Sanctioned mixer Blender is actually Sinbad, says Elliptic
Yearly Archives: 2023
LSN-0091-1: Kernel Live Patch Security Notice
It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-41222)
Sönke Huster discovered that a use-after-free vulnerability existed in the WiFi driver stack in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-42719)
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.
Safari is a graphical web browser developed by Apple.
iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
macOS Monterey is the 18th release of macOS.
macOS Big Sur is the 17th release of macOS.
iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
macOS Ventura is the 19th and current major release of macOS.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
DSA-5348 haproxy – security update
Two vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which may result in denial of service, or bypass of access controls and routing rules via specially crafted requests.
DSA-5349 gnutls28 – security update
Hubert Kario discovered a timing side channel in the RSA decryption implementation of the GNU TLS library.
gssntlmssp-1.2.0-1.fc37
FEDORA-2023-cb63c0f615
Packages in this update:
gssntlmssp-1.2.0-1.fc37
Update description:
Patched several CVEs reported by GitHub Security Lab
CVE-2023-25563
CVE-2023-25564
CVE-2023-25565
CVE-2023-25566
CVE-2023-25567
PLC vulnerabilities can enable deep lateral movement inside OT networks
Threat groups who target operational technology (OT) networks have so far focused their efforts on defeating segmentation layers to reach field controllers such as programmable logic controllers (PLCs) and alter the programs (ladder logic) running on them. However, researchers warn that these controllers should themselves be treated as perimeter devices and flaws in their firmware could enable deep lateral movement through the point-to-point and other non-routable connections they maintain to other low-level devices.
To exemplify such a scenario and highlight the risks, researchers from security firm Forescout used two vulnerabilities they discovered in Schneider Modicon PLCs to move deeper into a simulated OT architecture of a movable bridge and bypass all safety mechanisms to cause physical damage.
CVE-2015-10079
A vulnerability was found in juju2143 WalrusIRC 0.0.2. It has been rated as problematic. This issue affects the function parseLinks of the file public/parser.js. The manipulation of the argument text leads to cross-site scripting. The attack may be initiated remotely. Upgrading to version 0.0.3 is able to address this issue. The name of the patch is 45fd885895ae13e8d9b3a71e89d59768914f60af. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220751.
On Pig Butchering Scams
“Pig butchering” is the colorful name given to online cons that trick the victim into giving money to the scammer, thinking it is an investment opportunity. It’s a rapidly growing area of fraud, and getting more sophisticated.
Cybersecurity Experts Warn Against Valentine’s Day Romance Scams
Victim losses associated with online romance scams nationwide totaled approximately $5.9bn in 2021.