The non-profit said its systems were compromised between August 2021 and April 2022
Yearly Archives: 2023
Remote Vulnerabilities in Automobiles
Centos Web Panel 7 Unauthenticated Remote Code Execution – CVE-2022-44877
Posted by Numan TÜRLE on Jan 06
[+] Centos Web Panel 7 Unauthenticated Remote Code Execution
[+] Centos Web Panel 7 – < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Vendor: https://centos-webpanel.com/ – https://control-webpanel.com/changelog#1669855527714-450fb335-6194
[+] CVE: CVE-2022-44877
Description
————–
Bash commands can be run because double quotes are used to log incorrect…
14 UK schools suffer cyberattack, highly confidential documents leaked
More than a dozen schools in the UK have suffered a cyberattack which has led to highly confidential documents being leaked online by cybercriminals. That’s according to a report from the BBC which claimed that children’s SEN information, child passport scans, staff pay scales and contract details have been stolen by notorious cybercrime group Vice Society, known for disproportionately targeting the education sector with ransomware attacks in the UK and other countries.
Passport, contract data stolen and posted on dark web
Pates Grammar School in Gloucestershire is one of 14 to have been impacted by the data breach, the BBC reported, with Vice Society hackers using generic search terms to steal documents. “One folder marked ‘passports’ contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked ‘contract’ contains contractual offers made to staff alongside teaching documents on muscle contractions. Another folder marked ‘confidential’ contains documents on the headmaster’s pay and student bursary fund recipients,” the BBC wrote. The hack at Pates is estimated to have taken place on September 28 before data was published on the dark web. The UK Information Commissioner’s Office (ICO) and Gloucestershire Police confirmed they were investigating the alleged breaches in 2022.
CVE-2014-125049
** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in typcn Blogile. Affected is the function getNav of the file server.js. The manipulation of the argument query leads to sql injection. The name of the patch is cfec31043b562ffefe29fe01af6d3c5ed1bf8f7d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217560. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2014-125048
A vulnerability, which was classified as critical, has been found in kassi xingwall. This issue affects some unknown processing of the file app/controllers/oauth.js. The manipulation leads to session fixiation. The name of the patch is e9f0d509e1408743048e29d9c099d36e0e1f6ae7. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217559.
Twitter’s mushrooming data breach crisis could prove costly
Since Elon Musk purchased Twitter in late October, non-stop turmoil and controversy have dogged the company, from massive staff firings and resignations to reputational damage from Musk’s careless and often bizarre tweets. Now, mushrooming concern around a possible data breach stemming from a now-fixed Twitter flaw is poised to drive the company further down unless Twitter takes quick action.
Even as regulators in Europe begin to probe what appears to be a massive Twitter data breach, Twitter and Elon Musk have failed to comment publicly on the true extent of the breach. Experts say that unless Twitter gets ahead of the curve, informs regulators of the facts, and notifies users of how much of their public and private information has been exposed, the company could suffer serious financial and operating consequences.
CVE-2014-125047
A vulnerability classified as critical has been found in tbezman school-store. This affects an unknown part. The manipulation leads to sql injection. The name of the patch is 2957fc97054216d3a393f1775efd01ae2b072001. It is recommended to apply a patch to fix this issue. The identifier VDB-217557 was assigned to this vulnerability.
UK Schools Hit by Mass Leak of Confidential Data
Confidential data including child passport scans and staff pay scales have been leaked following cyber-attacks in 2022
How do the latest iPhone updates address Cybersecurity issues?
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Apple is typically known for its minimal design, user-friendly UI, and hardware. But, the success of their products, especially iPhones, has long relied upon timely cybersecurity updates and their effectiveness. The prolonged support that they promise to their devices, in addition to hardware, also revolves around the OS and security updates.
That’s why you may still see security updates for older devices that aren’t upgradable to iOS 16 still being released. We’ll talk about a few latest security updates that have recently surfaced because of known and unknown vulnerabilities.
However, as a user, you may like to know how these updates are prioritized and why you should update your devices regularly.
Every vulnerability that has been detected gets ranked by a Common Vulnerability Scoring System (CVSS) and is denoted by a CVE serial number (CVE-Year-XXXXXX) that is used to track its status. For example, the log4j vulnerability, which impacted millions of systems worldwide, was ranked 10 out of 10. The updates are prioritized and released depending on that score.
iOS 15.7.2 security update
The major security updates of iOS 15.7.2 are discussed below.
AppleAVD (Malicious Video File)
With a CVSS score of 7.8 and regarded as a high risk, AppleAVD vulnerability (CVE-2022-46694) increases the potential risk of a malicious video file writing out-of-bound and executing kernel code. Although user interaction is required for the vulnerability to be efficacious, risky downloaded videos may present issues with privacy and cybersecurity with this. The vulnerability was patched with improved input validation.
AVEVideoEncoder (Kernel Privileges)
Like AppleAVD, AVEVideoEncoder vulnerability (CVE-2022-42848) also has a 7.8 CVSS score. However, the difference between these two is the AVEVideoEncoder vulnerability is related to an app that can access kernel privileges through user interaction and execute arbitrary code to jeopardize user security. The issue was fixed with improved checks.
File System (Sandbox Issue)
In cybersecurity, sandbox defines a virtually isolated environment to run, observe, and analyze code. Typically, sandboxing is facilitated to imitate user interaction without involving active users. However, in complex operating systems like iOS, each app is caged in its own sandbox to limit its activity. The File System Vulnerability (CVE-2022-426861) revolves around malicious apps breaking out of the sandbox and executing kernel code. As it doesn’t require user interaction to act maliciously, it has a very high CVSS rating of 8.8. The issue was patched with improved checks. This vulnerability is one of the most critical reasons why you should stay updated with the latest iPhone releases.
Graphics Driver (Malicious Video File, System Termination)
With a medium CVSS rating of 5.5, the CVE-2022-42846 Graphics Driver vulnerability is capable of terminating systems through buffer overflow with malicious video files crafted for that particular purpose. Although user interaction is required, the impact of such attacks has severe implications on user experience and integrity. The issue was patched in the security update 15.7.2 with improved memory handling.
libxml2
libXML2 is generally used for parsing XML documents that transport text files containing structured data. This particular vulnerability with libxml2 (CVE-2022-40304) is assigned a CVSS base score of 7.8 and is capable of corrupting a hash table key—ultimately leading to logic errors—making the programs behave arbitrarily. This issue had occurred due to an integer overflow and was mitigated through improved input validation.
WebKit (Processing Malicious Web Content)
Websites without security certifications and compliances often contain malicious codes that may lead to cybersecurity issues. As these malicious actors do their best to hide the fact, this particular WebKit issue (CVE-2022-46691) comes with a CVSS score of 8.8 and is considered a direct threat to the security of iPhones and iPads. This was patched in the latest update through improved memory handling.
iOS 16.2 security update
Most of the updates mentioned in the 15.7.2 update are also present in the 16.2 security patch released on 13th December 2022 for devices like the Apple iPhone 14 Plus. We won’t be discussing them again unless there is a major difference present in how the vulnerability was patched.
Accounts (Unauthorized User Access)
The CVE-2022-42843 vulnerability, AKA Accounts, is a 5.5-grade low-level issue that has been patched in the 16.2 security update. The issue mainly revolves around users viewing sensitive information of other users. While it has a high confidentiality impact, it doesn’t particularly affect the integrity of the apps or the database. The issue was fixed through improved data protection measures.
AppleMobileFileIntegrity (Bypass Privacy Preferences)
Privacy is considered paramount for iPhones. Although still a medium risk (5.5) vulnerability, the AppleMobileFileIntegrity issue (CVE-2022-42865) was prioritized in the recent updates due to apps using this to bypass privacy preferences and breach user confidentiality. This issue was fixed by enabling hardened runtime that prevents code injection, process memory tampering, and DLL hijacking.
CoreServices (Removal of Vulnerable Code)
Owing to the close nature of Apple, the CoreServices update (CVE-2022-42859) doesn’t specify any major changes that were made to the codes, but it promises to have removed a piece of vulnerable code that could enable an app to bypass privacy preferences to jeopardize confidentiality. The CVSS score is a medium 5.5 for this update.
GPU Drivers (Disclose Kernel Memory)
An issue with the GPU drivers in the CVE-2022-46702 vulnerability was detected for a malicious app to be able to disclose kernel memory. Kernel memory is strictly local memory loaded in the physical device’s RAM. As user interaction is required for the app to act maliciously, a medium 5.5 CVSS score was given. The issue was fixed to better memory handling.
ImageIO (Arbitrary Code Execution)
Mostly related to iCloud, but also seen in iOS itself, ImageIO issue with CVE-2022-46693 was detected to empower malicious files to execute arbitrary code. It was given a high CVSS score of 7.8 due to the arbitrary nature of the vulnerability. However, it requires user interaction, like locating and downloading that file(s). This out-of-bound issue was mitigated through improved input validation.
The bottom line
As you may already have understood, these updates are critical for your device to function securely and keep you safe from identity thefts and literal monetary risks. As these vulnerabilities are often made public for development purposes, malicious criminals often try to target devices that are yet to be updated. Therefore, you shouldn’t wait even a single day to install them.