[CERT-daily] Tageszusammenfassung - 18.11.2019

Daily end-of-shift report team at cert.at
Mon Nov 18 18:12:14 CET 2019 

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 15-11-2019 18:00 − Montag 18-11-2019 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ New NextCry Ransomware Encrypts Data on NextCloud Linux Servers ∗∗∗
---------------------------------------------
On October 24, Nextcloud released an urgent alert about a remote code execution vulnerability that impacts the default Nextcloud NGINX configuration. Tracked as CVE-2019-11043, the flaw is in the PHP-FPM (FastCGI Process Manager) component, included by some hosting providers like Nextcloud in their default setup. A public exploit exists and has been leveraged to compromised servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/


∗∗∗ Powershell ConstrainedLanguage Mode ∗∗∗
---------------------------------------------
Gastbeitrag vom milCERT - Philipp Thaller und Stefan Bachmair - Bei der Analyse von aktueller Malware stellte sich heraus dass viele der aktuellen Exemplare (inkl. Emotet ) auf die PowerShell angewiesen sind um ihr schadhaftes Potential entfalten zu können. Schränkt man die PowerShell entsprechend ein, ist eine Ausführung des eigentlichen Schadcodes oft gar nicht möglich.
---------------------------------------------
https://cert.at/de/blog/2019/11/201911-powershell-constrainedlanguage


∗∗∗ Willhaben warnt vor betrügerischer Phishing-SMS ∗∗∗
---------------------------------------------
Wer von der Verkaufsplattform Willhaben eine SMS mit Zahlungsinformationen bekommt, soll den Link keinesfalls anklicken.
---------------------------------------------
https://futurezone.at/apps/willhaben-warnt-vor-betruegerischer-phishing-sms/400678661


∗∗∗ pax: Exploit padding oracles for fun and profit ∗∗∗
---------------------------------------------
Pax (PAdding oracle eXploiter) is a tool for exploiting padding oracles in order to: - Obtain plaintext for a given piece of CBC encrypted data. - Obtain encrypted bytes for a given piece of plaintext, using the unknown encryption algorithm used by the oracle.
---------------------------------------------
https://github.com/liamg/pax


∗∗∗ RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients ∗∗∗
---------------------------------------------
In this blogpost I will describe the process I followed to write a tool that will extract clear-text credentials from the Microsoft RDP client using API hooking. Using this approach, if you are already operating under the privileges of the compromised user (e.g. as a result of a phish) and the user has an RDP session open, you are able to extract the clear-text credentials without privilege escalation.
---------------------------------------------
https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients/


∗∗∗ Medica 2019: BSI-Leitfaden zur Cyber-Sicherheit von Medizinprodukten ∗∗∗
---------------------------------------------
Im Kontext der sicheren Digitalisierung im Gesundheitswesen hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) im Rahmen der Messe "Medica" in Düsseldorf einen neuen Leitfaden "Sicherheit von Medizinprodukten – Leitfaden zur Nutzung des MDS2 aus 2019" (Manufacturer Disclosure Statement for Medical Device Security) veröffentlicht.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Leitfaden_Med-Produkte_231019.html


∗∗∗ Google patches ‘awesome’ XSS vulnerability in Gmail dynamic email feature ∗∗∗
---------------------------------------------
The bug bounty hunter who disclosed the issue says the bug is a prime example of DOM Clobbering.
---------------------------------------------
https://www.zdnet.com/article/google-patches-awesome-xss-vulnerability-in-gmail/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0 and python-ecdsa).
---------------------------------------------
https://lwn.net/Articles/805083/


∗∗∗ Security Bulletin: Denial of Service vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2019-4096) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnerability-in-websphere-application-server-liberty-affects-ibm-spectrum-protect-operations-center-cve-2019-4096/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list