Archive for June, 2019

CVE-2019-13114 (exiv2)

http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.
Source: NIST

CVE-2019-13111 (exiv2)

A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (large heap allocation followed by a very long running loop) via a crafted WEBP image file.
Source: NIST

CVE-2019-13109 (exiv2)

An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction.
Source: NIST

CVE-2019-13113 (exiv2)

Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to assertion failure) via an invalid data location in a CRW image file.
Source: NIST

CVE-2019-13112 (exiv2)

A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.
Source: NIST

CVE-2019-13110 (exiv2)

A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file.
Source: NIST

CVE-2019-13108 (exiv2)

An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.
Source: NIST

CVE-2019-13107

Multiple integer overflows exist in MATIO before 1.5.16, related to mat.c, mat4.c, mat5.c, mat73.c, and matvar_struct.c.
Source: NIST

Four in 10 North American Banks Don't Use EV Certificates

Despite the fact that all of the largest banks analyzed across Europe and North America do use some form of SSL certificates, a number of banks are leaving their customers vulnerable to phishing attacks, according to a new report released by Sectigo.

According to the Secure Impressions: Online Banking Study, 40% of the North American banks studied did not receive the highest rating, which was only given to those banks that used extended validation (EV) certificates to demonstrate the website’s true, authenticated identity.

“In Europe, 25% of banks did not receive the highest rating,” a June 27 press release stated. “Websites without EV certificates on the home and/or login pages received a lesser rating (yellow status). No banks in the study displayed ‘Not Secure’ warnings (red status).”

“Online criminals routinely use counterfeit websites to trick consumers into unknowingly providing valuable information such as account logins, credit card numbers, and personally identifiable information that can be used for identity theft,” said Tim Callan, senior fellow at Sectigo.

“Protecting against phishing is definitely an important function in the overall cybersecurity program of almost all organizations around the world. Enabling best-practice security measures can certainly help reduce the impact of phishing that IT security teams face,” said Jonathan Deveaux, head of enterprise data protection at comforte AG.

Because other threat vectors and vulnerabilities can still be exploited, organizations should consider additional security measures.

The press release also noted that 76% of data breaches are financially motivated. As banks house a treasure trove of personal data, they will continue to be targets of cyber-attacks.

“Since it is your data that they ultimately want, another effective method for improving cybersecurity posture is the data-centric protection model. Data-centric protection means to activate security on the data itself – de-identify personal information by anonymizing the data elements, and remove credit card numbers and social security numbers by replacing them with fake numbers,” Deveaux said.

“Even with improved cybersecurity defenses, hackers have proved that they can still find a way to get through in order to steal data. So why not give them something they can’t use. A combined approach to cybersecurity may be the best approach for many organizations.”

Source: Infosecurity

CVE-2018-20849

Arastta eCommerce 1.6.2 is vulnerable to XSS via the PATH_INFO to the login/ URI.
Source: NIST