Patch: Multiple vulnerabilities
Background: Patch takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions. Description: Multiple vulnerabilities have been discovered in Patch. Please review the CVE identifiers reference...
Integration Credential Status by Authentication Protocol - Failure for Provided Credentials
Nessus was not able to execute patch management checks because it was not possible to log into the designated patch management system using the credentials that have been provided. TRUSTED...
Integration Credential Status by Authentication Protocol - Valid Credentials Provided
Nessus was able to execute credentialed checks because it was possible to log in to the remote patch management system using provided credentials. TRUSTED...
Researcher: Not Hard for a Hacker to Capsize a Ship at Sea
Maritime transport still contributes in an important way to the world’s economy, with on-time shipments influencing everything from commodities availability and spot pricing to the stability of small countries. Unfortunately, capsizing a ship with a cyberattack is a relatively low-skill enterpris...
Guinea Pig and Vulnerability Management products
IMHO, security vendors use the term "Vulnerability Management" extremely inaccurately. Like a guinea pig, which is not a pig and is not related to Guinea, the current Vulnerability Management products are not about the actual practically exploitable vulnerabilities and not really about the...
Managing the Risk of IT-OT Convergence
A few years ago, it wasn’t easy getting executives on board with the concept of operational technology (OT) security. Having finally come around to acknowledging the need for information technology (IT) security, boards and C-suite executives at industrial enterprises were then faced with the...
CISO series: Lessons learned—4 priorities to achieve the largest security improvements
In my past life as CISO, I’ve worked for small companies, state governments, and large enterprises, and one thing that has been true at all of them is that there is an infinite number of security initiatives in each organization you could implement, yet the resources to accomplish those tasks are...
Oracle Siebel CRM 8.1.1 - CSV Injection Vulnerability
Exploit for the Java platform in category web applications. Exploit Title: Oracle Siebel CRM 8.1.1 - CSV Injection Exploit Author: Sarath Nair aka AceNeon13 Contact: @AceNeon13 Vendor Homepage: www.oracle.com Software Link:...
Oracle Siebel CRM 8.1.1 - CSV Injection
Exploit Title: Oracle Siebel CRM 8.1.1 - CSV Injection Date: 2018-10-21 Exploit Author: Sarath Nair aka AceNeon13 Contact: @AceNeon13 Vendor Homepage: www.oracle.com Software Link: http://www.oracle.com/us/products/applications/siebel/siebel-crm-8-1-1-066196.html Version: Oracle Siebel CRM Versio...
ICS Security Plagued with Basic, Avoidable Mistakes
At least 33 percent of the security issues found in industrial control systems (ICS) are rated as being of high or critical risk. FireEye iSIGHT Intelligence compiled data from dozens of ICS security health assessment engagements performed by its Mandiant division, and found that these issues inclu...
Local-Privilege Escalation Flaw in Linux Kernel Allows Root Access
A local-privilege escalation vulnerability in the Linux kernel affects all current versions of Red Hat Enterprise Linux and CentOS, even in their default/minimal installations. It would allow an attacker to obtain full administrator privileges over the targeted system, and from there potentially...
Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras
Between 180,000 and 800,000 IP-based closed-circuit television cameras are vulnerable to a zero-day vulnerability that allows hackers to access surveillance cameras, spy on and manipulate video feeds or plant malware. According to a Tenable Research Advisory issued Monday, the bugs are rated...
Psychological Aspects of Vulnerability Remediation
In my opinion, Remediation is the most difficult part of the Vulnerability Management process. If you know the assets in your organization and can assess them, you will sooner or later produce a good enough flow of critical vulnerabilities. But what is the point if the IT team will not fix them?...
SYS.2.2.3.A3
The aim of module SYS.2.2.3 is to protect information that is processed by and on Windows 10 clients. The basic requirement SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right...
Back to Basics: Why We Need to Encourage More Secure IoT Development
The Internet of Things (IoT) is radically reshaping the way we live and work. Before our very eyes, organizations are becoming more agile, efficient and cost effective to run, all while consumers marvel at the wonders of the smart home, fitness trackers and connected cars. There’s just one major...
ThreatList: Financial Services Firms Lag in Patching Habits
Almost half (45 percent) of financial services firms in a recent survey have reported a data breach in the last two years, with many of those attacks being completely avoidable if known vulnerabilities were patched. In a Ponemon Institute survey of nearly 3,000 cybersecurity professionals at...
COSCO incident. Phishing frenzy and exploding goods?
If you haven’t seen the coverage, COSCO, the world’s 4th largest shipping line, has had a ransomware outbreak. Sounds terribly familiar, doesn’t it? One wonders why on earth they didn’t carry out a thorough review after the Maersk incident, so as to be rather better prepared. Phishing time: Breaches...
Zero Day Initiative: A 1H2018 Recap
When the Zero Day Initiative (ZDI) was formed in 2005, the cyber threat landscape was a bit different from what we see today. Threats were a little less sophisticated, but there was one thing that we saw then that we still see now: the shortage of cybersecurity professionals and researchers. The te...
QSC18 Virtual Edition: Vulnerability Risk Management
When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry. “The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Directo...
Qualys Security Conference Virtual 2018. New Agents, Patch Management and Free Services
Today I attended a very interesting online event: Qualys Security Conference Virtual 2018. It consisted of 11 webinars, began at 18:00 and will end at 03:45 Moscow time. Not the most convenient timing for Russia, but it was worth it. The last time I was at an offline QSC event was in 2016, so for me it was...