Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App
Overview Auto-Maskin RP remote panels and DCU control units are used to monitor and control ship engines. The units have several authentication and encryption vulnerabilities which can allow attackers to access the units and control connected engines. Description CWE 798: Use of Hard-Coded...
Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency
Overview Open Shortest Path First OSPF protocol implementations may improperly determine Link State Advertisement LSA recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing...
Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability
Overview A vulnerability has been identified in Citrix Application Delivery Controller ADC formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system...
Akeo Consulting Rufus fails to update itself securely
Overview Akeo Consulting Rufus fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code on a vulnerable system. Description Akeo Consulting Rufus 2.16 retrieves updates over HTTP. While Rufus does attempt to perform some basic signature...
Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account
Overview Inmarsat Solutions offers a shipboard email client service, AmosConnect 8 AC8, which was designed to be utilized over satellite networks in a highly optimized manner. IOActive has identified two security vulnerabilities in the client software: On-board ship network access could provide...
Windows SMB version 2 vulnerability
Overview Microsoft Windows Vista and Server 2008 do not correctly parse SMB version 2 messages. This vulnerability could allow an attacker to execute arbitrary code. Description The Server Message Block version 2 SMBv2 protocol is the successor to the original SMB protocol. SMBv2 is available in...
OpenPGP and S/MIME mail client vulnerabilities
Overview Mail clients may leak plaintext messages while decrypting OpenPGP and S/MIME messages. Description Email clients supporting the OpenPGP or S/MIME standards may be vulnerable to a CBC/CFB gadget attack which may allow an attacker to inject content into an encrypted email which would...
IKEv1 Main Mode vulnerable to brute force attacks
Overview Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Description The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. CVE-2018-5389. It is well known that the aggressive mode of IKEv1 PSK is vulnerable...
SSL and TLS protocols renegotiation vulnerability
Overview A vulnerability exists in SSL and TLS protocols that may allow attackers to execute an arbitrary HTTP transaction. Description The Secure Sockets Layer SSL and Transport Layer Security TLS protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation...
HP/H3C and Huawei networking equipment h3c-user snmp vulnerability
Overview HP/H3C and Huawei networking equipment contains a vulnerability which could allow an attacker to access administrative functions of the device using Simple Network Management Protocol SNMP requests. Description According to the researcher's report: "HP/H3C and Huawei networking equipmen...
mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR
Overview mingw-w64 produces executable Windows files without a relocations table by default, which breaks compatibility with ASLR. Description ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table...
IEEE P1735 implementations may have weak cryptographic protections
Overview The P1735 IEEE standard describes methods for encrypting electronic-design intellectual property IP, as well as the management of access rights for such IP. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plainte...
Savitech USB audio drivers install a new root CA certificate
Overview Savitech provides USB audio drivers for a number of specialized audio products. Some versions of the Savitech driver package silently install a root CA certificate into the Windows trusted root certificate store. Description Savitech provides USB audio drivers for a number of specialized...
Acronis True Image fails to update itself securely
Overview Acronis True Image fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges. Description Acronis True Image is a disk backup utility for Windows and Mac systems. Acronis True Image versions through...
Pulse Secure Linux client GUI fails to validate SSL certificates
Overview The Pulse Secure Linux client GUI fails to validate SSL certificates, which can allow an attacker to modify connection settings. Description Pulse Secure is an SSL VPN solution. The Linux Pulse Secure client GUI is implemented using WebKit, and the actions taken using the GUI are...
Microsoft Outlook retrieves remote OLE content without prompting
Overview When a Rich Text RTF email is previewed in Microsoft Outlook, remotely-hosted OLE content is retrieved without requiring any additional user interaction. This can leak private information including the user's password hash, which may be cracked by an attacker. Description Microsoft Outlo...
Samsung Magician fails to update itself securely
Overview Samsung Magician fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges. Description Samsung Magician is a management utility for Samsung SSDs. Prior to version 5.0, Samsung Magician checks for an...
Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references
Overview Several Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entities references. Description Several Java implementations of Action Message Format AMF3 are vulnerable to one or more of the following implementation errors: CWE-502: Deserialization of...
Windows 8 and later fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard
Overview Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly...
Integrated GPUs may allow side-channel and rowhammer attacks using WebGL ("Glitch")
Overview Some platforms with integrated GPUs, such as smartphones, may allow both side-channel and rowhammer attacks via WebGL, which may allow a remote attacker to compromise the browser on an affected platform. An attack technique that leverages these vulnerabilities is called "GLitch."...
Install Norton Security for Mac does not verify SSL certificates
Overview Install Norton Security for Mac, prior to version 7.6, does not validate SSL certificates. Description CWE-295: Improper Certificate Validation - CVE-2017-15528. The Install Norton Security for Mac installer, versions prior to 7.6, fails to properly validate SSL certificates provided by...
Microsoft SMBv3 compression remote code execution vulnerability
Overview Microsoft SMBv3 contains a vulnerability in the handling of compression, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This vulnerability is being referred to as "SMBGhost and CoronaBlue." Description Microsoft Server Message Block...
Microsoft Windows 10 gives unprivileged user access to system32\config files
Overview Multiple versions of Windows 10 grant non-administrative users read access to files in the %windir%\system32\config directory. This can allow for local privilege escalation LPE. Description With multiple versions of Windows 10, the BUILTIN\Users group is given RX permissions to files in...
Mozilla Firefox allows cross-domain iframe access via JavaScript
Overview Mozilla Firefox allows cross-domain access to an iframe. This vulnerability could allow an attacker to interact with a web site in a different domain. The attacker could read content and cookies, capture keystrokes, and modify content. Description An iframe is an HTML element which allow...
Huawei HG532 routers contain a path traversal vulnerability
Overview Huawei HG532 routers, including the HG532e, n, s, and possibly other models, are vulnerable to arbitrary file access through path traversal. Description CWE-22: Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' - CVE-2015-7254. In vulnerable Huawei router models,...
Apache Commons Collections Java library insecurely deserializes data
Overview The Apache Commons Collections ACC library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. Description CWE-50...
Wind River Systems VxWorks debug service enabled by default
Overview Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called. Description The VxWorks WDB target agent is a target-resident, run-time facility that is required f...
Oracle database TNS listener vulnerability
Overview The Oracle database component contains a vulnerability in the TNS listener service that may be exploited to sniff database traffic and run arbitrary database commands. Description The Oracle database component contains a vulnerability in the TNS listener service that has been referred to...
OpenSSH Client contains a client information leak vulnerability and buffer overflow
Overview OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow an OpenSSH client to leak information not limited to but including private keys, as well as a buffer overflow in certain non-default configurations. Description CWE-200:...
Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains
Overview The Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography ECC, which may allow an attacker to spoof the validity of certificate chains. Description The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC...
Multiple DNS implementations vulnerable to cache poisoning
Overview Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. Description The Domain Name System DNS is responsible for translating host names to IP addresses and vice versa and is critical for the normal operation of internet-connected systems...
Broadcom WiFi chipset drivers contain multiple vulnerabilities
Overview The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer...
Zhuhai Raysharp firmware for DVRs from multiple vendors contains hard-coded credentials
Overview Digital Video Recorders DVRs, security cameras, and possibly other devices from multiple vendors use a firmware derived from Zhuhai RaySharp that contains a hard-coded root password. Description CWE-259: Use of Hard-coded Password - CVE-2015-8286. According to the reporter, DVR devices bas...
TCG TPM2.0 implementations vulnerable to memory corruption
Overview Two buffer overflow vulnerabilities were discovered in the Trusted Platform Module TPM 2.0 reference library specification, currently at Level 00, Revision 01.59 November 2019. An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and...
SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes
Overview A vulnerability in the specification of the SSL 3.0 and TLS 1.0 protocols could allow an attacker to decrypt encrypted traffic. Description The Secure Sockets Layer SSL and Transport Layer Security TLS protocols are commonly used to provide authentication, encryption, integrity, and...
Microsoft Windows RDP can bypass the Windows lock screen
Overview Microsoft Windows RDP can allow an attacker to bypass the lock screen on remote sessions. Description In Windows a session can be locked, which presents the user with a screen that requires authentication to continue using the session. Session locking can happen over RDP in the same way...
Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels
Overview Multiple TCP Selective Acknowledgement SACK and Maximum Segment Size MSS networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels. Description CVE-2019-11477: SACK Panic Linux >= 2.6.29. A sequence of specifically crafted selective acknowledgements SA...
HP LaserJet Professional printer telnet debug shell vulnerability
Overview Certain HP LaserJet Professional printers contain a telnet debug shell which could allow a remote attacker to gain unauthorized access to data. Description Certain HP LaserJet Professional printers contain a telnet debug shell which could allow a remote attacker to gain unauthorized acce...
Linux Kernel local privilege escalation via SUID /proc/pid/mem write
Overview Linux kernel >= 2.6.39 incorrectly handles the permissions for /proc/<pid>/mem. A local, authenticated attacker could exploit this vulnerability to escalate to root privileges. Exploit code is available in the wild and there have been reports of active exploitation. Description /proc/<pid>/mem is a...
Samsung Printer firmware contains a hardcoded SNMP community string
Overview Samsung printers contain a hardcoded SNMP community string that could allow a remote attacker to take control of an affected device. Description Samsung printers as well as some Dell printers manufactured by Samsung contain a hardcoded SNMP full read-write community string that remains...
Microsoft Internet Explorer scripting engine JScript memory corruption vulnerability
Overview Microsoft Internet Explorer contains a memory corruption vulnerability in the scripting engine JScript component, which can allow a remote attacker to execute arbitrary code on a vulnerable system. Description Microsoft Internet Explorer contains a scripting engine, which handles executi...
IBM AIX sendmail configured as open mail relay by default
Overview Sendmail shipped with IBM AIX is configured by default as an open mail relay. Unauthenticated, remote users can route mail through such a system. Description Sendmail is a widely used mail transfer agent MTA that is included with IBM AIX. According to IBM: The default configuration files...
OpenSSL re-uses unsafe prime numbers in Diffie-Hellman protocol
Overview OpenSSL may generate unsafe primes for use in the Diffie-Hellman protocol, which may lead to disclosure of enough information for an attacker to recover the private encryption key. Description CWE-325: Missing Required Cryptographic Step - CVE-2016-0701. OpenSSL 1.0.2 introduced the abilit...
Android Stagefright contains multiple vulnerabilities
Overview Stagefright is the media playback service for Android, introduced in Android 2.2 Froyo. Stagefright in versions of Android prior to 5.1.1r9 may contain multiple vulnerabilities, including several integer overflows, which may allow a remote attacker to execute code on the device...
Pulse Connect Secure contains a use-after-free vulnerability
Overview Pulse Connect Secure PCS gateway contains a use-after-free vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code. Description CVE-2021-22893: A use-after-free vulnerability that can be reached via a license server handling endpoint may allow a remote,...
ZyXEL pre-authentication command injection in weblogin.cgi
Overview Multiple ZyXEL devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Description CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command...
Marvell Avastar wireless SoCs have multiple vulnerabilities
Overview Some Marvell Avastar wireless system on chip SoC models have multiple vulnerabilities, including a block pool overflow during Wi-Fi network scan. Description A presentation at the ZeroNights 2018 conference describes multiple security issues with Marvell Avastar SoCs models 88W8787,...
Samba command injection vulnerability
Overview Samba fails to properly filter input to /bin/sh. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code on a Samba server. Description Samba provides file and print services for Microsoft Windows, Unix, Linux, and OS X clients. Samba can also act as a...
SSL/TLS implementations accept export-grade RSA keys (FREAK attack)
Overview Some implementations of SSL/TLS accept export-grade 512-bit or smaller RSA keys even when not specifically requesting export grade ciphers. An attacker able to act as a Man-in-The-Middle MiTM could factor weak temporary RSA keys, obtain session keys, and decrypt SSL/TLS traffic. This iss...
OpenSSL is vulnerable to a man-in-the-middle attack
Overview OpenSSL is vulnerable to a man-in-the-middle attack. Description The OpenSSL security advisory states: "SSL/TLS MITM vulnerability CVE-2014-0224. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL...