CERT-SEI

CERT publishes vulnerability advisories called "Vulnerability Notes." Vulnerability Notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.
13 September 2017

VU#101048: Microsoft .NET framework WSDL parser PrintClientProxy remote code execution vulnerability

The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
12 September 2017

VU#240311: Multiple Bluetooth implementation vulnerabilities affect many devices

A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, OS X, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to perform commands on the device.
8 September 2017

VU#166743: Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities

Das U-Boot is a device bootloader that can read its configuration from an AES-encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.
6 September 2017

VU#112992: Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data

Apache Struts 2 framework, versions 2.5 to 2.5.12, with the REST plugin insecurely deserializes untrusted XML data. A remote, unauthenticated attacker can leverage this vulnerability to execute arbitrary code in the context of the Struts application.
29 August 2017

VU#403768: Akeo Consulting Rufus fails to update itself securely

Akeo Consulting Rufus fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code on a vulnerable system.
3 August 2017

VU#824672: Microsoft Windows automatically executes code specified in shortcut files

Microsoft Windows automatically executes code specified in shortcut (LNK) files.
27 July 2017

VU#793496: Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency

Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.
25 July 2017

VU#838200: Telerik Web UI contains cryptographic weakness

The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.
20 July 2017

VU#586501: Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account

Inmarsat Solutions offers a shipboard email client service, AmosConnect 8 (AC8), which was designed to be utilized over satellite networks in a highly optimized manner. A third-party security research firm has identified two security vulnerabilities in the client software: on-board ship network access could provide visibility of user names and passwords configured on the client device, and a backdoor account has been identified in the client that provides full system privileges. This vulnerability could be exploited remotely. An attacker with high skill would be able to exploit this vulnerability. AmosConnect 8 has been deemed end of life and is no longer supported. Inmarsat customers must contact Inmarsat Customer Service to obtain the replacement mail client software.
18 July 2017

VU#547255: Dahua IP cameras' Sonia web interface is vulnerable to stack buffer overflow

Dahua IP camera products using firmware versions prior to V2.400.0000.14.R.20170713 include a version of the Sonia web interface that may be vulnerable to a stack buffer overflow.
19 June 2017

VU#489392: Acronis True Image fails to update itself securely

Acronis True Image fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges.
15 June 2017

VU#846320: Samsung Magician fails to update itself securely

Samsung Magician fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges.
13 June 2017

VU#768399: HPE SiteScope contains multiple vulnerabilities

HPE's SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication.
8 June 2017

VU#251927: CalAmp LMU-3030 devices may not authenticate SMS interface

OBD-II devices are used to provide telematics information for managers of fleets of vehicles. One type of device, manufactured by CalAmp, has an SMS (text message) interface. We have found multiple deployments where no password was configured for this interface by the integrator/reseller. Companies using the CalAmp hardware should be aware that they need to set a password or disable SMS. Vendors were notified, and the SMS interface was disabled or password-protected by all vendors known to be affected.
7 June 2017

VU#350135: Various WiMAX routers contain an authentication bypass vulnerability in custom libmtk httpd plugin

WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device.