[CERT-daily] Tageszusammenfassung - Montag 4-01-2016

Mon Jan 4 18:35:18 CET 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Donnerstag 31-12-2015 18:00 − Montag 04-01-2016 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Identische SSH-Schlüssel auf Hetzner-Servern ***
---------------------------------------------
Aufgrund identischer SSH-Schlüssel können Angreifer verschlüsselte Verbindungen von Servern von Hetzner belauschen.
---------------------------------------------
http://heise.de/-3057777


*** Difficult to block JavaScript-based ransomware can hit all operating systems ***
---------------------------------------------
A new type of ransomware that still goes undetected by the great majority of AV solutions has been spotted and analyzed by Emsisoft researchers (via Google Translate). Ransom32 is delivered on the ...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3184
http://blog.emsisoft.com/de/2016/01/01/meet-ransom32-the-first-javascript-ransomware/


*** Apple had more CVEs than any single MS product in 2015, but it doesnt really matter ***
---------------------------------------------
Meaningless league table sparks silly schadenfreude A count of the number of CVEs issues on different platforms in 2015 has concluded that Apple was the most-advisoried operating system of the year, leading to gloating headlines that OS X is the "most vulnerable" of the lot.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/apple_had_more_cves_than_any_single_ms_product_in_2015_but_it_doesnt_really_matter/


*** Cisco Jabbers in the clear due to STARTTLS bug ***
---------------------------------------------
Sysadmins get a belated Christmas present Twas the night before Christmas, when sysadmins probably werent watching their advisory feeds, that Cisco announced a vulnerability in its Jabber for Windows.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/cisco_jabbers_in_the_clear_due_to_starttls_bug/


*** BlackEnergy cyberespionage group adds disk wiper and SSH backdoor to its arsenal ***
---------------------------------------------
A cyberespionage group focused on companies and organizations in the energy sector has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server.The group is known in the security community as Sandworm or BlackEnergy, after its primary malware tool, and has been active for several years. It has primarily targeted companies that operate industrial control systems, especially in the energy sector, but has also gone after high-level government organizations,...
---------------------------------------------
http://www.cio.com/article/3018790/blackenergy-cyberespionage-group-adds-disk-wiper-and-ssh-backdoor-to-its-arsenal.html#tk.rss_security


*** The current state of boot security ***
---------------------------------------------
I gave a presentation at 32C3 this week. One of the things I said was "If any of you are doing seriously confidential work on Apple laptops, stop. For the love of god, please stop." I didnt really have time to go into the details of that at the time, but right now Im sitting on a plane with a ridiculous sinus headache and the pseudoephedrine hasnt kicked in yet so here we go.The basic premise of my presentation was that its very difficult to determine whether your system is in a...
---------------------------------------------
http://mjg59.dreamwidth.org/39339.html


*** A Tip For The Analysis Of MIME Files, (Sat, Jan 2nd) ***
---------------------------------------------
Ive written a diary entry about malicious MS Office documents stored as MIME files. A few days ago a reader contacted me for a problem he had analyzing such a maldoc MIME file. When he used emldump to analyze his sample (f67aa5a3ede3d31c5a68494c0678e2ee), it was not a multipart:  $ ./emldump.py f67aa5a3ede3d31c5a68494c0678e2ee.vir 1: boundary=----=_NextPart_Jm9Ovypy.uUh6MCk charset=us-ascii $  You can make emldump skip this first line with option -H:  $ ./emldump.py -H...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20561&rss


*** More Internet of Things irony: a security alarm with alarming security ***
---------------------------------------------
Imagine that a crook could change the text ALARM STATUS RED in your intruder alarm alerts to say ALARM STATUS GREEN...
---------------------------------------------
https://nakedsecurity.sophos.com/2016/01/03/more-internet-of-things-irony-a-security-alarm-with-alarming-security/


*** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
Bitte beachten Sie: Zur Behebung der hier genannten Schwachstelle hat Mozilla am 28. Dezember 2015 das Security Advisory MFSA2015-150 veröffentlicht, dieses aber kurze Zeit später, ohne Angaben von Gründen, wieder zurückgezogen. Zeitgleich wurde die Firefox Version 43.0.3 bereitgestellt. Ob die hier genannte Schwachstelle in der Version also tatsächlich behoben ist, ist unklar. In den Release Notes zur Firefox Version 43.0.3 wird die Schwachstelle nicht genannt. 
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/


*** Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034541


*** DFN-CERT-2016-0004: Mozilla Thunderbird: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/


*** Bugtraq: OSS-2016-03: Insufficient Integrity Protection in Winkhaus Bluesmart locking systems using Hitag S ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537223


*** Bugtraq: OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537224


*** Bugtraq: Confluence Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537232


*** DSA-3433 samba - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,print, and login server for Unix. The Common Vulnerabilities andExposures project identifies the following issues:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3433


*** PCRE Heap Overflow in pcre_compile2() in Processing Certain Regex Patterns May Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034555


*** #2015-012 Ganeti multiple issues ***
---------------------------------------------
Ganeti, an open source virtualization manager, suffers from multiple issues in its RESTful control interface (RAPI).
---------------------------------------------
http://www.ocert.org/advisories/ocert-2015-012.html