Royal Mail cyber security still a mess, say infosec researchers

November 13, 2023 at 01:32AM

The UK’s Royal Mail has been found to have an open redirect flaw on one of its websites, which potentially exposes customers to malware infections and phishing attacks. The vulnerability allows attackers to use the legitimate website to redirect users to malicious sites. Royal Mail has been notified of the flaw but has not responded. Other critical vulnerabilities identified this week include a flaw in the Service Location Protocol and flaws in Johnson Controls’ Quantum HD Unity and Veeam’s data management software. Maine’s state government has admitted that its data was exposed when its MOVEit file transfer application was breached, affecting approximately 1.3 million people. A radiology group in New York state has been fined $450,000 for failing to upgrade its systems and protect patient data from a ransomware attack.

Summary:

1. UK’s Royal Mail has left an open redirect flaw on one of its sites, potentially exposing customers to malware infections and phishing attacks. The specific site with the security flaw has not been disclosed, but it appears to still be exploitable.

2. There are several critical vulnerabilities to be aware of:
– CVE-2023-29552: A vulnerability in the Service Location Protocol allows unauthenticated remote attackers to register arbitrary services and conduct a denial-of-service attack.
– CVE-2023-4804: Johnson Controls’ Quantum HD Unity exposes debug features to unauthorized users.
– CVE-2023-38548: Veeam ONE allows an unprivileged user to acquire the NTLM hash of the Veeam ONE Reporting Service account.
– CVE-2023-47610: Telit Cinterion modules copy data into buffers without checking input size, potentially allowing code execution via specially crafted SMS messages.

3. Maine’s state government’s MOVEit instance was compromised, potentially exposing data of approximately 1.3 million people. The stolen data includes personally identifiable information such as names, social security numbers, birthdates, tax information, and medical information.

4. US Radiology Specialists in New York has been fined $450,000 for failing to upgrade its systems, leading to a ransomware attack that compromised the personal information of 92,000 residents. The attackers stole names, birthdates, social security numbers, driver’s license information, diagnoses, and other personal data.
