USN-5831-1: Linux kernel (Azure CVM) vulnerabilities

Kyle Zeng discovered that the sysctl implementation in the Linux kernel
contained a stack-based buffer overflow. A local attacker could use this to
cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-4378)

Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation
in the Linux kernel contained multiple use-after-free vulnerabilities. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-42896)

It was discovered that the Xen netback driver in the Linux kernel did not
properly handle packets structured in certain ways. An attacker in a guest
VM could possibly use this to cause a denial of service (host NIC
availability). (CVE-2022-3643)

It was discovered that an integer overflow vulnerability existed in the
Bluetooth subsystem in the Linux kernel. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2022-45934)

USN-5830-1: Linux kernel vulnerabilities

It was discovered that the NFSD implementation in the Linux kernel did not
properly handle some RPC messages, leading to a buffer overflow. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-43945)

Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation
in the Linux kernel contained multiple use-after-free vulnerabilities. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-42896)

It was discovered that the Xen netback driver in the Linux kernel did not
properly handle packets structured in certain ways. An attacker in a guest
VM could possibly use this to cause a denial of service (host NIC
availability). (CVE-2022-3643)

It was discovered that an integer overflow vulnerability existed in the
Bluetooth subsystem in the Linux kernel. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2022-45934)
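The two advisories above share three CVEs and differ only in the first (a local sysctl overflow in USN-5831-1, a remote NFSD overflow in USN-5830-1). The practical question for a given fleet is which of the four actually apply: two of them need a physically proximate attacker on a Bluetooth stack, and one needs a guest VM behind a Xen netback device. The following script is an added example, not part of the Ubuntu advisories; it parses the CVE paragraphs exactly as printed above and ranks them for an assumed deployment profile (the `bluetooth_enabled` and `hosts_xen_guests` keys are illustrative assumptions, and finer gating such as whether nfsd is actually running is deliberately left out).

```python
"""Triage Ubuntu kernel advisory text by attacker position and impact.

Added example (not from Ubuntu or the advisory). It splits the CVE
paragraphs of USN-5831-1 / USN-5830-1 as printed above, classifies each by
the attacker position the advisory names, and ranks them for an assumed
deployment profile. Profile keys are assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed input: the five distinct CVE paragraphs quoted from the two
# advisories above (wrapped exactly as the advisories wrap them).
ADVISORY_TEXT = """
Kyle Zeng discovered that the sysctl implementation in the Linux kernel
contained a stack-based buffer overflow. A local attacker could use this to
cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-4378)

It was discovered that the NFSD implementation in the Linux kernel did not
properly handle some RPC messages, leading to a buffer overflow. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-43945)

Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation
in the Linux kernel contained multiple use-after-free vulnerabilities. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-42896)

It was discovered that the Xen netback driver in the Linux kernel did not
properly handle packets structured in certain ways. An attacker in a guest
VM could possibly use this to cause a denial of service (host NIC
availability). (CVE-2022-3643)

It was discovered that an integer overflow vulnerability existed in the
Bluetooth subsystem in the Linux kernel. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2022-45934)
"""


@dataclass(frozen=True)
class Finding:
    cve: str
    vector: str      # remote | local | guest_vm | proximate | unknown
    impact: str      # code_execution | dos
    relevant: bool   # set by triage() for the given profile


# Phrases the advisories use for attacker position, most severe first.
VECTOR_PATTERNS = [
    ("remote", r"\bremote attacker\b"),
    ("local", r"\blocal attacker\b"),
    ("guest_vm", r"\battacker in a guest VM\b"),
    ("proximate", r"\bphysically proximate attacker\b"),
]
VECTOR_RANK = {"remote": 0, "local": 1, "guest_vm": 2, "proximate": 3, "unknown": 4}

# Assumed mapping from attacker position to the profile flag that makes it
# reachable; vectors not listed here are treated as always reachable.
VECTOR_NEEDS = {"proximate": "bluetooth_enabled", "guest_vm": "hosts_xen_guests"}


def parse_advisory(text):
    """Split advisory text into per-CVE paragraphs and classify each one."""
    findings = []
    for para in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(para.split())            # undo the advisory's line wrapping
        m = re.search(r"\((CVE-\d{4}-\d{4,})\)", flat)
        if not m:
            continue                             # not a CVE paragraph
        vector = next((v for v, pat in VECTOR_PATTERNS if re.search(pat, flat)), "unknown")
        impact = "code_execution" if "arbitrary code" in flat else "dos"
        findings.append(Finding(m.group(1), vector, impact, True))
    return findings


def triage(findings, profile):
    """Mark each finding relevant or not for the profile and order the list:
    relevant first, code execution before DoS, then by attacker position."""
    ranked = []
    for f in findings:
        flag = VECTOR_NEEDS.get(f.vector)
        relevant = True if flag is None else bool(profile.get(flag, False))
        ranked.append(Finding(f.cve, f.vector, f.impact, relevant))
    ranked.sort(key=lambda f: (not f.relevant,
                               f.impact != "code_execution",
                               VECTOR_RANK[f.vector],
                               f.cve))
    return ranked


if __name__ == "__main__":
    # Assumed profile: a headless cloud VM with no Bluetooth and no Xen guests.
    for f in triage(parse_advisory(ADVISORY_TEXT),
                    {"bluetooth_enabled": False, "hosts_xen_guests": False}):
        print(f"{f.cve:16} {f.vector:10} {f.impact:15} {'patch now' if f.relevant else 'patch on schedule'}")
```

For that headless profile only CVE-2022-43945 and CVE-2022-4378 come out as immediately relevant; the Bluetooth and Xen findings are still fixed by the same kernel package, so the ranking changes patch urgency, not whether to patch.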

flatpak-runtime-f37-3720230120192930.1 flatpak-sdk-f37-3720230120192930.1

FEDORA-FLATPAK-2023-c878fbe3d7

Packages in this update:

flatpak-runtime-f37-3720230120192930.1
flatpak-sdk-f37-3720230120192930.1

Update description:

Updated flatpak runtime and SDK, including latest Fedora 37 security and bug-fix errata.

In addition to regular package updates, this also adds additional gstreamer1-plugins-ugly-free and jxl-pixbuf-loader packages to the runtime.

CVE-2021-39217

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue.

CVE-2021-21395

Magento LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF in the window between the time the reset password link is clicked and the time the user submits a new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
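The window described above exists because, once the e-mailed link has been clicked, everything the submit handler needs is already in the victim's session, and the browser attaches the session cookie to a form post from any origin. The script below is an added example, not Magento LTS or OpenMage code; it models the flow with in-memory dictionaries (the session shape, cookie names and function names are assumptions for illustration) and shows the forged post succeeding against a handler that relies on the session alone, and failing against one that also requires a per-session form key that a cross-origin page cannot read.

```python
"""Password-reset CSRF: the window between clicking the e-mailed link and
submitting the new password.

Added example, not OpenMage/Magento LTS code. State is in-memory and the
request/session shapes are assumptions. The browser sends the victim's
session cookie with a cross-site POST, so a handler that takes everything
from the session can be driven by an attacker's page; a per-session form
key embedded in the same-origin page is what the attacker cannot supply.
"""
import hmac
import secrets

# Constructed state: one account and an in-memory session table.
accounts = {}
sessions = {}   # session_id (cookie value) -> dict


def _reset_state():
    accounts.clear()
    accounts["alice"] = {"password": "old-password", "reset_token": None}
    sessions.clear()


def request_reset(user):
    """Issue a single-use reset token (normally delivered as an e-mailed link)."""
    token = secrets.token_urlsafe(32)
    accounts[user]["reset_token"] = token
    return token


def click_reset_link(session_id, token):
    """The user opens the link: the server binds the pending reset to the
    session and renders the form with a per-session form key in it."""
    user = next((u for u, a in accounts.items() if a["reset_token"] == token), None)
    if user is None:
        return False
    sess = sessions.setdefault(session_id, {})
    sess["reset_user"] = user
    sess.setdefault("form_key", secrets.token_urlsafe(16))
    return True


def _apply(user, new_password):
    accounts[user]["password"] = new_password
    accounts[user]["reset_token"] = None        # token is single use


def submit_vulnerable(session_id, new_password):
    """Vulnerable: the request is identified only by the session cookie,
    which the browser also attaches to a cross-site form post."""
    sess = sessions.get(session_id, {})
    user = sess.get("reset_user")
    if user is None:
        return False
    _apply(user, new_password)
    sess.pop("reset_user", None)
    return True


def submit_hardened(session_id, form_key, new_password):
    """Hardened: the POST must also carry the form key rendered into the
    same-origin page. Compared in constant time; the attacker cannot read it."""
    sess = sessions.get(session_id, {})
    user = sess.get("reset_user")
    expected = sess.get("form_key")
    if user is None or expected is None or not isinstance(form_key, str):
        return False
    if not hmac.compare_digest(form_key, expected):
        return False
    _apply(user, new_password)
    sess.pop("reset_user", None)
    return True


def demo():
    """Victim clicks the link, then an attacker page posts a cross-site form
    with the victim's cookie. Returns the outcome of each handler."""
    _reset_state()
    cookie = "victim-session-cookie"            # assumed cookie value

    # Hardened handler: forged post with a guessed key fails, legitimate one works.
    click_reset_link(cookie, request_reset("alice"))
    forged_hardened = submit_hardened(cookie, "attacker-guess", "attacker-chosen")
    legit_hardened = submit_hardened(cookie, sessions[cookie]["form_key"], "user-chosen")

    # Vulnerable handler: the same forged post succeeds.
    click_reset_link(cookie, request_reset("alice"))
    forged_vulnerable = submit_vulnerable(cookie, "attacker-chosen")

    return {"forged_hardened": forged_hardened,
            "legit_hardened": legit_hardened,
            "forged_vulnerable": forged_vulnerable,
            "final_password": accounts["alice"]["password"]}


if __name__ == "__main__":
    print(demo())
```

The form key is the synchronizer-token pattern; setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control, but it does not replace the server-side check, which is why the advisory lists no workaround short of upgrading.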

Hackers abuse legitimate remote monitoring and management tools in attacks

Security researchers warn that an increasing number of attackers are using legitimate remote monitoring and management (RMM) tools in their attacks to achieve remote access and control over systems. These tools are commonly used by managed service providers (MSPs) and IT help desks so their presence on an organization’s network and systems might not raise suspicion.

Researchers from Cisco Talos reported this week that one particular commercial RMM tool called Syncro was observed in a third of the incident response cases the company was engaged in during the fourth quarter of 2022. However, this wasn’t the only such tool used.

Your Data—It’s the Story of You

All your online activity creates a trail of data. And that data tells a story. The story of you. 

The websites, apps, and services you use throughout the day all collect data. They may collect data about your behaviors, interests, and purchases, along with what you’re doing, for how long, and where, largely without your knowledge. They may also collect personal information you provide, such as health records, your Social Security Number, banking info, your driver’s license number, and more. This can include further health data, such as the kind that gets tracked by a smart watch or wearable device. 

“So what?” 

I’ve heard plenty of people say exactly that about data collection. And plenty of others simply resign themselves to the reality of data collection. “What’s out there is already out there.” They feel like there’s not much they can do about it. If anything at all. And does it really matter? 

It absolutely matters. 

That is, it matters if you hate spam calls and texts. If you’re worried about identity theft. If you’re worried that practically anyone can purchase a detailed picture of your personal information from an online data broker and use it as they like. 

Indeed, your data tells the story of you. And plenty of others are interested in your story. Businesses and advertisers for one, so they can market to the most targeted of your needs and interests. Yet also hackers, scammers, spammers, and thieves—and in extreme cases, stalkers as well. 

While it’s true that you cannot control how each byte of data about you and your family is shared and processed, you’re not helpless! In many cases, you can control how you share your data by taking a few steps. Your data is precious, and you deserve to be selective about who you share it with. 

That’s the reason you’ve seen McAfee roll out so many protections for your privacy and identity, with several more to come. While there are many tools for data collection today, there are also tools that let you take control. 

Looking at our own McAfee+ online protection plans, they offer you identity theft and fraud protections such as Personal Data Cleanup, identity monitoring, credit monitoring, a VPN that helps keep your online activity more private, $1M in identity theft coverage, and support from an identity restoration specialist … the list goes on. These are tools everyone can benefit from in the face of the current threats out there.  

The evolution of McAfee+ reflects the nature of online threats today. Increasingly, the target is you—your privacy, your identity, and all the things that they unlock.  

Three things you can do right now that help make you more private online 

1) Use a complete security platform that includes a VPN, password manager, and web protection 

A simple yet powerful step is to protect your devices with comprehensive online protection software. This will help defend you against the latest virus, malware, spyware, and ransomware attacks, and further shield your privacy by minimizing web tracking (think advertisers) with a VPN. In addition, it will create and store strong, unique passwords, and offer web protection that can help steer you clear of sketchy websites that may try to steal your data. 

2) Review your privacy settings for the devices, platforms, and apps you use 

Start with the devices and apps you use most. Different devices and apps will have their own privacy settings, so give them a look and see what your options are. You may be surprised to find how you can limit which information advertisers can use to serve up ads to you. You may find that some apps have GPS tracking turned on, even though they don’t need it to function. All of this adds up to data that companies may collect, share, or resell—depending on their privacy policy. Again, start with the devices and apps you use most then expand from there. It’s also a good opportunity to delete apps you don’t use anymore—along with the data associated with them. 

3) Clean up the personal data posted about you online  

One major privacy leak comes at the hands of online data brokers, companies that collect and resell volumes of detailed personal information about millions of people. In fact, they make up a multi-billion-dollar industry that spans the globe. Additionally, there are so-called “White Pages” and “people finder” sites that post information like names, addresses, and other public records that anyone can access. With all this information collected in a central location that’s easily searched and accessed, these sites can be an ideal resource for hackers, spammers, and thieves. McAfee’s Personal Data Cleanup can help you take control. It scans high-risk data broker sites and lets you know which ones are selling your data, and depending on your McAfee+ plan, it can remove it for you too. 

Yes, you can take control of your privacy 

You can take even more control of your privacy. As part of our McAfee Safety Series, we have an entire guide dedicated to the topic of online privacy, the McAfee Digital Privacy Guide. It shows you ways to take control of your digital privacy, and gives insight into what information you may be creating and how you may be passing it along, whether you know it or not. 

In all, your privacy is your own. We believe that what you share and don’t share, who you share it with and who you don’t, and for what reason … should be your decision.  

It’s your story. Take control. And we’re here to help. 

The post Your Data—It’s the Story of You appeared first on McAfee Blog.
