Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On May 27, 2015

May 26, Softpedia – (International) Apache HBase fixes denial-of-service, info disclosure flaw. Apache released a fix for a vulnerability in its HBase software in which a remote attacker with network access could create a denial-of-service (DoS) condition and read sensitive information by exploiting insecure Access Control Lists (ACLs) on the ZooKeeper quorum.

May 26, Securityweek – (International) Synology fixes XSS, command injection vulnerabilities in NAS software. Taiwan-based Synology released software updates addressing security vulnerabilities in its DiskStation Manager (DSM) network attached storage (NAS) software, which runs on the company’s DiskStation and RackStation devices. The fixes cover a cross-site scripting (XSS) bug that could allow attackers to steal victims’ session tokens and login credentials or perform arbitrary actions, and a command injection flaw that exposes devices to cross-site request forgery (CSRF) attacks.

May 26, Help Net Security – (International) Massive campaign uses router exploit kit to change routers’ DNS servers. A security researcher discovered an active campaign in which attackers are targeting Google Chrome browser users with cross-site request forgery (CSRF) code attacks via compromised Web sites with the intent of compromising routers and changing their domain name system (DNS) settings to point to a hacker-controlled server. Researchers believe that millions of devices across 55 router models made by several manufacturers have been affected in the campaign.

May 25, Securityweek – (International) New PoS malware hits victims via spam campaign: FireEye. Security researchers at FireEye discovered a new type of point-of-sale (PoS) malware dubbed NitlovePoS that can capture and exfiltrate both Track 1 and Track 2 payment card data from running processes on compromised machines. It is distributed via emails containing Word documents with embedded malicious macros.

May 22, Securityweek – (International) Emerson patches SQL injection vulnerability in ICS product. Emerson’s Process Management group released a software update addressing a structured query language (SQL) injection vulnerability in its AMS Device Manager, in which an attacker could escalate privileges and gain access to administrative functions by supplying malformed input to the software. The AMS Device Manager is part of the AMS Suite and is used in many industrial control systems (ICS) worldwide, especially in the oil, gas, and chemical industries.
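The Emerson item names the vulnerability class (SQL injection leading to privilege escalation) without showing what the defect looks like in code. The following is an added illustration, not Emerson's code and not the AMS Device Manager's schema: it builds a constructed in-memory `users` table, shows a role lookup that pastes user input into the query text beside the parameterized form of the same lookup, and uses a constructed malformed username to show why the first returns an administrator role for the wrong password while the second does not.

```python
import sqlite3

# Constructed sample data standing in for any application that derives
# authorization from a SQL lookup. Hypothetical names, passwords and roles.
SAMPLE_USERS = [
    ("operator", "op-secret", "operator"),
    ("admin", "adm-secret", "administrator"),
]


def build_db():
    """Create a fresh in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_role_vulnerable(conn, name, password):
    """Defective pattern: input is interpolated into the statement text.

    Because the input becomes part of the SQL, a quote character followed by
    a comment marker lets the caller cut off the password condition, so the
    query structure (not just its data) is under the caller's control.
    """
    query = (
        f"SELECT role FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_role_parameterized(conn, name, password):
    """Hardened pattern: bound parameters are passed as data.

    The statement structure is fixed at this call site; whatever the input
    contains is compared as a literal value and cannot alter the query.
    """
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def compare(name, password):
    """Run both lookups on the same input and report what each returns."""
    return {
        "vulnerable": lookup_role_vulnerable(build_db(), name, password),
        "parameterized": lookup_role_parameterized(build_db(), name, password),
    }


if __name__ == "__main__":
    # Constructed malformed input: a quote closes the name literal and "--"
    # comments out the rest of the line in SQLite, dropping the password check.
    malformed_name = "admin' --"
    print("well-formed login:", compare("operator", "op-secret"))
    print("malformed name, wrong password:", compare(malformed_name, "wrong"))
```

The second `compare` call is the whole point: with string interpolation the lookup returns `administrator` for a password that never matched, while the parameterized lookup returns `None`. Parameterization is the fix the page's item implies; input validation can be layered on top but is not a substitute for it.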

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.