[CERT-daily] Tageszusammenfassung - 22.06.2018

Daily end-of-shift report team at cert.at
Fri Jun 22 18:07:20 CEST 2018


=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 21-06-2018 18:00 − Freitag 22-06-2018 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ New GZipDe Malware Drops Metasploit Backdoor ∗∗∗
---------------------------------------------
Security researchers from AlienVault have discovered a new malware strain named GZipDe that appears to be part of a targeted attack —most likely a cyber-espionage campaign.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-gzipde-malware-drops-metasploit-backdoor/


∗∗∗ FIRST Releases Training to Help Companies Respond to Product Vulnerabilities ∗∗∗
---------------------------------------------
The Forum of Incident Security Response Teams, Inc. (FIRST) is pleased to release the final Product Security Incident Response Teams (PSIRT) Services Framework (PDF) and accompanying training video course. This framework and training video course were developed by a global team of PSIRT practitioners from FIRST members and relevant subject matter experts.
---------------------------------------------
https://www.first.org/newsroom/releases/20180621


∗∗∗ Detecting Kernel Memory Disclosure – Whitepaper ∗∗∗
---------------------------------------------
Since early 2017, we have been working on Bochspwn Reloaded – a piece of dynamic binary instrumentation built on top of the Bochs IA-32 software emulator, designed to identify memory disclosure vulnerabilities in operating system kernels. Over the course of the project, we successfully used it to discover and report over 70 previously unknown security issues in Windows, and more than 10 bugs in Linux.
---------------------------------------------
https://googleprojectzero.blogspot.com/2018/06/detecting-kernel-memory-disclosure.html


∗∗∗ Financial Services Sector Rife with Hidden Tunnels ∗∗∗
---------------------------------------------
Attackers use the approach to look like legitimate traffic and hide data exfiltration in plain sight.
---------------------------------------------
https://threatpost.com/financial-services-sector-rife-with-hidden-tunnels/132987/


∗∗∗ Wie Sie eine Baby-Cam erfolgreich hacken (Gwelltimes P2P Cloud) ∗∗∗
---------------------------------------------
Vor einiger Zeit wurde in den USA ein Fall bekannt, bei dem ein W-LAN-fähiges Babyphone gehackt worden sei. Jemand hätte die Mutter und ihr Baby überwacht. SEC Consult hat sich den Fall nun aus der technischen Perspektive angesehen.
---------------------------------------------
https://www.sec-consult.com/blog/2018/06/wie-sie-eine-babycam-erfolgreich-hacken/


∗∗∗ Documenting and Attacking a Windows Defender Application Control Feature the Hard Way - A Case Study in Security Research Methodology ∗∗∗
---------------------------------------------
As is typically the case for me, whenever a new Windows build is released, I diff the Windows Defender Application Control (WDAC, formerly Device Guard) code integrity policy schema (located in %windir%\schemas\CodeIntegrity\cipolicy.xsd) to see if there are any new, interesting features. I resort to doing this because new WDAC features are seldom documented [...]
---------------------------------------------
https://posts.specterops.io/documenting-and-attacking-a-windows-defender-application-control-feature-the-hard-way-a-case-73dd1e11be3a


∗∗∗ Why You Should Care about Website Security on Your Small Site ∗∗∗
---------------------------------------------
Most people assume that if their website has been compromised, there must have been an attacker evaluating their site and looking for a specific vulnerability to hack. Under most circumstances however, bad actors don’t manually hand-pick websites to attack since it’s a tedious and time consuming process. Instead, they rely on automation to identify vulnerable websites and execute their attacks.
---------------------------------------------
https://blog.sucuri.net/2018/06/why-you-should-care-about-website-security-on-your-small-site.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Delta Electronics Delta Industrial Automation COMMGR ∗∗∗
---------------------------------------------
This advisory includes mitigations for a stack-based buffer overflow vulnerability in the Delta Electronics Delta Industrial Automation COMMGR software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01


∗∗∗ Rockwell Automation Allen-Bradley CompactLogix and Compact GuardLogix ∗∗∗
---------------------------------------------
This advisory includes mitigation recommendations for an improper input validation vulnerability reported in Rockwell Automation Allen-Bradley CompactLogix and Compact GuardLogix controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-172-02


∗∗∗ PMASA-2018-4 ∗∗∗
---------------------------------------------
File inclusion and remote code execution attackAffected VersionsphpMyAdmin 4.8.0 and 4.8.1 are affected.CVE ID(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12613, uCVE-2018-12613)
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2018-4/


∗∗∗ PMASA-2018-3 ∗∗∗
---------------------------------------------
XSS in Designer featureAffected VersionsphpMyAdmin versions prior to 4.8.2.CVE ID(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12581, uCVE-2018-12581)
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2018-3/


∗∗∗ Security Advisory - FRP Bypass Vulnerability in Some Huawei Smart Phones ∗∗∗
---------------------------------------------
There is Factory Reset Protection (FRP) bypass vulnerability in some Huawei smart phones. An attacker gets some users smart phone and performs some special operations in the guide function. The attacker may exploit the vulnerability to bypass FRP function and use the phone normally. (Vulnerability ID: HWPSIRT-2018-04051)
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180622-01-bypass-en


∗∗∗ Security Advisory - Bluetooth Unlock Bypassing Vulnerability in Some Huawei Mobile Phones ∗∗∗
---------------------------------------------
Some Huawei mobile phones have a Bluetooth unlock bypassing vulnerability due to the lack of validation on Bluetooth devices. If a user has enabled the smart unlock function, an attacker can impersonate the users Bluetooth device to unlock the users mobile phone screen. (Vulnerability ID: HWPSIRT-2017-01088)
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170323-01-smartphone-en


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php-horde-image), openSUSE (kernel), Scientific Linux (git), SUSE (bluez, kernel, mariadb, and mariadb, mariadb-connector-c, xtrabackup), and Ubuntu (openjdk-7).
---------------------------------------------
https://lwn.net/Articles/758024/


∗∗∗ Lazy FP state restore vulnerability CVE-2018-3665 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K21344224

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily





More information about the Daily mailing list