[CERT-daily] Tageszusammenfassung - 26.03.2018

Mon Mar 26 18:30:46 CEST 2018

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 23-03-2018 18:00 − Montag 26-03-2018 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Sicherheitslücke: Microsoft unterbindet RDP-Anfragen von ungepatchten Clients ∗∗∗
---------------------------------------------
Eine kritische Sicherheitslücke in Microsofts Credential Security Support Provider versetzt Angreifer in die Lage, beliebigen Code auszuführen. Deswegen unterbindet das Unternehmen demnächst Verbindungsversuche ungepatchter Clients, Admins sollten also schnell handeln.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-microsoft-unterbindet-rdp-anfragen-von-ungepatchten-clients-1803-133522-rss.html


∗∗∗ Threat Landscape for Industrial Automation Systems in H2 2017 ∗∗∗
---------------------------------------------
Kaspersky Lab ICS CERT publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017. The main objective of these publications is to provide information support to incident response teams, enterprise information security staff and researchers in the area of industrial facility security.
---------------------------------------------
http://securelist.com/threat-landscape-for-industrial-automation-systems-in-h2-2017/85053/


∗∗∗ KVA Shadow: Mitigating Meltdown on Windows ∗∗∗
---------------------------------------------
On January 3rd, 2018, Microsoft released an advisory and security updates that relate to a new class of discovered hardware vulnerabilities, termed speculative execution side channels, that affect the design methodology and implementation decisions behind many modern microprocessors. This post dives into the technical details of Kernel Virtual Address (KVA) Shadow which is the Windows [...]
---------------------------------------------
https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/


∗∗∗ Adding Backdoors at the Chip Level ∗∗∗
---------------------------------------------
Interesting research into undetectably adding backdoors into computer chips during manufacture: "Stealthy dopant-level hardware Trojans: extended version," also available here:Abstract: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing [...]
---------------------------------------------
https://www.schneier.com/blog/archives/2018/03/adding_backdoor.html


∗∗∗ Web Application Penetration Testing Cheat Sheet ∗∗∗
---------------------------------------------
This cheatsheet is intended to run down the typical steps performed when conducting a web application penetration test. I will break these steps down into sub-tasks and describe the tools I recommend using at each level.
---------------------------------------------
https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodology/


∗∗∗ Gefälschte A1-Mail fordert SIM-Karten-Aktualisierung ∗∗∗
---------------------------------------------
Kriminelle versenden eine gefälschte A1-Nachricht. Darin fordern sie Kund/innen dazu auf, dass sie ihre SIM-Karten-Details aktualisieren. Das soll auf einer gefälschten A1-Website geschehen. Kund/innen, die der Aufforderung nachkommen, übermitteln sensible Informationen an Kriminelle und werden Opfer eines Datendiebstahls.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-a1-mail-fordert-sim-karten-aktualisierung/


∗∗∗ Achtung vor gefälschter Klarna-Rechnung! ∗∗∗
---------------------------------------------
Unter dem Betreff "Offene Rechnung von Klarna" versenden Kriminelle gefälschte Rechnungen. EmpfängerInnen werden in der E-Mail aufgefordert eine angehängte ZIP-Datei zu öffnen, um weiterführende Informationen zu offenen Beträgen zu erhalten. Die ZIP-Datei enthält jedoch Schadsoftware, Betroffene dürfen die Datei daher nicht öffnen und sollten die E-Mail löschen.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-gefaelschter-klarna-rechnung/


∗∗∗ Forgot About Default Accounts? No Worries, GoScanSSH Didn’t ∗∗∗
---------------------------------------------
This blog post was authored by Edmund Brumaghin, Andrew Williams, and Alain Zidouemba.Executive SummaryDuring a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go.
---------------------------------------------
http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html


∗∗∗ One Year Later, Hackers Still Target Apache Struts Flaw ∗∗∗
---------------------------------------------
One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers. The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and 2.5.10.1. The bug, caused due to improper handling of the Content-Type header, can be [...]
---------------------------------------------
https://www.securityweek.com/one-year-later-hackers-still-target-apache-struts-flaw


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (bchunk, thunderbird, and xerces-c), Debian (freeplane, icu, libvirt, and net-snmp), Fedora (monitorix, php-simplesamlphp-saml2, php-simplesamlphp-saml2_1, php-simplesamlphp-saml2_3, puppet, and qt5-qtwebengine), openSUSE (curl, libmodplug, libvorbis, mailman, nginx, opera, python-paramiko, and samba, talloc, tevent), Red Hat (python-paramiko, rh-maven35-slf4j, rh-mysql56-mysql, rh-mysql57-mysql, rh-ruby22-ruby, rh-ruby23-ruby, and [...]
---------------------------------------------
https://lwn.net/Articles/750150/


∗∗∗ Bugtraq: Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links ∗∗∗
---------------------------------------------
http://www.securityfocus.com/archive/1/541891


∗∗∗ Norton App Lock Authentication Bypass ∗∗∗
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2018&suid=20180326_00


∗∗∗ DFN-CERT-2018-0566: Nmap: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2018-0566/


∗∗∗ DFN-CERT-2018-0569: Moodle: Zwei Schwachstellen ermöglichen u.a. einen Denial-of-Service-Angriff ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2018-0569/


∗∗∗ DFN-CERT-2018-0571: Mozilla Thunderbird: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2018-0571/


∗∗∗ DFN-CERT-2018-0570: Apache Software Foundation HTTP-Server (httpd): Mehrere Schwachstellen ermöglichen u.a. die Manipulation von Sitzungsdaten ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2018-0570/


∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in Business Space affects IBM Business Process Manager, WebSphere Process Server, and WebSphere Enterprise Service Bus (CVE-2018-1384) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22012604


∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (CVE-2017-1767) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22012396


∗∗∗ IBM Security Bulletin: Potential information leakage in IBM Business Process Manager (CVE-2017-1756) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22010796


∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability affects Rational Engineering Lifecycle Manager ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22014831

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily