Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On September 23, 2016

September 22, SecurityWeek – (International) Flaws in Cisco Cloud Services Platform allow command execution. Cisco notified its customers that its Cloud Services Platform (CSP) 2100 version 2.0 was plagued with two vulnerabilities, one of which is a critical vulnerability caused by insufficient sanitization of user input that could allow an unauthenticated attacker to remotely execute arbitrary commands on the operating system with root privileges. Cisco reported the second vulnerability could allow an unauthenticated attacker to execute arbitrary code on a targeted system remotely by sending a malicious “dnslookup” request. Source

September 22, SecurityWeek – (International) Restriction bypass, XSS flaws patched in Drupal 8. The developers of the Drupal content management system (CMS) released versions 8.1.10 and 8.2.0-rc2, patching three serious vulnerabilities: two restriction bypass issues and one cross-site scripting (XSS) flaw. Researchers discovered that, because of inadequate sanitization in Hypertext Transfer Protocol (HTTP) exceptions, an attacker could exploit the XSS flaw to execute arbitrary code in the victim’s browser if a targeted user accesses a maliciously crafted Uniform Resource Locator (URL). Drupal developers also patched a critical vulnerability in the feature that allows Drupal users to export their site’s configuration to a file, which could allow an attacker to download full configuration exports without administrative privileges, among other vulnerabilities. Source

September 21, SecurityWeek – (International) Firefox 49 patches critical, high severity vulnerabilities. Mozilla released Firefox 49 resolving several critical vulnerabilities, including multiple memory safety bugs that could be exploited to execute arbitrary code, as well as a high severity certificate pinning flaw caused by flaws in the process Mozilla uses to update Preloaded Public Key Pinning, which could allow a Man in the Middle (MitM) attacker to replace legitimate add-on updates with malicious versions and execute arbitrary code on a targeted system, among other vulnerabilities. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

September 23, Dark Reading – Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users. But still unconfirmed is whether the newly revealed attack is related to recently dumped Yahoo user credentials in an online cybercrime forum. The other shoe has dropped – maybe. Nearly two months after signs of a Yahoo data breach surfaced with leaked user credentials in the cybercrime underground, Yahoo today confirmed that it had suffered a cyberattack in late 2014 by what the company says was likely a nation-state actor. Some 500 million Yahoo user accounts were stolen and Yahoo is working with law enforcement in an investigation of the attack. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.