Archive for June, 2020

CVE-2020-9414

The MFT admin service component of TIBCO Software Inc.’s TIBCO Managed File Transfer Command Center and TIBCO Managed File Transfer Internet Server contains a vulnerability that theoretically allows an authenticated user with specific permissions to obtain the session identifier of another user. The session identifier when replayed could provide administrative rights or file transfer permissions to the affected system. Affected releases are TIBCO Software Inc.’s TIBCO Managed File Transfer Command Center: versions 8.2.1 and below and TIBCO Managed File Transfer Internet Server: versions 8.2.1 and below.
Source: NIST

CVE-2020-14059

An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list.
Source: NIST

CVE-2020-14474

The Cellebrite UFED physical device 5.0 through 7.5.0.845 relies on key material hardcoded within both the executable code supporting the decryption process, and within the encrypted files themselves by using a key enveloping technique. The recovered key material is the same for every device running the same version of the software, and does not appear to be changed with each new build. It is possible to reconstruct the decryption process using the hardcoded key material and obtain easy access to otherwise protected data.
Source: NIST

CVE-2020-14058

An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string.
Source: NIST

CVE-2020-7049

Nozomi Networks OS before 19.0.4 allows /#/network?tab=network_node_list.html CSV Injection.
Source: NIST

CVE-2020-14482

Delta Industrial Automation DOPSoft, version 4.00.08.15 and prior: opening a specially crafted project file may overflow the heap, which may allow remote code execution or disclosure/modification of information, or cause the application to crash.
Source: NIST

CVE-2020-15307

Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to create a custom field with a crafted field name.
Source: NIST

CVE-2020-15049

An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header whose length field-value is prefixed with a "+" or "-" sign or an uncommon shell whitespace character.
Source: NIST

Unauthorized Data Sharing Puts Companies at Risk

Inappropriate data sharing continues to be a problem for companies, according to a survey from data discovery and auditing software vendor Netwrix. Although most companies have designated secure storage areas for their data, many find it leaking into insecure areas, the research found.

A quarter of companies have discovered data stored outside designated secure locations in the past year, according to the vendor’s “2020 Data Risk & Security” report. It took them considerable time to discover the stray data, with 23% reporting that it lay undiscovered for weeks.

This data seems to make its way into insecure storage because employees don’t follow data sharing policies, if they exist at all. According to the survey, 30% of systems administrators granted direct access to sensitive data based only on user requests. The results show up in audits and can lead to financial penalties. Of companies that experienced unauthorized data-sharing incidents, 54% ended up with non-compliance findings from audits.

Many companies don’t keep tabs on user data access privileges, the survey found. The report noted that a little over half of all organizations don’t review these access privileges regularly.

This lack of visibility into access rights makes it hard to track data sharing. According to the survey, only half of all organizations are confident that employees are sharing data without the IT department’s knowledge. Of those, 29% cannot track employee data sharing at all, making their claims difficult to prove.

The survey examined all stages of the data life cycle from creation through to disposal. It found poor practices at the data-creation stage that have direct implications for other stages such as data sharing. Nearly two-thirds of the survey respondents said that they couldn’t confirm they only collect the minimum amount of customer data required. Of those, 34% are subject to the GDPR, which limits the amount of data they are allowed to collect. Companies that collect more customer data than they need to and fail to manage it properly later on compound their security risk.

The survey covered 1,045 IT professionals around the world, with the largest proportion (48%) coming from North America, followed by 26% from the EMEA region. Half the companies had 1,000 employees or fewer.

Source: Infosecurity

Don't Slow Cybersecurity Spending: Steer into the Skid with a Tight Business Plan

We all know there are slippery conditions ahead, which is why it’s never been more important for organizations to maintain and even increase their spending on cybersecurity.
Source: DarkReading