End-of-Shift report
Timeframe: Thursday 27-03-2014 18:00 - Friday 28-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
New PGP keys
At CERT.at we had to phase out some old 1024 bit DSA keys as well as create new master-signing keys. This turned out to be a major effort. Key roll-overs are never easy. In order to ease the key roll-over pains, we created a key transition document. This document is signed by the old keys in order to prove authorship. ...
http://www.cert.at/services/blog/20140328155445-1086.html
NTP Amplification, SYN Floods Drive Up DDoS Attack Volumes
The potency of distributed denial of service attacks has increased steadily but dramatically over the last 14 months.
http://threatpost.com/ntp-amplification-syn-floods-drive-up-ddos-attack-volumes/105069
Schneider Electric Serial Modbus Driver Buffer Overflow
OVERVIEW
Carsten Eiram of Risk-Based Security has identified a stack-based buffer overflow vulnerability in Schneider Electric's Serial Modbus Driver that affects 11 Schneider Electric products. Schneider Electric has produced patches that mitigate this vulnerability. This vulnerability can be exploited remotely.
http://ics-cert.us-cert.gov/advisories/ICSA-14-086-01
Apple Credential Phishing via appleidconfirm.net, (Thu, Mar 27th)
ISC user Craig Cox wrote in alerting us of a fairly sophisticated phishing campaign that is currently in progress. The website appleidconfirm.net has a seemingly realistic Apple login page that is being sent out by email. The site even includes JavaScript code which validates your Apple ID as an email in an attempt to obtain only valid credentials. Upon submitting what it considers valid credentials, you're redirected to the /?2 page of the site which contains another form which appears to
http://isc.sans.edu/diary.html?storyid=17869&rss
SonicWALL Email Security Input Validation Flaw in 'License Management' and 'Advanced' Pages Permits Cross-Site Scripting Attacks
A vulnerability was reported in SonicWALL Email Security. A remote user can conduct cross-site scripting attacks.
The 'License Management' and 'Advanced' pages do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser.
http://www.securitytracker.com/id/1029965
Word and Excel Files Infected Using Windows PowerShell
Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family, CRIGENT (also known as “Power Worm”) which brings several new techniques to the table. (We detect these files as W97M_CRIGENT.JER and X97M_CRIGENT.A.) Most significantly, instead of creating or including executable code, CRIGENT uses the Windows PowerShell
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hUmCpAOj9M/
OpenSSH 6.6 bypass SSHFP DNS RR checking by HostCertificate
I've been looking at handling host keys better, and tripped over this bug. Essentially, if the server offers a HostCertificate that the client doesn't accept, then the client doesn't then check for SSHFP records.
http://cxsecurity.com/issue/WLB-2014030239
[2014-03-28] Multiple vulnerabilities in Symantec LiveUpdate Administrator
Attackers are able to compromise Symantec LiveUpdate Administrator at the application and database levels because of vulnerable password reset functionality and SQL injection vulnerabilities. This enables access to credentials of update servers on the network without prior authentication.
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140328-0_Symantec_LiveUpdate_Administrator_Multiple_vulnerabilities_wo_poc_v10.txt
Python "os._get_masked_mode()" Race Condition Security Issue
A security issue has been reported in Python, which can be exploited by malicious, local users to potentially disclose or manipulate certain data.
The security issue is caused due to a race condition within the "os._get_masked_mode()" function (Lib/os.py), which can be exploited to cause certain application-created files to be world-accessible.
The security issue is reported in versions 3.4, 3.3, and 3.2.
https://secunia.com/advisories/57672
IBM Security Bulletin: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE
This Security Bulletin addresses the security vulnerabilities that have shipped with the IBM Java Runtime Environment (JRE) included in IBM Operational Decision Manager and IBM ILOG JRules. IBM ODM and ILOG JRules now include the most recent version of the IBM JRE which fixes the security vulnerabilities reported in Oracle's Critical Patch Update releases of January 2014. CVE(s): CVE-2014-0423, CVE-2014-0416 and CVE-2014-0411 Affected product(s) and affected version(s): IBM WebSphere ILOG
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_ibm_operational_decision_manager_and_websphere_ilog_jrules_multiple_security_vulnerabilities_in_ibm_jre1?lang=en_us
Cisco IOS Software High Priority Queue Denial of Service Vulnerability
A vulnerability in the packet driver code of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of the affected device, resulting in a denial of service (DoS) condition.
CVE-2014-2131
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2131