Security News
Two stack-based buffer overflows collectively tracked as CVE-2023-32560 impact Ivanti Avalanche, an enterprise mobility management solution designed to manage, monitor, and secure a wide range of mobile devices. The flaws are rated critical and are remotely exploitable without user authentication, potentially allowing attackers to execute arbitrary code on the target system.
Researchers at IoT security company Sternum dug into a popular home automation mains plug from well-known device brand Belkin. Even though there are probably loads of these affected devices in use in the real world, Belkin apparently said that it considered the device to be "at the end of its life" and that the security hole will therefore not be patched.
The CVE-2022-0185 vulnerability in Ubuntu is severe enough that Red Hat is also advising immediate patching. It affects RHEL as well as Ubuntu 20.04, 21.04 and 21.10 - and presumably other distros, too.
Cisco SD-WAN Buffer Overflow Vulnerabilities: Systems running the Cisco SD-WAN software - such as SD-WAN vEdge Routers - can be exploited "by sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed." A successful attack can result in the execution of arbitrary code on the underlying operating system with root privileges, which means you basically hand over the gear to a stranger. Cisco SD-WAN Command Injection Vulnerabilities: These can be exploited by authenticated users to gain root-level privileges on a system running the vulnerable software.
The Huawei Cyber Security Evaluation Centre - mostly run by GCHQ offshoot the National Cyber Security Centre, though it is also staffed by some Huawei personnel - sighed that the Chinese company has made "limited" progress on last year's recommendations to toughen up its act. Code reviewers found "evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years." In addition, "The Cell" said it had found more vulnerabilities during 2019 than it had in previous years - though Huawei was keen to paint this finding as "proof the review system is working", something NCSC guardedly agreed with.
An annoying vulnerability in the widely used GRUB2 bootloader can potentially be exploited by malware or a rogue insider already on a machine to thoroughly compromise the operating system or hypervisor while evading detection by users and security tools. Any system on which GRUB2 can be installed and run at boot-time is potentially vulnerable.
The TL-WR940N and TL-WR941ND consumer router models allowed authenticated users to take unrestricted remote control of the devices.
Researcher's stumbling on bug was risky, to say the least. A cybersecurity professor has insisted he was not hunting for a vulnerability when he found a denial-of-service bug on an in-flight...
Version 60.0.2 of the resurgent Firefox browser fixes a critical security flaw in its SVG rendering code.
The BSD libc library was updated recently to address a buffer overflow vulnerability that could have allowed an attacker to execute arbitrary code.