每日安全动态推送(8-23)
2024-8-23 17:32:1 Author: mp.weixin.qq.com(查看原文) 阅读量:1 收藏

Tencent Security Xuanwu Lab Daily News

• IoT Hardware Security: A Growing Concern:
https://www.bankinfosecurity.com/iot-hardware-security-growing-concern-a-26071

   ・ 揭示了Sonos设备中的严重漏洞,特别影响了Wi-Fi和安全启动功能。 – SecTodayBot

• Urgent Chrome Update: Active Zero-Day Exploit Detected (CVE-2024-7971):
https://securityonline.info/urgent-chrome-update-active-zero-day-exploit-detected-cve-2024-7971/

   ・ Chrome浏览器发布了紧急更新以应对CVE-2024-7971的零日漏洞,该漏洞可能导致远程代码执行 – SecTodayBot

• GitHub - AI-Voodoo/Red_Reaper_v2: Stage 1: Sensitive Email/Chat Classification for Adversary Agent Emulation (espionage). This project is meant to extend Red Reaper v1 which was presented at RSA San Francisco 2024.:
https://github.com/AI-Voodoo/Red_Reaper_v2

   ・ Red Reaper项目着眼于自动化识别可能被恶意利用的敏感通信,结合了数据科学和网络安全。 – SecTodayBot

• CVE-2024-43403: Kanister Vulnerability Opens Door to Cluster-Level Privilege Escalation:
https://securityonline.info/cve-2024-43403-kanister-vulnerability-opens-door-to-cluster-level-privilege-escalation/

   ・ Kanister工具存在严重漏洞CVE-2024-43403,攻击者可利用该漏洞获取对Kubernetes集群的完全控制。 – SecTodayBot

• CVE-2024-7272: Critical Heap Overflow Vulnerability Discovered in FFmpeg, PoC Published:
https://securityonline.info/cve-2024-7272-critical-heap-overflow-vulnerability-discovered-in-ffmpeg-poc-published/

   ・ FFmpeg的关键堆溢出漏洞CVE-2024-7272可能导致远程攻击,需要立即升级以减轻风险。  – SecTodayBot

• Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names:
https://seclists.org/oss-sec/2024/q3/229

   ・ 披露了一个影响CPython 'zipfile'模块的DoS漏洞 – SecTodayBot

• Zero Day Initiative — From Pwn2Own Automotive: Taking Over the Autel Maxicharger:
https://www.zerodayinitiative.com/blog/2024/8/22/from-pwn2own-automotive-taking-over-the-autel-maxicharger

   ・ 研究人员在 Pwn2Own Automotive 2024 活动中披露的 Autel Maxicharger 固件中的两个漏洞,以及Autel对这些漏洞的响应和修补。文章详细分析了漏洞的根本原因,包括发现漏洞的逆向工程过程以及新固件中观察到的修正代码。 – SecTodayBot

• “YOLO” is not a valid hash construction:
https://blog.trailofbits.com/2024/08/21/yolo-is-not-a-valid-hash-construction/

   ・ 讨论了在密码学实践中常见的构造错误和最佳实践,特别是针对哈希函数的使用。它强调了YOLO构造的问题,并提出了更好的替代方案 – SecTodayBot

• Nexus Podcast: Alon Dankner on Extracting Private Crypto Keys from PLCs:
https://hubs.li/Q02M1cmQ0

   ・ 介绍了在黑帽大会上有关对可编程逻辑控制器和西门子S7协议以及PLC存在的漏洞的研究和攻击,揭示了PLC的配置漏洞可能会将其私钥置于风险之中。研究人员开发了六种攻击方式来利用他们在PLC中发现的设计缺陷。 – SecTodayBot

* 查看或搜索历史推送内容请访问:
https://sec.today

* 新浪微博账号:腾讯玄武实验室
https://weibo.com/xuanwulab


文章来源: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959771&idx=1&sn=fb7fded21f28c09de21bb17e3d1b4894&chksm=8baed144bcd9585273941cd4f1760bf210da44bc41ae78f03747972e40a519dd31ebeed46189&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh