[CERT-daily] Tageszusammenfassung - Donnerstag 11-08-2016

Daily end-of-shift report team at cert.at
Thu Aug 11 18:12:16 CEST 2016


=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 10-08-2016 18:00 − Donnerstag 11-08-2016 18:00
Handler:     Stephan Richter
Co-Handler:  n/a




*** Sicherheitsforscher kapern HTTP-Verbindungen von Linux ***
---------------------------------------------
Eine Schwachstelle im Linux-Kernel gefährdet TCP-Verbindungen. Unter bestimmten Voraussetzungen konnten sich Sicherheitsforscher in Verbindungen einklinken und diese etwa lahmlegen und sogar manipulieren.
---------------------------------------------
http://heise.de/-3292257




*** Bing.VC Hijacks Browsers Using Legitimate Applications ***
---------------------------------------------
Browser hijackers are a type of malware that modifies a web browser's settings without the user's permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/bing-vc-hijacks-browser-using-legitimate-applications/




*** Profiling SSL Clients with tshark, (Wed, Aug 10th) ***
---------------------------------------------
Cisco recently published a paper showing how malicious SSL traffic sometimes uses very specific SSL options. Once you know what set of SSL options to look for, you will then be able to identify individual pieces of malware without having to decrypt the SSL traffic. (and before anybody complains: SSL does include TLS. I am just old fashioned that way) I wanted to see how well this applies to HTTPS traffic hitting the ISC website. I collected about 100 MB of traffic, which covered client hello...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21361&rss




*** Python-based TLS tester tool ***
---------------------------------------------
We at Oulu University Secure Programming Group, OUSPG for short, have been developing a neat little gadget called TryTLS. It is a systematic tester tool that checks the safety of TLS libraries. We think we have something of value here, as certificate handling is a very complex and overlooked issue. The tool and info on how to get started can be found here: https://github.com/ouspg/trytls We would really value your input if you could think of some good backends, tests or other resources that...
---------------------------------------------
http://www.reddit.com/r/netsec/comments/4x1z36/pythonbased_tls_tester_tool/




*** Linux Trojan Mines For Cryptocurrency Using Misconfigured Redis Servers ***
---------------------------------------------
An anonymous reader writes: In another installment of "Linux has malware too," security researchers have discovered a new trojan that targets Linux servers running Redis, where the trojan installs a cryptocurrency miner. The odd fact about this trojan is that it includes a wormable feature that allows it to spread on its own. The trojan, named Linux.Lady, will look for Redis servers that dont have an admin account password, access the database, and then download itself on the new...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/WKFxUVtVPG0/linux-trojan-mines-for-cryptocurrency-using-misconfigured-redis-servers




*** CRIME, TIME, BREACH and HEIST: A brief history of compression oracle attacks on HTTPS ***
---------------------------------------------
The HEIST vulnerability was presented at Black Hat USA 2016 by Mathy Vanhoef and Tom Van Goethem. In this presentation, new techniques were presented that enhanced previously presented padding oracle attacks on HTTPS, making them more practical. In a padding oracle attack, the attacker has partial control of part of a message that contains secret information, and is compressed, then encrypted before being sent over the network. An example of this is a web page...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/11/compression-oracle-attacks-https/




*** Volkswagen-Hack: Mit dem Arduino 100 Millionen Autos öffnen ***
---------------------------------------------
Mit einem Arduino und Hardware im Wert von 40 US-Dollar lassen sich fast alle Modelle der VW-Gruppe aus den vergangenen 15 Jahren öffnen - sagen Sicherheitsforscher. Das Unternehmen hat die Lücke eingeräumt. 14 weitere Autohersteller sind betroffen.
---------------------------------------------
http://www.golem.de/news/hack-mit-dem-arduino-100-millionen-autos-oeffnen-1608-122641-rss.html




*** Road Warriors: Beware of "Video Jacking" ***
---------------------------------------------
A little-known feature of many modern smartphones is their ability to duplicate video on the devices screen so that it also shows up on a much larger display -- like a TV. However, new research shows that this feature may quietly expose users to a simple and cheap new form of digital eavesdropping. Dubbed "video jacking" by its masterminds, the attack uses custom electronics hidden inside what appears to be a USB charging station. As soon as you connect a vulnerable phone to the...
---------------------------------------------
http://krebsonsecurity.com/2016/08/road-warriors-beware-of-video-jacking/




*** EyeLock nano NXT 3.5 Remote Root Exploit ***
---------------------------------------------
EyeLocks nano NXT firmware latest version 3.5 (released 25.07.2016) suffers from multiple unauthenticated command injection vulnerabilities. The issue lies within the rpc.php script located in the /scripts directory and can be triggered when user supplied input is not correctly sanitized while updating the local time for the device and/or get info from remote time server. The vulnerable script has two REQUEST parameters timeserver and localtime that are called within a shell_exec() function for...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5357.php




*** EyeLock nano NXT 3.5 Local File Disclosure Vulnerability ***
---------------------------------------------
nano NXT suffers from a file disclosure vulnerability when input passed thru the path parameter to logdownload.php script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5356.php




*** EyeLock Myris 3.3.2 SDK Service Unquoted Service Path Privilege Escalation ***
---------------------------------------------
The application suffers from an unquoted search path issue impacting the service MyrisService for Windows deployed as part of Myris solution. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5355.php




*** Bugtraq: [CORE-2016-0006] - SAP CAR Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539180




*** SSA-378531 (Last Update 2016-08-11): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC Runtime Professional ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531.pdf




*** Security Advisory: BIG-IP file validation vulnerability CVE-2015-8022 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/12/sol12401251.html?ref=rss




*** Security Advisory: BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/10/sol10133477.html?ref=rss




*** Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the driver processing functions of Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a memory leak on the route processor (RP) of an affected device, which could cause the device to drop all control-plane protocols and lead to a denial of service condition (DoS) on a targeted system.The vulnerability is due to improper handling of crafted, fragmented packets that
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160810-iosxr




*** Cisco IP Phone 8800 Series Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web application of the Cisco IP Phone 8800 Series could allow an authenticated, remote attacker to perform a stored, cross-site scripting (XSS) attack.The vulnerability is due to insufficient sanitization of parameter values. An attacker could exploit this vulnerability by storing malicious code on a device and waiting for a user to access a web page that triggers execution of the code. An exploit could allow the attacker to execute arbitrary script code in the context of
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160810-ip-phone-8800




*** Cisco Connected Streaming Analytics Unauthorized Access Vulnerability ***
---------------------------------------------
A vulnerability in the administrative web interface of Cisco Connected Streaming Analytics could allow an authenticated, remote attacker to obtain sensitive information.The vulnerability is due to the inclusion of sensitive information in a server response when certain pages of the administrative web interface are accessed. An authenticated attacker who can view the affected configuration page of an affected system could obtain a service password used for event and report notification. This
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160810-csa




*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Redirect HTTP traffic vulnerability may affect IBM HTTP Server (CVE-2016-5387) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988019
---------------------------------------------
*** IBM Security Bulletin: IBM API Connect server credentials used for a specific restricted scenario may have been exposed (CVE-2016-3012) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988212
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Common Reporting (TCR) 2016Q2 Security Updater : IBM Tivoli Common Reporting is affected by multiple vulnerabilities ***
http://www-01.ibm.com/support/docview.wss?uid=swg21986669
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: IBM Connections Security Refresh for CVE-2016-0310 ***
http://www.ibm.com/support/docview.wss?uid=swg21988338
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Refresh for CVE-2016-0305, CVE-2016-0307,CVE-2016-0308 ***
http://www.ibm.com/support/docview.wss?uid=swg21986770
---------------------------------------------
*** IBM Security Bulletin: Flexara InstallShield vulnerability affects IBM Mobile Connect (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21986258
---------------------------------------------
*** IBM Security Bulletin: IBM Active Content Filtering Vunerability impacts IBM Docs (CVE-2016-0243 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21986626
---------------------------------------------


More information about the Daily mailing list