[CERT-daily] Tageszusammenfassung - 17.10.2018

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 16-10-2018 18:00 − Mittwoch 17-10-2018 18:00
Handler:     Alexander Riepl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Injecting Code into Windows Protected Processes using COM - Part 1 ∗∗∗
---------------------------------------------
Posted by James Forshaw, Google Project ZeroAt Recon Montreal 2018 I presented "Unknown Known DLLs and other Code Integrity Trust Violations" with Alex Ionescu. We described the implementation of Microsoft Windows' Code Integrity mechanisms and how Microsoft implemented Protected Processes (PP). As part of that I demonstrated various ways of bypassing Protected Process Light (PPL), some requiring administrator privileges, others not.
---------------------------------------------
https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html


∗∗∗ Multiple D-Link Routers Open to Complete Takeover with Simple Attack ∗∗∗
---------------------------------------------
The vendor only plans to patch two of the eight impacted devices, according to a researcher.
---------------------------------------------
https://threatpost.com/multiple-d-link-routers-open-to-complete-takeover-with-simple-attack/138383/


∗∗∗ Party like its 1987... SVGA code bug haunts VMwares house, lets guests flee to host OS ∗∗∗
---------------------------------------------
Malicious code in VMs can leap over ESXi, Workstation, Fusion hypervisor security Get busy, VMware admins and users: the virtualisation virtuoso has patched a programming blunder in ESXi, Workstation Pro and Player, and Fusion and Fusion Pro products that can be exploited by malicious code to jump from guest OS to host machine.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/10/17/vmware_svga_guest_escape_critical_bug/


∗∗∗ Warnung vor gefälschtem A1-Update ∗∗∗
---------------------------------------------
Konsument/innen erhalten eine angebliche Nachricht von A1, in der es heißt, dass der Mobilfunkanbieter ein Update für sie bereit stellt. Kund/innen sollen es installieren, damit sie weiterhin das Mobilfunknetz des Anbieters nutzen können. Kommen sie der Aufforderung nach, installieren sie Schadsoftware auf ihrem Smartphone.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-gefaelschtem-a1-update/


∗∗∗ IT-Sicherheit - 100.000 Geräte: "Netter" Hacker entfernt ungefragt Sicherheitslücken ∗∗∗
---------------------------------------------
Seit April sind verheerende Sicherheitslücken bei Routern der Marke Mikrotik bekannt - vom Hersteller gibt es kein Update
---------------------------------------------
https://derstandard.at/2000089517357/Netter-Hacker-entfernt-ungefragt-Sicherheitsluecken-bei-hunderttausend


∗∗∗ Persistent Credential Theft with Authorization Plugins ∗∗∗
---------------------------------------------
Credential theft is often one of the first tactics leveraged by attackers once they’ve escalated privileges on a victim’s machine. Credential theft on OSX has become more difficult with the introduction of System Integrity Protection (SIP). Attackers can no longer use methods such as extracting the master keys from the securityd process and decrypting the victim’s login keychain. An example of this can be seen here.
---------------------------------------------
https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Omron CX-Supervisor ∗∗∗
---------------------------------------------
This advisory includes mitigations for improper restriction of operations within the bounds of a memory buffer, out-of-bounds read, use-after-free, and incorrect type conversion or cast vulnerabilities in Omrons CX-Supervisor software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-290-01


∗∗∗ Authentication bypass in server code in libssh ∗∗∗
---------------------------------------------
There is a vulnerability within the server code which can enable a client to bypass the authentication process and set the internal state machine maintained by the library to authenticated, enabling the (otherwise prohibited) creation of channels.
---------------------------------------------
https://www.libssh.org/security/advisories/CVE-2018-10933.txt


∗∗∗ VMSA-2018-0026 ∗∗∗
---------------------------------------------
VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2018-0026.html


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (tomcat), Debian (asterisk, graphicsmagick, and libpdfbox-java), openSUSE (apache2 and git), Oracle (tomcat), Red Hat (kernel and Satellite 6.4), Slackware (libssh), SUSE (binutils, ImageMagick, and libssh), and Ubuntu (clamav, libssh, moin, and paramiko).
---------------------------------------------
https://lwn.net/Articles/768617/


∗∗∗ Synology-SA-18:55 DSM ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to obtain sensitive information via a susceptible version of Synology Diskstation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_18_55


∗∗∗ Oracle Critical Patch Update Advisory - October 2018 ∗∗∗
---------------------------------------------
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html


∗∗∗ Solaris Third Party Bulletin - October 2018 ∗∗∗
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/bulletinoct2018-5139632.html


∗∗∗ Security Advisory - Information Leak Vulnerability in Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20181017-01-smartphone-en


∗∗∗ HPESBHF03891 rev.1 - HPE UIoT, Remote Unauthorized Access ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03891en_us

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily