Security News

Microsoft WinGet package manager failing from expired SSL certificate
2023-02-12 04:37

Microsoft's WinGet package manager is currently having problems installing or upgrading packages after WinGet CDN's SSL/TLS certificate expired. The problem appears to be connected to WinGet CDN's SSL/TLS certificate that has now expired.

How to force Portainer to use HTTPS and upload your SSL certificates for heightened security
2023-01-25 23:34

Portainer smooths out the rather steep learning curve of Kubernetes, making it considerably easier for your teams to manage namespaces, networks, pods, ingresses, Helm, ConfigMaps & Secrets, Volumes and even the cluster. My go-to method of deploying Portainer is via a Microk8s cluster, which is the easiest method of getting Kubernetes support rolled into the web-based GUI; however, when deployed in this fashion, Portainer can be accessed either via HTTP or HTTPS and doesn't use SSL certificates.

Fortinet: Govt networks targeted with now-patched SSL-VPN zero-day
2023-01-12 16:05

Fortinet says unknown attackers exploited a FortiOS SSL-VPN zero-day vulnerability patched last month in attacks against government organizations and government-related targets. The security flaw abused in these incidents is a heap-based buffer overflow weakness found in the FortiOS SSLVPNd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution.

Fortinet Warns of Active Exploitation of New SSL-VPN Pre-auth RCE Vulnerability
2022-12-13 03:34

Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the wild. Tracked as CVE-2022-42475, the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests.

Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks
2022-12-12 17:15

Fortinet urges customers to patch their appliances against an actively exploited FortiOS SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices."A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests," warns Fortinet in a security advisory released today.

Critical Vulnerability in Open SSL
2022-10-28 13:12

There are no details yet, but it's really important that you patch Open SSL 3.x when the new version comes out on Tuesday. How bad is "Critical"? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable.

Loads of PostgreSQL systems are sitting on the internet without SSL encryption
2022-10-07 10:48

Only a third of PostgreSQL databases connected to the internet use SSL for encrypted messaging, according to a cloud database provider. Bit.io, which offers a drag-and-drop database as a service based on PostgreSQL, searched shodan.io to create a sample of 820,000 PostgreSQL servers connected to the internet over September 1-29.

Let's Encrypt is revoking lots of SSL certificates in two days
2022-01-26 10:38

Let's Encrypt will begin revoking certain SSL/TLS certificates issued within the last 90 days starting January 28, 2022. As a non-profit certificate authority run by Internet Security Research Group, Let's Encrypt provides X.509 certificates for Transport Layer Security encryption at no cost.

GoDaddy breach: SSL keys, sFTP, database passwords of WordPress customers exposed
2021-11-23 10:10

GoDaddy, the popular internet domain registrar and web hosting company, has suffered a data breach that affected over a million of their Managed WordPress customers. For active customers: sFTP and database usernames and passwords.

SSL keys, sFTP passwords and more exposed after someone broke into GoDaddy Managed WordPress using 'compromised password'
2021-11-22 20:37

GoDaddy has admitted to America's financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys. GoDaddy's chief information security officer Demetrius Comes said his company "Immediately began an investigation with the help of an IT forensics firm and contacted law enforcement."