[CERT-daily] Tageszusammenfassung - Mittwoch 5-04-2017

Daily end-of-shift report team at cert.at
Wed Apr 5 19:01:18 CEST 2017


=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 04-04-2017 18:00 − Mittwoch 05-04-2017 18:00
Handler:     Stephan Richter
Co-Handler:  n/a




*** WordPress Security - Unwanted Redirects via Infected JavaScript Files ***
---------------------------------------------
We've been watching a specific WordPress infection for several months and would like to share details about it. The attacks inject malicious JavaScript code into almost every .js file it can find. Previous versions of this malware injected only jquery.js files, but now we remove this code from hundreds of infected files. Due to a bug in the injector code, it also infects files whose extensions contain ".js" (such as .js.php or .json).
---------------------------------------------
https://blog.sucuri.net/2017/04/wordpress-security-unwanted-redirects-via-infected-javascript-files.html




*** Encryption inside Utility Industrial Control Systems (ICS) communication protocols: a must to preserve the confidentiality of information and reliability of the industrial process, (Tue, Apr 4th) ***
---------------------------------------------
Industrial control systems are sensitive systems that must make decisions in real time to ensure the operation of the industrial process they govern. The latency and reliability in packet transmission is fundamental, since the protocols are connection-oriented but because of the main speed goal, many of them do not have included error recovery schemes other than those included in the TCP / IP stack. Where is it possible to use encryption without affecting the operation of the industrial control...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22260&rss




*** Schneider Electric still shipping passwords in firmware ***
---------------------------------------------
Youd think a vendor of critical infrastructure would at least pretend to care about security That "dont use hard-coded passwords" infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electrics developers eyes so they dont forget it.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/schneider_istilli_shipping_passwords_in_firmware/




*** Internetplattform unterstützt Opfer von digitaler Erpressung ***
---------------------------------------------
Für Betroffene von digitaler Erpressung ist es besonders wichtig, ihre Dateien schnell und einfach wiederherzustellen. Unter www.nomoreransom.org können verschiedene Entschlüsselungstools nun auch auf Deutsch aufgerufen werden.
---------------------------------------------
http://www.bmi.gv.at/cms/bmi/_news/bmi.aspx?id=537A58584930536354666F3D&page=0&view=1




*** 500.000 US-Dollar Lösegeld: Ransomware-Gangs nehmen Unternehmen aufs Korn ***
---------------------------------------------
Sicherheitsforscher haben mindestens acht Gruppen ausgemacht, die sich auf Ransomware-Attacken auf Unternehmen spezialisiert haben. Je nach Anzahl der infizierten PCs und Server steigt das Lösegeld. Summen von bis zu 500.000 US-Dollar sind im Spiel.
---------------------------------------------
https://heise.de/-3675612




*** Whitelists: The Holy Grail of Attackers, (Wed, Apr 5th) ***
---------------------------------------------
As a defender, take the time to put yourself in the place of a bad guy for a few minutes. Youre writing some malicious code and you need to download payloads from the Internet or hide your code on a website. Once your malicious code spread in the wild, it will be quickly captured by honeypots, IDS, ... (name your best tool) and analysed automatically of manually by the good guys. Their goal of this is to extract abehavioural analysis of the code and generate indicators (IOCs) which will help to...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22262&rss




*** Broadcom-Sicherheitslücke: Angriff über den WLAN-Chip ***
---------------------------------------------
Googles Project Zero zeigt, wie man ein Smartphone per WLAN übernehmen kann. WLAN-Chips haben heute eigene Betriebssysteme, denen jedoch alle modernen Sicherheitsmechanismen fehlen.
---------------------------------------------
https://www.golem.de/news/broadcom-sicherheitsluecke-angriff-ueber-den-wlan-chip-1704-127151-rss.html




*** Report: 30% of malware is zero-day, missed by legacy antivirus ***
---------------------------------------------
At least 30 percent of malware today is new, zero-day malware that is missed by traditional antivirus defenses, according to a new report."Were gathering threat data from hundreds of thousands of customers and network security appliances," said Corey Nachreiner, CTO at WatchGuard Technologies. "We have different types of malware detection services, including a signature and heuristic-based gateway antivirus. What we found was that 30 percent of the malware would have been missed...
---------------------------------------------
http://www.cio.com/article/3187734/network-security/report-30-of-malware-is-zero-day-missed-by-legacy-antivirus.html#tk.rss_security




*** Changes coming to TLS: Part Two ***
---------------------------------------------
In the first part of this two-part blog we covered certain performance improving features of TLS 1.3, namely 1-RTT handshakes and 0-RTT session resumption. In this part we shall discuss some security and privacy improvements.Remove Obsolete and insecure cryptographic primitivesRemove RSA HandshakesWhen RSA is used for key establishment there is no forward secrecy, which basically means that an adversary can record the encrypted conversation between the client and the server and later if it is...
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2978671




*** Broadcom: Heap overflow in TDLS Teardown Request while handling Fast Transition IE ***
---------------------------------------------
[...] Then, if the IE is present, its contents are copied into a heap-allocated buffer of length 256. The copy is performed using the length field present in the IE, and at a fixed offset from the buffers start address. Since the length of the FTIE is not verified prior to the copy, this allows an attacker to include a large FTIE (e.g., with a length field of 255), causing the memcpy to overflow the heap-allocated buffer.
---------------------------------------------
https://bugs.chromium.org/p/project-zero/issues/detail?id=1046




*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security issues have been identified within Citrix XenServer. The most significant of these issues could, if exploited, allow a malicious administrator of a 64-bit PV guest VM to compromise the host.
---------------------------------------------
https://support.citrix.com/article/CTX222565




*** Django Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting and Open Redirect Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1038177




*** HPE Business Process Monitor Unspecified Flaw Lets Remote Users Access Data on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1038176




*** Asterisk Buffer Overflow in Processing CDR User Data Lets Remote Authenticated Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1038175




*** Security Advisory - Multiple Buffer Overflow Vulnerabilities in Bastet of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170405-01-smartphone-en




*** Security Advisory - Information Leak Vulnerability in Some Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170405-02-smartphone-en




*** Schneider Electric Interactive Graphical SCADA System Software ***
---------------------------------------------
This advisory contains mitigation details for a DLL hijacking vulnerability in Schneider Electric's Interactive Graphical SCADA System Software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01




*** Marel Food Processing Systems ***
---------------------------------------------
This advisory contains mitigation details for hard-coded passwords and unrestricted upload vulnerabilities in Marel's Food Processing Systems.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-02




*** Rockwell Automation Allen-Bradley Stratix and Allen-Bradley ArmorStratix ***
---------------------------------------------
This advisory contains mitigation details for an improper input validation vulnerability in Rockwell Automation's Allen-Bradley Stratix and ArmorStratix Industrial Ethernet and Distribution switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-03




*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Opportunity Detect (CVE-2017-5638) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001388
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by Open Source Oracle MySQL Vulnerability (CVE-2017-3302) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999203
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by Open Source Oracle MySQL Vulnerabilities (multiple CVEs) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999202
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Database Activity Monitor ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999580
---------------------------------------------




*** Fortinet PSIRT Advisories ***
---------------------------------------------
*** FortiClient SSLVPN Linux - Root privilege escalation with subproc ***
http://fortiguard.com/psirt/FG-IR-16-041
---------------------------------------------
*** FortiClient SSLVPN Linux - Arbitrary write to log file ***
http://fortiguard.com/psirt/FG-IR-16-069
---------------------------------------------
*** Multiple vulnerabilities in Linux kernels through 4.6.3 ***
http://fortiguard.com/psirt/FG-IR-16-052
---------------------------------------------
*** Unauthenticated XSS (Cross Site Scripting) in FortiMail ***
http://fortiguard.com/psirt/FG-IR-17-011
---------------------------------------------
*** Linux kernel - challenge ack information leak ***
http://fortiguard.com/psirt/FG-IR-16-047
---------------------------------------------




*** F5 Security Advisories ***
---------------------------------------------
*** BIG-IP file validation vulnerability CVE-2015-8022 ***
https://support.f5.com/csp/article/K12401251
---------------------------------------------
*** OpenSSL vulnerability CVE-2015-3195 ***
https://support.f5.com/csp/article/K12824341
---------------------------------------------
*** OpenSSH vulnerability CVE-2016-6210 ***
https://support.f5.com/csp/article/K14845276
---------------------------------------------
*** Expat XML library vulnerability CVE-2015-1283 ***
https://support.f5.com/csp/article/K15104541
---------------------------------------------
*** glibc vulnerability CVE-2016-3075 ***
https://support.f5.com/csp/article/K15439022
---------------------------------------------
*** libxml2 vulnerability CVE-2016-1834 ***
https://support.f5.com/csp/article/K16712298
---------------------------------------------
*** glibc vulnerability CVE-2016-4429 ***
https://support.f5.com/csp/article/K17075474
---------------------------------------------
*** TMM vulnerability CVE-2016-5023 ***
https://support.f5.com/csp/article/K19784568
---------------------------------------------
*** Linux kernel vulnerability CVE-2013-7446 ***
https://support.f5.com/csp/article/K20022580
---------------------------------------------
*** OpenSSH vulnerability CVE-2015-8325 ***
https://support.f5.com/csp/article/K20911042
---------------------------------------------
*** NTP vulnerability CVE-2015-7976 ***
https://support.f5.com/csp/article/K21230183
---------------------------------------------
*** Linux kernel vulnerability CVE-2011-5321 ***
https://support.f5.com/csp/article/K21632201
---------------------------------------------
*** TMM vulnerability CVE-2016-9245 ***
https://support.f5.com/csp/article/K22216037
---------------------------------------------
*** glibc vulnerability CVE-2015-8776 ***
https://support.f5.com/csp/article/K23946311
---------------------------------------------
*** OpenSSL vulnerability CVE-2016-0800 ***
https://support.f5.com/csp/article/K23196136
---------------------------------------------
*** libarchive vulnerability CVE-2016-5844 ***
https://support.f5.com/csp/article/K24036027
---------------------------------------------
*** ISC DHCP vulnerability CVE-2016-2774 ***
https://support.f5.com/csp/article/K30409575
---------------------------------------------
*** Java commons-collections library vulnerability CVE-2015-4852 ***
https://support.f5.com/csp/article/K30518307
---------------------------------------------
*** PHP vulnerability CVE-2016-4070 ***
https://support.f5.com/csp/article/K42065024
---------------------------------------------
*** NTP vulnerability CVE-2016-2519 ***
https://support.f5.com/csp/article/K41613034
---------------------------------------------
*** GnuPG vulnerability CVE-2013-4402 ***
https://support.f5.com/csp/article/K40131068
---------------------------------------------
*** libarchive vulnerability CVE-2016-8688 ***
https://support.f5.com/csp/article/K35263486
---------------------------------------------
*** PHP vulnerability CVE-2016-3074 ***
https://support.f5.com/csp/article/K34958244
---------------------------------------------
*** OpenSSL vulnerability CVE-2016-7056 ***
https://support.f5.com/csp/article/K32743437
---------------------------------------------
*** OpenSSH vulnerability CVE-2016-10009 ***
https://support.f5.com/csp/article/K31440025
---------------------------------------------
*** BIG-IP APM access logs vulnerability CVE-2016-1497 ***
https://support.f5.com/csp/article/K31925518
---------------------------------------------


More information about the Daily mailing list