Daily summary - Tuesday 30-06-2015

End-of-Shift report

Timeframe: Monday 29-06-2015 18:00 − Tuesday 30-06-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a

Windows kerberos ticket theft and exploitation on other platforms

I decided to take a look at how the kerberos tickets can be dumped from a Windows target and re-used on Linux. It was surprisingly easy to accomplish.

https://mikkolehtisalo.wordpress.com/2015/06/29/copying-windows-kerberos-tickets-to-linux/


Why vulnerability disclosure shouldn't be a marketing tool

So now we have three approaches to vulnerability disclosure: full disclosure, responsible disclosure, and marketing disclosure. My concern with the latter is that by its very nature it will get more coverage in both the IT industry and mainstream media. ... In the cases where the vulnerability does affect the organization, the security team is called into action to remediate it, but this remediation may be based more on the impact the vulnerability has had on the news headlines rather than on the impact it actually may have on the environment. This results in already overstretched security teams being distracted from other core tasks.

http://www.net-security.org/article.php?id=2318


DSA-3297 unattended-upgrades - security update

It was discovered that unattended-upgrades, a script for automatic installation of security upgrades, did not properly authenticate downloaded packages when the force-confold or force-confnew dpkg options were enabled via the DPkg::Options::* apt configuration.

https://www.debian.org/security/2015/dsa-3297


How Malware Campaigns Employ Google Redirects and Analytics, (Tue, Jun 30th)

The email message sent to the bank employee claimed that the sender received a wire transfer from the recipient's organization and that the sender wanted to confirm that the payment went through without issues. The victim was encouraged to click a link that many people would consider safe, in part because it began with https://www.google.com/. How would you examine the nature of this email? Examining MSG and EML Files on Linux: One way to analyze the suspicious message saved as an Outlook .msg file

https://isc.sans.edu/diary.html?storyid=19843&rss


Tearing Apart a Datto

Datto devices are becoming a popular backup solution for small to medium sized businesses. They are easy to use and well equipped out of the box. We recently found ourselves in an engagement where one of these devices was accessible via the LAN. Gaining access to backups is a bit of a goldmine during an assessment; unrestricted access to file shares, configuration information, extracting hashes from the NTDS.dit file, and a multitude of other things.

http://silentbreaksecurity.com/tearing-apart-a-datto/


Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway Management Interface Could Result in Arbitrary Command Injection

A vulnerability has been identified in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway Management Interface that could allow an authenticated malicious user to execute shell commands on the appliance. CVE: CVE-2015-5080

http://support.citrix.com/article/CTX201149


Many Android devices attackable via debugger

Through a vulnerability in the debugger, attackers can read the contents of main memory on over 90 percent of all Android devices and use this to launch further attacks.

http://www.heise.de/newsticker/meldung/Viele-Android-Geraete-ueber-Debugger-angreifbar-2731739.html?wt_mc=rss.ho.beitrag.rdf


Analyzing a Facebook Clickbait Worm

Here at Sucuri we suspect everything, especially when your friends start to share content written in another language with clickbait headlines. If you are not familiar with the term, clickbait is when web content is created in a way that psychologically exploits the reader's curiosity using compelling headlines. When someone clicks on the article to read it, the service promoting the article generates online advertisement revenue.

https://blog.sucuri.net/2015/06/analyzing-a-facebook-clickbait-worm.html


Vulnerabilities in Cisco products

Cisco Unified IP Phones 9900 Series Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39554

Cisco Unified Communications Domain Manager Information Disclosure Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39557

Vulnerabilities in IBM products

Security Bulletin: Vulnerabilities in libxml2 affect System Networking Products (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098306

Security Bulletin: Vulnerabilities in OpenSSL affect Flex System FC3171 8Gb SAN Switch and Flex System FC3171 8Gb SAN Pass-thru (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098265

Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Flex System Manager (FSM) SMIA Configuration Tool (CVE-2015-4000)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098403

Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware (CVE-2015-2808)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098314

Security Bulletin: Vulnerability in RC4 stream cipher affects IBM System Networking RackSwitch (CVE-2015-2808)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098302

Security Bulletin: Vulnerability in RC4 stream cipher affects IBM BladeCenter Switches (CVE-2015-2808)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098303

Security Bulletin: Multiple vulnerabilities in xorg-x11-server affect IBM Flex System Manager (FSM)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098372

Security Bulletin: GNU C library (glibc) vulnerability affects IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware (CVE-2015-0235)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098317

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098358

Security Bulletin: Vulnerabilities in OpenSSL affect IBM System x, BladeCenter and Flex Systems Unified Extensible Firmware Interface (UEFI) (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098339

IBM Security Bulletin: IBM SmartCloud Analytics - Log Analysis is affected by Open Source Python Vulnerability (CVE-2014-9365)
http://www.ibm.com/support/docview.wss?uid=swg21958936

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Endpoint Manager for Remote Control
http://www.ibm.com/support/docview.wss?uid=swg21903374

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Tivoli Endpoint Manager for Remote Control
http://www.ibm.com/support/docview.wss?uid=swg21903373

IBM Security Bulletin: A vulnerability in cURL libcURL affects IBM Tivoli Composite Application Manager for Transactions (CVE-2014-8150)
http://www.ibm.com/support/docview.wss?uid=swg21697198