End-of-Shift report
Timeframe: Wednesday 16-03-2016 18:00 - Thursday 17-03-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
Blundering ransomware uses backdoored crypto, unlock keys spewed
Hahah ... wait, what? A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware.
http://www.theregister.co.uk/2016/03/16/locky_ransomware_undone_for_now/
Netgear CG3000v2 Password Change Bypass
I noticed a security issue in my Netgear CG3000v2 cable modem, as provided by Optus (an Australian phone/communications provider).
The "admin password" can be changed on the web interface, without providing the current password. The page
http://192.168.0.1/SetPassword.asp prompts for old and new passwords (and repeat of new), but in fact ignores the old password provided, and changes the password to the new one, regardless.
https://cxsecurity.com/issue/WLB-2016030089
2015-12-10: POODLE Vulnerability in RTU500 Series
Affected Products: RTU500 series firmware of release 10 less than version 10.8.6 and of release 11 less than 11.2.1.
RTU500 series releases 9 and less are not affected.
Summary: A vulnerability has recently been published that affects the SSL protocol 3.0 and is commonly referred to as "POODLE". The vulnerability affects the product versions listed above.
http://search.abb.com/library/Download.aspx?DocumentID=1KGT090264&LanguageCode=en&DocumentPartId=&Action=Launch
ADAC: Cars with keyless entry systems are much easier to steal
Thieves can exploit a security weakness in the radio link
http://derstandard.at/2000033077997
APT Attackers Flying More False Flags Than Ever
Investigators continue to focus on attack attribution, but Kaspersky researchers speaking at CanSecWest 2016 caution that attackers are manipulating data used to tie attacks to perpetrators.
http://threatpost.com/apt-attackers-flying-more-false-flags-than-ever/116814/
sol06223540: F5 TCP vulnerability CVE-2015-8240
Improper handling of TCP options under some circumstances may cause a denial-of-service (DoS) condition. (CVE-2015-8240) Versions known to be vulnerable: 11.6.0 HF5, 11.5.3 HF2, 11.4.1 HF9 on various BIG-IP products
https://support.f5.com/kb/en-us/solutions/public/k/06/sol06223540.html
Metaphor - A (real) real-life Stagefright exploit
The team here at NorthBit has built a working exploit affecting Android versions 2.2 - 4.0 and 5.0 - 5.1, while bypassing ASLR on versions 5.0 - 5.1 (as Android versions 2.2 - 4.0 do not implement ASLR).
https://www.exploit-db.com/docs/39527.pdf
Xen XSA-171: I/O port access privilege escalation in x86-64 Linux
User mode processes not supposed to be able to access I/O ports may be granted such permission, potentially resulting in one or more of in-guest privilege escalation, guest crashes (Denial of Service), or in-guest information leaks.
http://xenbits.xen.org/xsa/advisory-171.html
BSI publishes requirements catalogue for cloud computing
Using the catalogue, customers of cloud service providers can find out how information security in a cloud is doing. Providers of such services can also use it to prepare, for example, for an upcoming certification.
http://heise.de/-3141368
Introducing SHIPS - Centralized Password Management
The Shared Host Integrated Password System (SHIPS) is an open-source solution created by Geoff Walton from TrustedSec to provide unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts. Our goal is to make post exploitation more difficult and provide a simplistic way to manage multiple systems in an environment where Windows does not necessarily support an alternative. SHIPS supports both Linux
https://www.trustedsec.com/january-2015/introducing-ships-centralized-local-password-management-windows/
New NIST Encryption Guidelines
NIST has published a draft of their new standard for encryption use: "NIST Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms." In it, the Escrowed Encryption Standard from the 1990s, FIPS-185, is no longer certified. And Skipjack, the NSA's symmetric algorithm from the same period, will no longer be certified.
https://www.schneier.com/blog/archives/2016/03/new_nist_encryp.html
Scores of Serial Servers Plagued by Lack of Authentication, Encryption
Thousands of serial servers connected to the internet aren't password protected and lack encryption, leaving any data that transfers between them and the devices they're connected to open to snooping, experts warn.
http://threatpost.com/scores-of-serial-servers-plagued-by-lack-of-authentication-encryption/116834/
VU#897144: Solarwinds Dameware Remote Mini Controller Windows service is vulnerable to stack buffer overflow
The Solarwinds Dameware Remote Mini Controller Windows service is vulnerable to stack buffer overflow. Description: CWE-121: Stack-based Buffer Overflow - CVE-2016-2345
Solarwinds Dameware Remote Mini Controller is a software for assisting in remote desktop connections for helpdesk support.
http://www.kb.cert.org/vuls/id/897144
Bypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks
This paper discusses different techniques that an attacker can use to bypass NoScript Security Suite protection. These techniques can be used by malicious actors to bypass the default installation of NoScript. The paper also provides solutions and recommendations for end-users that can enhance the current protection of NoScript Security Suite.
https://mazinahmed.net/uploads/Bypassing%20NoScript%20Security%20Suite%20Using%20Cross-Site%20Scripting%20and%20MITM%20Attacks.pdf
Symantec Endpoint Protection Multiple Security Issues
Symantec Endpoint Protection (SEP) was susceptible to a number of security findings that could potentially result in an authorized but less privileged user gaining elevated access to the Management Console. SEP Client security mitigations can potentially be bypassed allowing arbitrary code execution on a targeted client.
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2016&suid=20160317_00
IBM Security Bulletin
IBM Rational DOORS Web Access is affected by Apache Tomcat vulnerabilities (CVE-2015-5345, CVE-2015-5351)
http://www.ibm.com/support/docview.wss?uid=swg21978300
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2015-7575, CVE-2015-4872, CVE-2015-4893, CVE-2015-4803)
http://www.ibm.com/support/docview.wss?uid=swg21976573
IBM Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry (CVE-2015-7713, CVE-2015-5286)
http://www.ibm.com/support/docview.wss?uid=isg3T1023399
IBM Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry (CVE-2015-5163 CVE-2015-3241 CVE-2015-5223)
http://www.ibm.com/support/docview.wss?uid=isg3T1023469
IBM Security Bulletin: OpenStack vulnerabilities affect IBM Cloud Manager with Openstack (CVE-2015-5163 CVE-2015-3241 CVE-2015-5223)
http://www.ibm.com/support/docview.wss?uid=isg3T1023470