NXP MQX Versions 5.1 and prior are vulnerable to integer overflow in mem_alloc, _lwmem_alloc and _partition functions. This unverified memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
Daily Archives: May 3, 2022
USN-5390-2: Linux kernel (Raspberry Pi) vulnerabilities
David Bouman discovered that the netfilter subsystem in the Linux kernel
did not properly validate passed user register indices. A local attacker
could use this to cause a denial of service or possibly execute arbitrary
code. (CVE-2022-1015)
David Bouman discovered that the netfilter subsystem in the Linux kernel
did not initialize memory in some situations. A local attacker could use
this to expose sensitive information (kernel memory). (CVE-2022-1016)
It was discovered that the ST21NFCA NFC driver in the Linux kernel did not
properly validate the size of certain data in EVT_TRANSACTION events. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-26490)
CVE-2021-29854
IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 205680.
Former eBay Exec Pleads Guilty to Cyber Stalking
eBay’s former senior director of safety and security admits role in fetal pig harassment campaign
CIS Benchmarks May 2022 Update
The CIS Benchmarks development team has been hard at work preparing several brand new Benchmarks and updates for May 2022.
Using Pupil Reflection in Smartphone Camera Selfies
Researchers are using the reflection of the smartphone in the pupils of faces taken as selfies to infer information about how the phone is being used:
For now, the research is focusing on six different ways a user can hold a device like a smartphone: with both hands, just the left, or just the right in portrait mode, and the same options in horizontal mode.
It’s not a lot of information, but it’s a start. (It’ll be a while before we can reproduce these results from Blade Runner.)
Research paper.
CVE-2021-22573
The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token’s payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above
CVE-2021-22556
The Security Team discovered an integer overflow bug that allows an attacker with code execution to issue memory cache invalidation operations on pages that they don’t own, allowing them to control kernel memory from userspace. We recommend upgrading to kernel version 4.1 or beyond.
NortonLifeLock Willfully Infringed Malware Patents
Jury finds cybersecurity company violated Columbia University’s rights over two patents
Ransomware Attack Closes Michigan College
Cyber-attack forces Kellogg Community College to cancel classes at five campuses