Daily Summary - Thursday 22-09-2016

End-of-Shift report

Timeframe: Wednesday 21-09-2016 18:00 − Thursday 22-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a

Fake cease-and-desist letter from lawyer Jörg Schmidt in circulation

Households are receiving a cease-and-desist letter from the law firm of Jörg Schmidt. It claims that the copyright of abbywinters.com BV has been infringed because the recipients have used the erotic film "Girl & Girl Pee Marigold & Christiana". For this reason they are asked to pay 950.00 euros. This is a fraud attempt.

https://www.watchlist-internet.at/sonstiges/fake-abmahnung-von-ra-joerg-schmidt-im-umlauf/


More than 840,000 Cisco devices are vulnerable to NSA-related exploit

More than 840,000 Cisco networking devices from around the world are exposed to a vulnerability that's similar to one exploited by a hacking group believed to be linked to the U.S. National Security Agency. The vulnerability was announced by Cisco last week and it affects the IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw allows hackers to remotely extract the contents of a device's memory, which can lead to the exposure of sensitive information.

http://www.cio.com/article/3122868/more-than-840000-cisco-devices-are-vulnerable-to-nsa-related-exploit.html#tk.rss_security


Bug that hit Firefox and Tor browsers was hard to spot - now we know why

The curious case of Firefox's (now fixed) certificate pinning failure.

http://arstechnica.com/security/2016/09/bug-that-hit-firefox-and-tor-browsers-was-hard-to-spot-now-we-know-why/


Hacked Website Report - 2016/Q2

Today we're releasing our quarterly Hacked Website Report for 2016/Q2. The data in this report is based on compromised websites we worked on, with insights and analysis performed by our Incident Response Team (IRT) and Malware Research Team (MRT). CMS Analysis: Our analysis consisted of over 9,000 infected websites. The graphs below show a side-by-side...

https://blog.sucuri.net/2016/09/hacked-website-report-2016q2.html


KrebsOnSecurity Hit With Record DDoS

On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they've seen previously, and was among the biggest assaults the Internet has ever witnessed.

http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/


Controlling Kerio Control - When your firewall turns against you.

Introduction: This blog post describes two different attacks which can be used to compromise companies which use Kerio Control in their network. Kerio Control is a hardware appliance which can be used as network firewall, router and VPN gateway. Both attacks spawn a reverse shell on Kerio Control. Since both attack payloads are delivered via CSRF (cross-site request forgery) or XSS (cross-site scripting), no ports need to be open from the Internet.

http://blog.sec-consult.com/2016/09/controlling-kerio-control-when-your.html


Future attack scenarios against ATM authentication systems

The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components.

http://securelist.com/analysis/publications/76099/future-attack-scenarios-against-atm-authentication-systems/


Cisco plugs two Cloud Services Platform system compromise flaws

Cisco has patched two serious vulnerabilities in Cisco Cloud Services Platform 2100, both of which could allow a remote attacker to execute arbitrary code on a targeted system. Both vulnerabilities affect version 2.0 of the platform and there are no workarounds to address them, so administrators are advised to update to release 2.1.0 or later to plug the holes. What's the problem? Cisco Cloud Services Platform 2100 is a popular Linux Kernel-based Virtual Machine software...

https://www.helpnetsecurity.com/2016/09/22/cisco-plugs-cloud-services-platform-flaws/


Fixing the mixed content problem with Automatic HTTPS Rewrites

CloudFlare aims to put an end to the unencrypted Internet. But the web has a chicken and egg problem moving to HTTPS. Long ago it was difficult, expensive, and slow to set up an HTTPS capable web site. Then along came services like CloudFlare's Universal SSL that made switching...

https://blog.cloudflare.com/fixing-the-mixed-content-problem-with-automatic-https-rewrites/


OpenSSL Update Released, (Thu, Sep 22nd)

As announced earlier this week, OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0). The update fixes 14 different vulnerabilities. Only one vulnerability is rated High. This vulnerability, CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple large OCSP...

https://isc.sans.edu/diary.html?storyid=21509&rss


OpenSSL Security Advisory [22 Sep 2016]

OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
SSL_peek() hang on empty record (CVE-2016-6305)
SWEET32 Mitigation (CVE-2016-2183)
OOB write in MDC2_Update() (CVE-2016-6303)
Malformed SHA512 ticket DoS (CVE-2016-6302)
OOB write in BN_bn2dec() (CVE-2016-2182)
OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
Pointer arithmetic undefined behaviour (CVE-2016-2177)
Constant time flag not preserved in DSA signing (CVE-2016-2178)
DTLS buffered message DoS (CVE-2016-2179)
DTLS...

https://www.openssl.org/news/secadv/20160922.txt


Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004

Description: Users who have rights to edit a node can set the visibility on comments for that node.
Advisory ID: DRUPAL-SA-CORE-2016-004
Project: Drupal core
Version: 8.x
Date: 2016-September-21
Security risk: 18/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability:
Description: Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical) Users who have rights to edit a node can set the visibility on comments for that

https://www.drupal.org/SA-CORE-2016-004


ZDI-16-526: (0Day) Google Chrome Protocol Handler Logic Error Restrictions Bypass Vulnerability

This vulnerability allows remote attackers to bypass restrictions on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

http://www.zerodayinitiative.com/advisories/ZDI-16-526/


ZDI-16-525: (0Day) Fatek Automation PM Designer Heap Memory Corruption Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Fatek Automation PM Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

http://www.zerodayinitiative.com/advisories/ZDI-16-525/


[2016-09-22] Potential backdoor access through multiple vulnerabilities in Kerio Control Unified Threat Management

Kerio Control contains multiple vulnerabilities which can be used by an attacker to obtain a reverse root shell on the internal firewall system of a network. An attacker can use this reverse root shell to further compromise the victim's local network, sniff VPN traffic (including VPN credentials) or simply backdoor the firewall/VPN gateway.

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160922-0_Kerio_Control_Potential_backdoor_access_through_multiple_vulnerabilities_v10.txt


HPSBGN03649 rev.1 - HPE Network Automation using Java Deserialization, Remote Code Execution

A vulnerability in the Apache Commons Collections and Commons BeanUtils libraries used for handling Java object deserialization was addressed in HPE Network Automation. The vulnerability could be exploited remotely to allow remote code execution.

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05279098


SSA-342135 (Last Update 2016-09-22): Web Vulnerability in SCALANCE M-800 / S615

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-342135.pdf


SSA-301706 (Last Update 2016-09-22): GNU C Library Vulnerability in Industrial Products

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706.pdf


Cisco Security Advisories

Cisco Application Policy Infrastructure Controller Binary Privilege Escalation Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-apic

Cisco IOS and IOS XE iox Command Injection Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-iox

Cisco Firepower Management Center and FireSIGHT System Software SSL Inspection Bypass Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-fmc

Cisco IOS and IOS XE Software Data in Motion Component Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-dmo

Cisco Cloud Services Platform 2100 Remote Command Execution Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-csp2100-2

Cisco Cloud Services Platform 2100 Command Injection Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-csp2100-1

Cisco Prime Home Web-Based User Interface XML External Entity Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-cph

Cisco Application-Hosting Framework HTTP Header Injection Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-caf1

Cisco IOS and IOS XE Software Application-Hosting Framework Unauthorized File Access Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-caf