This week in Vulnerability Weekly
Full Details: [ Link ]
This week there were mostly updates on existing flaws: QNAP and F5 disclosed vulnerabilities.
This week features Raspberry Robin, a Windows malware attacking QNAP; QNAP releasing bug fixes; F5 releasing bug fixes; and GitHub introducing more stringent controls on authentication.
npm (npmjs) with a new CDN due to the GitHub MFA changes.
GitHub changes to 2FA, requiring users and maintainers to use 2FA and TOTP.
Windows – Raspberry Robin Vulnerability
A new Windows malware with worm-like capabilities targets QNAP devices. The malware propagates by means of removable USB devices.
QNAP
Issued fixes for the following vulnerabilities:
CVE-2021-38693 (CVSS score: 5.3) – A path traversal vulnerability in the httpd affecting QNAP devices running QTS, QuTS hero, QuTScloud, and QVR Pro Appliance, leading to information disclosure
CVE-2021-44051 (CVSS score: 8.8) – A command injection vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud, resulting in arbitrary command execution
CVE-2021-44052 (CVSS score: 6.5) – An improper link resolution before file access (“link following”) vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud, allowing attackers to read/write files in arbitrary file locations
CVE-2021-44053 (CVSS score: 5.7) – A cross-site scripting (XSS) vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud, leading to code injection
CVE-2021-44054 (CVSS score: 4.3) – An open redirect vulnerability in QNAP devices running QTS, QuTS hero, and QuTScloud, making it possible to redirect users to rogue web pages
CVE-2021-44055 (CVSS score: 5.3) – A missing authorization vulnerability in QNAP devices running Video Station, allowing attackers to access data or perform unauthorized actions
CVE-2021-44056 (CVSS score: 7.1) – An improper authentication vulnerability in QNAP devices running Video Station, leading to system compromise
CVE-2021-44057 (CVSS score: 7.1) – An improper authentication vulnerability in QNAP devices running Photo Station, leading to system compromise
Zoom:
43 issues addressed: one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated Low in severity.
Most notable vulnerability: CVE-2022-1388, with CVSS 9.8 and an internal assessment of Critical because the affected component is front-facing and lacks authentication checks, potentially allowing an attacker to remotely execute code and attack the affected system.
Superglue – AWS Vulnerability retrospective
AWS hot patch for Log4j