Security News

Ubuntu's Gnome desktop could be tricked into giving root access
2020-11-10 11:41

A vulnerability in GNOME Display Manager could allow a standard user to create accounts with increased privileges, giving a local attacker a path to run code with administrator permissions. The process involves running a few simple commands in the terminal and modifying general system settings that do not require increased rights.

CISA Named Top-Level Root CVE Numbering Authority
2020-09-17 11:23

The U.S. Cybersecurity and Infrastructure Security Agency has been named a Top-Level Root CVE Numbering Authority and it will be overseeing CNAs that assign CVE identifiers for vulnerabilities in industrial control systems and medical devices. A Top-Level Root CNA can not only assign CVEs, but it's also tasked with managing CNAs in a specific domain or community.

Don't be BlindSided: Watch speculative memory probing bypass kernel defenses, give malware root control
2020-09-10 02:59

Some information needs to be leaked from the kernel that reveals the current layout of its components in RAM. If a ROP exploit just guesses the kernel's layout and is wrong, it will trigger a crash, and this can be detected and acted on by an administrator. "Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects," the paper stated.

An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher
2020-06-10 10:00

Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned. In order to validate the certificate the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.

Had a bad weekend? Probably, if you're a Sectigo customer, after root cert expires and online chaos ensues
2020-06-02 06:02

On Saturday, at 10:48 UTC, Sectigo's AddTrust legacy root certificate expired, causing a bit of weekend havoc for thousands of websites and services that rely on it for making a secure TLS/SSL connection. "Generally speaking, this is affecting older, non-browser clients which talk to TLS servers which serve a Sectigo certificate chain ending in the expired certificate," wrote Andrew Ayer, founder of SSLMate, in a blog post.

Pre-authentication, remote root hole in call-center software? Thanks, Cisco. Just what a long weekend needs
2020-05-25 09:31

We have a bunch of new security patches from Switchzilla, including one for a critical hole in its call-center software. CVE-2020-3280 is a remote-code-execution vulnerability in the Java remote management interface for Unified Contact Center Express.

Money is still the root of most breaches
2020-05-19 08:08

Verizon has released its annual Data Breach Investigations Report, which offers an overview of the cyber security incidents and data breaches that occurred or were discovered in the past year. The majority of data breaches are caused by credential theft, social attacks and errors.

Salt Bugs Allow Full RCE as Root on Cloud Servers
2020-04-30 20:54

The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments. "The ClearFuncs class also exposes the method _prep_auth_info(), which returns the root key used to authenticate commands from the local root user on the master server. This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master."

IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report
2020-04-21 19:04

IBM has acknowledged that it mishandled a bug report that identified four vulnerabilities in its enterprise security software, and plans to issue an advisory. IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure.