This vulnerability allows remote attackers to bypass authentication on affected installations of SolarWinds Access Rights Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-28990.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of mySCADA myPRO. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2024-4708.
Multiple issues were found in Git, a fast, scalable, distributed
revision control system, which may result in file overwrites outside the
repository, arbitrary configuration injection or arbitrary code
execution.
openssl-3.2.2-7.fc41
Fix CVE-2024-5535: SSL_select_next_proto buffer overread
Ireland’s Data Protection Commission launches inquiry into whether Google followed GDPR rules over AI model training
Starting October 1, WordPress plugin and theme developers must enable 2FA. This move aims to boost security and help prevent supply-chain attacks from targeting millions of websites.
Read more in my article on the Tripwire State of Security blog.
Microsoft is updating SymCrypt, its core cryptographic library, with new quantum-secure algorithms. Microsoft’s details are here. From a news article:
The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST). The KEM in the new name is short for key encapsulation. KEMs can be used by two parties to negotiate a shared secret over a public channel. Shared secrets generated by a KEM can then be used with symmetric-key cryptographic operations, which aren’t vulnerable to Shor’s algorithm when the keys are of a sufficient size.
The ML in the ML-KEM name refers to Module Learning with Errors, a problem that can’t be cracked with Shor’s algorithm. As explained here, this problem is based on a “core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed security and concrete efficiency.”
ML-KEM, which is formally known as FIPS 203, specifies three parameter sets of varying security strength denoted as ML-KEM-512, ML-KEM-768, and ML-KEM-1024. The stronger the parameter, the more computational resources are required.
The other algorithm added to SymCrypt is the NIST-recommended XMSS. Short for eXtended Merkle Signature Scheme, it’s based on “stateful hash-based signature schemes.” These algorithms are useful in very specific contexts such as firmware signing, but are not suitable for more general uses.
Ransomware gangs are targeting schools and higher education, with victims facing soaring ransom and recovery costs
TfL has revealed that some customer data was accessed in a recent cyber-attack, potentially including the bank details of 5000 people
It was discovered that a race condition existed in the Bluetooth subsystem
in the Linux kernel, leading to a null pointer dereference vulnerability. A
privileged local attacker could use this to possibly cause a denial of
service (system crash). (CVE-2024-24860)
It was discovered that the JFS file system contained an out-of-bounds read
vulnerability when printing xattr debug information. A local attacker could
use this to cause a denial of service (system crash). (CVE-2024-40902)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– MIPS architecture;
– PowerPC architecture;
– SuperH RISC architecture;
– x86 architecture;
– ACPI drivers;
– Serial ATA and Parallel ATA drivers;
– Drivers core;
– GPIO subsystem;
– GPU drivers;
– Greybus drivers;
– HID subsystem;
– I2C subsystem;
– IIO subsystem;
– InfiniBand drivers;
– Media drivers;
– VMware VMCI Driver;
– MMC subsystem;
– Network drivers;
– Pin controllers subsystem;
– S/390 drivers;
– SCSI drivers;
– USB subsystem;
– GFS2 file system;
– JFFS2 file system;
– JFS file system;
– File systems infrastructure;
– NILFS2 file system;
– IOMMU subsystem;
– Sun RPC protocol;
– Netfilter;
– Memory management;
– B.A.T.M.A.N. meshing protocol;
– CAN network layer;
– Ceph Core library;
– Networking core;
– IPv4 networking;
– IPv6 networking;
– IUCV driver;
– MAC80211 subsystem;
– NET/ROM layer;
– Network traffic control;
– HD-audio driver;
– SoC Audio for Freescale CPUs drivers;
(CVE-2024-42154, CVE-2024-42093, CVE-2024-42096, CVE-2024-40984,
CVE-2024-39502, CVE-2024-36901, CVE-2024-41044, CVE-2024-40961,
CVE-2024-40981, CVE-2024-42236, CVE-2024-42232, CVE-2024-41041,
CVE-2024-40958, CVE-2024-40905, CVE-2024-42084, CVE-2024-40934,
CVE-2024-42124, CVE-2024-39505, CVE-2024-39506, CVE-2024-39501,
CVE-2021-46926, CVE-2024-40941, CVE-2024-42145, CVE-2024-41089,
CVE-2024-40932, CVE-2024-42224, CVE-2024-41097, CVE-2024-40959,
CVE-2024-42157, CVE-2024-39469, CVE-2024-39499, CVE-2024-40974,
CVE-2024-42094, CVE-2024-36894, CVE-2024-42087, CVE-2024-42104,
CVE-2023-52803, CVE-2024-41034, CVE-2024-40995, CVE-2023-52629,
CVE-2024-40912, CVE-2024-39484, CVE-2024-41006, CVE-2023-52760,
CVE-2024-41095, CVE-2024-41046, CVE-2024-42070, CVE-2023-52887,
CVE-2024-40960, CVE-2024-41007, CVE-2024-40901, CVE-2024-42119,
CVE-2024-40987, CVE-2024-42148, CVE-2024-41049, CVE-2024-40963,
CVE-2024-41087, CVE-2024-42223, CVE-2024-42090, CVE-2024-42105,
CVE-2024-42089, CVE-2024-40916, CVE-2024-40942, CVE-2024-40978,
CVE-2024-40902, CVE-2024-26921, CVE-2024-39495, CVE-2024-40943,
CVE-2024-36978, CVE-2024-26929, CVE-2024-40988, CVE-2024-39503,
CVE-2024-42101, CVE-2024-40904, CVE-2024-42086, CVE-2024-42106,
CVE-2024-26830, CVE-2024-41035, CVE-2024-42153, CVE-2024-39509,
CVE-2024-37078, CVE-2024-42076, CVE-2024-36974, CVE-2024-40980,
CVE-2024-40945, CVE-2024-39487, CVE-2024-42092, CVE-2024-38619,
CVE-2024-42127, CVE-2024-40968, CVE-2024-42115, CVE-2024-42102,
CVE-2024-42097)
