
31 matches found

The Hacker News
added 2024/10/08 4:7 a.m., 37 views

Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits

Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a...

CVSS: 9.8, AI score: 7.2, EPSS: 0.01747
Exploits: 0

The Hacker News
added 2024/09/04 1:36 p.m., 29 views

Android Users Urged to Install Latest Security Updates to Fix Actively Exploited Flaw

Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in...

CVSS: 8.1, AI score: 7.2, EPSS: 0.00413
Exploits: 0

The Hacker News
added 2023/10/03 4:37 p.m., 109 views

Qualcomm Releases Patch for 3 new Zero-Days Under Active Exploitation

Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation. Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity. "There are...

CVSS: 9.8, AI score: 6.8, EPSS: 0.00552
Exploits: 1

0day.today
added 2022/07/31 12:0 a.m., 247 views

Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal Vulnerability

Exploit Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal Exploit Author: LiquidWorm Vendor: CAREL INDUSTRIES S.p.A. Product web page: https://www.carel.com Affected version: Firmware: A2.1.0 - B2.1.0 Application Software: 2.15.4A Software version: v16 13020200 Summary: pCO...

AI score: 0.3
Exploits: 0

Microsoft CVE
added 2022/06/14 7:0 a.m., 744 views

Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities

Executive Summary On June 14, 2022, Intel published information about a class of memory-mapped I/O vulnerabilities known as Processor MMIO Stale Data Vulnerabilities. An attacker who successfully exploited these vulnerabilities might be able to read privileged data across trust boundaries. In...

CVSS: 5.5, AI score: 7.7, EPSS: 0.00536
Exploits: 0

FireEye
added 2021/08/17 12:0 p.m., 109 views

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices

Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency “CISA” that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020,...

CVSS: 7.6, AI score: 8.5, EPSS: 0.00906
Exploits: 1, References: 11

The Hacker News
added 2021/06/16 7:0 a.m., 113 views

Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued an advisory regarding a critical software supply-chain flaw impacting ThroughTek's software development kit (SDK) that could be abused by an adversary to gain improper access to audio and video streams. "Successful...

AI score: 0.1, EPSS: 0.0011
Exploits: 0

ICS
added 2021/01/26 12:0 a.m., 30 views

All Bachmann M1 System Processor Modules

1. EXECUTIVE SUMMARY CVSS v3 7.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: Bachmann Electronic, GmbH Equipment: All M-Base Controllers Vulnerability : Use of Password Hash with Insufficient Computational Effort 2. REPOSTED INFORMATION This updated advisory is a follow-up to...

CVSS: 8.8, AI score: 8.5, EPSS: 0.00253
Exploits: 0, References: 4

Qualys Blog
added 2020/08/03 9:35 p.m., 158 views

GRUB2 Boothole Buffer Overflow Vulnerability (CVE-2020-10713) – Automatically Discover, Prioritize and Remediate Using Qualys VMDR®

On July 29, 2020, Eclypsium researchers disclosed a high-risk vulnerability in GRUB2 (GRand Unified Bootloader version 2) affecting billions of Linux and Windows systems, even when secure boot is enabled. CVE-2020-10713 is assigned to this buffer overflow vulnerability, termed as “Boothole”...

CVSS: 4.6, AI score: 0.3, EPSS: 0.00369
Exploits: 1

NVD
added 2020/04/16 11:15 a.m., 7 views

CVE-2019-10575

Wlan binary which is not signed with OEMs RoT is working on secure device without authentication failure in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in SDA845, SDM845, SDM850...

CVSS: 7.8, AI score: 7.9, EPSS: 0.00015
Exploits: 0, References: 1

CVE
added 2020/04/16 10:46 a.m., 37 views

CVE-2019-10575

CVE-2019-10575 is documented in multiple sources as a vulnerability in Qualcomm closed-source WLAN components, with a status of Critical. The Red Hat and NVD entries describe a WLAN-related issue involving a WLAN binary not signed with OEM RoT, affecting Snapdragon family devices, but the connect...

CVSS: 7.8, AI score: 7.8, EPSS: 0.00015
Exploits: 0, References: 1, Affected Software: 1

RedhatCVE
added 2020/01/08 11:38 p.m., 33 views

CVE-2019-11090

Cryptographic timing vulnerabilities were discovered in certain versions of the Trusted Platform Module (TPM) firmware distributed by Intel and STMicroelectronics. Software that uses the TPM to compute ECDSA signatures could leak information through the timing of ECDSA signature operations, allowin...

CVSS: 6.8, AI score: 1.1, EPSS: 0.03781
Exploits: 0, References: 6

RedhatCVE
added 2020/01/08 11:38 p.m., 45 views

CVE-2019-16863

Cryptographic timing vulnerabilities were discovered in certain versions of the Trusted Platform Module (TPM) firmware distributed by Intel and STMicroelectronics. Software that uses the TPM to compute ECDSA signatures could leak information through the timing of ECDSA signature operations, allowin...

CVSS: 6.8, AI score: 1.1, EPSS: 0.00339
Exploits: 0, References: 6

Nvidia
added 2019/11/06 12:0 a.m., 58 views

Security Bulletin: NVIDIA NVFlash, GPUModeSwitch Tool - November 2019

NVIDIA has released a software security update for NVIDIA NVFlash Tool. This update addresses issues that may lead to escalation of privileges, information disclosure, or denial of service. This update is available only to NVIDIA OEMs and partners. Go to NVIDIA Product Security. Details This...

CVSS: 7.2, AI score: 7, EPSS: 0.00115
Exploits: 0, Affected Software: 3

Pen Test Partners Blog
added 2019/07/05 8:0 a.m., 160 views

Getting your head under the hood and out of the sand: Automotive security testing

We’ve been doing automotive pen testing for several years now. Along the way we’ve had some fascinating experiences, working with some insightful and forward-thinking OEMs. But we’ve also worked with some OEMs and suppliers that consider pen testing to be a box checking exercise and frankly, buri...

AI score: 7.3
Exploits: 0

ThreatPost
added 2019/06/21 10:30 a.m., 182 views

Millions of Dell PCs Vulnerable to Flaw in Third-Party Component

Millions of PCs made by Dell and other OEMs are vulnerable to a flaw stemming from a component in pre-installed SupportAssist software. The flaw could enable a remote attacker to completely takeover affected devices. The high-severity vulnerability (CVE-2019-12280) stems from a component in...

CVSS: 6.8, AI score: 7.8, EPSS: 0.00374
Exploits: 0, References: 5

The Hacker News
added 2019/06/21 9:11 a.m., 165 views

Security Flaw in Pre-Installed Dell Support Software Affects Million of Computers

Dell's SupportAssist utility that comes pre-installed on millions of Dell laptops and PCs contains a security vulnerability that could allow malicious software or rogue logged-in users to escalate their privileges to administrator-level and access sensitive information. Discovered by security...

CVSS: 7.8, AI score: 1.4, EPSS: 0.00374
Exploits: 0

ThreatPost
added 2019/06/03 9:1 a.m., 59 views

5G Security Challenges: A Vendor's POV

How are vendors preparing themselves for the onslaught of 5G networks from a security standpoint? When it comes to 5G there are a slew of use cases being utilized at the bleeding edge – from smart factories to IoT – but these are also opening up security risks. At the GSMA Mobile 360 Security for...

AI score: 0.4
Exploits: 0, References: 2

Exploit DB
added 2019/02/19 12:0 a.m., 79 views

MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - Local Privilege Escalation

Exploit Title: MaxxAudio Drivers WavesSysSvc64.exe File Permissions SYSTEM Privilege Escalation Google Dork: Date: 2/18/2019 Exploit Author: Mike Siegel @mlsiegel Vendor Homepage: https://maxx.com Software Link: Version: 1.6.2.0 May affect other versions Tested on: Win 10 64 bit CVE :...

CVSS: 7.8, AI score: 7.9, EPSS: 0.00249
Exploits: 3

ThreatPost
added 2018/01/23 11:22 a.m., 11 views

Intel Halts Spectre/Meltdown Patching for Broadwell and Haswell Systems

Intel is advising OEMs and partners to halt patching for the Spectre and Meltdown vulnerabilities amid numerous reports the updates are causing reboot issues on systems running the Broadwell and Haswell microprocessors. “We recommend that OEMs, cloud service providers, system manufacturers,...

AI score: 0.4
Exploits: 0, References: 4