Daily summary - 06.09.2018

End-of-Day report

Timeframe: Wednesday 05-09-2018 18:00 - Thursday 06-09-2018 18:00
Handler: Robert Waldner
Co-Handler: n/a

News

Do not order from apothekerezeptfrei.com

Consumers looking for medicines, and in particular erectile dysfunction drugs, will find a large selection of medicines on apothekerezeptfrei.com, some of them prescription-only. Anyone interested should under no circumstances order here, because it is a fake shop that takes payment but delivers no goods. In addition, prescription-only medicines should not be bought without a corresponding prescription.

https://www.watchlist-internet.at/news/nicht-bestellen-bei-apothekerezeptfreicom/


Browser Extensions: Are They Worth the Risk?

Popular file-sharing site Mega.nz is warning users that cybercriminals hacked its browser extension for Google Chrome so that any usernames and passwords submitted through the browser were copied and forwarded to a rogue server in Ukraine. This attack serves as a fresh reminder that legitimate browser extensions can and periodically do fall into the wrong hands, and that it makes good security sense to limit your exposure to such attacks by getting rid of extensions that are no longer useful or

https://krebsonsecurity.com/2018/09/browser-extensions-are-they-worth-the-risk/


Malicious PowerShell Compiling C# Code on the Fly, (Wed, Sep 5th)

What I like when hunting is to discover how attackers are creative to find new ways to infect their victims' computers. I came across a PowerShell sample that looked new and interesting to me.

https://isc.sans.edu/diary/rss/24072


Using just a laptop, boffins sniff, spoof and pry - without busting browser padlock

In a paper seen by The Register, to be presented at the ACM's Conference on Computer and Communications Security (Toronto in October), Dr Shulman's team wrote: "The attack exploits DNS Cache Poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own - namely certificates binding the attacker's public key to a victim domain."

https://www.theregister.co.uk/2018/09/06/boffins_break_cas_domain_validation/

Vulnerabilities

Cisco Releases Security Updates

Original release date: September 05, 2018

Cisco has released updates to address multiple vulnerabilities affecting Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. NCCIC encourages users and administrators to review the Cisco Security Advisories and Alerts website and apply the necessary updates.

https://www.us-cert.gov/ncas/current-activity/2018/09/05/Cisco-Releases-Security-Updates


DokuWiki CSV Formula Injection Vulnerability

The administration panel of the application has a "CSV export of users" feature which allows the export of user data (username, real name, email address and user groups) as a CSV file. On the registration page, it is possible for an attacker to set certain values in the Real Name field that, when exported and opened with a spreadsheet application (Microsoft Excel, OpenOffice, etc.), will be interpreted as a formula.

https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability/
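The defensive counterpart to the advisory above is to neutralise user-supplied text before it is written into a CSV export, so that a spreadsheet reads every cell as literal text. The following is an added example for this digest, not code from DokuWiki or from the SEC Consult advisory: the field names, the sample user records and the helper names are constructed for illustration. It applies the common guidance of quoting every cell and prefixing cells that start with a formula trigger (=, +, -, @) or a separator character with an apostrophe, and it includes a small audit function that lists which stored records already carry such values.

```python
import csv
import io

# Leading characters that common spreadsheet applications interpret as the
# start of a formula (=, +, -, @) or that act as cell/record separators and
# could let a value escape its cell (tab, CR, LF).
FORMULA_TRIGGERS = frozenset("=+-@\t\r\n")


def is_formula_like(value):
    """True if a spreadsheet would parse this string as a formula, not as text."""
    if not isinstance(value, str):
        return False
    stripped = value.lstrip()
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(value):
    """Return the value in a form a spreadsheet will read as literal text.

    A leading apostrophe tells Excel and LibreOffice to treat the cell as text;
    csv.QUOTE_ALL in the writer below takes care of separators and embedded
    double quotes. Non-string values (numbers, None) pass through untouched.
    """
    if is_formula_like(value):
        return "'" + value
    return value


# Hypothetical column set mirroring the export described in the advisory.
USER_FIELDS = ("user", "name", "email", "groups")


def export_users_csv(users):
    """Serialise user records to CSV with every text cell neutralised.

    `users` is a list of dicts keyed by USER_FIELDS, where `groups` is a list.
    Returns the CSV document as a string.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(USER_FIELDS)
    for user in users:
        writer.writerow([
            neutralize_cell(user["user"]),
            neutralize_cell(user["name"]),
            neutralize_cell(user["email"]),
            neutralize_cell(",".join(user["groups"])),
        ])
    return buf.getvalue()


def audit_users(users):
    """Report (username, field) pairs whose stored text is formula-like.

    Useful for cleaning up existing records or raising an alert when a
    registration form submits such a value.
    """
    findings = []
    for user in users:
        for field in ("user", "name", "email"):
            if is_formula_like(user[field]):
                findings.append((user["user"], field))
    return findings


# Constructed sample records; the formula-like names are benign placeholders.
SAMPLE_USERS = [
    {"user": "jdoe", "name": "Jane Doe", "email": "jane@example.org", "groups": ["user"]},
    {"user": "eve", "name": "=1+1", "email": "eve@example.org", "groups": ["user"]},
    {"user": "mallory", "name": "@contact", "email": "mallory@example.org", "groups": ["user", "admin"]},
]

if __name__ == "__main__":
    print("formula-like fields:", audit_users(SAMPLE_USERS))
    print(export_users_csv(SAMPLE_USERS))
```

Two caveats worth knowing before adopting this: the apostrophe may remain visible when the CSV is imported rather than typed, and legitimate values that begin with a trigger character (international phone numbers starting with "+", negative numbers stored as text) are prefixed as well. If that is unacceptable for a given column, stripping the leading trigger characters is the alternative, at the cost of altering the data. Restricting what the registration form accepts in the Real Name field in the first place reduces how often either path is needed.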


VMSA-2018-0023: AirWatch Agent and VMware Content Locker updates resolve data protection vulnerabilities

* The AirWatch Agent for iOS devices contains a data protection vulnerability whereby the files and keychain entries in the Agent are not encrypted. CVE-2018-6975
* The VMware Content Locker for iOS devices contains a data protection vulnerability in the SQLite database. This vulnerability relates to unencrypted filenames and associated metadata in the SQLite database for the Content Locker. CVE-2018-6976

https://www.vmware.com/security/advisories/VMSA-2018-0023.html


Vulnerability Spotlight: TALOS-2018-0560 - ERPNext SQL Injection Vulnerabilities

Talos is disclosing multiple SQL injection vulnerabilities in the Frappe ERPNext Version 10.1.6 application. Frappe ERPNext is an open-source enterprise resource planning (ERP) cloud application. These vulnerabilities enable an attacker to bypass authentication and get unauthenticated access to sensitive data. An attacker can use a normal web browser to trigger these vulnerabilities - no special tools are required.

https://blog.talosintelligence.com/2018/09/vulnerability-spotlight-talos-2018-0560.html


Security updates for Thursday

Security updates have been issued by Debian (curl, gdm3, git-annex, lcms2, and sympa), Fedora (discount, dolphin-emu, gd, obs-build, osc, tcpflow, and yara), openSUSE (wireshark), Slackware (curl, firefox, ghostscript, and thunderbird), SUSE (apache-pdfbox, curl, dovecot22, and libvirt), and Ubuntu (libtirpc).

https://lwn.net/Articles/764300/


IBM Security Bulletin: Vulnerabilities in Kerberos affect Power Hardware Management Console (CVE-2017-11368, CVE-2017-7562)

http://www.ibm.com/support/docview.wss?uid=ibm10717893


IBM Security Bulletin: IBM Lotus Protector for Mail Security has released fixes in response to the public disclosed vulnerability from PHP

https://www-01.ibm.com/support/docview.wss?uid=ibm10719483


IBM Security Bulletin: Vulnerabilities in Oracle Outside In Technology Affect IBM WebSphere Portal (CVE-2018-2768, CVE-2018-2801, CVE-2018-2806)

https://www-01.ibm.com/support/docview.wss?uid=ibm10715935


IBM Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2018-1567)

https://www-01.ibm.com/support/docview.wss?uid=swg22016254


Apache Tomcat vulnerability CVE-2018-8034

https://support.f5.com/csp/article/K34468163