End-of-Shift report
Timeframe: Thursday 13-03-2014 18:00 - Friday 14-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
Bugtraq: [ MDVSA-2014:057 ] mediawiki
Updated mediawiki packages fix multiple vulnerabilities:
http://www.securityfocus.com/archive/1/531452
Vuln: Mutt Mailreader mutt_copy_hdr() Function Heap Based Buffer Overflow Vulnerability
Mutt mailreader is prone to a heap-based buffer-overflow vulnerability.
Successful exploitation of this issue allows an attacker to execute arbitrary code in the context of the application; failed exploit attempts lead to a denial-of-service condition.
Mutt versions prior to 1.5.23 are vulnerable.
http://www.securityfocus.com/bid/66165
Schneider Electric StruxureWare SCADA Expert ClearSCADA Parsing Vulnerability
OVERVIEW
Andrew Brooks identified and reported to the Zero Day Initiative (ZDI) a file parsing vulnerability: Schneider Electric StruxureWare SCADA Expert ClearSCADA ServerMain.exe OPF File Parsing Vulnerability. Schneider Electric has prepared workarounds and helped develop security upgrades for a third-party component that is affected.
AFFECTED PRODUCTS
The following SCADA Expert ClearSCADA versions are affected:
http://ics-cert.us-cert.gov/advisories/ICSA-14-072-01
VU#807134: WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability
...
Overview WatchGuard Fireware XTM 11.8.1, and possibly earlier versions, contains a cross-site scripting vulnerability.
http://www.kb.cert.org/vuls/id/807134
Squid Flaw in SSL-Bump Lets Remote Users Deny Service
A remote user can send HTTPS requests to trigger a flaw in SSL-Bump and cause the target service to crash.
Specially crafted requests are not required to trigger this vulnerability.
http://www.securitytracker.com/id/1029908
Wireshark NFS/M3UA/RLC Dissector Bugs Let Remote Users Deny Service and MPEG Buffer Overflow Lets Remote Users Execute Arbitrary Code
Several vulnerabilities were reported in Wireshark. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
http://www.securitytracker.com/id/1029907
Blogs of War: Don’t Be Cannon Fodder
On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren't used in attacks going forward.
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/TMHH3NsEOxo/
Cisco Cloud Portal Discloses Cryptographic Material That Lets Remote Users Decrypt Data
A vulnerability was reported in Cisco Cloud Portal. A local user can obtain cryptographic material. A remote user with access to the cryptographic material can then decrypt data.
The Cisco Intelligent Automation for Cloud (Cisco IAC) binaries include fixed cryptographic material. A remote user that can access encrypted data from the target Cisco IAC installation can decrypt the data.
http://www.securitytracker.com/id/1029915
Google Docs Users Targeted by Sophisticated Phishing Scam
We see millions of phishing messages every day, but recently one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.
http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam
McAfee Email Gateway Input Validation Flaws Let Remote Authenticated Users Inject SQL and Operating System Commands
Several vulnerabilities were reported in McAfee Email Gateway. A remote authenticated user can execute arbitrary operating system commands on the target system. A remote authenticated user can inject SQL commands.
http://www.securitytracker.com/id/1029916
Firefox Exec Shellcode From Privileged Javascript Shell
Risk: Medium
http://cxsecurity.com/issue/WLB-2014030113
A decade of securing Europe’s cyber future. The EU’s cyber security Agency ENISA is turning ten, and is looking at future challenges.
In the “eternal marathon” against cyber criminals, there is a “constant, increasing need for ENISA”.
http://www.enisa.europa.eu/media/press-releases/a-decade-of-securing-europe2019s-cyber-future-the-eu2019s-cyber-security-agency-enisa-is-turning-ten-and-is-looking-at-future-challenges
lighttpd Directory Traversal and SQL Injection Vulnerabilities
Two vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information and conduct SQL injection attacks.
...
Successful exploitation requires mod_evhost and/or mod_simple_vhost modules to be enabled.
https://secunia.com/advisories/57333
Samsung Backdoor May Not Be as Wide Open as Initially Thought
... As demonstrated in a proof-of-concept attack, this allowed certain baseband code to gain access to a device’s storage under a specific set of circumstances. But upon closer inspection, this backdoor is most likely not as bad as it was initially made out to be.
http://www.xda-developers.com/android/samsung-backdoor-may-not-be-as-wide-open-as-initially-thought/
EU Parliament votes for mandatory reporting of cyber attacks
The MEPs have adopted, by a large majority but with some amendments, a draft directive from the EU Commission on network and information security. Member states are to strengthen their cooperation.
http://www.heise.de/newsticker/meldung/EU-Parlament-stimmt-fuer-Meldepflicht-von-Cyberangriffen-2145107.html/from/rss09?wt_mc=rss.ho.beitrag.rdf
Gameover ZeuS Jumps on the Bitcoin Bandwagon
We're always asking our analysts the following question: seen anything interesting? And yesterday, the answer to our query was this: Gameover ZeuS has some additional strings. Very interesting, indeed. Here's a screenshot of the decrypted strings:
• aBitcoinQt_exe
• aBitcoind_exe
• aWallet_dat
• aBitcoinWallet
• aBitcoinWalle_0
Bitcoin wallet stealing has really moved up from the bush leagues. Gameover ZeuS is a pro. Analysis is ongoing. Here's the SHA1:
http://www.f-secure.com/weblog/archives/00002685.html
Target staff IGNORED security alerts as hackers slurped 40m customers' card details
Reports say staff dithered while hackers went to town
Staff at US retailer Target failed to stop the theft of 40 million credit card records last December despite an escalating series of alarms from the company's security systems.…
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/14/target_failed_to_act_on_security_alerts/
Debian Security Advisory DSA-2879-1 libssh -- security update
It was discovered that libssh, a tiny C SSH library, did not reset the state of the PRNG after accepting a connection. A server mode application that forks itself to handle incoming connections could see its children sharing the same PRNG state, resulting in a cryptographic weakness and possibly the recovery of the private key.
http://www.debian.org/security/2014/dsa-2879
Sophos UTM TCP Stack Memory Leak Denial of Service Vulnerability
A vulnerability has been reported in Sophos UTM, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an error within the TCP stack and can be exploited to cause a memory leak.
The vulnerability is reported in versions prior to 9.109.
https://secunia.com/advisories/57344
Blog: Analysis of Malware from the MtGox leak archive
A few days ago the personal blog and Reddit account of MtGox CEO Mark Karpeles were hacked. Attackers used them to post a file, MtGox2014Leak.zip, which they claim contains valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search for and steal Bitcoin wallet files from its victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealer malware that takes advantage of people's keen interest in the MtGox topic.
http://www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_leak_archive