Ping Identity, a Colorado-based IAM software vendor, is making a new product, PingOne Neo, available in a limited early access program. PingOne Neo is designed as a decentralized platform, as opposed to the heavily federated systems commonly in use. It allows for data decentralization, storing credentials and keys on the user’s mobile device, and lets credentials be issued using a wider range of identity proofs, instead of particular government-issued ID.
It works something like a wallet, according to the company. End users request a credential from an issuing organization, which is cryptographically signed and verifiable. That credential becomes a part of the user’s “digital wallet,” and works like a ticket into whatever system or application it is designed to access. PingOne Neo also supports other identity standards that are popular in the market, including OpenID, ISO and W3C.
While the total number of recorded Microsoft vulnerabilities was higher in 2022 than ever before, the number of critical vulnerabilities declined to its lowest point, according to the latest Microsoft Vulnerability Report by BeyondTrust, released Tuesday.
In 2022, only 6.9% of Microsoft’s vulnerabilities were rated as critical — less than half the number of critical vulnerabilities recorded in 2020. In 2013, 44% of all Microsoft vulnerabilities were classified as critical.
Vulnerabilities categorized as critical are those with characteristics that make their exploitation a potentially high-impact security event.
“This trend indicates that, while overall vulnerabilities have increased in number, the risks and worst-case scenarios associated with these individual vulnerabilities have decreased from previous years,” BeyondTrust said.
Document an importand gotcha about working with CVS. Clean up some annoyances in the build and test machinery.
4.34: 2023-01-24
Change repocutter -f (basename) option to -n. Default filecopy to matching a regexp; -f now undoes this. Add repocutter count and debug commands. Repocutter patches missing copyfrom source revisions. Added repocutter swapcheck command for sanity checking.
4.33: 2022-12-21
Some potentially unsafe shellouts have been fixed. Format –fossil is no loinger broken. Fix segfault when listing descendants of orphaned commit. Ensure that repocutter is quieted when output is not stdout.
Managing multiple security vendors is proving to be a significant challenge for organizations, leading to difficulties in integration, visibility, and control. Recent surveys and reports have identified numerous problems associated with managing an assortment of security products from different vendors, and that managing multiple vendors was cited as the top challenge in achieving an effective security posture.
“Simplicity is the ultimate sophistication.” – Leonardo da Vinci
To mitigate security risks, one effective approach is to consolidate vendors. This strategy can enhance security management, simplify operations, and reduce complexity. In this article, we evaluate the risks of managing numerous security tools and solutions, as well as the benefits of vendor consolidation.
FortiGuard Labs has observed threat actors continuing to exploit an arbitrary command injection vulnerability in Realtek Jungle SDK (CVE-2021-35394). Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on vulnerable devices, leading to system compromise. Realtek Jungle SDK based IoT devices are available from multiple vendors.Why is this Significant?This is significant because FortiGuard Labs is still detecting high counts (upwards of 6,000 devices per day) of CVE-2021-35394 being exploited in the wild even after a patch was released in August 2021. As such, it is recommended that the patch is applied as soon as possible when possible. CISA added CVE-2021-35394 to the Known Exploited Vulnerability (KEV) Catalog on December 10th, 2021.What is CVE-2021-35394?CVE-2021-35394 is an arbitrary command injection vulnerability that affects UDPServer in Realtek Jungle SDK version v2.0 up to v3.4.14B. Threat actors can leverage the vulnerability to execute arbitrary code on vulnerable devices, leading to system compromise. The vulnerability has a CVSS base score of 9.8.Malware such as RedGoBot, GooberBot, Mirai, Gafgyt and Mozi are reportedly associated with CVE-2021-35394.Has the Vendor Released an Advisory?Yes, Realtek released an advisory on August 15th, 2021. See the Appendix for a link to “Realtek AP-Router SDK Advisory (CVE-2021-35392/CVE-2021-35393/CVE-2021-35394/CVE-2021-35395)”.Has the Vendor Released a Patch for CVE-2021-35394?Yes, a patch from Realtek is available, however IoT device manufactures need to distribute the patch to their end products.What is the Status of Protection?FortiGuard Labs has the following IPS signature in place for CVE-2021-35394:Realtek.SDK.UDPServer.Command.Execution
A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.
A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.
A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.
A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name of the patch is e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403.
