[CERT-daily] Tageszusammenfassung - 18.06.2019

Daily end-of-shift report team at cert.at
Tue Jun 18 18:10:25 CEST 2019


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 17-06-2019 18:00 − Dienstag 18-06-2019 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Security Alert: Booking.Com Fake Emails Infect Computers with Sodinokibi Ransomware ∗∗∗
---------------------------------------------
A new spam campaign pretending to be from Booking.com is now targeting users. The emails carry a document containing macro code. If someone clicks on the document, opens it, and allows the execution of the macro code, a loader will be spawned. This will download and run ransomware of the Sodinokibi class.
---------------------------------------------
https://heimdalsecurity.com/blog/booking-com-fake-emails-sodinokibi-ransomware/


∗∗∗ Plurox: Modular backdoor ∗∗∗
---------------------------------------------
The analysis showed the Backdoor.Win32.Plurox to have a few quite unpleasant features. What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins.
---------------------------------------------
https://securelist.com/plurox-modular-backdoor/91213/


∗∗∗ Malware sidesteps Google permissions policy with new 2FA bypass technique ∗∗∗
---------------------------------------------
When Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one of the positive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.
We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google’s recent restrictions. As a bonus, this technique also works to obtain OTPs from some email-based 2FA systems.
---------------------------------------------
https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/


∗∗∗ Sharing the Secrets: Pwning an industrial IoT router ∗∗∗
---------------------------------------------
I get involved in a lot of IoT and ICS pen tests and found an interesting device on one of them. I didn’t have enough time on the job to go as deep as I wanted, so got PTP to buy a couple to play with. eBay FTW! It’s an Ewon Flexy IoT Router.
---------------------------------------------
https://www.pentestpartners.com/security-blog/sharing-the-secrets-pwning-an-industrial-iot-router/


∗∗∗ Bestellen Sie nicht bei lastore.net ∗∗∗
---------------------------------------------
Auch wenn die Preise bei lastore.net sehr verlockend sind, raten wir von einer Bestellung ab. Denn lastore.net ist ein Fake-Shop, der trotz Bezahlung keine Ware liefert!
---------------------------------------------
https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-lastorenet/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ TCP SACK PANIC: Linux- und FreeBSD-Kernel lassen sich aus der Ferne angreifen ∗∗∗
---------------------------------------------
Netflix hat einige Sicherheitsprobleme im Netzwerk-Stack von Linux- und FreeBSD-Kerneln entdeckt, die sich für Denial-of-Service-Attacken eignen.
---------------------------------------------
https://heise.de/-4449183


∗∗∗ Vulnerability Spotlight: Two bugs in KCodes NetUSB affect some NETGEAR routers ∗∗∗
---------------------------------------------
KCodes’ NetUSB kernel module contains two vulnerabilities that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. Specific models of these routers utilize the kernel module from KCodes, a Taiwanese company. The module is custom-made for each device, but they all contain similar functions.
---------------------------------------------
https://blog.talosintelligence.com/2019/06/vulnerability-spotlight-two-bugs-in.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (linux-hardened), Debian (kdepim, kernel, linux-4.9, and phpmyadmin), Fedora (ansible and glib2), openSUSE (kernel and vim), Oracle (bind and kernel), Red Hat (kernel and kernel-rt), Scientific Linux (bind and kernel), SUSE (dbus-1, ImageMagick, kernel, netpbm, openssh, and sqlite3), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon and linux,
---------------------------------------------
https://lwn.net/Articles/791370/


∗∗∗ Critical Flaw Exposes TP-Link Wi-Fi Extenders to Remote Attacks ∗∗∗
---------------------------------------------
A critical remote code execution vulnerability discovered by an IBM X-Force researcher allows an unauthenticated attacker to take complete control of some TP-Link Wi-Fi extenders. Firmware updates that should patch the flaw have been made available by the vendor.
---------------------------------------------
https://www.securityweek.com/critical-flaw-exposes-tp-link-wi-fi-extenders-remote-attacks


∗∗∗ MISP: Schwachstelle ermöglicht Codeausführung ∗∗∗
---------------------------------------------
MISP ist eine Open-Source-Plattform für den Informationsaustausch über Bedrohungen.
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MISP ausnutzen, um beliebigen Programmcode auszuführen.
CVE Liste: 	CVE-2019-12868
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0515


∗∗∗ Improper Access Control Vulnerability in AppDNA ∗∗∗
---------------------------------------------
A vulnerability has been identified in AppDNA that could result in access controls not being enforced when accessing the web console potentially allowing privilege escalation and remote code execution.
---------------------------------------------
https://support.citrix.com/article/CTX253828


∗∗∗ IBM Security Bulletin: Password exposure via job log in IBM Spectrum Protect Plus (CVE-2019-4385) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-exposure-via-job-log-in-ibm-spectrum-protect-plus-cve-2019-4385/


∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2019-4364) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-csv-injection-cve-2019-4364/


∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4303) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-cross-site-scripting-cve-2019-4303/


∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Tivoli System Automation for Multiplatforms April 2019 CPU (CVE-2019-2684) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-java-sdk-affects-ibm-tivoli-system-automation-for-multiplatforms-april-2019-cpu-cve-2019-2684/


∗∗∗ IBM Security Bulletin: IBM i is affected by networking BIND vulnerability CVE-2018-5743 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-networking-bind-vulnerability-cve-2018-5743/


∗∗∗ IBM Security Bulletin: An Arbitrary Download Vulnerability Affects IBM Campaign (CVE-2019-4384) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-an-arbitrary-download-vulnerability-affects-ibm-campaign-cve-2019-4384/


∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerability Affects IBM Marketing Platform (CVE-2017-1107) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosure-vulnerability-affects-ibm-marketing-platform-cve-2017-1107/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list