[CERT-daily] Tageszusammenfassung - Mittwoch 2-03-2016

Wed Mar 2 18:20:55 CET 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 01-03-2016 18:00 − Mittwoch 02-03-2016 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Threat Actors Behind "Shrouded Crossbow" Create BIFROSE for UNIX ***
---------------------------------------------
We recently came across a variant of the BIFROSE malware that has been rewritten for UNIX and UNIX-like systems. This is the latest tool developed by attackers behind operation Shrouded Crossbow, which have produced other BIFROSE variants such as KIVARS and KIVARS x64. UNIX-based operating systems are widely used in servers, workstations, and even mobile devices. With a lot of highly confidential data found in these servers and devices, a UNIX version of BIFROSE can certainly be classified as a...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/m3eM40z3oI8/


*** Cachebleed-Angriff: CPU-Cache kann private Schlüssel verraten ***
---------------------------------------------
Forschern ist es gelungen, RSA-Verschlüsselungsoperationen von OpenSSL mittels eines Cache-Timing-Angriffs zu belauschen und so den privaten Key zu knacken. Der Cachebleed-Angriff nutzt dabei Zugriffskonflikte auf den Cache-Speicher.
---------------------------------------------
http://www.golem.de/news/cachebleed-angriff-cpu-cache-kann-private-schluessel-verraten-1603-119497-rss.html


*** Let's ride with TeslaCrypt ***
---------------------------------------------
TeslaCrypt is a ransomware spread by e-mails or exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analysis are already available on the Internet. In this article we are focusing on two aspects of TeslaCrypt: - The attack vector - The web callback...
---------------------------------------------
http://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/


*** Security: Angebliche Locky-Warnung vom BKA ist ein Trojaner ***
---------------------------------------------
Die Angst vor Locky wird jetzt offenbar von Kriminellen ausgenutzt. In einer angeblich vom Bundeskriminalamt stammenden Mail wird vor dem Kryptotrojaner gewarnt und ein Werkzeug zur Entfernung angeboten - das selbst Malware enthält.
---------------------------------------------
http://www.golem.de/news/security-angebliche-locky-warnung-vom-bka-ist-ein-trojaner-1603-119525-rss.html


*** $17 smartwatch sends something to random Chinese IP address ***
---------------------------------------------
Samsung Gear 2 also has some problems, researcher says RSA bsides A cheap smart watch often peddled on eBay uses a pairing app for Android or iOS that contains a backdoor that quietly connects to an unknown Chinese IP address.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/


*** iPhone-Fingerabdruck lässt sich mit Plastilin austricksen ***
---------------------------------------------
Ein Hersteller von Fingerabdrucksensoren zeigt, wie einfach Apples Touch-ID mit gefälschten Fingerabdrücken zu umgehen ist.
---------------------------------------------
http://futurezone.at/produkte/iphone-fingerabdruck-laesst-sich-mit-plastilin-austricksen/184.429.253


*** Der DROWN Angriff auf SSL/TLS ***
---------------------------------------------
Es ist wieder soweit: Es gibt einen Presserummel rund um eine neu entdeckte Schwachstelle in SSL/TLS. Es gibt einen Namen (DROWN = Decrypting RSA with Obsolete and Weakened eNcryption) und ein fancy Logo. Nachzulesen ist alles unter: [...] Wir haben uns das angesehen und beschlossen, dazu keine offizielle Warnung zu publizieren. Das Problem ist nicht so dringend und dramatisch, wie manche...
---------------------------------------------
http://www.cert.at/services/blog/20160302151126-1688.html


*** Django Bugs Let Remote Users Conduct Redirect and Cross-Site Scripting Attacks and Determine Valid Usernames ***
---------------------------------------------
http://www.securitytracker.com/id/1035152


*** DFN-CERT-2016-0366: Perl: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes mit Benutzerrechten ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0366/


*** Intel Security - Security Bulletin: Protected resource access bypass vulnerability resolved in multiple McAfee endpoint products for Microsoft Windows ***
---------------------------------------------
Multiple McAfee endpoint products include a private mechanism to access settings and files protected by self-protection rules. This mechanism is not sufficiently secure and may be misused to access registry keys and files that should be protected from tampering. 
---------------------------------------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10151


*** Schneider Electric Building Operation Application Server Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01


*** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripiting ***
---------------------------------------------
This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02


*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco NX-OS Software TCP Netstack Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-netstack
---------------------------------------------
*** Cisco Nexus 3000 Series and 3500 Platform Switches Insecure Default Credentials Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-n3k
---------------------------------------------
*** Cisco Web Security Appliance HTTPS Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-wsa
---------------------------------------------
*** Cisco NX-OS Software SNMP Packet Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-n5ksnmp
---------------------------------------------
*** Cisco FireSIGHT System Software Convert Timing Channel Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-FireSIGHT1
---------------------------------------------
*** Cisco FireSIGHT System Software Device Management UI Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-FireSIGHT
---------------------------------------------


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Privileged Identity Manager Virtual Appliance (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21978009
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail affected by glibc, getaddrinfo stack-based buffer overflow (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977368
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Marketing Platform, IBM Campaign, IBM Predictive Insight, IBM Contact Optimization, IBM Marketing Operations (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976886
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Tivoli Storage Manager Fastback for Workstations (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974685
---------------------------------------------
*** Security Bulletin: Vulnerabilities in OpenSSL and MD5 Signature and Hash Algorithm (CVE-2015-7575) affect IBM System Networking RackSwitch products. ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099210
---------------------------------------------
*** Security Bulletin: Multiple vulnerabilities, including MD5 Signature and Hash Algorithm (CVE-2015-7575), affect IBM Flex System Networking Switches ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099200
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libpng affect IBM Cognos Metrics Manager (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540) ***
http://www.ibm.com/support/docview.wss?uid=swg21976924
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Client Application Access (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977618
---------------------------------------------