Daily summary - 17.08.2018

End-of-Day report

Timeframe: Thursday 16-08-2018 18:00 - Friday 17-08-2018 18:00 Handler: Stephan Richter Co-Handler: n/a

News

PHP Deserialization Issue Left Unfixed in WordPress CMS

WordPress CMS installations are vulnerable to a PHP bug related to data unserialization (also known as deserialization), a security researcher has revealed at the start of the month.

https://www.bleepingcomputer.com/news/security/php-deserialization-issue-left-unfixed-in-wordpress-cms/


New Trickbot Variant Touts Stealthy Code-Injection Trick

Trickbot is back, this time with a stealthy code injection trick.

https://threatpost.com/new-trickbot-variant-touts-stealthy-code-injection-trick/136606/


Highly Flexible Marap Malware Enters the Financial Scene

A new downloader, which has been spotted in an array of recent email campaigns, uses anti-analysis techniques and calls in a system fingerprinting module.

https://threatpost.com/highly-flexible-marap-malware-enters-the-financial-scene/136623/


Anti-Coinminer Mining Campaign

Coinminer malware has been on the rise for some time. As more and more users become aware of this threat and try to take measures to protect themselves, cybercriminals are attempting to cash in on that fear by serving crypto-miner malware from a website claiming to offer a coinminer blocker.

https://www.zscaler.com/blogs/research/anti-coinminer-mining-campaign


Detecting SSH Username Enumeration

A very quick post about a new thread that was started yesterday on the OSS-Security mailing list. It's about a vulnerability affecting almost ALL SSH server versions.

https://blog.rootshell.be/2018/08/16/detecting-ssh-username-enumeration/


Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe

Microsoft.Workflow.Compiler.exe, a utility included by default in the .NET framework, permits the execution of arbitrary, unsigned code by supplying a serialized workflow in the form of an XOML workflow file (don't worry, I had no clue what that was either) and an XML file consisting of serialized compiler arguments.

https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb


Back to the 90s: FragmentSmack

Last week we had SegmentSmack (CVE-2018-5390), which allows remote DoS attacks by sending crafted TCP packets; this week a similar vulnerability has been reported on IP fragments.

https://isc.sans.edu/forums/diary/Back+to+the+90s+FragmentSmack/23998/

Vulnerabilities

Philips PageWriter TC10, TC20, TC30, TC50, and TC70 Cardiographs

This medical device advisory includes mitigation recommendations for improper input validation and use of hard-coded credentials vulnerabilities in Philips PageWriter Cardiographs.

https://ics-cert.us-cert.gov/advisories/ICSMA-18-228-01


Emerson DeltaV DCS Workstations

This advisory includes mitigation recommendations for uncontrolled search path element, relative path traversal, improper privilege management, and stack-based buffer overflow vulnerabilities in Emerson's DeltaV workstations.

https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01


Tridium Niagara

This advisory was originally posted to the HSIN ICS-CERT library on July 10, 2018, and is being released to the NCCIC/ICS-CERT website. This advisory includes mitigation recommendations for path traversal and improper authentication vulnerabilities in Tridium's Niagara systems.

https://ics-cert.us-cert.gov/advisories/ICSA-18-191-03


WAGO 750-8xx Controller Denial of Service

The 750-8xx controllers are susceptible to a denial-of-service attack due to a flood of network packets.

https://cert.vde.com/de-de/advisories/vde-2018-013


Security updates for Friday

Security updates have been issued by Debian (intel-microcode, keystone, php-horde-image, and xen), Fedora (rsyslog), openSUSE (apache2, clamav, kernel, php7, qemu, samba, and Security), Oracle (mariadb and qemu-kvm), Red Hat (docker, mariadb, and qemu-kvm), Scientific Linux (mariadb and qemu-kvm), SUSE (GraphicsMagick, kernel, kgraft, mutt, perl-Archive-Zip, python, and xen), and Ubuntu (postgresql-10, postgresql-9.3, postgresql-9.5, procps, and webkit2gtk).

https://lwn.net/Articles/762914/


Jenkins: Multiple vulnerabilities allow, among other things, denial-of-service attacks

https://adv-archiv.dfn-cert.de/adv/2018-1645/


Red Hat JBoss Core Services Apache HTTP Server: Multiple vulnerabilities allow, among other things, various denial-of-service attacks

https://adv-archiv.dfn-cert.de/adv/2018-1673/


Red Hat JBoss Web Server: Multiple vulnerabilities allow security mechanisms to be bypassed

https://adv-archiv.dfn-cert.de/adv/2018-1674/


IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java Technology Edition

http://www.ibm.com/support/docview.wss?uid=ibm10719653


IBM Security Bulletin: Cross-site scripting vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology

https://www-01.ibm.com/support/docview.wss?uid=ibm10713739


BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546

https://support.f5.com/csp/article/K54431371


BIG-IP APM client for Windows vulnerability CVE-2018-5547

https://support.f5.com/csp/article/K10015187
