Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On November 03, 2016

November 2, The Register – (International) Multiple RCE flaws found in Memcached web speed tool. The Web performance tool Memcached received security patches after a security researcher from Cisco Systems, Inc., discovered that Memcached versions 1.4.31 and earlier were affected by three integer overflow vulnerabilities that could be exploited to achieve remote code execution (RCE) on a targeted system. The flaws are manifested in the Memcached functions used to insert, append, or modify key-value data pairs. The researcher reported that systems with Memcached compiled with support for Simple Authentication and Security Layer (SASL) authentication were also vulnerable to another flaw arising from how Memcached handles SASL authentication commands. Source
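The Memcached item above describes integer overflows in the size arithmetic of key-value insert and append paths. The following C snippet is an added illustration of that bug class and of the check that prevents it; it is not Memcached's code, and the per-item header size, the item-size cap, and the function names are constructed for the example. The unchecked function shows how a length sum silently wraps to a small value (so a later allocation would be far too small for the data copied into it), while the checked version refuses any sum that would wrap or exceed a configured maximum before anything is allocated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values for the example: fixed per-item overhead and a
 * maximum item size a server might enforce (not Memcached's real layout). */
#define ITEM_HEADER_BYTES 48
#define ITEM_TRAILER_BYTES 2            /* "\r\n" after the value */
#define MAX_ITEM_BYTES (1024 * 1024)    /* 1 MiB policy cap */

/* Vulnerable pattern: unsigned addition wraps modulo 2^N, so a huge
 * attacker-supplied length can produce a tiny allocation size. */
size_t item_size_unchecked(size_t key_len, size_t value_len)
{
    return ITEM_HEADER_BYTES + key_len + value_len + ITEM_TRAILER_BYTES;
}

/* Portable overflow-checked addition: fails instead of wrapping. */
static bool add_sz(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Hardened pattern: every addition is checked, and the final total is
 * compared against the policy cap before any memory is requested. */
bool item_size_checked(size_t key_len, size_t value_len, size_t *out)
{
    size_t total;
    if (!add_sz(key_len, value_len, &total))
        return false;
    if (!add_sz(total, ITEM_HEADER_BYTES + ITEM_TRAILER_BYTES, &total))
        return false;
    if (total > MAX_ITEM_BYTES)
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the validated size, or 0 when the request is rejected. */
size_t checked_size_or_zero(size_t key_len, size_t value_len)
{
    size_t n = 0;
    return item_size_checked(key_len, value_len, &n) ? n : 0;
}

/* Allocation path that only trusts lengths after validation. Returns a
 * buffer sized for header + key + value + trailer, or NULL on rejection. */
unsigned char *alloc_item(const char *key, size_t key_len,
                          const unsigned char *value, size_t value_len)
{
    size_t total;
    if (!item_size_checked(key_len, value_len, &total))
        return NULL;
    unsigned char *item = calloc(1, total);
    if (item == NULL)
        return NULL;
    memcpy(item + ITEM_HEADER_BYTES, key, key_len);
    memcpy(item + ITEM_HEADER_BYTES + key_len, value, value_len);
    memcpy(item + ITEM_HEADER_BYTES + key_len + value_len, "\r\n", 2);
    return item;
}

int main(void)
{
    /* A length near SIZE_MAX wraps to a small number in the unchecked path. */
    printf("unchecked size for SIZE_MAX + 100: %zu\n",
           item_size_unchecked(SIZE_MAX, 100));
    /* The checked path rejects the same input (0 = rejected). */
    printf("checked size for SIZE_MAX + 100:   %zu\n",
           checked_size_or_zero(SIZE_MAX, 100));
    /* An ordinary item passes validation and is allocated normally. */
    unsigned char *it = alloc_item("key", 3, (const unsigned char *)"value", 5);
    printf("normal item allocated: %s\n", it ? "yes" : "no");
    free(it);
    return 0;
}
```

The important point for reviewers of similar code is the ordering: the length check happens on the declared sizes before allocation, rather than after a wrapped sum has already been used to size a buffer.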

November 2, SecurityWeek – (International) Security firm discloses unpatched flaws in Schneider HMI product. CRITIFENCE discovered two unpatched denial-of-service (DoS) flaws, dubbed PanelShock, affecting several of Schneider Electric’s Magelis human-machine interface (HMI) panels. The flaws could allow attackers to force affected devices into a DoS condition by sending maliciously crafted Hypertext Transfer Protocol (HTTP) requests, owing to a faulty implementation of HTTP request methods and of resource consumption management mechanisms. Schneider Electric was working to release patches for the security holes. Source

November 1, SecurityWeek – (International) Vulnerability impacts web-exposed SAP systems. A security researcher from Quenta Solutions reported that an information disclosure vulnerability affecting SAP systems, patched in September, still affects over 941 SAP systems exposed to the Internet. The flaw could be exploited to remotely retrieve the list of SAP users from a system and obtain information such as usernames, user IDs, and email addresses that could be used to launch phishing campaigns. Source

October 30, Softpedia – (International) Teen behind Titanium DDoS Stresser pleads guilty in London. A British national pleaded guilty to running Titanium Stresser, a distributed denial-of-service (DDoS) for-hire service that malicious actors used to launch a total of 1.7 million DDoS attacks internationally. Authorities reported that the service operator made over $385,000 in profit from renting his DDoS tools to hackers. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.