USN-6290-1: LibTIFF vulnerabilities

Read Time:2 Minute, 17 Second

It was discovered that LibTIFF could be made to write out of bounds when
processing certain malformed image files with the tiffcrop utility. If a
user were tricked into opening a specially crafted image file, an attacker
could possibly use this issue to cause tiffcrop to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2022-48281)

It was discovered that LibTIFF incorrectly handled certain image files. If
a user were tricked into opening a specially crafted image file, an
attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 23.04. (CVE-2023-2731)

It was discovered that LibTIFF incorrectly handled certain image files
with the tiffcp utility. If a user were tricked into opening a specially
crafted image file, an attacker could possibly use this issue to cause
tiffcp to crash, resulting in a denial of service. (CVE-2023-2908)

It was discovered that LibTIFF incorrectly handled certain file paths. If
a user were tricked into specifying certain output paths, an attacker
could possibly use this issue to cause a denial of service. This issue
only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-3316)

It was discovered that LibTIFF could be made to write out of bounds when
processing certain malformed image files. If a user were tricked into
opening a specially crafted image file, an attacker could possibly use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2023-3618)

It was discovered that LibTIFF could be made to write out of bounds when
processing certain malformed image files. If a user were tricked into
opening a specially crafted image file, an attacker could possibly use
this issue to cause a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and
Ubuntu 23.04. (CVE-2023-25433, CVE-2023-26966)

It was discovered that LibTIFF did not properly managed memory when
processing certain malformed image files with the tiffcrop utility. If a
user were tricked into opening a specially crafted image file, an attacker
could possibly use this issue to cause tiffcrop to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2023-26965)

It was discovered that LibTIFF contained an arithmetic overflow. If a user
were tricked into opening a specially crafted image file, an attacker
could possibly use this issue to cause a denial of service.
(CVE-2023-38288, CVE-2023-38289)

Read More

Anomaly in Fedora `dnf update`: md5 mismatch of result

Read Time:29 Second

Posted by Georgi Guninski on Aug 15

In short, I found anomaly in Fedora 37 and would like to
know if it is vulnerability.

As root type in terminal:
dnf update

If there is kernel update, watch stdout and stderr for:

##On Mon Aug 14 05:33:29 AM UTC 2023
(2/6): kernel-6.4.10-100.fc37.x86_64.rpm 1.2 MB/s | 140 kB 00:00
/var/cache/dnf/updates-fd4d3d0d1c34d49a/packages/kernel-modules-extra-6.4.9-100.fc37_6.4.10-100.fc37.x86_64.drpm:
md5 mismatch of result

##$ md5sum…

Read More

Missing Immutable Root of Trust in Hardware (CWE-1326) / CVE-2023-22955

Read Time:19 Second

Posted by Moritz Abrell via Fulldisclosure on Aug 15

Advisory ID: SYSS-2022-055
Product: AudioCodes VoIP Phones
Manufacturer: AudioCodes Ltd.
Affected Version(s): Firmware Versions >= 3.4.4.1000
Tested Version(s): Firmware Version 3.4.4.1000
Vulnerability Type: Missing Immutable Root of Trust in Hardware (CWE-1326)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2022-11-14
Solution…

Read More

Use of Hard-coded Cryptographic Key (CWE-321) / CVE-2023-22956

Read Time:19 Second

Posted by Moritz Abrell via Fulldisclosure on Aug 15

Advisory ID: SYSS-2022-054
Product: AudioCodes VoIP Phones
Manufacturer: AudioCodes Ltd.
Affected Version(s): Firmware Versions >= 3.4.8.M4
Tested Version(s): Firmware Version 3.4.4.1000
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2022-11-11
Solution Date:…

Read More

Use of Hard-coded Cryptographic Key (CWE-321) / CVE-2023-22957

Read Time:19 Second

Posted by Moritz Abrell via Fulldisclosure on Aug 15

Advisory ID: SYSS-2022-052
Product: AudioCodes VoIP Phones
Manufacturer: AudioCodes Ltd.
Affected Version(s): Firmware Versions >= 3.4.8.M4
Tested Version(s): Firmware Version 3.4.4.1000
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2022-11-11
Solution Date:…

Read More

Get the AT&T Cybersecurity Insights Report: Focus on US SLED

Read Time:5 Minute, 17 Second

We’re pleased to announce the availability of the 2023 AT&T Cybersecurity Insights Report™: Focus on State and Local government and higher Education in the United States (US SLED). It looks at the edge ecosystem, surveying US SLED leaders, and provides benchmarks for assessing your edge computing plans. This is the 12th edition of our vendor-neutral and forward-looking report. Last year’s Focus on  US SLED report documented trends in securing the data, applications, and endpoints that rely on edge computing (get the 2022 report).

Get the complimentary 2023 report.

The robust quantitative field survey reached 1,418 security, IT, application development, and line of business professionals worldwide. The qualitative research tapped subject matter experts across the cybersecurity industry.

At the onset of our research, we established the following hypotheses.

Momentum edge computing has in the market.
Approaches to connecting and securing the edge ecosystem – including the role of trusted advisors to achieve edge goals.
Perceived risk and perceived benefit of the common use cases in each industry surveyed.

The results focus on common edge use cases in seven vertical industries – healthcare, retail, finance, manufacturing, energy and utilities, transportation, and US SLED- delivering actionable advice for securing and connecting an edge ecosystem, including external trusted advisors. Finally, it examines cybersecurity and the broader edge ecosystem of networking, service providers, and top use cases. For this Focus on US SLED, 178 respondents represented the vertical.

The role of IT is shifting, embracing stakeholders at the ideation phase of development.

Edge computing is a transformative technology that brings together various stakeholders and aligns their interests to drive integrated outcomes. The emergence of edge computing has been fueled by a generation of visionaries who grew up in the era of smartphones and limitless possibilities. Look at the infographic below for a topline summary of key findings.

In this paradigm, the role of IT has shifted from being the sole leader to a collaborative partner in delivering innovative edge computing solutions. In addition, we found that US SLED leaders are budgeting differently for edge use cases. These two things, along with an expanded approach to securing edge computing, were prioritized by our respondents in the 2023 AT&T Cybersecurity Insights Report: Edge Ecosystem.

In 2023, US SLED respondents’ primary edge use case is building management, which involves hosted HVAC applications, electricity and utility monitoring applications, and various sensors for large buildings. This is just the beginning of the evolution in the public sector to increase the value of public investments, so every dollar goes a bit further. In higher education, edge uses cases are being used for things like immersive and interactive learning and helping faculty to be more accessible with solutions like real-time feedback.

Edge computing brings the data closer to where decisions are made.

With edge computing, the intelligence required to make decisions, the networks used to capture and transmit data, and the use case management are distributed. Distributed means things work faster because nothing is backhauled to a central processing area such as a data center and delivers the near-real-time experience.

With this level of complexity, it’s common to re-evaluate decisions regarding security, data storage, or networking. The report shares the trends emerging as US SLED embraces edge computing. One area examined is expense allocation, and what we found may surprise you. The research reveals the allocation of investments across overall strategy and planning, network, application, and security for the anticipated use cases that organizations plan to implement within the next three years.

How to prepare for securing your edge ecosystem.

Develop your edge computing profile. It is essential to break down the barriers that typically separate the internal line of business teams, application development teams, network teams, and security teams. Technology decisions should not be made in isolation but rather through collaboration with a diverse group of stakeholders. Understanding the capabilities and limitations of all stakeholders makes it easier to identify gaps in evolving project plans.

The edge ecosystem is expanding, and expertise is available to offer solutions that address cost, implementation, mitigating risks, and more. Including expertise from the broader SLED edge ecosystem increases the chances of outstanding performance and alignment with organizational goals.

Develop an investment strategy. During edge use case development, organizations should carefully determine where and how much to invest. Think of it as part of monetizing the use case. Building security into the use case from the start allows the organization to consider security as part of the overall project cost. It’s important to note that no one-size-fits-all solution can provide complete protection for all aspects of edge computing. Instead, organizations should consider a comprehensive and multi-layered approach to address the unique security challenges of each use case.

Increase your compliance capabilities. Regulations in the public sector and for education can vary significantly. This underscores the importance of not relying solely on a checkbox approach or conducting annual reviews to help ensure compliance with the growing number of regulations. Keeping up with technology-related mandates and helping to ensure compliance requires ongoing effort and expertise. If navigating compliance requirements is not within your organization’s expertise, seeking outside help from professionals specializing in this area is advisable.

Align resources with emerging priorities. External collaboration allows organizations to utilize expertise and reduce resource costs. It goes beyond relying solely on internal teams within the organization. It involves tapping into the expanding ecosystem of edge computing experts who offer strategic and practical guidance. Engaging external subject matter experts (SMEs) to enhance decision-making can help prevent costly mistakes and accelerate deployment. These external experts can help optimize use case implementation, ultimately saving time and resources.

Build-in resilience. Consider approaching edge computing with a layered mindset. Take the time to ideate on various “what-if” scenarios and anticipate potential challenges. For example, what measures exist if a private 5G network experiences an outage? Can data remain secure when utilizing a public 4G network? How can business-as-usual operations continue in the event of a ransomware attack?

Successful SLED edge computing implementations require a holistic approach encompassing collaboration, compliance, resilience, and adaptability. By considering these factors and proactively engaging with the expertise available, organizations can unlock the full potential of edge computing to deliver improved outcomes, operational efficiency, and cost-effectiveness.

Read More