[CERT-daily] Tageszusammenfassung - Donnerstag 14-07-2016

Thu Jul 14 18:22:05 CEST 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 13-07-2016 18:00 − Donnerstag 14-07-2016 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Troldesh ransomware influenced by (the) Da Vinci code ***
---------------------------------------------
We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32/Troldesh ransomware family. Ransomware, like most malware, is constantly trying to change itself in...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/


*** The Power of Web Shells, (Wed, Jul 13th) ***
---------------------------------------------
[Warning: this diary contains many pictures and may take some time to load on slow links] Web shellsare not new in the threats landscape. A web shell is a script (written in PHP, ASL, Perl, ... - depending on the available environment) that can be uploaded to a web server to enable remote administration. If web shells are usually installed for good purposes, many of them are installed on compromisedservers. Once in place, the web shell will allow a complete takeover of the victims server but it...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21257&rss


*** PCI for SMB - Requirement 2- Do Not Use Defaults ***
---------------------------------------------
In this series of articles, we talk about PCI and how it affects SMBs (small/medium sized businesses) that are going through the compliance process using the PCI SAQ's (Self Assessment Questionaries).
---------------------------------------------
https://blog.sucuri.net/2016/07/pci-for-smb-requirement-2-do-not-use-defaults.html


*** Beware of ws-xmlrpc library in your Java App ***
---------------------------------------------
Apache XML-RPC is a XML-RPC library for Java. XML-RPC is a protocol for making remote procedure call via HTTP with the help of XML. Apache XML-RPC can be used on the client's side to make XML-RPC calls as well as on the server's side to expose some functionality via XML-RPC. Now ws-xmlrpc library is not supported by Apache. Last version is 3.1.3 which was released in 2013. However, many applications still use ws-xmlrpc library. Among them are Apache Continuum and Apache Archiva.
---------------------------------------------
https://0ang3el.blogspot.co.at/2016/07/beware-of-ws-xmlrpc-library-in-your.html


*** Join ENISA study on cloud security and eHealth ***
---------------------------------------------
ENISA, using its prior knowledge on cloud security, launches a study on cloud and eHealth.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/join-enisa-study-on-cloud-security-and-ehealth


*** DLL Hijacking Attacks Revisited ***
---------------------------------------------
This article is all about different DLL hijacking attacks techniques used by malware to achieve persistence. We will be discussing DLL search order hijacking, DLL Side loading, and Phantom DLL Hijacking techniques. Also, we will see how can we detect it and prevent the DLL hijacking attack. What is DLL hijacking? DLL provide common code...
---------------------------------------------
http://resources.infosecinstitute.com/dll-hijacking-attacks-revisited/


*** Github Engineering: SYN Flood Mitigation with synsanity ***
---------------------------------------------
In an effort to reduce the impact of these attacks, we began work on a series of additional mitigation strategies and systems to better prepare us for a future attack of a similar nature. Today we're sharing our mitigation for one of the attacks we received: synsanity, a SYN flood DDoS mitigation module for Linux 3.x.
---------------------------------------------
http://githubengineering.com/syn-flood-mitigation-with-synsanity/


*** The Value of a Hacked Company ***
---------------------------------------------
Most organizations only grow in security maturity the hard way -- that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organizations overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.
---------------------------------------------
http://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/


*** Warnung vor der Verschlüsselungssoftware "Cerber" ***
---------------------------------------------
[...] Die Ransomware „Cerber“ wird aktuell durch gefälschte Bewerbungsschreiben verbreitet. Die Täter antworten auf Stellenangebote im Internet und versenden den Schadcode mit den beigefügten Dateien, die beispielsweise als Lebenslauf getarnt sind. Dadurch verleihen sie ihren Emails eine erhöhte Plausibilität und Glaubwürdigkeit. Beim Öffnen der Datei wird der Schadcode ausgeführt bzw. aus dem Internet nachgeladen. In weiterer Folge werden Daten auf sämtlichen im Netzwerk befindlichen Computern und Laufwerken verschlüsselt.
---------------------------------------------
http://www.bmi.gv.at/cms/BK/betrug/files/C4_Newsletter_Ransomware_Cerber.pdf


*** LibTIFF Buffer Index Error in TIFFReadRawStrip1() and TIFFReadRawTile1() Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036300


*** Bugtraq: [ERPSCAN-16-021] SAP xMII - Reflected XSS vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538900


*** Bugtraq: [ERPSCAN-16-020] SAP NetWeaver AS JAVA UDDI component - XXE vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538901


*** Bugtraq: [ERPSCAN-16-019] SAP NetWeaver Enqueue Server - DoS vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538902


*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect StoredIQ (CVE-2016-2107) ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by StoredIQ. StoredIQ has addressed the applicable CVEs. CVE(s): CVE-2016-2107 Affected product(s) and affected version(s): StoredIQ v7.6 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21985359X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/112854
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21985359


*** IBM Security Bulletin: A JMX component vulnerability in IBM Java SDK and IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement (CVE-2016-3427) ***
---------------------------------------------
The IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement products are affected by a JMX component security vulnerability that exists in IBM SDK Java Technology Edition and IBM WebSphere Application Server. This issue was disclosed as part of the IBM Java SDK updates in April 2016. CVE(s): CVE-2016-3427 Affected product(s) and affected...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21986797


*** IBM Security Bulletin: IBM Traveler installer impacted by vulnerability in InstallAnywhere (CVE-2016-2542) ***
---------------------------------------------
IBM Traveler installer utilizes a version of Flexera InstallAnywhere which could allow a local attacker to gain elevated privileges on the system. CVE(s): CVE-2016-2542 Affected product(s) and affected version(s): IBM Traveler 8.5.3 IBM Traveler 9.0 IBM Traveler 9.0.1 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21984632X-Force Database:
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21984632


*** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM License Metric Tool v7.5 & v7.2.2, IBM Tivoli Asset Discovery for Distributed and IBM Endpoint Manger for Software Use Analysis v2.2 (CVE-2016-4560) ***
---------------------------------------------
A vulnerability in InstallAnywhere on Windows systems affects IBM License Metric Tool v7.5 & v7.2.2, IBM Tivoli Asset Discovery for Distributed and IBM Endpoint Manger for Software Use Analysis v2.2. CVE(s): CVE-2016-4560 Affected product(s) and affected version(s): IBM License Metric Tool v7.5 & v7.2.2 IBM Tivoli Asset Discovery for Distributed IBM Endpoint Manger for Software...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983503


*** USN-3032-1: eCryptfs vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-3032-114th July, 2016ecryptfs-utils vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 15.10SummaryeCryptfs could be made to expose sensitive information.Software description ecryptfs-utils - eCryptfs cryptographic filesystem utilities  DetailsIt was discovered that eCryptfs incorrectly configured the encrypted swappartition for certain drive types. An attacker could use this issue to discoversensitive...
---------------------------------------------
http://www.ubuntu.com/usn/usn-3032-1/


*** VU#665280: Accela Civic Platform Citizen Access portal contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#665280 Accela Civic Platform Citizen Access portal contains multiple vulnerabilities Original Release date: 13 Jul 2016 | Last revised: 13 Jul 2016   Overview Accela Civic Platform Citizen Access portal contains cross-site scripting and arbitrary file upload vulnerabilities.  Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) - CVE-2016-5660Accela Civic Platform Citizen Access portal contains a cross-site scripting (XSS)
---------------------------------------------
http://www.kb.cert.org/vuls/id/665280


*** Cisco ASR 5000 Series SNMP Community String Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160713-asr


*** Cisco IOS XR Software Command Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-ios-xr


*** Cisco IOS XR for NCS 6000 Packet Timer Leak Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160713-ncs6k


*** RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2016-040Project: RESTful Web Services (third-party module)Version: 7.xDate: 2016-July-13Security risk: 22/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionDescriptionThis module enables you to expose Drupal entities as RESTful web services.RESTWS alters the default page callbacks for entities to provide additional functionality.A vulnerability in this approach allows an attacker to send specially...
---------------------------------------------
https://www.drupal.org/node/2765567


*** Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2016-039Project: Coder (third-party module)Version: 7.xDate: 2016-July-13Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionDescriptionThe Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.The module doesnt sufficiently validate user inputs in a script file that has...
---------------------------------------------
https://www.drupal.org/node/2765575


*** Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2016-038Project: Webform Multiple File Upload (third-party module)Version: 7.xDate: 2016-July-13Security risk: 17/25 ( Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescriptionThe Webform Multiple File Upload module allows users to upload multiple files on a Webform.The Webform Multifile File Upload module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a...
---------------------------------------------
https://www.drupal.org/node/2765573


*** sol08440897: Linux kernel vulnerability CVE-2016-0774 ***
---------------------------------------------
Impact: A local unprivileged user may be able to leak kernel memory to user space or cause a denial-of-service (DoS).
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/08/sol08440897.html?ref=rss


*** sol55181425: Wget vulnerability CVE-2016-4971 ***
---------------------------------------------
Impact: An attacker with local access may be able to upload arbitrary files to the system. Product/Versions known to be vulnerable: ARX 6.2.0 - 6.4.0, Traffix SDC 5.0.0, 4.0.0 - 4.4.0
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/55/sol55181425.html?ref=rss


*** sol55922302: XSS in F5 WebSafe Dashboard vulnerability CVE-2016-5236 ***
---------------------------------------------
Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard allow privileged authenticated user to inject arbitrary web script or HTML when creating a new user, account or signature. (CVE-2016-5236)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/55/sol55922302.html?ref=rss


*** Juniper Security Advisories ***
---------------------------------------------
*** JSA10751 - 2016-07 Security Bulletin: SRX Series: On High-End SRX-Series, ALGs applied to in-transit traffic may trigger high CP (central point) utilization leading to denial of services. (CVE-2016-1276) ***
http://kb.juniper.net/index?page=content&id=JSA10751&actp=RSS
---------------------------------------------
*** JSA10758 - 2016-07 Security Bulletin: Junos: Crafted UDP packet can lead to kernel crash on 64-bit platforms (CVE-2016-1263) ***
http://kb.juniper.net/index?page=content&id=JSA10758&actp=RSS
---------------------------------------------
*** JSA10756 - 2016-07 Security Bulletin: Junos: FreeBSD-SA-09:07.libc - Information leak in db(3) (CVE-2009-0590) ***
http://kb.juniper.net/index?page=content&id=JSA10756&actp=RSS
---------------------------------------------
*** JSA10755 - 2016-07 Security Bulletin: Junos: Self-signed certificate with spoofed trusted Issuer CN accepted as valid (CVE-2016-1280) ***
http://kb.juniper.net/index?page=content&id=JSA10755&actp=RSS
---------------------------------------------
*** JSA10754 - 2016-07 Security Bulletin: Junos J-Web: Privilege Escalation due to information leak (CVE-2016-1279) ***
http://kb.juniper.net/index?page=content&id=JSA10754&actp=RSS
---------------------------------------------
*** JSA10750 - 2016-07 Security Bulletin: Junos: mbuf leak when flooding new IPv6 MAC addresses received via VPLS instances (CVE-2016-1275) ***
http://kb.juniper.net/index?page=content&id=JSA10750&actp=RSS
---------------------------------------------
*** JSA10753 - 2016-07 Security Bulletin: SRX Series: Upgrades using partition option may allow unauthenticated root login (CVE-2016-1278) ***
http://kb.juniper.net/index?page=content&id=JSA10753&actp=RSS
---------------------------------------------
*** JSA10752 - 2016-07 Security Bulletin: Junos: Kernel crash with crafted ICMP packet (CVE-2016-1277) ***
http://kb.juniper.net/index?page=content&id=JSA10752&actp=RSS
---------------------------------------------
*** JSA10756 - 2016-07 Security Bulletin: Junos: FreeBSD-SA-09:07.libc - Information leak in db(3) (CVE-2009-1436) ***
http://kb.juniper.net/index?page=content&id=JSA10756&actp=RSS
---------------------------------------------