Daily summary - Friday 27-02-2015

End-of-Shift report

Timeframe: Thursday 26-02-2015 18:00 − Friday 27-02-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a

#JetLeak: Jetty web server leaks connection data

The Jetty server is embedded in Hadoop, Heroku, Eclipse and Google App Engine, among others. Attackers can use a newly discovered flaw to spy on data from other users' connections.

http://heise.de/-2560894


Spam Uses Default Passwords to Hack Routers

In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims. Sunnyvale, Calif.-based security firm Proofpoint said it recently detected a four-week spam...

http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/


Adventures in Xen exploitation

tl;dr: This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217). This issue was patched in June 2012 and was dis ...

https://www.nccgroup.com/en/blog/2015/02/adventures-in-xen-exploitation/


Security tool PrivDog phones home - unencrypted

The supposed security tool PrivDog is under criticism again, because it sends every visited URL to the vendor without encryption.

http://heise.de/-2560926


Dridex Downloader Analysis

Introduction Yesterday I received in my company inbox an email with an attached .xlsm file named D92724446.xlsm coming from Clare588 at 78-83-77-53.spectrumnet.bg. Central and local AV engines did not find anything malicious, and a multiengine scan got 0/57 as result. I decided to investigate a little more in-depth in order to confirm that was a malicious file...

http://resources.infosecinstitute.com/dridex-downloader-analysis/


D-Link remote access vulnerabilities remain unpatched

D-Link routers have several unpatched vulnerabilities, the worst of which could allow an attacker to gain total control over a device, according to a systems engineer in Canada. Peter Adkins, who does security research in his free time, released details of the flaws on Thursday. Adkins said in a phone interview that he has been in intermittent contact with D-Link since Jan. 11 on the issues, but the company has not indicated when it might patch.

http://www.cio.com/article/2889994/dlink-remote-access-vulnerabilities-remain-unpatched.html


Microsoft Malware Protection Center assists in disrupting Ramnit

Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol's European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft's Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC). The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit - The...

http://blogs.technet.com/b/mmpc/archive/2015/02/25/microsoft-malware-protection-center-assists-in-disrupting-ramnit.aspx


The Evil CVE: CVE-666-666 - "Report Not Read"

I had an interesting discussion with a friend this morning. He explained that, when he is conducting a pentest, he does not hesitate to add sometimes in his report a specific finding regarding the lack of attention given to the previous reports. If some companies are motivated by good intentions and ask for regular pentests against their infrastructure or a specific application, what if they even don't...

http://blog.rootshell.be/2015/02/26/the-evil-cve-cve-666-666-report-not-read/


Weekly Metasploit Wrapup

https://community.rapid7.com/community/metasploit/blog/2015/02/26/weekly-metasploit-wrapup


Threatpost News Wrap, February 27, 2015

Mike Mimoso and Dennis Fisher discuss the news of the last week, including the Superfish fiasco, the Gemalto SIM hack controversy and the continuing NSA drama.

http://threatpost.com/threatpost-news-wrap-february-27-2015/111312


VMSA-2015-0001.1

VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues

http://www.vmware.com/security/advisories/VMSA-2015-0001.html


Security Advisory: BIG-IP ASM cross-site scripting (XSS) vulnerability CVE-2015-1050

(SOL16081)

https://support.f5.com:443/kb/en-us/solutions/public/16000/000/sol16081.html?ref=rss


Security Advisory: OpenSSL vulnerability CVE-2014-0160

(SOL15159)

https://support.f5.com:443/kb/en-us/solutions/public/15000/100/sol15159.html?ref=rss


Security Advisory: XSS vulnerability in echo.jsp CVE-2014-4023

(SOL15532)

https://support.f5.com:443/kb/en-us/solutions/public/15000/500/sol15532.html?ref=rss


Cisco Security Notices

Vulnerability in IPv6 Neighbor Discovery in Cisco IOS and IOS-XE Software

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0632

Vulnerability in Authentication Proxy Feature in Cisco IOS Software

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2188

Cisco Common Services Cross-Site Scripting Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0594

Cisco ACE 4710 Application Control Engine and Application Networking Manager Cross-Site Request Forgery Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0651

DSA-3176 request-tracker4 - security update

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems:

https://www.debian.org/security/2015/dsa-3176


Network Vision IntraVue Code Injection Vulnerability

This advisory provides mitigation details for a code injection vulnerability in Network Vision's IntraVue software.

https://ics-cert.us-cert.gov/advisories/ICSA-15-057-01


[2015-02-27] Multiple vulnerabilities in Loxone Smart Home

Multiple design and implementation flaws within Loxone Smart Home enable an attacker to control arbitrary devices connected to the system, execute JavaScript code in the user's browser, steal the user's credentials and cause a denial of service.

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150227-0_Loxone_Smart_Home_Multiple_Vulnerabilities_v10.txt


TYPO3 CMS 6.2.10 released

The TYPO3 Community announces version 6.2.10 LTS of the TYPO3 Enterprise Content Management System.

http://www.typo3.org/news/article/typo3-cms-6210-released/


IBM Security Bulletin: Rational Integration Tester component in Rational Test Workbench affected by Netty vulnerability (CVE-2014-3488)

http://www.ibm.com/support/docview.wss?uid=swg21695042


IBM Security Bulletin: Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server affected by Castor Library vulnerability (CVE-2014-3004)

http://www.ibm.com/support/docview.wss?uid=swg21695037


Huge-IT Slider - SQL Injection

https://wpvulndb.com/vulnerabilities/7811

CrossSlide jQuery Plugin <= 2.0.5 - Stored XSS & CSRF

https://wpvulndb.com/vulnerabilities/7812

WPBook - CSRF

https://wpvulndb.com/vulnerabilities/7813

WPBook <= 2.7 - Cross-Site Request Forgery (CSRF)

https://wpvulndb.com/vulnerabilities/7813

WP Media Cleaner <= 2.2.6 - Cross-Site Scripting (XSS)

https://wpvulndb.com/vulnerabilities/7814