[CERT-daily] Tageszusammenfassung - Montag 12-06-2017

Mon Jun 12 18:27:27 CEST 2017

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 09-06-2017 18:00 − Montag 12-06-2017 18:00
Handler:     Robert Waldner
Co-Handler:  n/a


*** Banking trojan executes when targets hover over link in PowerPoint doc ***
---------------------------------------------
Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file.
The method - which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit - is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload.
---------------------------------------------
https://arstechnica.com/security/2017/06/malicious-powerpoint-files-can-infect-targets-when-hovering-over-hyperlinks/


*** RSA Identity Management and Governance Input Validation Flaws Let Remote and Remote Authenticated Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1038648


*** FIRST announces availability of new Common Vulnerability Scoring System (CVSS) release ***
---------------------------------------------
Third version aims to make the system more applicable to modern concerns
---------------------------------------------
https://www.first.org/newsroom/releases/20150610


*** [remote] Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution ***
---------------------------------------------
https://www.exploit-db.com/exploits/42158/?rss


*** DFN-CERT-2017-0993/">libgcrypt: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ***
---------------------------------------------
Ein entfernter, nicht authentisierter Angreifer, der den EdDSA-Sitzungsschlüssel während eines Signaturprozesses in einer Seitenkanalattacke abgreifen kann, kann daraus den 'Long Term Secret Key' rekonstruieren und nachfolgend die Sicherheitsvorkehrung der Sitzungsverschlüsselung umgehen, um Informationen aus Sitzungen auszuspähen.
Der Hersteller stellt libgcrypt 1.7.7 als Sicherheitsupdate bereit.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0993/


*** Bugtraq: [security bulletin] HPESBUX03759 rev.1 - HP-UX CIFS Sever using Samba, Multiple Remote Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in HPE HP-UX CIFS
server using Samba. The vulnerabilities can be exploited remotely to allow
authentication bypass, code execution, and unauthorized access.
References: CVE-2017-7494
---------------------------------------------
http://www.securityfocus.com/archive/1/540701


*** Bugtraq: [SECURITY] [DSA 3877-1] tor security update ***
---------------------------------------------
Package : tor
CVE ID : CVE-2017-0376
Debian Bug : 864424
It has been discovered that Tor, a connection-based low-latency
anonymous communication system, contain a flaw in the hidden service
code when receiving a BEGIN_DIR cell on a hidden service rendezvous
circuit. A remote attacker can take advantage of this flaw to cause a
hidden service to crash with an assertion failure (TROVE-2017-005).
---------------------------------------------
http://www.securityfocus.com/archive/1/540705


*** Bugtraq: [security bulletin] HPESBHF03730 rev.2 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in HPE Aruba
ClearPass Policy Manager. The vulnerabilities could be remotely exploited to allow access restriction bypass, arbitrary command execution, cross site
scripting (XSS), escalation of privilege and disclosure of information.
References: CVE-2017-5824, CVE-2017-5825, CVE-2017-5826, CVE-2017-582, CVE-2017-5828, CVE-2017-5829, CVE-2017-5647
---------------------------------------------
http://www.securityfocus.com/archive/1/540704


*** Security Advisory - Memory Double Free Vulnerability in Touch Panel Driver of Some Huawei Smart Phones ***
---------------------------------------------
The Touch Panel (TP) driver of some Huawei smart phones has a memory double free vulnerability. An attacker with the root privilege of the Android system tricks a user into installing a malicious application, and the application can start multiple threads and try to free specific memory, which could triggers double free and causes a system crash or arbitrary code execution. (Vulnerability ID: HWPSIRT-2017-04111)
CVE-2017-8141.
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-01-smartphone-en


*** Security Advisory - Multiple Vulnerabilities in UMA Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-01-uma-en


*** Linux Muldrop.14: Cryptomining-Malware befällt ungeschützte Raspberry Pi ***
---------------------------------------------
Eine neue Malware befällt ausschließlich Raspberry Pi und nutzt die Geräte, um Cryptowährungen zu minen. Nutzer können sich relativ leicht dagegen schützen. (Security, Malware)
---------------------------------------------
https://www.golem.de/news/linux-muldrop-14-cryptomining-malware-befaellt-ungeschuetzte-raspberry-pi-1706-128321-rss.html


*** Vuln: VMware Horizon View Client CVE-2017-4918 Command Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/98984


*** DFN-CERT-2017-1012/">Sophos UTM: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ***
---------------------------------------------
Mehrere Schwachstellen in den Komponenten BIND, Kernel, NTP, OpenSSL und OpenVPN ermöglichen einem entfernten, in vielen Fällen nicht authentisierten Angreifer verschiedene Denial-of-Service (DoS)-Angriffe auf Sophos UTM.
Sophos veröffentlicht die Sophos UTM Software in Version 9.501 als Maintenance Release zur Behebung der genannten Schwachstellen. Darüber hinaus werden verschiedene weitere Programmfehler aus den Bereichen AWS, Basesystem, Confd, Email, Network, Reporting, RESTD, Sandboxd, WAF, Web, WebAdmin und WiFi behoben.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1012/


*** Pwn2Own: Safari sandbox part 1 - Mount yourself a root shell ***
---------------------------------------------
Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year's Pwn2Own competition.
---------------------------------------------
https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc


*** Industroyer: Fortgeschrittene Malware soll Energieversorgung der Ukraine gekappt haben ***
---------------------------------------------
Sicherheitsforscher haben nach eigenen Angaben eine Art zweites Stuxnet entdeckt: Einen Trojaner, der auf die Steuerung von Umspannwerken zugeschnitten ist. Er soll für Angriffe auf den ukrainischen Stromversorger Ukrenergo verantwortlich sein.
---------------------------------------------
https://heise.de/-3740606


*** CSIRT maturity evaluation process - How is CSIRT maturity assessed? ***
---------------------------------------------
ENISA has published a new practical guide for CSIRTs so that they are better prepared to protect their constituencies and improve teams maturity.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/csirt-maturity-evaluation-process-how-is-csirt-maturity-assessed


*** Vuln: D-Link DIR-615 Wireless N 300 Router CVE-2017-9542 Authentication Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/98992


*** Healthcare Industry Cybersecurity Report ***
---------------------------------------------
New US government report: "Report on Improving Cybersecurity in the Health Care Industry." Its pretty scathing, but nothing in it will surprise regular readers of this blog.Its worth reading the executive summary, and then skimming the recommendations. Recommendations are in six areas.The Task Force identified six high-level imperatives by which to organize its recommendations and action items. The imperatives are:Define and streamline leadership, governance, and expectations for
---------------------------------------------
https://www.schneier.com/blog/archives/2017/06/healthcare_indu.html


*** Behind the CARBANAK Backdoor ***
---------------------------------------------
In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK (aka Anunak). Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution. With these details, we will then draw some conclusions about the operators of CARBANAK. For some additional background on the CARBANAK backdoor, see the papers by Kaspersky and Group-IB and Fox-It.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html


*** Erste SambaCry-Angriffe: Trojaner schürft Kryptowährung auf Linux-Servern ***
---------------------------------------------
Sicherheitsforscher haben einen Trojaner entdeckt, der durch die vor kurzem entdeckte Samba-Lücke in Linux-Server einbricht und dann mit deren Hardware Kryptogeld erzeugt.
---------------------------------------------
https://heise.de/-3740976


*** OSX/MacRansom; analyzing the latest ransomware to target macs ***
---------------------------------------------
Looks like somebody on the dark web is offering Ransomware as a Service...that's designed to infect Macs!
---------------------------------------------
https://objective-see.com/blog/blog_0x1E.html


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ***
http://www.ibm.com/support/docview.wss?uid=swg22004534
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Insight ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003367
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Reporting for Development Intelligence ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003366
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Management Module (IMM) for System x & BladeCenter ***
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5099597
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module (IMM) for System x & BladeCenter ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099595
---------------------------------------------
*** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Quality Manager ***
http://www.ibm.com/support/docview.wss?uid=swg22004428
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote authenticated attacker to execute arbitrary commands on the system as administrator (CVE-2016-9984) ***
http://www.ibm.com/support/docview.wss?uid=swg21998608
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-5597 CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg21998779
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-9736, CVE-2016-8934, CVE-2016-8919) ***
http://www.ibm.com/support/docview.wss?uid=swg21999544
---------------------------------------------
*** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0636) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010085
---------------------------------------------
*** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0603) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010086
---------------------------------------------