The Hacker News
added 2022/04/27 4:57 a.m., 24 views

NPM Bug Allowed Attackers to Distribute Malware as Legitimate Packages

A "logical flaw" has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that enables malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them. The supply chain threat has been dubbed "Package...

AI score 2
Exploits 0
Code423n4
added 2022/04/27 12:00 a.m., 8 views

_incrementGaugeWeight allows user to add weight to nonexistent gauges

Lines of code. Vulnerability details. Impact: User adds weight to a gauge that hasn't been added. In addition to adding to a nonexistent gauge, it also increments totalWeight, which only contains weight for live gauges. This value then results in returning values for reward distribution that account fo...

AI score 6.8
Exploits 0
The Hacker News
added 2022/04/26 12:35 p.m., 19 views

Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default

The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before co-opting them into their larger-volume malspam campaigns, potentially in response to Microsoft's move to disable Visual Basic for Applications (VBA) macros by default across its products. Calli...

AI score 0.3
Exploits 0
Code423n4
added 2022/04/24 12:00 a.m., 17 views

In ERC20Gauges, contribution to total weight is double-counted when incrementGauge is called before addGauge for a given gauge.

Lines of code. Vulnerability details. Impact: The impact depends really on how gauges are used by other contracts. The most obvious consequence I can imagine is that some other contract distributes rewards based on calculateGaugeAllocation. However, because getStoredWeighttotalWeight, currentCycle i...

AI score 6.8
Exploits 0
Packet Storm
added 2022/04/21 12:00 a.m., 402 views

USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor

#!/usr/bin/env python3. USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor. Vendor: Jinan USR IOT Technology Limited. Product web page: https://www.pusr.com | https://www.usriot.com. Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808); 1.2.7 (USR-LG220-L). Summary:...

AI score 0.6
Exploits 0
Zero Science Lab
added 2022/04/20 12:00 a.m., 375 views

USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor

Summary: USR-G806 is an industrial 4G wireless LTE router which provides a solution for users to connect their own devices to the 4G network via a WiFi interface or an Ethernet interface. USR-G806 adopts a high-performance embedded CPU which supports a 580MHz working frequency and can be widely used in Smart Grid,...

CVSS 10, AI score 7.3, EPSS 0.01654
Exploits 2
Code423n4
added 2022/04/20 12:00 a.m., 7 views

Owner can takeover funds meant for distribution

Lines of code. Vulnerability details. Impact: By calling the sweep function at the correct moment, Owner can transfer more than the required tokenOut tokens which were meant to be distributed to users. Proof of Concept: 1. Observe the sweep function: function sweep(address token) external gacPausable nonReentrant...

AI score 6.8
Exploits 0
Code423n4
added 2022/04/20 12:00 a.m., 9 views

Race between governance and strategist on other token earned

Lines of code. Vulnerability details. Impact: There is a race between the strategist and the governance to report other tokens earned by the strategy. Indeed, the strategist can trigger function 1 by calling the strategy, while the governance can call 2. Both these functions can report earned tokens...

AI score 6.9
Exploits 0
Trend Micro Simply Security
added 2022/04/19 12:00 a.m., 13 views

Critically Underrated: Studying the Data Distribution Service (DDS) Protocol

Researchers from Trend Micro Research, TXOne, ADLINK, Alias Robotics, and ZDI looked into the Data Distribution Service (DDS) standard and its implementations from a security angle. The full findings of this research will be presented at the S4X22 Conference in April 2022...

AI score 4.1
Exploits 0
OpenVAS
added 2022/04/15 12:00 a.m., 23 views

Fedora: Security Advisory for stargz-snapshotter (FEDORA-2022-a7d438b30b)

The remote host is missing an update for the ... Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

CVSS 7.5, AI score 10, EPSS 0.05994
Exploits 0, References 2
Fedora
added 2022/04/14 4:07 p.m., 41 views

[SECURITY] Fedora 35 Update: stargz-snapshotter-0.10.2-1.fc35

Fast container image distribution plugin with lazy pulling...

CVSS 7.5, AI score 2.5, EPSS 0.05994
Exploits 0
Fedora
added 2022/04/14 4:06 p.m., 44 views

[SECURITY] Fedora 34 Update: stargz-snapshotter-0.10.2-1.fc34

Fast container image distribution plugin with lazy pulling...

CVSS 7.5, AI score 2.5, EPSS 0.05994
Exploits 0
Rapid7 Blog
added 2022/04/12 5:15 p.m., 212 views

CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed)

On April 12, 2022, Microsoft published CVE-2022-24527, a local privilege escalation vulnerability in Microsoft Connected Cache. The vulnerability allowed a local low-privileged user to execute arbitrary PowerShell as SYSTEM due to improper file permission assignment (CWE-732). Product description...

CVSS 5, AI score 1.3, EPSS 0.80004
Exploits 9
Debian
added 2022/04/10 6:10 p.m., 47 views

[SECURITY] [DSA 5118-1] thunderbird security update

------------------------------------------------------------------------- Debian Security Advisory DSA-5118-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 10, 2022 https://www.debian.org/security/faq -...

CVSS 8.8, AI score 8.8, EPSS 0.1446
Exploits 7
Debian
added 2022/04/10 6:07 p.m., 35 views

[SECURITY] [DSA 5117-1] xen security update

------------------------------------------------------------------------- Debian Security Advisory DSA-5117-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 10, 2022 https://www.debian.org/security/faq -...

CVSS 7.8, AI score 8, EPSS 0.00352
Exploits 0
Oracle linux
added 2022/04/08 12:00 a.m., 47 views

firefox security update

91.8.0-1.0.1 - Remove upstream references Orabug: 30143292 - Update distribution for Oracle Linux Orabug: 30143292 - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file - Enabled aarch64 build 91.8.0-1 - Update to 91.8.0...

CVSS 8.8, AI score 1.5, EPSS 0.1446
Exploits 7
BDU FSTEC
added 2022/04/08 12:00 a.m., 5 views

The vulnerability of the Libraries component of the Oracle Java SE software platform and the Oracle GraalVM Enterprise Edition virtual machine allows a perpetrator to cause partial service disruption.

The vulnerability of the Libraries component of the Oracle Java SE software platform and the Oracle GraalVM Enterprise Edition virtual machine is related to the unlimited distribution of resources. Exploiting this vulnerability can allow a malicious actor to cause partial service interruptions...

CVSS 5.3, AI score 6.2, EPSS 0.0335
Exploits 0, References 19, Affected Software 12
Talos Blog
added 2022/04/05 10:14 a.m., 13 views

Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter

By Edmund Brumaghin, with contributions from Alex Karkins. Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. The infections leverage process injection to evade detection by endpoint security software. These...

AI score 2.6
Exploits 0
The Hacker News
added 2022/04/04 11:13 a.m., 98 views

Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware

At least three different advanced persistent threat (APT) groups from across the world have launched spear-phishing campaigns in mid-March 2022 using the ongoing Russo-Ukrainian war as a lure to distribute malware and steal sensitive information. The campaigns, undertaken by El Machete, Lyceum, and...

CVSS 9.3, AI score 1.3, EPSS 0.99945
Exploits 33
BDU FSTEC
added 2022/04/04 12:00 a.m., 4 views

The vulnerability of the data analysis module of Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Small Office Security, Kaspersky Security Cloud, and Kaspersky Endpoint Security allows a perpetrator to execute arbitrary code.

The vulnerability of the data analysis module of Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Small Office Security, Kaspersky Security Cloud, and Kaspersky Endpoint Security lies in the unlimited distribution of resources. Exploiting this vulnerability...

CVSS 10, AI score 8.2, EPSS 0.03016
Exploits 0, References 2