
5305 matches found

Vulnrichment
added 2017/08/05 5:0 p.m., 13 views

CVE-2017-9856

An issue was discovered in SMA Solar Technology products. Sniffed passwords from SMAdata2+ communication can be decrypted very easily. The passwords are "encrypted" using a very simple encryption algorithm. This enables an attacker to find the plaintext passwords and authenticate to the device...

6.8 AI score, 0.00664 EPSS
Exploits 0, References 3
CNVD
added 2017/08/03 12:0 a.m., 4 views

Weak Algorithm Vulnerability in Huawei USG Products

Huawei USG6300/USG6600 are firewall products from Huawei, China. A weak algorithmic vulnerability exists in several Huawei firewall USG6300/USG6600 products. By exploiting this weak algorithm vulnerability, an attacker can intercept information transmitted over the network and successfully decryp...

7.5 CVSS, 7.3 AI score, 0.00696 EPSS
Exploits 0, References 1
Huawei
added 2017/08/02 12:0 a.m., 35 views

Security Advisory - Weak Algorithm Vulnerability in Huawei USG product

There is a weak algorithm vulnerability in Huawei USGUSG6300/USG6600 products. Attackers may exploit the weak algorithm vulnerability to crack the cipher text and cause confidential information leaks on the transmission links. Vulnerability ID: HWPSIRT-2017-02028 This vulnerability has been...

7.5 CVSS, 7.4 AI score, 0.00696 EPSS
Exploits 0, Affected Software 1
RedHat Linux
added 2017/08/01 2:22 p.m., 4 views

kernel: Kernel crash by spawning mcrypt(alg) with incompatible algorithm

Algorithms not compatible with mcryptd could be spawned by mcryptd with a direct crypto_alloc_tfm invocation using a "mcryptd(alg)" name construct. This causes mcryptd to crash the kernel if an arbitrary "alg" is incompatible and not intended to be used with mcryptd...

5.5 CVSS, 7.2 AI score, 0.00431 EPSS
Exploits 0, References 4
RedHat Linux
added 2017/08/01 2:13 p.m., 4 views

kernel: Kernel crash by spawning mcrypt(alg) with incompatible algorithm

Algorithms not compatible with mcryptd could be spawned by mcryptd with a direct crypto_alloc_tfm invocation using a "mcryptd(alg)" name construct. This causes mcryptd to crash the kernel if an arbitrary "alg" is incompatible and not intended to be used with mcryptd...

5.5 CVSS, 7.2 AI score, 0.00431 EPSS
Exploits 0, References 4
RedHat Linux
added 2017/08/01 2:8 p.m., 3 views

openssl: ECDSA P-256 timing attack key recovery

A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys...

5.5 CVSS, 6.6 AI score, 0.00594 EPSS
Exploits 0, References 4
VulnCheck KEV
added 2017/08/01 12:0 a.m., 3 views

VulnCheck KEV: CVE-2017-20202

Web Developer for Chrome v0.4.9 contained malicious code that generated a domain via a DGA and fetched a remote script. The fetched script conditionally loaded follow-on modules that performed extensive ad substitution and malvertising, displayed fake “repair” alerts that redirected users to...

9.3 CVSS, 5.9 AI score, 0.00488 EPSS
Exploits 0, References 1
Imperva Blog
added 2017/07/31 3:30 p.m., 41 views

Clustering and Dimensionality Reduction: Understanding the “Magic” Behind Machine Learning

These days we hear about machine learning and artificial intelligence (AI) in all aspects of life. We see machines that learn and imitate the human brain in order to automate human processes. There are autonomous cars that learn the road conditions to drive, personal assistants we can converse with...

6.5 AI score
Exploits 0
Veracode
added 2017/07/27 12:5 a.m., 20 views

Signature Verification Bypass

namashi/jose is vulnerable to signature verification bypass. The library didn't check for the "none" algorithm without case, allowing attackers to easily bypass the signature verification mechanism...

5 CVSS, 6.2 AI score, 0.01385 EPSS
Exploits 0, References 4, Affected Software 1
RedHat Linux
added 2017/07/20 4:16 p.m., 3 views

OpenJDK: DSA implementation timing attack (JCE, 8175106)

A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel...

7.5 CVSS, 7.3 AI score, 0.02737 EPSS
Exploits 0, References 4
RedHat Linux
added 2017/07/20 3:58 p.m., 3 views

OpenJDK: DSA implementation timing attack (JCE, 8175106)

A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel...

7.5 CVSS, 7.3 AI score, 0.02737 EPSS
Exploits 0, References 4
CNVD
added 2017/07/20 12:0 a.m., 2 views

IBM Tivoli Endpoint Manager Encryption Algorithm Vulnerability

IBM BigFix Platform is IBM's dynamic multi-technology platform that integrates message content drivers and management systems, of which Tivoli Endpoint Manager is the endpoint control software. A cryptographic algorithm vulnerability exists in Tivoli Endpoint Manager in the IBM BigFix Platform th...

7.5 CVSS, 6.7 AI score, 0.01326 EPSS
Exploits 0, References 1
Prion
added 2017/07/19 8:29 p.m., 16 views

Code injection

IBM Tivoli Endpoint Manager uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 123903...

5 CVSS, 7.2 AI score, 0.01326 EPSS
Exploits 0, References 3, Affected Software 1
ThreatPost
added 2017/07/13 11:12 a.m., 11 views

Google Changes How it Analyzes Misbehaving Mobile Apps

Mobile apps in the Google Play store are categorized by their purpose, i.e., productivity or games. But there is a science to how apps are arranged, in particular around security and privacy features, and especially in holding back those apps whose behaviors pose a risk to mobile users. Google on...

0.1 AI score
Exploits 0, References 2
Tenable Nessus
added 2017/07/13 12:0 a.m., 42 views

Virtuozzo 7 : java-1.8.0-openjdk / etc (VZLSA-2017-1108)

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

7.7 CVSS, 6.9 AI score, 0.03311 EPSS
Exploits 2, References 8
Tenable Nessus
added 2017/07/13 12:0 a.m., 37 views

Virtuozzo 7 : java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc (VZLSA-2017-0061)

An update for java-1.6.0-openjdk is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives...

9.6 CVSS, 6.9 AI score, 0.05437 EPSS
Exploits 0, References 7
OSV
added 2017/07/08 10:29 a.m., 1 views

DEBIAN-CVE-2017-11104

Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within the TSIG protocol implementation that would allow an attacker with a valid key name and algorithm to bypass TSIG authentication if no additional ACL restrictions are set, because of an improper TSIG validity period check...

5.9 CVSS, 7 AI score, 0.02681 EPSS
Exploits 1, References 1
Prion
added 2017/07/06 1:29 a.m., 8 views

Design/Logic Flaw

The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable computational-complexity attack when parsing and storing ISAKMP fragments. The implementation permits a remote attacker to exhaust computational resources on the remote endpoint by repeatedly sending ISAKMP fragment packets in...

7.8 CVSS, 7 AI score, 0.02928 EPSS
Exploits 0, References 3, Affected Software 1
n0where
added 2017/07/03 6:13 p.m., 18 views

Advanced Hash Manipulation: Dagon

Advanced Hash Manipulation. Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, an...

0.3 AI score
Exploits 0, References 2
NVD
added 2017/07/03 4:29 p.m., 25 views

CVE-2017-5361

Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack...

5.9 CVSS, 5.9 AI score, 0.01368 EPSS
Exploits 0, References 3