End-of-Shift report
Timeframe: Friday 03-04-2015 18:00 − Tuesday 07-04-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
On Demand Webinar: Monitoring Linux/UNIX Privileged Users
On Demand Webinar - Randy Franklin Smith looks at how to audit what admins do inside Linux and UNIX with sudo's logging capabilities. Then, the BeyondTrust team will walk through how to augment sudo for complete control and auditing over UNIX and Linux user activity.
http://blog.beyondtrust.com/on-demand-webinar-monitoring-linuxunix-privileged-users
Dyre Wolf malware steals more than $1 million, bypasses 2FA protection
Campaign is crude and brazen, but rakes in cash anyway.
http://feeds.arstechnica.com/~r/arstechnica/security/~3/dSucTqiLvNI/
Angler Exploit Kit Utilizing 302 Cushioning and Domain Shadowing
Overview: Angler Exploit Kit is one of the most prevalent and advanced exploit kits in use today and is continually evolving. Angler continues to utilize malvertising to push landing pages, and malicious actors are still registering domains solely for serving exploits, but recently we've noticed an increase in two new infection vectors - 302 Cushioning and Domain Shadowing. 302 Cushioning, or a
http://feedproxy.google.com/~r/zscaler/research/~3/JUMaL-rqARE/angler-exploit-kit-utilizing-302.html
Bugs in Tor exploited to run DoS against black markets
A severe vulnerability in the Tor network was exploited by attackers to run denial of service attacks against two underground black markets. An operator of an underground black market hosted on the Tor network revealed that his site suffered a DoS attack that exploited a flaw in the Tor architecture. The event is not isolated; a similar...
http://securityaffairs.co/wordpress/35663/hacking/bugs-in-tor-dos.html
Bring Out Your Dead: An Update on the PCI relevance of SSLv3
In October, a tidal wave of discussion surrounding SSLv3 hit the information security community with the release of the POODLE attack vector. This served to heat up existing discussions about when and how organizations would give SSLv3 the final thump...
https://www.ambiron.com/Resources/SpiderLabs-Blog/Bring-Out-Your-Dead--An-Update-on-the-PCI-relevance-of-SSLv3/
A severe arbitrary code execution in BitTorrent Sync affects various products
A security expert has discovered a severe vulnerability in BitTorrent Sync that can be exploited by a remote attacker to execute arbitrary code on a vulnerable machine. The security expert Andrea Micalizzi, also known as "rgod", has discovered a serious vulnerability in BitTorrent Sync (CVE-2015-2846) that can be exploited by a remote attacker to execute arbitrary code.
http://securityaffairs.co/wordpress/35752/hacking/severe-flaw-bittorrent-sync.html
SS7 vulnerabilities: Firewalls are meant to mitigate attacks
The problems in the SS7 protocol cannot simply be secured, since no corresponding security measures were ever implemented for it. With firewalls, providers can at least mitigate the vulnerabilities.
http://www.golem.de/news/ss7-schwachstellen-firewalls-sollen-angriffe-mildern-1504-113335-rss.html
Fuzzing: How Heartbleed could have been found
A year ago the Heartbleed bug in OpenSSL made headlines, yet such bugs can be tracked down with the help of fuzzing technologies. We reproduced this with the tools American Fuzzy Lop and Address Sanitizer and rediscovered the Heartbleed bug.
http://www.golem.de/news/fuzzing-wie-man-heartbleed-haette-finden-koennen-1504-113345-rss.html
Firefox update: Mozilla switches opportunistic encryption off again
Not even a week after Firefox 37, Mozilla now has to follow up with Firefox 37.0.1. The security feature "opportunistic encryption" can be abused to undermine the security of SSL/TLS connections and has been removed again.
http://heise.de/-2596576
Cell Phone Opsec
Here's an article on making secret phone calls with cell phones. His step-by-step instructions for making a clandestine phone call are as follows: Analyze your daily movements, paying special attention to anchor points (bases of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren't changing locations); Leave your daily cell phone behind...
https://www.schneier.com/blog/archives/2015/04/cell_phone_opse.html
ZDI-15-112: ManageEngine Desktop Central MSP InventorySWMeteringServlet domain File Upload Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-15-112/
ZDI-15-113: ManageEngine OpManager MultipartRequestServlet filename File Upload Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-15-113/
ZDI-15-114: ManageEngine Desktop Central MSP AndroidCheckInServlet UDID Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-15-114/
ZDI-15-115: BitTorrent Sync btsync: Protocol Command Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of BitTorrent Sync. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
http://www.zerodayinitiative.com/advisories/ZDI-15-115/
ZDI-15-116: IBM Lotus Domino SSL2 Client Master Key Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-15-116/
ZDI-15-117: IBM Lotus Domino LDAP ModifyRequest add Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Domino. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-15-117/
Security Advisory: OpenSSL vulnerability CVE-2015-0287
(SOL16318)
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16318.html?ref=rss
Security Advisory: OpenSSL vulnerability CVE-2009-5146
(SOL16337)
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16337.html?ref=rss
Security Advisory: Multiple MySQL vulnerabilities
(SOL16355)
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16355.html?ref=rss
SA-CONTRIB-2015-065 - Registration codes - Multiple vulnerabilities
Advisory ID: DRUPAL-SA-CONTRIB-2015-065
Project: Registration codes (third-party module)
Version: 6.x, 7.x
Date: 2015-March-04
Security risk: 16/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description: Registration codes module allows new account registrations only for users who provide a valid registration code. The module was not properly sanitizing user supplied text in some pages, thereby exposing XSS
https://www.drupal.org/node/2445955
OpenSSH 6.8 Insecure Functions
Topic: OpenSSH 6.8 Insecure Functions Risk: Low Text:-=[Advanced Information Security Corp]=- Author: Nicholas Lemonias Report Date: 2/4/2015 Email: lem.nikolas (at) gmail ...
http://cxsecurity.com/issue/WLB-2015040029
IDM 4.0.2 ACF2 Driver Version 4.0.0.3 Patch 1
Abstract: IDM 4.0.2-4.5 Bi-Directional ACF2 Driver Version 4.0.0.3. This patch is for the Identity Manager 4.0.2 to 4.5 ACF2 Driver. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, RACFEXEC.XMT
Document ID: 5206570
Security Alert: Yes
Distribution Type: Field Test File
Entitlement Required: No
Files: idm402acf2_4003.tar.gz (2.55 MB)
Products: Identity Manager 4.0.2, Identity Manager 4.5
Superseded Patches: None
https://download.novell.com/Download?buildid=oJ3evaNQb2M~
IDM 4.0.2 RACF Driver Version 4.0.0.11 Patch 3
Abstract: IDM 4.0.2-4.5 Bi-Directional RACF Driver Version 4.0.0.11. This patch is for the Identity Manager 4.0.2 to 4.5 RACF Driver. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, RACFEXEC.XMT
Document ID: 5206551
Security Alert: Yes
Distribution Type: Field Test File
Entitlement Required: No
Files: idm402racf_40011.tar.gz (2.99 MB)
Products: Identity Manager 4.0.2, Identity Manager 4.5
Superseded Patches: IDM 4.0.2 RACF Driver Version 4.0.0.8 Patch 2
https://download.novell.com/Download?buildid=6F0mcIA5UQs~
IDM 4.0.2-4.5 Top Secret Driver Version 3.6.1.10 Patch 1
Abstract: IDM 4.0.2-4.5 Bi-Directional Top Secret Driver Version 3.6.1.10. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, TSSEXEC.XMT
Document ID: 5206590
Security Alert: Yes
Distribution Type: Field Test File
Entitlement Required: No
Files: idm402topsecret_36110.tar.gz (2.66 MB)
Products: Identity Manager 4.0.2, Identity Manager 4.5
Superseded Patches: None
https://download.novell.com/Download?buildid=_WYyICODfL8~
Cisco Wireless LAN Controller HTML Help Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=38222
HPSBMU03296 rev.1 - HP BladeSystem c-Class Onboard Administrator running OpenSSL, Remote Denial of Service (DoS)
Potential security vulnerabilities have been identified with HP BladeSystem c-Class Onboard Administrator. These vulnerabilities include the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow a Denial of Service (DoS).
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04599440
HPSBGN03306 rev.1 - HP IceWall SSO MCRP, SSO Dfw, and SSO Agent running OpenSSL, Remote Denial of Service (DoS)
Potential security vulnerabilities have been identified with HP IceWall SSO MCRP, SSO Dfw, and SSO Agent running OpenSSL. The vulnerabilities could be exploited remotely resulting in Denial of Service (DoS).
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04626468
DFN-CERT-2015-0463 - Google Chrome, Chromium, Ubuntu oxide-qt: Multiple vulnerabilities allow, among other things, execution of arbitrary code
07.04.2015
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0463/
Security Advisory: Persistent XSS in WP-Super-Cache
Security Risk: Dangerous
Exploitation level: Very Easy/Remote
DREAD Score: 8/10
Vulnerability: Persistent XSS
Patched Version: 1.4.4
During a routine audit for our Website Firewall (WAF), we discovered a dangerous Persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to wordpress.org). The security issue, as well as another bug-fix
http://blog.sucuri.net/2015/04/security-advisory-persistent-xss-in-wp-super-cache.html