August 4, SecurityWeek – (International) Critical flaws found in Cisco small business routers. Cisco released patches for its small business RV series routers after researchers discovered several vulnerabilities. These include a critical flaw affecting the Web interface that allows remote, unauthenticated attackers to execute arbitrary code with root privileges; a high severity flaw that can be exploited remotely to perform a directory traversal and access arbitrary files on the system; and a medium severity command shell injection flaw that could allow a local attacker to inject arbitrary shell commands that are then executed by the device, among other vulnerabilities.
August 4, SecurityWeek – (International) Google patches 10 vulnerabilities in Chrome 52. Google released an update for Chrome 52 resolving 10 security vulnerabilities after third-party developers discovered 4 high risk flaws affecting the Web browser, including an address bar spoofing flaw, a use-after-free bug in Blink, and heap overflow bugs in pdfium, as well as 3 medium risk bugs, including a same origin bypass for images in Blink and parameter sanitization failure bugs in DevTools.
August 3, Help Net Security – (International) Four high-profile vulnerabilities in HTTP/2 revealed. Imperva released a report at the Black Hat USA 2016 conference documenting four high-profile vulnerabilities in Hypertext Transfer Protocol version 2 (HTTP/2). Researchers from the Imperva Defense Center found an HPACK Bomb attack resembling a zip bomb, a dependency cycle attack that takes advantage of HTTP/2’s flow control mechanisms for network optimization, stream multiplexing abuse that results in denial-of-service to legitimate users, and Slow Read attacks in server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The vendors of the HTTP/2 protocol mechanisms released patches for the issues.
August 3, Softpedia – (International) Venmo fixes hole that allowed attackers to steal $2,999.99 per week using Siri. Venmo patched an attack vector in its digital wallet service after a security researcher discovered that a malicious actor with physical access to a victim’s iPhone could exploit design flaws in Venmo and Apple’s iPhone operating system (iOS) to approve roughly $3,000 a week in money requests. The attack worked by instructing Siri to send a message to a Venmo five-digit phone number on an iOS device that would handle the payment request instead of showing app notifications to the user. Venmo removed the Short Message Service (SMS) “reply-to-pay” functionality and made other smaller patches for issues that left the service vulnerable to similar attacks.
Above reprinted from the USDHS Daily Open Source Infrastructure Report