[CERT-daily] Tageszusammenfassung - Montag 9-11-2015

Mon Nov 9 18:15:23 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 06-11-2015 18:00 − Montag 09-11-2015 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

*** ICYMI: Widespread Unserialize Vulnerability in Java, (Mon, Nov 9th) ***
---------------------------------------------
On Friday, a blog post from Fox Glove Security was posted that details a widespread Java unserialize vulnerability that affects all the major flavors of middleware (WebSphere, WebLogic, et al). There is a lot of great details, including exploitation instructions for pentesters, in the post so go take a look. It didnt get much press because admittedly its complicated to explain. It also doesnt have a logo.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20353&rss


*** SSH-Client PuTTY 0.66 schließt Sicherheitslücke ***
---------------------------------------------
Die neue Version des SSH- und Telnet-Clients bringt ein paar kleine Verbesserungen und Fehlerkorrekturen. Zudem wurde eine Sicherheitslücke geschlossen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/SSH-Client-PuTTY-0-66-schliesst-Sicherheitsluecke-2911302.html?wt_mc=rss.ho.beitrag.rdf


*** Gratis-WLAN: Welche Risiken es gibt und wie man sich schützt ***
---------------------------------------------
Ein öffentliches Netzwerk ist praktisch, Nutzer sollten sich aber nicht blindlings einloggen
---------------------------------------------
http://derstandard.at/2000025293625


*** Guide to application whitelisting ***
---------------------------------------------
The National Institute of Standards and Technology (NIST) has published a guide to deploying automated application whitelisting to help thwart malicious software from gaining access to organizations' computer systems.
---------------------------------------------
http://www.net-security.org/secworld.php?id=19079


*** Dangerous bugs leave open doors to SAP HANA systems ***
---------------------------------------------
The most serious software flaws ever have been found in SAPs HANA platform, the in-memory database platform that underpins many of the German companys products used by large companies.Eight of the flaws are ranked critical, the highest severity rating ...
---------------------------------------------
http://www.cio.com/article/3003054/dangerous-bugs-leave-open-doors-to-sap-hana-systems.html#tk.rss_security


*** Vbulletin 5.1.X Unserialize Preauth RCE Exploit ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015110060


*** Ransomware meets CMS / Linux ***
---------------------------------------------
Ransomware am PC gibt es schon seit Jahren: Die Malware sperrt/verschlüsselt den infizierten PC und verlangt Lösegeld dafür, damit der User weiterarbeiten kann.Dass schlecht gewartete Webseiten mit Joomla, Wordpress, Drupal & co ein Fressen für Hacker sind, ist auch nichts neues. Wir sehen regelmäßig Wellen an Defacements und Exploitpacks, wenn mal wieder jemand das Ausnutzen einer Web-Schwachstelle automatisiert.
---------------------------------------------
http://www.cert.at/services/blog/20151109095947-1618.html


*** Google AdWords API client libraries - XML eXternal Entity Injection (XXE) ***
---------------------------------------------
Confirmed in googleads-php-lib <= 6.2.0 for PHP, AdWords libraries: googleads-java-lib for Java, and googleads-dotnet-lib for .NET are also likely to be affected.
---------------------------------------------
http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt


*** Closing the Open Door of Java Object Serialization ***
---------------------------------------------
If you can communicate with a JVM using Java object serialization using java.io.ObjectInputStream, then you can send a class that can execute commands against the OS from inside of the readObject method, and thereby get shell access. Once you have shell access, you can modify the Java server however you feel like. This is a class of exploit called 'deserialization of untrusted data', aka CWE-502. It's a class of bug that has been encountered from Python, PHP, and from Rails.
---------------------------------------------
https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/


*** Protecting Windows Networks - Defeating Pass-the-Hash ***
---------------------------------------------
Pass-the-hash is popular attack technique to move laterally inside the network that relies on two components - the NTLM authentication protocol and ability to gain password hashes. This attack allows you to log in on the systems via stolen hash instead of providing clear text password, so there is no need to crack those hashes. To make use of this attack, attacker already has to have admin rights on the box, which is a plausible scenario in a modern "assume breach" mindset.
---------------------------------------------
https://dfirblog.wordpress.com/2015/11/08/protecting-windows-networks-defeating-pass-the-hash/


*** Security Notice - Statement about Path Traversal Vulnerability in Huawei HG532 Routers Disclosed by CERT/CC ***
---------------------------------------------
It is confirmed that some customized versions of Huawei HG532, HG532e, HG532n, and HG532s have this vulnerability. Huawei has prepared a fixed version for affected carriers and is working with them to release the fixed version.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/hw-460507.htm


*** No surprise here: Adobes Flash is a hackers favorite target ***
---------------------------------------------
Adobe Systems Flash plugin gets no love from anyone in the security field these days. A new study released Monday shows just how much it is favored by cybercriminals to sneak their malware onto computers.
---------------------------------------------
http://www.cio.com/article/3002668/no-surprise-here-adobes-flash-is-a-hackers-favorite-target.html#tk.rss_security


*** Joomla CMS - Bad Cryptography - Multiple Vulnerabilities ***
---------------------------------------------
heres a complete enumeration of what Ive found:
- JCrypt: Silent fallback to a weak, userspace PRNG (which is very bad for cryptography purposes)
- JCryptCipherSimple: Homegrown weak cipher (XOR-ECB)
- JCryptCipher: Chosen ciphertext attacks (no authentication)
- JCryptCipher: Data corruption / padding oracle attack
- JCryptCipher: Static IV for CBC mode (stored with JCryptKey under the misnomer property, "public") -- this sort of defeats the purpose of using CBC mode
- JCryptPasswordSimple: PHP Non-Strict Type Comparison (a.k.a. Magic
Hash vulnerability)
---------------------------------------------
http://www.openwall.com/lists/oss-security/2015/11/08/1


*** HTTP Evasions Explained - Part 7 - Lucky Numbers ***
---------------------------------------------
This is part seven in a series which will explain the evasions done by HTTP Evader. This part will be about using the wrong or even invalid status codes to evade the analysis. For 30% of the firewalls in the tests reports Ive got it is enough to use a status code of 100 instead of 200 to bypass analysis and at least Chrome, IE and Edge will download the data even with this wrong status code:
---------------------------------------------
http://noxxi.de/research/http-evader-explained-7-lucky-number.html


*** Security Advisory: Linux kernel vulnerability CVE-2014-9419 ***
---------------------------------------------
F5 Product Development has assigned ID 530413 (BIG-IP), ID 530553 (BIG-IQ), ID 530554 (Enterprise Manager), ID 520651 (FirePass), ID 461496 (ARX), and INSTALLER-1299 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17551.html?ref=rss


*** IBM Security Bulletins ***
---------------------------------------------
*** Vulnerabilities in Qemu affect PowerKVM (Multiple Vulnerabilities) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022875
---------------------------------------------
*** IBM Smart Analytics System 5600 is affected by vulnerabilities in IBM GPFS (CVE-2015-4974, CVE-2015-4981) ***
http://www.ibm.com/support/docview.wss?uid=swg21969198
---------------------------------------------
*** Authentication Bypass vulnerability found in IBM Sterling B2B Integrator (CVE-2015-5019) ***
http://www.ibm.com/support/docview.wss?uid=swg21967781
---------------------------------------------
*** IBM Smart Analytics System 5600 is affected by a vulnerability in BIND (CVE-2015-5722) ***
http://www.ibm.com/support/docview.wss?uid=swg21964962
---------------------------------------------
*** Vulnerability in Net-SNMP affects PowerKVM (CVE-2015-5621) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022903
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management, and IBM Emptoris Services Procurement. ***
http://www.ibm.com/support/docview.wss?uid=swg21969875
---------------------------------------------
*** Multiple OpenSSL Vulnerabilities affect IBM WebSphere MQ 5.3 on HP NonStop (CVE-2015-1788) (CVE-2015-1789) (CVE-2015-1791) ***
http://www.ibm.com/support/docview.wss?uid=swg21966723
---------------------------------------------
*** Multiple vulnerabilities in IBM Java Runtime affect Security Directory Integrator ***
https://www-304.ibm.com/support/docview.wss?uid=swg21969901
---------------------------------------------