Daily Summary - Friday 10-10-2014

End-of-Shift report

Timeframe: Thursday 09-10-2014 18:00 − Friday 10-10-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a

Cisco addresses numerous vulnerabilities in ASA software

Many of the vulnerabilities can lead to a denial-of-service condition, but others could result in a full compromise of the affected system.

http://www.scmagazine.com/vulnerabilities-in-cisco-asa-software/article/376394/


CSAM: My servers started speaking IRC, and that is when I started to listen! (Thu, Oct 9th)

Hassan submitted this story: While reviewing our IDS logs, we noticed an alert for IRC botnet traffic coming from multiple servers in a specific VLAN. Ouch! One thing I keep saying in our IDS class: If your servers all of a sudden start joining IRC channels, then they are either very bored, or very compromised. But let's see how it went for Hassan. Hassan had what every analyst wants: pcaps! So he looked at the full packet capture of the traffic: The traffic wasn't 100% IRC. But it looked...

https://isc.sans.edu/diary.html?storyid=18799&rss


Critical Patch Update - October 2014 Pre-Release Announcement

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html


MS14-OCT - Microsoft Security Bulletin Advance Notification for October 2014 - Version: 1.0

This is an advance notification of security bulletins that Microsoft is intending to release on October 14, 2014. This bulletin advance notification will be replaced with the October bulletin summary on October 14, 2014.

https://technet.microsoft.com/en-us/library/security/MS14-OCT


Signed Malware = Expensive "Oops" for HP

Computer and software maker HP is in the process of notifying customers about a seemingly harmless security incident in 2010 that nevertheless could prove expensive for the company to fix and present unique support problems for users of its older products.

http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/


Malware analysts tell crooks to shape up and write decent code

Who writes their own crypto these days? Seriously! Blackhats beware: reverse engineers are laughing at your buggy advanced persistent threat (APT) malware.

http://go.theregister.com/feed/www.theregister.co.uk/2014/10/10/writing_better_malware_with_fireeye/


Two-factor authentication: Apple increases security for iCloud

Apple is extending two-factor authentication. Effective immediately, app-specific passwords are mandatory for accessing iCloud data.

http://www.golem.de/news/zwei-faktor-authentifizierung-apple-erhoeht-die-sicherheit-fuer-icloud-1410-109750-rss.html


Crims zapped mobes, slabs we collared for evidence, wail cops

Don't worry, sarge, we got all the ... oh, WTF! You know that nifty remote wipe function that takes all the photos off your phone when it gets lost? Turns out criminals know about it too, and they're using it to wipe phones taken by police as evidence.

http://go.theregister.com/feed/www.theregister.co.uk/2014/10/10/police_say_criminals_remotely_wiping_seized_mobes/


WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability

The popular MailPoet (wysija-newsletters) WordPress plugin had a serious file upload vulnerability a few months back, allowing an attacker to upload files to the vulnerable site. This issue was disclosed months ago, and the MailPoet team patched it promptly. It seems though that many are still not getting the word, or blatantly not updating, because we are...

http://blog.sucuri.net/2014/10/wordpress-websites-continue-to-get-hacked-via-mailpoet-plugin-vulnerability.html


May-August 2014

The NCCIC/ICS-CERT Monitor for May-August 2014 is a summary of ICS-CERT activities for that period of time.

https://ics-cert.us-cert.gov//monitors/ICS-MM201408


TWiki Sandbox.pm File Validation Flaw Lets Remote Authenticated Users Upload Arbitrary Windows Apache Configuration Files

http://www.securitytracker.com/id/1030982


TWiki debugenableplugins Parameter Lets Remote Users View and Modify Files

http://www.securitytracker.com/id/1030981


VMSA-2014-0006.11

VMware product updates address OpenSSL security vulnerabilities

http://www.vmware.com/security/advisories/VMSA-2014-0006.html


PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability

The Vulnerability Laboratory Research Team discovered an authentication bypass vulnerability in the PayPal Inc iOS Mobile Application.

http://www.vulnerability-lab.com/get_content.php?id=895


Cisco Security Notices for Autonomic Networking Infrastructure

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3403
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3404
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3405


HPSBHF03136 rev.1 - HP TippingPoint NGFW running OpenSSL, Remote Disclosure of Information

A potential security vulnerability has been identified with HP TippingPoint NGFW running OpenSSL. This is the OpenSSL vulnerability known as "Heartbleed" which could be exploited remotely resulting in disclosure of information.

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04475466


HPSBMU02895 SSRT101253 rev.4 - HP Data Protector, Remote Increase of Privilege, Denial of Service (DoS), Execution of Arbitrary Code

Potential security vulnerabilities have been identified with HP Data Protector. These vulnerabilities could be remotely exploited to allow an increase of privilege, create a Denial of Service (DoS), or execute arbitrary code.

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422


HPSBNS03130 rev.1 - HP NonStop Development Environment for Eclipse (NSDEE) running Bash Shell, Remote Code Execution

A potential security vulnerability has been identified with HP NonStop Development Environment for Eclipse (NSDEE) running Bash Shell. This is the Bash Shell vulnerability known as "ShellShock" which could be exploited remotely to allow execution of code.

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04474252


HPSBST03122 rev.1 - HP StoreAll Operating System Software running Bash Shell, Remote Code Execution

A potential security vulnerability has been identified with HP StoreAll Operating System Software running Bash Shell. This is the Bash Shell vulnerability known as "Shellshock" which could be exploited remotely to allow execution of code.

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04471532


IBM Security Bulletin: Seven (7) Vulnerabilities in OpenSSL affect IBM FlashSystem 840 and V840 (CVEs)

OpenSSL vulnerabilities affect the IBM FlashSystem 840 and V840 products. These vulnerabilities could allow a remote attacker to execute arbitrary code on the system, to obtain sensitive information, or to cause a denial of service. CVE(s): CVE-2014-3509, CVE-2014-3506, CVE-2014-3507, CVE-2014-3511, CVE-2014-3505, CVE-2014-3510 and CVE-2014-3508 Affected product(s) and affected version(s): IBM FlashSystem 840: Machine Type 9840, model -AE1 (all supported releases before 1.1.2.7) Machine Type...

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_seven_7_vulnerabilities_in_openssl_affect_ibm_flashsystem_840_and_v840_cves?lang=en_us


IBM Security Bulletin: Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem 840 and V840 (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-1544, CVE-2014-1545)

NSS & NSPR vulnerabilities affect the IBM FlashSystem 840 and V840 products. These vulnerabilities could allow a remote attacker to execute arbitrary code on the system, to obtain sensitive information, or to cause a denial of service. CVE(s): CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-1544 and CVE-2014-1545 Affected product(s) and affected version(s): IBM FlashSystem 840: Machine Type 9840, model -AE1 (all supported releases before 1.1.2.7) Machine Type 9843,...

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_six_6_vulnerabilities_in_network_security_services_nss_amp_netscape_portable_runtime_nspr_affect_ibm_flashsystem_840_and_v840_cve_2013_1740_cve_2014_1490_cve_2014_1491_cve_20


IBM Security Bulletin: IBM WebSphere MQ Telemetry Component - Potential authentication bypass vulnerability when using the JAASConfig property (CVE-2014-6116)

IBM WebSphere MQ contains a vulnerability in which authentication is bypassed by MQTT clients with the "JAASConfig" configuration property set. CVE(s): CVE-2014-6116 Affected product(s) and affected version(s): IBM WebSphere MQ Telemetry Component WebSphere MQ 8.0.0.1 downloaded prior to 24th September 2014 (Level: p000-001-L140910). To check your fix pack level, issue the command dspmqver and check the output of the Level option.

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_ibm_websphere_mq_telemetry_component_potential_authentication_bypass_vulnerability_when_using_the_jaasconfig_property_cve_2014_6116?lang=en_us


IBM Security Bulletin: Proventia Network Security Controller is affected by multiple OpenSSL vulnerabilities

Security vulnerabilities have been discovered in OpenSSL that were reported by the OpenSSL Project (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0160, CVE-2014-0076, CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512) CVE(s): CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0160, CVE-2014-0076, CVE-2014-3508,...

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_proventia_network_security_controller_is_affected_by_multiple_openssl_vulnerabilities?lang=en_us


IBM Security Bulletin: Remote Code Execution Vulnerability Security Bulletin: TRIRIGA Application Platform (CVE-2014-4840)

IBM TRIRIGA Application Platform could allow an attacker to execute code on the vulnerable server. An attacker could send a specially crafted URL to the server that would execute commands with the privileges of the unprivileged user running the server. CVE(s): CVE-2014-4840 Affected product(s) and affected version(s): The following Application Platform versions are affected. IBM TRIRIGA Application Platform 3.4.0 IBM TRIRIGA Application Platform 3.3.2 and 3.3.2.1 fix pack...

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_remote_code_execution_vulnerability_security_bulletin_tririga_application_platform_cve_2014_4840?lang=en_us


IBM Security Bulletins for Products affected by Vulnerabilities in Bash

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_the_ibm_hyper_scale_manager_component_of_the_xiv_management_tools_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_201
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_ibm_netezza_host_management_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_virtual_server_protection_for_vmware_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_ibm_pureapplication_system_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_protectier_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_ibm_flashsystem_840_and_v840_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us