Vulnerability Note VU#566724 Embedded devices use non-unique X.509 certificates and SSH host keys Original Release date: 25 Nov 2015 | Last revised: 25 Nov 2015 Overview Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks. Description CWE-321: Use of Hard-coded Cryptographic Key – Multiple CVEs Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository, scans.io (specifically, see the SSH results and SSL certificates).
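The matching step described above (fingerprint a key found in a firmware image, then look for the same fingerprint across Internet-wide scan results) can be reproduced with a short script. The block below is an added example, not code from CERT/CC, SEC Consult or scans.io; the product names, the 203.0.113.0/24 addresses and the key blobs in `FIRMWARE_KEYS` and `SCAN_RESULTS` are constructed stand-ins (the blobs are not real RSA keys), and the `ssh_fingerprint`, `x509_fingerprint`, `find_shared_keys` and `match_firmware_keys` names are this example's own. It also reports keys that are shared by several hosts even when no firmware image has been attributed to them yet, which is how new affected products are usually spotted.

```python
"""Flag non-unique SSH host keys in scan data and match them to keys
extracted from firmware images (added example; constructed sample data)."""
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a known_hosts/authorized_keys
    style line ('ssh-rsa AAAA... [comment]'): 'SHA256:' followed by the
    unpadded base64 of SHA-256 over the raw key blob."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def x509_fingerprint(cert_der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint of a DER certificate,
    the format printed by 'openssl x509 -fingerprint -sha256'. The same
    value keys the certificate side of the scan data."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def _constructed_key(seed: bytes) -> str:
    """Constructed stand-in for a public key line: an 'ssh-rsa' type string
    followed by pseudo-random bytes. Not a real key; only its uniqueness
    matters for the example."""
    blob = b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest()
    return "ssh-rsa " + base64.b64encode(blob).decode()


# Keys "extracted" from unpacked firmware images (constructed, hypothetical
# product names).
FIRMWARE_KEYS = {
    "vendor-A-gateway-fw-1.0": _constructed_key(b"firmware-A"),
    "vendor-B-camera-fw-2.3": _constructed_key(b"firmware-B"),
}

# (host, host key line) pairs as a scan would report them (constructed).
SCAN_RESULTS = [
    ("203.0.113.5", FIRMWARE_KEYS["vendor-A-gateway-fw-1.0"]),
    ("203.0.113.9", FIRMWARE_KEYS["vendor-A-gateway-fw-1.0"]),
    ("203.0.113.17", FIRMWARE_KEYS["vendor-A-gateway-fw-1.0"]),
    ("203.0.113.22", _constructed_key(b"unique-host-22")),
    ("203.0.113.40", _constructed_key(b"shared-unknown")),
    ("203.0.113.41", _constructed_key(b"shared-unknown")),
]


def find_shared_keys(host_keys, min_hosts=2):
    """Group hosts by host-key fingerprint and return {fingerprint: [hosts]}
    for every key seen on at least min_hosts distinct hosts. A host key that
    is legitimately unique never appears here."""
    by_fp = defaultdict(set)
    for host, key in host_keys:
        by_fp[ssh_fingerprint(key)].add(host)
    return {fp: sorted(h) for fp, h in by_fp.items() if len(h) >= min_hosts}


def match_firmware_keys(host_keys, firmware_keys):
    """Return {product: [hosts]} for every scanned host whose host key has
    the same fingerprint as a key embedded in that product's firmware."""
    product_by_fp = {ssh_fingerprint(k): p for p, k in firmware_keys.items()}
    hits = defaultdict(set)
    for host, key in host_keys:
        product = product_by_fp.get(ssh_fingerprint(key))
        if product is not None:
            hits[product].add(host)
    return {p: sorted(h) for p, h in hits.items()}


if __name__ == "__main__":
    for product, hosts in match_firmware_keys(SCAN_RESULTS, FIRMWARE_KEYS).items():
        print(f"{product}: hard-coded key live on {len(hosts)} hosts: {hosts}")
    attributed = {ssh_fingerprint(k) for k in FIRMWARE_KEYS.values()}
    for fp, hosts in find_shared_keys(SCAN_RESULTS).items():
        if fp not in attributed:
            print(f"{fp}: shared by {hosts}, no firmware image attributed yet")
```

Run against real data, the input for `SCAN_RESULTS` would be the host-key column of an SSH scan and `FIRMWARE_KEYS` the public halves of the key files found under the unpacked image (typically `/etc/ssh/ssh_host_*_key.pub` or the certificate bundled next to the web server). Any product that turns up in `match_firmware_keys` has a private key that every other owner of the same firmware also holds, which is exactly the condition the note describes.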
Vulnerability Note VU#925497 Dell System Detect installs root certificate and private key (DSDTestProvider) Original Release date: 24 Nov 2015 | Last revised: 24 Nov 2015 Overview Dell System Detect installs the DSDTestProvider certificate into the Trusted Root Certificate Store on Microsoft Windows systems. The certificate includes the private key. This allows attackers to create trusted certificates and perform impersonation, man-in-the-middle (MITM), and passive decryption attacks, resulting in the exposure of sensitive information.
Vulnerability Note VU#428280 CSL DualCom GPRS CS2300-R alarm signalling boards contain multiple vulnerabilities Original Release date: 23 Nov 2015 | Last revised: 23 Nov 2015 Overview CSL DualCom GPRS CS2300-R alarm signalling boards, firmware versions v1.25 to v3.53, contain multiple vulnerabilities. Description CSL DualCom GPRS CS2300-R alarm signalling boards are supervised premises transmitters (SPT) that notify alarm receiving centres (ARC) when an alarm system is tripped. According to researcher Andrew Tierney, CS2300-R boards are vulnerable to signal spoofing and tampering due to the vendor's use of a weak communications protocol and a proprietary encryption scheme.
VU#419568: Arris cable modems generate passwords deterministically and contain XSS and CSRF vulnerabilities
Vulnerability Note VU#419568 Arris cable modems generate passwords deterministically and contain XSS and CSRF vulnerabilities Original Release date: 20 Nov 2015 | Last revised: 20 Nov 2015 Overview Multiple models of Arris cable modems contain multiple, deterministically generated backdoor passwords, as well as multiple cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities. Description CWE-255: Credentials Management – CVE-2009-5149 The 'password of the day' for multiple models of Arris cable modems is generated using a publicly known algorithm.
Original release date: November 17, 2015 Adobe has released security updates to address multiple vulnerabilities in ColdFusion, LiveCycle Data Services, and Adobe Premiere Clip.
Overview WooCommerce is an open source e-commerce plugin for WordPress. It is designed for small to large-sized online merchants using WordPress.
Original release date: November 16, 2015 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT).
Overview Infoblox is a network controller company that provides network automation and domain name system (DNS) security through appliance-based solutions. These products enable and secure dynamic network and data center infrastructures.