Category: US Cert

VU#305096: Comodo Chromodo browser with Ad Sanitizer does not enforce same origin policy and is based on an outdated version of Chromium

Vulnerability Note VU#305096
Original Release date: 04 Feb 2016 | Last revised: 05 Feb 2016

Overview
Comodo Chromodo browser, version 45.8.12.391, and possibly earlier, bundles the Ad Sanitizer extension, version 1.4.0.26, which disables same origin policy, allowing for the possibility of cross-domain attacks by malicious or compromised web hosts. Chromodo is based on an outdated release of Chromium with known vulnerabilities

VU#305096: Comodo Chromodo browser does not enforce same origin policy and is based on an outdated version of Chromium

Vulnerability Note VU#305096
Original Release date: 04 Feb 2016 | Last revised: 04 Feb 2016

Overview
Comodo Chromodo browser, versions 45.8.12.392 and 45.8.12.391, and possibly earlier, does not enforce same origin policy, which allows for the possibility of cross-domain attacks by malicious or compromised web hosts. Chromodo is based on an outdated release of Chromium with known vulnerabilities.

Description
Comodo Chromodo is a web browser that comes packaged with Comodo Internet Security

VU#777024: Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities

Vulnerability Note VU#777024
Original Release date: 03 Feb 2016 | Last revised: 03 Feb 2016

Overview
Netgear Management System NMS300, version 1.5.0.11 and earlier, is vulnerable to arbitrary file upload, which may be leveraged by unauthenticated users to execute arbitrary code with SYSTEM privileges. A directory traversal vulnerability enables authenticated users to download arbitrary files.

Description
Netgear Management System NMS300 is a configuration, monitoring, and diagnostics utility for managing SNMP networked devices via a web interface

VU#544527: OpenELEC and RasPlex have a hard-coded SSH root password

Vulnerability Note VU#544527
Original Release date: 02 Feb 2016 | Last revised: 02 Feb 2016

Overview
OpenELEC and derivatives utilize a hard-coded default root password, and enable SSH root access by default.

Description
CWE-259: Use of Hard-coded Password
OpenELEC has a hard-coded root password. The root partition is by default read-only, preventing a user from changing the password once installed; furthermore, SSH access is enabled by default

VU#719736: Fisher-Price Smart Toy platform allows some unauthenticated web API commands

Vulnerability Note VU#719736
Original Release date: 02 Feb 2016 | Last revised: 02 Feb 2016

Overview
The Fisher-Price Smart Toy does not perform proper authentication of some API commands, and it may also use a vulnerable version of Android.

Description
The Fisher-Price Smart Toy bear is a new WiFi-connected Internet of Things (IoT) toy

VU#972224: Huawei Mobile WiFi E5151 and E5186 routers use insufficiently random values for DNS queries

Vulnerability Note VU#972224
Original Release date: 01 Feb 2016 | Last revised: 01 Feb 2016

Overview
Huawei Mobile WiFi E5151, firmware version 21.141.13.00.1080, and E5186, firmware version V200R001B306D01C00, use insufficiently random values for DNS queries and are vulnerable to DNS spoofing attacks.

Description
CWE-330: Use of Insufficiently Random Values – CVE-2015-8265
Huawei Mobile WiFi E5151 and E5186 routers use static source ports for all DNS queries originating from the local area network (LAN).

SB16-032: Vulnerability Summary for the Week of January 25, 2016

Original release date: February 01, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT)

FTC Announces Enhancements to IdentityTheft.gov

Original release date: January 29, 2016

The Federal Trade Commission (FTC) has upgraded its IdentityTheft.gov site to provide improved help to victims of identity theft. Enhancements include more personalized response plans for consumers, automatic generation of documents to aid in recovery, and better integration of the site with the FTC's consumer complaint system

IRS Releases Tenth Security Tip

Original release date: January 25, 2016

The Internal Revenue Service (IRS) has released the tenth in a series of tips intended to help the public protect personal and financial data online and at home. This tip describes steps tax preparers can take to protect sensitive information. Recommendations include conducting a full scan of all computer drives and files, making sure that tax preparers' security software updates automatically, and using robust security software that helps block malware and viruses