[CERT-daily] Tageszusammenfassung - Donnerstag 28-04-2016

Thu Apr 28 18:16:12 CEST 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 27-04-2016 18:00 − Donnerstag 28-04-2016 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

*** Malware Takes Advantage of Windows "God Mode" ***
---------------------------------------------
Microsoft Windows has hidden an Easter Egg since Windows Vista. It allows users to create a specially named folder that acts as a shortcut to Windows settings and special folders, such as control panels, My Computer, or the printers folder. This "God Mode" can come in handy for admins, but attackers are now using this undocumented feature for evil ends. Files placed within one of these master control panel shortcuts are not easily accessible via Windows Explorer because the folders do...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/malware-takes-advantage-of-windows-god-mode/

*** VB2016 Call for Papers Deadline ***
---------------------------------------------
You have until the early hours (GMT) of Monday 21 March to submit an abstract for VB2016! The VB2016 programme will be announced in the first week of April.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/03/vb2016-call-papers-deadline/

*** How broken is SHA-1 really? ***
---------------------------------------------
SHA-1 collisions may be found in the next few months, but that doesnt mean that fake SHA-1-based certificates will be created in the near future. Nevertheless, it is time for everyone, and those working in security in particular, to move away from outdated hash functions.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/03/how-broken-sha-1-really/

*** Firefox 46 Patches Critical Memory Vulnerabilities ***
---------------------------------------------
Mozilla released Firefox 46, which includes patches for one critical and four high-severity vulnerabilities, all of which can lead to remote code execution.
---------------------------------------------
http://threatpost.com/firefox-46-patches-critical-memory-vulnerabilities/117698/

*** DNS and DHCP Recon using Powershell, (Thu, Apr 28th) ***
---------------------------------------------
I recently had a client pose an interesting problem. They wanted to move all their thin clients to a separate VLAN. In order to do that, I needed to identify which switch port each was on. Since there were several device vendors involved, I couldnt use OUI portion of the MAC. Fortunately, they were using only a few patterns in their thin client hostnames, so that gives me an in. Great you say, use nmap -sn, sweep for the names, get the MAC addresses and map those to switch ports - easy right?
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20995&rss

*** Time for a patch: six vulns fixed in NTP daemon ***
---------------------------------------------
Whats the time? Its time to get ill. Unless you fix these beastly flaws Cisco has turned over a bunch of Network Time Protocol daemon (ntpd) vulnerabilities to the Linux Foundations Core Infrastructure Initiative.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/28/time_for_a_patch_six_vulns_fixed_in_ntp_daemon/

*** Handling security bugs, vulnerable infrastructure and a range of DDoS attacks: 22nd MELANI semi-annual report ***
---------------------------------------------
In the second half of 2015, there were once again some spectacular cyber-related incidents worldwide. These were primarily DDoS attacks, phishing attacks and attacks on industrial control systems. Published today, the 22nd MELANI semi-annual report features handling security vulnerabilities as its key topic.
---------------------------------------------
https://www.melani.admin.ch/melani/en/home/dokumentation/newsletter/semi-annual_report-2-2015.html

*** Binary Webshell Through OPcache in PHP 7 ***
---------------------------------------------
In this article, we will be looking at a new exploitation technique using the default OPcache engine from PHP 7. Using this attack vector, we can bypass certain hardening techniques that disallow the file write access in the web directory. This could be used by an attacker to execute his own malicious code in a hardened environment.
---------------------------------------------
http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/

*** Kaspersky DDoS Intelligence Report for Q1 2016 ***
---------------------------------------------
In Q1, resources in 74 countries were targeted by DDoS attacks. China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days).
---------------------------------------------
http://securelist.com/analysis/quarterly-malware-reports/74550/kaspersky-ddos-intelligence-report-for-q1-2016/

*** Cyber Security Lecture given by Mozilla ***
---------------------------------------------
May 09, 2016 - 4:00 pm - 6:30 pm TU Wien Karlsplatz 13 1040 Wien 

Let’s Encrypt (J.C. Jones)
You can’t build a secure website without having a certificate, and getting a certificate is one of the hardest parts of setting up a secure website. Mozilla helped start up Let’s Encrypt to make getting a certificate easier and promote the security of the Web. In 16 months, Let’s Encrypt went from an idea...

Mozilla Security (Richard Barnes)
The Web is arguably the single largest platform for applications in the world. Securing a Web browser requires security expertise from across the field, including low-level program internals, network security, language design, and access controls. In this talk, we will discuss some of the critical Web...
---------------------------------------------
https://www.sba-research.org/events/cyber-security-lecture-given-by-mozilla/

*** PCI DSS 3.2 is out: What's new? ***
---------------------------------------------
The Payment Card Industry Security Standards Council has published the latest version of PCI DSS, the information security standard for organizations that handle customer credit cards. Changes and improvements in PCI DSS 3.2 include: Multi-factor authentication will be required for all administrative access into the cardholder data environment. Previously, use of multi-factor authentication was only a must when it was accessed remotely, by an untrusted user/device. This will not impact...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/28/pci-dss-3-2-whats-new/

*** Cisco Finds Backdoor Installed on 12 Million PCs ***
---------------------------------------------
UPDATED. Cisco's Talos security intelligence and research group has come across a piece of software that installed backdoors on 12 million computers around the world.
---------------------------------------------
http://www.securityweek.com/cisco-finds-backdoor-installed-12-million-pcs

*** Forthcoming OpenSSL releases ***
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2h, 1.0.1t. These releases will be made available on 3rd May 2016 between approximately 1200-1500 UTC. They will fix several security defects with maximum severity "high".
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-April/000069.html

*** VMSA-2015-0007.4 ***
---------------------------------------------
VMware vCenter and ESXi updates address critical security issues.
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0007.html

*** Bugtraq: CVE-2015-5207 - Bypass of Access Restrictions in Apache Cordova iOS ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538213

*** sol93532943: SSHD session.c vulnerability CVE-2016-3115 ***
---------------------------------------------
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. (CVE-2016-3115)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/93/sol93532943.html?ref=rss

*** sol52349521: OpenSSL vulnerability CVE-2016-2842 ***
---------------------------------------------
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799. (CVE-2016-2842)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/52/sol52349521.html?ref=rss

*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Application Policy Infrastructure Controller Enterprise Module Unauthorized Access Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-apic
---------------------------------------------
*** Cisco WebEx Meetings Server Open Redirect Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-cwms
---------------------------------------------
*** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: April 2016 ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd
---------------------------------------------

*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba - including Badlock - Transformation Extender Hypervisor Edition ***
http://www.ibm.com/support/docview.wss?uid=swg21981057
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba including Badlock - affect IBM OS Images for Red Hat Linux Systems. ***
http://www.ibm.com/support/docview.wss?uid=swg21982097
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba, including Badlock, affect IBM i ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021296
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in php5 affect IBM Flex System Manager (FSM) (CVE-2015-6836, CVE-2015-6837, CVE-2015-6838) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023641
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ISC BIND and Samba - including Badlock - affect IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21979985
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilitiesin gnutls affect IBM Flex System Manager(FSM) (CVE-2015-2806, CVE-2015-8313) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023642
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in openLDAP affects IBM Flex System Manager(FSM) (CVE-2015-6908) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023640
---------------------------------------------
*** IBM Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server for Bluemix if FIPS 140-2 is enabled (CVE-2016-0306) and multiple vulnerabilities in Samba - including Badlock (CVE-2016-2118) ***
http://www.ibm.com/support/docview.wss?uid=swg21982128
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux ***
http://www.ibm.com/support/docview.wss?uid=swg21981752
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition ***
http://www.ibm.com/support/docview.wss?uid=swg21980826
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities exist with Oracle Outside In Technology (OIT) in IBM FileNet Content Manager and IBM Content Foundation. ***
http://www.ibm.com/support/docview.wss?uid=swg21975822
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - Jan 2016 - Includes Oracle Jan 2016 CPU + 3 IBM CVEs affects IBM Algorithmics One Core, Algo Risk Application, and Counterparty Credit Risk ***
http://www.ibm.com/support/docview.wss?uid=swg21981333
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in SQLite affects IBM Security Access Manager for Web (CVE-2015-3416) ***
http://www.ibm.com/support/docview.wss?uid=swg21981270
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in RSOC_APP_01 Frameable Response Potential Clickjacking (CSRF) affects IBM Algorithmics Algo Risk Application - CVE-2016-0207 ***
http://www.ibm.com/support/docview.wss?uid=swg21981322
---------------------------------------------