It was discovered that json-c incorrectly handled certain JSON files.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code.
Monthly Archives: August 2023
CVE-2020-27366
Cross Site Scripting (XSS) vulnerability in wlscanresults.html in Humax HGB10R-02 BRGCAB version 1.0.03, allows local attackers to execute arbitrary code.
USN-6309-1: Linux kernel vulnerabilities
Zheng Zhang discovered that the device-mapper implementation in the Linux
kernel did not properly handle locking during table_clear() operations. A
local attacker could use this to cause a denial of service (kernel
deadlock). (CVE-2023-2269)
It was discovered that a use-after-free vulnerability existed in the HFS+
file system implementation in the Linux kernel. A local attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-2985)
It was discovered that the DVB Core driver in the Linux kernel did not
properly handle locking events in certain situations. A local attacker
could use this to cause a denial of service (kernel deadlock).
(CVE-2023-31084)
It was discovered that the virtual terminal driver in the Linux kernel
contained a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly expose sensitive
information (kernel memory). (CVE-2023-3567)
It was discovered that the Quick Fair Queueing network scheduler
implementation in the Linux kernel contained an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-3611)
It was discovered that the network packet classifier with
netfilter/firewall marks implementation in the Linux kernel did not
properly handle reference counting, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-3776)
USN-6308-1: Libqb vulnerability
It was discovered that Libqb incorrectly handled certain messages.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code.
libtiff-4.4.0-8.fc38
FEDORA-2023-8daf1023c7
Packages in this update:
libtiff-4.4.0-8.fc38
Update description:
Enabled LERC compression support
Fixed CVE-2023-0804
Multiple Vulnerabilities in ChromeOS Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in ChromeOS, the most severe of which could allow for arbitrary code execution. ChromeOS is a Linux-based operating system developed and designed by Google. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
CVE-2018-25089
A vulnerability was found in glb Meetup Tag Extension 0.1 on MediaWiki. It has been rated as problematic. This issue affects some unknown processing of the component Link Attribute Handler. The manipulation leads to use of web link to untrusted target with window.opener access. Upgrading to version 0.2 is able to address this issue. The identifier of the patch is 850c726d6bbfe0bf270801fbb92a30babea4155c. It is recommended to upgrade the affected component. The identifier VDB-238157 was assigned to this vulnerability.
CVE-2017-20186
** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in nikooo777 ckSurf up to 1.19.2. It has been declared as problematic. This vulnerability affects the function SpecListMenuDead of the file csgo/addons/sourcemod/scripting/ckSurf/misc.sp of the component Spectator List Name Handler. The manipulation of the argument cleanName leads to denial of service. Upgrading to version 1.21.0 is able to address this issue. The name of the patch is fd6318d99083a06363091441a0614bd2f21068e6. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-238156. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Remotely Stopping Polish Trains
Turns out that it’s easy to broadcast radio commands that force Polish trains to stop:
…the saboteurs appear to have sent simple so-called “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train—sending a series of three acoustic tones at a 150.100 megahertz frequency—and trigger their emergency stop function.
“It is three tonal messages sent consecutively. Once the radio equipment receives it, the locomotive goes to a halt,” Olejnik says, pointing to a document outlining trains’ different technical standards in the European Union that describes the “radio-stop” command used in the Polish system. In fact, Olejnik says that the ability to send the command has been described in Polish radio and train forums and on YouTube for years. “Everybody could do this. Even teenagers trolling. The frequencies are known. The tones are known. The equipment is cheap.”
Even so, this is being described as a cyberattack.
Biden’s IoT Cybersecurity initiative
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
The Biden Administration has recently announced the implementation of a cybersecurity labeling program for smart devices. Overseen by the Federal Communication Commission (FCC), this new program seeks to address the security of Internet of Things (IoT) devices nationwide. This announcement is in response to an increasing number of smart devices that fall victim to hackers and malware (AP News).
As IoT devices increase in popularity in homes, offices, and other settings, these labels allow consumers to be aware of their digital safety. The cybersecurity labeling program will mandate manufacturers of smart devices to meet certain cybersecurity standards before releasing their products into the market. Each smart device will be required to have a standardized cybersecurity label. Labels will serve as an indicator of the device’s security level and inform consumers about the device’s compliance with security standards. Devices that meet the highest level of security will be awarded a “Cyber Trust Mark,” indicating their adherence to the most stringent security measures.
The program will be able to hold companies accountable for producing secure devices while also giving customers the information they need to make informed decisions while purchasing IoT devices. Examples of IoT devices include smart watches, home assistants, Ring cameras, thermostats, and smart appliances. New technologies such as these have grown increasingly more present in modern life.
However, hackers have continued to exploit vulnerabilities in these devices, which compromise user privacy. These devices also allow hackers to gain entry to consumers’ larger networks. In the last quarter of 2022, there was a 98% increase in malware targeting IoT devices. New malware variants also spiked, rising 22% on the year (Tech Monitor). Compared to 2018, 2022 had more than 3 times the amount of IoT malware attacks (Statista).
Economically motivated attacks have been on the rise, and a larger number of consumers’ personal devices are being breached through IoT devices on the same network. Hackers then hold users’ devices until they are paid a ransom in cryptocurrency to keep the transaction anonymous. This rise in cybersecurity attacks can be contributed to the fact that it has become easier than ever for hackers to target networks. With Raas (Ransomware as a Service) offerings, hackers don’t need any previous cybersecurity expertise, as they can buy software written by ransomware operators. Because IoT devices are often left with default passwords and are easily hackable, they have been becoming a larger target for hackers.
IoT devices have been breached multiple times in the past resulting in leaks for big corporations such as NASA. In 2018, a NASA laboratory was breached through an IoT device added to its network by hackers. Another example of an IoT hack was the Mirai Botnet hack in 2016. Hackers used malware to infect an IoT device, which they later used to infiltrate other devices through a shared network. The malware would then use the default name and password to log into devices and continue to replicate itself.
IoT devices aren’t limited to just small gadgets that play a role in the home. In 2015, Jeep was hacked by a team from IBM, who used a firmware update to take control of the car’s steering, acceleration, and more (IoT Solutions World Congress). Because of electric cars increasing popularity, companies need to be aware of potential security risks that could cause harm to drivers.
After the implementation of Biden’s new program, IoT devices will be vetted and consumers will be shown the safety rating for each of the devices. The cybersecurity rating of each device is determined by evaluations and testing procedures carried out by FCC inspectors. These evaluations will make sure that devices can withstand potential cyber threats and protect users’ private data.
Some methods that hackers often use are brute force attacks, man-in-the-middle attacks, and malware attacks. Brute force attacks involve hackers using programs to repeatedly try to guess a device’s password, man-in-the-middle attacks involve hackers intercepting communications between a device and the internet, and malware attacks are when hackers use malware to take over IoT devices and eventually entire networks (Pass Camp). The cybersecurity labeling program has been highly praised by cybersecurity professionals across the industry. It is an important step towards building a more secure online network while also allowing consumers to make knowledgeable decisions on what they are buying.
However, some critics have voiced concerns about the program. The rapidly evolving nature of technology could lead to a lag in new security standards, which could leave devices outdated in security certifications. To address this, the program is expected to include provisions for periodic reviews to ensure that standards remain relevant and up to date.
In conclusion, the Biden administration’s announcement of the cybersecurity labeling program for smart devices marks a significant milestone in the ongoing efforts to enhance cybersecurity and safeguard consumer interests. Consumers can also make efforts to secure their own devices by using stronger passwords, keeping software up to date, and securing their networks. By incentivizing manufacturers to prioritize security in their product development and providing consumers with transparent information, the program aims to create a more secure and trustworthy environment for the increasingly connected world of smart devices. As the program takes effect, it is hoped that it will foster greater confidence in the IoT industry and encourage the adoption of robust cybersecurity programs across the board.
The author of this blog works at Perimeterwatch.