Tencent Security Xuanwu Lab Daily News

• oss-security - [OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082):
https://openwall.com/lists/oss-security/2024/09/04/4

   ・ OpenStack Ironic存在一个安全漏洞(CVE-2024-44082)，可以通过特制的镜像来利用qemu-img中的不良行为，可能导致未经授权的访问。 – SecTodayBot

• Linux Kernel 5.6.13 Use-After-Free ≈ Packet Storm:
https://packetstormsecurity.com/files/181335

   ・ 针对Linux内核版本5.6.13中use-after-free漏洞的利用 – SecTodayBot

• Compromising ByteDance's Rspack using GitHub Actions Vulnerabilities | Praetorian:
https://www.praetorian.com/blog/compromising-bytedances-rspack-github-actions-vulnerabilities/

   ・ 在GitHub Actions中发现的关键性漏洞，该漏洞可能允许攻击者提交恶意拉取请求，并获取特权访问权限。漏洞的利用可能导致NPM部署令牌和GitHub个人访问令牌被泄露，进而对Rspack的下游用户进行供应链攻击。 – SecTodayBot

• Revival Hijack - PyPI hijack technique exploited in the wild, puts 22K packages at risk:
https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/

   ・ 该文章主要介绍了一种名为“Revival Hijack”的PyPI供应链攻击技术，该技术利用了PyPI软件包被删除后重新注册的漏洞，可以成功劫持现有的22,000个PyPI软件包，并导致数十万次恶意软件包的下载。这个新的漏洞信息对于开源软件安全具有重要影响，需要引起关注。  – SecTodayBot

• YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel:
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

   ・ YubiKey 5系列存在加密漏洞，导致可被复制。该漏洞属于侧信道攻击，使得攻击者可以在短暂物理访问后对设备进行复制。  – SecTodayBot

• oss-security - CVE-2024-45310: runc can be tricked into creating empty files/directories on host:
https://openwall.com/lists/oss-security/2024/09/03/1

   ・ runc容器运行时存在CVE-2024-45310漏洞，可以被欺骗在主机上创建空文件/目录。 – SecTodayBot

• SUDO_KILLER: identify and exploit sudo rules' misconfigurations and vulnerabilities within sudo:
https://meterpreter.org/sudo_killer-identify-and-exploit-sudo-rules-misconfigurations-and-vulnerabilities-within-sudo/

   ・ SUDO_KILLER是一个用于在Linux环境中滥用SUDO进行特权升级的工具。它能够识别SUDO规则的错误配置和漏洞，提供了一系列功能和检查，包括对SUDO版本的CVE检查，危险二进制文件的识别等。 – SecTodayBot

* 查看或搜索历史推送内容请访问：
https://sec.today

* 新浪微博账号：腾讯玄武实验室
https://weibo.com/xuanwulab