Daily summary - Monday 9-11-2015

End-of-Shift report

Timeframe: Friday 06-11-2015 18:00 - Monday 09-11-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a

ICYMI: Widespread Unserialize Vulnerability in Java, (Mon, Nov 9th)

On Friday, a blog post from Fox Glove Security was posted that details a widespread Java unserialize vulnerability that affects all the major flavors of middleware (WebSphere, WebLogic, et al). There are a lot of great details, including exploitation instructions for pentesters, in the post, so go take a look. It didn't get much press because admittedly it's complicated to explain. It also doesn't have a logo.

https://isc.sans.edu/diary.html?storyid=20353&rss


SSH client PuTTY 0.66 closes security hole

The new version of the SSH and Telnet client brings a few small improvements and bug fixes. A security vulnerability has also been closed.

http://www.heise.de/newsticker/meldung/SSH-Client-PuTTY-0-66-schliesst-Sicherheitsluecke-2911302.html?wt_mc=rss.ho.beitrag.rdf


Free Wi-Fi: what the risks are and how to protect yourself

A public network is convenient, but users should not log in blindly

http://derstandard.at/2000025293625


Guide to application whitelisting

The National Institute of Standards and Technology (NIST) has published a guide to deploying automated application whitelisting to help thwart malicious software from gaining access to organizations' computer systems.

http://www.net-security.org/secworld.php?id=19079


Dangerous bugs leave open doors to SAP HANA systems

The most serious software flaws ever have been found in SAP's HANA platform, the in-memory database platform that underpins many of the German company's products used by large companies. Eight of the flaws are ranked critical, the highest severity rating ...

http://www.cio.com/article/3003054/dangerous-bugs-leave-open-doors-to-sap-hana-systems.html#tk.rss_security


vBulletin 5.1.X Unserialize Preauth RCE Exploit

https://cxsecurity.com/issue/WLB-2015110060


Ransomware meets CMS / Linux

Ransomware on PCs has existed for years: the malware locks/encrypts the infected PC and demands a ransom so that the user can continue working. That poorly maintained websites running Joomla, WordPress, Drupal & co. are easy prey for hackers is nothing new either. We regularly see waves of defacements and exploit packs whenever someone automates the exploitation of a web vulnerability.

http://www.cert.at/services/blog/20151109095947-1618.html


Google AdWords API client libraries - XML eXternal Entity Injection (XXE)

Confirmed in googleads-php-lib <= 6.2.0 for PHP; the AdWords libraries googleads-java-lib for Java and googleads-dotnet-lib for .NET are also likely to be affected.

http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt


Closing the Open Door of Java Object Serialization

If you can communicate with a JVM using Java object serialization via java.io.ObjectInputStream, then you can send a class that executes commands against the OS from inside its readObject method, and thereby get shell access. Once you have shell access, you can modify the Java server however you feel like. This is a class of exploit called 'deserialization of untrusted data', aka CWE-502. It's a class of bug that has been encountered in Python, PHP, and Rails.

https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/


Protecting Windows Networks - Defeating Pass-the-Hash

Pass-the-hash is a popular attack technique to move laterally inside the network that relies on two components - the NTLM authentication protocol and the ability to gain password hashes. This attack allows you to log in on the systems via a stolen hash instead of providing the clear text password, so there is no need to crack those hashes. To make use of this attack, the attacker already has to have admin rights on the box, which is a plausible scenario in a modern "assume breach" mindset.

https://dfirblog.wordpress.com/2015/11/08/protecting-windows-networks-defeating-pass-the-hash/


Security Notice - Statement about Path Traversal Vulnerability in Huawei HG532 Routers Disclosed by CERT/CC

It is confirmed that some customized versions of Huawei HG532, HG532e, HG532n, and HG532s have this vulnerability. Huawei has prepared a fixed version for affected carriers and is working with them to release the fixed version.

http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/hw-460507.htm


No surprise here: Adobe's Flash is a hackers' favorite target

Adobe Systems' Flash plugin gets no love from anyone in the security field these days. A new study released Monday shows just how much it is favored by cybercriminals to sneak their malware onto computers.

http://www.cio.com/article/3002668/no-surprise-here-adobes-flash-is-a-hackers-favorite-target.html#tk.rss_security


Joomla CMS - Bad Cryptography - Multiple Vulnerabilities

Here's a complete enumeration of what I've found:
- JCrypt: Silent fallback to a weak, userspace PRNG (which is very bad for cryptography purposes)
- JCryptCipherSimple: Homegrown weak cipher (XOR-ECB)
- JCryptCipher: Chosen ciphertext attacks (no authentication)
- JCryptCipher: Data corruption / padding oracle attack
- JCryptCipher: Static IV for CBC mode (stored with JCryptKey under the misnomer property, "public") -- this sort of defeats the purpose of using CBC mode
- JCryptPasswordSimple: PHP Non-Strict Type Comparison (a.k.a. Magic Hash vulnerability)

http://www.openwall.com/lists/oss-security/2015/11/08/1


HTTP Evasions Explained - Part 7 - Lucky Numbers

This is part seven in a series which will explain the evasions done by HTTP Evader. This part will be about using the wrong or even invalid status codes to evade the analysis. For 30% of the firewalls in the test reports I've got, it is enough to use a status code of 100 instead of 200 to bypass analysis, and at least Chrome, IE and Edge will download the data even with this wrong status code:

http://noxxi.de/research/http-evader-explained-7-lucky-number.html


Security Advisory: Linux kernel vulnerability CVE-2014-9419

F5 Product Development has assigned ID 530413 (BIG-IP), ID 530553 (BIG-IQ), ID 530554 (Enterprise Manager), ID 520651 (FirePass), ID 461496 (ARX), and INSTALLER-1299 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.

https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17551.html?ref=rss


IBM Security Bulletins

Vulnerabilities in Qemu affect PowerKVM (Multiple Vulnerabilities)

http://www.ibm.com/support/docview.wss?uid=isg3T1022875

IBM Smart Analytics System 5600 is affected by vulnerabilities in IBM GPFS (CVE-2015-4974, CVE-2015-4981)

http://www.ibm.com/support/docview.wss?uid=swg21969198

Authentication Bypass vulnerability found in IBM Sterling B2B Integrator (CVE-2015-5019)

http://www.ibm.com/support/docview.wss?uid=swg21967781

IBM Smart Analytics System 5600 is affected by a vulnerability in BIND (CVE-2015-5722)

http://www.ibm.com/support/docview.wss?uid=swg21964962

Vulnerability in Net-SNMP affects PowerKVM (CVE-2015-5621)

http://www.ibm.com/support/docview.wss?uid=isg3T1022903

Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management, and IBM Emptoris Services Procurement.

http://www.ibm.com/support/docview.wss?uid=swg21969875

Multiple OpenSSL Vulnerabilities affect IBM WebSphere MQ 5.3 on HP NonStop (CVE-2015-1788) (CVE-2015-1789) (CVE-2015-1791)

http://www.ibm.com/support/docview.wss?uid=swg21966723

Multiple vulnerabilities in IBM Java Runtime affect Security Directory Integrator

https://www-304.ibm.com/support/docview.wss?uid=swg21969901