Security News

A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system, researchers warn today. Researchers at Qualys information security company found that the pkexec program could be used by local attackers to increase privileges to root on default installations of Ubuntu, Debian, Fedora, and CentOS. They warn that PwnKit is likely exploitable on other Linux operating systems as well.

A vulnerability in Polkit's pkexec component that is present in the default configuration of all major Linux distributions can be exploited to gain full root privileges on the system, researchers warn today. Identified as CVE-2021-4034 and named PwnKit, the security issue has been tracked to the initial commit of pkexec, more than 12 years ago, meaning that all Polkit versions are affected.

Two security vulnerabilities that impact the Control Web Panel software can be chained by unauthenticated attackers to gain remote code execution as root on vulnerable Linux servers. CWP, previously known as CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.

Cisco released a security update warning about a handful of vulnerabilities lurking in its networking technology, led by a critical bug in the company's StarOS debug services. Cisco pushed out a fix for its Cisco StarOS Software on Wednesday.

Cisco has fixed a critical security flaw discovered in the Cisco Redundancy Configuration Manager for Cisco StarOS Software during internal security testing. "A vulnerability in Cisco RCM for Cisco StarOS Software could allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container," Cisco said.

Umbrella company Parasol Group has confirmed why it shut down part of its IT last week: it found unauthorised activity from an intruder. Tech freelancers suspected a cyberattack was to blame for the blackout and sure enough the Group wrote to customers at the close of last working week to explain in more detail what had happened.

A local privilege escalation security vulnerability could allow attackers to gain root access on Ubuntu systems by exploiting a double-free memory corruption bug in GNOME's AccountsService component. The security flaw was accidentally spotted by GitHub security researcher Kevin Backhouse while testing an exploit demo for another AccountsService bug that also made it possible to escalate privileges to root on vulnerable devices.

Researchers shed light on hidden root CAsHow widespread is the use of hidden root CAs and certificates signed by them? To answer that and other questions, a group of researchers from several Chinese and U.S. universities and Qihoo 360, the company developing the 360 Secure Browser, have collected 5 months worth of certificate data from volunteer users and analyzed certificate chains and verification statuses in web visits. How to achieve permanent server hardening through automationInformation security standards such as PCI DSS and ISO 27001 and regulations such as HIPAA and CMMC mandate system hardening as one of the most basic defenses against cyber intrusions.

How widespread is the use of hidden root CAs and certificates signed by them? To answer that and other questions, a group of researchers from several Chinese and U.S. universities and Qihoo 360, the company developing the 360 Secure Browser, have collected 5 months worth of certificate data from volunteer users and analyzed certificate chains and verification statuses in web visits. Many flaws in the implementation of hidden root CAs and certificates.

Networking equipment company Netgear has released yet another round of patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system. Because of its ubiquitous nature, UPnP is used by a wide variety of devices, including personal computers, networking equipment, video game consoles and internet of things devices.