[CERT-daily] Tageszusammenfassung - 20.08.2019

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 19-08-2019 18:00 − Dienstag 20-08-2019 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Kernel: Defekte Dateisysteme bringen Linux zum Stolpern ∗∗∗
---------------------------------------------
In einer Diskussion um die Aufnahme eines neuen Dateisystems in den Linux-Kernel wird klar, dass viele Dateisystemtreiber mit defekten Daten nicht klarkommen. Das kann nicht nur zu Abstürzen führen, sondern auch zu Sicherheitslücken.
...
Das Mounten von fremden Dateisystemen ist aber unter den gegebenen Umständen riskant. Wie die Diskussion zeigt, kann man sich nicht darauf verlassen, dass Linux-Dateisystemtreiber mit bösartigen Eingabedaten klarkommen.
---------------------------------------------
https://www.golem.de/news/kernel-defekte-dateisysteme-bringen-linux-zum-stolpern-1908-143323-rss.html


∗∗∗ Guildma malware is now accessing Facebook and YouTube to keep up-to-date, (Tue, Aug 20th) ∗∗∗
---------------------------------------------
A new variant of the information stealer Guildma (aka Astaroth) we analyzed last week is accessing Facebook and YouTube to get a fresh list of its C2 servers. The C2 list is encrypted and hosted in two Facebook and three YouTube profiles maintained and constantly updated by the cybercriminals.
---------------------------------------------
https://isc.sans.edu/diary/rss/25222


∗∗∗ GitHub Token Scanning—one billion tokens identified and five new partners ∗∗∗
---------------------------------------------
If you’ve ever accidentally shared a token or credentials in a GitHub repository, or read about someone who has, you know how damaging it could be if a malicious user finds and exploits it. About a year ago, we introduced token scanning to help scan pushed commits and prevent fraudulent use of any credentials that are shared accidentally.
---------------------------------------------
https://github.blog/2019-08-19-github-token-scanning-one-billion-tokens-identified-and-five-new-partners/


∗∗∗ GAME OVER: Detecting and Stopping an APT41 Operation ∗∗∗
---------------------------------------------
In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. 
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html


∗∗∗ Falsche Versionsangaben: Mehrere Security Bulletins zu Apache Struts korrigiert ∗∗∗
---------------------------------------------
Struts-2-Anwender, die sich beim Updaten an offizielle Advisories halten, sollten erneut draufschauen – oder gleich zu Versionen ab 2.3.35 / 2.5.17 wechseln.
---------------------------------------------
https://heise.de/-4500834


∗∗∗ Erpressung mit Pädophilie per E-Mail ignorieren ∗∗∗
---------------------------------------------
Angeblich wurde Ihr Computer gehackt und Sie wurden beim Masturbieren gefilmt. Damit das Video nicht veröffentlicht wird, muss ein Schweigegeld bezahlt werden. Es besteht jedoch kein Grund zur Sorge, es handelt sich um eine Betrugsmasche. Weder wurde Ihre Webcam gehackt, noch wurden intime Videos über Sie angefertigt! Verschieben Sie dieses Mail in den Spam-Ordner.
---------------------------------------------
https://www.watchlist-internet.at/news/erpressung-mit-paedophilie-per-e-mail-ignorieren/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Severe Flaws in Kubernetes Expose All Servers to DoS Attacks ∗∗∗
---------------------------------------------
Two high severity security flaws impacting the Kubernetes open-source system for handling containerized apps can allow an unauthorized attacker to trigger a denial of services state remotely, without user interaction. 
---------------------------------------------
https://www.bleepingcomputer.com/news/security/severe-flaws-in-kubernetes-expose-all-servers-to-dos-attacks/


∗∗∗ Remote Code Execution: Doppelte Hintertür in Webmin ∗∗∗
---------------------------------------------
In der Systemkonfigurationssoftware Webmin waren offenbar für über ein Jahr Hintertüren, mit denen sich übers Netz Code ausführen lässt. Den Angreifern gelang es dabei offenbar, die Release-Dateien des Projekts zu manipulieren. 
---------------------------------------------
https://www.golem.de/news/remote-code-execution-doppelte-hintertuer-in-webmin-1908-143311-rss.html


∗∗∗ iOS 12.4 jailbreak released after Apple ‘accidentally un-patches’ an old flaw ∗∗∗
---------------------------------------------
A fully functional jailbreak has been released for the latest iOS 12.4 on the Internet, making it the first public jailbreak in a long time—thanks to Apple. Dubbed "unc0ver 3.5.0," the jailbreak works with the updated iPhones, iPads and iPod Touches by leveraging a vulnerability that Apple previously patched in iOS 12.3 but accidentally reintroduced in the latest iOS version 12.4.
---------------------------------------------
https://thehackernews.com/2019/08/ios-iphone-jailbreak.html


∗∗∗ SphinxSearch 0.0.0.0:9306 (CVE-2019-14511) ∗∗∗
---------------------------------------------
TL;DR: SphinxSearch comes with a insecure default configuration that opens a listener on port 9306. No auth required. Connections using a mysql client are possible.
---------------------------------------------
https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-14511/


∗∗∗ Security Bulletin VLC 3.0.8 ∗∗∗
---------------------------------------------
If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.
While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.
We have not seen exploits performing code execution through these vulnerabilities
---------------------------------------------
https://www.videolan.org/security/sb-vlc308.html


∗∗∗ Ruby rest-client 1.6.13 ∗∗∗
---------------------------------------------
It seems that rest-client 1.6.13 is uploaded to rubygems.org. I did review between 1.6.9 and 1.6.13 and it seems that latest version evaluate remote code from pastebin.com and sends information to mironanoru.zzz.com.ua
---------------------------------------------
https://github.com/rest-client/rest-client/issues/713


∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Aspose APIs ∗∗∗
---------------------------------------------
Cory Duplantis and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. 
---------------------------------------------
https://blog.talosintelligence.com/2019/08/aspose-APIs-RCE-vulns-aug-2019.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (flask), openSUSE (clementine, dkgpg, libTMCG, openexr, and zstd), Oracle (kernel, mysql:8.0, redis:5, and subversion:1.10), SUSE (nodejs6, python-Django, and rubygem-rails-html-sanitizer), and Ubuntu (cups, docker, docker-credential-helpers, kconfig, kde4libs, libreoffice, nova, and openldap).
---------------------------------------------
https://lwn.net/Articles/796759/


∗∗∗ IBM Security Bulletin: IBM MQ is vulnerable to a denial of service attack within the error logging function (CVE-2019-4049) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-within-the-error-logging-function-cve-2019-4049/


∗∗∗ IBM Security Bulletin: A vulnerability in IBM Websphere Application Server affects IBM Cloud App Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-websphere-application-server-affects-ibm-cloud-app-management/


∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM License Metric Tool v9 (CVE-2019-4046). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-websphere-application-server-liberty-affects-ibm-license-metric-tool-v9-cve-2019-4046/


∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM License Key Server Administration & Reporting Tool and Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vulnerabilities-in-ibm-websphere-application-server-liberty-affect-ibm-license-key-server-administration-reporting-tool-and-agent/


∗∗∗ IBM Security Bulletin: IBM MQ Appliance affected by an OpenSSH vulnerability (CVE-2019-6110) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-affected-by-an-openssh-vulnerability-cve-2019-6110/


∗∗∗ IBM Security Bulletin: Information disclosure for IBM Infosphere Global Name Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosure-for-ibm-infosphere-global-name-management/


∗∗∗ IBM Security Bulletin: Information disclosure for IBM Infosphere Identity Insight ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosure-for-ibm-infosphere-identity-insight/


∗∗∗ IBM Security Bulletin: Error Message Vulnerabilities Affect IBM Emptoris Sourcing, IBM Emptoris Contract Management and IBM Emptoris Spend Analysis. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-error-message-vulnerabilities-affect-ibm-emptoris-sourcing-ibm-emptoris-contract-management-and-ibm-emptoris-spend-analysis/


∗∗∗ IBM Security Bulletin: Cross-site Scripting Affects IBM Emptoris Spend Analysis (CVE-2019-4482) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-affects-ibm-emptoris-spend-analysis-cve-2019-4482/


∗∗∗ IBM Security Bulletin: SQL Injection Affects IBM Emptoris Spend Analysis and IBM Emptoris Contract Management (CVE-2019-4481, CVE-2019-4483) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-sql-injection-affects-ibm-emptoris-spend-analysis-and-ibm-emptoris-contract-management-cve-2019-4481-cve-2019-4483/


∗∗∗ IBM Security Bulletin: Multiple IBM MQ Security Vulnerabilities Affect IBM Sterling B2B Integrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-ibm-mq-security-vulnerabilities-affect-ibm-sterling-b2b-integrator/


∗∗∗ IBM Security Bulletin: API Connect V2018 (ova) is impacted by vulnerabilities in Ubuntu OS (CVE-2019-4504) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-ova-is-impacted-by-vulnerabilities-in-ubuntu-os-cve-2019-4504/


∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by a Kubernetes vulnerability(CVE-2019-11246) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-impacted-by-a-kubernetes-vulnerabilitycve-2019-11246/


∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal is impacted by a path traversal vulnerability. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-developer-portal-is-impacted-by-a-path-traversal-vulnerability/


∗∗∗ IBM Security Bulletin: IBM i is affected by networking BIND vulnerability CVE-2019-6471. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-networking-bind-vulnerability-cve-2019-6471/


∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by a information disclosure vulnerability (CVE-2019-4437) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-impacted-by-a-information-disclosure-vulnerability-cve-2019-4437/


∗∗∗ IBM Security Bulletin: IBM Cloud Kubernetes Service is affected by Linux Kernel security vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-kubernetes-service-is-affected-by-linux-kernel-security-vulnerabilities-cve-2019-11477-cve-2019-11478-cve-2019-11479/


∗∗∗ IBM Security Bulletin: XML External Entity Injection vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4424) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-xml-external-entity-injection-vulnerability-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2019-4424/


∗∗∗ IBM Security Bulletin: Reverse tabnabbing vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4425) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-reverse-tabnabbing-vulnerability-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2019-4425/


∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Docker (CVE-2018-15664) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerability-affects-ibm-cloud-private-docker-cve-2018-15664/


∗∗∗ IBM Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-multiple-security-vulnerabilities/


∗∗∗ IBM Security Bulletin: Vulnerability in NTP affects AIX (CVE-2019-8936) Security Bulletin ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ntp-affects-aix-cve-2019-8936-security-bulletin/


∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2018 – Includes Oracle Jul 2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-jul-2018-includes-oracle-jul-2018-cpu-affects-db2-recovery-expert-for-linux-unix-and-windows/


∗∗∗ HTTP/2 Empty Frames Flood vulnerability CVE-2019-9518 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K46011592


∗∗∗ HTTP/2 Settings Flood vulnerability CVE-2019-9515 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K50233772


∗∗∗ HTTP/2 Ping Flood vulnerability CVE-2019-9512 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K98053339


∗∗∗ HTTP/2 Reset Flood vulnerability CVE-2019-9514 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01988340

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily