End-of-Day report
Timeframe: Tuesday 16-10-2018 18:00 - Wednesday 17-10-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
News
Injecting Code into Windows Protected Processes using COM - Part 1
Posted by James Forshaw, Google Project Zero. At Recon Montreal 2018 I presented "Unknown Known DLLs and other Code Integrity Trust Violations" with Alex Ionescu. We described the implementation of Microsoft Windows' Code Integrity mechanisms and how Microsoft implemented Protected Processes (PP). As part of that I demonstrated various ways of bypassing Protected Process Light (PPL), some requiring administrator privileges, others not.
https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html
Multiple D-Link Routers Open to Complete Takeover with Simple Attack
The vendor only plans to patch two of the eight impacted devices, according to a researcher.
https://threatpost.com/multiple-d-link-routers-open-to-complete-takeover-with-simple-attack/138383/
Party like it's 1987... SVGA code bug haunts VMware's house, lets guests flee to host OS
Malicious code in VMs can leap over ESXi, Workstation, Fusion hypervisor security. Get busy, VMware admins and users: the virtualisation virtuoso has patched a programming blunder in ESXi, Workstation Pro and Player, and Fusion and Fusion Pro products that can be exploited by malicious code to jump from guest OS to host machine.
http://go.theregister.com/feed/www.theregister.co.uk/2018/10/17/vmware_svga_guest_escape_critical_bug/
Warning about fake A1 update
Consumers receive a purported message from A1 stating that the mobile operator is providing an update for them. Customers are told to install it so that they can continue using the operator's mobile network. Anyone who complies installs malware on their smartphone.
https://www.watchlist-internet.at/news/warnung-vor-gefaelschtem-a1-update/
IT security - 100,000 devices: "Nice" hacker removes security holes without being asked
Devastating security vulnerabilities in Mikrotik routers have been known since April - there is no update from the manufacturer
https://derstandard.at/2000089517357/Netter-Hacker-entfernt-ungefragt-Sicherheitsluecken-bei-hunderttausend
Persistent Credential Theft with Authorization Plugins
Credential theft is often one of the first tactics leveraged by attackers once they've escalated privileges on a victim's machine. Credential theft on OSX has become more difficult with the introduction of System Integrity Protection (SIP). Attackers can no longer use methods such as extracting the master keys from the securityd process and decrypting the victim's login keychain. An example of this can be seen here.
https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65
Vulnerabilities
Omron CX-Supervisor
This advisory includes mitigations for improper restriction of operations within the bounds of a memory buffer, out-of-bounds read, use-after-free, and incorrect type conversion or cast vulnerabilities in Omron's CX-Supervisor software.
https://ics-cert.us-cert.gov/advisories/ICSA-18-290-01
Authentication bypass in server code in libssh
There is a vulnerability within the server code which can enable a client to bypass the authentication process and set the internal state machine maintained by the library to authenticated, enabling the (otherwise prohibited) creation of channels. Affected are libssh versions 0.6 and above when used on the server side; fixed in 0.8.4 and 0.7.6 (OpenSSH is not affected).
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
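As an added example (not code from libssh or from the advisory), a toy Python model of the server-side userauth state machine described above: a dispatcher that routes purely by message type, so that a client-sent USERAUTH_SUCCESS (message number 52 in RFC 4252, a message only a server should ever send) flips the session to authenticated without any credential check, next to a hardened dispatcher that only accepts the messages a client may legitimately send in the current state. The credential store, payload dictionaries and class names are constructed for the example.

```python
"""Toy model of an SSH server's userauth state machine.

VulnerableServer dispatches on message type alone (the pattern behind
CVE-2018-10933); HardenedServer also checks the session role and state.
Message numbers are from RFC 4252 / RFC 4254. This is not libssh code.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# SSH message numbers (RFC 4252 / RFC 4254)
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90

# Constructed credential store for the example (assumption, not real data)
VALID_CREDENTIALS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    authenticated: bool = False
    user: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


class VulnerableServer:
    """Handlers are registered per message type, not per role, so the handler
    for USERAUTH_SUCCESS (client-side logic: "the peer says we are in") is
    reachable from a client talking to the server."""

    def __init__(self) -> None:
        self.session = Session()
        self.handlers = {
            SSH_MSG_USERAUTH_REQUEST: self._on_userauth_request,
            SSH_MSG_USERAUTH_SUCCESS: self._on_userauth_success,  # the bug
            SSH_MSG_CHANNEL_OPEN: self._on_channel_open,
        }

    def receive(self, msg_type: int, payload: Optional[Dict] = None) -> bool:
        handler = self.handlers.get(msg_type)
        if handler is None:
            self.session.log.append(f"unimplemented message {msg_type}")
            return False
        return handler(payload or {})

    def _on_userauth_request(self, p: Dict) -> bool:
        # Real credential check: only path that should grant access.
        ok = VALID_CREDENTIALS.get(p.get("user", "")) == p.get("password")
        if ok:
            self.session.authenticated = True
            self.session.user = p["user"]
        return ok

    def _on_userauth_success(self, p: Dict) -> bool:
        # Client-side semantics applied on the server: trusts the peer.
        self.session.authenticated = True
        return True

    def _on_channel_open(self, p: Dict) -> bool:
        if not self.session.authenticated:
            return False
        self.session.channels.append(p.get("type", "session"))
        return True


class HardenedServer(VulnerableServer):
    """Only messages a client may send in the current state are dispatched;
    anything else is a protocol violation that closes the session."""

    ALLOWED = {
        "unauthenticated": {SSH_MSG_USERAUTH_REQUEST},
        "authenticated": {SSH_MSG_CHANNEL_OPEN},
    }

    def __init__(self) -> None:
        super().__init__()
        self.closed = False

    def receive(self, msg_type: int, payload: Optional[Dict] = None) -> bool:
        if self.closed:
            return False
        state = "authenticated" if self.session.authenticated else "unauthenticated"
        if msg_type not in self.ALLOWED[state]:
            self.session.log.append(f"protocol violation: {msg_type} while {state}")
            self.closed = True
            return False
        return super().receive(msg_type, payload)


def forged_success_then_channel(server: VulnerableServer) -> bool:
    """Client sends USERAUTH_SUCCESS without authenticating, then tries to
    open a channel. Returns whether the channel was opened."""
    server.receive(SSH_MSG_USERAUTH_SUCCESS)
    return server.receive(SSH_MSG_CHANNEL_OPEN, {"type": "session"})


def legitimate_login(server: VulnerableServer) -> bool:
    """Normal flow: valid password, then a channel open."""
    server.receive(SSH_MSG_USERAUTH_REQUEST,
                   {"user": "alice", "password": "correct horse battery staple"})
    return server.receive(SSH_MSG_CHANNEL_OPEN, {"type": "session"})
```

The point of the hardened variant is not the extra `if` but the shape of the check: the set of acceptable incoming message types is derived from the role (server) and the current state, and a message outside that set ends the session rather than being looked up in a shared handler table.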
VMSA-2018-0026
VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability
https://www.vmware.com/security/advisories/VMSA-2018-0026.html
Security updates for Wednesday
Security updates have been issued by CentOS (tomcat), Debian (asterisk, graphicsmagick, and libpdfbox-java), openSUSE (apache2 and git), Oracle (tomcat), Red Hat (kernel and Satellite 6.4), Slackware (libssh), SUSE (binutils, ImageMagick, and libssh), and Ubuntu (clamav, libssh, moin, and paramiko).
https://lwn.net/Articles/768617/
Synology-SA-18:55 DSM
A vulnerability allows remote authenticated users to obtain sensitive information via a susceptible version of Synology Diskstation Manager (DSM).
https://www.synology.com/en-global/support/security/Synology_SA_18_55
Oracle Critical Patch Update Advisory - October 2018
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Solaris Third Party Bulletin - October 2018
http://www.oracle.com/technetwork/topics/security/bulletinoct2018-5139632.html
Security Advisory - Information Leak Vulnerability in Some Huawei Smart Phones
http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20181017-01-smartphone-en
HPESBHF03891 rev.1 - HPE UIoT, Remote Unauthorized Access
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03891en_us