5305 matches found
CVE-2017-5999
An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256 function (the 256-bit block version of Rijndael, not AES) instead of MCRYPT_RIJNDAEL_128 (real AES) could help...
CVE-2017-5999
The vulnerability CVE-2017-5999 affects sysPass 2.x before 2.1. The root cause is a cryptographic implementation using MCRYPT_RIJNDAEL_256() (256-bit block version) instead of MCRYPT_RIJNDAEL_128 (AES). This could allow an attacker to cause unknown havoc on the remote system. The connected source...
Vulnerabilities of iOS and Mac OS X operating systems, which allow attackers to circumvent cryptographic security measures
The vulnerability of the Security component in iOS and Mac OS X operating systems is related to the insufficient robustness of the 3DES encryption algorithm. Exploiting this vulnerability allows a malicious actor to circumvent the cryptographic security measures...
sysPass >= 2.0 risky cryptographic algorithm usage Vulnerability
Exploit for php platform in category web applications CVE-2017-5999 - sysPass risky cryptographic algorithm usage Credit: Guenaelle De Julis & Quentin Olagne CVE: CVE-2017-5999 Dates: 14/02/2017 Vendor: sysPass Product: sysPass Versions Affected: >= 2.0 Risk / Severity Rating: 4.4 CVSSv2 SysPass...
AES - Critical - Unsupported - SA-CONTRIB-2017-027
This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm. The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be...
OpenJDK: DSA implementation timing attack (Libraries, 8168728)
A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel...
OpenJDK: DSA implementation timing attack (Libraries, 8168728)
A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel...
Do we need a new heading element? We don't know
There's a proposal to add a new element to the HTML spec. It solves a fairly common use-case. Take this HTML snippet: Do you find the "plot" a distraction in movies? If so, you should check out "John Wick" - satisfaction guaranteed! This could be a web component, or a simple include. The problem...
Sawmill Enterprise 8.7.9 - Authentication Bypass
Credits: John Page AKA Hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt + ISR: ApparitionSec Vendor: =============== www.sawmill.net Product: ======================== Sawmill Enterprise v8.7.9...
OpenJDK: DSA implementation timing attack (Libraries, 8168728)
A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel...
Denial Of Service (DoS) Through An Infinite Loop
OpenSSL is vulnerable to denial of service (DoS) attacks. These attacks are possible because it does not correctly handle ECParameter structures where the curve is over a malformed binary polynomial field. These attacks can be triggered through a session that uses an Elliptic Curve algorithm...
USN-3194-1: OpenJDK 7 vulnerabilities
Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves those algorithms to the legacy algorithm set and causes...
Protection Mechanism Bypass
OpenSSL is vulnerable to protection mechanism bypass. This is because OpenSSL accepts several variations of certificate signature algorithms and signature encodings. It doesn't then enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. This...
USN-3189-1 linux, linux-raspi2, linux-snapdragon vulnerabilities
Mikulas Patocka discovered that the asynchronous multibuffer cryptographic daemon (mcryptd) in the Linux kernel did not properly handle being invoked with incompatible algorithms. A local attacker could use this to cause a denial of service (system crash). CVE-2016-10147 Qidan He discovered that the...
CVE-2016-1919
The CVE-2016-1919 entry concerns Samsung KNOX 1.0 on Android 4.3 where the eCryptFS key is derived from the user password and a TIMA key. The weakness lies in the eCryptFS-key generation algorithm, enabling potential disclosure of Data-at-Rest from KNOX containers when an attacker has local acces...
openssl: Non-constant time codepath followed for certain operations in DSA implementation
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system...
Netscaler round robin algorithm
How to troubleshoot round robin method to confirm functionality?...
Alvosec: Alvocrypt uses a cryptographically insecure PRNG.
Dear Alvosec bug bounty team, Summary --- A PRNG is an algorithm used to produce random-looking numbers with certain desirable statistical properties. In order for a PRNG to be cryptographically secure it must be resistant to prediction. The generatepass function in Alvocrypt currently uses...
About the security content of OS X Server 5.1 - Apple Support
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website. For information about...
OpenJDK: DSA implementation timing attack (Libraries, 8168728)
A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel...