End-of-Day report
Timeframe: Monday 04-03-2019 18:00 - Tuesday 05-03-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes
The flaw allows attackers to hide exploits in weaponized Word documents in a way that won't trigger most antivirus solutions, the researchers said. In a recent spam campaign observed by Mimecast, the attached Word documents contained a hidden exploit for an older vulnerability in Microsoft Equation Editor (CVE-2017-11882).
https://threatpost.com/zero-day-exploit-microsoft/142327/
SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability
"Leakage ... is visible in all Intel generations starting from 1st-gen Intel Core CPUs." Further demonstrating the computational risks of looking into the future, boffins have found another way to abuse speculative execution in Intel CPUs to leak secrets and other data from running applications.
http://go.theregister.com/feed/www.theregister.co.uk/2019/03/05/spoiler_intel_flaw/
Do not order alibis or forged documents from dokumenten-guru.de!
On dokumenten-guru.de consumers find a highly dubious offer. Against payment in advance, the site offers fake alibis, bogus invoices and documents, as well as forged diplomas and certificates. These services should under no circumstances be used: according to user reports the goods never arrive anyway, and consumers who use forged documents and diplomas make themselves liable to prosecution!
https://www.watchlist-internet.at/news/keine-alibis-und-urkundenfaelschungen-auf-dokumenten-gurude-bestellen/
Do not use the services of installateur-24.info
When searching Google for plumbing companies, consumers come across installateur-24.info. The site's operators advertise a round-the-clock emergency service, fair prices and plenty of experience. Anyone who uses the services is in for a nasty surprise: the prices turn out to be extremely high and the work delivered leaves much to be desired.
https://www.watchlist-internet.at/news/keine-dienste-von-installateur-24info-nutzen/
Vulnerabilities
Android Security Bulletin - March 2019
[...] The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
https://source.android.com/security/bulletin/2019-03-01.html
VMSA-2018-0023
The AirWatch Agent for iOS devices contains a data protection vulnerability whereby the files and keychain entries in the Agent are not encrypted.
The VMware Content Locker for iOS devices contains a data protection vulnerability in the SQLite database. This vulnerability relates to unencrypted filenames and associated metadata in SQLite database for the Content Locker.
https://www.vmware.com/security/advisories/VMSA-2018-0023.html
Xen XSA-294
Malicious 64bit PV guests may be able to cause a host crash (Denial of Service).
Additionally, vulnerable configurations are unstable even in the absence of an attack.
https://xenbits.xen.org/xsa/advisory-294.html
Xen XSA-293
A malicious unprivileged guest userspace process can escalate its privilege to that of other userspace processes in the same guest, and potentially thereby to that of the guest operating system. Additionally, some guest software which attempts to use this CPU feature may trigger the bug accidentally, leading to crashes or corruption of other processes in the same guest.
https://xenbits.xen.org/xsa/advisory-293.html
Xen XSA-292
Malicious PV guests may be able to cause a host crash (Denial of Service) or to gain access to data pertaining to other guests. Privilege escalation opportunities cannot be ruled out. Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack.
https://xenbits.xen.org/xsa/advisory-292.html
Xen XSA-291
Malicious or buggy x86 PV guest kernels can mount a Denial of Service (DoS) attack affecting the whole system.
https://xenbits.xen.org/xsa/advisory-291.html
Xen XSA-290
Malicious or buggy x86 PV guest kernels can mount a Denial of Service (DoS) attack affecting the whole system.
https://xenbits.xen.org/xsa/advisory-290.html
Xen XSA-288
An untrusted PV domain with access to a physical device can DMA into its own pagetables, leading to privilege escalation.
https://xenbits.xen.org/xsa/advisory-288.html
Xen XSA-287
A single PV guest can leak arbitrary amounts of memory, leading to a denial of service.
A cooperating pair of PV and HVM/PVH guests can get a writable pagetable entry, leading to information disclosure or privilege escalation.
Privilege escalation attacks using only a single PV guest or a pair of PV guests have not been ruled out.
Note that both of these attacks require very precise timing, which may be difficult to exploit in practice.
https://xenbits.xen.org/xsa/advisory-287.html
Xen XSA-285
Malicious PV guests can escalate their privilege to that of the hypervisor.
https://xenbits.xen.org/xsa/advisory-285.html
Xen XSA-284
The primary impact is a memory leak. Malicious or buggy guests with passed through PCI devices may also be able to escalate their privileges, crash the host, or access data belonging to other guests.
https://xenbits.xen.org/xsa/advisory-284.html
Security updates for Tuesday
Security updates have been issued by Debian (nss), openSUSE (procps), Red Hat (redhat-virtualization-host, rhvm-appliance, and vdsm), SUSE (freerdp, kernel, and obs-service-tar_scm), and Ubuntu (openssh).
https://lwn.net/Articles/781363/
Security Advisory - FRP Bypass Vulnerability on Some Huawei Smartphones
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190305-01-frp-en
IBM Security Bulletin: A vulnerability in Spice affects PowerKVM
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-spice-affects-powerkvm-3/
IBM Security Bulletin: A vulnerability in Polkit affects PowerKVM
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-polkit-affects-powerkvm/
IBM Security Bulletin: A vulnerability in Bind affects PowerKVM
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-bind-affects-powerkvm-3/
IBM Security Bulletin: Vulnerabilities in systemd affect PowerKVM
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabiliies-in-systemd-affect-powerkvm/
IBM Security Bulletin: A vulnerability in Perl affects PowerKVM
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-perl-affects-powerkvm/
IBM Security Bulletin: Cross-site scripting vulnerability in WebSphere Application Server Admin Console (CVE-2019-4030)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-vulnerability-in-websphere-application-server-admin-console-cve-2019-4030/
IBM Security Bulletin: A vulnerability in keepalived affects PowerKVM
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-keepalived-affects-powerkvm/
IBM Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-the-linux-kernel-affect-powerkvm-14/
IBM Security Bulletin: Vulnerabilities in libmspack affect PowerKVM
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabiliies-in-libmspack-affect-powerkvm/
IBM Security Bulletin: A vulnerability in NetworkManager affects PowerKVM
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-networkmanager-affects-powerkvm-2/