[CERT-daily] Daily summary - Thursday 7-01-2016

Daily end-of-shift report team at cert.at
Thu Jan 7 18:22:34 CET 2016


=======================
= End-of-Shift report =
=======================

Timeframe:   Tuesday 05-01-2016 18:00 - Thursday 07-01-2016 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter




*** From Tuesday: end of the line for Internet Explorer 8, 9 and 10 ***
---------------------------------------------
Microsoft ends support for the outdated Internet Explorer versions 8, 9 and 10 on 12 January. They will receive no further updates, including security fixes; on Windows 7 and 8.1 only Internet Explorer 11 remains supported after that date.
---------------------------------------------
http://futurezone.at/produkte/ab-dienstag-aus-fuer-internet-explorer-8-9-und-10/173.541.768
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support




*** Site Updates: ISC/DShield API and ipinfo_ascii.html Page, (Wed, Jan 6th) ***
---------------------------------------------
We are planning a couple of updates to the ways data can be retrieved automatically from this site. The main reason for this is to make it easier for us to maintain and support some of these features. The main idea will be that we focus automatic data retrieval to our API (isc.sans.edu/api or dshield.org/api). It should be the only place that is used to have scripts retrieve data. In the past, we had a couple of other pages that supported automatic data retrieval. For example, ipinfo_ascii.html...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20577&rss




*** How long is your password? HTTPS Bicycle attack reveals that and more ***
---------------------------------------------
Get your 2FA on, slackers. A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn. The "Bicycle" attack does not break TLS itself: with a stream cipher (no padding) the size of an encrypted record is the size of the plaintext plus a fixed overhead, so an observer who already knows everything else in a login request can subtract it and read off the length of the password.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/06/https_bicycle/
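The length leak summarised above, worked through as an added example (this is not code from the Register article or from the Bicycle write-up). The TLS 1.2 per-record overheads, the login request template and the password are all assumptions constructed for the demonstration; the example goes a step beyond the article by also showing what a block cipher with padding leaks instead.

```python
"""Added example, not from the article or the Bicycle write-up: how an
encrypted TLS record's size gives away a password's length when the cipher
adds no padding. Record overheads and the request template are assumptions."""
import math

# Assumed TLS 1.2 per-record overhead on top of the application data:
#   AES-GCM (AEAD, no padding): 8-byte explicit nonce + 16-byte tag.
#   AES-CBC + HMAC-SHA1: 16-byte IV, 20-byte MAC, then 1..16 bytes of padding.
GCM_OVERHEAD = 8 + 16
CBC_IV, CBC_MAC, CBC_BLOCK = 16, 20, 16

# Constructed login request. An attacker learns everything but the password by
# logging in to the same site themselves; only the password (and the
# Content-Length it drives) varies between victims.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: {clen}\r\n"
    "\r\n"
    "{body}"
)

def build_request(pw: str) -> bytes:
    """Plaintext HTTP request for a given (already form-encoded) password."""
    body = f"user=alice&password={pw}"
    return TEMPLATE.format(clen=len(body), body=body).encode()

def gcm_record_len(plaintext: bytes) -> int:
    """Encrypted size under AES-GCM: exactly plaintext + constant."""
    return len(plaintext) + GCM_OVERHEAD

def cbc_record_len(plaintext: bytes) -> int:
    """Encrypted size under CBC: IV + (plaintext + MAC + padding) rounded up to a block."""
    padded = math.ceil((len(plaintext) + CBC_MAC + 1) / CBC_BLOCK) * CBC_BLOCK
    return CBC_IV + padded

def infer_gcm_password_len(record_len: int, max_len: int = 256):
    """Invert the size function: the single password length whose request fits.
    Walking n upward also absorbs the jumps caused by Content-Length gaining a digit."""
    target = record_len - GCM_OVERHEAD
    for n in range(max_len + 1):
        size = len(build_request("x" * n))
        if size == target:
            return n
        if size > target:
            break  # sizes only grow with n; nothing later can match
    return None

def infer_cbc_password_range(record_len: int, max_len: int = 256):
    """With CBC padding the observer only gets every length consistent with the record."""
    return [n for n in range(max_len + 1)
            if cbc_record_len(build_request("x" * n)) == record_len]

if __name__ == "__main__":
    victim = build_request("correct-horse-battery")   # 21-character password
    print("GCM leaks:", infer_gcm_password_len(gcm_record_len(victim)))
    print("CBC leaks:", infer_cbc_password_range(cbc_record_len(victim)))
```

The inferred value is the length of the form-encoded password, so characters that percent-encoding expands count as three bytes; the CBC variant shows why padding only widens the answer to a block-sized window rather than hiding it.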




*** Mozilla warns Firefox fans its SHA-1 ban could bork their security ***
---------------------------------------------
Protection mechanism screws other protection mechanisms. What a tangled web we weave. Mozilla has warned Firefox users they may be cut off from more of the web than expected now that the browser rejects new HTTPS certificates that use the weak SHA-1 algorithm. Mozilla's own post explains the collateral damage: TLS-intercepting middleboxes and security software that re-sign traffic with locally generated SHA-1 certificates now produce connections that Firefox refuses.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/07/mozilla_warns_firefox_users_that_sha1_ban_could_bork_their_security/
https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/




*** MD5/SHA1: SLOTH attacks exploit old hash algorithms ***
---------------------------------------------
New attacks on TLS: cryptographers present SLOTH, a set of weaknesses in TLS implementations and in the protocol itself. SLOTH stands for Security Losses from Obsolete and Truncated Transcript Hashes; the attacks are transcript collision attacks, and the most critical one breaks client authentication when the handshake signature uses RSA with MD5.
---------------------------------------------
http://www.golem.de/news/md5-sha1-sloth-angriffe-nutzen-alte-hash-algorithmen-aus-1601-118381-rss.html




*** Encrypted Blackphone Patches Serious Modem Flaw ***
---------------------------------------------
msm1267 writes: Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device's modem and perform any number of actions. Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more. Blackphone is marketed toward privacy-conscious users; it includes...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/ocmLGjQf8XY/encrypted-blackphone-patches-serious-modem-flaw




*** OS-X-Security-and-Privacy-Guide ***
---------------------------------------------
This is a collection of thoughts on securing a modern Apple Mac computer using OS X 10.11 "El Capitan", as well as steps to improving online privacy. This guide is targeted to "power users" who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.
---------------------------------------------
https://github.com/drduh/OS-X-Security-and-Privacy-Guide




*** Drupal - Insecure Update Process ***
---------------------------------------------
Just a few days after installing Drupal v7.39, I noticed a security update was available: Drupal v7.41, which fixes an open redirect in Drupal core. Although my Drupal update process was checking for updates, my local instance reported that everything was up to date. Issue #1: whenever the Drupal update process fails, Drupal states that everything is up to date instead of showing a warning, so a blocked or broken update check silently hides security releases.
---------------------------------------------
http://blog.ioactive.com/2016/01/drupal-insecure-update-process.html
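The fail-open behaviour described in Issue #1, next to a fail-closed version of the same check, as an added example (this is not Drupal's code and does not reproduce its update module). The version strings, the status labels and the stub "feed" functions standing in for the network call are constructed for the demonstration.

```python
"""Added example, not Drupal's code: the fail-open update check the post
describes, beside a fail-closed version. Versions and feed stubs are constructed."""
from enum import Enum
import re

class UpdateStatus(Enum):
    CURRENT = "up to date"
    UPDATE_AVAILABLE = "security update available"
    UNKNOWN = "status unknown: update check failed"

def parse_version(v: str):
    """'7.41' -> (7, 41), so (7, 41) > (7, 9) compares as integers, not as strings."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a version string: {v!r}")
    return tuple(int(p) for p in v.split("."))

def fail_open_status(installed: str, fetch_latest) -> UpdateStatus:
    """Issue #1 as described: every failure of the check collapses into 'up to date'."""
    try:
        latest = fetch_latest()
        newer = parse_version(latest) > parse_version(installed)
    except Exception:
        newer = False   # network error, empty feed, garbage: all silently become 'not newer'
    return UpdateStatus.UPDATE_AVAILABLE if newer else UpdateStatus.CURRENT

def fail_closed_status(installed: str, fetch_latest) -> UpdateStatus:
    """Same comparison, but 'could not check' is its own answer and is never 'up to date'."""
    try:
        latest = fetch_latest()
    except Exception:
        return UpdateStatus.UNKNOWN
    if not latest:
        return UpdateStatus.UNKNOWN
    try:
        newer = parse_version(latest) > parse_version(installed)
    except ValueError:
        return UpdateStatus.UNKNOWN   # garbage from the feed is not proof of currency
    return UpdateStatus.UPDATE_AVAILABLE if newer else UpdateStatus.CURRENT

# Constructed stand-ins for the call to the release feed.
def feed_ok():
    return "7.41"

def feed_unreachable():
    raise ConnectionError("release feed unreachable")

def feed_empty():
    return ""

if __name__ == "__main__":
    for feed in (feed_ok, feed_unreachable, feed_empty):
        print(f"{feed.__name__:17} fail-open: {fail_open_status('7.39', feed).value:27}"
              f" fail-closed: {fail_closed_status('7.39', feed).value}")
```

The point of the third state is operational: an attacker who can block or tamper with the update check should at most be able to produce "unknown", which an administrator can alert on, never a green "up to date".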




*** Install the update now: WordPress fixes XSS hole ***
---------------------------------------------
A cross-site scripting vulnerability allows attackers to compromise WordPress installations. All versions up to and including WordPress 4.4 are affected; the fix ships in the 4.4.1 security and maintenance release.
---------------------------------------------
http://heise.de/-3065193
https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/




*** AVM routers: Fritzbox hole allows phone calls at the owner's expense ***
---------------------------------------------
A critical hole in Fritzbox routers lets attackers make phone calls billed to the owner and execute code as root. AVM has already closed the hole; the details had been kept under wraps until today.
---------------------------------------------
http://heise.de/-3065588




*** A new, open source tool proves: Even after patching, deserializing will still kill you ***
---------------------------------------------
What's the problem here? ... When deserializing most objects, the code calls ObjectInputStream#resolveClass() as part of the process. This method is where all the patches and hardening against recent exploits take place (class allow- and deny-lists). Because that method is never involved in deserializing Strings, anyone can use this to attack an application that's "fully patched" against the recent spate of attacks. The practical consequence: a resolveClass() filter does not see every byte of the stream, so untrusted serialized input still has to be rejected, or at least size-bounded, before readObject() ever runs on it.
---------------------------------------------
https://www.contrastsecurity.com/security-influencers/java-deserializing-open-source-tool




*** rt-sa-2015-001 ***
---------------------------------------------
AVM FRITZ!Box: Remote Code Execution via Buffer Overflow
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-001.txt




*** rt-sa-2014-014 ***
---------------------------------------------
AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2014-014.txt




*** Bugtraq: [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499) ***
---------------------------------------------
[SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)
---------------------------------------------
http://www.securityfocus.com/archive/1/537244




*** DFN-CERT-2016-0023: Node.js-WS: A vulnerability allows information disclosure ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0023/




*** DFN-CERT-2016-0028: Shotwell: A vulnerability allows bypassing security restrictions ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0028/




*** DFN-CERT-2016-0004: Mozilla Thunderbird, Debian Icedove: Multiple vulnerabilities allow, among other things, execution of arbitrary code ***
---------------------------------------------
Version 3 (2016-01-05 17:52) | Debian provides security updates to Icedove version 38.5.0 for the Wheezy (old stable), Jessie (stable) and Stretch (testing) distributions. The vulnerabilities CVE-2015-7210 and CVE-2015-7222 are not addressed by these updates.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/




*** Security Advisory: QEMU vulnerability CVE-2012-3515 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/13/sol13405416.html?ref=rss




*** Security Advisory: Out-of-bounds memory vulnerability with the BIG-IP APM system CVE-2015-8098 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43552605.html?ref=rss




*** DSA-3435 git - security update ***
---------------------------------------------
Blake Burkhart discovered that the Git git-remote-ext helper incorrectly handled recursive clones of git repositories. A remote attacker could possibly use this issue to execute arbitrary code by injecting commands via crafted URLs: a .gitmodules file in the cloned repository can point a submodule at an ext:: URL, and the ext remote helper runs the program named in that URL on the cloning machine.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3435
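A pre-clone check for the crafted-URL problem above, as an added example (this is not git's code and not Debian's patch). The upstream fix introduced the GIT_ALLOW_PROTOCOL environment variable, an allowlist of transports honoured during recursive clones and submodule updates; the example applies the same allowlist idea to a .gitmodules file before anything is cloned. The .gitmodules content, the submodule names and the allowlist are constructed for the demonstration.

```python
"""Added example, not git's code: scan a .gitmodules file for submodule URLs
whose transport is outside an allowlist, mirroring the GIT_ALLOW_PROTOCOL
idea as a pre-clone check. The .gitmodules sample below is constructed."""
import re

# Transports a CI job or clone hook would normally accept. Everything else,
# in particular remote helpers such as ext:: and fd:: and local file paths,
# is reported so a human decides before 'git clone --recursive' runs.
SAFE_TRANSPORTS = {"https", "ssh", "git"}

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]$')
KEYVAL_RE = re.compile(r'^(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<val>.*)$')

def parse_gitmodules(text: str) -> dict:
    """Return {submodule name: {key: value}} for the INI-like .gitmodules format."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m["name"], {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            current[m["key"].lower()] = m["val"].strip()
    return modules

def transport_of(url: str) -> str:
    """Classify a git URL roughly the way git's transport layer does:
    'helper::...' selects a remote helper, 'scheme://' a protocol,
    'user@host:path' is scp-style ssh, anything else is a local path."""
    m = re.match(r"^([A-Za-z][\w+.-]*)::", url)
    if m:
        return m.group(1)            # remote helper name, e.g. ext, fd
    m = re.match(r"^([A-Za-z][\w+.-]*)://", url)
    if m:
        return m.group(1).lower()    # https, ssh, git, file, ...
    if re.match(r"^[^/]+:", url):
        return "ssh"                 # scp-like host:path (Windows drive letters not handled)
    return "file"                    # bare local path

def unsafe_submodules(text: str, allowed=SAFE_TRANSPORTS):
    """(name, url, transport) for every submodule whose transport is not allowed."""
    bad = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url", "")
        transport = transport_of(url)
        if transport not in allowed:
            bad.append((name, url, transport))
    return bad

# Constructed .gitmodules: one legitimate submodule, one using the ext helper
# (which executes the program named in the URL), one pointing at a local path.
SAMPLE = """\
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = https://example.test/vendor/lib.git
[submodule "evil"]
\tpath = evil
\turl = ext::sh -c some-command
[submodule "local"]
\tpath = local
\turl = /srv/git/private.git
"""

if __name__ == "__main__":
    for name, url, transport in unsafe_submodules(SAMPLE):
        print(f"REFUSE submodule {name!r}: transport {transport!r} in {url!r}")
```

Run it over the checked-out .gitmodules before any recursive clone or `git submodule update`; nested submodules need the same scan on each layer, which is exactly the recursion the helper mishandled.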




*** Advantech EKI Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-15-344-01A Advantech EKI Vulnerabilities that was published December 15, 2015, on the NCCIC/ICS-CERT web site. This advisory provides information regarding several vulnerabilities in Advantech's EKI devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01




*** D-Link DCS-931L Arbitrary File Upload ***
---------------------------------------------
Topic: D-Link DCS-931L Arbitrary File Upload
Risk: High
Text:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-f...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010028

