Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Oracle Java SE CVE-2014-6517 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-6519 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-6512 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-6531 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-6506 Remote Security Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1574 Multiple Memory Corruption Vulnerabilities
 
Mozilla Firefox/Thunderbird CVE-2014-1577 Out of Bounds Memory Corruption Vulnerability
 

Multiple Vulnerabilities in Cisco TelePresence Video Communication Server and Cisco Expressway Software
Advisory ID: cisco-sa-20141015-vcs

Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Software include the following vulnerabilities:
Cisco TelePresence VCS and Cisco Expressway Crafted Packets Denial of Service Vulnerability
Cisco TelePresence VCS and Cisco Expressway SIP IX Filter Denial of Service Vulnerability
Cisco TelePresence VCS and Cisco Expressway SIP Denial of Service Vulnerability
Successful exploitation of any of these vulnerabilities could allow an unauthenticated, remote attacker to cause a reload of the affected system, which may result in a Denial of Service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-vcs

Note: This security advisory does not provide information about the GNU Bash Environment Variable Command Injection Vulnerability (also known as Shellshock). For additional information regarding Cisco products affected by this vulnerability, refer to the Cisco Security Advisory at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash



 
OpenStack Nova CVE-2014-3517 Information Disclosure Vulnerability
 

The long, painful rollout of patches to a security flaw in the Bourne Again Shell (bash) has left thousands of systems still vulnerable, and malware based on the vulnerability continues to spread, according to a number of security experts. But even for organizations that have already applied the patch for what has been dubbed the “Shellshock” vulnerability, the cleanup may not be over—and it could be long and expensive.

Soon after the Shellshock bug was publicly disclosed and its initial patch was distributed, weaknesses in the patch itself and additional security vulnerabilities were uncovered by developers dealing with the issue. And within a day of the disclosure, attacks exploiting the vulnerability were found in the wild. Some of those attacks are still trying to spread—and in some cases, they’re using Google searches to help them find potential targets. Successful attacks may have made changes to the targeted systems that would not have been corrected by the application of the patch.

The problem with Shellshock is similar to problems that emerged after the Heartbleed bug and numerous other vulnerabilities—while organizations struggle to understand the disclosures, how they affect their systems, and how to successfully implement patches, others—including security researchers—race to build proof-of-concept attacks based on them to demonstrate exactly how dire they are. And those proofs of concept often get picked up by cybercriminals and others with bad intent before organizations can effectively patch them—using them to exploit systems in ways that are much longer-lasting than the vulnerability du jour.


 
wpa_supplicant and hostapd CVE-2014-3686 Remote Command Execution Vulnerability
 
Python Requests CVE-2014-1829 Information Disclosure Vulnerability
 

Before you start: While adjusting your SSL configuration, you should also check for various other SSL related configuration options. A good outline can be found at http://bettercrypto.org as well as at http://ssllabs.com (for web servers in particular)

Here are some configuration directives to turn off SSLv3 support on servers:

Apache: Add -SSLv3 to the SSLProtocol line. It should already contain -SSLv2 unless you list specific protocols.

nginx: list specific allowed protocols in the ssl_protocols line. Make sure SSLv2

Postfix: Disable SSLv3 support in the smtpd_tls_mandatory_protocols configuration line. For example: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3. Note that this setting only governs mandatory TLS; for opportunistic TLS (the common case on port 25) set smtpd_tls_protocols the same way, and smtp_tls_protocols / smtp_tls_mandatory_protocols for the client side.

Dovecot: similar, disable SSLv2 and SSLv3 in the ssl_protocols line. For example: ssl_protocols = !SSLv2 !SSLv3

HAProxy Server: the bind configuration line should include no-sslv3 (this line also lists allowed ciphers)

Puppet: see https://github.com/stephenrjohnson/puppetmodule/commit/1adb73f9a400cb5e91c4ece1c6166fd63004f448 for instructions

For clients, turning off SSLv3 can be a bit more tricky, or just impossible.

Google Chrome: you need to start Google Chrome with the --ssl-version-min=tls1 option.

Internet Explorer: You can turn off SSLv3 support in the advanced internet option dialog.

Firefox: check the security.tls.version.min setting in about:config and set it to 1. Oddly enough, in our testing, the default setting of 0 will allow SSLv3 connections, but refuses to connect to our SSLv3 only server.

For Microsoft Windows, you can use group policies. For details see Microsoft's advisory: https://technet.microsoft.com/en-us/library/security/3009008.aspx

To test, continue to use our POODLE Test page at https://poodletest.com or the Qualys SSL Labs page at https://ssllabs.com

To detect the use of SSLv3, you can try the following filters:

tshark/wireshark display filter: ssl.handshake.version==0x0300
(This matches the version field inside the ClientHello or ServerHello body, which is the one that matters. The record-layer version in the same packet is often 0x0300 even for TLS-capable clients, so filtering on ssl.record.version would over-count.)

tcpdump filter: (1) accounting for variable TCP header length: tcp[((tcp[12]>>4)*4)+9:2]=0x0300
(2) assuming a 20-byte TCP header with no options: tcp[29:2]=0x0300
Both read the two version bytes at offset 9 of the TCP payload (5 bytes of record header plus 4 bytes of handshake header) without checking that the packet is a handshake record at all, so expect some false positives on non-TLS traffic and add a port qualifier where you can.
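As an added worked example (not part of the original diary), the logic behind the filters above in Python: it builds ClientHello records by hand, reads the version at the same byte offset the tcpdump expression uses, and then parses the handshake properly so that the handshake version (not the record-layer version) is what gets reported. The TCP headers, ports and cipher suites are constructed sample data; the TLS_FALLBACK_SCSV value 0x5600 is the RFC 7507 constant.

```python
import struct

SSLV3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value


def build_client_hello(record_version, handshake_version, cipher_suites):
    """Constructed TLS handshake record carrying a ClientHello (no extensions).
    Record and handshake versions are set separately because real clients
    often send a 0x0300/0x0301 record version while advertising a newer
    version inside the handshake body."""
    body = struct.pack(">H", handshake_version)
    body += bytes(32)                                   # client_random (all zero: test data)
    body += b"\x00"                                     # session_id length 0
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                 # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake


def tcp_segment(payload, header_words=5):
    """Constructed TCP header (ports and sequence numbers are dummies) followed
    by the payload. header_words > 5 pads the header with NOP options so the
    data-offset nibble in byte 12 actually matters."""
    header = struct.pack(">HHIIBBHHH", 443, 51000, 0, 0, header_words << 4, 0x18, 65535, 0, 0)
    header += b"\x01" * ((header_words - 5) * 4)
    return header + payload


def bpf_handshake_version(segment):
    """Same arithmetic as the tcpdump filter tcp[((tcp[12]>>4)*4)+9:2]: skip
    the TCP header using the data offset, then read two bytes at payload offset 9."""
    off = (segment[12] >> 4) * 4 + 9
    return struct.unpack(">H", segment[off:off + 2])[0]


def parse_client_hello(payload):
    """Return (handshake_version, cipher_suites) for a ClientHello record, or None.
    Unlike the packet filter this checks the record type (0x16) and handshake
    type (0x01) bytes, so unrelated data with 0x0300 at offset 9 is not reported."""
    if len(payload) < 46 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    version = struct.unpack(">H", payload[9:11])[0]
    pos = 11 + 32                                       # skip client_random
    pos += 1 + payload[pos]                             # skip session_id
    n = struct.unpack(">H", payload[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", payload[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return version, suites


def classify(segment):
    """Label a TCP segment the way an analyst would read a filter hit."""
    hello = parse_client_hello(segment[(segment[12] >> 4) * 4:])
    if hello is None:
        return "not a ClientHello"
    version, suites = hello
    if version == SSLV3:
        if TLS_FALLBACK_SCSV in suites:
            return "SSLv3 ClientHello with TLS_FALLBACK_SCSV (client retrying after a failed handshake)"
        return "SSLv3 ClientHello"
    return "TLS 1.%d ClientHello" % ((version & 0xFF) - 1)


# Constructed samples, not captured traffic.
SSLV3_HELLO = tcp_segment(build_client_hello(SSLV3, SSLV3, [0x000A, 0x002F]))
FALLBACK_HELLO = tcp_segment(build_client_hello(SSLV3, SSLV3, [0x000A, TLS_FALLBACK_SCSV]))
# Record version 0x0301 but TLS 1.2 in the handshake, behind a 24-byte TCP header.
TLS12_HELLO = tcp_segment(build_client_hello(TLS10, TLS12, [0x002F, 0xC02F]), header_words=6)
APP_DATA = tcp_segment(b"\x17\x03\x00\x00\x10" + bytes(16))   # SSLv3 application_data record

if __name__ == "__main__":
    for name, seg in [("SSLV3_HELLO", SSLV3_HELLO), ("FALLBACK_HELLO", FALLBACK_HELLO),
                      ("TLS12_HELLO", TLS12_HELLO), ("APP_DATA", APP_DATA)]:
        print("%-15s filter sees 0x%04x -> %s" % (name, bpf_handshake_version(seg), classify(seg)))
```

The TLS12_HELLO sample is the case that separates the two filters: a 24-byte TCP header shifts the version field, so tcp[29:2] would read the wrong bytes while the data-offset form still lands on 0x0303. It also shows why the filter targets the handshake version rather than the record version at payload offset 1, which here is 0x0301 for a client that actually speaks TLS 1.2.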

We will also have a special webcast at 3pm ET. For details see

https://www.sans.org/webcasts/about-poodle-99032

The webcast will probably last 20-30 minutes and summarize the highlights of what we know so far.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
SEC Consult SA-20141015-0 :: Potential Cross-Site Scripting in ADF Faces
 
Multiple Cross-Site Scripting (XSS) in WP Google Maps WordPress Plugin
 
Reflected Cross-Site Scripting (XSS) in MaxButtons WordPress Plugin
 
Paypal Inc MultiOrderShipping API - Filter Bypass & Persistent XML Vulnerability
 
Indeed Job Search 2.5 iOS API - Multiple Vulnerabilities
 

 

This update to the OpenSSL library (1.0.1j, 1.0.0o and 0.9.8zc) addresses four vulnerabilities. One of these is the POODLE vulnerability announced yesterday.

CVE-2014-3513: A memory leak in parsing DTLS SRTP messages can lead to a denial of service. You are vulnerable unless you specifically compiled your OpenSSL library with the OPENSSL_NO_SRTP option. All 1.0.1 versions of OpenSSL are affected.

CVE-2014-3567: Another memory leak that can lead to a DoS attack. In this case, memory is not freed if an SSL session ticket fails an integrity check. OpenSSL 0.9.8, 1.0.0 and 1.0.1 are affected.

CVE-2014-3566 (POODLE): OpenSSL now supports TLS_FALLBACK_SCSV, a signalling cipher suite a client includes when it retries a handshake at a lower protocol version; a server that understands it rejects such a retry if it supports something higher, which blocks the downgrade a MitM needs to force a connection onto SSLv3. It only helps when both client and server implement it, and it does nothing for clients that start out at SSLv3, so disabling SSLv3 outright remains the real fix. This affects OpenSSL 1.0.1, 1.0.0 and 0.9.8.

CVE-2014-3568: The no-ssl3 build option, which is intended to disable SSLv3, may actually not work as advertised. This one is of course particularly important if you try to disable SSLv3.

Also, OpenSSL 0.9.8 is now officially end-of-life. Don't expect any more patches for 0.9.8.
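The following added example (not OpenSSL's code, and not from the diary) shows what TLS_FALLBACK_SCSV does and does not do by simulating the fallback dance: a client that retries with lower versions after a failed handshake, an active attacker dropping every handshake above SSLv3, and a server with and without SCSV support. The version constants, the 0x5600 suite value and alert number 86 (inappropriate_fallback) come from RFC 7507; the other cipher suite values and the client behaviour are assumptions made for the simulation.

```python
SSLV3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
INAPPROPRIATE_FALLBACK = 86         # RFC 7507 alert sent by an SCSV-aware server
NAMES = {SSLV3: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}


def server_reply(client_version, cipher_suites, server_max, scsv_aware=True):
    """Server side of the ClientHello. An SCSV-aware server refuses any hello
    that carries TLS_FALLBACK_SCSV but offers less than the server's own
    maximum, because that combination only occurs when a client is retrying
    downward (either after an attacker killed the first handshake, or because
    a buggy middlebox did). An unpatched server just negotiates the minimum."""
    if scsv_aware and TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("server_hello", min(client_version, server_max))


def fallback_dance(server_max, scsv_aware, attacker_drops_above=None):
    """Client side: try TLS1.2 first; after a failed handshake retry one version
    lower, adding the SCSV to every retry (the browser behaviour POODLE abuses).
    attacker_drops_above simulates a MitM that kills every handshake above the
    given version. The client stops at the first real server answer, ServerHello
    or alert. Returns (outcome, transcript)."""
    transcript = []
    for attempt, version in enumerate([TLS12, TLS11, TLS10, SSLV3]):
        suites = [0x002F] + ([TLS_FALLBACK_SCSV] if attempt > 0 else [])
        if attacker_drops_above is not None and version > attacker_drops_above:
            transcript.append((NAMES[version], "handshake dropped by attacker"))
            continue
        reply = server_reply(version, suites, server_max, scsv_aware)
        transcript.append((NAMES[version], reply))
        return reply, transcript
    return ("failed", None), transcript


def legacy_client(server_max, scsv_aware=True):
    """A client that only speaks SSLv3 and never retries sends no SCSV, so even
    an SCSV-aware server accepts it: the SCSV does not remove SSLv3, it only
    stops downgrades by clients that could have done better."""
    return server_reply(SSLV3, [0x000A], server_max, scsv_aware)


if __name__ == "__main__":
    cases = [
        ("no attacker, patched server", fallback_dance(TLS12, True)),
        ("attacker forces SSLv3, unpatched server", fallback_dance(TLS12, False, attacker_drops_above=SSLV3)),
        ("attacker forces SSLv3, patched server", fallback_dance(TLS12, True, attacker_drops_above=SSLV3)),
        ("server genuinely maxes out at TLS1.0", fallback_dance(TLS10, True)),
    ]
    for label, (outcome, transcript) in cases:
        print(label, "->", outcome)
        for step in transcript:
            print("   ", step)
    print("SSLv3-only client against patched server ->", legacy_client(TLS12))
```

The third case is the one the OpenSSL update buys you: the attacker still gets the client down to an SSLv3 attempt, but because that attempt carries the SCSV and the server knows it supports TLS 1.2, the server answers with alert 86 and the client gets no SSLv3 session to attack. The fourth case shows the check does not break servers that legitimately top out at an older version, and legacy_client shows why you still have to turn SSLv3 off.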

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
LinuxSecurity.com: Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]
 
LinuxSecurity.com: Updated java-1.6.0-openjdk packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: wpa_supplicant could be made to run programs if it received specially crafted network traffic.
 
LinuxSecurity.com: Firefox could be made to crash or run programs as your login if it opened a malicious website.
 
LinuxSecurity.com: Several security issues were fixed in Oxide.
 
LinuxSecurity.com: Requests could be made to expose authentication credentials over the network.
 
LiveZilla 5.3.0.7 Security Issue
 
[SE-2014-01] Breaking Oracle Database through Java exploits (details)
 
two browser mem disclosure bugs (CVE-2014-1580 and CVE-something-or-other)
 
[SECURITY] [DSA 3049-1] wireshark security update
 
HP Sprinter CVE-2014-2638 Remote Code Execution Vulnerability
 
HP Sprinter CVE-2014-2635 Remote Code Execution Vulnerability
 
Google Chrome CVE-2014-3188 Remote Code Execution Vulnerability
 
Squid 'snmpHandleUdp()' Function Off-By-One Heap Buffer Overflow Vulnerability
 
Microsoft Internet Explorer CVE-2014-1769 Remote Memory Corruption Vulnerability
 

Posted by InfoSec News on Oct 15

http://www.affoplano.com/component/obituary/?view=detail&id=452

After a long and devastating illness, Shon passed away on October 8, 2014.
Shon founded and was CEO of Logical Security, an information consultant, a
former engineer in the Air Force Information Warfare unit, instructor and
best-selling author of many books on IT Security. Shon was recognized as
one of the top 25 women in the Information Security field. Shon's family...
 

Posted by InfoSec News on Oct 15

http://www.wired.com/2014/10/poodle-explained/

By Kim Zetter
Threat Level
Wired.com
10.14.14

On a day when system administrators were already taxed addressing several
security updates released by Microsoft, Oracle, and Adobe, there is now
word of a new security hole discovered in a basic protocol used for
encrypting web traffic. Its name is POODLE, which stands for Padding
Oracle on Downgraded Legacy Encryption, and it was discovered by...
 

Interest in secure communications is at an all time high, with many concerned about spying by both governments and corporations. This concern has stimulated developments such as the Blackphone, a custom-designed handset running a forked version of Android that's built with security in mind.

But the Blackphone has a problem. The mere fact of holding one in your hand advertises to the world that you're using a Blackphone. That might not be a big problem for people who can safely be assumed to have access to sensitive information—politicians, security contractors, say—but if you're a journalist investigating your own corrupt government or a dissident fearful of arrest, the Blackphone is a really bad idea. Using such a phone is advertising that you have sensitive material that you're trying to keep secret and is an invitation to break out the rubber hoses.

That's what led a team of security researchers to develop DarkMatter, unveiled today at the Hack In The Box security conference in Kuala Lumpur. DarkMatter is a secure Android fork, but unlike Blackphone and its custom hardware, DarkMatter is a secure Android that runs on regular Android phones (including the Galaxy S4 and Nexus 5) and which, at first glance, looks just like stock Android. The special sauce of DarkMatter is secure encrypted storage that selected apps can transparently access. If the firmware believes it's under attack, the secure storage will be silently unmounted, and the phone will appear, to all intents and purposes, to be a regular non-secure device.


 
Microsoft Internet Explorer CVE-2014-4138 Remote Memory Corruption Vulnerability
 
Microsoft Internet Explorer CVE-2014-4141 Remote Memory Corruption Vulnerability
 
Microsoft Office Word File Processing CVE-2014-4117 Remote Code Execution Vulnerability
 

Oracle has released its Critical Patch Update for October 2014. This series of patches provides fixes for 154 vulnerabilities across a number of product families, including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Product Suite, Oracle PeopleSoft Enterprise, Oracle JD Edwards EnterpriseOne, Oracle Communications Industry Suite, Oracle Retail Industry Suite, Oracle Health Sciences Industry Suite, Oracle Primavera, Oracle Java SE, Oracle and Sun Systems Product Suite, Oracle Linux and Virtualization, and Oracle MySQL.

For more details please refer to the following link:

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

 
Microsoft Internet Explorer CVE-2014-4130 Remote Memory Corruption Vulnerability
 

Posted by InfoSec News on Oct 15

http://www.northjersey.com/news/business/dimon-urges-cyberattack-strategy-1.1108945

THE ASSOCIATED PRESS
OCTOBER 15, 2014

NEW YORK - JPMorgan Chase's CEO Jamie Dimon says that more coordination
between businesses and government is needed to combat the rising threat of
cyberattacks.

New York-based JPMorgan said earlier this month that a breach of its
computer systems this summer compromised customer information pertaining
to roughly 76...
 