Daily Summary - Wednesday 14-12-2016

End-of-Shift report

Timeframe: Tuesday 13-12-2016 18:00 − Wednesday 14-12-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

Facebook helps companies detect rogue SSL certificates for domains

Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge. The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificates they issue. Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best,...

http://www.cio.com/article/3149737/security/facebook-helps-companies-detect-rogue-ssl-certificates-for-domains.html#tk.rss_security
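The check a domain owner actually wants from CT data is the one the article describes: which certificates naming my domain exist, and which of them did I not order. The following is an added example, not Facebook's tool and not code from the article. It consumes CT entries in the JSON shape crt.sh returns for a domain search (issuer_name, name_value with one SAN per line, not_before, serial_number) and flags certificates from an issuer outside the allow-list, certificates naming hosts not in the inventory, and wildcards. The records, the domain example.com, the issuer allow-list and the host inventory are all constructed for the demo.

```python
"""Audit Certificate Transparency data for a domain.

Added example, not Facebook's tool or code from the article. It takes CT log
entries in the JSON shape crt.sh returns for a domain search (issuer_name,
name_value with one SAN per line, not_before, serial_number) and flags
certificates a domain owner would want to look at. The records, the domain,
the issuer allow-list and the host inventory are constructed for the demo.
"""
import json
from datetime import datetime

# Constructed sample (not real CT data). Entries 2 and 3 share a serial number,
# as a precertificate and its final certificate do in real logs.
SAMPLE_CT_JSON = """[
 {"issuer_name": "C=US, O=Example Trust Services, CN=Example TLS CA",
  "name_value": "example.com\\nwww.example.com",
  "not_before": "2016-11-02T10:00:00", "serial_number": "01a3"},
 {"issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown Issuing CA",
  "name_value": "login.example.com",
  "not_before": "2016-12-13T09:15:00", "serial_number": "7f2c"},
 {"issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown Issuing CA",
  "name_value": "login.example.com",
  "not_before": "2016-12-13T09:15:00", "serial_number": "7f2c"},
 {"issuer_name": "C=US, O=Example Trust Services, CN=Example TLS CA",
  "name_value": "*.example.com",
  "not_before": "2016-12-01T08:00:00", "serial_number": "0b44"}
]"""

# Assumptions for the demo: the CAs this organisation actually buys from, and
# the hostnames it knows it operates.
EXPECTED_ISSUERS = {"C=US, O=Example Trust Services, CN=Example TLS CA"}
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}

def in_scope(name, domain):
    """True if a SAN is the monitored domain or a subdomain of it (wildcard stripped)."""
    host = name.lower()
    if host.startswith("*."):
        host = host[2:]
    return host == domain or host.endswith("." + domain)

def audit(ct_json, domain, expected_issuers, known_hosts, since_iso):
    """One finding per distinct certificate issued since `since_iso` that has
    an unexpected issuer, covers a host not in the inventory, or is a wildcard."""
    since = datetime.fromisoformat(since_iso)
    seen, findings = set(), []
    for rec in json.loads(ct_json):
        serial = rec["serial_number"]
        if serial in seen:                      # precert + leaf: count once
            continue
        seen.add(serial)
        if datetime.fromisoformat(rec["not_before"]) < since:
            continue
        names = [n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()]
        if not any(in_scope(n, domain) for n in names):
            continue
        reasons = []
        if rec["issuer_name"] not in expected_issuers:
            reasons.append("issuer not in allow-list: " + rec["issuer_name"])
        for n in names:
            if n.startswith("*."):
                reasons.append("wildcard covers every host under " + n[2:])
            elif in_scope(n, domain) and n not in known_hosts:
                reasons.append("host not in inventory: " + n)
        if reasons:
            findings.append({"serial": serial, "not_before": rec["not_before"],
                             "issuer": rec["issuer_name"], "names": names,
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CT_JSON, "example.com", EXPECTED_ISSUERS, KNOWN_HOSTS,
                   "2016-11-01T00:00:00"):
        print("%s %s\n  %s" % (f["not_before"], f["serial"], "\n  ".join(f["reasons"])))
```

For real use, replace the sample with the JSON from a crt.sh domain search or a CT log client and run it on a schedule, keeping the serial numbers already reviewed. Keep in mind what CT can and cannot show: a CA that does not log a certificate does not appear here, so the check finds disclosed mis-issuance, not all of it.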


MS16-DEC - Microsoft Security Bulletin Summary for December 2016 - Version: 1.0

This bulletin summary lists security bulletins released for December 2016. For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.

https://technet.microsoft.com/en-us/library/security/MS16-DEC


Patch day: critical vulnerabilities in Edge, Windows & Co.

Microsoft is releasing a total of twelve security updates in December. In the worst case, attackers can hijack victims' computers simply by having them open a manipulated website.

https://heise.de/-3569916


MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking

In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need. BrowserModifier:Win32/Clodaconas, for instance, displays ads when you're browsing the internet. It modifies search results pages so that you see unsolicited ads related to your...

https://blogs.technet.microsoft.com/mmpc/2016/12/13/msrt-december-2016-addresses-clodaconas-which-serves-unsolicited-ads-through-dns-hijacking/


"Statistically speaking": ransomware - a business worth millions

Petya, Goldeneye - these and other ransomware trojans have made many users worldwide pay up. Willingness to pay depends not least on the recommendations of the authorities. How much has been paid so far, and where, is shown by a new...

https://heise.de/-3569888


Malvertising Campaign Infects Your Router Instead of Your Browser

Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Discovered by security researchers from US security firm Proofpoint, this malvertising campaign is powered by a new exploit kit called DNSChanger EK. [...]

https://www.bleepingcomputer.com/news/security/malvertising-campaign-infects-your-router-instead-of-your-browser/
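Both the MSRT item above (Clodaconas rewriting search results through DNS hijacking) and the DNSChanger EK campaign end in the same place: the resolver the client uses answers dishonestly so that ads can be injected into every site. The following is an added example, not code from Microsoft's write-up or from Proofpoint's research. It builds a real DNS A query, parses a response including RFC 1035 name compression, and then applies the check that distinguishes ad-injection hijacks from ordinary resolution: many unrelated names resolving to the same address. All responses are constructed in-process, no packets are sent, and the IP addresses are RFC 5737 documentation addresses.

```python
"""Spot DNS hijacking of the kind used for ad injection.

Added example; not code from Microsoft's MSRT write-up or from Proofpoint's
DNSChanger EK research. It builds a real DNS A query, parses a response
(including RFC 1035 name compression), and then applies the check that
matters for ad-injecting hijacks: many unrelated names resolving to the same
address. All responses below are constructed in-process; no packets are sent.
The IP addresses are RFC 5737 documentation addresses.
"""
import struct

def encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid):
    """Standard query, recursion desired, one question of type A / class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                         # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_a_records(msg):
    """Return (txid, rcode, {owner name: [IPv4, ...]}) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the question(s)
        _, off = read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    answers = {}
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.setdefault(name, []).append(".".join(str(b) for b in rdata))
    return txid, flags & 0x000F, answers

def build_response(query, ips, ttl=60):
    """Constructed resolver reply: echoes the question, one A record per IP,
    owner name written as a pointer to the question name (offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return header + query[12:] + rrs

def shared_answer_ips(answers_by_name, threshold=3):
    """Ad-injecting hijacks route many unrelated sites through one proxy, so
    an address that answers for `threshold` or more distinct names is suspect."""
    names_for_ip = {}
    for name, ips in answers_by_name.items():
        for ip in set(ips):
            names_for_ip.setdefault(ip, set()).add(name)
    return {ip: sorted(n) for ip, n in names_for_ip.items() if len(n) >= threshold}

if __name__ == "__main__":
    # Constructed picture of a hijacked resolver: three unrelated sites all
    # resolve to one address; the fourth is an honest answer.
    hijacked = {"news.example": ["203.0.113.7"], "shop.example": ["203.0.113.7"],
                "bank.example": ["203.0.113.7"], "cdn.example": ["198.51.100.20"]}
    seen = {}
    for i, (name, ips) in enumerate(hijacked.items()):
        reply = build_response(build_query(name, 0x1000 + i), ips)
        seen.update(parse_a_records(reply)[2])
    for ip, names in shared_answer_ips(seen).items():
        print("suspect resolver answer: %s returned for %s" % (ip, ", ".join(names)))
```

To use this against a live network, send `build_query` output over UDP port 53 to the resolver the router handed out via DHCP and feed the replies to `parse_a_records`. Tune the threshold: CDN front ends legitimately answer for many customer domains, so confirm a hit by resolving the same names through a resolver you trust and comparing, and by checking whether the router's configured upstream DNS is still the one you set.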


Modbus Stager: Using PLCs as a payload/shellcode distribution system

This weekend I have been playing around with Modbus and I have developed a stager in assembly to retrieve a payload from the holding registers of a PLC. Since there are tons of PLCs exposed to the Internet, I wondered whether it would be possible to take advantage of the processing and memory provided by them to store a certain payload so that it can be recovered later (by the stager).

http://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html
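What makes the technique work is that holding registers are a freely readable and writable 16-bit word array with no authentication in front of them. The following is an added example, not the assembly stager from the blog post. It builds the Modbus/TCP frames the technique relies on (function 0x10 Write Multiple Registers to store, function 0x03 Read Holding Registers to fetch), shows how a byte string maps onto registers, and honours the per-request limits that force chunking. The PLC is a constructed in-memory register table; the start address 100 and unit id 1 are arbitrary choices.

```python
"""Stage bytes in a PLC's holding registers over Modbus/TCP and read them back.

Added example; it is not the assembly stager from the blog post. It builds the
Modbus/TCP frames the technique relies on (function 0x10 Write Multiple
Registers to store, function 0x03 Read Holding Registers to fetch) and shows
how an arbitrary byte string maps onto 16-bit registers, including the
per-request limits that force chunking. The PLC is a constructed in-memory
register table; the start address and unit id are arbitrary choices.
"""
import struct

MAX_READ = 125    # registers per Read Holding Registers request (Modbus spec)
MAX_WRITE = 123   # registers per Write Multiple Registers request (Modbus spec)

def mbap(txid, pdu, unit=1):
    """Prefix a PDU with the Modbus/TCP MBAP header (protocol id 0)."""
    return struct.pack("!HHHB", txid, 0, len(pdu) + 1, unit) + pdu

def payload_to_registers(payload):
    """Pack bytes big-endian into 16-bit registers, zero-padding an odd tail."""
    if len(payload) % 2:
        payload += b"\x00"
    return list(struct.unpack("!%dH" % (len(payload) // 2), payload))

def registers_to_payload(regs, length):
    """Inverse of payload_to_registers; `length` drops the padding byte."""
    return struct.pack("!%dH" % len(regs), *regs)[:length]

def write_requests(start, regs, unit=1):
    """Function 0x10 frames that store `regs` from holding register `start`."""
    frames = []
    for i in range(0, len(regs), MAX_WRITE):
        chunk = regs[i:i + MAX_WRITE]
        pdu = struct.pack("!BHHB", 0x10, start + i, len(chunk), 2 * len(chunk))
        pdu += struct.pack("!%dH" % len(chunk), *chunk)
        frames.append(mbap(len(frames) + 1, pdu, unit))
    return frames

def read_requests(start, count, unit=1):
    """Function 0x03 frames that fetch `count` registers from `start`."""
    frames = []
    for i in range(0, count, MAX_READ):
        n = min(MAX_READ, count - i)
        frames.append(mbap(len(frames) + 1, struct.pack("!BHH", 0x03, start + i, n), unit))
    return frames

def parse_read_response(frame):
    """Register values from a function 0x03 reply; raises on a Modbus exception."""
    _txid, proto, length, _unit, func = struct.unpack("!HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    if func & 0x80:
        raise ValueError("Modbus exception code 0x%02x" % frame[8])
    if func != 0x03:
        raise ValueError("unexpected function code 0x%02x" % func)
    byte_count = frame[8]
    return list(struct.unpack("!%dH" % (byte_count // 2), frame[9:9 + byte_count]))

class FakePLC:
    """Constructed stand-in for the device: a holding-register table that
    answers 0x03 and 0x10 and returns exception 01 (illegal function) otherwise."""
    def __init__(self, size=4096):
        self.hr = [0] * size

    def handle(self, frame):
        txid, _, _, unit, func = struct.unpack("!HHHBB", frame[:8])
        if func == 0x10:
            start, qty, _bc = struct.unpack("!HHB", frame[8:13])
            self.hr[start:start + qty] = struct.unpack("!%dH" % qty, frame[13:13 + 2 * qty])
            return mbap(txid, struct.pack("!BHH", 0x10, start, qty), unit)
        if func == 0x03:
            start, qty = struct.unpack("!HH", frame[8:12])
            vals = self.hr[start:start + qty]
            return mbap(txid, struct.pack("!BB%dH" % qty, 0x03, 2 * qty, *vals), unit)
        return mbap(txid, bytes([func | 0x80, 0x01]), unit)

def stage(plc, start, payload):
    """Write `payload` into registers starting at `start`; returns register count."""
    regs = payload_to_registers(payload)
    for frame in write_requests(start, regs):
        plc.handle(frame)
    return len(regs)

def retrieve(plc, start, length):
    """What the stager does: read the registers back and rebuild the bytes."""
    regs = []
    for frame in read_requests(start, (length + 1) // 2):
        regs += parse_read_response(plc.handle(frame))
    return registers_to_payload(regs, length)

if __name__ == "__main__":
    plc = FakePLC()
    blob = bytes(i % 251 for i in range(301))        # odd length, > one request
    n = stage(plc, 100, blob)
    print("stored %d bytes in %d registers at 100" % (len(blob), n))
    print("round trip ok:", retrieve(plc, 100, len(blob)) == blob)
```

Do not point this at a real controller outside a lab: holding registers are live process data and a write can change what the PLC is doing. For defenders the same frames are the detection: function 0x10 writes, or 0x03 reads of register ranges the HMI never touches, from an address that is not the engineering workstation, are worth an alert on any Modbus segment.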


UAC Bypass in JScript Dropper

What makes this sample different? After the classic execution of the PE files, it tries to bypass Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high-integrity process and uses the HKCU / HKCR registry hives to start mmc.exe, which finally opens eventvwr.msc.

https://isc.sans.edu/diary/UAC+Bypass+in+JScript+Dropper/21813
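Because eventvwr.exe resolves its mmc.exe launch through a per-user hive, the bypass leaves two traces a defender can key on: a user-writable registry value for the .msc file handler being set, and eventvwr.exe spawning a child that is not mmc.exe. The following is an added example, not code from the ISC diary or the sample it analyses. The events are constructed in the shape of Sysmon EventID 13 (registry value set) and EventID 1 (process create) records exported as JSON; the exact key path Classes\mscfile\shell\open\command is taken from the public write-up of this bypass and is an assumption as far as this page goes, which names only the hives.

```python
"""Detect the eventvwr.exe UAC bypass from endpoint telemetry.

Added example; not code from the ISC diary or the sample it analyses. The
diary says eventvwr.exe, a high-integrity process, consults the HKCU / HKCR
registry hives to launch mmc.exe. The bypass therefore leaves two traces a
defender can key on: a user-writable registry value being set for the .msc
file handler, and eventvwr.exe spawning a child that is not mmc.exe. The
events below are constructed in the shape of Sysmon EventID 13 (registry
value set) and EventID 1 (process create) records exported as JSON; the key
path (Classes\\mscfile\\shell\\open\\command) comes from the public write-up of
this bypass and is an assumption as far as the diary excerpt goes.
"""
import json

# Constructed telemetry (not real logs). Backslashes are doubled for JSON.
SAMPLE_EVENTS = r"""[
 {"EventID": 13, "UtcTime": "2016-12-13 19:02:11.120",
  "Image": "C:\\Windows\\System32\\wscript.exe",
  "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001_Classes\\mscfile\\shell\\open\\command\\(Default)",
  "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe"},
 {"EventID": 1, "UtcTime": "2016-12-13 19:02:12.004",
  "Image": "C:\\Windows\\System32\\eventvwr.exe",
  "ParentImage": "C:\\Windows\\System32\\wscript.exe", "IntegrityLevel": "High"},
 {"EventID": 1, "UtcTime": "2016-12-13 19:02:12.310",
  "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe",
  "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "IntegrityLevel": "High"},
 {"EventID": 1, "UtcTime": "2016-12-13 19:10:00.000",
  "Image": "C:\\Windows\\System32\\mmc.exe",
  "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "IntegrityLevel": "High"}
]"""

# HKCU\Software\Classes is mirrored under HKU\<SID>_Classes, so match on the
# tail of the key rather than on the hive prefix.
MSCFILE_HANDLER = r"classes\mscfile\shell\open\command"

def detect_eventvwr_bypass(events_json):
    """Return alerts for (a) writes to the per-user .msc handler key and
    (b) children of eventvwr.exe other than mmc.exe."""
    alerts = []
    for ev in json.loads(events_json):
        if ev["EventID"] == 13 and MSCFILE_HANDLER in ev["TargetObject"].lower():
            alerts.append({"rule": "mscfile-handler-hijack", "time": ev["UtcTime"],
                           "process": ev["Image"], "value": ev.get("Details", "")})
        elif ev["EventID"] == 1:
            parent = ev.get("ParentImage", "").lower()
            child = ev["Image"].lower()
            if parent.endswith("\\eventvwr.exe") and not child.endswith("\\mmc.exe"):
                alerts.append({"rule": "eventvwr-unexpected-child", "time": ev["UtcTime"],
                               "process": ev["Image"],
                               "integrity": ev.get("IntegrityLevel", "")})
    return alerts

if __name__ == "__main__":
    for a in detect_eventvwr_bypass(SAMPLE_EVENTS):
        print(a["time"], a["rule"], a["process"], a.get("value") or a.get("integrity"))
```

Legitimate software has no reason to define a per-user handler for .msc files, so the registry rule can fire on the write itself rather than waiting for the eventvwr.exe launch; droppers commonly delete the value again once the elevated child is running, so a rule that looks for the key's presence on disk will miss most of them.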


Sophos closes Dirty Cow vulnerability in UTM security suite

Sophos' Unified Threat Management solution receives security updates that close several vulnerabilities.

https://heise.de/-3570179


Electronic Safe Lock Analysis: Part 2

After performing an initial tear-down, we were able to map out the device's behaviors and attack surface. We then narrowed our efforts on analyzing the device's BLE wireless communication. The Prologic B01's main feature is that it can be unlocked by a mobile Android or iOS device over BLE. The end result was a fully-automated attack that allows us to remotely compromise any Prologic B01 lock up to 100 yards away.

http://www.somersetrecon.com/blog/2016/10/14/electronic-safe-lock-analysis-part-2-


Microsoft Fixes Windows 10 Issue That Knocked People off the Internet

Microsoft has released KB3206632, a Windows update that fixes an issue introduced in an earlier update that crashed the CDPSVC service and prevented some users from receiving IP address information via the DHCP protocol, used by both home and enterprise-grade routers to connect users to the Internet. [...]

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-issue-that-knocked-people-off-the-internet/


Xen Security Advisory 200 (CVE-2016-9932) - x86 CMPXCHG8B emulation fails to ignore operand size override

Impact: A malicious unprivileged guest may be able to obtain sensitive information from the host.

http://seclists.org/oss-sec/2016/q4/662


PHP: imagefilltoborder stack overflow on truecolor images (CVE-2016-9933)

An invalid color causes stack exhaustion through recursive calls to the function gdImageFillToBorder when the image used is truecolor. This was tested on a 64-bit platform.

https://bugs.php.net/bug.php?id=72696


Joomla! Security Announcements

[20161203] - Core - Information Disclosure

http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/EY3UcBwQtzI/666-20161203-core-information-disclosure.html

[20161202] - Core - Shell Upload

http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/fI7Ty93n-Rk/665-20161202-core-shell-upload.html

[20161201] - Core - Elevated Privileges

http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/OjvlaBoXTCU/664-20161201-core-elevated-privileges.html

[20161204] - Misc. Security Hardening

http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/jYB3ItEGbWQ/667-20161204-misc-security-hardening.html

Novell Patches

Filr 2.0 - Security Update 3

https://download.novell.com/Download?buildid=Am-_TGOll0g~

Filr 3.0 - Security Update 1

https://download.novell.com/Download?buildid=Qct0ao9jRAI~

IDM 4.5 Delimited Text Driver 4.0.2.0

https://download.novell.com/Download?buildid=hX_xlukrkNY~

Huawei Security Advisories

Security Advisory - Buffer Overflow Vulnerability in Wi-Fi Driver of Huawei Smart Phone

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-02-smartphone-en

Security Advisory - DoS Vulnerability in Huawei Firewall

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-01-firewall-en

Security Advisory - E-mail Information Leak Vulnerability in Android System

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-01-smartphone-en

Security Advisory - Memory Leak Vulnerability in Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-01-ldp-en

ICS-CERT Advisories

Visonic PowerLink2 Vulnerabilities

https://ics-cert.us-cert.gov/advisories/ICSA-16-348-01

Moxa DACenter Vulnerabilities

https://ics-cert.us-cert.gov/advisories/ICSA-16-348-02

Delta Electronics WPLSoft, ISPSoft, and PMSoft Vulnerabilities

https://ics-cert.us-cert.gov/advisories/ICSA-16-348-03

Siemens SIMATIC WinCC and SIMATIC PCS 7 ActiveX Vulnerability

https://ics-cert.us-cert.gov/advisories/ICSA-16-348-04

Siemens S7-300/400 PLC Vulnerabilities

https://ics-cert.us-cert.gov/advisories/ICSA-16-348-05

IBM Security Bulletins

IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2016 - Includes Oracle Oct 2016 CPU affects Content Collector for IBM Connections

https://www-01.ibm.com/support/docview.wss?uid=swg21988356

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer (CVE-2016-5597)

http://www-01.ibm.com/support/docview.wss?uid=swg21995883

IBM Security Bulletin: Sweet32 Birthday attacks on 64-bit block ciphers in TLS affect Content Manager for z/OS (CVE-2016-2183)

http://www-01.ibm.com/support/docview.wss?uid=swg21995455

IBM Security Bulletin: Multiple vulnerabilities in BIND affect IBM Netezza Host Management

http://www.ibm.com/support/docview.wss?uid=swg21994505

IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS

http://www.ibm.com/support/docview.wss?uid=ssg1S1009647

IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified

http://www.ibm.com/support/docview.wss?uid=ssg1S1009554

IBM Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center)

http://www.ibm.com/support/docview.wss?uid=swg21995129

IBM Security Bulletin: Password disclosure vulnerability in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware vSphere GUI (CVE-2016-6034)

http://www.ibm.com/support/docview.wss?uid=swg21995544

IBM Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-5986

http://www.ibm.com/support/docview.wss?uid=swg21995745

IBM Security Bulletin: Potential Information Disclosure in WebSphere Application Server

http://www-01.ibm.com/support/docview.wss?uid=swg21991469

IBM Security Bulletin: Multiple Vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2016-8941, CVE-2016-8942, CVE-2016-8943)

http://www.ibm.com/support/docview.wss?uid=swg21995128