[CERT-daily] Tageszusammenfassung - Montag 3-07-2017
Daily end-of-shift report
team at cert.at
Mon Jul 3 18:13:23 CEST 2017
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 30-06-2017 18:00 − Montag 03-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** From Pass-the-Hash to Pass-the-Ticket with No Pain ***
---------------------------------------------
We are all grateful to the Microsoft which gave us the possibility to use the "Pass the Hash" technique! In short: if we have the NTLM hashes of the user password, we can authenticate against the remote system without knowing the real password, just using the hashes. Things were (finally) changing, starting from Windows 7, [...]
---------------------------------------------
http://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/
*** SQL Injection Vulnerability in WP Statistics ***
---------------------------------------------
As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues. While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites. Are You at Risk? This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right [...]
---------------------------------------------
https://blog.sucuri.net/2017/06/sql-injection-vulnerability-wp-statistics.html
*** OutlawCountry Is CIAs Malware for Hacking Linux Systems ***
---------------------------------------------
WikiLeaks dumped today a manual describing a new CIA malware strain. Called OutlawCountry, this is malware designed for Linux operating systems. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/outlawcountry-is-cias-malware-for-hacking-linux-systems/
*** So You Think You Can Spot a Skimmer? ***
---------------------------------------------
This week marks the 50th anniversary of the automated teller machine -- better known to most people as the ATM or cash machine. Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think youre good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge.
---------------------------------------------
https://krebsonsecurity.com/2017/06/so-you-think-you-can-spot-a-skimmer/
*** PE Section Name Descriptions, (Sun, Jul 2nd) ***
---------------------------------------------
PE files (.exe, .dll, ...) have sections: a section with code, one with data, ... Each section has a name, and different compilers use different section names. Section names can help us identify the compiler and the type of PE file we are analyzing.
---------------------------------------------
https://isc.sans.edu/diary/rss/22576
*** TLS security: Past, present and future ***
---------------------------------------------
The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet. It soon became clear that a unified standard was required, and an IETF TLS WG was tasked. As a result, TLS 1.0 was specified in 1999, TLS 1.1 in [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/07/03/tls-security/
*** Achtung, Fake: Nein, Billa verlost keinen 250-Euro-Gutschein auf Whatsapp ***
---------------------------------------------
Der Kettenbrief verbreitet sich momentan rasant - Verlinkung auf mysteriöse Seite
---------------------------------------------
http://derstandard.at/2000060650645
*** WSUSpendu? What for? ***
---------------------------------------------
At BlackHat USA 2015, the WSUSpect attack scenario has been released. Approximately at the same time, some french engineers have been wondering if it would be possible to use a compromised WSUS server to extend the compromise to its clients, similarly to this WSUSpect attack. After letting this topic rest for almost two years, weve been able, at Alsid and ANSSI, to demonstrate this attack.
---------------------------------------------
https://github.com/AlsidOfficial/WSUSpendu
*** SB17-184: Vulnerability Summary for the Week of June 26, 2017 ***
---------------------------------------------
Original release date: July 03, 2017 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit [...]
---------------------------------------------
https://www.us-cert.gov/ncas/bulletins/SB17-184
*** DSA-3901 libgcrypt20 - security update ***
---------------------------------------------
Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon GrootBruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal andYuval Yarom discovered that Libgcrypt is prone to a local side-channelattack allowing full key recovery for RSA-1024.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3901
*** Bugtraq: [CVE-2017-9313] Webmin 1.840 Multiple XSS Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540794
*** Microsoft Dynamics CRM Input Validation Flaw in SyncFilterPage.aspx Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1038813
*** FortiWLM upgrade user account hard-coded credentials ***
---------------------------------------------
FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. Having the upgrade account credentials would allow an attacker to transfer files to any attached or previously attached controllers as an admin user, thus raising potential further security issues.
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-115
*** F5 Security Advisories ***
---------------------------------------------
*** BIND vulnerability CVE-2017-3142 ***
https://support.f5.com/csp/article/K59448931
---------------------------------------------
*** BIND vulnerability CVE-2017-3143 ***
https://support.f5.com/csp/article/K02230327
---------------------------------------------
*** GnuTLS vulnerability CVE-2017-7507 ***
https://support.f5.com/csp/article/K37830055
---------------------------------------------
*** Novell Patches ***
---------------------------------------------
*** Sentinel 8.1 (Sentinel 8.1.0.0) Build 3732 ***
https://download.novell.com/Download?buildid=SISjocZzgJM~
---------------------------------------------
*** eDirectory 9.0.3 Patch 1 (9.0.3.1) ***
https://download.novell.com/Download?buildid=_f8Eq87R-gs~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 10 HotFix 1 ***
https://download.novell.com/Download?buildid=z1R5CZBTHBM~
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Improper Authentication vulnerability affects IBM Security Guardium (CVE-2017-1264) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004425
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by XML External Entity vulnerability (CVE-2017-1254) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004463
---------------------------------------------
*** IBM Security Bulletin: OS Command Injection vulnerability affects IBM Security Guardium (CVE-2017-1253 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004426
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow a local user to obtain sensitive information due to inappropriate data retention of attachments(CVE-2017-1176) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005210
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL injection(CVE-2017-1175) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005212
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting(CVE-2017-1208) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005243
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder that is shipped with Jazz Reporting Service ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001007
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology ***
http://www.ibm.com/support/docview.wss?uid=swg21999760
---------------------------------------------
*** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Team Concert ***
http://www.ibm.com/support/docview.wss?uid=swg22004611
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in NTP and OpenSSL affect IBM Netezza Firmware Diagnostics ***
http://www-01.ibm.com/support/docview.wss?uid=swg21997020
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect SmartCloud Entry ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025357
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus ***
http://www.ibm.com/support/docview.wss?uid=swg22005345
---------------------------------------------
*** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Information Disclosure vulnerability ***
http://www.ibm.com/support/docview.wss?uid=swg22005382
---------------------------------------------
*** IBM Security Bulletin: IBM Integration Bus and WebSphere Message Broker are affected by Unquoted Search Path or Element (CWE-428) Vulnerability on Windows ***
http://www.ibm.com/support/docview.wss?uid=swg22005383
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus ***
http://www.ibm.com/support/docview.wss?uid=swg22005335
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Open Source Botan affects IBM Netezza Platform Software clients (CVE-2016-2849). ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001108
---------------------------------------------
*** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability ***
http://www.ibm.com/support/docview.wss?uid=swg22005331
---------------------------------------------
More information about the Daily
mailing list