‼ CVE-2022-27052 ‼
📖 Read
via "National Vulnerability Database".
FreeFtpd version 1.0.13 and below contains an unquoted service path vulnerability which allows local users to launch processes with elevated privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24791 ‼
📖 Read
via "National Vulnerability Database".
Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interruption in Wasmtime. If you are not explicitly enabling epoch interruption (it is disabled by default) then you are not affected. If you are explicitly disabling the Wasm reference types proposal (it is enabled by default) then you are also not affected. The use after free is caused by Cranelift failing to emit stack maps when there are safepoints inside cold blocks. Cold blocks occur when epoch interruption is enabled. Cold blocks are emitted at the end of compiled functions, and change the order blocks are emitted versus defined. This reordering accidentally caused Cranelift to skip emitting some stack maps because it expected to emit the stack maps in block definition order, rather than block emission order. When Wasmtime would eventually collect garbage, it would fail to find live references on the stack because of the missing stack maps, think that they were unreferenced garbage, and therefore reclaim them. Then after the collection ended, the Wasm code could use the reclaimed-too-early references, which is a use after free. Patches have been released in versions 0.34.2 and 0.35.2, which fix the vulnerability. All Wasmtime users are recommended to upgrade to these patched versions. If upgrading is not an option for you at this time, you can avoid the vulnerability by either: disabling the Wasm reference types proposal, config.wasm_reference_types(false); or by disabling epoch interruption if you were previously enabling it. config.epoch_interruption(false).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27049 ‼
📖 Read
via "National Vulnerability Database".
Raidrive before v2021.12.35 allows attackers to arbitrarily move log files by pre-creating a mountpoint and log files before Raidrive is installed.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27965 ‼
📖 Read
via "National Vulnerability Database".
Xlpd v7.0.0094 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27050 ‼
📖 Read
via "National Vulnerability Database".
BitComet Service for Windows before version 1.8.6 contains an unquoted service path vulnerability which allows attackers to escalate privileges to the system level.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27964 ‼
📖 Read
via "National Vulnerability Database".
Xmanager v7.0.0096 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24798 ‼
📖 Read
via "National Vulnerability Database".
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27966 ‼
📖 Read
via "National Vulnerability Database".
Xshell v7.0.0099 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24796 ‼
📖 Read
via "National Vulnerability Database".
RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available.📖 Read
via "National Vulnerability Database".
📢 Breaking end-to-end encryption would do more harm than good, warn IT professionals 📢
📖 Read
via "ITPro".
Two-thirds of IT specialists said restricting the use of this technology would have a negative impact on protecting society📖 Read
via "ITPro".
IT PRO
Breaking end-to-end encryption would do more harm than good, warn IT professionals | IT PRO
Two-thirds of IT specialists said restricting the use of this technology would have a negative impact on protecting society
📢 Mobile security firm Zimperium to be acquired for $525 million 📢
📖 Read
via "ITPro".
Texas-based Zimperium offers on-device mobile threat defense to protect against cyber attacks📖 Read
via "ITPro".
IT PRO
Mobile security firm Zimperium to be acquired for $525 million | IT PRO
Texas-based Zimperium offers on-device mobile threat defense to protect against cyber attacks
📢 Google patches second Chrome browser zero-day of 2022 📢
📖 Read
via "ITPro".
Google acted quickly to secure against the type confusion vulnerability that was under active exploitation📖 Read
via "ITPro".
ITPro
Google patches second Chrome browser zero-day of 2022
Google acted quickly to secure against the type confusion vulnerability that was under active exploitation
📢 WatchGuard Firebox T40-W review: Powerful yet classy 📢
📖 Read
via "ITPro".
A powerful desktop security appliance with classy remote monitoring and configuration services📖 Read
via "ITPro".
IT PRO
WatchGuard Firebox T40-W review: Powerful yet classy | IT PRO
A powerful desktop security appliance with classy remote monitoring and configuration services
📢 Patch finally released for Spring4Shell zero-day after vulnerable businesses put on high alert 📢
📖 Read
via "ITPro".
With proof-of-concept code out in the wild, businesses are encouraged to assess their exposure to what's being dubbed 'Log4Shell 2.0'📖 Read
via "ITPro".
ITPro
Patch finally released for Spring4Shell zero-day after vulnerable businesses put on high alert
With proof-of-concept code out in the wild, businesses are encouraged to assess their exposure to what's being dubbed 'Log4Shell 2.0'
📢 NCSC warns businesses against using Kaspersky products 📢
📖 Read
via "ITPro".
Critical infrastructure companies, as well as organisations aiding Ukraine or criticising the Russian government, are at the highest risk of being compromised📖 Read
via "ITPro".
IT PRO
NCSC warns businesses against using Kaspersky products | IT PRO
Critical infrastructure companies, as well as organisations aiding Ukraine or criticising the Russian government, are at the highest risk of being compromised
📢 Leaked report on Okta breach reveals finer details of LAPSUS$ operation 📢
📖 Read
via "ITPro".
Poor OPSEC and publicly available hacking tools allowed the hackers to pull off one of the most high-profile cyber attacks of the year so far📖 Read
via "ITPro".
IT PRO
Leaked report on Okta breach reveals finer details of LAPSUS$ operation | IT PRO
Poor OPSEC and publicly available hacking tools allowed the hackers to pull off one of the most high-profile cyber attacks of the year so far
📢 Kaspersky declared threat to US national security 📢
📖 Read
via "ITPro".
Kaspersky was added to the FCC's blacklist alongside China Mobile International and China Telecom📖 Read
via "ITPro".
IT PRO
Kaspersky declared threat to US national security | IT PRO
Kaspersky was added to the FCC's blacklist alongside China Mobile International and China Telecom
📢 Cyber attackers' NFT blockchain heist nets hundreds of millions in stolen cryptocurrency 📢
📖 Read
via "ITPro".
Ronin blockchain owner Sky Mavis said it's working with outside experts to ensure the stolen funds are returned to owners📖 Read
via "ITPro".
IT PRO
Cyber attackers' NFT blockchain heist nets hundreds of million in stolen cryptocurrency | IT PRO
Owner of the Ronin blockchain Sky Mavis said it's working with outside experts to ensure the stolen funds are returned to owners
📢 DCMS: A third of businesses experience "weekly" cyber attacks 📢
📖 Read
via "ITPro".
Government data suggests senior managers are more worried about cyber attacks than ever before📖 Read
via "ITPro".
IT PRO
DCMS: A third of businesses experience "weekly" cyber attacks | IT PRO
Government data suggests senior managers are more worried about cyber attacks than ever before
📢 Cyber incidents targeting UK financial services providers surged in 2021 📢
📖 Read
via "ITPro".
A fifth of incidents reported to the Financial Conduct Authority involved ransomware📖 Read
via "ITPro".
IT PRO
Cyber incidents targeting UK financial services providers surged in 2021 | IT PRO
A fifth of incidents reported to the Financial Conduct Authority involved ransomware
📢 The ten biggest threats to your Windows PC in 2022 📢
📖 Read
via "ITPro".
From malware to a man with a screwdriver called Steve, we round up the biggest dangers to your machine this year📖 Read
via "ITPro".
IT PRO
The ten biggest threats to your Windows PC in 2022 | IT PRO
From malware to a man with a screwdriver called Steve, we round up the biggest dangers to your machine this year