Daily summary - Tuesday 16-12-2014

End-of-Shift report

Timeframe: Monday 15-12-2014 18:00 − Tuesday 16-12-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a

Is POODLE Back for Another Byte?

[...] The problem is a number of other TLS implementations are optimized for performance by verifying only that the first byte of padding matches the number of padding bytes. Such implementations would accept any value for the second and subsequent padding bytes. What's worse is that the adversary doesn't need to artificially downgrade the connection to SSLv3 to exploit this issue, so the barriers to execution are lower.

https://www.fireeye.com/blog/threat-research/2014/12/is_poodle_back_fora.html
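To make the FireEye point concrete, here is an added example (not code from the FireEye post, nor from any product named on this page) that simulates the POODLE padding oracle against a CBC record layer and shows why the check must cover every padding byte, which is also the flaw tracked as CVE-2014-8730 further down this page. Everything in it is constructed for the demonstration: a toy Feistel block cipher stands in for AES so that it runs without a crypto library, the keys and the secret record are made up, and `padding_ok_lax` / `padding_ok_strict` model the lax behaviour (SSLv3 semantics, and the TLS stacks FireEye describes) and the correct TLS check respectively. Against the lax check the attacker recovers a plaintext byte in about 256 submissions; against the strict check the same attack gets nowhere.

```python
import hashlib
import hmac
import random

BLOCK = 16     # block size of the toy cipher (same as AES)
MAC_LEN = 16   # truncated HMAC-SHA256 tag, so msg+MAC fills whole blocks

# Constructed keys and secret record; the attacker knows neither key.
ENC_KEY = b"toy-enc-key-0001"
MAC_KEY = b"toy-mac-key-0001"
SECRET_MSG = b"Cookie: secret=7"   # 16 bytes: msg+MAC is block-aligned


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher: 4-round Feistel network over SHA-256. A keyed
# bijection is all CBC needs here; this is NOT a real cipher.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)

def tls_pad(data: bytes) -> bytes:
    # TLS CBC padding: pad_len+1 bytes appended, each equal to pad_len.
    # Block-aligned input gets a full block of 0x0f, which POODLE relies on.
    pad_len = BLOCK - 1 - (len(data) % BLOCK)
    return data + bytes([pad_len]) * (pad_len + 1)

def mac_of(msg: bytes) -> bytes:
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

def padding_ok_lax(pt: bytes) -> bool:
    # Vulnerable: trusts the length byte, never inspects the other pad bytes.
    return pt[-1] < BLOCK

def padding_ok_strict(pt: bytes) -> bool:
    # Correct: every padding byte must equal the length byte.
    n = pt[-1]
    return n + 1 <= len(pt) and pt[-(n + 1):] == bytes([n]) * (n + 1)

def make_record(iv: bytes, msg: bytes) -> bytes:
    # MAC-then-pad-then-encrypt, as in SSL 3.0 / TLS CBC cipher suites.
    return cbc_encrypt(ENC_KEY, iv, tls_pad(msg + mac_of(msg)))

def server_accepts(iv: bytes, ct: bytes, padding_ok) -> bool:
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    if not padding_ok(pt):
        return False
    body = pt[:-(pt[-1] + 1)]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, mac_of(msg))

def poodle_recover_byte(padding_ok, target: int, max_tries: int):
    """Attacker model: can trigger fresh encryptions of the same plaintext
    (fresh IV each time) and learn only whether the server accepts a record.
    Returns (recovered last byte of block `target`, tries) or (None, max_tries)."""
    rng = random.Random(2014)          # seeded so the run is reproducible
    for tries in range(1, max_tries + 1):
        iv = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        ct = make_record(iv, SECRET_MSG)
        blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        # Replace the all-padding last block with the block we want to read.
        forged = b"".join(blocks[:-1]) + blocks[target]
        if server_accepts(iv, forged, padding_ok):
            # Accepted only when D(C_target)[15] ^ C_{n-2}[15] == 15, hence
            # P_target[15] = 15 ^ C_{target-1}[15] ^ C_{n-2}[15].
            prev = iv if target == 0 else blocks[target - 1]
            return (BLOCK - 1) ^ prev[-1] ^ blocks[-2][-1], tries
    return None, max_tries
```

With the lax check, a forged record is accepted whenever the substituted block happens to decrypt to a last byte of 0x0f (probability 1/256); any other value below 16 strips the wrong amount and the MAC check fails, so the accept/reject signal is exactly the padding oracle. With the strict check, all sixteen decrypted bytes would have to equal 0x0f, so `poodle_recover_byte(padding_ok_strict, 0, 2000)` returns `(None, 2000)`. The attack needs no SSLv3 downgrade: the oracle comes from the padding check alone, which is the lower barrier FireEye points out.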


RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise

Yesterday we disclosed a large malware campaign targeting and compromising over 100,000 WordPress sites, and growing by the hour. It was named SoakSoak due to the first domain used in the malware redirection path (soaksoak.ru). After a bit more time investigating this issue, we were able to confirm that the attack vector is the RevSlider...

http://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html


SoakSoak: Payload Analysis - Evolution of Compromised Sites - IE 11

Thousands of WordPress sites have been hit by the SoakSoak attack lately. At this moment we know quite a lot about it. It uses the RevSlider vulnerability as a point of penetration. It then uploads a backdoor and infects all websites that share the same server account (so sites that don't use the RevSlider plugin can...

http://blog.sucuri.net/2014/12/soaksoak-payload-analysis-evolution-of-compromised-sites-ie-11.html


Google Blacklists WordPress Sites Peddling SoakSoak Malware

Up to 100,000 sites hosted on WordPress may be vulnerable to a new campaign that's pushing malware and multiple exploit kits to the browser.

http://threatpost.com/google-blacklists-wordpress-sites-peddling-soaksoak-malware/109884


Safari 8.0.2 Still Supporting SSLv3 with Block Ciphers, (Mon, Dec 15th)

In October, Apple released Security Update 2014-005, specifically with the intent to address the POODLE issue [1]. The description with the update stated: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection...

https://isc.sans.edu/diary.html?storyid=19067&rss


ENISA CERT training programme now available online

ENISA has launched a new section on its website introducing the ENISA CERT training programme. In the new section, you can find all the publicly available training resources and the training courses currently provided by ENISA.

http://www.enisa.europa.eu/media/news-items/enisa-cert-training-programme-now-available-online


SSL-TLS Implementations Cipher Block Chaining Padding Information Disclosure Vulnerability

CVE-2014-8730

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730


Internet security: Cisco has POODLE problems too

Of all things, it is firewalls and load-balancing extensions from the network equipment vendor that botch their TLS implementation, and so also become susceptible to POODLE attacks on the encryption.

http://www.heise.de/security/meldung/Internet-Sicherheit-Auch-Cisco-mit-Poodle-Problemen-2497965.html


Android Hacking and Security, Part 16: Broken Cryptography

Introduction In this article, we will discuss broken cryptography in Android applications. Broken cryptography attacks come into the picture when an app developer wants to take advantage of encryption in his application. This article covers the possible ways where vulnerabilities associated with broken cryptography may be introduced in Android apps. [...]

http://resources.infosecinstitute.com/android-hacking-security-part-16-broken-cryptography/


F5 Security Advisory: Linux kernel SCTP vulnerabilities CVE-2014-3673 and CVE-2014-3687

(SOL15910) - Remote attackers may be able to cause a denial-of-service (DoS) using malformed or duplicate ASCONF chunks.

https://support.f5.com:443/kb/en-us/solutions/public/15000/900/sol15910.html


Security Advisory 2014-06: Incomplete Access Control

An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured.

https://www.otrs.com/security-advisory-2014-06-incomplete-access-control/


Apache Buffer Overflow in mod_proxy_fcgi Lets Remote Users Deny Service

http://www.securitytracker.com/id/1031371


SSA-831997 (Last Update 2014-12-15): Denial-of-Service Vulnerability in Ruggedcom ROS-based Devices

https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-831997.pdf


CA Release Automation Multiple Flaws Permit Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection Attacks

http://www.securitytracker.com/id/1031375


DokuWiki conf/mime.conf cross-site scripting

http://xforce.iss.net/xforce/xfdb/99291


Python TLS security bypass

http://xforce.iss.net/xforce/xfdb/99294


CA LISA Multiple Vulns

Risk: Medium
CA20141215-01: Security Notice for CA LISA Release Automation. Issued: December 15, 2014. CA Technologies Support is alerti...

http://cxsecurity.com/issue/WLB-2014120097


Bugtraq: [Onapsis Security Advisory 2014-034] SAP Business Objects Search Token Privilege Escalation via CORBA

http://www.securityfocus.com/archive/1/534249


Better Search <= 1.3.4 - Reflective XSS

https://wpvulndb.com/vulnerabilities/7725


WP Construction Mode <= 1.91 - Cross-Site Scripting (XSS)

https://wpvulndb.com/vulnerabilities/7724


Sliding Social Icons <= 1.61 - CSRF & Stored XSS

https://wpvulndb.com/vulnerabilities/7723


Bugtraq: "Ettercap 8.0 - 8.1" multiple vulnerabilities

http://www.securityfocus.com/archive/1/534248