Saturday, October 19, 2019

VU#927237: Multiple vulnerabilities in Pulse Secure VPN

Pulse Secure released an out-of-cycle advisory along with software patches for the various affected products on April 24,2019. This addressed a number of vulnerabilities including a Remote Code Execution(RCE)vulnerability with pre-authentication access. This vulnerability has no viable workarounds except...

VU#763073: iTerm2 with tmux integration is vulnerable to remote command execution

iTerm2 is a popular terminal emulator for macOS that supports terminal multiplexing using tmux integration and is frequently used by developers and system administrators. A vulnerability,identified as CVE-2019-9535,exists in the way that iTerm2 integrates with tmux's control mode,which may...

VU#719689: Multiple vulnerabilities found in the Cobham EXPLORER 710 satcom terminal

The Cobham EXPLORER 710 is a portable satellite terminal used to provide satellite telecommunications and internet access. For consistency,“device” mentioned in the following section is defined as the Cobham EXPLORER 710. The affected firmware version is 1.07 for all...

VU#672565: Exim servers that accept TLS connections are vulnerable to local and remote program execution with root privileges

Exim is an open source mail server or message transfer agent(MTA)that is used on Unix-like operating systems. Versions up to and including 4.92.1 of Exim are vulnerable to local and report program execution with root privileges. Exim servers that...

VU#918987: Bluetooth BR/EDR supported devices are vulnerable to key negotiation attacks

Bluetooth is a short-range wireless technology based off of a core specification that defines six different core configurations,including the Bluetooth Basic Rate/Enhanced Data Rate Core Configurations. Bluetooth BR/EDR is used for low-power short-range communications. To establish an encrypted connection,two...

VU#605641: HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion

The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections. While it generally covers expected behavior considerations,how to mitigate abnormal behavior is left to...

VU#489481: Cylance Antivirus Products Susceptible to Concatenation Bypass

Cylance PROTECT is an endpoint protection system. It contains an antivirus functionality that uses a machine learning algorithm(specifically,a neural network)to classify executables as malicious or benign. Security researchers isolated properties of the machine learning algorithm allowing them to change...

VU#790507: Oracle Solaris vulnerable to arbitrary code execution via /proc/self

The process file system(/proc)in Oracle Solaris 11 and Solaris 10 provides a self/alias that refers to the current executing process's PID subdirectory with state information about the process. Protection mechanisms for/proc in Solaris 11/10 did not properly restrict the...

VU#129209: LLVMs Arm stack protection feature can be rendered ineffective

The Stack Protection feature provided in the LLVM Arm backend protects against buffer overflows by adding a cookie value between local variables and the stack frame return address. The compiler stores this value in memory and checks the cookie...

VU#465632: Microsoft Exchange server 2013 and newer are vulnerable to NTLM relay attacks

Microsoft Exchange supports a API called Exchange Web Services(EWS). One of the EWS API functions is called PushSubscriptionRequest,which can be used to cause the Exchange server to connect to an arbitrary website. Connections made using the PushSubscriptionRequest function will...

VU#905115: Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels

CVE-2019-11477:SACK Panic(Linux>=2.6.29). A sequence of specifically crafted selective acknowledgements(SACK)may trigger an integer overflow,leading to a denial of service or possible kernel failure(panic). CVE-2019-11478:SACK Slowness(Linux

VU#576688: Microsoft Windows RDP can bypass the Windows lock screen

In Windows a session can be locked,which presents the user with a screen that requires authentication to continue using the session. Session locking can happen over RDP in the same way that a local session can be locked. CWE-288:Authentication...

VU#119704: Microsoft Windows Task Scheduler SetJobFileSecurityByName privilege escalation vulnerability

Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler,such as schtasks.exe,are interfaces that allow for users to view,create,and modify scheduled tasks. The back-end part of...

VU#877837: Multiple vulnerabilities in Quest Kace System Management Appliance

CVE-2018-5404:The Quest Kace System Management(K1000)Appliance allows an authenticated,remote attacker with least privileges('User Console Only' role)to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. (CWE-89) CVE-2018-5405:The Quest Kace System...

VU#400865: Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input

CVE-2019-1649:Secure Boot Tampering,also known as Thrangrycat The logic that handles Cisco's Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array(FPGA). The secure boot feature is a proprietary FPGA based implementation used for ensuring...
The Register

Deus ex hackina: It took just 10 minutes to find data-divulging demons corrupting Pope’s Click to Pray eRosary app

Vatican coders exorcise API gremlins but, we must confess, they missed little monster.... Exclusive  The technology behind the Catholic Church’s latest innovation, an electronic rosary, is so insecure, it can be trivially hacked to siphon off worshipers' personal information.…
SC Magazine

Trojanized Russian-language Tor browser lets attacks steal from users’ e-wallets

Researchers have discovered a trojanized version of a Tor private browser that targets Russian-speaking dark web marketplace visitors and lets cybercriminals steal from their e-wallet transactions. The developers behind the malicious browser have so far stolen at least $40,000 in...
SC Magazine

UC Browser potentially endangers 500 million users

The popular Android browser UC Browser was found to break several Google mobile app rules possibly placing up to 500 million of its users at risk. UC Browser, which is available from the Google Play store, was found by Zscaler ThreatLabZ...

US stopped using floppy disks to manage nuclear weapons arsenal

US Air Force switches to secure solid-state-based solution to replace antiquated floppy disks in SACCS nuclear weapons management system.
Bruce Schneier

Friday Squid Blogging: Six-Foot-Long Mass of Squid Eggs Found on Great Barrier Reef

It's likely the diamondback squid. There's a video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.