1115 matches found
Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)
Summary There are multiple vulnerabilities identified in IBM Guardium Data Encryption (GDE). These vulnerabilities have been fixed in GDE 4.0.0.3. Please apply the latest version for the fixes. Vulnerability Details CVEID: CVE-2019-4697 DESCRIPTION: IBM Guardium Data Encryption (GDE) stores user...
CVE-2020-4459
IBM Security Verify Access 10.7 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 181395...
Update Rollup 2 for System Center 2019 Orchestrator
Update Rollup 2 for System Center 2019 Orchestrator Introduction This article describes the issues that are fixed in Update Rollup 2 for Microsoft System Center Orchestrator 2019. This article also contains the installation instructions for this update. Issues that are fixed Map Published Data...
Tale of the Tape: Top 5 Reasons Phishing Attacks Haven't Dried Up
One of my favourite websites is archive.org OK, so I'm a nerd. For anyone not familiar with this website, it's essentially a time machine that allows you to go back and look at pretty much any site from a point in time over the past 20-odd years. Recently I came across a story on the BBC website...
Security Bulletin: CVE-2019-4668 Pattern integration passwords stored in db without current encryption
Summary The password for pattern integrations is stored in the db without current encryption. Vulnerability Details CVEID: CVE-2019-4668 DESCRIPTION: IBM UrbanCode Deploy (UCD) stores user credentials in clear text which can be read by a local user. CVSS Base score: 6.2 CVSS Temporal Score...
Threat spotlight: WastedLocker, customized ransomware
WastedLocker is a new ransomware operated by a malware exploitation gang commonly known as the Evil Corp gang, the same gang that is associated with Dridex and BitPaymer. The attribution is not based on the malware variants as WastedLocker is very different from BitPaymer. What was kept was the...
CVE-2019-18256
BIOTRONIK CardioMessenger II devices store per-device credentials in a recoverable format, enabling an attacker with physical access to use credentials for network authentication and to decrypt local data in transit. The EU/ICS and national advisories corroborate a multi-vulnerability exposure wi...
CVE-2019-18254
CVE-2019-18254 affects BIOTRONIK CardioMessenger II; root cause is lack of encryption of sensitive data at rest, enabling disclosure of medical measurements and device serial numbers with physical access. The ICS advisory confirms affected CardioMessenger II variants and assigns CVSSv3 base 4.6 (...
CVE-2019-18254
BIOTRONIK CardioMessenger II: the affected products do not encrypt sensitive information while at rest. An attacker with physical access to the CardioMessenger can disclose medical measurement data and the serial number from the implanted cardiac device the CardioMessenger is paired with...
CVE-2020-12036
CVE-2020-12036 affects Baxter PrismaFlex (all versions) and PrisMax (all versions prior to 3.x). The root cause is lack of data-in-transit encryption (no TLS/SSL) when these devices send treatment data to a PDMS or EMR, enabling an attacker with network access to observe sensitive data. The ICS a...
ABUS Secvest FUBE50001 Information Disclosure Vulnerability
ABUS Secvest FUBE50001 is a wireless control unit from ABUS Germany. A security vulnerability exists in the wireless communication function of the ABUS Secvest FUBE50001 device, which stems from the program not encrypting sensitive data. An attacker could exploit the vulnerability to disable the...
BIOTRONIK CardioMessenger II
1. EXECUTIVE SUMMARY CVSS v3 4.6 ATTENTION: Exploitable with adjacent access/low skill level to exploit Vendor: BIOTRONIK Equipment: CardioMessenger II-S T-Line, CardioMessenger II-S GSM Vulnerabilities: Improper Authentication, Cleartext Transmission of Sensitive Information, Missing Encryption...
Design/Logic Flaw
The wireless-communication feature of the ABUS Secvest FUBE50001 device does not encrypt sensitive data such as PIN codes or IDs of used proximity chip keys (RFID tokens). This makes it easier for an attacker to disarm the wireless alarm system...
CVE-2019-16150
Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6.4.0 may allow an attacker with access to the local storage or the configuration backup file to decrypt the sensitive data via knowledge of the hard-cod...
IBM Security Guardium Trust Management Issues Vulnerability
IBM Security Guardium is a suite of platforms from IBM in the United States that provide data protection capabilities. The platform includes features such as custom UI, report management and streamlined audit process building. IBM Security Guardium suffers from a trust management issue...
CVE-2020-4190
IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174851...
Vault - A Tool For Secrets Management, Encryption As A Service, And Privileged Access Management
Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at [email protected]. Website: https://www.vaultproject.io IRC: vault-tool on Freenode Announcement list: Google...
Secured-core PCs help customers stay ahead of advanced data theft
Researchers at the Eindhoven University of Technology recently revealed information around "Thunderspy," an attack that relies on leveraging direct memory access (DMA) functionality to compromise devices. An attacker with physical access to a system can use Thunderspy to read and copy data even fro...
CVE-2020-5248
GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data mu...
UBUNTU-CVE-2020-5248
GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data mu...