Daily Summary - Thursday 3-12-2015

End-of-Shift report

Timeframe: Wednesday 02-12-2015 18:00 − Thursday 03-12-2015 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner

Botconf 2015 Wrap-Up Day #1

Here we go for a new edition of the Botconf edition. Already the third one. This conference is moving every year across France and, after Nantes and Nancy, the organizers chose Paris and more precisely the Google France venue!

https://blog.rootshell.be/2015/12/02/botconf-2015-wrap-up-day-1/


ElasticZombie Botnet - Exploiting Elasticsearch Vulnerabilities

With the rise of inexpensive Virtual Servers and popular services that install insecurely by default, coupled with some juicy vulnerabilities (read: RCE - Remote Code Execution), like CVE-2015-5377 and CVE-2015-1427, this year will be an interesting one for Elasticsearch.

https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities


Industrial control system gateway fix opens Heartbleed, Shellshock

Metasploit module released to make 0day pwnage easy. Rapid 7 security man Todd Beardsley says new firmware released to patch hardcoded SSH keys in Advantech EKI industrial control system gateways contains known brutal flaws including Shellshock, Heartbleed, and buffer overflows.

http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/industrial_control_system_gateway_fix_opens_heartbleed_shellshock/


DSA-3411 cups-filters - security update

Michal Kowalczyk discovered that missing input sanitising in the foomatic-rip print filter might result in the execution of arbitrary commands.

https://www.debian.org/security/2015/dsa-3411


Red Hat JBoss Enterprise Application Platform: Two vulnerabilities allow, among other things, the execution of arbitrary code

https://portal.cert.dfn.de/adv/DFN-CERT-2015-1857/


3G/4G cellular USB modems are full of critical security flaws, many 0-days

An analysis of popular 3G and 4G cellular USB modems and routers used around the world revealed a myriad of serious vulnerabilities in each of them.

http://www.net-security.org/secworld.php?id=19182


Kaspersky Security Bulletin 2015. Top security stories

The end of the year is traditionally a time for reflection - for taking stock of our lives before considering what lies ahead. We'd like to offer our customary retrospective of the key events that have shaped the threat landscape in 2015.

http://securelist.com/analysis/kaspersky-security-bulletin/72886/kaspersky-security-bulletin-2015-top-security-stories/


A Case Study of Information Stealers: Part I

Introduction: A stealer is a type of malware that looks for passwords stored on the machine and sends them remotely (e.g. mail, HTTP) to an attacker. Most stealers use a web interface to facilitate browsing the data, especially if the targeted number of victims is important.

http://resources.infosecinstitute.com/a-case-study-of-information-stealers-part-i/


Report: Scripting languages most vulnerable, mobile apps need better crypto

According to an analysis of over 200,000 applications, PHP is the programming language with the most vulnerabilities, mobile apps suffer from cryptography problems, and developers are more likely to fix errors found with static instead of dynamic analysis.

http://www.cio.com/article/3011668/encryption/report-scripting-languages-most-vulnerable-mobile-apps-need-better-crypto.html#tk.rss_security


Botnet operators use Dropbox as a dead drop

The Lowball malware is reported to abuse Dropbox accounts to control infected machines in a botnet. In this way online criminals aim to make it harder for investigators to trace them.

http://heise.de/-3030993


Worldwide Cryptographic Products Survey: Edits and Additions Wanted

Back in September, I announced my intention to survey the world market of cryptographic products. The goal is to compile a list of both free and commercial encryption products that can be used to protect arbitrary data and messages.

https://www.schneier.com/blog/archives/2015/12/worldwide_crypt.html


Week of Continuous Intrusion Tools - Day 4 - Common Abuse Set, Lateral Movement and Post Exploitation

Welcome to Day 4 of Week of Continuous Intrusion tools. We are discussing security of Continuous Integration (CI) tools in this series of blog posts.

http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-4.html


Bugtraq: ESA-2015-171 EMC NetWorker Denial-of-service Vulnerability

EMC NetWorker contains a resolution for a Denial-of-service vulnerability. The vulnerability when exploited may allow malicious users to disrupt NetWorker services on affected systems.

http://www.securityfocus.com/archive/1/537037


OpenSSL Security Advisory [3 Dec 2015]

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
X509_ATTRIBUTE memory leak (CVE-2015-3195)
Race condition handling PSK identity hint (CVE-2015-3196)

https://openssl.org/news/secadv/20151203.txt


Security Advisory: Linux libuser vulnerability CVE-2015-3246

libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges. (CVE-2015-3246)

https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05770600.html?ref=rss


Cisco SIP Phone 3905 Resource Limitation Denial of Service Vulnerability

A vulnerability in the Cisco Unified SIP Phone 3905 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151202-sip


Cisco Unity Connection Cross-Site Scripting Vulnerability

A vulnerability in the HTTP web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151202-pca


Cisco IOS-XE 3S Platforms Series Root Shell License Bypass Vulnerability

A vulnerability in the way software packages are loaded in the Cisco IOS-XE Operating System for the Cisco IOS-XE 3S platforms could allow an authenticated, local attacker to gain restricted root shell access.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151130-iosxe3s


IBM Security Bulletin

Vulnerability in Apache Commons affects IBM InfoSphere Discovery (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971529

Vulnerabilities in GSKit affect IBM MQ Appliance (CVE-2015-7421, CVE-2015-7420)

http://www.ibm.com/support/docview.wss?uid=swg21971500

Vulnerabilities in GSKit 8 affect Tivoli Directory Server and IBM Security Directory Server (CVE-2015-7421, CVE-2015-7420)

http://www.ibm.com/support/docview.wss?uid=swg21972076

IBM Spectrum Scale (GPFS) Hadoop connector is affected by a security vulnerability (CVE-2015-7430)

http://www.ibm.com/support/docview.wss?uid=isg3T1022979

IBM Spectrum Scale (GPFS) Hadoop connector is affected by a security vulnerability (CVE-2015-7430)

http://www.ibm.com/support/docview.wss?uid=ssg1S1005461

A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2015-4872)

http://www.ibm.com/support/docview.wss?uid=swg21971753

Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere Appliance Management Center (CVE-2015-4872)

http://www.ibm.com/support/docview.wss?uid=swg21971515

Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime, affect IBM Endpoint Manager for Remote Control

http://www.ibm.com/support/docview.wss?uid=swg21971798

Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA (October 2015: CVE-2015-4872, CVE-2015-4911, CVE-2015-5006)

http://www.ibm.com/support/docview.wss?uid=swg21972112

Multiple vulnerabilities in IBM Java SDK affect Rational Method Composer (CVE-2015-4872)

http://www.ibm.com/support/docview.wss?uid=swg21971419

Vulnerability in Apache Commons affects IBM i (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=nas8N1021018

Vulnerability in Apache Commons affects IBM Lotus Mashups (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971925

Infosphere BigInsights is affected by vulnerabilities in Apache HBase and Hive that could allow a remote attacker to gain unauthorized access to the system or authenticate with improper credentials (CVE-2015-1772,

http://www.ibm.com/support/docview.wss?uid=swg21969546

Vulnerability in Apache Commons affects RIT and RTCP in Rational Test Workbench, RTCP and RIT Agent in Rational Test Virtualization Server, and RIT Agent in Rational Performance Test Server (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971818

Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management, and IBM Emptoris Services Procurement. (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971731

Vulnerability in Apache Commons affects Enterprise Records

http://www.ibm.com/support/docview.wss?uid=swg21971268

Vulnerability in Apache Commons affects IBM Sterling B2B Integrator (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971758

Vulnerability in Apache Commons affects IBM InfoSphere Information Server (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971410

Vulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971580

Vulnerability in Apache Commons affects IBM Algo Credit Administrator (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971240

Vulnerability in Apache Commons Collections affects IBM Forms Experience Builder (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971536

Vulnerability in Apache Commons affects IBM Application Server on Cloud (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21972179

Multiple vulnerabilities in bundled components affect IBM SPSS Collaboration and Deployment Services (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971599

Vulnerability in Apache Commons affects IBM MQ Appliance (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971498

Vulnerability in Apache Commons affects IBM WebSphere Appliance Management Center (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971506

Vulnerability in Apache Commons affects IBM WebSphere Application Server Community Edition v3.0.0.4 (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21972094

Vulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository Studio (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971579

Vulnerability in Apache Commons affects IBM Cognos Metrics Manager (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21971382

Vulnerabilities in Apache Commons Collections and Apache Groovy affect IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns (CVE-2015-4852, CVE-2015-3253)

http://www.ibm.com/support/docview.wss?uid=swg21971291

Vulnerability in Apache Commons affects IBM Tivoli Composite Application Manager Agent for WebSphere Applications (CVE-2015-7450)

http://www.ibm.com/support/docview.wss?uid=swg21972216

Fix Available for Security Vulnerabilities in IBM WebSphere Portal (CVE-2015-4993, CVE-2015-4998, CVE-2015-5001, CVE-2015-7413)

http://www.ibm.com/support/docview.wss?uid=swg21970176