The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code via a crafted certificate.
Monthly Archives: March 2017
CVE-2016-10305
Trango Apex <= 2.1.1, ApexLynx < 2.0, ApexOrion < 2.0, ApexPlus <= 3.2.0, Giga <= 2.6.1, GigaLynx < 2.0, GigaOrion < 2.0, GigaPlus <= 3.2.3, GigaPro <= 1.4.1, StrataLink < 3.0, and StrataPro devices have a built-in, hidden root account, with a default password that was once stored in cleartext within a software update package on a Trango FTP server. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.
CVE-2016-10307
Trango ApexLynx 2.0, ApexOrion 2.0, GigaLynx 2.0, GigaOrion 2.0, and StrataLink 3.0 devices have a built-in, hidden root account, with a default password for which the MD5 hash value is public (but the cleartext value is perhaps not yet public). This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.
CVE-2016-10309
In the GUI of Ceragon FibeAir IP-10 (before 7.2.0) devices, a remote attacker can bypass authentication by adding an ALBATROSS cookie with the value 0-4-11 to their browser.
CVE-2017-7323
The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code by leveraging the lack of the HTTPS protection mechanism.
CVE-2016-10306
Trango Altum AC600 devices have a built-in, hidden root account, with a default password of abcd1234. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.
CVE-2017-7321
setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI.
U.S. Financial Firms Suffer Million Dollar Losses from Cybersecurity Incidents
According to new data from Kaspersky Lab's Financial Institutions Security Risks 2016, the costs associated with cyberattacks affecting the financial sector are rising as organizations face increasingly sophisticated threats. In the U.S., the cost of a cybersecurity incident to a financial institution can be as much as $1,165,000.
Cybersecurity Meets Art and Science: Eugene Kaspersky Returns from Inaugural Antarctic Biennale Expedition
Eugene Kaspersky, Chairman and CEO of Kaspersky Lab, has just returned from the first Antarctic Biennale expedition – a creative journey that brought together artists, researchers, technology visionaries and philosophers in search of a universal, cultural future for Antarctica.
xorgxrdp-0.2.1-1.fc25 xrdp-0.9.2-3.fc25
New upstream version of xorgxrdp and xrdp:
New features in xrdp:
– RemoteFX codec support is now enabled by default.
– Bitmap updates support is now enabled by default.
– TLS cipher suites and version are now logged.
– Connected computer name is now logged.
– Switched to Xorg (xorgxrdp) as the default backend now.
– Miscellaneous RemoteFX codec mode improvements.
– Socket directory is configurable at the compile time.
Bugfixes in xrdp:
– Parallels client for MacOS / iOS can now connect (audio redirection must be disabled on client or xrdp server though).
– MS RDP client for iOS can now connect using TLS security layer.
– MS RDP client for Android can now connect to xrdp.
– Large resolutions (4K) can be used with RemoteFX graphics.
– Multiple RemoteApps can be opened through NeutrinoRDP proxy.
– tls_ciphers in xrdp.ini is not limited to 63 chars anymore, it’s variable-length.
– Fixed an issue where tls_ciphers were ignored and the RDP security layer could be used instead.
– Kill disconnected sessions feature is working with Xorg (xorgxrdp) backend.
– Miscellaneous code cleanup and memory issues fixes.
Rebuild of xrdp, now requiring both xorgxrdp and tigervnc-minimal. VNC is still the default.