[CERT-daily] Daily summary - Friday 12-08-2016
Daily end-of-shift report
team at cert.at
Fri Aug 12 18:14:59 CEST 2016
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 11-08-2016 18:00 − Friday 12-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** An ATM hack and a PIN-pad hack show chip cards aren't impervious to fraud ***
---------------------------------------------
The good news? Hacks are limited for now. The bad news? Hackers will get better.
---------------------------------------------
http://arstechnica.com/security/2016/08/an-atm-hack-and-a-pin-pad-hack-show-chip-cards-arent-impervious-to-fraud/
*** Four free tools for handling Amazon Web Services security incident response ***
---------------------------------------------
Responding to security incidents that involve deployments within Amazon Web Services is a lot different from responding to incidents that happen on corporate-owned gear, and two researchers have come up with free tools to make that process easier. Obtaining forensic evidence is different, primarily because security pros can't obtain physical access to the machines on which their AWS instances are running...
---------------------------------------------
http://www.cio.com/article/3106302/security/four-free-tools-for-handling-amazon-web-services-security-incident-response.html#tk.rss_security
*** Looking for the insider: Forensic Artifacts on iOS Messaging App, (Thu, Aug 11th) ***
---------------------------------------------
Most of the time we care about and focus on external threats, looking for actors that may attack us via phishing emails, vulnerable web services, misconfigured network devices, etc. However, sometimes the threat may come from the inside. In fact, it is not so uncommon to have disloyal/disgruntled employees exfiltrating information from the company (e.g. intellectual property to competitors, confidential information to the press, etc.). In such situations, a full forensics analysis of the...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21363&rss
*** Decrypting Chimera ransomware ***
---------------------------------------------
We take a technical look at validating the leaked Chimera ransomware keys as well as if we can decrypt files with these keys.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2016/08/decrypting-chimera-ransomware/
*** Ransomware Decryption Tools ***
---------------------------------------------
IMPORTANT! Before downloading and starting the solution, read the how-to guide. Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files.
---------------------------------------------
https://www.nomoreransom.org/decryption-tools.html
*** Analyzing and Cleaning Hijacked Google SEO Spam Results ***
---------------------------------------------
Blackhat SEO spam comes in many forms, and one of the most nefarious is hijacked search results. This happens when search engines crawl and display unwanted content in the title and description of infected web pages. The negative impact to the infected website cannot be understated. This harms the website's reputation with visitors and will...
---------------------------------------------
https://blog.sucuri.net/2016/08/cleaning-hijacked-google-seo-spam-results.html
*** Microsoft's compromised Secure Boot implementation ***
---------------------------------------------
There's been a bunch of coverage of this attack on Microsoft's Secure Boot implementation, a lot of which has been somewhat confused or misleading. Here's my understanding of the situation. Windows RT devices were shipped without the ability to disable Secure Boot. Secure Boot is the root of trust for Microsoft's User Mode Code Integrity (UMCI) feature, which is what restricts Windows RT devices to running applications signed by Microsoft. This restriction is somewhat inconvenient for developers, so...
---------------------------------------------
http://mjg59.dreamwidth.org/44223.html
*** Security fixes available for Ruby on Rails ***
---------------------------------------------
The updates prevent cross-site scripting attacks via html_safe in the major versions 3, 4 and 5, as well as the possibility of manipulating queries in Rails 4.2.x.
---------------------------------------------
http://heise.de/-3293426
*** This is strictly a violation of the TCP specification ***
---------------------------------------------
I was asked to debug another weird issue on our network. Apparently every now and then a connection going through CloudFlare would time out with an HTTP 522 error. A 522 error on CloudFlare indicates a connection issue between our edge server and the...
---------------------------------------------
https://blog.cloudflare.com/this-is-strictly-a-violation-of-the-tcp-specification/
*** Finding and Enumerating Processes within Memory: Memory and Volatility ***
---------------------------------------------
In this article series, we will learn about how processes reside in memory and various ways to find and enumerate them. I will be using Volatility plugins to find processes in memory. Once we know how to find processes within memory, in Part 2 we will see how to enumerate through them. Note: The scope...
---------------------------------------------
http://resources.infosecinstitute.com/finding-and-enumerating-processes-within-memory-part-1/
*** VU#301735: ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#301735: ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials. Original Release date: 12 Aug 2016 | Last revised: 12 Aug 2016. Overview: The ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials and run telnet by default. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-5081. According to the reporter, the Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras contain undocumented credentials for accessing the device via telnet.
---------------------------------------------
http://www.kb.cert.org/vuls/id/301735
*** HPSBHF03440 rev.1 - HPE iLO 3 using JQuery, Remote Cross-Site Scripting (XSS) ***
---------------------------------------------
A potential security vulnerability in JQuery was addressed by HPE Integrated Lights-Out 3. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS).
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05232730
*** HPSBGN03630 rev.2 - HP Operations Manager for Unix, Solaris, and Linux using Apache Commons Collections (ACC), Remote Code Execution ***
---------------------------------------------
A vulnerability in Apache Commons Collections (ACC) for handling Java object deserialization was addressed in the AdminUI of HP Operations Manager for Unix, Solaris and Linux. The vulnerability could be exploited remotely to allow remote code execution.
---------------------------------------------
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05206507
*** IDM 4.5 SOAP Driver Version 4.0.0.4 ***
---------------------------------------------
Abstract: Patch update for the Novell Identity Manager SOAP driver. The patch will take the driver version to 4.0.0.4. You must have IDM 4.0.2 or later to use this driver.
Document ID: 5251690
Security Alert: Yes
Distribution Type: Field Test File
Entitlement Required: No
Files: IDM45_SOAP_4004.zip (161.66 kB)
Products: Identity Manager 4.5
Superseded Patches: IDM 4.5 SOAP Driver Version 4.0.0.3
---------------------------------------------
https://download.novell.com/Download?buildid=95cHErCKIOQ~
*** F5 Security Advisory: libssh2 vulnerability CVE-2016-0787 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/21/sol21531693.html?ref=rss
*** F5 Security Advisory: TMM vulnerability CVE-2016-5023 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/19/sol19784568.html?ref=rss
*** VU#332115: D-Link routers contain buffer overflow vulnerability ***
---------------------------------------------
Vulnerability Note VU#332115: D-Link routers contain buffer overflow vulnerability. Original Release date: 11 Aug 2016 | Last revised: 11 Aug 2016. Overview: D-Link DIR routers contain a stack-based buffer overflow vulnerability, which may allow a remote attacker to execute arbitrary code. Description: CWE-121: Stack-based Buffer Overflow - CVE-2016-5681. A stack-based buffer overflow occurs in the function within the cgibin binary which validates the session cookie. This function is used by a service...
---------------------------------------------
http://www.kb.cert.org/vuls/id/332115
*** Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privileged simple network management protocol vulnerability in Rockwell Automation's MicroLogix 1400 programmable logic controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-224-01
*** DSA-3646 postgresql-9.4 - security update ***
---------------------------------------------
Several vulnerabilities have been found in PostgreSQL-9.4, a SQL database system.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3646
*** FortiVoice 5.0 Filter Bypass & Persistent Web Vulnerabilities ***
---------------------------------------------
A vulnerability in the FortiVoice 5.0 web application could allow a malicious script to be injected into the affected module; this potentially enables XSS attacks.
---------------------------------------------
http://fortiguard.com/advisory/fortivoice-5-0-filter-bypass-persistent-web-vulnerabilities
*** Cisco Aironet 1800, 2800, and 3800 Series Access Point Platforms ARP Request Handling Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability exists in Cisco Access Point (AP) platforms when processing Address Resolution Protocol (ARP) packets that could allow an unauthenticated, adjacent attacker to inject crafted entries into the ARP table and eventually cause a reload of the affected device. The vulnerability is due to improper processing of illegal ARP packets. An attacker could exploit this vulnerability by sending crafted ARP packets to be processed by an affected device. An exploit could allow the attacker to...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160608-aironet
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by vulnerabilities in OpenSSL ***
http://www.ibm.com/support/docview.wss?uid=swg21987903
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176). ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988350
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server and bundling products shipped with IBM Cloud Orchestrator (CVE-2016-3426, CVE-2016-3427) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000178
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by vulnerabilities in OpenSSH (CVE-2016-3115, CVE-2016-1908) ***
http://www.ibm.com/support/docview.wss?uid=swg21987636
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by vulnerabilities in OpenSSH (CVE-2016-3115, CVE-2016-1908) ***
http://www.ibm.com/support/docview.wss?uid=swg21987638
---------------------------------------------
*** IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2016-1283, CVE-2016-3191) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985982
---------------------------------------------
Next End-of-Shift report: 2016-08-16