每日安全动态推送(5-17)
2024-5-17 10:49:12 Author: mp.weixin.qq.com(查看原文) 阅读量:7 收藏

Tencent Security Xuanwu Lab Daily News

• OpenSSL Security Advisory:
https://seclists.org/oss-sec/2024/q2/243

   ・ OpenSSL公开了一个新的漏洞CVE-2023-3446,该漏洞会导致使用EVP_PKEY_param_check()或EVP_PKEY_public_check()函数进行DSA公钥或DSA参数检查的应用程序出现长时间延迟。漏洞由fuzzer最先检测到,并在OpenSSL的git存储库中提供了修复。 – SecTodayBot

• oss-security - CVE-2024-21823: Intel DSA and Intel IAA advisory:
https://www.openwall.com/lists/oss-security/2024/05/15/1

   ・ 介绍了英特尔处理器中的潜在安全漏洞及其解决方案,重点是硬件逻辑不安全的去同步问题 – SecTodayBot

• Understanding AddressSanitizer: Better memory safety for your code:
https://blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code/

   ・ 介绍了使用AddressSanitizer (ASan)来检测代码中可能导致远程代码执行攻击的内存问题,重点讨论了ASan在C++中的应用 – SecTodayBot

• Let's check the qdEngine game engine, part three: 10 more bugs:
https://pvs-studio.com/en/blog/posts/cpp/1123/?utm_source=firefly&utm_medium=twitter

   ・ 使用PVS-Studio静态代码分析工具发现并修复qdEngine游戏引擎中的缺陷和潜在漏洞 – SecTodayBot

• oss-security - CVE-2024-32113: Apache OFBiz: Path traversal leading to RCE:
https://www.openwall.com/lists/oss-security/2024/05/09/1

   ・ 披露了Apache OFBiz 18.12.13版本之前的CVE-2024-32113漏洞,该漏洞由Qiyi Zhang (RacerZ) @secsys from Fudan (finder)发现。漏洞的根本原因是路径遍历,可能导致远程代码执行。 – SecTodayBot

• linux input handles:
https://redplait.blogspot.com/2024/05/linux-input-handles.html

   ・ 讨论了在Linux内核中安装键盘记录器的方法,以及如何从Linux内核结构中提取信息。 – SecTodayBot

• Offensive IoT for Red Team Implants (Part 2):
https://www.blackhillsinfosec.com/offensive-iot-for-red-team-implants-part-2/

   ・ 介绍了如何使用树莓派 Pico 作为物理植入设备进行攻击,并通过扩展 LoRa 模块来增强攻击能力。 – SecTodayBot

• Researchers Uncover 11 Security Flaws in GE HealthCare Ultrasound Machines:
https://thehackernews.com/2024/05/researchers-uncover-11-security-flaws.html

   ・ GE HealthCare Vivid Ultrasound产品系列存在多个安全漏洞,可能被恶意利用,影响患者数据安全,并甚至安装勒索软件。其中最严重的漏洞是CVE-2024-27107,涉及使用硬编码凭据。 – SecTodayBot

• Adventures and Accidental Honeypots in Network Infrastructure: Unravelling Internet Shenanigans:
https://labs.jumpsec.com/adventures-and-accidental-honeypots-in-network-infrastructure-unravelling-internet-shenanigans/

   ・ Adventures and Accidental Honeypots in Network Infrastructure: Unravelling Internet Shenanigans – SecTodayBot

* 查看或搜索历史推送内容请访问:
https://sec.today

* 新浪微博账号:腾讯玄武实验室
https://weibo.com/xuanwulab


文章来源: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959642&idx=1&sn=7141793fc382a4695bea170c27894ffe&chksm=8baed1c5bcd958d3a6d579aef7ceec4cde83ae98d455fa115f458fa924a64139e89402c49fd3&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh