End-of-Shift report
Timeframe: Tuesday 23-02-2016 18:00 − Wednesday 24-02-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
Numerous vendors patch dramatic glibc hole
Linux is almost everywhere, and so is glibc, which is vulnerable in older versions. Security updates are available from Zyxel, VMware and Citrix, among others; other vendors give the all-clear.
http://heise.de/-3115787
OpenCms 9.5.2 Cross Site Scripting
Topic: OpenCms 9.5.2 Cross Site Scripting Risk: Low Text: Advisory ID: SYSS-2015-063 Product: OpenCms Official Maintainer: Alkacon Software GmbH Affected Version(s): 9.5.2 Tested ...
https://cxsecurity.com/issue/WLB-2016020206
libssh library: Two vulnerabilities allow, among other things, bypassing security measures
Two vulnerabilities in the libssh library allow a remote, unauthenticated attacker to carry out a denial-of-service (DoS) attack and to bypass security measures, and subsequently to read out information.
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0326/
Squid: Multiple Denial of Service issues in HTTP Response processing.
Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
Exploiting a Kernel Paged Pool Buffer Overflow in Avast Virtualization Driver
Version(s): 11.1.2245; possibly earlier versions Description: A vulnerability was reported in avast!. A local user can gain system privileges on the target system. Avast Internet Security, Avast Pro Antivirus, Avast Premier, and Avast Free Antivirus are affected. Solution: The vendor has issued a fix (11.1.2253).
http://www.securitytracker.com/id/1035093
Drupal 6 hits the end of the line
If you have a Drupal 6 website then you won't be receiving any more official security advisories or patches; from today your site is vulnerable to any new security issues discovered in Drupal 6 core or its modules, forever.
https://nakedsecurity.sophos.com/2016/02/24/drupal-6-hits-the-end-of-the-line/
Admins beware: crypto-Trojan infects hundreds of web servers
This time the ransomware Trojan CTB-Locker is targeting web servers rather than Windows users. It has already encrypted the files of hundreds of websites, and there is currently no end in sight.
http://heise.de/-3116470
F5: sol13304944: NTP vulnerability CVE-2015-7974
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." (CVE-2015-7974)
https://support.f5.com/kb/en-us/solutions/public/k/13/sol13304944.html
Analysis of a Malicious .lnk File with an Embedded Payload, (Wed, Feb 24th)
We received some feedback today from Nick, a SANS ISC reader who detected an interesting phishing campaign based on an ACE file. I also detected the same kind of file earlier this morning. ACE is an old compression algorithm developed by a German company called e-merge. This file format was popular around the year 2000. Today it almost disappeared and was replaced by more popular formats but ACE files can still be handled by popular tools like WinRAR or WinZIP. The fact that the format is quite old
https://isc.sans.edu/diary.html?storyid=20763&rss
Attackers Can Turn Microsoft's Exploit Defense Tool EMET Against Itself
itwbennett writes: FireEye researchers have found a way for exploits to trigger a specific function in EMET that disables all protections it enforces for other applications. The researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. It works against all supported versions of EMET - 5.0, 5.1 and 5.2 - but Microsoft patched the issue in EMET 5.5, which was released on Feb. 2.
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/rwo8Nq2dFiw/attackers-can-turn-microsofts-exploit-defense-tool-emet-against-itself
Ransomware: Locky now also arrives via JScript
A spam campaign is now also distributing the Locky ransomware via JScript attachments in e-mails that purport to come from a sausage manufacturer. (Trojan, virus)
http://www.golem.de/news/ransomware-locky-kommt-jetzt-auch-ueber-javascript-1602-119331-rss.html
Mousejacking: What you need to know
Got a wireless mouse or keyboard that uses a USB dongle? Seems that many of them can be fed fake clicks and keystrokes from a distance...
https://nakedsecurity.sophos.com/2016/02/24/mousejacking-what-you-need-to-know/
Cisco ACE 4710 Application Control Engine Command Injection Vulnerability
A vulnerability in the Device Manager GUI of the Cisco ACE 4710 Application Control Engine could allow an authenticated, remote attacker to execute any command-line interface (CLI) command on the ACE with admin user privileges.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160224-ace
Cleaners ought to be clean (and clear)
There are many programs that purport to clean up and optimize system performance. While Microsoft does not endorse the use of these tools with Windows, we do not view them as unwanted or malicious. Many programs in this category have a practice of providing a free version of their software that scans your system, ...
https://blogs.technet.microsoft.com/mmpc/2016/02/24/cleaners-ought-to-be-clean-and-clear/
IBM Security Bulletins
IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK for Node.js affect the Cordova tools in Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-2086, CVE-2016-2216,
http://www.ibm.com/support/docview.wss?uid=swg21977146
IBM Security Bulletin: Vulnerabilities in OpenSSL affect the Cordova tools in Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-0701, CVE-2015-3197)
http://www.ibm.com/support/docview.wss?uid=swg21977144
IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Explorer for z/OS 3.0 (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21976483
IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575,
http://www.ibm.com/support/docview.wss?uid=swg21977021
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK Version 8 Service Refresh 2 that affect IBM BigFix Compliance Analytics.
http://www.ibm.com/support/docview.wss?uid=swg21976854
IBM Security Bulletin: Java specific SLOTH - Weak MD5 Signature Hash
http://www.ibm.com/support/docview.wss?uid=swg21975823
IBM Security Bulletin: Vulnerability in IBM Java Runtime shipped with WebSphere Partner Gateway Advanced/Enterprise editions (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21976925
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Method Composer (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21975877
IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Developer for System z (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21976476
IBM Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM SPSS Modeler (CVE-2016-0466, CVE-2015-7575, CVE-2016-0475)
http://www.ibm.com/support/docview.wss?uid=swg21977518
IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM WebSphere MQ (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21977523
IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect IBM Transformation Extender Hypervisor Edition for AIX (CVE-2016-0466, CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21977061
IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect IBM Transformation Extender Hypervisor Edition (CVE-2016-0466, CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21976970
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect FileNet Content Manager, IBM Content Foundation and FileNet BPM (CVE-2015-7575, CVE-2016-0475, CVE-2016-0466)
http://www.ibm.com/support/docview.wss?uid=swg21975820
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs)
http://www.ibm.com/support/docview.wss?uid=swg21976845
IBM Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal
http://www.ibm.com/support/docview.wss?uid=swg21976358