From security at unicamp.br  Mon Nov  3 10:51:32 2014
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 3 Nov 2014 10:51:32 -0200
Subject: [SECURITY-L] Vulnerability in the Drupal 7 CMS - Highly Critical
Message-ID: <20141103125132.GA21656@unicamp.br>

Dear Administrators,

A critical vulnerability has been published in the Drupal 7 CMS that can be exploited through SQL injection. If you run this software at this version in the computing environment under your responsibility, we advise reading the bulletin and, if you are vulnerable, updating as soon as possible.

More information at: https://www.drupal.org/PSA-2014-003

Sincerely,

Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
E-mail: security at unicamp.br
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or +55 19 3521-2290
INOC-DBA-BR: 1251*830

From security at unicamp.br  Mon Nov 10 12:27:41 2014
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 10 Nov 2014 12:27:41 -0200
Subject: [SECURITY-L] TA14-310A: Microsoft Ending Support for Windows Server 2003 Operating System
Message-ID: <20141110142740.GA22391@unicamp.br>

-------- Forwarded Message --------
Subject: TA14-310A: Microsoft Ending Support for Windows Server 2003 Operating System
Date: Mon, 10 Nov 2014 07:16:22 -0600
From: US-CERT
Reply-To: US-CERT at ncas.us-cert.gov
To: daniela at ccuec.unicamp.br

NCCIC / US-CERT
National Cyber Awareness System:
TA14-310A: Microsoft Ending Support for Windows Server 2003 Operating System
11/10/2014 07:19 AM EST

Original release date: November 10, 2014

Systems Affected

Microsoft Windows Server 2003 operating system

Overview

Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015.[1] After this date, this product will no longer receive:

* Security patches that
help protect PCs from harmful viruses, spyware, and other malicious software
* Assisted technical support from Microsoft
* Software and content updates

Description

All software products have a lifecycle. End of support refers to the date when Microsoft will no longer provide automatic fixes, updates, or online technical assistance.[2] As of July 2014, there were 12 million physical servers worldwide still running Windows Server 2003.[3]

Impact

Computer systems running unsupported software are exposed to an elevated risk of cybersecurity dangers, such as malicious attacks or electronic data loss. Users may also encounter problems with software and hardware compatibility, since new software applications and hardware devices may not be built for Windows Server 2003. Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.

Solution

Computers running the Windows Server 2003 operating system will continue to work after support ends. However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity, and/or availability of data, system resources and business assets. The Microsoft "Microsoft Support Lifecycle Policy FAQ" page offers additional details.[2]

Users have the option to upgrade to a currently supported operating system or other cloud-based services. There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows Server 2003 to a currently supported operating system or SaaS (software as a service) / IaaS (infrastructure as a service) products and services.[4, 5] US-CERT does not endorse or support any particular product or vendor.
References

* [1] Microsoft Product Lifecycle Listing
* [2] Microsoft Support Lifecycle Policy FAQ
* [3] Redmond Magazine, Prepare for Windows Server 2003's End of Support
* [4] Windows Server 2003 Migration Support
* [5] TechTarget, Weighing next steps following Windows Server 2003 end-of-life

Revision History

* November 10, 2014: Initial Release

------------------------------------------------------------------------
This product is provided subject to this Notification and this Privacy & Use policy.
------------------------------------------------------------------------
OTHER RESOURCES: Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED: Sign up for email updates
------------------------------------------------------------------------

From adipaz at ccuec.unicamp.br  Mon Nov 10 11:15:56 2014
From: adipaz at ccuec.unicamp.br (Adilson Paz)
Date: Mon, 10 Nov 2014 11:15:56 -0200
Subject: [SECURITY-L] [Uni-adm] CSIRT Unicamp: site update - 10/11/2014
Message-ID: <5460BA8C.20507@ccuec.unicamp.br>

Dear all,

The CSIRT Unicamp site has been updated with the following publication:

Log - The administrator's ally
https://www.security.unicamp.br/artigos/58-log-o-aliado-do-administrador.html

Regards,
--
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
Contact: +55 19 3521-2290

From security at unicamp.br  Wed Nov 12 07:41:39 2014
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 12 Nov 2014 07:41:39 -0200
Subject: [SECURITY-L] New Video: Incident Handling
Message-ID: <20141112094139.GA27287@unicamp.br>

-------- Forwarded Message --------
Subject: [ALUMNI] New Video: Incident Handling
Date: Tue, 11 Nov 2014 19:41:22 -0200
From: Cristine Hoepers
Reply-To: CERT.br alumni list
To: alumni at listas.cert.br

Hello everyone,

NIC.br has released a new video on incident handling:

- Security Incident Handling on the Internet, explained by NIC.br
  http://youtu.be/flu6JPRHW04?list=UUscVLgae-2f9baEXhVbM1ng

It is part of a series of videos being developed by the CEPTRO.br team, coordinated by Antonio Moreiras, to explain in simple terms several concepts of network operations and security.

Best regards,
Cristine

--
Cristine Hoepers
CERT.br/NIC.br
http://www.cert.br/

From security at unicamp.br  Fri Nov 14 09:11:20 2014
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Fri, 14 Nov 2014 09:11:20 -0200
Subject: [SECURITY-L] TA14-317A: Apple iOS "Masque Attack" Technique
Message-ID: <20141114111120.GA13181@unicamp.br>

-------- Forwarded Message --------
Subject: TA14-317A: Apple iOS "Masque Attack" Technique
Date: Thu, 13 Nov 2014 10:18:31 -0600
From: US-CERT
Reply-To: US-CERT at ncas.us-cert.gov
To: daniela at ccuec.unicamp.br

NCCIC / US-CERT
National Cyber Awareness System:
TA14-317A: Apple iOS "Masque Attack" Technique
11/13/2014 09:17 AM EST

Original release date: November 13, 2014

Systems Affected

iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

Overview

A technique labeled "Masque Attack"
allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Description

Masque Attack was discovered and described by FireEye mobile security researchers.[1] This attack works by luring users to install an app from a source other than the iOS App Store or their organizations' provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.

This technique takes advantage of a security weakness that allows an untrusted app, with the same "bundle identifier" as that of a legitimate app, to replace the legitimate app on an affected device, while keeping all of the user's data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple's own iOS platform apps, such as Mobile Safari, are not vulnerable.

Impact

An app installed on an iOS device using this technique may:

* Mimic the original app's login interface to steal the victim's login credentials.
* Access sensitive data from local data caches.
* Perform background monitoring of the user's device.
* Gain root privileges to the iOS device.
* Be indistinguishable from a genuine app.

Solution

iOS users can protect themselves from Masque Attacks by following three steps:

1. Don't install apps from sources other than Apple's official App Store or your own organization.
2. Don't click "Install" from a third-party pop-up when viewing a web page.
3. When opening an app, if iOS shows an "Untrusted App Developer" alert, click on "Don't Trust" and uninstall the app immediately.

Further details on Masque Attack and mitigation guidance can be found on FireEye's blog [1]. US-CERT does not endorse or support any particular product or vendor.
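[Editor's note: the following is an added example, not part of the US-CERT advisory and not Apple or FireEye code.] The weakness above is an install policy keyed on the bundle identifier alone. The model below shows the vulnerable rule beside a hardened rule that also requires the replacing app to carry the same signing certificate as the app it replaces. Bundle identifiers, signer names, sources and the stored "user data" are constructed for the example; the model says nothing about how iOS itself implements installation.

```python
"""Model of the Masque Attack install decision (TA14-317A).

Added example, not Apple or FireEye code: a simplified model of the policy the
advisory describes. Apps, signers and stored data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    bundle_id: str   # e.g. "com.example.bank" (constructed)
    signer: str      # subject of the code-signing certificate (constructed)
    source: str      # "appstore", "enterprise" or "web" (constructed labels)


class Device:
    """Installed apps keyed by bundle identifier; the app's data lives under that key too."""

    def __init__(self):
        self.apps = {}   # bundle_id -> App
        self.data = {}   # bundle_id -> bytes the app stored (constructed)

    def install_by_bundle_id(self, new: App) -> App:
        """Vulnerable rule (the weakness in the advisory): a matching bundle ID
        replaces the installed app, nothing compares the signing certificate,
        and the data keyed by the bundle ID survives the swap."""
        self.apps[new.bundle_id] = new
        return new

    def install_requiring_same_signer(self, new: App) -> App:
        """Hardened rule: a replacement must come from the same signer as the app
        it replaces, so a web-delivered impostor cannot inherit the slot or its data."""
        old = self.apps.get(new.bundle_id)
        if old is not None and old.signer != new.signer:
            raise PermissionError(
                f"{new.bundle_id}: signer {new.signer!r} does not match installed {old.signer!r}")
        self.apps[new.bundle_id] = new
        return new

    def data_visible_to(self, bundle_id: str) -> bytes:
        return self.data.get(bundle_id, b"")


def masque_scenario(hardened: bool) -> dict:
    """A legitimate app stores data; an impostor with the same bundle ID
    arrives from a web link. Returns what the device ends up running."""
    device = Device()
    install = device.install_requiring_same_signer if hardened else device.install_by_bundle_id

    legit = App("com.example.bank", "Example Bank Inc.", "appstore")
    install(legit)
    device.data["com.example.bank"] = b"session-token=abc123"   # constructed user data

    impostor = App("com.example.bank", "Acme Enterprise Cert", "web")
    try:
        install(impostor)
        replaced = True
    except PermissionError:
        replaced = False

    return {
        "replaced": replaced,
        "running_signer": device.apps["com.example.bank"].signer,
        "impostor_sees_data": replaced and device.data_visible_to("com.example.bank") != b"",
    }


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable", masque_scenario(hardened))
```

The hardened rule is exactly step 3 of the advisory's advice turned into policy: an "Untrusted App Developer" is a signer that does not match, and the model refuses instead of asking the user.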
References

* [1] FireEye

Revision History

* November 13, 2014: Initial Release

----- End forwarded message -----

From security at unicamp.br  Mon Nov 17 10:34:26 2014
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 17 Nov 2014 10:34:26 -0200
Subject: [SECURITY-L] TA14-318A: Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability
Message-ID: <20141117123426.GC29034@unicamp.br>

NCCIC / US-CERT
National Cyber Awareness System:
TA14-318B: Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability
11/14/2014 05:42 PM EST

Original release date: November 14, 2014

Systems Affected

* Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
* Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

Overview

A vulnerability in Microsoft Windows Object Linking and Embedding (OLE) could allow remote code execution if a user views a specially-crafted web page in Internet Explorer.[1]

Description

The Microsoft Windows OLE OleAut32.dll library provides the SafeArrayRedim function that allows resizing of SAFEARRAY objects in memory.[2] In certain circumstances, this library does not properly check sizes of arrays when an error occurs. The improper size allows an attacker to manipulate memory in a way that can bypass the Internet Explorer Enhanced Protected Mode (EPM) sandbox as well as the Enhanced Mitigation Experience Toolkit (EMET).
This vulnerability can be exploited using a specially-crafted web page utilizing VBScript in Internet Explorer. However, it may impact other software that makes use of OleAut32.dll and VBScript. Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#158647.

Impact

Arbitrary code can be run on the computer with user privileges. If the user is an administrator, the attacker may run arbitrary code as an administrator, fully compromising the system.

Solution

An update is available from Microsoft.[3] Please see Microsoft Security Bulletin MS14-064 for more details and mitigation guidance, and apply the necessary updates.

References

* [1] NIST Vulnerability Summary for CVE-2014-6332
* [2] IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows
* [3] Microsoft Security Bulletin MS14-064

Revision History

* November 14, 2014: Initial Release
------------------------------------------------------------------------
This email was sent to daniela at ccuec.unicamp.br using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110
Powered by GovDelivery

From security at unicamp.br  Mon Nov 17 10:39:42 2014
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 17 Nov 2014 10:39:42 -0200
Subject: [SECURITY-L] TA14-318A: Microsoft Secure Channel (Schannel) Vulnerability (CVE-2014-6321)
Message-ID: <20141117123942.GE29034@unicamp.br>

NCCIC / US-CERT
National Cyber Awareness System:
TA14-318A: Microsoft Secure Channel (Schannel) Vulnerability (CVE-2014-6321)
11/14/2014 10:32 AM EST

Original release date: November 14, 2014

Systems Affected

* Microsoft Windows Server 2003 SP2
* Microsoft Windows Vista SP2
* Microsoft Windows Server 2008 SP2
* Microsoft Windows Server 2008 R2 SP1
* Microsoft Windows 7 SP1
* Microsoft Windows 8
* Microsoft Windows 8.1
* Microsoft Windows Server 2012
* Microsoft Windows Server 2012 R2
* Microsoft Windows RT
* Microsoft Windows RT 8.1

Microsoft Windows XP and 2000 may also be affected.
Overview

A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1]

Description

Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1] It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]

Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5]

Impact

This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6]

Solution

Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2]

References

* [1] NIST Vulnerability Summary for CVE-2014-6321
* [2] Microsoft Security Bulletin MS14-066 - Critical
* [3] Microsoft, Secure Channel
* [4] Reddit, Microsoft Security Bulletin MS14-066
* [5] Pastebin, SChannelShenanigans
* [6] Winshock.txt

Revision History

* November 14, 2014: Initial Release
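[Editor's note: the following is an added example, not part of the US-CERT advisory and not Microsoft code.] With no workaround for CVE-2014-6321, the only control is confirming that the MS14-066 update is actually on every host, and the Microsoft bulletin notice later in this archive adds a twist: update 2992611 was reoffered on November 18, 2014 for Windows Server 2008 R2 and Windows Server 2012, and hosts that installed it before that date must reapply it. The script below evaluates that rule over a fleet export. It assumes each host's hotfix list was exported with `Get-HotFix | Select-Object HotFixID,InstalledOn | Export-Csv` and that the OS caption comes from `Win32_OperatingSystem`; the date formats accepted (ISO or US month/day/year, with any trailing time dropped) and the sample rows are assumptions and constructed data, and KB1234567 is a placeholder, not a real update.

```python
"""Fleet check for MS14-066 (CVE-2014-6321) update KB2992611.

Added example, not Microsoft or US-CERT code. Assumes a Get-HotFix CSV export per
host (columns HotFixID, InstalledOn) plus the OS caption; sample data is constructed.
"""
import csv
import io
import re
from datetime import date, datetime

KB = "KB2992611"
REOFFER_DATE = date(2014, 11, 18)   # V2.0 revision date of MS14-066 (from the bulletin notice)
# Only these two products received the reoffered package; "2012 R2" must not match "2012".
REOFFER_PATTERNS = (
    re.compile(r"Windows Server 2008 R2"),
    re.compile(r"Windows Server 2012(?! R2)"),
)


def load_hotfix_rows(csv_text: str) -> list:
    """Rows of an Export-Csv file as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_installed_on(value):
    """Assumption: InstalledOn is ISO (2014-11-12) or US style (11/12/2014), optionally
    followed by a time, which is dropped. Returns None when it cannot be read."""
    tokens = (value or "").split()
    if not tokens:
        return None
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(tokens[0], fmt).date()
        except ValueError:
            pass
    return None


def reoffer_applies(os_caption: str) -> bool:
    return any(p.search(os_caption or "") for p in REOFFER_PATTERNS)


def assess_ms14_066(os_caption: str, rows: list) -> str:
    """MISSING: KB2992611 absent. REAPPLY: present on Server 2008 R2 / 2012 but installed
    before the November 18 reoffer. UNKNOWN_DATE: reoffer applies but InstalledOn is
    unreadable, decide by hand. OK: installed, and no reoffer needed or already reapplied."""
    installs = [parse_installed_on(r.get("InstalledOn")) for r in rows
                if (r.get("HotFixID") or "").strip().upper() == KB]
    if not installs:
        return "MISSING"
    if not reoffer_applies(os_caption):
        return "OK"
    if any(d is None for d in installs):
        return "UNKNOWN_DATE"
    # A reinstall shows up as a newer InstalledOn (or a second row); the latest one decides.
    return "OK" if max(installs) >= REOFFER_DATE else "REAPPLY"


# Constructed export: KB2992611 installed on Patch Tuesday, before the reoffer.
SAMPLE_EXPORT = """HotFixID,InstalledOn
KB2992611,11/12/2014
KB1234567,11/12/2014
"""

if __name__ == "__main__":
    rows = load_hotfix_rows(SAMPLE_EXPORT)
    for caption in ("Microsoft Windows Server 2008 R2 Standard",
                    "Microsoft Windows Server 2012 R2 Standard",
                    "Microsoft Windows 7 Professional"):
        print(f"{caption}: {assess_ms14_066(caption, rows)}")
```

Run it against the export of each host and treat REAPPLY and MISSING as findings; UNKNOWN_DATE means the export's date format differs from the two assumed here and the row needs a manual look rather than a silent OK.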
From security at unicamp.br  Wed Nov 19 11:45:58 2014
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 19 Nov 2014 11:45:58 -0200
Subject: [SECURITY-L] Fwd: Microsoft Security Bulletin Releases
Message-ID: <20141119134558.GB17190@unicamp.br>

-------- Forwarded Message --------
Subject: Microsoft Security Bulletin Releases
Date: Tue, 18 Nov 2014 12:10:59 -0600
From: Microsoft
Reply-To: Microsoft

********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: November 18, 2014
********************************************************************

Summary
=======

The following bulletin has been released.

* MS14-068 - Critical

The following bulletins have undergone a major revision increment.

* MS14-066 - Critical
* MS14-NOV

Bulletin Information:
=====================

MS14-068 - Critical

- https://technet.microsoft.com/library/security/ms14-068
- Reason for Revision: V1.0 (November 18, 2014): Bulletin published.
- Originally posted: November 18, 2014
- Updated: November 18, 2014
- Bulletin Severity Rating: Critical
- Version: 1.0

MS14-066 - Critical

- https://technet.microsoft.com/library/security/ms14-066
- Reason for Revision: V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012.
  The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information.
- Originally posted: November 11, 2014
- Updated: November 18, 2014
- Bulletin Severity Rating: Critical
- Version: 2.0

MS14-NOV

- https://technet.microsoft.com/library/security/ms14-nov
- Reason for Revision: V2.0 (November 18, 2014): Bulletin Summary revised to document the out-of-band release of MS14-068 and, for MS14-066, to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. See the respective bulletins for more information.
- Originally posted: November 11, 2014
- Updated: November 18, 2014
- Version: 2.0

Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================

If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security bulletins, or installing security updates. You can obtain the MSRC public PGP key at .

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
********************************************************************

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA 98052

----- End forwarded message -----

From security at unicamp.br  Fri Nov 21 14:28:34 2014
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Fri, 21 Nov 2014 14:28:34 -0200
Subject: [SECURITY-L] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006
Message-ID: <20141121162834.GA14222@unicamp.br>

----- Forwarded message from security-news at drupal.org -----

Date: Wed, 19 Nov 2014 20:47:24 +0000 (UTC)
From: security-news at drupal.org
To: security-news at drupal.org
Subject: [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006
X-Mailer: Drupal

View online: https://www.drupal.org/SA-CORE-2014-006

* Advisory ID: DRUPAL-SA-CORE-2014-006
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2014-November-19
* Security risk: 14/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

.... Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.
This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode" [3]), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

.... Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). This vulnerability can be exploited by anonymous users.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

* /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

* Drupal core 6.x versions prior to 6.34.
* Drupal core 7.x versions prior to 7.34.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Drupal 6.x, upgrade to Drupal core 6.34. [5]
* If you use Drupal 7.x, upgrade to Drupal core 7.34. [6]

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability.

See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7]

Also see the Drupal core [8] project page.
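[Editor's note: the following is an added example, not part of the Drupal advisory and not Drupal's password.inc.] The advisory tells sites with a custom password.inc to make sure it is "not prone to the same denial of service vulnerability" without spelling out the mechanism. This block assumes the mechanism addressed by the Drupal 7.34 fix, namely that an attacker-supplied password of arbitrary length is fed into the iterated hash, and that 7.34 refuses passwords longer than 512 bytes before hashing; both are stated here as the editor's assumptions, not quoted from the advisory. It mirrors a phpass-style loop (SHA-512 over hash || password, 2**count_log2 rounds, with count_log2 = 15 as in Drupal 7) in Python rather than PHP, so the point carries over to any custom hashing code: the loop re-digests the entire password on every round, so request size multiplies directly into CPU time, and the bounded variant rejects oversized input before any work is done.

```python
"""Why an unbounded password is a CPU-exhaustion vector, and where to bound it.

Added example, not Drupal code. Assumes the SA-CORE-2014-006 DoS is an over-long
password reaching the iterated hash, and a 512-byte cap as the fix.
"""
import hashlib

DRUPAL_HASH_COUNT = 15      # Drupal 7's default count_log2 (2**15 rounds)
MAX_PASSWORD_LENGTH = 512   # cap assumed from the 7.34 fix (see lead-in)
DIGEST_LEN = 64             # SHA-512 output; the fixed part re-hashed every round


def iterated_hash(password: bytes, salt: bytes, count_log2: int) -> bytes:
    """phpass-style stretching: hash = sha512(hash || password), 2**count_log2 times."""
    h = hashlib.sha512(salt + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.sha512(h + password).digest()
    return h


def bytes_hashed(password_len: int, count_log2: int = DRUPAL_HASH_COUNT) -> int:
    """Work one login attempt costs the server: every round digests the whole password again."""
    return (1 << count_log2) * (DIGEST_LEN + password_len)


def cost_ratio(attacker_len: int, normal_len: int = 8) -> float:
    """How many ordinary logins one oversized request is worth, in hashing work."""
    return bytes_hashed(attacker_len) / bytes_hashed(normal_len)


def hash_unbounded(password: bytes, salt: bytes, count_log2: int = DRUPAL_HASH_COUNT) -> bytes:
    """Vulnerable behaviour: whatever the request carries goes straight into the loop."""
    return iterated_hash(password, salt, count_log2)


def hash_bounded(password: bytes, salt: bytes, count_log2: int = DRUPAL_HASH_COUNT):
    """Hardened behaviour: refuse before any hashing. Callers treat None as a failed
    login, so a legitimate user is unaffected (nobody has a 512-byte password) and
    the attacker's request costs a length check instead of 2**15 SHA-512 rounds."""
    if len(password) > MAX_PASSWORD_LENGTH:
        return None
    return iterated_hash(password, salt, count_log2)


if __name__ == "__main__":
    one_megabyte = 1_000_000
    print(f"8-byte password:  {bytes_hashed(8):>14,} bytes hashed per attempt")
    print(f"1 MB password:    {bytes_hashed(one_megabyte):>14,} bytes hashed per attempt")
    print(f"one oversized request = {cost_ratio(one_megabyte):,.0f} normal logins")
    print("bounded hash of 1 MB input:", hash_bounded(b"A" * one_megabyte, b"salt"))
```

The numbers are the argument: at 2**15 rounds an 8-byte password costs a few megabytes of SHA-512 input, a 1 MB password costs tens of gigabytes, and anonymous users can send the latter in a loop. If your password.inc stretches the password in its own loop, the length check belongs before that loop, exactly where `hash_bounded` puts it.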
-------- REPORTED BY ---------------------------------------------------------

Session hijacking:

* Aaron Averill [9]

Denial of service:

* Michael Cullum [10]
* Javier Nieto [11]
* Andrés Rojas Guerrero [12]

-------- FIXED BY ------------------------------------------------------------

Session hijacking:

* Klaus Purer [13] of the Drupal Security Team
* David Rothstein [14] of the Drupal Security Team
* Peter Wolanin [15] of the Drupal Security Team

Denial of service:

* Klaus Purer [16] of the Drupal Security Team
* Peter Wolanin [17] of the Drupal Security Team
* Heine Deelstra [18] of the Drupal Security Team
* Tom Phethean [19]

-------- COORDINATED BY ------------------------------------------------------

* The Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [24]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/https-information
[4] http://cve.mitre.org/
[5] https://www.drupal.org/drupal-6.34-release-notes
[6] https://www.drupal.org/drupal-7.34-release-notes
[7] https://www.drupal.org/node/2378367
[8] https://www.drupal.org/project/drupal
[9] https://www.drupal.org/user/1317732
[10] https://www.drupal.org/u/MichaelCu
[11] https://www.drupal.org/u/jnietotn
[12] https://www.drupal.org/u/c0r3dump3d
[13] https://www.drupal.org/u/klausi
[14] https://www.drupal.org/u/David_Rothstein
[15] https://www.drupal.org/u/pwolanin
[16] https://www.drupal.org/u/klausi
[17] https://www.drupal.org/u/pwolanin
[18] https://www.drupal.org/u/Heine
[19] https://www.drupal.org/u/tsphethean
[20] https://www.drupal.org/contact
[21] https://www.drupal.org/security-team
[22] https://www.drupal.org/writing-secure-code
[23] https://www.drupal.org/security/secure-configuration
[24] https://twitter.com/drupalsecurity

----- End forwarded message -----