Wednesday, August 10, 2022
CERT

VU#495801: muhttpd versions 1.1.5 and earlier are vulnerable to path traversal

Overview Versions 1.1.5 and earlier of the mu HTTP deamon (muhttpd) are vulnerable to path traversal...
CERT

VU#142546: SMA Technologies OpCon UNIX agent adds the same SSH key to all installations

Overview SMA Technologies OpCon UNIX agent adds the same SSH key on every installation and subsequent...
CERT

VU#473698: CVE-2022-30295 – uClibc, uClibc-ng Libraries Have Monotonically Increasing DNS Transaction ID

Overview The uClibc and uClibc-ng libraries are vulnerable to DNS cache poisoning due to the use...
CERT

VU#730007: Tychon is vulnerable to privilege escalation due to OPENSSLDIR location

Overview Tychon contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that...
CERT

VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value

Overview Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may...
CERT

VU#970766: Spring Framework insecurely handles PropertyDescriptor objects with data binding

Overview The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to...
CERT

VU#383864: Visual Voice Mail (VVM) services transmit unencrypted credentials via SMS

Overview Visual Voice Mail (VVM) services transmit unencrypted credentials via SMS. An attacker with the ability...
CERT

VU#229438: Mobile device monitoring services do not authenticate API requests

Overview The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or...
CERT

VU#796611: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM

Overview The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in...
CERT

VU#119678: Samba vfs_fruit module insecurely handles extended file attributes

Overview The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142)....
CERT

VU#287178: McAfee Agent for Windows is vulnerable to privilege escalation due to OPENSSLDIR location

Overview McAfee Agent contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable...
CERT

VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities

Overview Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use...
CERT

VU#692873: Saviynt Enterprise Identity Cloud vulnerable to local user enumeration and authentication bypass

Overview Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass vulnerabilities in the local password...
CERT

VU#930724: Apache Log4j allows insecure JNDI lookups

Overview Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute...
CERT

VU#999008: Compilers permit Unicode control and homoglyph characters

Overview Attacks that allow for unintended control of Unicode and homoglyphic characters, described by the researchers...

Phishers who breached Twilio and fooled Cloudflare could easily get you, too

At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not...
Brian Krebs

Microsoft Patch Tuesday, August 2022 Edition

Microsoft today released updates to fix a record 141 security vulnerabilities in its Windows operating systems and related software. Once again, Microsoft is patching a zero-day vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows....

One of 5G's Biggest Features Is a Security Minefield

New research found troubling vulnerabilities in the 5G platforms carriers offer to wrangle embedded device data.
The Register

Patch Tuesday: Yet another Microsoft RCE bug under active exploit

Oh, and that critical VMware auth bypass vuln? Miscreants found it, too

August Patch Tuesday clicks off the week of hacker summer camp in Las Vegas this year, so it's basically a code cracker's holiday too. …