Yarn, Pip, Composer & friends: Learn about 3 types of vulnerabilities we found in popular package managers that can be used by attackers to target developers.

Contribute to Accenture/VulFi development by creating an account on GitHub.

BHI (or Spectre-BHB) is a revival of cross-privilege Spectre-v2 attacks on modern systems deploying in-hardware defenses. And we have a very neat end-to-end exploit leaking arbitrary kernel memory on modern Intel CPUs to prove it

Local privilege escalation flaw in the Linux Kernel was disclosed on Monday, nicknamed “Dirty Pipe” ID CVE-2022-0847.

Based on the CrowdSec data shared by the community, this first edition of the report provides an overview of the main cyber threats identified worldwide.

Posted in r/netsec by u/albinowax • 101 points and 0 comments

------ Update 03/12/2022 Reuters has published new information on this incident, which initially matches the proposed scenario. You can find...

Casper-fs is a Custom Hidden Linux Kernel Module generator. Each module works in the file system to protect and hide secret files. - GitHub - CoolerVoid/casper-fs: Casper-fs is a Custom Hidden Linu...

Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.

An automated setup for fuzzing Redis w/ AFL++. Contribute to 0xbigshaq/redis-afl development by creating an account on GitHub.

An automated setup for compiling & fuzzing Apache httpd server - 0xbigshaq/apache-afl

CVE-ID: CVE-2021-34979 ZDI Identifier: ZDI-CAN-13512

FirmWire is a full-system baseband firmware emulation platform for fuzzing, debugging, and root-cause analysis of smartphone baseband firmwares - GitHub - FirmWire/FirmWire: FirmWire is a full-syst...

CVE-2022-0847 or "Dirty Pipe", is a Linux kernel flaw that allows attackers to escalate privileges. We analyze the vulnerability in-depth in this blog.

Posted in r/netsec by u/D4r1 • 208 points and 7 comments

An AWS/GitLab CICD themed CTF.

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance,” today. This report

Posted in r/netsec by u/yawkat • 0 points and 0 comments

Posted in r/netsec by u/Late_Ice_9288 • 63 points and 3 comments

JFrog’s Security Research team discovered 7 vulnerabilities in the ClickHouse database management software. Learn about the issues and how to mitigate the risks.

In October 2021, Apple released a fix for CVE-2021-30833. This was an arbitrary file-write vulnerability in the xar utility and was due to improper handling of path separation (forward-slash) characters when processing files contained within directory symlinks.…