Security News
A critical vulnerability has been disclosed in hardware random number generators used in billions of Internet of Things devices whereby it fails to properly generate random numbers, thus undermining their security and putting them at risk of attacks. "It turns out that these 'randomly' chosen numbers aren't always as random as you'd like when it comes to IoT devices," Bishop Fox researchers Dan Petro and Allan Cecil said in an analysis published last week.
A recent spike in large-scale ransomware attacks has highlighted the vulnerabilities in the nation's critical infrastructure and the ease with which their systems can be breached. Cyberattacks and ransomware pose a greater risk to critical infrastructure than a non-digital external threat like a nation-state does, and the size and scale of the infrastructure has little to do with the scope of the risk; ransomware is just as much as threat to a water treatment plant in downtown Smallville, USA, as it is to a large-scale energy grid or gasoline pipeline.
The commonly used "Net" library in Go and Rust languages is also impacted by the mixed-format IP address validation vulnerability. The vulnerability, tracked by CVE-2021-29922 and CVE-2021-29923 concerns how net handles mixed-format IP addresses, or more specifically when a decimal IPv4 address contains a leading zero.
A critical security vulnerability in a subset of Cisco Systems' small-business VPN routers could allow a remote, unauthenticated attacker to take over a device - and researchers said there are at least 8,800 vulnerable systems open to compromise. The critical bug affects the vendor's Dual WAN Gigabit VPN routers.
IT management and security company Ivanti this week released patches for multiple vulnerabilities in its Pulse Connect Secure VPN appliances, including a critical issue that could be exploited to execute arbitrary code with root privileges. Tracked as CVE-2021-22937, the issue is in fact a bypass of the patch released in October last year for CVE-2020-8260, a high-severity remote code execution flaw in the admin web interface of Pulse Connect Secure.
Koo, India's homegrown Twitter clone, recently patched a serious security vulnerability that could have been exploited to execute arbitrary JavaScript code against hundreds of thousands of its users, spreading the attack across the platform. The vulnerability involves a stored cross-site scripting flaw in Koo's web application that allows malicious scripts to be embedded directly into the affected web application.
ThreatX announced new API Catalog capabilities to provide enterprises with a clear view of their API's attack surface, as well as the operational health of APIs in production. ThreatX supports DevOps and Security teams by assessing traffic in real-time to reduce risk and protect critical APIs from misconfiguration, DDoS, BOT attacks and malicious use.
VMware has released security updates for multiple products to address a critical vulnerability that could be exploited to gain access to confidential information. CVE-2021-22002 concerns an issue with how VMware Workspace One Access and Identity Manager allow the "/cfg" web app and diagnostic endpoints to be accessed via port 443 by tampering with a host header, resulting in a server-side request.
Cisco on Wednesday announced the release of patches for a critical vulnerability in small business VPN routers that could allow unauthenticated attackers to execute arbitrary code on affected devices. To exploit the bug, a remote, unauthenticated attacker has to send specially crafted HTTP requests to an affected device, which could allow them to execute arbitrary code or cause a denial of service condition.
The technology-independent offering enables clients to take rapid and decisive action against today's most critical cyberattacks and strengthen their security posture. "Optiv MXDR brings simplicity, transparency and automation to clients' environments, enhancing existing defenses to counter known and emerging threats with confidence and speed," said David Martin, chief services officer for Optiv.