Daily Security News Digest (9-5)
2024-9-5 17:19:34 Author: mp.weixin.qq.com (view original)

Tencent Security Xuanwu Lab Daily News

• oss-security - [OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082):
https://openwall.com/lists/oss-security/2024/09/04/4

   ・ OpenStack Ironic has a security vulnerability (CVE-2024-44082): a specially crafted image can exploit undesirable behaviour in qemu-img, potentially leading to unauthorized access. – SecTodayBot

• Linux Kernel 5.6.13 Use-After-Free ≈ Packet Storm:
https://packetstormsecurity.com/files/181335

   ・ An exploit for a use-after-free vulnerability in Linux kernel version 5.6.13 – SecTodayBot

• Compromising ByteDance's Rspack using GitHub Actions Vulnerabilities | Praetorian:
https://www.praetorian.com/blog/compromising-bytedances-rspack-github-actions-vulnerabilities/

   ・ Critical vulnerabilities found in GitHub Actions that could allow an attacker to submit a malicious pull request and obtain privileged access. Exploitation could leak NPM deployment tokens and GitHub personal access tokens, enabling a supply-chain attack on Rspack's downstream users. – SecTodayBot

• Revival Hijack - PyPI hijack technique exploited in the wild, puts 22K packages at risk:
https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/

   ・ This article describes a PyPI supply-chain attack technique called "Revival Hijack", which abuses the fact that a PyPI package name can be re-registered after the package has been deleted. It could hijack 22,000 existing PyPI packages and lead to hundreds of thousands of downloads of malicious packages. This new vulnerability has significant implications for open-source software security and deserves attention. – SecTodayBot

• YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel:
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

   ・ The YubiKey 5 series has a cryptographic vulnerability that allows the device to be cloned. The flaw is a side-channel attack that lets an attacker clone the device after brief physical access. – SecTodayBot

• oss-security - CVE-2024-45310: runc can be tricked into creating empty files/directories on host:
https://openwall.com/lists/oss-security/2024/09/03/1

   ・ The runc container runtime has vulnerability CVE-2024-45310, which allows it to be tricked into creating empty files/directories on the host. – SecTodayBot

• SUDO_KILLER: identify and exploit sudo rules' misconfigurations and vulnerabilities within sudo:
https://meterpreter.org/sudo_killer-identify-and-exploit-sudo-rules-misconfigurations-and-vulnerabilities-within-sudo/

   ・ SUDO_KILLER is a tool for abusing sudo for privilege escalation in Linux environments. It identifies misconfigurations and vulnerabilities in sudo rules and provides a set of features and checks, including CVE checks against the sudo version and identification of dangerous binaries. – SecTodayBot

* To view or search past digests, visit:
https://sec.today

* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab


Source: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959783&idx=1&sn=098ee22c3757dc461862a6a30acb6a20&chksm=8baed178bcd9586e6d54973ff063ccb3d5ce821f77904cc2aef52c877deddc5cd3405d1e84b0&scene=58&subscene=0#rd