HackDig : Dig high-quality web security articles

Vulnerabilities in OpENer Stack Expose Industrial Devices to Attacks

Multiple vulnerabilities in the OpENer stack could be exploited in attacks aimed at supervisory control and data acquisition (SCADA) and other industrial systems that use OpENer. Maintained by EIPStackGroup and designed for I/O adapter devices, the OpENer EtherNet/IP (ENIP) stack offers support for multiple I/O and explicit connections, implements the ENIP an
Publish At: 2021-04-16 15:20 | Read: 196 | Comments: 0 | Tags: ICS/OT NEWS & INDUSTRY Vulnerabilities

Critical Vulnerability Can Allow Attackers to Hijack or Disrupt Juniper Devices

A critical vulnerability patched recently by networking and cybersecurity solutions provider Juniper Networks could allow an attacker to remotely hijack or disrupt affected devices. The security hole, tracked as CVE-2021-0254 and affecting the Junos operating system, was discovered by Nguyễn Hoàng Thạch, aka d4rkn3ss, a researcher with Singapore-based cyberse
Publish At: 2021-04-16 11:25 | Read: 180 | Comments: 0 | Tags: Network Security NEWS & INDUSTRY Vulnerabilities Vulnera

Google Project Zero Announces 2021 Updates to Vulnerability Disclosure Policy

Google’s Project Zero cybersecurity research unit on Thursday announced that it’s making some changes to its vulnerability disclosure policies, giving users 30 days to install patches before disclosing the technical details of a flaw. Project Zero has announced three major changes to its vulnerability disclosure policy in 2021, compared to 2020. Until now, if
Publish At: 2021-04-16 07:30 | Read: 73 | Comments: 0 | Tags: NEWS & INDUSTRY Application Security Vulnerabilities Man

Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack

Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world. The hack occurred four months ago but was only discovered in the wild by a Codecov custome
Publish At: 2021-04-15 23:40 | Read: 114 | Comments: 0 | Tags: NEWS & INDUSTRY Incident Response Vulnerabilities hack

IBM: 44 Organizations Targeted in Attacks Aimed at COVID-19 Vaccine Cold Chain

More than 40 organizations have been targeted in a global campaign focused on the COVID-19 vaccine cold chain infrastructure, which handles the distribution of vaccines and their storage at the required temperatures. Following an initial report in December 2020, IBM Security X-Force now reveals that the number of affected organizations is higher compared to t
Publish At: 2021-04-15 15:50 | Read: 112 | Comments: 0 | Tags: NEWS & INDUSTRY Vulnerabilities

Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched

A researcher has made public an exploit and details for an unpatched vulnerability affecting Chrome, Edge and other web browsers that are based on the open source Chromium project. This is the second Chromium proof-of-concept (PoC) exploit released this week. The second exploit was publicly disclosed by a researcher who uses the online moniker Frust and who w
Publish At: 2021-04-15 11:55 | Read: 53 | Comments: 0 | Tags: NEWS & INDUSTRY Vulnerabilities exploit

NSA: Russian Hackers Exploiting VPN Vulnerabilities - Patch Immediately

The U.S. government on Thursday warned that Russian APT operators are exploiting five known -- and already patched -- vulnerabilities in corporate VPN infrastructure products, insisting it is “critically important” to mitigate these issues immediately. The urgent advisory was issued by the National Security Agency (NSA) to call attention to a quintet of CVEs
Publish At: 2021-04-15 11:55 | Read: 175 | Comments: 0 | Tags: NEWS & INDUSTRY Vulnerabilities exploit hack

Reddit Launches Public Bug Bounty Program

Reddit this week announced the launch of a public bug bounty program on the vulnerability hunting platform HackerOne. Following a three-year private bug bounty program on HackerOne, which has resulted in over $140,000 being awarded in bug bounties for 300 vulnerability reports focusing on reddit.com, the program is going public with an expanded scope. The purp
Publish At: 2021-04-15 11:55 | Read: 192 | Comments: 0 | Tags: NEWS & INDUSTRY Vulnerabilities

Siemens Releases Several Advisories for 'NAME:WRECK' Vulnerabilities

Siemens released a total of 14 new advisories on Tuesday, including five describing the impact and remediations for the NAME:WRECK vulnerabilities disclosed on the same day. IoT security company Forescout on Tuesday revealed that four popular TCP/IP stacks — specifically FreeBSD, Siemens’ Nucleus, IPnet and NetX — are affected by a total of nine DNS-related f
Publish At: 2021-04-14 08:32 | Read: 98 | Comments: 0 | Tags: ICS/OT NEWS & INDUSTRY Vulnerabilities

Another Critical Vulnerability Patched in SAP Commerce

On Tuesday, as part of its April 2021 Security Patch Day, SAP announced the release of 14 new security notes and 5 updates to previously released notes. The only new Hot News note released with this round of patches addresses a critical vulnerability in SAP Commerce. Tracked as CVE-2021-27602 and featuring a CVSS score of 9.9, the critical security hole could
Publish At: 2021-04-14 08:31 | Read: 68 | Comments: 0 | Tags: NEWS & INDUSTRY Vulnerabilities Vulnerability

At Least 100 Million Devices Affected by "NAME:WRECK" DNS Flaws in TCP/IP Stacks

Popular TCP/IP stacks are affected by a series of Domain Name System (DNS) vulnerabilities that could be exploited to take control of impacted devices, researchers with IoT security firm Forescout reveal. Collectively called NAME:WRECK and identified in the DNS implementations of FreeBSD, Nucleus NET, IPnet, and NetX, the flaws could also be abused to perform
Publish At: 2021-04-14 00:40 | Read: 108 | Comments: 0 | Tags: ICS/OT NEWS & INDUSTRY Vulnerabilities IoT Security

Adobe Patches Critical Code Execution Vulnerabilities in Photoshop, Bridge

Adobe on Tuesday announced patches for vulnerabilities in four of its products, including critical code execution flaws affecting Photoshop and Bridge. In Photoshop, the company fixed two critical buffer overflow bugs that can be exploited for arbitrary code execution in the context of the targeted user. In its Bridge asset management software, Adobe resolved
Publish At: 2021-04-13 16:50 | Read: 113 | Comments: 0 | Tags: NEWS & INDUSTRY Vulnerabilities

MS Patch Tuesday: NSA Reports New Critical Exchange Flaws

Just weeks after a wave of major in-the-wild zero-day attacks against Exchange Server installations globally, Microsoft is raising a fresh alarm for four new critical security flaws that expose businesses to remote code execution attacks. The four new Exchange Server vulnerabilities were fixed as part of this month’s Patch Tuesday bundle and because of the se
Publish At: 2021-04-13 16:50 | Read: 142 | Comments: 0 | Tags: Endpoint Security Network Security NEWS & INDUSTRY Priva

Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices

An exploit is now publicly available for a remote code execution vulnerability affecting QNAP network-attached storage (NAS) devices that run the Surveillance Station video management system. The bug, specifically a memory corruption issue, was found to impact QNAP NAS devices running Surveillance Station versions and, and was addressed in
Publish At: 2021-04-13 12:55 | Read: 141 | Comments: 0 | Tags: NEWS & INDUSTRY Vulnerabilities Vulnerability exploit

PoC Exploit Released for Unpatched Flaw Affecting Chromium-Based Browsers

A researcher has made public a proof-of-concept (PoC) exploit for a recently discovered vulnerability affecting Chrome, Edge and other Chromium-based web browsers. On April 7, at the Pwn2Own 2021 hacking competition, Bruno Keith and Niklas Baumstark of Dataflow Security earned $100,000 for a remote code execution exploit that works against web browsers that a
Publish At: 2021-04-13 09:00 | Read: 145 | Comments: 0 | Tags: NEWS & INDUSTRY Vulnerabilities exploit