[CERT-daily] Tageszusammenfassung - 22.05.2020

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 20-05-2020 18:00 − Freitag 22-05-2020 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Drahtlos-Standard: Bluetooth-Sicherheitslücke betrifft praktisch alle Geräte ∗∗∗
---------------------------------------------
Bluetooth erfordert beim Verbindungsaufbau keine beidseitige Authentifizierung. Der Angriff Bias funktioniert als Master und als Slave.
---------------------------------------------
https://www.golem.de/news/drahtlos-standard-bluetooth-sicherheitsluecke-betrifft-praktisch-alle-geraete-2005-148659-rss.html


∗∗∗ Sarwent Malware Continues to Evolve With Updated Command Functions ∗∗∗
---------------------------------------------
Sarwent has received little attention from researchers, but this backdoor malware is still being actively developed, with new commands and a focus on RDP.
---------------------------------------------
https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/


∗∗∗ Shining a light on “Silent Night” Zloader/Zbot ∗∗∗
---------------------------------------------
The latest Malwarebytes Threat Intel report focuses on Silent Night, a new banking Trojan recently tracked as Zloader/Zbot.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2020/05/the-silent-night-zloader-zbot/


∗∗∗ Vulnerability Spotlight: Memory corruption vulnerability in GNU Glibc leaves smart vehicles open to attack ∗∗∗
---------------------------------------------
Modern automobiles are complex machines, merging both mechanical and computer systems under one roof. As automobiles become more advanced, additional sensors and devices are added to help the vehicle understand its internal and external environments. These sensors provide drivers with real-time information, connect the vehicle to the global fleet network and, in some cases, actively use and interpret this telemetry data to drive the [...]
---------------------------------------------
https://blog.talosintelligence.com/2020/05/cve-2020-6096.html


∗∗∗ Bequemlichkeit vs. Sicherheit bei Smart‑Home Geräten ∗∗∗
---------------------------------------------
Trotz der wachsenden Akzeptanz von Smart-Home-Geräten, sollten wir unsere Privatsphäre und Sicherheit nicht der Bequemlichkeit opfern.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/05/20/bequemlichkeit-vs-sicherheit-bei-smart-home-geraeten/


∗∗∗ Tools Used in GhostDNS Router Hijack Campaigns Dissected ∗∗∗
---------------------------------------------
The source code of the GhostDNS exploit kit (EK) has been obtained and analyzed by researchers. GhostDNS is used to compromise a wide range of routers to facilitate phishing -- perhaps more accurately, pharming -- for banking credentials. Target routers are mostly, but not solely, located in Latin America.
---------------------------------------------
https://www.securityweek.com/tools-used-ghostdns-router-hijack-campaigns-dissected


∗∗∗ Ragnar Locker Ransomware Uses Virtual Machines for Evasion ∗∗∗
---------------------------------------------
The Ragnar Locker ransomware has been deploying a full virtual machine to ensure that it can evade detection, Sophos reveals.
---------------------------------------------
https://www.securityweek.com/ragnar-locker-ransomware-uses-virtual-machines-evasion


∗∗∗ Free ImmuniWeb Tool Allows Organizations to Check Dark Web Exposure ∗∗∗
---------------------------------------------
Web security company ImmuniWeb this week announced a free tool that allows businesses and government organizations to check their dark web exposure.
---------------------------------------------
https://www.securityweek.com/free-immuniweb-tool-allows-organizations-check-dark-web-exposure


∗∗∗ Wahre Liebe oder Betrug? So finden Sie es heraus! ∗∗∗
---------------------------------------------
Egal ob auf Sozialen Netzwerken wie Facebook oder Instagram, auf Online-Partnerbörsen oder einfach per Mail - immer wieder melden uns LeserInnen sogenannte Love- oder Romance-Scammer. Durch Liebesbeteuerungen und Geschichten aus Ihrem Alltag erschleichen sich die BetrügerInnen das Vertrauen der Opfer. Tatsächlich geht es aber auch bei dieser Betrugsmasche nur um eines: Geld.
---------------------------------------------
https://www.watchlist-internet.at/news/wahre-liebe-oder-betrug-so-finden-sie-es-heraus/


∗∗∗ Spectra: Neuartiger Angriff überwindet Trennung von WLAN und Bluetooth ∗∗∗
---------------------------------------------
Er richtet sich gegen Combo-Chips der Hersteller Broadcom und Cypress. Sie finden sich unter anderem in iPhones, MacBooks und Galaxy-S-Smartphones. Spectra nutzt Schwachstellen in einer Funktion, die einen schnellen Wechsel von einer Funktechnik zur anderen erlaubt.
---------------------------------------------
https://www.zdnet.de/88380022/spectra-neuartiger-angriff-ueberwindet-trennung-von-wlan-und-bluetooth/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003 ∗∗∗
---------------------------------------------
Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.
---------------------------------------------
https://www.drupal.org/sa-core-2020-003


∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002 ∗∗∗
---------------------------------------------
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are [...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others.
---------------------------------------------
https://www.drupal.org/sa-core-2020-002


∗∗∗ Apple Security Update: Xcode 11.5 ∗∗∗
---------------------------------------------
Impact: A crafted git URL that contains a newline in it may cause credential information to be provided for the wrong host
---------------------------------------------
https://support.apple.com/en-us/HT211183


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (keycloak, qemu, and thunderbird), Debian (dovecot), Fedora (abcm2ps and oddjob), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, and kernel-rt), SUSE (ant, bind, and freetype2), and Ubuntu (bind9 and linux, linux-aws, linux-aws-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3,linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2 ).
---------------------------------------------
https://lwn.net/Articles/821093/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, ipmitool, kernel, squid, and thunderbird), Debian (pdns-recursor), Fedora (php and ruby), Red Hat (dotnet and dotnet3.1), SUSE (dom4j, dovecot23, memcached, and tomcat), and Ubuntu (clamav, libvirt, and qemu).
---------------------------------------------
https://lwn.net/Articles/821205/


∗∗∗ Hackers Can Target Rockwell Industrial Software With Malicious EDS Files ∗∗∗
---------------------------------------------
Rockwell Automation recently patched two vulnerabilities related to EDS files that can allow malicious actors to expand their access within a targeted organization’s OT network.
---------------------------------------------
https://www.securityweek.com/hackers-can-target-rockwell-industrial-software-malicious-eds-files


∗∗∗ 2020-05-21: SECURITY ABB Device Library Wizard Information Disclosure Vulnerability (2PAA121681) ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121681&LanguageCode=en&DocumentPartId=&Action=Launch


∗∗∗ Cisco AMP for Endpoints Linux Connector and AMP for Endpoints Mac Connector Software Memory Buffer Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-amp4elinux-h33dkrvb


∗∗∗ Cisco Unified Contact Center Express Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-rce-GMSC6RKN


∗∗∗ Cisco Prime Collaboration Provisioning Software SQL Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pcp-sql-inj-22Auwt66


∗∗∗ Cisco Prime Network Registrar DHCP Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpnr-dhcp-dos-BkEZfhLP


∗∗∗ Cisco AMP for Endpoints Mac Connector Software File Scan Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-amp4emac-dos-kfKjUGtM


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ [webapps] PHPFusion 9.03.50 - Persistent Cross-Site Scripting ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/48497


∗∗∗ CVE-2004-0230 Blind Reset Attack Using the RST/SYN Bit ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-16-039


∗∗∗ Linux kernel vulnerability CVE-2019-19059 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K06554372


∗∗∗ Linux kernel vulnerability CVE-2019-19062 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K84797753

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily