Daily Summary - Monday 15-12-2014

End-of-Shift report

Timeframe: Friday 12-12-2014 18:00 - Monday 15-12-2014 18:00 Handler: Stephan Richter Co-Handler: n/a

ICS-CERT: BlackEnergy may be infecting WinCC systems lacking recent patch

BlackEnergy malware may be exploiting a vulnerability in Siemens SIMATIC WinCC software that was patched in early November.

http://www.scmagazine.com/ics-cert-urges-wincc-users-others-to-update-software/article/388176/


BGP Hijacking Continues, Despite the Ability To Prevent It

An anonymous reader writes: BGPMon reports on a recent route hijacking event by Syria. These events continue, despite the ability to detect and prevent improper route origination: Resource Public Key Infrastructure. RPKI is a technology that allows an operator to validate the proper relationship between an IP prefix and an Autonomous System. That is, assuming you can collect the certificates. ARIN requires operators to accept something called the Relying Party Agreement. But the provider community...

http://rss.slashdot.org/~r/Slashdot/slashdot/~3/hl_eP152_h0/story01.htm


Batten down the patches: New vuln found in Docker container tech

Last month's patch brought new privilege escalation flaw

More security woes plagued users of the Docker application containerization tech for Linux this week, after an earlier security patch was found to have introduced a brand-new critical vulnerability in the software.

http://go.theregister.com/feed/www.theregister.co.uk/2014/12/12/docker_vulnerability/


Cisco to release flying pig - Snort 3.0

Sourcefire's been making bacon, now wants you to fry it

Cisco's going to release a flying pig.

http://go.theregister.com/feed/www.theregister.co.uk/2014/12/12/cisco_to_release_flying_pig/


Worm Backdoors and Secures QNAP Network Storage Devices, (Sun, Dec 14th)

Shellshock is far from over, with many devices still not patched and out there ready for exploitation. One set of the devices receiving a lot of attention recently are QNAP disk storage systems. QNAP released a patch in early October, but applying the patch is not automatic and far from trivial for many users [1]. Our reader Erich submitted a link to an interesting Pastebin post with code commonly used in these scans [2]. The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well known...

https://isc.sans.edu/diary.html?storyid=19061&rss


SoakSoak Malware Compromises 100,000+ WordPress Websites

This Sunday has started with a bang. Google has blacklisted over 11,000 domains with this latest malware campaign from SoakSoak.ru. Our analysis is showing impacts in the order of hundreds of thousands of WordPress-specific websites. We cannot confirm the exact vector, but preliminary analysis is showing correlation with the RevSlider vulnerability we reported a...

http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html


Man-in-the-Middle attack vs. Cloudflare's Universal SSL

MitM attacks are a class of security attacks that involve compromising the authentication of a secure connection. In essence, an attacker builds a transparent tunnel between the client and the server, but makes sure that the client negotiates the secure connection with the attacker instead of the intended server. Thus the client, instead of having a secure connection to the server, has a secure connection to the attacker, which in turn has set up its own secure connection to the server, so...

http://blog.ricardomacas.com/index.php?controller=post&action=view&id_post=4


10th Annual ICS Security Summit - Orlando

For SCADA, Industrial Automation, and Control System Security

Join us for the 10th anniversary of the Annual SANS ICS Security Summit. The Summit is the premier event to attend in 2015 for ICS cybersecurity practitioners and managers. This year's summit will feature hands-on training courses focused on attacking and defending ICS environments, industry-specific pre-summit events, and an action-packed summit agenda with the release of ICS security tools and the popular security kit for Summit

https://www.sans.org/event/ics-security-summit-2015


Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)

V3.0 (December 12, 2014): Rereleased bulletin to announce the reoffering of Microsoft security update 2986475 for Microsoft Exchange Server 2010 Service Pack 3. The rereleased update addresses a known issue in the original offering. Customers who uninstalled the original update should install the updated version of 2986475 at the earliest opportunity.

https://technet.microsoft.com/en-us/library/security/MS14-075


Two newcomers in the exploit kit market

Exploit kits are a great means to an end for malware distributors, who either buy them or rent them in order to widely disseminate their malicious wares. It's no wonder, then, that unscrupulous developers are always trying to enter a market currently cornered by Angler, Nuclear, FlashEK, Fiesta, SweetOrange, and other popular exploit kits.

http://www.net-security.org/malware_news.php?id=2929


RSA Authentication Manager 8.0 / 8.1 Unvalidated Redirect

Topic: RSA Authentication Manager 8.0 / 8.1 Unvalidated Redirect Risk: Low Text: ESA-2014-173: RSA Authentication Manager Unvalidated Redirect Vulnerability EMC Identifier: ESA-2014-173 CVE Identifier:...

http://cxsecurity.com/issue/WLB-2014120080


RSA Archer GRC Platform 5.x Cross Site Scripting

Topic: RSA Archer GRC Platform 5.x Cross Site Scripting Risk: Low Text: ESA-2014-163: RSA Archer GRC Platform Multiple Vulnerabilities EMC Identifier: ESA-2014-163 CVE Identifier: See b...

http://cxsecurity.com/issue/WLB-2014120079


EMC Isilon InsightIQ Cross Site Scripting

Topic: EMC Isilon InsightIQ Cross Site Scripting Risk: Low Text: ESA-2014-164: EMC Isilon InsightIQ Cross-Site Scripting Vulnerability EMC Identifier: ESA-2014-164 CVE Identifier: CVE-...

http://cxsecurity.com/issue/WLB-2014120078


Cisco Prime Security Manager Cross-Site Scripting Vulnerability

CVE-2014-3364

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3364


Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass

Topic: Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Risk: Medium Text: Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit Vendor: Soitec Product web page: http://ww...

http://cxsecurity.com/issue/WLB-2014120086


Multiple vulnerabilities in InfiniteWP Admin Panel

InfiniteWP (http://www.infinitewp.com/) allows an administrator to manage multiple WordPress sites from one control panel. According to the InfiniteWP homepage, it is used on over 317,000 WordPress sites. The InfiniteWP Admin Panel contains a number of vulnerabilities that can be exploited by an unauthenticated remote attacker. These vulnerabilities allow taking over managed WordPress sites by leaking secret InfiniteWP client keys, allow SQL injection, allow cracking of InfiniteWP admin

http://seclists.org/fulldisclosure/2014/Dec/43


Bugtraq: Vulnerabilities in Ekahau Real-Time Location Tracking System [MZ-14-01]

http://www.securityfocus.com/archive/1/534241


[dos] - phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS

http://www.exploit-db.com/exploits/35539


Multiple vulnerabilities in BibTex Publications (si_bibtex)

It has been discovered that the extension "BibTex Publications" (si_bibtex) is susceptible to Cross-Site Scripting and SQL Injection.

http://www.typo3.org/news/article/multiple-vulnerabilities-in-bibtex-publications-si-bibtex/


Multiple vulnerabilities in Drag Drop Mass Upload (ameos_dragndropupload)

It has been discovered that the extension "Drag Drop Mass Upload" (ameos_dragndropupload) is susceptible to Cross-Site Scripting, Cross-Site Request Forgery and Improper Access Control.

http://www.typo3.org/news/article/improper-access-control-in-drag-drop-mass-upload-ameos-dragndropupload/


Security Advisory - SSLv3 POODLE Vulnerability in Huawei Products

Dec 15, 2014 18:30

http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-405500.htm


SEO Redirection <= 2.2 - Unauthenticated Stored XSS

https://wpvulndb.com/vulnerabilities/7722


Lightbox Photo Gallery 1.0 - CSRF/XSS

https://wpvulndb.com/vulnerabilities/7719


WP-FB-AutoConnect <= 4.0.5 - XSS/CSRF

https://wpvulndb.com/vulnerabilities/7721


Timed Popup <= 1.3 - CSRF & Stored XSS

https://wpvulndb.com/vulnerabilities/7720


Bugtraq: CVE-2014-2026 Reflected Cross-Site Scripting (XSS) in "Intrexx Professional"

http://www.securityfocus.com/archive/1/534230


Bugtraq: CVE-2014-2025 Remote Code Execution (RCE) in "Intrexx Professional"

http://www.securityfocus.com/archive/1/534229