Daily summary - Friday 2-10-2015

End-of-Shift report

Timeframe: Thursday 01-10-2015 18:00 - Friday 02-10-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a

Multiple XSS vulnerabilities in FortiSandbox WebUI

http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortisandbox-webui


ZebOS routing remote shell service enabled

http://www.fortiguard.com/advisory/zebos-routing-remote-shell-service-enabled


Security advisory: Stored XSS in Jetpack

During a routine audit for our WAF, we discovered a critical stored XSS affecting the Jetpack WordPress plugin, one of the most popular plugins in the WordPress ecosystem.

https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html


When Security Experts Gather to Talk Consensus, Chaos Ensues

Tension between researchers and vendors over the disclosure of software security vulnerabilities has raged for two decades. A meeting to address that tension further highlighted the tension.

http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/


Avast Antivirus X.509 Error Rendering Command Execution

https://cxsecurity.com/issue/WLB-2015100017


T-Mobile USA: Millions of customer records hacked

Around 15 million T-Mobile customers in the USA are affected by a hack of personal data. The information was not stolen from T-Mobile directly but from Experian, a service used to check the creditworthiness of prospective customers.

http://www.golem.de/news/t-mobile-usa-millionen-kundendaten-gehackt-1510-116647.html


FourQ: Microsoft's cryptographic standard aims to be better

Microsoft is entering elliptic-curve cryptography and has released a corresponding library: FourQ is said to be, in part, significantly faster than previous approaches.

http://heise.de/-2836389


IoT malware: Friendly virus promises more security

Security tips and disabled Telnet daemons: a new piece of malware wants to educate Internet users. Its discoverers nevertheless advise removing the program.

http://www.golem.de/news/iot-malware-freundlicher-virus-verspricht-mehr-sicherheit-1510-116654.html


Cisco Wireless LAN Controller Devices 802.11i Management Frame Denial of Service Vulnerability

http://tools.cisco.com/security/center/viewAlert.x?alertId=41249


Cisco Unified Communications Manager IM and Presence Service REST API Denial of Service Vulnerability

http://tools.cisco.com/security/center/viewAlert.x?alertId=41242


Omron Multiple Product Vulnerabilities

This advisory provides mitigation details for vulnerabilities in the Omron Corporation CX-Programmer software, CJ2M series programmable logic controller (PLC), and CJ2H series PLC.

https://ics-cert.us-cert.gov/advisories/ICSA-15-274-01


How Patreon got hacked

TL;DR, Patreon got hacked. We reported a specific Remote Code Execution to them due to a public debugger before they were breached. We believe this was the attack method due to the simplicity and availability of the vulnerable endpoint. This is how you prevent this from happening to you.

http://labs.detectify.com/post/130332638391/how-patreon-got-hacked-publicly-exposed-werkzeug