Daily summary - 27.12.2019

End-of-Day report

Timeframe: Monday 23-12-2019 18:00 - Friday 27-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Timely acquisition of network traffic evidence in the middle of an incident response procedure, (Wed, Dec 25th)

The acquisition of evidence is one of the procedures that always brings controversy in incident management. We must answer questions such as: [...]

https://isc.sans.edu/diary/rss/25560


Bypassing UAC to Install a Cryptominer

First of all, Merry Christmas to all our readers! I hope you're enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer and its most interesting feature is the use of a classic technique to bypass UAC[2].

https://isc.sans.edu/forums/diary/Bypassing+UAC+to+Install+a+Cryptominer/25644/


Video: Identity theft with fake Airbnb e-mails

Airbnb enjoys a high level of trust among its users. Criminals are trying to take advantage of this as well: they send fraudulent phishing e-mails in Airbnb's design.

https://www.watchlist-internet.at/news/video-identitaetsdiebstahl-mit-gefaelschten-airbnb-mails/


Video: Extortion e-mails

Criminals are mass-mailing extortion e-mails to Internet users. In them, they claim to have filmed the recipients while masturbating. To prevent the video from being published, a certain amount of money is to be paid in Bitcoin.

https://www.watchlist-internet.at/news/video-erpressungs-mails/

Vulnerabilities

New Magellan 2.0 SQLite Vulnerabilities Affect Many Programs

New vulnerabilities in the SQLite database engine affect a wide range of applications that utilize it as a component within their software packages.

https://www.bleepingcomputer.com/news/security/new-magellan-20-sqlite-vulnerabilities-affect-many-programs/


AVE DOMINAplus 1.10.x Credentials Disclosure Exploit

The application suffers from a clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory hosting the XML file /xml/authClients.xml and obtain administrative login information, which enables a successful authentication bypass attack.

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php


AVE DOMINAplus 1.10.x Authentication Bypass Exploit

DOMINAplus suffers from an authentication bypass vulnerability due to a missing access-control check when the autologin GET parameter of the changeparams.php script is called directly. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php


AVE DOMINAplus 1.10.x Unauthenticated Remote Reboot

The application suffers from an unauthenticated reboot command execution vulnerability. Attackers can exploit this issue to cause a denial-of-service condition.

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php


AVE DOMINAplus 1.10.x CSRF/XSS Vulnerabilities

The application suffers from multiple CSRF and XSS vulnerabilities. It allows users to perform certain actions via HTTP requests without performing any validity checks to verify those requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script [...]

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php


Inim Electronics Smartliving SmartLAN/G/SI 6.x Hard-coded Credentials

The device uses hard-coded credentials within its Linux distribution image. These sets of credentials (Telnet, SSH, FTP) are never exposed to the end user and cannot be changed through any normal operation of the smart home device. An attacker could exploit this vulnerability by logging in and gaining system access.

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php


Security updates for Tuesday

Security updates have been issued by CentOS (freetype, kernel, nss, nss-softokn, nss-util, and thunderbird), Mageia (ghostpcl, libmirage, and spamassassin), Oracle (fribidi), and SUSE (mariadb-100, shibboleth-sp, and slurm).

https://lwn.net/Articles/808090/


Security updates for Thursday

Security updates have been issued by CentOS (firefox, fribidi, nss, nss-softokn, nss-util, openslp, and thunderbird), Debian (opensc), and Mageia (389-ds-base, apache, apache-mod_auth_openidc, kernel, libofx, microcode, php, and ruby).

https://lwn.net/Articles/808119/


CA Client Automation 14.x Privilege Escalation

https://cxsecurity.com/issue/WLB-2019120108


IBM Security Bulletins

https://www.ibm.com/blogs/psirt/


Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-01-validation-en


Security Advisory - Integer Overflow Vulnerability in the Linux Kernel (SACK Panic)

http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-01-kernel-en


Security Advisory - Multiple Vulnerabilities in the X.509 Implementation in Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-01-eudemon-en


Security Advisory - Missing Integrity Checking Vulnerability on Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-01-digital-en


Red Hat Enterprise Linux: Multiple vulnerabilities allow execution of arbitrary code with the privileges of the service

http://www.cert-bund.de/advisoryshort/CB-K19-1110


ImageMagick / GraphicsMagick: Multiple vulnerabilities allow denial of service

http://www.cert-bund.de/advisoryshort/CB-K19-1117


D-LINK Router: Vulnerability allows cross-site scripting

http://www.cert-bund.de/advisoryshort/CB-K19-1116


Nvidia GeForce Experience: Vulnerability allows privilege escalation

http://www.cert-bund.de/advisoryshort/CB-K19-1114


Trend Micro Maximum Security: Vulnerability allows denial of service or information disclosure

http://www.cert-bund.de/advisoryshort/CB-K19-1113


Trend Micro AntiVirus for Mac: Vulnerability allows manipulation of files

http://www.cert-bund.de/advisoryshort/CB-K19-1120