USN-5422-1: libxml2 vulnerabilities

Shinji Sato discovered that libxml2 incorrectly handled certain XML files.
An attacker could possibly use this issue to cause a crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2022-23308)

It was discovered that libxml2 incorrectly handled certain XML files.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. (CVE-2022-29824)

CVE-2021-25119

The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts them without validating the types of the extracted files. This allows high-privilege users such as admins to upload an arbitrary file, such as a PHP script, leading to RCE.
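The defect described above is the absence of any inspection of an archive's members before extraction. The following is an added example, not code from the AGIL plugin or from the CVE record, showing the check a defender would want in front of any "upload a zip and unpack it" feature: every member name is screened against an extension allow-list (every suffix, so double extensions like `x.php.png` are caught), absolute paths and `..` traversal are refused, and extraction is skipped entirely if any member fails. The allow-list and the sample archives are constructed for the example.

```python
"""Screen ZIP archive members before extracting them (added example)."""
import io
import posixpath
import zipfile

# Constructed allow-list for an upload feature that expects static assets only.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".css", ".txt"}


def entry_problems(name, allowed=ALLOWED_EXTENSIONS):
    """Return the reasons a single archive member name must be rejected."""
    problems = []
    normalized = name.replace("\\", "/")
    # Refuse absolute paths (POSIX "/..." and Windows "C:...").
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        problems.append("absolute path")
    # Refuse any ".." component, which would escape the extraction directory.
    if ".." in normalized.split("/"):
        problems.append("path traversal")
    if normalized.endswith("/"):
        return problems  # directory entry: nothing to type-check
    base = posixpath.basename(normalized)
    # Check every suffix so "shell.php.png" style double extensions are caught.
    suffixes = base.lower().split(".")[1:]
    if not suffixes:
        problems.append("no extension")
    else:
        for suffix in suffixes:
            if "." + suffix not in allowed:
                problems.append(f"disallowed extension .{suffix}")
                break
    return problems


def validate_archive(zip_bytes, allowed=ALLOWED_EXTENSIONS):
    """Inspect all members; return {member_name: [problems]} for rejected ones."""
    rejected = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            probs = entry_problems(info.filename, allowed)
            if probs:
                rejected[info.filename] = probs
    return rejected


def safe_extract(zip_bytes, dest, allowed=ALLOWED_EXTENSIONS):
    """Extract only if every member passed screening; otherwise raise."""
    rejected = validate_archive(zip_bytes, allowed)
    if rejected:
        raise ValueError(f"archive rejected: {rejected}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)


def build_sample_archive(members):
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample archives: one clean, one with a script and a traversal entry.
    good = build_sample_archive({"theme/style.css": b"body{}", "theme/logo.png": b"\x89PNG"})
    bad = build_sample_archive({
        "theme/logo.png": b"\x89PNG",
        "theme/upload.php": b"not type-checked by the vulnerable plugin",
        "../outside.txt": b"x",
    })
    print("clean archive rejected members:", validate_archive(good))
    print("bad archive rejected members:", validate_archive(bad))
```

Screening by name is necessary but not sufficient on its own: the destination directory should also be outside the web server's executable document root, and the server configured not to execute scripts from upload locations, so that a missed case in the allow-list does not turn into code execution.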

Tenable.io Achieves StateRAMP Authorization as Part of Our Commitment to Protect State and Local Governments

StateRAMP-authorized cloud solutions like Tenable.io meet stringent security and compliance standards.

Increasingly targeted by cyber criminals, state and local governments (SLGs) need highly secure cloud solutions. StateRAMP authorization, which involves a rigorous security and compliance evaluation, helps SLGs reduce risk and efficiently verify the security of their cloud solutions.

Today, we’re excited to announce that Tenable.io is StateRAMP authorized, meaning our SLG customers can have peace of mind knowing that our vulnerability management solution meets the strict cybersecurity standards required by federal and SLG agencies.

Achieving this milestone is part of our continued commitment to providing secure, compliant products to help our public sector customers keep their data safe and protect against breaches.

Cybersecurity stakes keep climbing for SLGs 

SLGs are on the front lines of cybersecurity. They hold access to sensitive databases and PII, and often oversee critical infrastructure. To meet citizens’ needs, SLG agencies are embracing digital technologies from mobile to IoT to cloud. With the increased amount of sensitive data to protect and an expanded attack surface, it’s no surprise that cyber attacks against SLGs are becoming more prevalent.

To help SLG CISOs and security leaders identify truly secure and compliant cloud solutions, the State Risk and Authorization Management Program (StateRAMP) was launched. This new program provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud service providers (CSPs) at the state level. The security verification model is based on the NIST SP 800-53 control framework and is modeled, in part, after FedRAMP.

Tenable.io’s StateRAMP authorization

Tenable is excited to be a part of StateRAMP’s effort to secure state and local governments. Our StateRAMP active solution, Tenable.io, provides risk-based vulnerability management so you can:

Get full visibility into the assets and vulnerabilities across your attack surface
Continuously track and assess known and unknown assets and their vulnerabilities, including dynamic assets such as mobile devices, virtual machines and cloud instances
Proactively identify and prioritize vulnerabilities with the highest impact to your organization
Get immediate insight and visualizations into your security posture

With both StateRAMP and FedRAMP authorizations, you can be assured that Tenable.io is a secure, effective and tested cloud-based vulnerability management solution that meets the high security and compliance standards of federal, state and local government agencies. To learn more about how Tenable protects state and local governments, read the Solutions Overview.

For more information on StateRAMP read the StateRAMP FAQ.

The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms

Rob Joyce, the director of cybersecurity at the NSA, said so in an interview:

The NSA already has classified quantum-resistant algorithms of its own that it developed over many years, said Joyce. But it didn’t enter any of its own in the contest. The agency’s mathematicians, however, worked with NIST to support the process, trying to crack the algorithms in order to test their merit.

“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”

The purpose of the open, public international scrutiny of the separate NIST algorithms is “to build trust and confidence,” he said.

I believe him. This is what the NSA did with NIST’s candidate algorithms for AES and then for SHA-3. NIST’s Post-Quantum Cryptography Standardization Process looks good.

I still worry about the long-term security of the submissions, though. In 2018, in an essay titled “Cryptography After the Aliens Land,” I wrote:

…there is always the possibility that those algorithms will fall to aliens with better quantum techniques. I am less worried about symmetric cryptography, where Grover’s algorithm is basically an upper limit on quantum improvements, than I am about public-key algorithms based on number theory, which feel more fragile. It’s possible that quantum computers will someday break all of them, even those that today are quantum resistant.

It took us a couple of decades to fully understand von Neumann computer architecture. I’m sure it will take years of working with a functional quantum computer to fully understand the limits of that architecture. And some things that we think of as computationally hard today will turn out not to be.
