Alert News -
Update 14.10.2018 21:38:01
|26.9.2018||TP-Link EAP Controller |
lacks RMI authentication
and is vulnerable to deserialization attacks
|The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. EAP Controller for Linux lacks user authentication for RMI service commands, as well as utilizes an outdated vulnerable version of Apache commons-collections, which may allow an attacker to implement deserialization attacks and control the EAP Controller server.||Zero-Day|
|5.9.2018||Problems with automatic|
DNS registration and autodiscovery
|Problems with automatic DNS registration and autodiscovery. If an attacker with access to the network adds a malicious device to the network with the name 'WPAD', such an attacker may be able to utilize DNS autoregistration and autodiscovery to act as a proxy for victims on the network, resulting in a loss of confidentiality and integrity of any network activity||Zero-Day|
Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.
Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.
Speculative execution is a technique used by many modern processors to improve performance by predicting which instructions may be executed based on past execution history. When a program attempts to access data in memory, the logical memory address is translated to a physical address by the hardware. Accessing a logical or linear address that is not mapped to a physical location on the hardware will result in a terminal fault. Once the fault is triggered, there is a gap before resolution where the processor will use speculative execution to try to load data. During this time, the processor could speculatively access the level 1 data cache, potentially allowing side-channel methods to infer information that would otherwise be protected. More information about L1 terminal fault can be found
Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings, allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally, some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access.
The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. (CVE-2018-5389). It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode however, only an online attack against PSK authentication was thought to be feasible.
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5391. The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5390.Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-6922. A TCP data structure in supported versions of FreeBSD (11, 11.1, 11.2, 10, and 10.4) use an inefficient algorithm to reassemble the data.For both vulnerabilities, an attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port. Thus, the attacks cannot be performed using spoofed IP addresses.
ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table. Despite containing the "Dynamic base" PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks.
Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must also agree on the elliptic curve parameters being used. Previous work on the "Invalid Curve Attack" showed that the ECDH parameters are not always validated before being used in computing the resulted shared key, which reduces attacker effort to obtain the private key of the device under attack if the implementation does not validate all of the parameters before computing the shared key.
CWE-124: Buffer Underwrite ('Buffer Underflow') - CVE-2018-5388. In stroke_socket.c, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket.According to the vendor, an attacker must typically have local root permissions to access the socket. However, other accounts and groups such as the vpn group (if capability dropping in enabled, for example) may also have sufficient permissions, but this configuration does not appear to be the default behavior.
Speculative execution is a technique used by many modern processors to improve performance by predicting which instructions may be executed based on past execution history. An attacker with local user access may be able to utilize sequences of speculative execution to perform a cache timing side-channel analysis.