[CERT-daily] Tageszusammenfassung - Dienstag 21-02-2017

Tue Feb 21 18:07:33 CET 2017

=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 20-02-2017 18:00 − Dienstag 21-02-2017 18:00
Handler:     Robert Waldner
Co-Handler:  n/a


*** Joomla Security - Pornography Spam Campaign in the Wild ***
---------------------------------------------
One of the worst experiences for a website owner is finding out that the search results for your site have turned into a pharmacy, a fashion outlet, or even a porn dump. Those unwanted keywords are a result of Search Engine Poisoning (SEP) attacks. This blackhat SEO technique is used by attackers to take advantage of your rankings on Search Engine Result Pages (SERPs).
---------------------------------------------
https://blog.sucuri.net/2017/02/joomla-security-pornography-spam-campaign-in-the-wild.html


*** Hardening Postfix Against FTP Relay Attacks, (Mon, Feb 20th) ***
---------------------------------------------
Yesterday, I read an interesting blog post about exploiting XXE (XML eXternal Entity) flaws to send e-mails. In short: It is possible to trick the application to connect to an FTP server, but since mail servers tend to be forgiving enough, they will just accept e-mail if you use the FTP client to connect to port 25 on a mail server. The mail server will of course initially see the USER and PASS commands, but it will ignore them. Initially, I considered thisa lesser issue.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22086&rss


*** New(ish) Mirai Spreader Poses New Risks ***
---------------------------------------------
A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly. However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices. This is not the case. Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant. So let's make a level-headed assessment of what is really out there.
---------------------------------------------
https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/


*** Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway GCM nonce generation ***
---------------------------------------------
A flaw in NetScaler ADC and Gateway causes GCM nonces to be randomly generated, making it marginally easier for remote attackers to obtain ...
---------------------------------------------
https://support.citrix.com/article/CTX220329


*** DFN-CERT-2017-0317: Xen, QEMU: Eine Schwachstelle ermöglicht u.a. die Ausführung beliebigen Programmcodes ***
---------------------------------------------
Ein einfach authentifizierter Angreifer im benachbarten Netzwerk mit erweiterten Privilegien (Guest Administator) kann auf Speicher außerhalb von Speichergrenzen zugreifen (Out-of-Bounds Access) und dadurch einen Denial-of-Service (DoS)-Angriff durchführen oder möglicherweise beliebigen Programmcode zur Ausführung bringen. Die Schwachstelle betrifft QEMU in allen Versionen von Xen. Es stehen Sicherheitsupdates zur Verfügung.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0317/


*** Unstoppable JavaScript Attack Helps Ad Fraud, Tech Support Scams, 0-Day Attacks ***
---------------------------------------------
There are multiple issues and attack scenarios that Caballero discovered, but fortunately, they only affect Internet Explorer 11, but not Edge, or browsers from other vendors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unstoppable-javascript-attack-helps-ad-fraud-tech-support-scams-0-day-attacks/


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ invalid requests cause denial of service to MQXR listener (CVE-2016-8986) ***
http://www.ibm.com/support/docview.wss?uid=swg21998648
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ Invalid channel protocol flows cause denial of service on HP-UX (CVE-2016-8915) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21998649
---------------------------------------------
*** IBM Security Bulletin: Pivotal Spring Framework vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999040
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere Application Server Liberty Profile vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2016-3092, CVE-2016-5986) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21998590
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ Java clients might send a password in clear text (CVE-2016-3052) ***
http://www.ibm.com/support/docview.wss?uid=swg21998660
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ Channel data conversion denial of service (CVE-2016-3013) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21998661
---------------------------------------------