FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability

August 12, 2024 at 07:12AM The FreeBSD Project has released security updates for a high-severity flaw in its OpenSSH (CVE-2024-7589) that can lead to unauthenticated remote code execution as root. A signal handler in sshd(8), which fires when a client fails to authenticate within LoginGraceTime, calls a logging function that is not async-signal-safe; because the handler runs in sshd's privileged, unsandboxed parent process, an attacker who wins the resulting race gains root. Users are …
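The bug class behind the FreeBSD advisory, shown here as an added illustration in C that is not sshd's code: a signal handler that calls a non-reentrant logger re-enters it when the signal lands in the middle of an ongoing call, whereas a handler that only sets a sig_atomic_t flag leaves the logging to the main loop. The logger, its re-entry counter and the simulated alarm are constructed for this example; raise(SIGALRM) stands in for the LoginGraceTime alarm expiring.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not sshd code: a logger that keeps global state while
 * it formats a message. It is not async-signal-safe, because a handler that
 * calls it can land in the middle of a call that is already in progress. */
static char logbuf[128];
static int  logger_busy;
static int  reentered;        /* how often the logger was re-entered mid-call */

/* interrupt_midway simulates the grace-time alarm firing while this call is
 * still formatting, i.e. inside the window the race needs. */
static void fragile_log(const char *msg, int interrupt_midway)
{
    if (logger_busy)
        reentered++;          /* in the real thing: corrupted logger state */
    logger_busy = 1;
    if (interrupt_midway)
        raise(SIGALRM);       /* stands in for alarm(LoginGraceTime) expiring */
    snprintf(logbuf, sizeof logbuf, "%s", msg);
    logger_busy = 0;
}

/* Vulnerable pattern: the handler logs directly and re-enters fragile_log.
 * Note that its own message is overwritten when the interrupted call resumes. */
static void grace_timeout_unsafe(int sig)
{
    (void)sig;
    fragile_log("Timeout before authentication", 0);
}

/* Hardened pattern: the handler only records the event in a sig_atomic_t
 * flag; all logging happens later from ordinary (non-signal) context. */
static volatile sig_atomic_t grace_expired;
static void grace_timeout_safe(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Called from the main loop; returns 1 if a timeout was pending and logged. */
static int drain_grace_timeout(void)
{
    if (!grace_expired)
        return 0;
    grace_expired = 0;
    fragile_log("Timeout before authentication", 0);
    return 1;
}

static int install_handler(void (*fn)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fn;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Runs the race with the unsafe handler; returns the re-entry count (1). */
int run_unsafe_variant(void)
{
    reentered = 0;
    if (install_handler(grace_timeout_unsafe) != 0)
        return -1;
    fragile_log("Failed password for invalid user", 1);
    return reentered;
}

/* Same scenario with the safe handler; returns the re-entry count (0) and
 * sets *logged_later to 1 because the timeout is logged after the handler. */
int run_safe_variant(int *logged_later)
{
    reentered = 0;
    grace_expired = 0;
    if (install_handler(grace_timeout_safe) != 0)
        return -1;
    fragile_log("Failed password for invalid user", 1);
    *logged_later = drain_grace_timeout();
    return reentered;
}

int main(void)
{
    int later = 0;
    int unsafe_hits = run_unsafe_variant();
    int safe_hits = run_safe_variant(&later);
    printf("unsafe handler: re-entered %d time(s)\n", unsafe_hits);
    printf("safe handler:   re-entered %d time(s), timeout logged afterwards: %d\n",
           safe_hits, later);
    return 0;
}
```

The same discipline applies to any handler that runs in a privileged, non-sandboxed process: do nothing in the handler beyond setting a flag or writing to a self-pipe, and let the main loop do the logging, allocation and cleanup.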

Hello? Are you talking on a Cisco SPA300 or SPA500 IP phone? Now’s the time to junk ’em

August 8, 2024 at 08:35PM A BAE Systems researcher found three critical flaws in Cisco's Small Business SPA300 and SPA500 IP phones, none of which will be fixed. The flaws let unauthenticated remote attackers execute commands as root through the phones' web-based management interface. Cisco will not release updates because the products have entered the end-of-life process. No known exploits exist at this …

Microsoft, Late to the Game on Dangerous DNSSEC Zero-Day Flaw

June 13, 2024 at 10:42AM Microsoft has released a patch for a serious denial-of-service (DoS) vulnerability in DNSSEC validation (CVE-2023-50868): a specially crafted zone can force a validating resolver into enough computation to exhaust its CPU. The issue is not specific to one product and affects validating resolvers across vendors and projects, including Unbound, BIND, dnsmasq and PowerDNS, whose maintainers shipped fixes in February. Microsoft issued its fix only now, making it a …

Critical Fluent Bit bug affects all major cloud providers, say researchers

May 21, 2024 at 01:54PM Researchers have flagged a critical memory-corruption vulnerability (CVE-2024-4323) in the built-in HTTP server of Fluent Bit, a widely used logging component. Tenable, which discovered the flaw, says it can lead to denial of service, information leakage and potentially remote code execution. The issue affects versions 2.0.7 through 3.0.3 and is fixed in 3.0.4; because Fluent Bit is embedded in so many platforms, it may affect the security of major cloud providers and blue …

Patch Tuesday: Code Execution Flaws in Multiple Adobe Software Products

April 9, 2024 at 01:42PM Adobe has issued urgent security updates for its enterprise products, including Adobe Commerce and Magento Open Source, to address code execution vulnerabilities that attackers could exploit. The company also fixed security flaws in Adobe Experience Manager, Adobe Media Encoder, Adobe After Effects, Adobe Photoshop, Adobe InDesign and Adobe Animate through Patch …

New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset

April 4, 2024 at 07:30AM Researcher Bartek Nowotarski has disclosed a new denial-of-service (DoS) technique, dubbed HTTP/2 CONTINUATION Flood, that may pose a greater threat than last year's Rapid Reset attack. A client sends a HEADERS frame followed by an endless stream of CONTINUATION frames that never carry the END_HEADERS flag; implementations that buffer the header block until it completes exhaust memory or CPU, in some cases over a single TCP connection. Several widely used implementations were affected. Patches and mitigations are being issued, and the …
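The mechanism of the CONTINUATION flood and the fix that most affected projects adopted, as an added example that is not taken from the article or from any affected server: a frame walker that bounds the total size of a header block across HEADERS and CONTINUATION frames and rejects the connection as soon as the bound is crossed, instead of buffering until END_HEADERS arrives. The frame builder, the 8 KiB limit and the filler payloads are constructed for this example; the walker also enforces the RFC 9113 rule that only CONTINUATION frames on the same stream may follow an unterminated HEADERS frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed frame walker, not code from any real server. Frame layout per
 * RFC 9113 section 4.1: 3-byte length, 1-byte type, 1-byte flags, 4-byte
 * stream id (top bit reserved). */
#define H2_HEADERS       0x1
#define H2_CONTINUATION  0x9
#define H2_END_HEADERS   0x4

enum {
    H2_OK = 0,
    H2_MALFORMED = -1,              /* protocol error: close the connection */
    H2_HEADER_BLOCK_TOO_LARGE = -2, /* flood detected: close the connection */
    H2_INCOMPLETE = -3              /* ran out of input mid-frame or mid-block */
};

/* A HEADERS frame without END_HEADERS opens a header block that CONTINUATION
 * frames on the same stream extend. The vulnerable behaviour was to append
 * fragments until END_HEADERS arrived with no bound on the total. Here the
 * running total is checked after every fragment, so a client that never sends
 * END_HEADERS is cut off after max_block_bytes no matter how many frames it
 * sends. Padding and priority fields inside HEADERS are counted as block bytes
 * for simplicity, which errs on the strict side. */
int h2_check_header_blocks(const uint8_t *buf, size_t len, size_t max_block_bytes)
{
    size_t pos = 0, block_bytes = 0;
    int in_block = 0;
    uint32_t block_stream = 0;

    while (pos + 9 <= len) {
        uint32_t flen  = ((uint32_t)buf[pos] << 16) | ((uint32_t)buf[pos + 1] << 8) | buf[pos + 2];
        uint8_t  type  = buf[pos + 3];
        uint8_t  flags = buf[pos + 4];
        uint32_t sid   = ((uint32_t)(buf[pos + 5] & 0x7f) << 24) | ((uint32_t)buf[pos + 6] << 16)
                       | ((uint32_t)buf[pos + 7] << 8) | buf[pos + 8];
        pos += 9;
        if (flen > len - pos)
            return H2_INCOMPLETE;

        if (in_block) {
            /* RFC 9113 6.10: only CONTINUATION on the same stream until END_HEADERS */
            if (type != H2_CONTINUATION || sid != block_stream)
                return H2_MALFORMED;
        } else if (type == H2_HEADERS) {
            if (sid == 0)
                return H2_MALFORMED;
            in_block = 1;
            block_stream = sid;
            block_bytes = 0;
        } else if (type == H2_CONTINUATION) {
            return H2_MALFORMED;        /* CONTINUATION with no open block */
        } else {
            pos += flen;                /* DATA, SETTINGS, ...: not relevant here */
            continue;
        }

        block_bytes += flen;
        if (block_bytes > max_block_bytes)
            return H2_HEADER_BLOCK_TOO_LARGE;   /* stop before buffering any more */
        pos += flen;
        if (flags & H2_END_HEADERS)
            in_block = 0;
    }
    return in_block ? H2_INCOMPLETE : H2_OK;
}

/* Writes one frame whose payload is filler standing in for an HPACK fragment.
 * Returns bytes written, or 0 if the frame does not fit. */
static size_t h2_put_frame(uint8_t *out, size_t cap, uint32_t flen, uint8_t type,
                           uint8_t flags, uint32_t sid, uint8_t fill)
{
    if (cap < 9 + (size_t)flen)
        return 0;
    out[0] = (uint8_t)(flen >> 16); out[1] = (uint8_t)(flen >> 8); out[2] = (uint8_t)flen;
    out[3] = type;
    out[4] = flags;
    out[5] = (uint8_t)((sid >> 24) & 0x7f); out[6] = (uint8_t)(sid >> 16);
    out[7] = (uint8_t)(sid >> 8);           out[8] = (uint8_t)sid;
    memset(out + 9, fill, flen);
    return 9 + flen;
}

/* Legitimate request: one header block split over HEADERS + one CONTINUATION. */
int demo_legit_block(void)
{
    uint8_t buf[64];
    size_t n = h2_put_frame(buf, sizeof buf, 16, H2_HEADERS, 0, 1, 0x82);
    n += h2_put_frame(buf + n, sizeof buf - n, 8, H2_CONTINUATION, H2_END_HEADERS, 1, 0x86);
    return h2_check_header_blocks(buf, n, 8192);
}

/* Constructed flood: a HEADERS frame that is never closed, then as many 1 KiB
 * CONTINUATION frames without END_HEADERS as fit in a 64 KiB buffer. */
int demo_continuation_flood(void)
{
    static uint8_t buf[64 * 1024];
    size_t w, n = h2_put_frame(buf, sizeof buf, 1024, H2_HEADERS, 0, 3, 0x82);
    while ((w = h2_put_frame(buf + n, sizeof buf - n, 1024, H2_CONTINUATION, 0, 3, 0x86)) != 0)
        n += w;
    return h2_check_header_blocks(buf, n, 8192);
}

int main(void)
{
    printf("legit block: %d\nflood:       %d\n", demo_legit_block(), demo_continuation_flood());
    return 0;
}
```

With an 8 KiB limit the flood is rejected on its ninth frame, long before the remaining tens of kilobytes are read or stored; a real server would pair this byte bound with a cap on the number of CONTINUATION frames per block and with its existing limit on decoded header size.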

Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks

April 3, 2024 at 01:31PM Ivanti has released patches for multiple high-severity vulnerabilities in its Connect Secure and Policy Secure gateways that attackers could exploit for remote code execution and denial of service. Earlier this year, the U.S. CISA issued an emergency directive ordering federal agencies to secure Ivanti systems after zero-day attacks on the same products. Thousands …

Cisco Patches DoS Vulnerabilities in Networking Products

March 28, 2024 at 09:12AM Cisco has announced patches for multiple high-severity vulnerabilities in IOS and IOS XE software, covering denial of service, privilege escalation, command injection and protection bypass. Some of the flaws can be exploited without authentication and could have serious consequences if not patched promptly. Additional details can be found on Cisco's security advisories page. …

New ‘Loop DoS’ Attack Impacts Hundreds of Thousands of Systems

March 20, 2024 at 11:36AM Researchers have described a new DoS attack vector, dubbed Loop DoS, that targets UDP-based application-layer protocols. Implementations that answer malformed or unexpected input with an error message can be paired into a self-perpetuating loop: a single packet with a spoofed source address makes server A send an error to server B, B replies with an error of its own, and the two keep answering each other indefinitely, saturating the servers and the links between them as a reflected DoS. Around 300,000 hosts and networks are potentially affected, and the attack has been flagged as trivial to exploit. Multiple products …

Microsoft’s March Updates Fix 61 Vulnerabilities, Including Critical Hyper-V Flaws

March 13, 2024 at 02:03AM Microsoft's monthly security update addresses 61 vulnerabilities, including two critical issues in Windows Hyper-V that could lead to denial of service and remote code execution. None of the flaws were publicly known or under active attack at release time. Microsoft also shipped updates for the Chromium-based Edge browser, and other vendors have also released …