Security News

SEC Consult SA-20241015-0 :: Multiple Vulnerabilities in Rittal IoT Interface & CMC III Processing Unit (CVE-2024-47943, CVE-2024-47944, CVE-2024-47945)

Full Disclosure - 20 October, 2024 - 21:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 20

CVE-2024-48939: Unauthorized enabling of API in Paxton Net2 software

Full Disclosure - 20 October, 2024 - 21:42

Posted by Jeroen Hermans via Fulldisclosure on Oct 20

CloudAware Security Advisory

CVE-2024-48939: Unauthorized enabling of API in Paxton Net2 software

========================================================================
Summary
========================================================================
Bypass of Paxton Net2 API license. Possible leaking of PII and access to
admin functionality.
No physical access to computer running Paxton Net2 is required....

Grace Hopper and the Rebirth of US Conferences

Daily Dave - 10 October, 2024 - 08:43

Posted by Dave Aitel via Dailydave on Oct 10

I spent some time watching all the Grace Hopper videos on the youtubes, as
I prepared for what up North is a horrible storm, but here in Miami is, so
far, a breezy and clear day. You can hear her talk about how subroutines
used to be literal handwritten pages of instructions in notebooks. When you
wanted SIN or COS you would go over to whoever had the notebook with the
working version, and copy it out into your code.

It was this experience that...

SEC Consult SA-20241009-0 :: Local Privilege Escalation via MSI installer in Palo Alto Networks GlobalProtect (CVE-2024-9473)

Full Disclosure - 9 October, 2024 - 22:32

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 09

Developing Clairvoyance

Daily Dave - 30 September, 2024 - 12:04

Posted by Dave Aitel via Dailydave on Sep 30

As you know, humans like to invent comfort words. One of my favorites is
"luck". The theory being that yes, the universe has dice, but they are
loaded in your favor. Properly used, these words are a spell - they allow
us to have courage when a sober mind would quail. But when you become a
professional, you have to give up these crutches. Only poor poker players
believe in "luck".

In computer science, and especially in machine...

Re: sboms and LLMs

Daily Dave - 12 September, 2024 - 15:19

Posted by Adrian Sanabria via Dailydave on Sep 12

We've been talking about and giving "Beyond the SBOM" presentations for a
while now, but to your point, I don't see anyone actually doing it.

If Solarwinds said "here's a script that will lock down your host firewall
to just the outbound access our tools need to update themselves", that
would be amazing, and would have saved everyone some time and trouble a few
years ago.

And Biden's EO...

Re: sboms and LLMs

Daily Dave - 12 September, 2024 - 05:18

Posted by Isaac Dawson via Dailydave on Sep 12

Well this is rather timely! Although I'm not sure using an LLM for the
behavioral aspect is entirely necessary. I've been working on an
experimental system that does just what you talk about for dependencies (
https://docs.gitlab.com/ee/user/application_security/dependency_scanning/experiment_libbehave_dependency.html,
pre-alpha!). My solution uses static analysis because I'm a fan of
determinism.

Snark aside, looking at behaviors...

sboms and LLMs

Daily Dave - 11 September, 2024 - 12:52

Posted by Dave Aitel via Dailydave on Sep 11

People doing software security often use LLMs more as orchestrators than
anything else. But there's so many more complicated ways to use them in our
space coming down the pipe. Obviously the next evolution of SBOMs
<https://www.cisa.gov/resources-tools/resources/cisa-sbom-rama> is that
they represent not just what is contained in the code as some static tree
of library dependencies, but also what that code does in a summary fashion...