Skip to content

VMware update breaks the NetScaler VPX

VMware recently released updates to both ESX 5.1 and 5.5 that cause the NetScaler VPX to lose networking.

ESX 5.1 EP5 and ESX 5.5 Update 2 both cause the issue. The issue is described from Citrix as:

NetScaler VPX network connectivity issue on VMware ESXi 5.1.0 2191751 and VMware ESXi 5.5 Build 2143827 is caused by tx_ring_length mismatch, which causes TX stalls.

There is a fix, which involves running a command from the console of the VPX:

echo hw.em.txd=512 > /flash/boot/loader.conf.local

A reboot is required, then networking should be restored. Please reference the following Citrix and VMware articles that describe the issue and fix. Note the suggested fix from VMware and Citrix differ a bit, so we suggest using the Citrix fix.


Gotham Security Daily Threat Alerts

November 21, Securityweek – (International) Siemens fixes critical vulnerabilities in WinCC SCADA products. Siemens issued patches for two vulnerabilities in its SIMATIC WinCC supervisory control and data acquisition (SCADA) systems, one of which could be remotely exploited by an unauthorized attacker. The SIMATIC WinCC system is used to monitor and control industrial and infrastructure systems in chemical, food and beverage, oil and gas, and water and wastewater applications. Source

November 21, Softpedia – (International) Persistent XSS flaw fixed in WP Statistics plug-in for WordPress. The developers of the WP Statistics plug-in for WordPress released version 8.3.1 in order to close a stored cross-site scripting (XSS) vulnerability that could allow attackers to execute commands in the administration panel. Source

November 21, The Register – (International) DoubleDirect hackers snaffle fandroid and iPhone-strokers’ secrets. Researchers with Zimperium identified a man-in-the-middle (MitM) attack technique targeting Android and iOS devices dubbed DoubleDirect that can be used by attackers to intercept devices’ traffic to steal credentials or deliver malicious payloads that can go on to infect a larger network. The researchers have observed the attack being used in the wild and provided a proof of concept for the attack method. Source

November 21, Securityweek – (International) WordPress 4.0.1 released to address critical XSS, other vulnerabilities. The developers of WordPress released version 4.0.1 of the content management system, closing a cross-site scripting (XSS) vulnerability and eight other security issues. Source

November 20, Securityweek – (International) Multiple vulnerabilities found in Hikvision DVR devices. Researchers with Rapid7 identified and reported three remotely exploitable vulnerabilities in Hikvision DVR devices that could be used by unauthenticated attackers to execute arbitrary code. Source

November 20, Securityweek – (International) DDoS attacks over 10 Gbps jump in Q3: Verisign. Verisign released their report on distributed denial of service (DDoS) attacks for the third quarter (Q3) of 2014 and found that attacks exceeding 10 Gpbs grew by 38 percent compared to the second quarter (Q2), representing over 20 percent of all DDoS attacks in Q3, among other findings. Source

November 20, IDG News Service – (International) Governments act against webcam-snooping websites. Authorities in the U.S. and U.K. warned users of Internet-connected webcams and other video devices to secure their devices by adding passwords and changing default passwords after Web sites broadcasting unsecured video feeds were identified online. One of the major unsecured feed sites went offline November 20 while at least one other was still available. Source

November 20, U.S. Attorney’s Office, Southern District of New York – (International) Former corporate executives charged with securities fraud and tax offenses for wide-ranging commercial bribery scheme. Federal authorities charged two Coral Gables, Florida men who worked as senior executives at Systemax Inc., and its subsidiary computer and electronics vendor TigerDirect for allegedly engaging in a kickback scheme with an Asia-based group of suppliers that netted the men over $9 million in kickbacks and benefits. The men were also charged for allegedly concealing the illicit income from the Internal Revenue Service. Source

Gotham Security Daily Threat Alerts

November 20, Threatpost – (International) Attackers using compromised Web plug-ins in CryptoPHP blackhat SEO campaign. Researchers with Fox-IT identified a group of attackers using compromised WordPress themes and plugins to deliver a piece of malware dubbed CryptoPHP that engages in fraudulent search engine optimization (SEO) operations. The malware can also inject content into sites using the compromised plugins and themes, update itself, and perform other tasks. Source:

November 20, Securityweek – (International) Developers fix XSS vulnerability in jQuery Validation Plugin script. The developers of the jQuery Validation Plugin issued a fix for a vulnerability present in the plugin’s demo code that could have allowed an attacker to engage in session hijacking using a reflected cross-site scripting (XSS) attack. The code appeared to be first reported in 2007. Source:

November 20, Threatpost – (International) Angler exploit kit adds new Flash exploit for CVE-2014-8440. A security researcher reported that the Angler exploit kit has been equipped with an exploit for the CVE-2014-8440 vulnerability in Adobe Flash that can be used to take control of target systems. The vulnerability was patched by Adobe November 11 but unpatched systems remain vulnerable. Source:

November 20, Threatpost – (International) Drupal patches denial of service vulnerability; details disclosed. Researchers who identified a denial of service (DoS) vulnerability in the Drupal content management system published details of the vulnerability that could also expose user names following the release of a patch by Drupal November 19 to close the vulnerability. Source:

November 19, Securityweek – (International) Chrome 39 includes 42 security fixes, disables fallback to SSL 3.0. Google released version 39 of its Chrome browser, closing 42 security issues, 11 of which were rated as high-severity, adding features, and disabling fallback to SSL 3.0 which could be exploited in POODLE attacks. Source:

November 19, Network World – (International) FTC gets federal court to shut down $120M tech support scam. The Federal Trade Commission (FTC) announced November 19 that a federal court granted its request to temporarily shut down two telemarketing operations that allegedly defrauded consumers out of more than $120 million by convincing them to grant the marketers remote access and deceiving them into paying for services and products to solve nonexistent computer problems. The companies involved include PC Cleaner, Boost Software, and Inbound Call Experts, and the defendants are the targets of separate cases filed by the FTC and the State of Florida. Source:

November 19, Softpedia – (International) Privilege escalation risk fixed in Android Lollipop, lower versions vulnerable. A researcher who identified and reported a flaw in the Android operating system that could allow an attacker to execute arbitrary code released a proof-of-concept for the vulnerability following the November 3 release of a patch that closes the vulnerability in Android Lollipop (also known as Android 5.0). The vulnerability is still present on previous Android versions. Source:

November 19, Threatpost – (International) Citadel variant targets password managers. Researchers with IBM Trusteer notified the makers of the nexus Personal Security Client, KeePass, and Password Safe password managers that a new variant of the Citadel malware is targeting the three services in an attempt to steal users’ logins and passwords. Source:

Gotham Security Daily Threat Alerts

November 19, Securityweek – (International) Advanced variant of “NotCompatible” Android malware a threat to enterprises. Researchers with Lookout identified a new variant of the NotCompatible trojan for Android dubbed NotCompatible.C which includes several changes to avoid detection by security software, including encrypted communications and geographically distributed command and control (C&C) servers. The malware is being spread by spam emails and compromised Web sites and acts as a proxy on infected systems. Source:

November 18, Securityweek – (International) Microsoft fixes critical Kerberos flaw under attack with out-of-band patch. Microsoft released an out-of-band patch November 18 to close a vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to domain administrator privileges. The vulnerability has been exploited in limited, targeted attacks and users were advised to apply the patch as soon as possible due to the critical nature of the vulnerability. Source:

November 18, SC Magazine – (International) Apple releases OS X Yosemite and iOS updates. Apple released updates November 18 for its OS X Yosemite operating system and iOS 8 mobile operating system, adding improvements and closing an unlimited passcode attempt vulnerability in iOS 8. Source:

November 18, Securityweek – (International) Flashpack exploit kit uses ad networks to deliver Cryptowall, Dofoil malware. Trend Micro researchers identified a malicious advertisement campaign that uses free ads to attempt to redirect users to a page hosting the Flashpack exploit kit, which then attempts to serve a variant of the Dofoil trojan or the Cryptowall ransomware. Source:

November 18, Softpedia – (International) Legit Windows Phone apps can be replaced by malicious ones through copy/paste. A researcher reported that rogue versions of legitimate apps can be installed onto Windows Phone mobile devices after the installation of the legitimate app by replacing the files with the rogue app files. Source:

Gotham Security Daily Threat Alerts

November 18, Securityweek – (International) New variant of Matsnu trojan uses configurable DGA. Researchers from Seculert found that a new variant of the Matsnu trojan (also known as Trustezeb) is using a configurable Domain Generation Algorithm (DGA) to attempt to create domain names that won’t be detected by phonetic algorithms designed to look for nonsensical domain names. The malware can be instructed to take various actions, including downloading and executing files, updating itself, and reporting its status to its controllers. Source:

November 17, Securityweek – (International) Research finds 1 percent of online ads malicious. Researchers from universities in the U.S., U.K., and Germany presenting at the 2014 Internet Measurement Conference reported that their research looked at 600,000 online advertisements on 40,000 Web sites over a 3 month period and found that 1 percent of advertisements were malicious. Source:

Gotham Security Daily Threat Alerts

November 17, Softpedia – (International) BusyBox devices compromised through Shellshock attack. Researchers with Trend Micro identified a new version of the Bashlite malware that identifies devices on an infected system’s network that use the BusyBox software for Linux, including routers, and can then attempt to compromise them using the Shellshock vulnerability. Source

November 17, Softpedia – (International) Steam password stealer is stored on Google Drive. A researcher with Panda Security analyzed and reported a piece of malware designed to steal passwords for the Steam gaming service that is being delivered from a Google Drive account. The account was still active when the researcher reported the malware November 16 and targets victims via a fraudulent link in Steam chat that downloads an executable file. Source

November 17, The Register – (International) WinShock PoC clocked: But DON’T PANIC… It’s no Heartbleed. Researchers released a proof-of-concept (PoC) exploit for a SChannel crypto library flaw that was patched the week of November 10 in a Microsoft patch release. The flaw can still be exploited in unpatched Windows Server 2012, 2008 R2, and 2003 installations to run arbitrary code. Source

November 17, The Register – (International) Attack reveals 81 percent of Tor users but admins call for calm. A paper released by researchers at the Indraprastha Institute of Information Technology outlined a traffic confirmation attack method that the researchers stated could be used to identify users of the Tor anonymity network in 81 percent of cases if an attacker has sufficient resources. Source

November 17, Securityweek – (International) Alleged creators of WireLurker malware arrested in China. Authorities in China arrested three individuals for allegedly creating and distributing the WireLurker malware targeting Mac OS X, iOS, and Windows devices and shut down the Web site used to distribute the malware. Source

November 17, Securityweek – (International) Majority of top 100 paid iOS, Android apps have hacked versions: Report. Arxan Technologies released their annual State of Mobile App Security report which found that there were cloned or repackaged versions of 97 percent of the top 100 paid Android apps and 87 percent for top 100 paid iOS apps, and that repackaged or cloned financial services apps existed for 95 percent of apps on Android and 70 percent in iOS, among other findings. Source

November 16, Softpedia – (International) New variant of Dofoil trojan emerges with strong evasion features. Fortinet researchers identified a new variant of the Dofoil botnet malware that contains several changes aimed at preventing the malware from being detected and analyzed. Source

November 15, Softpedia – (International) New encryption ransomware offers file decryption trial. Researchers at Webroot identified a new piece of encryption ransomware dubbed CoinVault that encrypts victims’ files using AES-256 encryption, demands a ransom, and offers a free trial of the decryption performed if a ransom is paid. Source

November 14, Softpedia – (International) Google misses trojan SMS app in Play Store for more than a year. An SMS trojan named Thai Fun Content was identified by Malwarebytes researchers on the Google Play Store and was available for download for over 1 year. The app subscribes victims to a paid SMS service and charges victims $0.37 per day. Source


November 14, Securityweek – (International) OnionDuke APT malware distributed via malicious Tor exit node. Researchers with F-Secure identified a piece of sophisticated malware dubbed OnionDuke that was distributed by a Russia-based Tor exit node and uses the same command and control infrastructure as the MiniDuke malware used in advanced persistent threat (APT) campaigns. Source

November 13, Threatpost – (International) Internet voting hack alters PDF ballots in transmission. Researchers at Galois published a paper demonstrating how an attacker could conduct an attack against home routers by altering the router firmware that would allow them to intercept a PDF voting ballot and modify it before sending it to the election authority. Source

November 12, Associated Press – (National) US confirms climate agency websites hacked. A National Oceanic and Atmospheric Agency spokesman confirmed November 12 that four of its Web sites were compromised by an Internet-sourced attack after staff detected the intrusion and began incident response efforts. The agency performed unscheduled maintenance and all services were fully restored. Source

November 13, Securityweek – (International) Mobile Pwn2Own 2014: iPhone 5s, Galaxy S5, Nexus 5, Fire Phone hacked. Researchers participating in the Mobile Pwn2Own mobile device hacking competition in Tokyo November 12-13 were able to compromise several popular smartphones and mobile devices, achieving a full sandbox escape on an iPhone 5s, successful near field communications (NFC) attacks on the Galaxy 5S, and several other successful compromises. Source

November 12, WTNH 8 New Haven – (Connecticut) Coast Guard contractor pleads guilty to stealing personal information. A Pawcatuck man who ran a computer repair business and also worked as a contractor for the U.S. Coast Guard pleaded guilty November 12 to stealing personal information and data over 250 times from computers and other devices brought to him for repairs. Source

November 12, Softpedia – (International) 18-year-old remotely exploitable vulnerability in Windows patched by Microsoft. Microsoft released a patch November 11 for a data manipulation vulnerability that has existed in Windows operating systems starting with Windows 95. Researchers with IBM’s X-Force discovered and reported the vulnerability in May, which could have been used by attackers to gain control of affected systems for the last 18 years. Source

November 12, Help Net Security – (International) Microsoft patches Windows, IE, Word, SharePoint and IIS. Microsoft released its monthly Patch Tuesday round of updates for its products, which includes 14 bulletins including one patching a zero-day vulnerability in the Windows OLE packager for Windows Vista and newer Windows operating systems. Source

November 12, Softpedia – (International) 18 critical vulnerabilities patched in Flash Player Adobe released a new version of its Flash Player software, closing 18 critical security issues, 15 of which could allow an attacker to execute arbitrary code. Source

November 12, Network World – (International) Google DoubleClick down, leaving sites ad-free. The Google DoubleClick for Publishers service experienced an outage November 12, preventing ads from being displayed on several Web sites. Google stated that the company was working to resolve the issue. Source

November 12, Softpedia – (International) Air-gapped systems targeted by Sednit espionage group. Researchers with ESET stated that the Sednit espionage group (also known as APT28 or Sofacy) have employed a tool known as Win32/USBStealer since at least 2005 that can exfiltrate data from air gapped systems. The tool is added to a compromised system connected to the Internet and then plants the tool on any removable storage device, collects information on the air gapped system, and then transmits it back to the attackers whenever the storage device is next connected to an Internet-connected system. Source

November 11, Softpedia – (International) Uroburos espionage group is still active, relies on new remote access trojan. G Data researchers found that the Uroburos espionage group (also known as Turla or Snake) remains active and is using two similar versions of a new remote access trojan (RAT) known as ComRAT that includes increased obfuscation and anti-analysis capabilities. Source

November 10, Securityweek – (International) SQL injection vulnerability patched in IP.Board forum software. Invision Power Services released patches for its IP.Board forum software November 9, closing a SQL injection vulnerability several hours after its discovery on versions 3.3.x and 3.4.x. Source

November 10, Securityweek – (International) iOS security issue allows attackers to swap good apps for bad ones: FireEye. Researchers with FireEye identified a new attack dubbed a Masque Attack that can allow attackers to replace a legitimate iOS app with a malicious one if both applications use the same bundle identifier. Victims targeted by the attack must be lured into installing the malicious app which can then be replaced by the malicious app on jailbroken and non-jailbroken iOS devices. Source


Gotham Security Daily Threat Alerts

November 10, Securityweek – (International) Darkhotel attackers target business travelers via hotel networks. Kaspersky Lab researchers identified an advanced persistent threat (APT) group dubbed Darkhotel APT that has targeted travelers in the Asia-Pacific region in addition to the U.S. using malicious hotel WiFi networks, spear phishing, and malicious torrent files. The group’s hotel attacks involve prompting users with a software update notice that installs a backdoor, and the group has targeted guests associated with industries and sectors including government organizations, the defense industry, energy industry, pharmaceutical industry, electronics manufacturers, medical providers, and non-governmental organizations. Source

November 10, The Register – (International) BrowserStack HACK ATTACK: Service still suspended after rogue email. Browser testing service BrowserStack stated that it was temporarily suspending service to recover after an attacker managed to gain access to a list of email addresses and the company’s official email account, using it to send out a fake message to developers. Source

November 10, The Register – (International) Emoticons blast three security holes in Pidgin :-(. Researchers at Cisco reported that the instant messaging client Pidgin contained three security vulnerabilities that could have allowed attackers to overwrite files or cause a denial of service (DoS) situation. The vulnerabilities have since been patched. Source

November 11, Dark Reading – (International) Stuxnet ‘Patient Zero’ Attack Targets Revealed Researchers name five Iranian industrial control systems companies attacked in 2009-2010, and they question whether USB sticks were really the method of infection. Research released today challenges some earlier analysis of the Stuxnet attacks of 2009 and 2010. Source


%d bloggers like this: