End-of-Shift report
Timeframe: Tuesday 24-01-2017 18:00 − Wednesday 25-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
Critical security vulnerability in the Shopware web shop software
The software from Schöppingen, popular above all in Germany, has a vulnerability through which attackers can execute arbitrary malicious code.
https://heise.de/-3606627
VB2016 paper: Great crypto failures
Crypto is hard, and malware authors often make mistakes. At VB2016, Check Point researchers Yaniv Balmas and Ben Herzog discussed the whys and hows of some of the crypto blunders made by malware authors. Today, we publish their paper and the recording of their presentation.
https://www.virusbulletin.com:443/blog/2017/01/vb2016-paper-great-crypto-failures/
Call for Papers: VB2017
We have opened the Call for Papers for VB2017. We are particularly interested in receiving submissions from those working outside the security industry itself.
https://www.virusbulletin.com:443/blog/2017/01/call-papers-vb2017/
Malicious SVG Files in the Wild, (Tue, Jan 24th)
In November 2016, the Facebook messenger application was used to deliver malicious SVG files to people [1]. SVG files (or Scalable Vector Graphics) are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature sets and IE10 extended the support by adding SVG 1.1 support. In the Microsoft Windows operating system, SVG files are handled by Internet Explorer by default. From a file format point...
https://isc.sans.edu/diary.html?storyid=21971&rss
Security patch: Western Digital My Cloud Mirror susceptible to malicious code
Owners of the network storage device should check, for security reasons, that they have the current firmware installed.
https://heise.de/-3606909
Trojan Transforms Linux Devices into Proxies for Malicious Traffic
Security researchers have uncovered a new trojan that targets Linux devices that is capable of transforming infected machines into proxy servers and relay malicious traffic, hiding the true origin of attacks or other nefarious activities. [...]
https://www.bleepingcomputer.com/news/security/trojan-transforms-linux-devices-into-proxies-for-malicious-traffic/
Capturing Pattern-Lock Authentication
Interesting research -- "Cracking Android Pattern Lock in Five Attempts": Abstract: Pattern lock is widely used as a mechanism for authentication and authorization on Android devices. In this paper, we demonstrate a novel video-based attack to reconstruct Android lock patterns from video footage filmed using a mobile phone camera. Unlike prior attacks on pattern lock, our approach does not require the video to capture any content displayed on the screen. Instead, we employ a computer...
https://www.schneier.com/blog/archives/2017/01/capturing_patte.html
Maintenance work, Tuesday 31. 1. 2017
http://www.cert.at/services/blog/20170125134029-1890.html
Detecting threat actors in recent German industrial attacks with Windows Defender ATP
When a Germany-based industrial conglomerate disclosed in December 2016 that it was breached early that year, the breach was revealed to be a professionally run industrial espionage attack. According to the German press, the intruders used the Winnti family of malware as their main implant, giving them persistent access to the conglomerate's network as early...
https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/
Vulnerability in Samsung phones: endless boot loop via killer SMS
Samsung has closed a vulnerability in older devices that can be abused to put them into a boot loop and that probably also gives attackers the possibility to execute malicious code. Devices from other manufacturers are presumably still vulnerable.
https://heise.de/-3607266
DFN-CERT-2017-0142: Mozilla Firefox, Firefox ESR, Tor Browser: Multiple vulnerabilities allow, among other things, the execution of arbitrary program code
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0142/
IDM 4.5 SAP User Driver Version 4.0.1.0
Abstract: Patch update for the NetIQ Identity Manager SAP User Manager driver with the SAP JCO version 3. This patch will take the driver version to 4.0.1.0. You must have IDM 4.5 or later to use this driver. You should only use this patch if you are using SAP JCO3. It will not work with SAP JCO2. NetIQ recommends that users of SAP JCO2 transition to SAP JCO3 and use the IDM SAP User Manager driver for JCO3. Future versions of IDM do not support SAP JCO2. Document ID: 5269090. Security Alert:...
https://download.novell.com/Download?buildid=juq3iF7EF5o~
Citrix Provisioning Services Multiple Security Updates
https://support.citrix.com/article/CTX219580
Citrix XenServer Multiple Security Updates
https://support.citrix.com/article/CTX220112
IBM Security Bulletins
IBM Security Bulletin: Security Vulnerability affecting FileNet Content Manager and IBM Content Foundation (CVE-2013-5462)
http://www.ibm.com/support/docview.wss?uid=swg21994241
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Content Collector for SAP Applications (CVE-2016-5597)
http://www-01.ibm.com/support/docview.wss?uid=swg21996483
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Enterprise Content Management System Monitor
http://www-01.ibm.com/support/docview.wss?uid=swg21997196
Huawei Security Advisories
Security Advisory - Authentication Bypass Vulnerability in the Find Phone Function of some Huawei Smart Phones
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170125-01-smartphone-en
Security Advisory - Two Security Vulnerabilities in Huawei EMUI
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170125-01-emui-en
Security Advisory - Improper Permission Control Vulnerability in Huawei Vmall Alert Service
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170125-01-vmall-en
Cisco Security Advisories
Cisco Adaptive Security Appliance CX Context-Aware Security Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-cas
Cisco TelePresence Multipoint Control Unit Remote Code Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-telepresence
Cisco Expressway Series and TelePresence VCS Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-expressway
Cisco WebEx Browser Extension Remote Code Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex
HP Security Bulletins
Bugtraq: [security bulletin] HPSBGN03690 rev.1 - HPE Real User Monitor (RUM), Remote Disclosure of Information
http://www.securityfocus.com/archive/1/540044
Bugtraq: [security bulletin] HPSBST03642 rev.3 - HPE StoreVirtual Products running LeftHand OS using OpenSSL and OpenSSH, Remote Arbitrary Code Execution, Denial of Service (DoS), Disclosure of Sensitive Information, Unauthorized Access
http://www.securityfocus.com/archive/1/540048
Bugtraq: [security bulletin] HPSBHF03695 rev.1 - HPE Ethernet Adaptors, Remote Denial of Service (DoS)
http://www.securityfocus.com/archive/1/540047
Bugtraq: [security bulletin] HPSBHF03441 rev.2 - HPE iLO 3, iLO 4 and iLO 4 mRCA, Remote Multiple Vulnerabilities
http://www.securityfocus.com/archive/1/540046