Security News

Claroty researchers have found and privately disclosed nine vulnerabilities in Rockwell Automation's FactoryTalk AssetCentre, an ICS-specific backup solution. FactoryTalk AssetCentre is a centralized tool for securing, managing, versioning, tracking and reporting automation-related asset information across industrial facilities.

Threat actors routinely begin targeting newly disclosed vulnerabilities in SAP applications within days of a security patch becoming available, according to a joint report issued by SAP and Onapsis. Used by more than 400,000 organizations for resource planning, product lifecycle management, human capital management, supply chain and other purposes, SAP applications are an attractive target for adversaries.

Before we talk about what can be done, how do we change this, fix this, how vulnerable are we? With security being left out of the equation oftentimes when it comes to software, where are we seeing that we are vulnerable? Sixty percent of the vulnerabilities we find were never fixed.

Most vulnerabilities are never patched, leaving users susceptible to cyberattacks.
S3 Ep26: Apple 0-day, crypto vulnerabilities and PHP backdoor [Podcast]
Why Apple had to rush out a security update for iDevices. Two cryptographic security holes patched in OpenSSL. How PHP nearly got backdoored by crooks.

Vulnerabilities Citrix patched in Hypervisor this week could allow code running inside a guest virtual machine to cause a denial of service on the host. Tracked as CVE-2021-28038 and CVE-2021-28688, the newly addressed flaws could be abused to crash the host or make it unresponsive.

Recent Linux kernel updates include patches for two vulnerabilities that could allow an attacker to bypass the mitigations designed to protect devices against Spectre attacks. Symantec reported on Monday that Piotr Krysiuk, a member of its Threat Hunter team, identified the two flaws.

A cybersecurity researcher who specializes in industrial control systems has identified three types of critical vulnerabilities in products made by human-machine interface manufacturer Weintek. The vulnerabilities can be exploited by a remote, unauthenticated attacker to execute code with root privileges, to access sensitive information and perform actions on behalf of an administrator, and to run malicious JavaScript via a stored XSS flaw.

The maintainers of OpenSSL have released a fix for two high-severity security flaws that could be exploited to carry out denial-of-service attacks and to bypass a certificate-chain check (a non-CA certificate being accepted as an issuer when the X509_V_FLAG_X509_STRICT flag is set). CVE-2021-3449 affects all OpenSSL 1.1.1 releases before 1.1.1k, while CVE-2021-3450 affects only 1.1.1h through 1.1.1j, because the faulty strict-mode check was introduced in 1.1.1h. Both are fixed in 1.1.1k; the 1.0.2 branch is not affected.

Today, the OpenSSL project issued an advisory for two high-severity vulnerabilities, CVE-2021-3449 and CVE-2021-3450. CVE-2021-3450 is an improper Certificate Authority certificate validation flaw that affects both server and client instances, since either side may verify a peer's chain. CVE-2021-3449 is a NULL pointer dereference triggered by a malicious client during TLS 1.2 renegotiation, so it is a server-side denial of service.
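As an added check for the two OpenSSL items above (example code written for this page, not code from the OpenSSL project or either article), the script below parses an OpenSSL version banner and reports which of the two CVEs apply. The affected ranges are the ones from the OpenSSL advisory: CVE-2021-3449 for 1.1.1 through 1.1.1j and CVE-2021-3450 for 1.1.1h through 1.1.1j, both fixed in 1.1.1k. The sample banners are constructed; the only live input is the interpreter's own OpenSSL version string from `ssl.OPENSSL_VERSION`.

```python
import re
import ssl

# Affected ranges from the OpenSSL advisory of 25 March 2021. Versions are
# (major, minor, fix, patch); "patch" encodes the 1.x letter suffix:
# 1.1.1 -> 0, 1.1.1a -> 1, ..., 1.1.1h -> 8, 1.1.1j -> 10, 1.1.1k -> 11.
AFFECTED_RANGES = {
    "CVE-2021-3449": ((1, 1, 1, 0), (1, 1, 1, 10)),   # 1.1.1 through 1.1.1j
    "CVE-2021-3450": ((1, 1, 1, 8), (1, 1, 1, 10)),   # 1.1.1h through 1.1.1j
}
FIXED_IN = (1, 1, 1, 11)  # 1.1.1k

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse 'OpenSSL 1.1.1k  25 Mar 2021' (or a bare '1.1.1h') into a
    comparable (major, minor, fix, patch) tuple."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    # Letter suffixes exist only on the 1.x branches; 3.x uses plain numbers.
    # Base-26 with "a" = 1 keeps the ordering z < za < zb used by 1.0.2.
    patch = 0
    for ch in m.group(4):
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


def affected_cves(banner):
    """Return the sorted list of CVE ids whose affected range contains the
    version in `banner`; an empty list means neither advisory applies."""
    version = parse_openssl_version(banner)
    return sorted(cve for cve, (lo, hi) in AFFECTED_RANGES.items()
                  if lo <= version <= hi)


def needs_upgrade(banner):
    """True when the banner is on the 1.1.1 branch and older than 1.1.1k."""
    version = parse_openssl_version(banner)
    return version[:3] == (1, 1, 1) and version < FIXED_IN


if __name__ == "__main__":
    # Constructed sample banners (not captured from real hosts), plus the
    # version string of the OpenSSL linked into this Python interpreter.
    samples = [
        "OpenSSL 1.1.1g  21 Apr 2020",
        "OpenSSL 1.1.1h  22 Sep 2020",
        "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.0.2u  20 Dec 2019",
        ssl.OPENSSL_VERSION,
    ]
    for banner in samples:
        cves = affected_cves(banner)
        print("%-32s -> %s" % (banner, ", ".join(cves) if cves else "not affected"))
```

Two caveats apply to any version-based check like this one. A version inside the CVE-2021-3450 range is only exploitable where the application actually sets X509_V_FLAG_X509_STRICT, which is not the default, so "affected" is not the same as "vulnerable". Conversely, distributions that backport the fix into an older package (Debian and Ubuntu keep the upstream 1.1.1f banner, for instance) will show up here as affected even after patching; for those hosts, check the package changelog rather than the banner.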