Daily summary - Monday 3-11-2014

End-of-Shift report

Timeframe: Friday 31-10-2014 18:00 - Monday 03-11-2014 18:00 Handler: Stephan Richter Co-Handler: n/a

CVE-2014-4115 Analysis: Malicious USB Disks Allow For Possible Whole System Control

One of the bulletins that was part of the October 2014 Patch Tuesday cycle was MS14-063, which fixed a vulnerability in the FAT32 disk partition driver that could allow an attacker to gain administrator rights on affected systems with nothing more than a USB disk carrying a specially modified file system. This vulnerability was also designated...

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/E2Ur54TO5Qo/


CSAM Month of False Positives: Appropriately Weighting False and True Positives, (Fri, Oct 31st)

This is a guest diary submitted by Chris Sanders. We will gladly forward any responses or please use our comment/forum section to comment publicly. If you work with any type of IDS, IPS, or other detection technology then you have to deal with false positives. One common mistake I see people make when managing their indicators and rules is relying solely on the rate of false positives that are observed. While...

https://isc.sans.edu/diary.html?storyid=18905&rss


CVE-2012-0158 continues to be used in targeted attacks

30-month-old vulnerability still a popular way to infect systems. If all you have to worry about are zero-day vulnerabilities, you have got things pretty well sorted. Although it is true that sometimes zero-days are being used to deliver malware (such as the recent use of CVE-2014-4114 by the SandWorm group), in many cases even the more targeted attacks get away with using older, long patched vulnerabilities, exploiting the fact that many users and organisations don't patch as quickly as they

http://www.virusbtn.com/blog/2014/10_31a.xml?rss


Reversing D-Link's WPS Pin Algorithm

While perusing the latest firmware for D-Link's DIR-810L 802.11ac router, I found an interesting bit of code in sbin/ncc, a binary which provides back-end services used by many other processes on the device, including the HTTP and UPnP servers. I first began examining this particular piece of code with the...

http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/


Adobe: Current Flash vulnerabilities already in exploit kits

It is time once again to pay closer attention to vulnerabilities in Adobe's Flash Player. Two dangerous holes that were only just patched have already been integrated into current exploit kits. Eset even believes that Flash is now replacing Java at the top of the popularity scale.

http://www.golem.de/news/adobe-aktuelle-flash-sicherheitsluecken-bereits-in-exploit-kits-1411-110247-rss.html


justniffer a Packet Analysis Tool, (Mon, Nov 3rd)

Are you looking for another packet sniffer? justniffer is a packet sniffer with some interesting features. According to the author, this packet sniffer can rebuild and save HTTP file content sent over the network. It uses portions of Linux kernel source code for handling all TCP/IP processing. Precisely, it uses a slightly modified version of the libnids libraries, which already include a modified version of Linux code in a more reusable form.[1] The tarball can be downloaded here and a package is

https://isc.sans.edu/diary.html?storyid=18907&rss


BE2 Custom Plugins, Router Abuse, and Target Profiles

The BlackEnergy malware is crimeware turned APT tool and is used in significant geopolitical operations lightly documented over the past year. An even more interesting part of the BlackEnergy story is the relatively unknown custom plugin capabilities to attack ARM...

http://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/


Security: Vulnerability discovered in Mac OS X 10.10

Mac OS X 10.10 and 10.8.5 contain a vulnerability that allows a complete takeover of the system. Its discoverer has not yet published details, by agreement with Apple.

http://www.golem.de/news/security-sicherheitsluecke-in-mac-os-x-10-10-entdeckt-1411-110265-rss.html


OpenBSD 5.6 kicks out OpenSSL

With the new version of the free Unix, the OpenBSD developers switch from OpenSSL to LibreSSL. Numerous smaller improvements come with it.

http://www.heise.de/newsticker/meldung/OpenBSD-5-6-kickt-OpenSSL-2441288.html/from/rss09?wt_mc=rss.ho.beitrag.rdf


Hacking Team: Manuals show infection via code injection and WLAN

"Internet surveillance made easy": The Italian company Hacking Team is, alongside Finfisher, considered the best-known manufacturer of spyware. Manuals that have now been published show the surveillance capabilities.

http://www.golem.de/news/hacking-team-handbuecher-zeigen-infektion-ueber-code-injection-und-wlan-1411-110272-rss.html


RDP Replay

Here at Context we work hard to keep our clients safe. During routine client monitoring our analysts noticed some suspicious RDP traffic. It was suspicious for two reasons. Firstly the client was not in the habit of using RDP, and secondly it had a Chinese keyboard layout. This information is available in the ClientData handshake message of non-SSL traffic, and can easily be seen in wireshark.

http://contextis.com/resources/blog/rdp-replay/


l+f: Analysis of the Drupal disaster

How could this have happened? Must we all die?

http://www.heise.de/security/meldung/l-f-Analyse-des-Drupal-Desasters-2441484.html


Visa: Credit card flaw allows charging one million dollars via NFC

Using a tampered terminal - researchers present the flaw at a security conference - Visa plays it down

http://derstandard.at/2000007655779


Ongoing Sophisticated Malware Campaign Compromising ICS (Update A)

This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01 Ongoing Sophisticated Malware Campaign Compromising ICS that was published October 28, 2014, on the ICS-CERT web site.

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01A


Bugtraq: [SE-2014-01] Missing patches / inaccurate information regarding Oracle Oct CPU

http://www.securityfocus.com/archive/1/533862


HP CM3530 Color LaserJet Printer Lets Remote Users Access Data and Deny Service

http://www.securitytracker.com/id/1031153


CBI Referral Manager <= 1.2.1 Cross-Site Scripting (XSS)

2014-11-01T18:57:24

https://wpvulndb.com/vulnerabilities/7654


GB Gallery Slideshow 1.5 - SQL Injection

2014-11-02T13:12:44

https://wpvulndb.com/vulnerabilities/7655


Vuln: MantisBT Incomplete Fix Multiple SQL Injection Vulnerabilities

http://www.securityfocus.com/bid/70856


VU#210620: uIP and lwIP DNS resolver vulnerable to cache poisoning

Vulnerability Note VU#210620: uIP and lwIP DNS resolver vulnerable to cache poisoning. Original Release date: 03 Nov 2014 | Last revised: 03 Nov 2014.
Overview: The DNS resolver implemented in uIP and lwIP is vulnerable to cache poisoning due to non-randomized transaction IDs (TXIDs) and source port reuse.
Description: CWE-330: Use of Insufficiently Random Values - CVE-2014-4883. The DNS resolver implemented in all versions of uIP, as well as lwIP versions 1.4.1 and earlier, is vulnerable to cache...

http://www.kb.cert.org/vuls/id/210620


IBM Security Bulletin: Weaker than expected security with Liberty Repository affecting Rational Application Developer for WebSphere Software (CVE-2014-4767)

The WebSphere Application Server Liberty profile could provide weaker than expected security when installing features via the Liberty Repository. A remote attacker could exploit this vulnerability using a man-in-the-middle technique to cause the installation of malicious code. CVE(s): CVE-2014-4767. Affected product(s) and affected version(s): IBM Rational Application Developer for WebSphere Software 9.1.0.1. Refer to the following reference URLs for remediation and additional

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_weaker_than_expected_security_with_liberty_repository_affecting_rational_application_developer_for_websphere_software_cve_2014_4767?lang=en_us


IBM Security Bulletin: Multiple Security vulnerabilities found in WebSphere Commerce XML External Entity (XXE) Processing (CVE-2014-4834, CVE-2014-4769 )

IBM WebSphere Commerce Enterprise, Professional, Express and Developer is vulnerable to a denial of service, caused by issues with detecting recursion during entity expansion. CVE(s): CVE-2014-4834 and CVE-2014-4769. Affected product(s) and affected version(s): WebSphere Commerce V6.0 and V7.0. Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin:

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_multiple_security_vulnerabilities_found_in_websphere_commerce_xml_external_entity_xxe_processing_cve_2014_4834_cve_2014_4769?lang=en_us


IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors

There are multiple vulnerabilities in OpenSSL, which is used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139). These issues were disclosed on August 6, 2014 by the OpenSSL Project. CVE(s): CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512 and CVE-2014-5139. Affected...

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_multiple_vulnerabilities_in_openssl_affect_ibm_tivoli_netcool_system_service_monitors_application_service_monitors?lang=en_us


IBM Security Bulletin: IBM Notes Traveler for Android client explicit warning against use of HTTP (CVE-2014-6130)

The IBM Notes Traveler client for Android devices allows the end user to connect to their Traveler server over HTTPS (using SSL) or the open HTTP standard. At present, the client application does not explicitly warn the end user if the Traveler administrator has chosen the insecure HTTP variant as the transport medium. CVE(s): CVE-2014-6130. Affected product(s) and affected version(s): All releases of IBM Notes Traveler for Android prior to version 9.0.1.3. Refer to the following...

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_ibm_notes_traveler_for_android_client_explicit_warning_against_use_of_http_cve_2014_6130?lang=en_us


IBM Security Bulletin: IBM Tivoli NetView for z/OS (distributed components) affected by multiple vulnerabilities that have been identified in IBM Runtime Environment, Java Technology Edition, Versions 6 & 7 (CVE-2014-4263 and

Vulnerabilities have been identified in IBM Runtime Environment, Java Technology Edition, Versions 6 and 7, utilized by IBM Tivoli NetView for z/OS distributed components. CVE(s): CVE-2014-4263 and CVE-2014-4244. Affected product(s) and affected version(s): This vulnerability is known to affect IBM Tivoli NetView for z/OS v5.3, 5.4, 6.1, 6.2 & 6.2.1 in certain distributed components. Releases/systems/configurations not known to be affected: IBM Tivoli NetView for...

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_ibm_tivoli_netview_for_z_os_distributed_components_affected_by_multiple_vulnerabilities_that_have_been_identified_in_ibm_runtime_environment_java_technology_edition_versions_