Alerts

ECHO Network · 16 April 2021

Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers?

Executive Summary. On March 16, 2021, Unit 42 researchers observed an attacker targeting Nagios XI software to exploit the vulnerability CVE-2021-25296, a remote command injection vulnerability impacting Nagios XI version 5.7.5, to conduct a cryptojacking attack and deploy the XMRig coinminer on victims’ devices.
Ubuntu Security Notices · 16 April 2021

USN-4917-1: Linux kernel vulnerabilities

It was discovered that the overlayfs implementation in the Linux kernel did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. (CVE-2021-3493)

Vincent Dehors discovered that the shiftfs file system in the Ubuntu Linux kernel did not properly handle faults in copy_from_user() when passing through ioctls to an underlying file system. A local attacker could use this to cause a denial of service (memory exhaustion) or execute arbitrary code. (CVE-2021-3492)

Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux kernel did not properly validate computation of branch displacements in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-29154)
Ubuntu Security Notices · 16 April 2021

USN-4916-1: Linux kernel vulnerabilities

It was discovered that the overlayfs implementation in the Linux kernel did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. (CVE-2021-3493)

Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux kernel did not properly validate computation of branch displacements in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-29154)
ECHO Network · 16 April 2021

CVE-2019-15949 (nagios_xi)

Current Description. Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.
ECHO Network · 16 April 2021

2021 and Emerging Cybersecurity Threats

2020 might have brought most activities to a standstill, but not cybersecurity threats. If anything, 2020 saw an increase in cybersecurity threats as criminals found new ways to take advantage of vulnerabilities and infiltrate business systems. Developments in COVID-19, which forced workers into remote work, further worsened these attacks.
ECHO Network · 16 April 2021

Links 15/4/2021: Zorin OS 16 Beta and Pushing Linux to GitHub- and Microsoft-Connected Rust

Without a doubt, Kubernetes is the most important thing that has happened in enterprise computing in the past two decades, rivalling the transformation that swept over the datacenter with server virtualization, first in the early 2000s on RISC/Unix platforms and then during the Great Recession when....
ECHO Network · 16 April 2021

Fedora 32: webkit2gtk3 2021-619711d709

Update to WebKitGTK 2.30.6:
* Update user agent quirks again for Google Docs and Google Drive
* Fix several crashes and rendering issues.
Security fixes: CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, CVE-2021-1870.
ECHO Network · 16 April 2021

Google Brings 37 Security Fixes to Chrome 90

Google this week released Chrome 90 to the stable channel for Windows, Mac, and Linux. The update, which will roll out over the coming days and weeks, brings 37 security fixes, HTTPS by default, and other updates to the browser. Chrome 90.0.4430.72 fixes six high-severity vulnerabilities, 10....
ECHO Network · 16 April 2021

NA - CVE-2020-28898 - In QED ResourceXpress through 4.9k, a large...

In QED ResourceXpress through 4.9k, a large numeric or alphanumeric value submitted in specific URL parameters causes a server error in script execution due to insufficient input validation.
ECHO Network · 16 April 2021

NA - CVE-2021-28055 - An issue was discovered in Centreon-Web in...

An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user.
ECHO Network · 16 April 2021

NA - CVE-2021-29433 - ### Impact Missing input validation of some...

Impact: Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Patches: Fixed by 3175fd3. Workarounds: There are no known workarounds.
ECHO Network · 16 April 2021

NA - CVE-2021-31402 - The dio package 4.0.0 for Dart allows CRLF...

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.
ECHO Network · 16 April 2021

Medium CVE-2021-28320: Microsoft Windows 10

Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability.
ECHO Network · 16 April 2021

Transatlantic Cable podcast, episode 197 | Kaspersky official blog

This week, Jeff and I chat with Ivan Kwiatkowski from Kaspersky’s GReAT to talk about the recent controversy surrounding Google’s decision to “burn” a zero-day exploit in use by US spies. We also talk briefly about another zero-day discovery: Kaspersky found it, and it requires IT teams’ immediate attention.
ECHO Network · 16 April 2021

CVE-2021-30245

Description. The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution.
ECHO Network · 16 April 2021

CVE-2021-29431

Description. Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration.
Ubuntu Security Notices · 16 April 2021

USN-4915-1: Linux kernel (OEM) vulnerabilities

It was discovered that the overlayfs implementation in the Linux kernel did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. (CVE-2021-3493)

Vincent Dehors discovered that the shiftfs file system in the Ubuntu Linux kernel did not properly handle faults in copy_from_user() when passing through ioctls to an underlying file system. A local attacker could use this to cause a denial of service (memory exhaustion) or execute arbitrary code. (CVE-2021-3492)
NVD: all CVE · 16 April 2021

CVE-2021-29450

WordPress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
NVD: all CVE · 16 April 2021

CVE-2021-21405

Lotus is an implementation of the Filecoin protocol written in Go. BLS signature validation in Lotus uses the blst library method VerifyCompressed. This method accepts signatures in two forms, "serialized" and "compressed", meaning that BLS signatures can be provided as either of two distinct byte arrays. Lotus block validation functions perform a uniqueness check on provided blocks. Two blocks are considered distinct if the CIDs of their block headers do not match. The CID method for the block header includes the BlockSig of the block. The result of these issues is that it would be possible to punish miners for valid blocks, as there are two different valid block CIDs available for each block, even though this must be unique. By switching from the Go-based `blst` bindings over to the bindings in `filecoin-ffi`, the code paths now ensure that all signatures are compressed by size and the way they are deserialized. This happened in https://github.com/filecoin-project/lotus/pull/5393.
ECHO Network · 16 April 2021

Low CVE-2021-27067: Microsoft Team Foundation Server

Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability.