End-of-Day report
Timeframe: Monday 19-08-2019 18:00 - Tuesday 20-08-2019 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
News
Kernel: Corrupt file systems trip up Linux
In a discussion about adding a new file system to the Linux kernel it has become clear that many file system drivers cannot cope with corrupted data. That can lead not only to crashes but also to security vulnerabilities.
...
Under the current circumstances, mounting untrusted file systems is risky. As the discussion shows, one cannot rely on Linux file system drivers coping with malicious input data.
https://www.golem.de/news/kernel-defekte-dateisysteme-bringen-linux-zum-stolpern-1908-143323-rss.html
Guildma malware is now accessing Facebook and YouTube to keep up-to-date, (Tue, Aug 20th)
A new variant of the information stealer Guildma (aka Astaroth) we analyzed last week is accessing Facebook and YouTube to get a fresh list of its C2 servers. The C2 list is encrypted and hosted in two Facebook and three YouTube profiles maintained and constantly updated by the cybercriminals.
https://isc.sans.edu/diary/rss/25222
GitHub Token Scanning: one billion tokens identified and five new partners
If you've ever accidentally shared a token or credentials in a GitHub repository, or read about someone who has, you know how damaging it could be if a malicious user finds and exploits it. About a year ago, we introduced token scanning to help scan pushed commits and prevent fraudulent use of any credentials that are shared accidentally.
https://github.blog/2019-08-19-github-token-scanning-one-billion-tokens-identified-and-five-new-partners/
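As an added illustration of the kind of check a push-time token scanner performs (example code written for this report, not GitHub's implementation): it walks the added lines of a unified diff, matches a few publicly documented token formats, and applies a Shannon-entropy test to long opaque values assigned to secret-sounding names. The diff, the token values and the 3.5-bit entropy cut-off are constructed assumptions.

```python
"""Scan the added lines of a unified diff for credential-shaped strings.

Two heuristics are combined: a few publicly documented token formats matched
by regular expression, and a Shannon-entropy check on long opaque values
assigned to secret-sounding names. Hypothetical scanner written for this
note; it is not GitHub's token-scanning implementation."""
import math
import re

# Publicly documented credential shapes (the values scanned below are made up).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}

# A quoted value of 16+ non-blank characters assigned to a secret-sounding name.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b[\w.]*(secret|passw|token|api_?key|access_?key)[\w.]*"
    r"\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep a short prefix so a finding can be reported without re-leaking the secret."""
    return value[:4] + "..." + "*" * (len(value) - 4)


def scan_diff(diff_text: str) -> list:
    """Return one finding per credential-shaped string on the added lines of a diff.

    Only '+' lines are examined (a removed line leaks nothing new) and the
    '+++ b/file' header is skipped. A known format wins over the entropy
    heuristic so that one secret produces one finding."""
    findings = []
    for lineno, raw in enumerate(diff_text.splitlines(), 1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        matched = False
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"kind": kind, "line": lineno, "value": mask(m.group(0))})
                matched = True
        if matched:
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            entropy = shannon_entropy(value)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"kind": "high_entropy_secret", "line": lineno,
                                 "value": mask(value), "entropy": round(entropy, 2)})
    return findings


# Constructed diff for this example: one removed key (ignored), two known
# formats, one random-looking password and one obvious placeholder.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,7 @@
 DEBUG = False
-OLD_KEY = "AKIAJUNKJUNKJUNKJUNK"
+APP_NAME = "inventory"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SLACK_TOKEN = "xoxb-123456789012-abcdefghijklmnopqrstuvwx"
+DB_PASSWORD = "Tr0ub4dor&3-h8Zq2LmPq9vX"
+API_TOKEN = "changeme_changeme_changeme"
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

The placeholder on the last added line is deliberately left unflagged: its entropy is well below the cut-off, which is the trade-off such scanners make between catching real secrets and drowning reviewers in false positives.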
GAME OVER: Detecting and Stopping an APT41 Operation
In August 2019, FireEye released the 'Double Dragon' report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity.
http://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
Wrong version numbers: several Apache Struts security bulletins corrected
Struts 2 users who rely on the official advisories when updating should take another look - or switch directly to version 2.3.35 / 2.5.17 or later.
https://heise.de/-4500834
Ignore extortion e-mails alleging paedophilia
Supposedly your computer was hacked and you were filmed while masturbating. To keep the video from being published, hush money has to be paid. There is no reason to worry, however: this is a scam. Neither was your webcam hacked, nor were intimate videos of you recorded! Move this e-mail to the spam folder.
https://www.watchlist-internet.at/news/erpressung-mit-paedophilie-per-e-mail-ignorieren/
Vulnerabilities
Severe Flaws in Kubernetes Expose All Servers to DoS Attacks
Two high severity security flaws impacting the Kubernetes open-source system for handling containerized apps can allow an unauthorized attacker to trigger a denial of service state remotely, without user interaction.
https://www.bleepingcomputer.com/news/security/severe-flaws-in-kubernetes-expose-all-servers-to-dos-attacks/
Remote Code Execution: Double backdoor in Webmin
The system configuration software Webmin apparently contained backdoors for over a year that allow code to be executed over the network. The attackers apparently managed to manipulate the project's release files.
https://www.golem.de/news/remote-code-execution-doppelte-hintertuer-in-webmin-1908-143311-rss.html
iOS 12.4 jailbreak released after Apple 'accidentally un-patches' an old flaw
A fully functional jailbreak has been released for the latest iOS 12.4 on the Internet, making it the first public jailbreak in a long time, thanks to Apple. Dubbed "unc0ver 3.5.0," the jailbreak works with the updated iPhones, iPads and iPod Touches by leveraging a vulnerability that Apple previously patched in iOS 12.3 but accidentally reintroduced in the latest iOS version 12.4.
https://thehackernews.com/2019/08/ios-iphone-jailbreak.html
SphinxSearch 0.0.0.0:9306 (CVE-2019-14511)
TL;DR: SphinxSearch ships with an insecure default configuration that opens a listener on port 9306 on all interfaces. No authentication is required; connections with a MySQL client are possible.
https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-14511/
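A check for the SphinxSearch default described above, as an added example (not part of the advisory or of the Sphinx project): it parses the listen directives of a sphinx.conf, flags searchd listeners that are not bound to loopback or a unix socket, and rewrites them to 127.0.0.1. The listen syntax assumed is Sphinx's [address:]port[:protocol] form, where an omitted address binds all interfaces; the configuration text is constructed and modelled on the shipped defaults.

```python
"""Audit and harden the searchd 'listen' directives in a sphinx.conf.

Written for this note as an illustration; not SphinxSearch project code.
Assumed syntax: listen = [address:]port[:protocol] or a unix socket path,
with protocol 'sphinx' (native API) by default or 'mysql41'. A listener
with no address, 0.0.0.0 or :: is reachable from every interface, and
searchd itself performs no authentication on either protocol."""
import re

LISTEN_RE = re.compile(r"^\s*listen\s*=\s*(\S+)")
SECTION_RE = re.compile(r"^(searchd|indexer|common|source|index)\b")
WILDCARD_ADDRS = {"", "0.0.0.0", "::", "*"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "localhost"}


def parse_listen(value):
    """Split a listen value into (address, port, protocol).

    Unix sockets come back as (path, None, protocol); they are host-local."""
    if value.startswith("/"):
        path, _, proto = value.partition(":")
        return path, None, proto or "sphinx"
    parts = value.split(":")
    proto = "sphinx"
    if len(parts) > 1 and not parts[-1].isdigit():
        proto = parts.pop()          # trailing ':mysql41' style protocol
    port = int(parts[-1])
    address = ":".join(parts[:-1])   # '' when only a port was given
    return address, port, proto


def audit_config(text):
    """Return a finding for every searchd listener not bound to loopback or a socket."""
    findings = []
    in_searchd = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        if "=" not in stripped and SECTION_RE.match(stripped):
            in_searchd = stripped.startswith("searchd")
            continue
        if stripped == "}":
            in_searchd = False
            continue
        if not in_searchd:
            continue
        m = LISTEN_RE.match(stripped)
        if not m:
            continue
        address, port, proto = parse_listen(m.group(1))
        if port is None or address in LOOPBACK_ADDRS:
            continue
        findings.append({
            "line": lineno,
            "port": port,
            "protocol": proto,
            "scope": "all interfaces" if address in WILDCARD_ADDRS else address,
            "note": "searchd does not authenticate clients; bind loopback or firewall the port",
        })
    return findings


def harden(text):
    """Rewrite wildcard searchd listeners to bind 127.0.0.1; other lines unchanged."""
    flagged = {f["line"]: f for f in audit_config(text) if f["scope"] == "all interfaces"}
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if lineno in flagged:
            m = LISTEN_RE.match(line)
            f = flagged[lineno]
            line = line[:m.start(1)] + f"127.0.0.1:{f['port']}:{f['protocol']}" + line[m.end(1):]
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sphinx.conf modelled on the shipped defaults: both searchd
# listeners are bound to every interface, the unix socket is fine.
WEAK_CONF = """\
source src1
{
    type = mysql
    sql_host = 127.0.0.1
}

index test1
{
    source = src1
    path = /var/lib/sphinx/test1
}

searchd
{
    listen = 9312
    listen = 9306:mysql41    # the MySQL-protocol listener from CVE-2019-14511
    listen = /var/run/searchd.sock
    log = /var/log/searchd.log
}
"""

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONF):
        print(finding)
    print(harden(WEAK_CONF))
```

Binding loopback is the right default when only local clients need searchd; where remote clients are required, the listener stays on a specific interface and the port is restricted at the host firewall, since the daemon itself will not refuse anyone.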
Security Bulletin VLC 3.0.8
If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.
While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution, but may be bypassed.
We have not seen exploits performing code execution through these vulnerabilities.
https://www.videolan.org/security/sb-vlc308.html
Ruby rest-client 1.6.13
It seems that rest-client 1.6.13 has been uploaded to rubygems.org. I did a review between 1.6.9 and 1.6.13 and it seems that the latest version evaluates remote code from pastebin.com and sends information to mironanoru.zzz.com.ua
https://github.com/rest-client/rest-client/issues/713
Vulnerability Spotlight: Multiple vulnerabilities in Aspose APIs
Cory Duplantis and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more.
https://blog.talosintelligence.com/2019/08/aspose-APIs-RCE-vulns-aug-2019.html
Security updates for Tuesday
Security updates have been issued by Debian (flask), openSUSE (clementine, dkgpg, libTMCG, openexr, and zstd), Oracle (kernel, mysql:8.0, redis:5, and subversion:1.10), SUSE (nodejs6, python-Django, and rubygem-rails-html-sanitizer), and Ubuntu (cups, docker, docker-credential-helpers, kconfig, kde4libs, libreoffice, nova, and openldap).
https://lwn.net/Articles/796759/
IBM Security Bulletin: IBM MQ is vulnerable to a denial of service attack within the error logging function (CVE-2019-4049)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-within-the-error-logging-function-cve-2019-4049/
IBM Security Bulletin: A vulnerability in IBM Websphere Application Server affects IBM Cloud App Management
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-websphere-application-server-affects-ibm-cloud-app-management/
IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM License Metric Tool v9 (CVE-2019-4046).
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-websphere-application-server-liberty-affects-ibm-license-metric-tool-v9-cve-2019-4046/
IBM Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM License Key Server Administration & Reporting Tool and Agent
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vulnerabilities-in-ibm-websphere-application-server-liberty-affect-ibm-license-key-server-administration-reporting-tool-and-agent/
IBM Security Bulletin: IBM MQ Appliance affected by an OpenSSH vulnerability (CVE-2019-6110)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-affected-by-an-openssh-vulnerability-cve-2019-6110/
IBM Security Bulletin: Information disclosure for IBM Infosphere Global Name Management
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosure-for-ibm-infosphere-global-name-management/
IBM Security Bulletin: Information disclosure for IBM Infosphere Identity Insight
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosure-for-ibm-infosphere-identity-insight/
IBM Security Bulletin: Error Message Vulnerabilities Affect IBM Emptoris Sourcing, IBM Emptoris Contract Management and IBM Emptoris Spend Analysis.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-error-message-vulnerabilities-affect-ibm-emptoris-sourcing-ibm-emptoris-contract-management-and-ibm-emptoris-spend-analysis/
IBM Security Bulletin: Cross-site Scripting Affects IBM Emptoris Spend Analysis (CVE-2019-4482)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-affects-ibm-emptoris-spend-analysis-cve-2019-4482/
IBM Security Bulletin: SQL Injection Affects IBM Emptoris Spend Analysis and IBM Emptoris Contract Management (CVE-2019-4481, CVE-2019-4483)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-sql-injection-affects-ibm-emptoris-spend-analysis-and-ibm-emptoris-contract-management-cve-2019-4481-cve-2019-4483/
IBM Security Bulletin: Multiple IBM MQ Security Vulnerabilities Affect IBM Sterling B2B Integrator
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-ibm-mq-security-vulnerabilities-affect-ibm-sterling-b2b-integrator/
IBM Security Bulletin: API Connect V2018 (ova) is impacted by vulnerabilities in Ubuntu OS (CVE-2019-4504)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-ova-is-impacted-by-vulnerabilities-in-ubuntu-os-cve-2019-4504/
IBM Security Bulletin: API Connect V2018 is impacted by a Kubernetes vulnerability (CVE-2019-11246)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-impacted-by-a-kubernetes-vulnerabilitycve-2019-11246/
IBM Security Bulletin: IBM API Connect's Developer Portal is impacted by a path traversal vulnerability.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-developer-portal-is-impacted-by-a-path-traversal-vulnerability/
IBM Security Bulletin: IBM i is affected by networking BIND vulnerability CVE-2019-6471.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-networking-bind-vulnerability-cve-2019-6471/
IBM Security Bulletin: API Connect V2018 is impacted by an information disclosure vulnerability (CVE-2019-4437)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-impacted-by-a-information-disclosure-vulnerability-cve-2019-4437/
IBM Security Bulletin: IBM Cloud Kubernetes Service is affected by Linux Kernel security vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-kubernetes-service-is-affected-by-linux-kernel-security-vulnerabilities-cve-2019-11477-cve-2019-11478-cve-2019-11479/
IBM Security Bulletin: XML External Entity Injection vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4424)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-xml-external-entity-injection-vulnerability-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2019-4424/
IBM Security Bulletin: Reverse tabnabbing vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4425)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-reverse-tabnabbing-vulnerability-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2019-4425/
IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private - Docker (CVE-2018-15664)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerability-affects-ibm-cloud-private-docker-cve-2018-15664/
IBM Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-multiple-security-vulnerabilities/
IBM Security Bulletin: Vulnerability in NTP affects AIX (CVE-2019-8936)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ntp-affects-aix-cve-2019-8936-security-bulletin/
IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jul 2018 - Includes Oracle Jul 2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-jul-2018-includes-oracle-jul-2018-cpu-affects-db2-recovery-expert-for-linux-unix-and-windows/
HTTP/2 Empty Frames Flood vulnerability CVE-2019-9518
https://support.f5.com/csp/article/K46011592
HTTP/2 Settings Flood vulnerability CVE-2019-9515
https://support.f5.com/csp/article/K50233772
HTTP/2 Ping Flood vulnerability CVE-2019-9512
https://support.f5.com/csp/article/K98053339
HTTP/2 Reset Flood vulnerability CVE-2019-9514
https://support.f5.com/csp/article/K01988340