DEBIAN-CVE-2019-12247
QEMU 3.0.0 has an integer overflow because qga/commands.c does not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable...
2 Million IoT Devices Vulnerable to Complete Takeover
Over 2 million IP security cameras, baby monitors and smart doorbells have serious vulnerabilities that could enable an attacker to hijack the devices and spy on their owners, and there is currently no known patch for the shared flaws. The attack stems from the peer-to-peer (P2P) communication technolo...
GLSA-201904-25 : QEMU: Multiple vulnerabilities
The remote host is affected by the vulnerability described in GLSA-201904-25 (QEMU: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact: Please review the referenced CVE identifiers for details...
DEBIAN-CVE-2019-11390
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with set_error_handler at the beginning and nested repetition operators. NOT...
DEBIAN-CVE-2019-11388
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with nested repetition operators. NOTE: the software maintainer disputes...
CVE-2019-0841: AppXSvc Hard Link Privilege Escalation
An elevation of privilege vulnerability exists when the Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836. Recent assessments:...
Photon OS 2.0: Ruby PHSA-2019-2.0-0130
An update of the ruby package has been released. © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2019-2.0-0130. The text itself is copyright © VMware, Inc. include("compat.inc"); if (description) { script_id(122896);...
Amazon Linux 2 : bind (ALAS-2019-1170)
An assertion failure (crash) can occur when the debug log level is 10 and log entries land on a buffer boundary. This flaw appears to be exploitable only when debug logging is enabled and set to at least level 10. As this configuration should be rare in production instances of BIND, it is unlikely that most...
Linux: MAC algorithms
This setting (the sshd MACs directive) limits the MAC algorithms that SSH may negotiate during a session. MD5-based and 96-bit truncated MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to receive a great deal of attention as a weak spot that can be...
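As an added example (not part of the listed check or any vendor plugin), the POSIX shell script below pulls the MACs directive out of an sshd_config fragment and flags the MD5-based and 96-bit MACs the entry describes, then shows a hardened value beside the weak one. The sample configuration and the exact list of algorithm names treated as weak are assumptions of this example, not a scanner's policy.

```shell
#!/bin/sh
# Added example, not from the scanned page or any scanner plugin: flag weak
# entries in an sshd_config "MACs" value. The weak list is an assumption
# derived from the criteria above (MD5-based and 96-bit truncated MACs).

# Constructed sample values (not taken from any real host).
WEAK_MACS='hmac-md5,hmac-sha1-96,hmac-sha2-256'
HARDENED_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

# Constructed sshd_config fragment used for the stand-alone run below.
SAMPLE_CONFIG='Port 22
# comment line
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
Ciphers aes256-gcm@openssh.com'

# check_macs VALUE: print each weak MAC found in the comma-separated VALUE;
# return 0 when none are weak, 1 otherwise.
check_macs() {
    rc=0
    # sshd accepts a leading +, - or ^ on the list (append/remove/prepend);
    # strip it so only algorithm names are examined.
    for m in $(printf '%s' "$1" | sed 's/^[+^-]//' | tr ',' ' '); do
        case "$m" in
            hmac-md5|hmac-md5-etm@openssh.com|*-96|*-96-etm@openssh.com)
                echo "weak MAC: $m"
                rc=1 ;;
        esac
    done
    return $rc
}

# macs_from_config: read sshd_config text on stdin and print the value of
# the first MACs directive (sshd honours the first occurrence of a keyword).
macs_from_config() {
    awk 'tolower($1) == "macs" { print $2; exit }'
}

# Stand-alone run: audit the sample fragment and suggest the hardened value.
macs="$(printf '%s\n' "$SAMPLE_CONFIG" | macs_from_config)"
if check_macs "$macs"; then
    echo "MACs directive OK: $macs"
else
    echo "replace with: MACs $HARDENED_MACS"
fi
```

Run the script against a real file with `macs="$(macs_from_config < /etc/ssh/sshd_config)"`; an empty result means the directive is absent and the server falls back to its compiled-in default list, which should then be checked with `sshd -T | grep -i '^macs'`.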
Photon OS 2.0: Linux PHSA-2018-2.0-0049
An update of the linux package has been released. © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2018-2.0-0049. The text itself is copyright © VMware, Inc. include("compat.inc"); if (description) { script_id(121947)...
Beebug - A Tool For Checking Exploitability
beebug is a tool that can be used to verify whether a program crash could be exploitable. It was first presented at r2con 2018 in Barcelona. Implemented checks include: stack overflow on libc; crash on the program counter; crash on a branch; crash on a memory write; heap vulnerabilities; re...
What’s wrong with patch-based Vulnerability Management checks?
My last post about Guinea Pigs and Vulnerability Management products may seem unconvincing without some examples. So, let's review one. It's a common problem that exists among nearly all VM vendors; I will demonstrate it on Tenable Nessus. If you perform vulnerability scans, you have most likely seen...
Fedora 28 : libarchive (2018-20c24949c0)
Latest upstream release; fixes several CVE issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues...
Design/Logic Flaw
An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a...
F5 Networks BIG-IP : BIG-IP SOCKS proxy vulnerability (K55225440)
Responses to SOCKS proxy requests made through the BIG-IP system may cause a disruption of the service provided by the Traffic Management Microkernel (TMM). The data plane is impacted and exposed only when a SOCKS proxy profile is attached to a virtual server. The control plane is not impacted by this...
SCADA Engine BACnet OPC Client Buffer Overflow Vulnerability
Overview: This advisory is a follow-up to ICS-ALERT-10-260-01 (SCADA Engine BACnet OPC Client Buffer Overflow), which was published on the ICS-CERT Web site on September 17, 2010. A buffer overflow vulnerability has been reported (Secunia Advisory SA41466, http://secunia.com/advisories/41466/). website...
Beijer Electronics ADP and H-Designer Buffer Overflow Vulnerability
Overview: This advisory provides details about a buffer overflow vulnerability in multiple Beijer Electronics ADP and H-Designer products. Independent researcher Kuang-Chun Hung of the Information and Communication Security Technology Center (ICST) has identified a buffer overflow vulnerability in Beije...
Bounded Model Checking Framework for Heap-implementations: HeapHopper
Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced mitigations to prevent and detect corruption, it is still possible for attackers to work around them. In part, this is becau...
Rockwell Automation RSLinx Classic EDS Vulnerability (Update A)
OVERVIEW: A buffer overflow vulnerability exists in the Rockwell Automation RSLinx Classic EDS Hardware Installation Tool (RSHWare.exe). This vulnerability is likely exploitable; however, significant user interaction would be required. AFFECTED PRODUCTS: EDS Hardware Installation Tool Version 1.0.5.1...
Exploitable or Not Exploitable? Using REVEN to Examine a NULL Pointer Dereference.
Authored by Aleksandar Nikolic. Executive summary: It can be very time-consuming to determine whether a bug is exploitable. In this post, we show how to decide whether a vulnerability is exploitable by tracing back along the path of execution that led to a crash. In this case, we are using the...