End-of-Day report
Timeframe: Monday 06-07-2020 18:00 - Tuesday 07-07-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
HTTPS/TLS: Intermediate certificates of thousands of websites faulty
Many websites have to replace their certificates because they were issued by intermediate certificates that pose a security risk.
https://www.golem.de/news/https-tls-zwischenzertifikate-von-tausenden-webseiten-fehlerhaft-2007-149498-rss.html
Company web names hijacked via outdated cloud DNS records
Why hack into a server when you can just send visitors to a fake alternative instead?
https://nakedsecurity.sophos.com/2020/07/07/company-web-names-hijacked-via-outdated-cloud-dns-records/
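The hijack the article describes relies on the usual dangling-record pattern: a CNAME in the company zone still points at a cloud hostname whose resource has been deleted, so whoever re-registers that cloud name serves the company's visitors. The check below is an added example, not code from the article or from Sophos; the zone records, the external answers and the hostnames are constructed for illustration, and the resolver is injected so the same logic can be driven by a real DNS library.

```python
"""Flag CNAME records whose final target no longer resolves (dangling records).

Added example, not from the article. Zone data and external answers below are
constructed; replace `fake_resolve` with a real resolver for production use.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed zone data (hypothetical names): owner -> (record type, rdata)
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com.":    ("A",     "203.0.113.10"),
    "shop.example.com.":   ("CNAME", "shop-prod.cloudapp.example.net."),
    "blog.example.com.":   ("CNAME", "blog-old.s3-site.example.net."),  # resource deleted
    "cdn.example.com.":    ("CNAME", "edge.cdn.example.net."),
    "legacy.example.com.": ("CNAME", "alias.example.com."),             # in-zone chain
    "alias.example.com.":  ("CNAME", "gone.cloudapp.example.net."),     # resource deleted
}

# Constructed external answers: address, or None to simulate NXDOMAIN.
EXTERNAL: Dict[str, Optional[str]] = {
    "shop-prod.cloudapp.example.net.": "198.51.100.7",
    "blog-old.s3-site.example.net.": None,
    "edge.cdn.example.net.": "198.51.100.9",
    "gone.cloudapp.example.net.": None,
}

Resolver = Callable[[str], Optional[str]]


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in resolver: returns an address for a name, or None if it does not exist."""
    rec = ZONE.get(name)
    if rec is not None and rec[0] == "A":
        return rec[1]
    return EXTERNAL.get(name)


def follow_cname(name: str, zone: Dict[str, Tuple[str, str]], resolve: Resolver,
                 max_hops: int = 8) -> Tuple[str, Optional[str]]:
    """Follow CNAMEs inside our zone, then resolve the last target externally.

    Returns (final_target, address). address is None when the chain ends in a
    name that does not resolve, loops, or exceeds max_hops.
    """
    seen: Set[str] = set()
    current = name
    for _ in range(max_hops):
        rec = zone.get(current)
        if rec is None or rec[0] != "CNAME":
            # Left our zone (or hit a non-CNAME): ask the resolver.
            return current, resolve(current)
        if current in seen:
            return current, None  # CNAME loop, treat as broken
        seen.add(current)
        current = rec[1]
    return current, None


def find_dangling(zone: Dict[str, Tuple[str, str]], resolve: Resolver) -> List[Tuple[str, str]]:
    """Return (owner, final_target) for every CNAME whose chain ends in nothing.

    Each such owner name is a takeover candidate: whoever can register the
    final target at the cloud provider receives the owner's traffic.
    """
    dangling: List[Tuple[str, str]] = []
    for owner, (rtype, _) in sorted(zone.items()):
        if rtype != "CNAME":
            continue
        target, addr = follow_cname(owner, zone, resolve)
        if addr is None:
            dangling.append((owner, target))
    return dangling


if __name__ == "__main__":
    for owner, target in find_dangling(ZONE, fake_resolve):
        print(f"DANGLING {owner} -> {target}")
```

To run this against a live zone, export the records from the DNS provider and pass a resolver that returns None on NXDOMAIN; with dnspython, for example, catching `dns.resolver.NXDOMAIN` around `dns.resolver.resolve(name, "A")`. A name that resolves is not automatically safe (the provider may hand out the same address to any tenant), so treat the output as a candidate list to confirm against the provider's console, not as a verdict.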
Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits, (Mon, Jul 6th)
Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks BIG-IP vulnerability patched last week. Most of the exploits can be considered reconnaissance. We only saw one working exploit installing a backdoor. Badpackets reported seeing a DDoS bot being installed.
https://isc.sans.edu/diary/rss/26316
Vulnerability Management Maturity Model
I get it. You dread going into the office sometimes. It isn't that you don't like the people or the location. It's that beast, waiting for you when you arrive, and it never seems to go away. You work hard at it, but you never seem to get ahead.
You are responsible for the vulnerability management program within your organization. Either as part of a formal program or on an ad-hoc basis, it's your baby. Except that it isn't a baby, it is more of an untameable monster, a minotaur in the labyrinth, waiting to surprise you as you turn the corner.
https://www.sans.org/blog/vulnerability-management-maturity-model
Vulnerabilities Digest: June 2020
Highlights for June 2020 Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization. Massive local file inclusion (LFI) attempts have been discovered attempting to harvest WordPress and Magento credentials. Attackers continue to target old plugins with known vulnerabilities in an ongoing malware campaign targeting WordPress websites.
https://blog.sucuri.net/2020/07/vulnerabilities-digest-june-2020.html
Password managers against forgetfulness
The password rules imposed by web services make it almost impossible to keep every password in your head. Password managers make life easier.
https://heise.de/-4798284
Credit card skimmer targets ASP.NET sites
This unusual web skimmer campaign goes after sites running Microsoft's IIS servers with an outdated version of the ASP.NET framework.
https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/
Free Microsoft Service Looks at OS Memory Snapshots to Find Malware
Microsoft on Monday unveiled Project Freta, a free service that allows users to find rootkits and other sophisticated malware in operating system memory snapshots.
https://www.securityweek.com/free-microsoft-service-looks-os-memory-snapshots-find-malware
Purple Fox Exploit Kit Targets Vulnerabilities Linked to DarkHotel Group
The developers of the Purple Fox exploit kit (EK) have added two new exploits to their arsenal, including one for a vulnerability addressed in February this year.
https://www.securityweek.com/purple-fox-exploit-kit-targets-vulnerabilities-linked-darkhotel-group
Pwning smart garage door openers
TL;DR We reversed a smart garage door opener, which appeared pretty secure at first: The firmware was encrypted, debug access was restricted, the web server wasn't running as root, it [...]
https://www.pentestpartners.com/security-blog/pwning-smart-garage-door-openers/
Beware of knuth-kredit.online: advance-fee fraud instead of loans
Watchlist Internet is receiving reports from desperate consumers who are waiting for their loan payouts. While applying for a loan on knuth-kredit.online is extremely simple, countless fees are subsequently invoiced in advance. For example, insurance, activation and legal fees, deposits or other costs are charged. No loan is ever paid out and all payments are lost.
https://www.watchlist-internet.at/news/vorsicht-vor-knuth-kreditonline-vorschussbetrug-statt-kreditvergabe/
Vulnerabilities
Security updates for Tuesday
Security updates have been issued by Debian (php7.3), Fedora (gst), Mageia (libvirt, mariadb, pdns-recursor, and ruby), openSUSE (chocolate-doom, coturn, kernel, live555, ntp, python3, and rust, rust-cbindgen), Oracle (virt:ol), Red Hat (file, firefox, gettext, kdelibs, kernel, kernel-alt, microcode_ctl, nghttp2, nodejs:10, nodejs:12, php, qemu-kvm, ruby, and tomcat), SUSE (libjpeg-turbo, mozilla-nspr, mozilla-nss, mozilla-nss, nasm, openldap2, and permissions), and Ubuntu (coturn, glibc, nss, [...]
https://lwn.net/Articles/825504/
Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in a number of security issues including: [...]
https://support.citrix.com/article/CTX276688
Android/Pixel Patch Day July
http://www.cert-bund.de/advisoryshort/CB-K20-0671
Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-cve-2020-4386-2/
Security Bulletin: BIND for IBM i is affected by CVE-2020-8616 and CVE-2020-8617
https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affected-by-cve-2020-8616-and-cve-2020-8617/
Security Bulletin: Vulnerability in IBM Java Runtime affects Financial Transaction Manager for ACH Services (CVE-2020-2654)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affect-financial-transaction-manager-for-ach-services-cve-2020-2654/
Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow leading to privilege escalation (CVE-2020-4363)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-buffer-overflow-leading-to-a-privileged-escalation-cve-2020-4363-2/
Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4387)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-cve-2020-4387-2/
Security Bulletin: An Information Disclosure vulnerability in IBM WebSphere Liberty affects IBM License Key Server Administration & Reporting Tool and Administration Agent
https://www.ibm.com/blogs/psirt/security-bulletin-an-information-disclosure-vulnerability-in-ibm-websphere-libtery-affects-ibm-license-key-server-administration-reporting-tool-and-administration-agent/
XSA-328 - non-atomic modification of live EPT PTE
https://xenbits.xen.org/xsa/advisory-328.html
XSA-327 - Missing alignment check in VCPUOP_register_vcpu_info
https://xenbits.xen.org/xsa/advisory-327.html
XSA-321 - insufficient cache write-back under VT-d
https://xenbits.xen.org/xsa/advisory-321.html
XSA-319 - inverted code paths in x86 dirty VRAM tracking
https://xenbits.xen.org/xsa/advisory-319.html
XSA-317 - Incorrect error handling in event channel port allocation
https://xenbits.xen.org/xsa/advisory-317.html