December 1, Securityweek – (International) Unpatched flaws allow hackers to compromise Belkin routers. A researcher discovered multiple vulnerabilities affecting Belkin’s N150 wireless home routers, including an HTML/script injection flaw in the “language” parameter that renders the device’s web interface inoperable; a session hijacking vulnerability in which the session ID is a fixed hexadecimal string, allowing an attacker to recover it through a brute force attack and obtain data; and a remote control access flaw that allows an attacker to gain root privileges, among other vulnerabilities.
December 1, Securityweek – (International) Schneider patches RCE flaws in ProClima software. Schneider Electric released security updates for its ProClima product addressing a series of vulnerabilities, including a remote code execution (RCE) flaw that can enable a remote attacker to execute unauthorized code via ActiveX controls loaded in the Internet Explorer web browser. The product is deployed in the U.S. and Europe in sectors such as energy, critical manufacturing, and commercial facilities.
December 1, Securityweek – (International) Videofied Alarm System flaws allow hackers to intercept data. Researchers from U.K.-based Cybergibbons identified high severity vulnerabilities in RSI Video Technologies’ Videofied alarm systems, including CVE-2015-8252 and CVE-2015-8253, which allow remote attackers to derive the device’s authentication key from its serial number, transmitted in plain text, and enable hackers to spoof alarms and intercept data, including plain-text messages and MJPEG video files. The vulnerabilities affect devices sold in over 70 countries.
November 30, Securityweek – (International) OpenSSL to patch several vulnerabilities. The OpenSSL Project announced November 30 that it will release scheduled updates December 3 addressing several OpenSSL vulnerabilities with severities ranging from low to high, including flaws that can be exploited remotely to compromise a server’s private key, vulnerabilities that disclose the contents of server memory, and flaws where remote code execution is possible in common situations.