SUSE SLED12 / SLES12 Security Update : ceph (SUSE-SU-2019:2364-1)
This update for ceph to version 12.2.12-594-g02236657ca fixes the following issues. Security issues fixed: CVE-2018-16889: Fixed missing sanitization of customer encryption keys from log output in v4 auth (bsc1121567). Note that Tenable Network Security has extracted the preceding description block...
Five years later, Heartbleed vulnerability still unpatched
The Heartbleed vulnerability was introduced into the OpenSSL crypto library in 2012. It was discovered and fixed in 2014, yet today—five years later—there are still unpatched systems. This article will provide IT teams with the necessary information to decide whether or not to apply the Heartblee...
ceph: debug logging for v4 auth does not sanitize encryption keys
It was found that Ceph RGW did not properly sanitize encryption keys in debug logging for v4 auth. Encryption keys could be inadvertently disclosed when sharing debug logs...
ceph: authenticated user with read only permissions can steal dm-crypt / LUKS key
It was found that an authenticated Ceph user with read-only permissions could steal the dm-crypt encryption keys used for Ceph disk encryption...
New Bluetooth Vulnerability Lets Attackers Spy On Encrypted Connections
Over a billion Bluetooth-enabled devices, including smartphones, laptops, smart IoT devices, and industrial devices, have been found vulnerable to a high severity vulnerability that could allow attackers to spy on data transmitted between the two devices. The vulnerability, assigned as...
NewStart CGSL MAIN 5.04 : java-1.7.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0003)
The remote NewStart CGSL host, running version MAIN 5.04, has java-1.7.0-openjdk packages installed that are affected by multiple vulnerabilities: - It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for processing of X.509 certificate...
CB TAU Threat Intelligence Notification: Buran Ransomware
Recently there was a malvertising campaign that redirected users to the RIG exploit kit, which then infected the victim's computer with a new ransomware named Buran. It drops a ransom note named ‘!!! YOUR FILES ARE ENCRYPTED !!!.txt’ and appends the victim's personal ID as an extension to the...
Ubuntu: Security Advisory (USN-4035-1)
The remote host is missing an update referenced in the USN-4035-1 advisory...
Ubuntu 16.04 LTS : Ceph vulnerabilities (USN-4035-1)
The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4035-1 advisory. It was discovered that Ceph incorrectly handled read only permissions. An authenticated attacker could use this issue to obtain dm-crypt encryption keys...
USN-4035-1: Ceph vulnerabilities
It was discovered that Ceph incorrectly handled read only permissions. An authenticated attacker could use this issue to obtain dm-crypt encryption keys. This issue only affected Ubuntu 16.04 LTS. CVE-2018-14662 It was discovered that Ceph incorrectly handled certain OMAPs holding bucket indices...
The vulnerability of Siemens LOGO!8 BM programmable logic controller’s microprogramming software lies in the presence of pre-installed encryption keys, which allow attackers to decrypt the project data.
The vulnerability of Siemens LOGO!8 BM programmable logic controller’s microprogramming software is related to the presence of pre-installed encryption keys. Exploiting this vulnerability allows an attacker to decrypt project data using port 10005/TCP...
CVE-2019-10155
The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets: these packets are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but the receiver did not verify the integrity check value. This issue affects...
CVE-2018-6185
In Cloudera Navigator Key Trustee KMS 5.12 and 5.13, incorrect default ACL values allow remote access to purge and undelete API calls on encryption zone keys. The Navigator Key Trustee KMS includes 2 API calls in addition to those in Apache Hadoop KMS: purge and undelete. The KMS ACL values for...
The vulnerability of the Cisco Application Policy Infrastructure Controller automation tool, related to errors in the encryption key deletion mechanism, allows an attacker to gain access to protected information.
The vulnerability of the Cisco Application Policy Infrastructure Controller automation tool is related to errors in the mechanism for deleting encryption keys. Exploiting this vulnerability could allow an attacker to gain access to protected information...
CVE-2019-10851
Computrols CBAS 18.0.0 has hard-coded encryption keys...
Hardcoded credentials
Computrols CBAS 18.0.0 has hard-coded encryption keys...
CVE-2019-10851
CVE-2019-10851 affects Computrols CBAS Web; vulnerability stems from hard-coded encryption keys used to decrypt database backups in CBAS Web scripts. An authenticated attacker could access the device’s full database and discover sensitive information. Mitigations referenced in multiple advisories...