[CERT-daily] Daily summary - 09.12.2019

Daily end-of-shift report team at cert.at
Mon Dec 9 18:24:28 CET 2019


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 06-12-2019 18:00 − Monday 09-12-2019 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ SCshell: Fileless Lateral Movement Using Service Manager ∗∗∗
---------------------------------------------
During red team engagements, lateral movement in a network is crucial. In addition, as a critical part of exploit chains, security solutions put a lot of effort into detecting this movement. Techniques such as remote WMI and PsExec are fairly well detected. In the case of WMI, WmiPrvSe.exe will be the parent process responsible for spawning the process, making the detection a bit easier. PsExec on its end will push a file on the remote system and register a new service.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scshell-fileless-lateral-movement-using-service-manager/


∗∗∗ We thought they were potatoes but they were beans (from Service Account to SYSTEM again) ∗∗∗
---------------------------------------------
Nevertheless, we decided to do some further research in order to understand if any bypass of the new OXID resolver restrictions, which in fact inhibit resolver requests over a port different to 135, is still possible.
---------------------------------------------
https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/


∗∗∗ Detecting unsafe path access patterns with PathAuditor ∗∗∗
---------------------------------------------
Posted by Marta Rożek, Google Summer Intern 2019, and Stephen Röttger, Software Engineer

    #!/bin/sh
    cat /home/user/foo

What can go wrong if this command runs as root? Does it change anything if foo is a symbolic link to /etc/shadow? How is the output going to be used? Depending on the answers to the questions above, accessing files this way could be a vulnerability. The vulnerability exists in syscalls that operate on file paths, such as open, rename, chmod, or exec.
---------------------------------------------
https://security.googleblog.com/2019/12/detecting-unsafe-path-access-patterns.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ NVIDIA Patches Severe Flaws in Mercedes Infotainment System Chips ∗∗∗
---------------------------------------------
NVIDIA released security updates for six high severity vulnerabilities found in the Tegra Linux Driver Package (L4T) for Jetson AGX Xavier, TK1, TX1, TX2, and Nano chips used in Mercedes-Benz's MBUX infotainment system and Bosch self-driving computer systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nvidia-patches-severe-flaws-in-mercedes-infotainment-system-chips/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (SDL), Debian (htmldoc, librabbitmq, nss, openjdk-7, openslp-dfsg, and phpmyadmin), Fedora (chromium, community-mysql, kernel, libidn2, oniguruma, proftpd, and rabbitmq-server), Mageia (ansible, clamav, evince, firefox, graphicsmagick, icu, libcryptopp, libtasn1, libtiff, libvncserver, libvpx, lz4, nss, openexr, openjpeg2, openssl, phpmyadmin, python-psutil, python-twisted, QT, sdl2_image, SDL_image, sysstat, thunderbird, and tnef), Oracle (firefox), [...]
---------------------------------------------
https://lwn.net/Articles/806832/


∗∗∗ OpenSSL: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1045


∗∗∗ [dos] Omron PLC 1.0.0 - Denial of Service (PoC) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47757


∗∗∗ [webapps] Alcatel-Lucent Omnivista 8770 - Remote Code Execution ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47761


∗∗∗ [webapps] Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47760


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-5/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-4/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-3/


∗∗∗ Security Bulletin: IBM Planning Analytics Local is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-local-is-affected-by-security-vulnerabilities/


∗∗∗ Security Bulletin: Vulnerability affects IBM Watson Assistant for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-ibm-watson-assistant-for-ibm-cloud-pak-for-data/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-2/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind/


∗∗∗ Security Bulletin: IBM Transparent Cloud Tiering is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-could-tiering-is-affected-by-a-vulnerability-in-apache-commons-compress-cve-2019-12402/


∗∗∗ Security Bulletin: IBM Transparent Cloud Tiering is affected by Netty vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-cloud-tiering-is-affected-by-netty-vulnerability/


∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Transparent Cloud Tiering ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-affect-ibm-transparent-cloud-tiering/


∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by multiple vulnerabilities in IBM® Runtime Environment Java™ Version 8 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transparent-cloud-tiering-is-affected-by-multiple-vulnerabilities-in-ibm-runtime-environment-java-version-8/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



