[CERT-daily] Tageszusammenfassung - 23.05.2019

Daily end-of-shift report team at cert.at
Thu May 23 18:10:06 CEST 2019


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 22-05-2019 18:00 − Donnerstag 23-05-2019 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ SandboxEscaper Drops Three More Windows Exploits, IE Zero-Day ∗∗∗
---------------------------------------------
SandboxEscaper held true to that promise, on Thursday releasing on GitHub the proof-of-concepts (PoCs) for another three Windows LPE flaws, and a sandbox-escape zero-day vulnerability impacting Internet Explorer 11. One of them however turns out to already be patched. 
...
Though SandboxEscaper released PoC demos for these last three flaws, researchers have not yet confirmed their validity.
---------------------------------------------
https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/


∗∗∗ IT threat evolution Q1 2019 ∗∗∗
---------------------------------------------
Zebrocy and GreyEnergy, four zero-day vulnerabilities in Windows, attacks on cryptocurrency exchanges, a very old bug in WinRAR, attacks on smart devices and other events of the first quarter of 2019.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2019/90978/


∗∗∗ Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 ∗∗∗
---------------------------------------------
Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1903 (a.k.a., “19H1”), and for Windows Server version 1903.
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/


∗∗∗ New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices ∗∗∗
---------------------------------------------
We discovered a new variant of Mirai that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campaign
---------------------------------------------
https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices/


∗∗∗ Jeder dritte RDP-Server Österreichs auf „BlueKeep“ anfällig ∗∗∗
---------------------------------------------
In einem überraschenden Schritt hat Microsoft vergangene Woche eine kritische Schwachstelle in den eigentlich nicht mehr unterstützten Betriebssystemen Windows XP und Server 2003 behoben. Die Remote Code Execution „BlueKeep“ (CVE-2019-0708) in der Fernwartungsfunktion Remote Desktop Service (RDP) ist für entfernte Angreifer direkt ausnutzbar und wird als kritisch eingestuft.
---------------------------------------------
https://www.offensity.com/de/blog/jeder-dritte-rdp-server-oesterreichs-auf-bluekeep-anfaellig/


∗∗∗ GetCrypt Ransomware Brute Forces Credentials, Decryptor Released ∗∗∗
---------------------------------------------
A new ransomware called GetCrypt is being installed through malvertising campaigns that redirect victims to the RIG exploit kit. ... If you were infected with the GetCrypt Ransomware, it is possible to get your files back for free. All you need is a original unencrypted copy of a file that has been encrypted.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/getcrypt-ransomware-brute-forces-credentials-decryptor-released/


∗∗∗ iX 6/2019: Follow-Up zu den Sicherheitsproblemen in Office 365 ∗∗∗
---------------------------------------------
Auf die von der iX aufgedeckten Sicherheitsproblemen in Office 365 reagierte Microsoft nun – zufriedenstellen konnten die Antworten aber nicht.
---------------------------------------------
https://heise.de/-4429020


∗∗∗ Apple behebt Firmwareproblem bei T2-Sicherheitschip ∗∗∗
---------------------------------------------
Der Konzern hat ein Zusatzupdate für macOS 10.14.5 freigegeben, das bestimmte MacBook-Pro-Modelle betrifft. Details sind noch rar.
---------------------------------------------
https://heise.de/-4429365


∗∗∗ Undurchsichtige Angebote auf retinollift.com und hyaluronicone.com ∗∗∗
---------------------------------------------
Auf retinollift.com und hyaluronicone.com werden diverse Beautyprodukte angeboten und auch ein besonderes Tagesangebot als „Today’s Special“ beworben. Dieses Spezialangebot enthält eine vermeintlich kostenlose Probe, lediglich der Versand muss per Kreditkarte bezahlt werden. Kurz darauf kommt es aber zu weiteren Abbuchungen, denen die verärgerten Konsument/innen nie bewusst zugestimmt haben.
---------------------------------------------
https://www.watchlist-internet.at/news/undurchsichtige-angebote-auf-retinolliftcom-und-hyaluroniconecom/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ WordPress plugin "WP Open Graph" vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
Description: WordPress plugin "WP Open Graph" provided by Custom4Web contains a cross-site request forgery vulnerability (CWE-352).
Impact: If a user views a malicious page while logged in, unintended operations may be performed.
---------------------------------------------
https://jvn.jp/en/jp/JVN33652328/


∗∗∗ Vuln: Apache Camel CVE-2019-0188 XML External Entity Injection Vulnerability ∗∗∗
---------------------------------------------
Apache Camel is prone to an XML External Entity injection vulnerability.
Attackers can exploit this issue to obtain potentially sensitive information. This may lead to further attacks.
---------------------------------------------
http://www.securityfocus.com/bid/108422


∗∗∗ Vuln: QEMU CVE-2019-12247 Integer Overflow Vulnerability ∗∗∗
---------------------------------------------
Attackers can exploit this issue to crash the QEMU instance, resulting in a denial-of-service condition. Due to the nature of this issue, code execution may be possible but this has not been confirmed.
---------------------------------------------
http://www.securityfocus.com/bid/108434


∗∗∗ WD My Cloud RCE ∗∗∗
---------------------------------------------
In this post I’ll explain how I discoverd several vulnerabilities in Western Digital NAS devices and used them together to execute code remotely, as root. To take control of the NAS an attacker needs to be in the same network and know its IP address.
---------------------------------------------
https://bnbdr.github.io/posts/wd/


∗∗∗ DoS Vulnerability in RTSP Module of Huawei Smart Phones ∗∗∗
---------------------------------------------
There is a DoS vulnerability in RTSP module of some Huawei smart phones. Remote attacker could trick the user into opening a malformed RTSP media stream to exploit this vulnerability. Successful exploit could cause the affected phone abnormal, leading to a DoS condition. ... CVE-2019-5284.
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190523-01-smartphone-en


∗∗∗ Tcl code injection security exposure ∗∗∗
---------------------------------------------
Certain coding practices may allow an attacker to inject arbitrary Tool Command Language (Tcl) commands, which could be executed in the security context of the target Tcl script.
---------------------------------------------
https://support.f5.com/csp/article/K15650046


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg and firefox-esr), openSUSE (bzip2, chromium, and GraphicsMagick), Slackware (curl), SUSE (ucode-intel), and Ubuntu (curl and intel-microcode).
---------------------------------------------
https://lwn.net/Articles/789224/


∗∗∗ Synology-SA-19:25 Virtual Machine Manager ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Virtual Machine Manager.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_25


∗∗∗ cURL: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
cURL ist eine Client-Software, die das Austauschen von Dateien mittels mehrerer Protokolle wie z. B. HTTP oder FTP erlaubt.
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in cURL ausnutzen, um einen Denial of Service Angriff durchzuführen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0444


∗∗∗ IBM Security Bulletin: IBM API Connect V5 is potentially impacted by a weak cipher (CVE-2019-4256) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-v5-is-potentially-impacted-by-a-weak-cipher-cve-2019-4256/


∗∗∗ IBM Security Bulletin: Vulnerability in Apache ActiveMQ Affects IBM Control Center (CVE-2019-0222) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-apache-activemq-affects-ibm-control-center-cve-2019-0222/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ and IBM MQ Appliance ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-mq-and-ibm-mq-appliance-3/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affects-ibm-infosphere-information-server-6/


∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list