Security Leftovers
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by Fedora (zabbix), Gentoo (OpenJDK), Red Hat (kernel), Slackware (gnutls and xorg), SUSE (cloud-init, kernel, xorg-x11-server, and xwayland), and Ubuntu (freeimage, postgresql-10, and xorg-server, xwayland).
-
LWN ☛ The odd saga of CVE-2012-5639
A new release for any project with a fix for a 12-year-old CVE is going to stand out pretty obviously; a recent release has a fix of that nature, but the trail of CVE-2012-5639 is rather elusive. The Apache OpenOffice project made its 4.1.15 release with fixes for four CVEs, including one for CVE-2012-5639 ("Loading internal / external resources without warning"), on December 22. But nearly everything about that CVE seems rather murky, and it is difficult to get a clear picture of what, exactly, was done in OpenOffice to address the problem.
-
Security Week ☛ Hacker Conversations: HD Moore and the Line Between Black and White
SecurityWeek talked to HD Moore, best known as the founder and original developer of Metasploit.
-
SANS ☛ Scans for Ivanti Connect "Secure" VPN Vulnerability (CVE-2023-46805, CVE-2024-21887), (Tue, Jan 16th)
These vulnerabilities have been exploited in limited, targeted attacks. At this point, Ivanti released a configuration workaround but no patch for this vulnerability. The configuration can be applied in the form of an encrypted XML file.
-
Security Week ☛ Vulnerabilities Expose PAX Payment Terminals to Hacking
Vulnerabilities in Android-based PoS terminals from PAX can be exploited to downgrade bootloaders, execute arbitrary code.
-
SANS ☛ Number Usage in Passwords, (Wed, Jan 17th)
Numbers are often used in passwords to add complexity. Passwords submitted to honeypots are also often found within pre-existing password lists, containing compromised credentials.
-
Silicon Angle ☛ Federal agencies warn that Androxgh0st malware operators are building a botnet
The U.S. Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have issued a warning that the hackers behind the Androxgh0st malware are creating a new, powerful botnet. According to today’s joint advisory, Androxgh0st has been observed establishing a botnet for victim identification and exploitation in target networks.
-
Security Week ☛ VMware Urges Customers to Patch Critical Aria Automation Vulnerability
Aria Automation is affected by a critical vulnerability that could be exploited to gain access to remote organizations and workflows.
-
Security Week ☛ 180k Internet-Exposed SonicWall Firewalls Vulnerable to DoS Attacks, Possibly RCE
Two DoS vulnerabilities patched in 2022 and 2023 haunt nearly 180,000 internet-exposed SonicWall firewalls.
-
Security Week ☛ Remote Code Execution Vulnerability Found in Opera File Sharing Feature
A vulnerability in Opera browser’s file sharing feature My Flow could be exploited for remote code execution.
-
Security Week ☛ Ho, Ho, Hoooold on a Minute: A New Year Resolution That IoT Isn’t a Gift That Keeps on Taking
Some IoT products may make your life easier, but they also may be somewhat of a Trojan Horse.
-
Security Week ☛ Remotely Exploitable ‘PixieFail’ Flaws Found in Tianocore EDK II PXE Implementation
Quarkslab finds serious, remotely exploitable vulnerabilities in EDK II, the de-facto open source reference implementation of the UEFI spec.
-
CSO ☛ New Bluetooth vulnerability allows takeover of iOS, Android, Linux, and MacOS devices
Over the past six weeks, Google, Microsoft, Linux (BlueZ), and Apple have rolled out fixes for a Bluetooth security flaw that, among other things, tricks the Bluetooth host machine into pairing with a fake keyboard without user confirmation, allowing threat actors to take control of Android, Linux, macOS, and iOS devices.
The flaw tracked as CVE-2023-45866 (CVE-2024-0230 for Apple and CVE-2024-21306 for Microsoft) leaves Android devices vulnerable whenever Bluetooth is enabled, while Linux devices require Bluetooth to be discoverable or connectable. iOS and macOS devices become vulnerable to the flaw when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer.