‼ CVE-2023-43240 ‼
📖 Read
via "National Vulnerability Database".
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter sip_address in ipportFilter.
‼ CVE-2023-43237 ‼
📖 Read
via "National Vulnerability Database".
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter macCloneMac in setMAC.
‼ CVE-2023-43241 ‼
📖 Read
via "National Vulnerability Database".
D-Link DIR-823G v1.0.2B05 was discovered to contain a stack overflow via parameters TXPower and GuardInt in SetWLanRadioSecurity.
‼ CVE-2023-43236 ‼
📖 Read
via "National Vulnerability Database".
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter statuscheckpppoeuser in dir_setWanWifi.
‼ CVE-2023-43239 ‼
📖 Read
via "National Vulnerability Database".
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter flag_5G in showMACfilterMAC.
‼ CVE-2023-43235 ‼
📖 Read
via "National Vulnerability Database".
D-Link DIR-823G v1.0.2B05 was discovered to contain a stack overflow via parameters StartTime and EndTime in SetWifiDownSettings.
‼ CVE-2023-43242 ‼
📖 Read
via "National Vulnerability Database".
D-Link DIR-816 A2 v1.10CNB05 was discovered to contain a stack overflow via parameter removeRuleList in form2IPQoSTcDel.
🦿 Top 5 Ways to Secure Work Data on Your Personal Mac 🦿
📖 Read
via "Tech Republic".
Worried about work data security on your personal Mac? In this article, we'll discuss the best strategies to keep your work data secure on your Mac.
🦿 5 Tips for Securing Data When Using a Personal Mac for Work 🦿
📖 Read
via "Tech Republic".
Discover strategies for securing data on your personal Mac for work tasks. Learn how to protect your device against potential threats.
📢 Explained: The state of end-to-end encryption in the UK now the Online Safety Bill saga is over 📢
📖 Read
via "ITPro".
Industry stakeholders have previously criticized the Online Safety Bill over its heavy-handed approach to encryption.
‼ CVE-2023-41048 ‼
📖 Read
via "National Vulnerability Database".
plone.namedfile allows users to handle `File` and `Image` fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an SVG image as source is not vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in versions 5.6.1 (for Plone 5.2), 6.0.3 (for Plone 6.0.0-6.0.4), 6.1.3 (for Plone 6.0.5-6.0.6), and 6.2.1 (for Plone 6.0.7). There are no known workarounds.
‼ CVE-2023-42457 ‼
📖 Read
via "National Vulnerability Database".
plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).
‼ CVE-2023-43632 ‼
📖 Read
via "National Vulnerability Database".
As noted in the "VTPM.md" file in the eve documentation, "VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options."

The communication with this server is done using protobuf, and the data is comprised of 2 parts:
1. Header
2. Data

When a connection is made, the server is waiting for 4 bytes of data, which will be the header, and these 4 bytes would be parsed as uint32 size of the actual data to come. Then, in the function "handleRequest" this size is used in order to allocate a payload on the stack for the incoming data. As this payload is allocated on the stack, this will allow overflowing the stack size allocated for the relevant process with freely controlled data.

* An attacker can crash the system.
* An attacker can gain control over the system, specifically on the "vtpm_server" process which has very high privileges.
‼ CVE-2023-43631 ‼
📖 Read
via "National Vulnerability Database".
On boot, the Pillar eve container checks for the existence and content of "/config/authorized_keys". If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login.

An attacker could easily add their own keys and gain full control over the system without triggering the "measured boot" mechanism implemented by EVE OS, and without marking the device as "UUD" ("Unknown Update Detected"). This is because the "/config" partition is not protected by "measured boot", it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thus not triggering the "measured boot" mechanism, and having full access to the vault.

Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
‼ CVE-2023-43637 ‼
📖 Read
via "National Vulnerability Database".
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32-byte randomly generated key with this key (by taking 16 bytes from each, see "mergeKeys"). This makes the key a lot weaker.

This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32-byte key usage.
‼ CVE-2023-43634 ‼
📖 Read
via "National Vulnerability Database".
When sealing/unsealing the "vault" key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key.

In commit "56e589749c6ff58ded862d39535d43253b249acf", the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key.

An attacker could modify the config partition without triggering the measured boot; this could result in the attacker gaining full control over the device with full access to the contents of the encrypted "vault".
‼ CVE-2023-40183 ‼
📖 Read
via "National Vulnerability Database".
DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the file is an image file or not. There is no whitelisting restriction on file suffixes. This allows the attacker to synthesize the attack code into an image for uploading and change the file extension to html. The attacker may steal user cookies by accessing links. The vulnerability has been fixed in v1.18.11. There are no known workarounds.
‼ CVE-2023-43309 ‼
📖 Read
via "National Vulnerability Database".
There is a stored cross-site scripting (XSS) vulnerability in Webmin 2.002 and below via the Cluster Cron Job tab Input field, which allows attackers to run malicious scripts by injecting a specially crafted payload.
‼ CVE-2023-43633 ‼
📖 Read
via "National Vulnerability Database".
On boot, the Pillar eve container checks for the existence and content of "/config/GlobalConfig/global.json". If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system's configuration, which also includes some debug functions. This could be used to unlock the ssh with custom "authorized_keys" via the "debug.enable.ssh" key, similar to the "authorized_keys" finding that was noted before. Other usages include unlocking the usb to enable the keyboard via the "debug.enable.usb" key, allowing VNC access via the "app.allow.vnc" key, and more.

An attacker could easily enable these debug functionalities without triggering the "measured boot" mechanism implemented by EVE OS, and without marking the device as "UUD" ("Unknown Update Detected"). This is because the "/config" partition is not protected by "measured boot", it is mutable and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thereby not triggering the "measured boot" mechanism, and having full access to the vault.

Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
‼ CVE-2023-43274 ‼
📖 Read
via "National Vulnerability Database".
Phpjabbers PHP Shopping Cart 4.2 is vulnerable to SQL Injection via the id parameter.
🛠 BDS Linux Userland Rootkit 🛠
📖 Read
via "Packet Storm Security".
The BDS Userland rootkit is a Linux userland rootkit. It hides files, directories, processes, the bind shell port, the daemon port, and the reverse shell port. It also cleans up bash history and logs during installation.