Daily Summary - 26.09.2019

End-of-Day report

Timeframe: Wednesday 25-09-2019 18:00 - Thursday 26-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

Forum software vBulletin: patch closes critical zero-day vulnerability

The vBulletin developers have released patches that close a vulnerability rated as critical. Forum operators should act now.

https://heise.de/-4539833


BSI presents "IT-Notfall" service package for small and medium-sized enterprises

An emergency card to hang on the wall and a new catalogue of measures for those responsible for security are intended to help SMEs cope better with cyber threats.

https://heise.de/-4540075


Hackers Replace Windows Narrator to Get SYSTEM Level Access

Chinese hackers are replacing the legitimate Narrator app on targeted Windows systems with a trojanized version that gives them remote access with the privileges of SYSTEM, the most powerful account on the operating system.

https://www.bleepingcomputer.com/news/security/hackers-replace-windows-narrator-to-get-system-level-access/
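A quick integrity check for the binary the article describes, as an added example (not code from the article or from the reporting vendor): it verifies the Authenticode signature of Narrator.exe under System32 and records its SHA-256 and last-write time. The other names in the list are the same family of accessibility helpers; including them is a generalisation of the check, not something the article reports.

```powershell
# Added example, not from the article: flag accessibility helpers under System32
# whose Authenticode signature is missing, broken, or not from Microsoft.
# Narrator.exe is the binary the article describes being replaced; the other
# names are the same family of accessibility tools, included as a generalisation.
$binaries = 'Narrator.exe', 'sethc.exe', 'utilman.exe', 'osk.exe', 'Magnify.exe'

foreach ($name in $binaries) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path -Path $path)) {
        "$name : not present"
        continue
    }

    # Get-AuthenticodeSignature also resolves catalog-signed files on Windows 8+
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $item = Get-Item -Path $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Anything not 'Valid', or valid but not signed by Microsoft, deserves a look.
    $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')

    [pscustomobject]@{
        File       = $name
        SigStatus  = $sig.Status
        Signer     = $signer
        SHA256     = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Modified   = $item.LastWriteTime
        Suspicious = $suspicious
    }
}
```

Run it in an elevated Windows PowerShell session and pipe the output to Format-Table. A row with Suspicious = True warrants comparing the hash against a known-good copy from the same Windows build, and `sfc /verifyfile=C:\Windows\System32\Narrator.exe` gives a second, independent verdict from the component store.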


Ransomware Decryptors Released for Yatron, WannaCryFake, & FortuneCrypt

Security vendors released decryptors for three ransomware infections today that allow victims to recover their files for free. These decryptors are for the WannaCryFake, Yatron, and FortuneCrypt Ransomware infections.

https://www.bleepingcomputer.com/news/security/ransomware-decryptors-released-for-yatron-wannacryfake-and-fortunecrypt/


Windows Exploitation Tricks: Spoofing Named Pipe Client PID

Posted by James Forshaw, Project Zero

While researching the Access Mode Mismatch in IO Manager bug class I came across an interesting feature in named pipes which allows a server to query the connected client's PID. This feature was introduced in Vista and is exposed to servers through the GetNamedPipeClientProcessId API: pass the API a handle to the pipe server and you'll get back the PID of the connected client.

https://googleprojectzero.blogspot.com/2019/09/windows-exploitation-tricks-spoofing.html
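The following is an added example, not code from the Project Zero post: a minimal PowerShell named-pipe server that calls GetNamedPipeClientProcessId through P/Invoke and compares the kernel-reported PID with the PID the client reports about itself. The pipe name and the background-job client are constructed for the demo. Since the post's subject is that a client can spoof this value, a server must treat the returned PID as informational and never as the basis for an access-control decision.

```powershell
# Added example, not from the Project Zero post: a named-pipe server that
# queries the connected client's PID via kernel32!GetNamedPipeClientProcessId.
# The pipe name and the background-job client are constructed for this demo.
Add-Type -Namespace Win32 -Name NamedPipe -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeClientProcessId(IntPtr Pipe, out uint ClientProcessId);
'@

$pipeName = 'pz-pid-demo'   # assumed name for the demo

# Server: create the pipe and start waiting for a single client.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    1,
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::Asynchronous)
$connected = $server.WaitForConnectionAsync()

# Client: a background job runs in a separate powershell.exe process, so the PID
# the kernel reports for it differs from the server's own PID.
$clientJob = Start-Job -ArgumentList $pipeName -ScriptBlock {
    param($name)
    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.', $name, [System.IO.Pipes.PipeDirection]::InOut)
    $client.Connect(15000)
    Start-Sleep -Seconds 5        # stay connected while the server queries us
    $client.Dispose()
    $PID                          # the client's own PID, returned for comparison
}

if (-not $connected.Wait(30000)) { throw 'No client connected within 30 s' }

# The API takes the SERVER end of the pipe and fills in the client's PID.
[uint32]$reportedPid = 0
$ok = [Win32.NamedPipe]::GetNamedPipeClientProcessId(
    $server.SafePipeHandle.DangerousGetHandle(), [ref]$reportedPid)
if (-not $ok) {
    throw ('GetNamedPipeClientProcessId failed, Win32 error {0}' -f
        [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}
$server.Dispose()

$clientPid = Receive-Job -Job $clientJob -Wait
Remove-Job -Job $clientJob

"Server PID                : $PID"
"Kernel-reported client PID: $reportedPid"
"Client's own PID          : $clientPid"
```

Requires Windows PowerShell 5.1 or later for the `::new()` constructor syntax. On an unmodified client the two client PIDs agree; the post shows how a malicious client can make the kernel-reported value differ, which is why it is not a trustworthy identity for the peer.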


Joomla! Security Best Practices: 12 Ways to Keep Joomla! Secure

At Sucuri, we're often asked how website owners and webmasters can secure their websites. However, most advice can often be too broad; different content management systems (CMS) exist in this ecosystem, and each requires a unique security configuration.

https://blog.sucuri.net/2019/09/joomla-security-best-practices.html


Hackers looking into injecting card stealing code on routers, rather than websites

Magecart (web skimming) attacks are evolving in a direction where they are going to be harder and harder to detect.

https://www.zdnet.com/article/hackers-looking-into-injecting-card-stealing-code-on-routers-rather-than-websites/

Vulnerabilities

Cisco Releases Security Advisories

Original release date: September 26, 2019

Cisco has released security updates to address vulnerabilities affecting multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisories page and apply the necessary updates.

https://www.us-cert.gov/ncas/current-activity/2019/09/26/cisco-releases-security-advisories


Security updates for Thursday

Security updates have been issued by CentOS (dovecot), Debian (lemonldap-ng, openssl, and ruby-nokogiri), openSUSE (fish3, ibus, nmap, and openssl-1_1), Slackware (mozilla), SUSE (mariadb, python-numpy, and SDL2), and Ubuntu (firefox).

https://lwn.net/Articles/800647/


Multiple Vulnerabilities in Citrix License Server for Windows and VPX

CTX261963 - Applicable Products: Licensing

Multiple denial-of-service vulnerabilities have been identified in Citrix License Server for Windows and VPX that, when exploited, could result in an attacker being able to force the vendor service to shut down.

https://support.citrix.com/article/CTX261963


BlackBerry Powered by Android Security Bulletin - September 2019

http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000058452


Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

https://www.drupal.org/sa-contrib-2019-069


Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

https://www.drupal.org/sa-contrib-2019-068


IBM Security Bulletin: Linux kernel as used by IBM QRadar SIEM is vulnerable to privilege escalation (publicly disclosed vulnerability) (CVE-2019-3896)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-by-ibm-qradar-siem-is-vulnerable-to-privilege-escalationpublicly-disclosed-vulnerability-cve-2019-3896/


IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a denial of service attack caused by a memory leak in the clustering code. (CVE-2019-4141)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-appliance-are-vulnerable-to-a-denial-of-service-attack-caused-by-a-memory-leak-in-the-clustering-code-cve-2019-4141/


IBM Security Bulletin: There are multiple vulnerabilities in IBM® SDK, Java™ Technology Edition, Version 7 and Version 8, that is used by IBM Workload Scheduler. These issues were disclosed as part of the IBM Java SDK updates in October 2018.

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-there-are-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-version-7-version-8-that-is-used-by-ibm-workload-scheduler-these-issues-were-disclosed-a/


Multiple SQL Injection Vulnerabilities in eBrigade

https://sec-consult.com/en/blog/advisories/multiple-sql-injection-vulnerabilities-in-ebrigade/


Linux Kernel: vulnerability allows execution of arbitrary code with administrator privileges

http://www.cert-bund.de/advisoryshort/CB-K19-0840


Linux Kernel: vulnerability allows disclosure of information

http://www.cert-bund.de/advisoryshort/CB-K19-0838