End-of-Shift report
Timeframe: Thursday 20-04-2017 18:00 - Friday 21-04-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
20 Linksys Router Models Vulnerable To Attack
Researchers say more than 100,000 Linksys routers in use today could be vulnerable to 10 flaws found in 20 separate router models made by the company.
http://threatpost.com/20-linksys-router-models-vulnerable-to-attack/125085/
The History of Fileless Malware - Looking Beyond the Buzzword
What's the deal with "fileless malware"? Though many security professionals cringe when they hear this term, lots of articles and product brochures mention fileless malware in the context of threats that are difficult to resist and investigate. Below is my attempt to look beyond the buzzword, tracing the origins of this term and outlining the malware samples that influenced how we use...
https://zeltser.com/fileless-malware-beyond-buzzword/
Archive.org Abused to Deliver Phishing Pages
The Internet Archive is a well-known website, known more precisely for its "WaybackMachine" service. It allows you to search for and display old versions of websites. The current Alexa ranking is 262, which makes it a "popular and trusted" website. Indeed, as I explained in a recent SANS ISC diary, whitelists [...]
https://blog.rootshell.be/2017/04/20/archive-org-abused-deliver-phishing-pages/
Analysis of a Maldoc with Multiple Layers of Obfuscation, (Fri, Apr 21st)
Thanks to our readers, we often get interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called Invoice_6083.doc (which was delivered in a zip archive). I had a quick look [...]
https://isc.sans.edu/diary/Analysis+of+a+Maldoc+with+Multiple+Layers+of+Obfuscation/22330
TLS interception: Sophos firewall caught off guard by Chrome change
Users who run the Chrome browser behind a Sophos firewall currently see nothing but certificate warnings. The new Chrome version ignores the so-called CommonName, which has been considered deprecated for 17 years. (Sophos, Browser)
https://www.golem.de/news/tls-interception-sophos-firewall-wurd-von-chrome-aenderung-ueberrascht-1704-127424-rss.html
Domain Fronting
In this article, we are going to learn about a very interesting and powerful technique known as Domain Fronting, a circumvention technique based on HTTPS that hides the true destination from the censor. What is Domain Fronting? Domain fronting is a technique to circumvent the censorship employed for certain domains (censorship may be for [...]
http://resources.infosecinstitute.com/domain-fronting/
Top-ranked programming Web tutorials introduce vulnerabilities into software
Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials. The process: The researchers identified popular tutorials by inputting search terms such as "mysql tutorial", [...]
https://www.helpnetsecurity.com/2017/04/21/programming-tutorials-vulnerabilities/
Security vulnerability in unmaintained Drupal contrib module puts 120000 sites at risk
[...] The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately, a critical security vulnerability in this References module has been reported by the Drupal core security team as SA-CONTRIB-2017-38: [...]
http://drupal.sh/vulnerable-drupal-contrib-module-puts-120000-sites-at-risk
References - Unsupported - SA-CONTRIB-2017-38
[...] Updates: 2017-04-18 -- This issue has been resolved with the release of references 7.x-2.2
https://www.drupal.org/node/2869138
cURL/libcurl TLS Session Resumption Client Certificate Bug Lets Remote Users Bypass Security Restrictions on the Target System
http://www.securitytracker.com/id/1038341
SSHD vulnerability CVE-2017-6128
https://support.f5.com/csp/article/K92140924
DFN-CERT-2017-0704: FreeType: A vulnerability allows execution of arbitrary code
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0704/
Security Advisory - Buffer Overflow vulnerability in the GaussDB
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170420-01-gaussdb-en
Security updates available in Foxit Reader 8.3 and Foxit PhantomPDF 8.3
Foxit has released Foxit Reader 8.3 and Foxit PhantomPDF 8.3, which address potential security and stability issues.
https://www.foxitsoftware.com/support/security-bulletins.php
Vuln: Linux Kernel CVE-2017-7645 Multiple Denial of Service Vulnerabilities
http://www.securityfocus.com/bid/97950
IBM Security Bulletins
IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274)
http://www.ibm.com/support/docview.wss?uid=swg22002280
IBM Security Bulletin: Plugin Uploads in IBM UrbanCode Deploy Vulnerable to XML Injection (CVE-2016-9007)
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000289
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM BigFix Remote Control.
http://www-01.ibm.com/support/docview.wss?uid=swg22000544
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (CVE-2016-5556, CVE-2016-5597 and CVE-2016-5542)
http://www-01.ibm.com/support/docview.wss?uid=swg21996985
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System (CVE-2016-5597, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183)
http://www-01.ibm.com/support/docview.wss?uid=swg22000580
IBM Security Bulletin: Vulnerability in Pivotal Spring Framework affects IBM Marketing Software products suite (CVE-2014-3625)
http://www.ibm.com/support/docview.wss?uid=swg22002110
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect InfoSphere Optim Performance Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183)
http://www-01.ibm.com/support/docview.wss?uid=swg22002204