End-of-Shift report
Timeframe: Friday 30-06-2017 18:00 − Monday 03-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
From Pass-the-Hash to Pass-the-Ticket with No Pain
We are all grateful to Microsoft, which gave us the possibility to use the "Pass the Hash" technique! In short: if we have the NTLM hashes of the user password, we can authenticate against the remote system without knowing the real password, just using the hashes. Things were (finally) changing, starting from Windows 7, [...]
http://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/
SQL Injection Vulnerability in WP Statistics
As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues. While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites. Are You at Risk? This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right [...]
https://blog.sucuri.net/2017/06/sql-injection-vulnerability-wp-statistics.html
OutlawCountry Is CIA's Malware for Hacking Linux Systems
WikiLeaks dumped today a manual describing a new CIA malware strain. Called OutlawCountry, this is malware designed for Linux operating systems. [...]
https://www.bleepingcomputer.com/news/security/outlawcountry-is-cias-malware-for-hacking-linux-systems/
So You Think You Can Spot a Skimmer?
This week marks the 50th anniversary of the automated teller machine -- better known to most people as the ATM or cash machine. Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think you're good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge.
https://krebsonsecurity.com/2017/06/so-you-think-you-can-spot-a-skimmer/
PE Section Name Descriptions, (Sun, Jul 2nd)
PE files (.exe, .dll, ...) have sections: a section with code, one with data, ... Each section has a name, and different compilers use different section names. Section names can help us identify the compiler and the type of PE file we are analyzing.
https://isc.sans.edu/diary/rss/22576
TLS security: Past, present and future
The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet. It soon became clear that a unified standard was required, and an IETF TLS WG was tasked. As a result, TLS 1.0 was specified in 1999, TLS 1.1 in [...]
https://www.helpnetsecurity.com/2017/07/03/tls-security/
Warning, fake: No, Billa is not giving away a 250-euro voucher on WhatsApp
The chain letter is currently spreading rapidly - it links to a mysterious site
http://derstandard.at/2000060650645
WSUSpendu? What for?
At BlackHat USA 2015, the WSUSpect attack scenario was released. At approximately the same time, some French engineers were wondering whether it would be possible to use a compromised WSUS server to extend the compromise to its clients, similarly to the WSUSpect attack. After letting this topic rest for almost two years, we've been able, at Alsid and ANSSI, to demonstrate this attack.
https://github.com/AlsidOfficial/WSUSpendu
SB17-184: Vulnerability Summary for the Week of June 26, 2017
Original release date: July 03, 2017 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit [...]
https://www.us-cert.gov/ncas/bulletins/SB17-184
DSA-3901 libgcrypt20 - security update
Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that Libgcrypt is prone to a local side-channel attack allowing full key recovery for RSA-1024.
https://www.debian.org/security/2017/dsa-3901
Bugtraq: [CVE-2017-9313] Webmin 1.840 Multiple XSS Vulnerabilities
http://www.securityfocus.com/archive/1/540794
Microsoft Dynamics CRM Input Validation Flaw in SyncFilterPage.aspx Lets Remote Users Conduct Cross-Site Scripting Attacks
http://www.securitytracker.com/id/1038813
FortiWLM upgrade user account hard-coded credentials
FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. Having the upgrade account credentials would allow an attacker to transfer files to any attached or previously attached controllers as an admin user, thus raising potential further security issues.
http://fortiguard.com/psirt/FG-IR-17-115
F5 Security Advisories
BIND vulnerability CVE-2017-3142
https://support.f5.com/csp/article/K59448931
BIND vulnerability CVE-2017-3143
https://support.f5.com/csp/article/K02230327
GnuTLS vulnerability CVE-2017-7507
https://support.f5.com/csp/article/K37830055
Novell Patches
Sentinel 8.1 (Sentinel 8.1.0.0) Build 3732
https://download.novell.com/Download?buildid=SISjocZzgJM~
eDirectory 9.0.3 Patch 1 (9.0.3.1)
https://download.novell.com/Download?buildid=_f8Eq87R-gs~
eDirectory 8.8 SP8 Patch 10 HotFix 1
https://download.novell.com/Download?buildid=z1R5CZBTHBM~
IBM Security Bulletins
IBM Security Bulletin: Improper Authentication vulnerability affects IBM Security Guardium (CVE-2017-1264)
http://www-01.ibm.com/support/docview.wss?uid=swg22004425
IBM Security Bulletin: IBM Security Guardium is affected by XML External Entity vulnerability (CVE-2017-1254)
http://www-01.ibm.com/support/docview.wss?uid=swg22004463
IBM Security Bulletin: OS Command Injection vulnerability affects IBM Security Guardium (CVE-2017-1253)
http://www-01.ibm.com/support/docview.wss?uid=swg22004426
IBM Security Bulletin: IBM Maximo Asset Management could allow a local user to obtain sensitive information due to inappropriate data retention of attachments (CVE-2017-1176)
http://www-01.ibm.com/support/docview.wss?uid=swg22005210
IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL injection (CVE-2017-1175)
http://www-01.ibm.com/support/docview.wss?uid=swg22005212
IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2017-1208)
http://www-01.ibm.com/support/docview.wss?uid=swg22005243
IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder that is shipped with Jazz Reporting Service
http://www-01.ibm.com/support/docview.wss?uid=swg22001007
IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology
http://www.ibm.com/support/docview.wss?uid=swg21999760
IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Team Concert
http://www.ibm.com/support/docview.wss?uid=swg22004611
IBM Security Bulletin: Multiple vulnerabilities in NTP and OpenSSL affect IBM Netezza Firmware Diagnostics
http://www-01.ibm.com/support/docview.wss?uid=swg21997020
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect SmartCloud Entry
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025357
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus
http://www.ibm.com/support/docview.wss?uid=swg22005345
IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Information Disclosure vulnerability
http://www.ibm.com/support/docview.wss?uid=swg22005382
IBM Security Bulletin: IBM Integration Bus and WebSphere Message Broker are affected by Unquoted Search Path or Element (CWE-428) Vulnerability on Windows
http://www.ibm.com/support/docview.wss?uid=swg22005383
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus
http://www.ibm.com/support/docview.wss?uid=swg22005335
IBM Security Bulletin: A vulnerability in Open Source Botan affects IBM Netezza Platform Software clients (CVE-2016-2849).
http://www-01.ibm.com/support/docview.wss?uid=swg22001108
IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability
http://www.ibm.com/support/docview.wss?uid=swg22005331