Original release date: July 31, 2015 The National Cybersecurity and Communications Integration Center (NCCIC) and its partners responded to a series of data breaches in the public and private sector over the last year, helping organizations through incident response actions, conducting damage assessments, and implementing restoration and mitigation actions. During NCCIC’s recent work, following best practices proved extremely effective in protecting networks, the information residing on them, and the equities of information owners. The recently updated National Institute of Standards and Technology Cybersecurity Framework highlights best practices
Vulnerability Note VU#360431 Chiyu Technology fingerprint access control contains multiple vulnerabilities Original Release date: 31 Jul 2015 | Last revised: 31 Jul 2015 Overview Multiple models of Chiyu Technology fingerprint access control devices contain a cross-site scripting (XSS) vulnerability and an authentication bypass vulnerability. Description CWE-80 : Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) – CVE-2015-2870 According to the reporter, tags are not filtered out of a URL passed to the device, allowing an attacker to perform a reflected XSS attack
VU#577140: BIOS implementations fail to properly set UEFI write protections after waking from sleep mode
Vulnerability Note VU#577140 BIOS implementations fail to properly set UEFI write protections after waking from sleep mode Original Release date: 30 Jul 2015 | Last revised: 30 Jul 2015 Overview Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash. Description According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890): There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset.
Original release date: July 28, 2015 ISC has released security updates to address a vulnerability in BIND. Exploitation of this vulnerability may allow a remote attacker to cause a denial of service condition. Updates available include: BIND 9-version 9.9.7-P2 BIND 9-version 9.10.2-P3 Users and administrators are encouraged to review ISC Knowledge Base Article AA-01272 and apply the necessary updates.
Original release date: July 28, 2015 Android devices running Android versions 2.2 through 5.1.1_r4 contain vulnerabilities in the Stagefright media playback engine. Exploitation of these vulnerabilities may allow an attacker to access multimedia files or potentially take control of a vulnerable device. Users and administrators are encouraged to review Vulnerability Note VU#924951 for more information
Vulnerability Note VU#924951 Android Stagefright contains multiple vulnerabilities Original Release date: 28 Jul 2015 | Last revised: 28 Jul 2015 Overview Stagefright is the media playback service for Android, introduced in Android 2.2 (Froyo). Stagefright contains multiple vulnerabilities, including several integer overflows, which may allow a remote attacker to execute code on the device. Description According to a Zimperium zLabs blog post , Android’s Stagefright engine contains multiple vulnerabilities, including several integer overflows, allowing a remote attacker to access files or possibly execute code on the device.
Original release date: July 27, 2015 A vulnerability affecting the Uconnect software from FCA has been reported. Exploitation of this vulnerability may allow an unauthorized user to take remote control of an affected vehicle, but the attack requires access to Sprint’s cellular network, which connects FCA vehicles to the Internet
Original release date: July 27, 2015 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information.
Last week, FortiGuard Labs announced a remote denial of service vulnerability in the Teradata Gateway and Teradata Express. Teradata is a leading provider of big data solutions including business intelligence, data warehousing, CRM, and more. Many hi…