3695 matches found
IBM ServeRAID Manager exposes unauthenticated Java Remote Method Invocation (RMI) service
Overview IBM ServeRAID Manager version 9.30-17006 and prior exposes a Java RMI service that allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description IBM ServeRAID Manager includes an embedded instance of Java version 1.4.2. Both ServeRAID Manager and Java...
Cisco Discovery Protocol (CDP) enabled devices are vulnerable to denial-of-service and remote code execution
Overview Cisco Discovery Protocol CDP is a proprietary layer-2 networking protocol that Cisco devices use to gather information about devices connected to the network. Armis Security found that CDP supported devices are vulnerable to heap overflow in Cisco IP Cameras CVE-2020-3110, stack overflow...
OpenSMTPD vulnerable to local privilege escalation and remote code execution
Overview Qualys Research Labs found that the smtp_mailaddr function in OpenSMTPD version 6.6 does not properly sanitize user input, which could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root. Description OpenSMTPD ...
Microsoft Internet Explorer Scripting Engine memory corruption vulnerability
Overview The Microsoft Internet Explorer Scripting Engine contains a memory corruption vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code. Description Microsoft Internet Explorer contains a scripting engine, which handles execution of scripting languages...
Microsoft Windows Remote Desktop Gateway allows for unauthenticated remote code execution
Overview Microsoft Windows Remote Desktop Gateway contains vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Description Microsoft Windows Remote Desktop Gateway RD Gateway is a Windows Server component that...
Content Delivery Networks handle HTTP headers in different and unexpected ways
Overview A Content Delivery Network CDN is a distributed network of proxy servers that deliver web content collected from a back end web server using a temporary local storage called a cache. HTTP cache poisoning is a type of attack that allows a remote attacker to inject arbitrary content using...
Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains
Overview The Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography ECC, which may allow an attacker to spoof the validity of certificate chains. Description The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC...
Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability
Overview A vulnerability has been identified in Citrix Application Delivery Controller ADC formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system...
Apple devices vulnerable to arbitrary code execution in SecureROM
Overview Some Apple devices are vulnerable to arbitrary code execution at the Boot ROM level called "SecureROM" by Apple by exploiting a use-after-free vulnerability. Successful exploitation results in the ability to execute arbitrary code on the device. checkm8 is a public exploit for this...
Telos Automated Message Handling System contains multiple vulnerabilities
Overview Telos Automated Message Handling System AMHS contains multiple XSS vulnerabilities and a database information disclosure vulnerability. Description Telos AMHS is a web-based messaging system that supports DoD and Intelligence Community IC security marking requirements. AMHS versions prio...
Microsoft Office for Mac cannot properly disable XLM macros
Overview The Microsoft Office for Mac option "Disable all macros without notification" enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description XLM macros Up to and including Microsoft Excel 4.0, a macro...
Multiple D-Link routers vulnerable to remote command execution
Overview Multiple D-Link routers are vulnerable to unauthenticated remote command execution. Description Several D-Link routers contain CGI capability that is exposed to users as /applysec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws: 1. The...
Pulse Secure VPN contains multiple vulnerabilities
Overview Pulse Secure SSL VPN contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to compromise the VPN server and connected clients. Description Pulse Secure released an out-of-cycle advisory along with software patches for the various affected products on Apr...
iTerm2 with tmux integration is vulnerable to remote command execution
Overview iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution. Description iTerm2 is a popular terminal emulator for macOS that supports terminal multiplexing using tmux integration and is frequently used by developers and system administrator...
Multiple vulnerabilities found in the Cobham EXPLORER 710 satcom terminal
Overview CERT/CC researchers examined the satcom terminal Cobham EXPLORER 710 as an expansion of work from IOActive’s findings in 2014. They discovered multiple new vulnerabilities affecting the device and the firmware, some of which could allow an unauthenticated, local attacker to gain access t...
Exim fails to properly handle trailing backslashes in string_interpret_escape()
Overview Exim versions up to and including 4.92.1 do not properly handle trailing backslash characters in the string_interpret_escape function. This function is used to handle peer distinguished names DN and Server Name Indication SNI during a TLS negotiation. This vulnerability could allow a local ...
Bluetooth BR/EDR supported devices are vulnerable to key negotiation attacks
Overview The encryption key length negotiation process in Bluetooth BR/EDR Core v5.1 and earlier is vulnerable to packet injection by an unauthenticated, adjacent attacker that could result in information disclosure and/or escalation of privileges. This can be achieved using an attack referred to...
HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion
Overview Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service DoS attacks. Description The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections...
Cylance Antivirus Products Susceptible to Concatenation Bypass
Overview The Cylance AI-based antivirus product, prior to July 21, 2019, contains flaws that allow an adversary to craft malicious files that the AV product will likely mistake for benign files. Description Cylance PROTECT is an endpoint protection system. It contains an antivirus functionality...
Oracle Solaris vulnerable to arbitrary code execution via /proc/self
Overview Oracle Solaris 11 and Solaris 10 are vulnerable to arbitrary code execution if an attacker has read/write access to /proc/self in the process file system. Description The process file system /proc in Oracle Solaris 11 and Solaris 10 provides a self/ alias that refers to the current...
LLVM's Arm stack protection feature can be rendered ineffective
Overview The stack protection feature in LLVM's Arm backend can be rendered ineffective when the stack protector slot is re-allocated so that it appears after the local variables that it is meant to protect, leaving the function potentially vulnerable to a stack-based buffer overflow. Description...
Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels
Overview Multiple TCP Selective Acknowledgement SACK and Maximum Segment Size MSS networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels. Description CVE-2019-11477: SACK Panic Linux >= 2.6.29. A sequence of specifically crafted selective acknowledgements SA...
Microsoft Windows RDP can bypass the Windows lock screen
Overview Microsoft Windows RDP can allow an attacker to bypass the lock screen on remote sessions. Description In Windows a session can be locked, which presents the user with a screen that requires authentication to continue using the session. Session locking can happen over RDP in the same way...
Multiple vulnerabilities in Quest Kace System Management Appliance
Overview The Quest Kace System Management K1000 Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing CORS mechanism and improperly...
Microsoft Windows Task Scheduler SetJobFileSecurityByName privilege escalation vulnerability
Overview Microsoft Windows contains a privilege escalation vulnerability in the way that the Task Scheduler SetJobFileSecurityByName function is used, which can allow an authenticated attacker to gain SYSTEM privileges on an affected system. Description Task Scheduler is a set of Microsoft Windows...
Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input
Overview Cisco's Trust Anchor module TAm can be bypassed through manipulating the bitstream of the Field Programmable Gate Array FPGA. This component handles access control to a hardware component within Cisco's Secure Boot implementations, which affects multiple products that support this...
PrinterLogic Print Management Software fails to validate SSL certificates or the integrity of software updates
Overview PrinterLogic Print Management Software fails to validate SSL and software update certificates, which could allow an attacker to reconfigure the software and remotely execute code. In addition, the PrinterLogic agent does not sanitize browser input allowing a remote attacker to modify...
Broadcom WiFi chipset drivers contain multiple vulnerabilities
Overview The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer...
WPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant
Overview Multiple vulnerabilities have been identified in the WPA3 protocol design and in the hostapd and wpa_supplicant implementations, which can allow a remote attacker to acquire a weak password, conduct a denial of service, or gain complete authorization. These vulnerabilities have also been referred...
VPN applications insecurely store session cookies
Overview Multiple Virtual Private Network VPN applications store the authentication and/or session cookies insecurely in memory and/or log files. Description Virtual Private Networks VPNs are used to create a secure connection with another network over the internet. Multiple VPN applications stor...
MyCar Controls uses hard-coded credentials
Overview The MyCar Controls mobile applications prior to v3.4.24 on iOS and prior to v4.1.2 on Android contain hard-coded admin credentials. Description MyCar is a small aftermarket telematics unit from AutoMobility Distribution Inc. MyCar adds smartphone-controlled geolocation, remote start/stop...
Marvell Avastar wireless SoCs have multiple vulnerabilities
Overview Some Marvell Avastar wireless system on chip SoC models have multiple vulnerabilities, including a block pool overflow during Wi-Fi network scan. Description A presentation at the ZeroNights 2018 conference describes multiple security issues with Marvell Avastar SoCs models 88W8787,...
Microsoft Exchange server 2013 and newer are vulnerable to NTLM relay attacks
Overview Microsoft Exchange 2013 and newer fail to set signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange server. Description Microsoft Exchange supports an API called Exchange Web Services EWS. One of the EWS API...
Microsoft Windows Kernel Transaction Manager (KTM) is vulnerable to a race condition
Overview The Microsoft Windows Kernel Transaction Manager KTM is vulnerable to a race condition because it fails to properly handle objects in memory, which can result in local privilege escalation. Description CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization 'Rac...
Microsoft Windows DNS servers are vulnerable to heap overflow
Overview Microsoft Windows DNS servers are vulnerable to heap overflow attacks, enabling unauthenticated attackers to send malicious requests to affected servers. Description CWE-122: Heap-based Buffer Overflow - CVE-2018-8626 Microsoft Windows Domain Name System DNS servers are vulnerable to heap...
Microsoft Windows MsiAdvertiseProduct function vulnerable to privilege escalation via race condition
Overview The Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability, which can allow an authenticated attacker to elevate privileges to read protected files. Description The Microsoft Windows MsiAdvertiseProduct function allows a Windows installer product to...
Dokan file system driver contains a stack-based buffer overflow
Overview A system driver in the Dokan Open Source File System contains a stack-based buffer overflow, which could allow an attacker to gain elevated privileges on the host machine. Description CWE-121: Stack-based Buffer Overflow - CVE-2018-5410 Dokan, versions between 1.0.0.5000 and 1.2.0.1000,...
Microsoft Internet Explorer scripting engine JScript memory corruption vulnerability
Overview Microsoft Internet Explorer contains a memory corruption vulnerability in the scripting engine JScript component, which can allow a remote attacker to execute arbitrary code on a vulnerable system. Description Microsoft Internet Explorer contains a scripting engine, which handles executi...
Pixar Tractor contains a stored cross-site scripting vulnerability
Overview Pixar's Tractor network rendering software is vulnerable to stored cross-site scripting, which may allow an attacker to execute arbitrary JavaScript. Description Pixar's Tractor software, versions 2.2 and earlier, contains a stored cross-site scripting vulnerability CWE-79 in the field tha...
Self-encrypting hard drives do not adequately protect data
Overview There are multiple vulnerabilities in implementations of ATA Security or TCG Opal Standards in Self-Encrypting Disks SEDs, which can allow an attacker to decrypt contents of an encrypted drive. Description CVE-2018-12037 There is no cryptographic relation between the password provided by...
Cisco ASA and FTD SIP Inspection denial-of-service vulnerability
Overview Cisco Adaptive Security Appliance ASA software and Cisco Firepower Threat Defense FTD software fail to properly parse SIP traffic, which can result in a denial-of-service condition on affected devices. Description Cisco Adaptive Security Appliance ASA software and Cisco Firepower Threat...
Texas Instruments CC2640 and CC2650 microcontrollers vulnerable to heap overflow and insecure update
Overview Texas Instruments CC2640 and CC2650 microcontrollers are vulnerable to a heap overflow and may allow unauthenticated firmware installation. Description CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CVE-2018-16986 - also known as BLEEDINGBIT The following...
Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App
Overview Auto-Maskin RP remote panels and DCU controls units are used to monitor and control ship engines. The units have several authentication and encryption vulnerabilities which can allow attackers to access the units and control connected engines. Description CWE 798: Use of Hard-Coded...
TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks
Overview The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. EAP Controller for Linux lacks user authentication for RMI service commands and uses an outdated, vulnerable version of Apache commons-collections, which may allow an...
Automatic DNS registration and proxy autodiscovery allow spoofing of network services
Overview Automatic DNS registration and autodiscovery functionality provides an opportunity for the misconfiguration of networks, resulting in a loss of confidentiality and integrity of the network if an attacker on the network adds a specially configured proxy device. Description The Web Proxy...
Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface
Overview Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call ALPC interface, which can allow a local user to obtain SYSTEM privileges. Description The Microsoft Windows task scheduler SchRpcSetSecurity API contains a...
Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities
Overview Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system. Description Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript...
Intel processors are vulnerable to a speculative execution side-channel attack called L1 Terminal Fault (L1TF)
Overview Intel processors are vulnerable to one or more L1 data cache information disclosure and terminal fault attacks via a speculative execution side channel. These attacks are known as L1 Terminal Fault: SGX, L1 Terminal Fault: OS/SMM, and L1 Terminal Fault: VMM. Description Speculative...
IKEv1 Main Mode vulnerable to brute force attacks
Overview Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Description The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. CVE-2018-5389 It is well known that the aggressive mode of IKEv1 PSK is vulnerable...
Android and iOS apps contain multiple vulnerabilities
Overview Android apps, including those pre-installed on some mobile devices, contain multiple vulnerabilities. All of these vulnerabilities were reported by Kryptowire. Vulnerabilities in pre-installed apps were presented at DEF CON 26 and a set of different vulnerabilities were previously...