Bala Krishna, Sergey Yakovlev Security Vulnerabilities

NVIDIA Patches Critical Bug in High-Performance Servers

NVIDIA released a patch for a critical bug in its high-performance line of DGX servers that could open the door for a remote attacker to take control of and access sensitive data on systems typically operated by governments and Fortune-100 companies. In all, NVIDIA issued nine patches, each fixing....

Security Bulletin: AMI Baseboard Management Controller (BMC) Firmware Vulnerabilities in NVIDIA DGX-1, DGX-2, and DGX A100 Servers - October 2020

NVIDIA has released a firmware security update for NVIDIA DGX™ servers. This update addresses security issues in the AMI Baseboard Management Controller (BMC) firmware that may lead to remote code execution, elevation of privileges, or information disclosure. All issues require network access to...

openjdk-8, openjdk-lts vulnerabilities

It was discovered that OpenJDK incorrectly handled deserializing Proxy class objects with many interfaces. A remote attacker could possibly use this issue to cause a denial of service (memory consumption) via a specially crafted input. (CVE-2020-14779) Sergey Ostanin discovered that OpenJDK...

perl vulnerabilities

USN-4602-1 fixed several vulnerabilities in Perl. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: ManhND discovered that Perl incorrectly handled certain regular expressions. In environments where untrusted regular expressions...

Perl vulnerabilities

Releases Ubuntu 14.04 ESM Ubuntu 12.04 Packages perl - Practical Extraction and Report Language Details USN-4602-1 fixed several vulnerabilities in Perl. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: ManhND discovered that...

OpenJDK vulnerabilities

Releases Ubuntu 20.10 Ubuntu 20.04 LTS Ubuntu 18.04 ESM Ubuntu 16.04 ESM Packages openjdk-8 - Open Source Java implementation openjdk-lts - Open Source Java implementation Details It was discovered that OpenJDK incorrectly handled deserializing Proxy class objects with many interfaces. A...

perl vulnerabilities

ManhND discovered that Perl incorrectly handled certain regular expressions. In environments where untrusted regular expressions are evaluated, a remote attacker could possibly use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code....

Perl vulnerabilities

Releases Ubuntu 20.04 LTS Ubuntu 18.04 ESM Ubuntu 16.04 ESM Packages perl - Practical Extraction and Report Language Details ManhND discovered that Perl incorrectly handled certain regular expressions. In environments where untrusted regular expressions are evaluated, a remote attacker could...

Libtaxii 1.1.117 / OpenTaxi 0.2.0 Server-Side Request Forgery

...

U.S. Charges 6 Russian Intelligence Officers Over Destructive Cyberattacks

The US government on Monday formally charged six Russian intelligence officers for carrying out destructive malware attacks with an aim to disrupt and destabilize other nations and cause monetary losses. The individuals, who work for Unit 74455 of the Russian Main Intelligence Directorate (GRU),...

DOJ Charges 6 Sandworm APT Members in NotPetya Cyberattacks

The Department of Justice (DOJ) on Monday announced charges against six Russian nationals who are allegedly tied to the Sandworm APT. The threat group is believed to have launched several high-profile cyberattacks over the past few years – including the destructive NotPetya cyberattack that...

Exploit for Cross-site Scripting in Olimpoks Olimpok

CVE-2020-16270 [Suggested description]: OLIMPOKS under...

Chrome for Android Update

Hi, everyone! We've just released Chrome 86 (86.0.4240.99) for Android: it'll become available on Google Play over the next few weeks. This release includes Security, stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let.....

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work

There's an old adage in information security: "Every company gets penetration tested, whether or not they pay someone for the pleasure." Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to...

Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30M

September featured two stories on a phony tech investor named John Bernard, a pseudonym used by a convicted thief named John Clifton Davies who's fleeced dozens of technology companies out of an estimated $30 million with the promise of lucrative investments. Those stories prompted a flood of tips....

Exploit for Use of Hard-coded Credentials in Rubetek Rv-3406 Firmware

CVE-2020-25749 [Suggested description] The Telnet service...

Exploit for Cleartext Transmission of Sensitive Information in Rubetek Rv-3406 Firmware

CVE-2020-25748 [Suggested description] A Cleartext...

Exploit for Missing Authentication for Critical Function in Rubetek Rv-3406 Firmware

CVE-2020-25747 [Suggested description] The Telnet service...

TikTok Fixes Flaws That Opened Android App to Compromise

Researchers have disclosed four high-severity flaws in the Android version of TikTok that could have easily been exploited by a seemingly benign third-party Android app. If successful, an attacker could fully compromise the target’s TikTok account. Public disclosure of the vulnerabilities was...

Unbreakable Enterprise kernel security update

[5.4.17-2011.6.2] - Revert 'aarch64/BM: config failed, hub doesnt have any ports' (Thomas Tai) [Orabug: 31838351] [Orabug: 31844671] - kvm: ioapic: Restrict lazy EOI update to edge-triggered interrupts (Paolo Bonzini) [Orabug: 31839185] [Orabug: 31844556] [5.4.17-2011.6.1] - nfsd: apply umask...

Security fix for the ALT Linux 8 package clamav version 0.102.4-alt1

0.102.4-alt1 built July 30, 2020 Sergey Y. Afonin in task #255498 July 28, 2020 Sergey Y. Afonin - 0.102.4 + CVE-2020-3350 + CVE-2020-3327 +...

Security fix for the ALT Linux 9 package clamav version 0.102.4-alt1

0.102.4-alt1 built July 29, 2020 Sergey Y. Afonin in task #255486 July 28, 2020 Sergey Y. Afonin - 0.102.4 + CVE-2020-3350 + CVE-2020-3327 +...

Security fix for the ALT Linux 10 package clamav version 0.102.4-alt1

July 28, 2020 Sergey Y. Afonin 0.102.4-alt1 - 0.102.4 + CVE-2020-3350 + CVE-2020-3327 +...

About the security content of macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra

About the security content of macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra This document describes the security content of macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra. About Apple security updates...

Russian Cybercrime Boss Burkov Gets 9 Years

A well-connected Russian hacker once described as “an asset of supreme importance” to Moscow was sentenced on Friday to nine years in a U.S. prison after pleading guilty to running a site that sold stolen payment card data, and to administering a highly secretive crime forum that counted among its....

Microsoft Joins Ban on Sale of Facial Recognition Tech to Police

Microsoft is joining Amazon and IBM when it comes to halting the sale of facial recognition technology to police departments. In a statement released Thursday by Microsoft President Brad Smith, he said the ban would stick until federal laws regulating the technology’s use were put in place. “We...

Unbreakable Enterprise kernel security update

[4.14.35-1902.303.4.1] - x86/speculation: Add SRBDS vulnerability and mitigation documentation (Mark Gross) [Orabug: 31422209] {CVE-2020-0543} - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Mark Gross) [Orabug: 31422209] {CVE-2020-0543} - x86/cpu: Add 'table'...

Security fix for the ALT Linux 8 package clamav version 0.102.3-alt1

0.102.3-alt1 built May 28, 2020 Sergey Y. Afonin in task #245886 May 27, 2020 Sergey Y. Afonin - 0.102.3 + CVE-2020-3327 - 0.102.2 only + CVE-2020-3341 - from 0.101 to...

Security fix for the ALT Linux 9 package clamav version 0.102.3-alt1

0.102.3-alt1 built May 27, 2020 Sergey Y. Afonin in task #245876 May 27, 2020 Sergey Y. Afonin - 0.102.3 + CVE-2020-3327 - 0.102.2 only + CVE-2020-3341 - from 0.101 to...

Security fix for the ALT Linux 10 package clamav version 0.102.3-alt1

May 27, 2020 Sergey Y. Afonin 0.102.3-alt1 - 0.102.3 + CVE-2020-3327 - 0.102.2 only + CVE-2020-3341 - from 0.101 to...

Security fix for the ALT Linux 9 package kde5-kio-extras version 19.12.3-alt2

19.12.3-alt2 built Feb. 12, 2021 Sergey V Turchin in task #265603 19.12.3-alt2 built May 13, 2020 Sergey V Turchin in task #251571 May 12, 2020 Sergey V Turchin - don't store unasked fish:/ passwords (Fixes:...

Shade Threat Actors Call It Quits, Release 750K Encryption Keys

The threat actors behind the Shade ransomware have called it quits, releasing 750,000 encryption keys on GitHub and publicly apologizing to victims affected by the malware. User “shade-team” posted four files on the code repository earlier this week, one containing the file keys and four “ReadMe”.....

Security fix for the ALT Linux 8 package libssh version 0.8.8-alt1

0.8.8-alt1 built March 13, 2020 Sergey V Turchin in task #247316 March 4, 2020 Sergey V Turchin - new version (Fixes:...

Siemens SPPA-T3000 (Update A)

EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: SPPA-T3000 Vulnerabilities: Improper Input Validation, Deserialization of Untrusted Data, Improper Authentication, Cleartext Transmission of Sensitive Information, Unrestricted...

Stable Channel Update for Desktop

The stable channel has been updated to 80.0.3987.132 for Windows, Mac, and Linux, which will roll out over the coming days/weeks. A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug....

Stable Channel Update for Desktop

The stable channel has been updated to 80.0.3987.122 for Windows, Mac, and Linux, which will roll out over the coming days/weeks. A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug....

DDoS attacks in Q4 2019

News overview In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD)...

Privilege Escalation

Overview Versions of cordova-plugin-inappbrowser prior to 3.1.0 are vulnerable to Privilege Escalation. A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI. This affects Cordova Android....

Russian Cybercrime Boss Burkov Pleads Guilty

Aleksei Burkov, an ultra-connected Russian hacker once described as "an asset of supreme importance" to Moscow, has pleaded guilty in a U.S. court to running a site that sold stolen payment card data and to administering a highly secretive crime forum that counted among its members some of the...

Stable Channel Update for Desktop

The stable channel has been updated to 79.0.3945.130 for Windows, Mac, and Linux, which will roll out over the coming days/weeks. A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug....

Citrix ADC (NetScaler) Directory Traversal RCE

This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command...

Security fix for the ALT Linux 9 package cyrus-imapd version 3.0.13-alt1

3.0.13-alt1 built Jan. 10, 2020 Sergey Y. Afonin in task #243772 Jan. 1, 2020 Sergey Y. Afonin - 3.0.13 (fixes:...

Security fix for the ALT Linux 8 package cyrus-imapd version 2.5.15-alt0.M80P.1

2.5.15-alt0.M80P.1 built Jan. 10, 2020 Sergey Y. Afonin in task #243774 Jan. 2, 2020 Sergey Y. Afonin - 2.5.15 (fixes:...

CISO Forum 2019: Vulnerability Management, Red Teaming and a career in Information Security abroad

Today, at the very end of 2019, I want to write about the event I attended in April. Sorry for the delay . This doesn't mean that CISO Forum 2019 was not Interesting or I had nothing to share. Not at all! In fact, it was the most inspiring event of the year, and I wanted to make a truly monumental....

WP Accessibility < 1.7.0 - Minor Authenticated Stored XSS in custom CSS

A minor authenticated stored XSS vulnerability was found in the "Styles for Skiplinks when they have focus" section of the WP Accessibility...

WP Accessibility < 1.7.0 - Minor Authenticated Stored XSS in custom CSS

A minor authenticated stored XSS vulnerability was found in the "Styles for Skiplinks when they have focus" section of the WP Accessibility plugin. PoC 1) Navigate to the Settings page of the plugin https://example.com/wp-admin/options-general.php?page=wp-accessibility/wp-accessibility.php 2)...

Stable Channel Update for Desktop

The stable channel has been updated to 79.0.3945.88 for Windows, Mac, and Linux, which will roll out over the coming days/weeks. A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug....

Security fix for the ALT Linux 9 package libssh version 0.9.3-alt1

0.9.3-alt1 built Dec. 14, 2019 Sergey V Turchin in task #242718 Dec. 11, 2019 Sergey V Turchin - new version - security (Fixes:...

Stable Channel Update for Desktop

The Chrome team is delighted to announce the promotion of Chrome 79 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks. Chrome 79.0.3945.79 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for...

Security fix for the ALT Linux 9 package clamav version 0.101.5-alt1

0.101.5-alt1 built Nov. 28, 2019 Sergey Y. Afonin in task #241709 Nov. 26, 2019 Sergey Y. Afonin - 0.101.5 (CVE-2019-15961) - fixed tests for libcheck 0.13.0 (clamav-0.101.5-libcheck-0.13.0.patch) - updated License tag to SPDX syntax (needs revision of exceptions) - removed rpm-build-licenses from....