AI news is bad news, an online service to catch your cheating partner, and an IoT-enabled dick cage fails to keep a grip on its own security.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
Plus don’t miss our featured interview with Alex Lawrence, principal security architect at Sysdig.
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate MFT flags in certain situations. An
attacker could use this to construct a malicious NTFS image that, when
mounted and operated on, could cause a denial of service (system crash).
(CVE-2022-48425)
Zi Fan Tan discovered that the binder IPC implementation in the Linux
kernel contained a use-after-free vulnerability. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2023-21255)
It was discovered that a race condition existed in the f2fs file system in
the Linux kernel, leading to a null pointer dereference vulnerability. An
attacker could use this to construct a malicious f2fs image that, when
mounted and operated on, could cause a denial of service (system crash).
(CVE-2023-2898)
It was discovered that the DVB Core driver in the Linux kernel did not
properly handle locking events in certain situations. A local attacker
could use this to cause a denial of service (kernel deadlock).
(CVE-2023-31084)
Yang Lan discovered that the GFS2 file system implementation in the Linux
kernel could attempt to dereference a null pointer in some situations. An
attacker could use this to construct a malicious GFS2 image that, when
mounted and operated on, could cause a denial of service (system crash).
(CVE-2023-3212)
It was discovered that the KSMBD implementation in the Linux kernel did not
properly validate buffer sizes in certain operations, leading to an out-of-
bounds read vulnerability. A remote attacker could use this to cause a
denial of service (system crash) or possibly expose sensitive information.
(CVE-2023-38426, CVE-2023-38428)
It was discovered that the KSMBD implementation in the Linux kernel did not
properly calculate the size of certain buffers. A remote attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2023-38429)
netconsd-0.3-1.fc38
Update to prevent invalid fragment values from leading to a buffer overrun
netconsd-0.3-1.el9
Update to prevent invalid fragment values from leading to a buffer overrun
netconsd-0.3-1.fc39
Update to prevent invalid fragment values from leading to a buffer overrun
netconsd-0.3-1.el8
Update to prevent invalid fragment values from leading to a buffer overrun
netconsd-0.3-1.fc37
Update to prevent invalid fragment values from leading to a buffer overrun
FAIR is a leading methodology for quantifying and managing information risk. Here’s how a CIS SecureSuite Membership can support your risk analysis.
A vulnerability has been discovered in Cisco BroadWorks Application Delivery Platform and Xtended Services Platform which could allow for arbitrary code execution. Cisco BroadWorks Application Delivery Platform and Xtended Services Platform is an enterprise-grade calling and collaboration platform that integrates with Cisco Webex to meet the full range of enterprise communications and collaboration needs. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Here is an overview of the CIS Benchmarks that the Center for Internet Security updated or released for September 2023.
