Throwback Thursday: Peter-II – Three Questions of The Sphinx

This Throwback Thursday, VB heads back to 1993, when an ordinary memory-resident master boot sector virus spiced things up with a bit of pop trivia.

Over recent years we have become used to hearing about ransomware extorting money from victims by locking up their devices and demanding a ransom in order for access to the device to be restored. Back in 1993, however, before malware had truly become linked with monetary gain, there was a device hold-up of a different kind: know your pop trivia or face losing your data.

The creator of the Peter-II virus seemingly fancied himself as some sort of quiz master and set the hapless victims of his boot sector virus a pop trivia challenge: get the answers right and your hard disk would be recovered, but get the answers wrong and all your data would be lost…

In July 1993, Eugene Kaspersky brought us a full analysis of Peter-II — including the answers to the trivia questions, should you ever need to know them.




Source: Virus Blog
Originally Posted: Throwback Thursday: Peter-II – Three Questions of The Sphinx

VB2015 paper: Effectively testing APT defences

Simon Edwards discusses how to test the potentially untestable.

Like the term or loathe it, APTs have given rise to a new generation of security products that protect against these more targeted and sometimes more advanced threats. Often, such products come with bold claims about how they are able to fend off such threats in ways that traditional security products can’t.

At VB2015, Simon Edwards (Dennis Technology Labs) presented a paper, written together with Richard Ford (Florida Institute of Technology) and Gabor Szappanos (Sophos), on how to effectively test such technologies.

You can read the paper, “Effectively testing APT defences”, in HTML format or download it as a PDF, and find the video on our YouTube channel.




Source: Virus Blog
Originally Posted: VB2015 paper: Effectively testing APT defences

7ev3n Ransomware trashes your PC and then demands 13 Bitcoins

A new ransomware has been spotted called 7ev3n that encrypts your data and demands 13 bitcoins to decrypt your files. A 13 bitcoin ransom demand is the largest we have seen to date for this type of infection, but this ransomware also has another surprise as it does a good job trashing your system. […]

Source: Bleeping Computer
Originally Posted: 7ev3n Ransomware trashes your PC and then demands 13 Bitcoins

New multipurpose backdoor for Linux detected

January 22, 2016

Doctor Web security researchers have examined a multipurpose Trojan designed to infect Linux devices. Its capabilities are extensive: downloading files to the infected device, a range of operations on files, screenshotting, keylogging and many other functions.

The program was added to the Dr.Web virus database as Linux.BackDoor.Xunpes.1. It consists of a dropper and the backdoor itself, which performs the main spying functions on the affected device.

The dropper was built with Lazarus, a free cross-platform IDE for the Free Pascal compiler. Once launched, it displays a dialog listing devices for carrying out operations with the Bitcoin cryptocurrency (the screenshot is in the original post):


The dropper body contains the second component, the backdoor, stored in unencrypted form; once the dropper runs, it writes the backdoor to the /tmp/.ltmp/ folder. The backdoor is the component that carries out the main malicious functions.

Once launched, the backdoor, which is written in C, decrypts its configuration file using a key hard-coded in its body. The configuration includes a list of C&C server and proxy server addresses and other information the malware needs to operate. The Trojan then connects to the server and waits for commands from its operators.

In total, Linux.BackDoor.Xunpes.1 can execute more than 40 commands. Among them are keylogging (recording keystrokes on the infected device); downloading and running a file whose path and arguments are received from the server; and terminating the backdoor. It can also list the file names in a specified directory and upload selected files to the server. In addition, the Trojan creates, removes and renames files and folders, takes screenshots and executes bash commands; the list is far from exhaustive.

The signature for Linux.BackDoor.Xunpes.1 has been added to the Dr.Web virus databases, so users of Dr.Web for Linux are protected.
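A check an incident responder might run on a Linux host after reading the above, as an added example that is not Doctor Web's code: rather than look for the single reported path /tmp/.ltmp/, it walks a temp root and reports every ELF file sitting inside a dot-prefixed (hidden) directory, which covers the reported drop location and similar ones. The sample tree that build_sample_tree() creates is constructed for the demonstration; on a real host you would call hidden_elf_drops("/tmp").

```python
"""Hunt for ELF executables dropped into hidden directories under a temp root.

Added example for this page; it is not Doctor Web's code. The write-up says the
Xunpes dropper saves its backdoor component to /tmp/.ltmp/. Rather than look for
that one path, this check walks a temp root and reports every ELF file that sits
inside a dot-prefixed directory. The fixture built by build_sample_tree() is
constructed for the demo.
"""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """True if the file starts with the ELF magic bytes (unreadable files count as not ELF)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def hidden_elf_drops(root):
    """Return root-relative paths of ELF files under any hidden directory below root, sorted."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        # Only directories with a dot-prefixed path component are of interest here.
        if not any(part.startswith(".") for part in parts):
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the temp tree
            if is_elf(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture: a fake ELF under .ltmp (should be flagged), a text file
    beside it (ignored) and an ELF in a visible build directory (ignored)."""
    root = tempfile.mkdtemp(prefix="xunpes-demo-")
    hidden = os.path.join(root, ".ltmp")
    os.makedirs(hidden)
    with open(os.path.join(hidden, "bd"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # ELF magic plus padding
    with open(os.path.join(hidden, "notes.txt"), "w") as fh:
        fh.write("not a binary\n")
    visible = os.path.join(root, "build")
    os.makedirs(visible)
    with open(os.path.join(visible, "a.out"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    return root


if __name__ == "__main__":
    # On a real host, run hidden_elf_drops("/tmp") instead of the fixture.
    demo_root = build_sample_tree()
    for hit in hidden_elf_drops(demo_root):
        print("suspicious ELF in hidden temp directory:", os.path.join(demo_root, hit))
```

The magic-byte check is deliberately used instead of the executable bit, since a dropper can write a binary with any mode and the backdoor here is stored unencrypted, so its ELF header is visible on disk.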




Source: Doctor Web
Originally Posted: New multipurpose backdoor for Linux detected

VB2015 paper: The ethics and perils of APT research: an unexpected transition into intelligence brokerage

Juan Andrés Guerrero-Saade discusses the perils and ethical conundrums that arise as the industry enters a new playing field.

Many security researchers have been part of the security community for long enough to remember the days when the typical adversary was a 17-year-old teenager operating from their bedroom. These days, however, some of the adversaries faced by many researchers and companies are powerful and resourceful nation states and intelligence agencies.

In a paper he presented at VB2015 in Prague, “The ethics and perils of APT research: an unexpected transition into intelligence brokerage”, Kaspersky Lab researcher Juan Andrés Guerrero-Saade explains that the change in typical adversary has consequences that go far beyond the fact that the malware is a little more advanced, and OPSEC matters a bit more. In fact, we have entered a whole new playing field that we have barely begun to understand.

You can read the paper in HTML format or download it as a PDF, and find the video on our YouTube channel.




Source: Virus Blog
Originally Posted: VB2015 paper: The ethics and perils of APT research: an unexpected transition into intelligence brokerage

Trojan for Android preinstalled on Philips s307 firmware

January 20, 2016

The past year was marked by a large number of firmware Trojans for Android capable of covertly downloading and installing software and displaying intrusive advertisements. Android.Cooee.1, incorporated into the graphical shell of some cheap Chinese smartphones, was one of them. Virus makers have evidently continued to preinstall Android.Cooee.1 on mobile devices; this time, however, Doctor Web security researchers detected the Trojan in the firmware of a well-known electronics manufacturer.

Android.Cooee.1 was found on several obscure, inexpensive Android devices in October 2015. This new case of infected firmware shows that the cybercriminals’ activity is gradually expanding: the malware was detected on the Philips s307. Doctor Web specialists have informed the manufacturer, and at the moment Philips is considering possible solutions to the problem.

Android.Cooee.1 is a malicious launcher (Android graphical shell) that, in addition to its standard functions, displays intrusive advertisements and downloads and installs other software. In particular, it can display advertisements in the status bar, full-screen, or on top of running applications, and can show video advertisements and animations on the home screen. Notably, the Trojan does not begin its malicious activity immediately after the system first boots but some time later; as a result, the true source of the notifications goes unnoticed, because the owner assumes the advertisements come from applications installed during normal use of the device.


Because Android.Cooee.1 is effectively a system application, the software it downloads is installed without the user’s knowledge. The range of downloaded applications is extremely wide, from benign games and web browsers to malicious programs such as SMS and downloader Trojans, and even banking Trojans able to covertly steal money from users’ bank accounts.


Because Android.Cooee.1 is part of the firmware, restoring the device to factory settings will not remove it. One possible solution is to gain root privileges. However, even with root, removing Android.Cooee.1 will leave the device “dead”: the launcher that contains the Trojan is responsible for normal system loading, so an alternative launcher must be installed and set as the default before the malicious application is removed. Moreover, gaining root privileges voids the manufacturer’s warranty, and an inexperienced user who modifies firmware or system files runs a high risk of rendering the device non-operational. The safest course for victims of Android.Cooee.1 is therefore to contact the device manufacturer and ask for a firmware update without the Trojan.

Clearly, downloading applications only from trusted sources is no longer enough to keep a device safe; virus makers increasingly preinstall malware directly on Android devices sold online and in stores. Doctor Web security researchers therefore strongly recommend that Android users install reliable anti-virus software that not only blocks malware and unwanted applications but also detects Trojans in firmware.




Source: Doctor Web
Originally Posted: Trojan for Android preinstalled on Philips s307 firmware

SB16-025: Vulnerability Summary for the Week of January 18, 2016

Original release date: January 25, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
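The bulletin is published as a table, but in text form each row flattens to one line of the shape “vendor — product description published cvss-score cve-id”, followed by one reference-source tag per line. The following parser, an added example and not US-CERT’s or NVD’s code, recovers structured records from that layout and buckets them by the severity bands stated above. The row pattern is an assumption drawn from this bulletin’s layout, the set of reference tags is the one seen in this bulletin, and the three sample rows are copied from it as constructed input.

```python
"""Parse flattened US-CERT weekly bulletin rows and bucket them by severity.

Added example for this page; it is not US-CERT's or NVD's code. In the
bulletin text each row reads 'vendor <em dash> product <description>
<published> <cvss> <cve-id>' and is followed by one reference tag per line
(CONFIRM, MLIST, ...). The row regex is an assumption drawn from this
bulletin's layout; the severity bands are the ones the bulletin states.
"""
import re

# The bulletin separates vendor and product with an em dash (U+2014).
ROW_RE = re.compile(
    r"^(?P<vendor>\S+) \u2014 (?P<product>\S+) (?P<description>.+?) "
    r"(?P<published>\d{4}-\d{2}-\d{2}) (?P<score>\d{1,2}\.\d) "
    r"(?P<cve>CVE-\d{4}-\d{4,})$"
)

# Reference-source tags that occur in this bulletin (assumed complete for the sample).
REF_TAGS = {
    "CONFIRM", "MLIST", "MISC", "EXPLOIT-DB", "SECTRACK", "FULLDISC",
    "HP", "CISCO", "JVN", "JVNDB", "SUSE", "AIXAPAR",
}


def severity(score):
    """Map a CVSS base score to the bulletin's High/Medium/Low bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_bulletin(text):
    """Return a list of dicts, one per row, with its reference tags attached."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ROW_RE.match(line)
        if match:
            rec = match.groupdict()
            rec["score"] = float(rec["score"])
            rec["severity"] = severity(rec["score"])
            rec["refs"] = []
            records.append(rec)
        elif line in REF_TAGS and records:
            # Reference lines belong to the most recently parsed row.
            records[-1]["refs"].append(line)
        # Anything else (section headings, column headers) is ignored.
    return records


def count_by_severity(records):
    """Count parsed rows per severity band."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for rec in records:
        counts[rec["severity"]] += 1
    return counts


# Constructed sample: three rows copied from this bulletin, in its flattened layout.
SAMPLE = """
High Vulnerabilities
cgit_project \u2014 cgit Integer overflow in the authenticate_post function in CGit before 0.12 allows remote attackers to have unspecified impact via a large value in the Content-Length HTTP header, which triggers a buffer overflow. 2016-01-20 7.5 CVE-2016-1901
MLIST
MLIST
MLIST
CONFIRM
fortinet \u2014 fortios FortiOS 4.x before 4.3.17 and 5.0.x before 5.0.8 has a hardcoded passphrase for the Fortimanager_Access account, which allows remote attackers to obtain administrative access via an SSH session. 2016-01-15 10.0 CVE-2016-1909
EXPLOIT-DB
MISC
SECTRACK
CONFIRM
Low Vulnerabilities
gnu \u2014 glibc The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. 2016-01-20 2.1 CVE-2015-8777
CONFIRM
MLIST
MISC
"""

if __name__ == "__main__":
    recs = parse_bulletin(SAMPLE)
    print(count_by_severity(recs))
    for rec in recs:
        print(rec["severity"], rec["cve"], rec["vendor"], rec["product"], ",".join(rec["refs"]))
```

The description group is lazy and the pattern is anchored at the end of the line, so version strings such as “4.3.17” inside a description cannot be mistaken for the score; the date, score and CVE identifier must all appear, in that order, at the end of the row.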

High Vulnerabilities

Each entry gives the primary vendor — product, the description, and then the published date, CVSS score, CVE identifier and source & patch info tags.

cgit_project — cgit
  Integer overflow in the authenticate_post function in CGit before 0.12 allows remote attackers to have unspecified impact via a large value in the Content-Length HTTP header, which triggers a buffer overflow.
  Published 2016-01-20 | CVSS 7.5 | CVE-2016-1901 | MLIST, MLIST, MLIST, CONFIRM

fortinet — fortios
  FortiOS 4.x before 4.3.17 and 5.0.x before 5.0.8 has a hardcoded passphrase for the Fortimanager_Access account, which allows remote attackers to obtain administrative access via an SSH session.
  Published 2016-01-15 | CVSS 10.0 | CVE-2016-1909 | EXPLOIT-DB, MISC, SECTRACK, CONFIRM, FULLDISC, MISC, CONFIRM

hp — arcsight_logger
  HPE ArcSight Logger before 6.1P1 allows remote attackers to execute arbitrary code via unspecified input to the (1) Intellicus or (2) client-certificate upload component.
  Published 2016-01-16 | CVSS 7.5 | CVE-2015-6863 | HP

ibm — tealeaf_customer_experience
  Directory traversal vulnerability in the replay server in IBM Tealeaf Customer Experience before 8.7.1.8818, 8.8 before 8.8.0.9026, 9.0.0, 9.0.0A, 9.0.1 before 9.0.1.1083, 9.0.1A before 9.0.1.5073, 9.0.2 before 9.0.2.1095, and 9.0.2A before 9.0.2.5144 allows remote attackers to read arbitrary files via unspecified vectors.
  Published 2016-01-18 | CVSS 7.8 | CVE-2015-4988 | CONFIRM

php — php
  Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value, as demonstrated by mishandling of an e-mail attachment by the imap PHP extension.
  Published 2016-01-19 | CVSS 7.5 | CVE-2015-5590 | CONFIRM, CONFIRM, MLIST, CONFIRM

php — php
  The php_str_replace_in_subject function in ext/standard/string.c in PHP 7.x before 7.0.0 allows remote attackers to execute arbitrary code via a crafted value in the third argument to the str_ireplace function.
  Published 2016-01-19 | CVSS 7.5 | CVE-2015-6527 | CONFIRM, MLIST, CONFIRM

php — php
  Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to execute arbitrary code via vectors involving (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled during unserialization.
  Published 2016-01-19 | CVSS 7.5 | CVE-2015-6831 | CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, MLIST

php — php
  Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.
  Published 2016-01-19 | CVSS 7.5 | CVE-2015-6832 | CONFIRM, CONFIRM

php — php
  The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 does not properly manage headers, which allows remote attackers to execute arbitrary code via crafted serialized data that triggers a “type confusion” in the serialize_function_call function.
  Published 2016-01-19 | CVSS 7.5 | CVE-2015-6836 | CONFIRM, CONFIRM

php — php
  Use-after-free vulnerability in the Collator::sortWithSortKeys function in ext/intl/collator/collator_sort.c in PHP 7.x before 7.0.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging the relationships between a key buffer and a destroyed array.
  Published 2016-01-19 | CVSS 7.5 | CVE-2015-8616 | CONFIRM, CONFIRM

php — php
  Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.
  Published 2016-01-19 | CVSS 10.0 | CVE-2015-8617 | CONFIRM, CONFIRM, CONFIRM

php — php
  Multiple integer overflows in ext/standard/exec.c in PHP 7.x before 7.0.2 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a long string to the (1) php_escape_shell_cmd or (2) php_escape_shell_arg function, leading to a heap-based buffer overflow.
  Published 2016-01-19 | CVSS 7.5 | CVE-2016-1904 | CONFIRM, CONFIRM, CONFIRM, MLIST

sap — hana
  Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remote attackers to cause a denial of service or execute arbitrary code via a crafted HTTP request, related to JSON, aka SAP Security Note 2241978.
  Published 2016-01-20 | CVSS 7.5 | CVE-2016-1928 | MISC, MISC

sap — hana
  The XS engine in SAP HANA allows remote attackers to spoof log entries in trace files and consequently cause a denial of service (disk consumption and process crash) via a crafted HTTP request, related to an unspecified debug function, aka SAP Security Note 2241978.
  Published 2016-01-20 | CVSS 8.5 | CVE-2016-1929 | MISC, MISC

seeds — acmailer
  Seeds acmailer before 3.8.21 and 3.9.x before 3.9.15 Beta allows remote authenticated users to execute arbitrary OS commands via unspecified vectors.
  Published 2016-01-16 | CVSS 9.0 | CVE-2016-1142 | CONFIRM, JVNDB, JVN


Medium Vulnerabilities

Each entry gives the primary vendor — product, the description, and then the published date, CVSS score, CVE identifier and source & patch info tags.

cgit_project — cgit
  CRLF injection vulnerability in the ui-blob handler in CGit before 0.12 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via CRLF sequences in the mimetype parameter, as demonstrated by a request to blob/cgit.c.
  Published 2016-01-20 | CVSS 4.3 | CVE-2016-1899 | MLIST, MLIST, MLIST, MLIST, CONFIRM

cgit_project — cgit
  CRLF injection vulnerability in the cgit_print_http_headers function in ui-shared.c in CGit before 0.12 allows remote attackers with permission to write to a repository to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via newline characters in a filename.
  Published 2016-01-20 | CVSS 4.3 | CVE-2016-1900 | MLIST, MLIST, MLIST, MLIST, CONFIRM

cisco — firesight_system_software
  Multiple cross-site scripting (XSS) vulnerabilities in the Management Center in Cisco FireSIGHT System Software 6.0.0 and 6.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCux40414.
  Published 2016-01-16 | CVSS 4.3 | CVE-2016-1293 | CISCO

cisco — firesight_system_software
  Cross-site scripting (XSS) vulnerability in the Management Center in Cisco FireSIGHT System Software 6.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted cookie, aka Bug ID CSCuw89094.
  Published 2016-01-16 | CVSS 4.3 | CVE-2016-1294 | CISCO

cisco — adaptive_security_appliance_software
  Cisco Adaptive Security Appliance (ASA) Software 8.4 allows remote attackers to obtain sensitive information via an AnyConnect authentication attempt, aka Bug ID CSCuo65775.
  Published 2016-01-16 | CVSS 5.0 | CVE-2016-1295 | CISCO

cisco — web_security_appliance
  The proxy engine on Cisco Web Security Appliance (WSA) devices with software 8.5.3-055, 9.1.0-000, and 9.5.0-235 allows remote attackers to bypass intended proxy restrictions via a malformed HTTP method, aka Bug ID CSCux00848.
  Published 2016-01-20 | CVSS 5.0 | CVE-2016-1296 | CISCO

dolibarr — dolibarr
  Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the “import external calendar” page.
  Published 2016-01-15 | CVSS 4.3 | CVE-2015-8685 | CONFIRM, CONFIRM, FULLDISC

gajim — gajim
  Gajim before 0.16.5 allows remote attackers to modify the roster and intercept messages via a crafted roster-push IQ stanza.
  Published 2016-01-15 | CVSS 5.8 | CVE-2015-8688 | CONFIRM, SUSE, MISC

h2o_project — h2o
  CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI.
  Published 2016-01-16 | CVSS 4.3 | CVE-2016-1133 | CONFIRM, CONFIRM, CONFIRM, JVNDB, JVN

hp — arcsight_logger
  HPE ArcSight Logger before 6.1P1 allows remote authenticated users to execute arbitrary code via unspecified input to the (1) Intellicus or (2) client-certificate upload component.
  Published 2016-01-16 | CVSS 6.5 | CVE-2015-6864 | HP

ibm — websphere_mq_light
  IBM WebSphere MQ Light 1.x before 1.0.2 allows remote attackers to cause a denial of service (MQXR service crash) via a series of connect and disconnect actions.
  Published 2016-01-18 | CVSS 5.0 | CVE-2015-4942 | CONFIRM

ibm — tivoli_storage_manager
  Client Acceptor Daemon (CAD) in the client in IBM Spectrum Protect (formerly Tivoli Storage Manager) 5.5 and 6.x before 6.3.2.5, 6.4 before 6.4.3.1, and 7.1 before 7.1.3 allows remote attackers to cause a denial of service (daemon crash) via a crafted Web client URL.
  Published 2016-01-20 | CVSS 5.0 | CVE-2015-4951 | CONFIRM

ibm — tivoli_federated_identity_manager
  Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP16 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
  Published 2016-01-18 | CVSS 4.3 | CVE-2015-4959 | CONFIRM, AIXAPAR

ibm — host_on-demand
  Cross-site scripting (XSS) vulnerability in IBM Host On-Demand 11.0 through 11.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
  Published 2016-01-18 | CVSS 4.3 | CVE-2015-5002 | CONFIRM

ibm — websphere_commerce
  Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 through FP11, 6.0 Feature Pack 4, 7.0 through FP9, 7.0 Feature Pack 5 through 8, and 8.0 before 8.0.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
  Published 2016-01-18 | CVSS 4.3 | CVE-2015-5008 | CONFIRM, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR

ibm — jazz_reporting_service
  Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Rational-CLM-ifix011 and 6.0 before 6.0.0-Rational-CLM-ifix005 allows remote authenticated users to bypass intended restrictions on administrator tasks via unspecified vectors.
  Published 2016-01-17 | CVSS 4.0 | CVE-2015-7468 | CONFIRM

ibm — jazz_reporting_service
  Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Rational-CLM-ifix011 and 6.0 before 6.0.0-Rational-CLM-ifix005 allows remote authenticated users to bypass intended read-only restrictions by leveraging a JazzGuest role.
  Published 2016-01-17 | CVSS 4.0 | CVE-2015-7469 | CONFIRM

ibm — jazz_reporting_service
  Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Rational-CLM-ifix011 and 6.0 before 6.0.0-Rational-CLM-ifix005 allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors, as demonstrated by login information.
  Published 2016-01-17 | CVSS 5.0 | CVE-2015-7470 | CONFIRM

ibm — security_network_protection_firmware
  GSKit in IBM Security Network Protection 5.3.1 before 5.3.1.7 and 5.3.2 allows remote attackers to discover credentials by triggering an MD5 collision.
  Published 2016-01-18 | CVSS 4.3 | CVE-2016-0201 | CONFIRM

isc — bind
  apl_42.c in ISC BIND 9.x before 9.9.8-P3 and 9.9.x and 9.10.x before 9.10.3-P3 allows remote authenticated users to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed Address Prefix List (APL) record.
  Published 2016-01-20 | CVSS 6.8 | CVE-2015-8704 | CONFIRM

isc — bind
  buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logging is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit, or daemon crash) or possibly have unspecified other impact via (1) OPT data or (2) an ECS option.
  Published 2016-01-20 | CVSS 6.6 | CVE-2015-8705 | CONFIRM

juniper — junos
  Juniper Junos OS before 12.1X44-D55, 12.1X46 before 12.1X46-D40, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R10, 12.3X48 before 12.3X48-D20, 13.2 before 13.2R8, 13.2X51 before 13.2X51-D40, 13.3 before 13.3R7, 14.1 before 14.1R5, 14.1X53 before 14.1X53-D18 or 14.1X53-D30, 14.1X55 before 14.1X55-D25, 14.2 before 14.2R4, 15.1 before 15.1R2, and 15.1X49 before 15.1X49-D10 allow remote attackers to cause a denial of service via a malformed IGMPv3 packet, aka a “multicast denial of service.”
  Published 2016-01-15 | CVSS 5.0 | CVE-2016-1256 | CONFIRM

juniper — junos
  The Routing Engine in Juniper Junos OS 13.2R5 through 13.2R8, 13.3R1 before 13.3R8, 13.3R7 before 13.3R7-S3, 14.1R1 before 14.1R6, 14.1R3 before 14.1R3-S9, 14.1R4 before 14.1R4-S7, 14.1X51 before 14.1X51-D65, 14.1X53 before 14.1X53-D12, 14.1X53 before 14.1X53-D28, 14.1X53 before 14.1X53-D35, 14.2R1 before 14.2R5, 14.2R3 before 14.2R3-S4, 14.2R4 before 14.2R4-S1, 15.1 before 15.1R3, 15.1F2 before 15.1F2-S2, and 15.1X49 before 15.1X49-D40, when LDP is enabled, allows remote attackers to cause a denial of service (RPD routing process crash) via a crafted LDP packet.
  Published 2016-01-15 | CVSS 4.3 | CVE-2016-1257 | CONFIRM

juniper — junos
  Embedthis Appweb, as used in J-Web in Juniper Junos OS before 12.1X44-D60, 12.1X46 before 12.1X46-D45, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R10, 12.3X48 before 12.3X48-D20, 13.2X51 before 13.2X51-D20, 13.3 before 13.3R8, 14.1 before 14.1R6, and 14.2 before 14.2R5, allows remote attackers to cause a denial of service (J-Web crash) via unspecified vectors.
  Published 2016-01-15 | CVSS 5.0 | CVE-2016-1258 | CONFIRM

juniper — junos
  Juniper Junos OS before 13.2X51-D36, 14.1X53 before 14.1X53-D25, and 15.2 before 15.2R1 on EX4300 series switches allow remote attackers to cause a denial of service (network loop and bandwidth consumption) via unspecified vectors related to Spanning Tree Protocol (STP) traffic.
  Published 2016-01-15 | CVSS 5.0 | CVE-2016-1260 | CONFIRM

juniper — junos
  Juniper Junos OS before 12.1X46-D45, 12.1X47 before 12.1X47-D30, 12.3X48 before 12.3X48-D20, and 15.1X49 before 15.1X49-D30 on SRX series devices, when the Real Time Streaming Protocol Application Layer Gateway (RTSP ALG) is enabled, allow remote attackers to cause a denial of service (flowd crash) via a crafted RTSP packet.
  Published 2016-01-15 | CVSS 4.3 | CVE-2016-1262 | CONFIRM

netapp — data_ontap
  NetApp Data ONTAP before 8.2.4P1, when 7-Mode and HTTP access are enabled, allows remote attackers to obtain sensitive volume information via unspecified vectors.
  Published 2016-01-18 | CVSS 4.3 | CVE-2015-7886 | CONFIRM

openbsd — openssh
  The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.
  Published 2016-01-19 | CVSS 5.0 | CVE-2016-1907 | CONFIRM, CONFIRM

openstack — compute
  The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.
  Published 2016-01-15 | CVSS 4.3 | CVE-2015-8749 | CONFIRM, CONFIRM, MLIST, MLIST

php — php
  Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.
  Published 2016-01-19 | CVSS 5.0 | CVE-2015-6833 | CONFIRM, CONFIRM, MLIST

php — php
  The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.
  Published 2016-01-19 | CVSS 6.4 | CVE-2016-1903 | CONFIRM, CONFIRM, CONFIRM, MLIST

sap — netweaver
  The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290.
  Published 2016-01-15 | CVSS 5.0 | CVE-2016-1910 | MISC, MISC

sap — netweaver
  Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security Note 2206793 and 2234918.
  Published 2016-01-15 | CVSS 4.3 | CVE-2016-1911 | MISC, MISC, MISC


Low Vulnerabilities

Each entry gives the primary vendor — product, the description, and then the published date, CVSS score, CVE identifier and source & patch info tags.

dolibarr — dolibarr
  Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php.
  Published 2016-01-15 | CVSS 3.5 | CVE-2016-1912 | MISC, CONFIRM, CONFIRM, MISC, MISC

gnu — glibc
  The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.
  Published 2016-01-20 | CVSS 2.1 | CVE-2015-8777 | CONFIRM, MLIST, MISC

huawei — s5300_firmware
  Huawei S5300 Campus Series switches with software before V200R005SPH008 do not mask the password when uploading files, which allows physically proximate attackers to obtain sensitive password information by reading the display.
  Published 2016-01-15 | CVSS 2.1 | CVE-2015-8675 | CONFIRM

ibm — infosphere_master_data_management
  IBM InfoSphere Master Data Management – Collaborative Edition 9.1, 10.1, 11.0 before 11.0.0.0 IF11, 11.3 before 11.3.0.0 IF7, and 11.4 before 11.4.0.4 IF1 does not properly restrict browser caching, which allows local users to obtain sensitive information by reading cache files.
  Published 2016-01-17 | CVSS 2.1 | CVE-2015-4958 | CONFIRM

ibm — infosphere_master_data_management
  IBM InfoSphere Master Data Management – Collaborative Edition 9.1, 10.1, 11.0 before 11.0.0.0 IF11, 11.3 before 11.3.0.0 IF7, and 11.4 before 11.4.0.4 IF1 allows remote authenticated users to conduct clickjacking attacks via a crafted web site.
  Published 2016-01-17 | CVSS 3.5 | CVE-2015-4960 | CONFIRM

ibm — websphere_commerce
  Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 through FP11, 6.0 Feature Pack 4, 7.0 through FP9, 7.0 Feature Pack 5 through 8, and 8.0 before 8.0.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
  Published 2016-01-18 | CVSS 3.5 | CVE-2015-5009 | CONFIRM, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR

ibm — infosphere_master_data_management
  Cross-site scripting (XSS) vulnerability in the GDS component in IBM InfoSphere Master Data Management – Collaborative Edition 9.1, 10.1, 11.0 before 11.0.0.0 IF11, 11.3 before 11.3.0.0 IF7, and 11.4 before 11.4.0.4 IF1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
  Published 2016-01-17 | CVSS 3.5 | CVE-2015-7414 | CONFIRM

ibm — jazz_reporting_service
  Cross-site scripting (XSS) vulnerability in Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Rational-CLM-ifix011 and 6.0 before 6.0.0-Rational-CLM-ifix005 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
  Published 2016-01-17 | CVSS 3.5 | CVE-2015-7467 | CONFIRM

redhen_project — redhen
  Multiple cross-site scripting (XSS) vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal allow remote authenticated users with certain access to inject arbitrary web script or HTML via unspecified vectors, related to (1) individual contacts, (2) notes, or (3) engagement scores.
  Published 2016-01-15 | CVSS 3.5 | CVE-2016-1913 | MISC, CONFIRM



This product is provided subject to this Notification and this Privacy & Use policy.



Source: US-CERT Bulletins
Originally Posted: SB16-025: Vulnerability Summary for the Week of January 18, 2016

Hidden Tear Ransomware Developer Blackmailed by Malware Developers using his Code

In a post on the BleepingComputer.com forums, the developer of the Magic Ransomware infection is blackmailing the author of the open source Hidden Tear and EDA2 Ransomware Project. The malware developer’s demands are simple; take down the Hidden Tear project or their Magic ransomware’s victims lose their keys forever. […]

Source: Bleeping Computer
Originally Posted: Hidden Tear Ransomware Developer Blackmailed by Malware Developers using his Code