem utilities  DetailsSylvain Pelissier discovered that eCryptfs did not generate a random
---------------------------------------------
http://www.ubuntu.com/usn/usn-2524-1/


*** USN-2522-3: ICU vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2522-310th March, 2015icu vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTSSummaryICU could be made to crash or run programs as your login if it processedspecially crafted data. Software description icu - International Components for Unicode library  DetailsUSN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the fontpatches caused a regression when using LibreOffice Calc. The patches havenow been updated
---------------------------------------------
http://www.ubuntu.com/usn/usn-2522-3/


*** VU#794095: Telerik Analytics Monitor Library allows DLL hijacking ***
---------------------------------------------
Vulnerability Note VU#794095 Telerik Analytics Monitor Library allows DLL hijacking Original Release date: 10 Mar 2015 | Last revised: 10 Mar 2015   Overview Telerik Analytics Monitor Library is a third-party application analytics service that collects detailed application metrics for vendors. Some versions of the Telerik library allow DLL hijacking, allowing an attacker to load malicious code in the context of the Telerik-based application.  Description CWE-114: Process ControlTelerik
---------------------------------------------
http://www.kb.cert.org/vuls/id/794095


*** WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7841