It was discovered that SNI Proxy did not properly handle wildcard backend
hosts. An attacker could possibly use this issue to cause a buffer overflow,
resulting in a denial of service, or arbitrary code execution.
Daily Archives: June 12, 2023
CVE-2022-38156
A remote command injection issues exists in the web server of the Kratos SpectralNet device with SpectralNet Narrowband (NB) before 1.7.5. As an admin user, an attacker can send a crafted password in order to execute Linux commands as the root user.
USN-6157-1: GlusterFS vulnerability
Tao Lyu discovered that GlusterFS did not properly handle certain event
notifications. An attacker could possibly use this issue to cause a denial
of service.
CVE-2022-45827
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GalleryPlugins Video Contest plugin <=Â 3.2 versions.
Data Flows Between UK and US to be Simplified Under New Agreement
The ‘data bridge’ is an extension to the Data Privacy Framework agreed between the US and EU last year
USN-6156-1: SSSD vulnerability
It was discovered that SSSD incorrrectly sanitized certificate data used in
LDAP filters. When using this issue in combination with FreeIPA, a remote
attacker could possibly use this issue to escalate privileges.
Cycode’s free CI/CD monitoring tool offers new DevOps visibility
Cycode’s new Cimon monitoring tool for continuous integration and continuous delivery is designed to offer a new level of visibility into the CI/CD process, securing code against data exfiltration and other malicious activity.
According to the company’s announcement, Cimon — short for CI Monitor — is a runtime security agent that uses the enhanced Berkeley Packet Filter (eBPF) system to look directly into the CI pipeline, develop a baseline understanding of what normal behavior looks like, and monitor for abnormalities.
The use of eBPF, according to Cycode head of security research Alex Ilgayev, provides for flexibility and visibility into the operating system.
USN-6155-1: Requests vulnerability
Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly
leaked Proxy-Authorization headers. A remote attacker could possibly use
this issue to obtain sensitive information.
USN-6154-1: Vim vulnerabilities
It was discovered that Vim was using uninitialized memory when fuzzy
matching, which could lead to invalid memory access. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu
23.04. (CVE-2023-2426)
It was discovered that Vim was not properly performing bounds checks when
processing register contents, which could lead to a NULL pointer
dereference. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. (CVE-2023-2609)
It was discovered that Vim was not properly limiting the length of
substitution expression strings, which could lead to excessive memory
consumption. An attacker could possibly use this issue to cause a denial
of service. (CVE-2023-2610)
AI-Generated Steganography
New research suggests that AIs can produce perfectly secure steganographic images:
Abstract: Steganography is the practice of encoding secret information into innocuous content in such a manner that an adversarial third party would not realize that there is hidden meaning. While this problem has classically been studied in security literature, recent advances in generative models have led to a shared interest among security and machine learning researchers in developing scalable steganography techniques. In this work, we show that a steganography procedure is perfectly secure under Cachin (1998)’s information theoretic-model of steganography if and only if it is induced by a coupling. Furthermore, we show that, among perfectly secure procedures, a procedure is maximally efficient if and only if it is induced by a minimum entropy coupling. These insights yield what are, to the best of our knowledge, the first steganography algorithms to achieve perfect security guarantees with non-trivial efficiency; additionally, these algorithms are highly scalable. To provide empirical validation, we compare a minimum entropy coupling-based approach to three modern baselines—arithmetic coding, Meteor, and adaptive dynamic grouping—using GPT-2, WaveRNN, and Image Transformer as communication channels. We find that the minimum entropy coupling-based approach achieves superior encoding efficiency, despite its stronger security constraints. In aggregate, these results suggest that it may be natural to view information-theoretic steganography through the lens of minimum entropy coupling.
News article.