dcsimg

MikroTik RouterOS Vulnerabilities: There’s More to CVE-2018-14847

In the course of preparing his Derbycon 8.0 presentation on RouterOS vulnerabilities, Tenable Researcher Jacob Baines discovered more to CVE-2018-14847 than originally known. Here’s how it could allow an unauthenticated remote attacker to gain access to the underlying operating system of MikroTik routers. While preparing for his Oct. 7 Derbycon 8.0 presentation on RouterOS vulnerabilities, … [Read more...]

Tenable Research Advisory: Multiple Vulnerabilities Discovered in MikroTik’s RouterOS

Tenable Research has discovered several vulnerabilities in RouterOS, an operating system used in MikroTik routers, the most critical of which would allow attackers to potentially gain full system access. Tenable Research has discovered several vulnerabilities in RouterOS, an operating system used in MikroTik routers. Jacob Baines, the Tenable researcher who made the discovery, presented the talk … [Read more...]

Tenable Research Advisory: Peekaboo Critical Vulnerability in NUUO Network Video Recorder

Tenable Research has discovered a critical vulnerability named Peekaboo permitting remote code execution in IoT network video recorders for video surveillance systems that would allow attackers to remotely view feeds and tamper with recordings. Tenable Research discovered two vulnerabilities in NUUO’s Network Video Recorder software. The first is a critical unauthenticated stack buffer overflow … [Read more...]

Peekaboo: Don’t Be Surprised by These Not So Candid Cameras

Tenable Research discovered a major software flaw, dubbed Peekaboo, which gives cyber criminals control of certain video surveillance cameras, allowing them to secretly monitor, tamper with and even disable feeds. Here’s a quick look at what we know today. What’s Peekaboo? Peekaboo is a security vulnerability in software made by NUUO, a global video surveillance vendor. The software is used in … [Read more...]

Cisco Critical Advisories for September Includes Patch for Struts Vulnerability

Cisco has released advisories for 29 issues, including three critical vulnerabilities. The update also includes a patch for CVE-2018-11776 in Apache Struts. Background On Wednesday, September 5, Cisco released security advisories for 29 issues, rating three of them as critical. One of these critical vulnerabilities is the Apache Struts vulnerability (CVE-2018-11776) that we wrote about last month. … [Read more...]

August Vulnerability of the Month: Critical Vulnerability in Oracle WebLogic Targeted by Attackers

In August, Tenable Research voted to highlight CVE-2018-2893 in Oracle WebLogic Server because it was almost immediately exploited by multiple threat actors. Novelty, sophistication or just plain weirdness are some of the potential criteria we use to select the Tenable vulnerability of the month. We collect nominations from our 70+ research team members, shortlist the finalists and give the entire … [Read more...]

Leaky Amazon S3 Buckets: Challenges, Solutions and Best Practices

Amazon Web Service (AWS) S3 buckets have become a common source of data loss for public and private organizations alike. Here are five solutions you can use to evaluate the security of data stored in your S3 buckets. For business professionals, the public cloud is a smorgasbord of micro-service offerings which provide rapid delivery of hardware and software solutions. For security and IT … [Read more...]

Underminer Exploit Kit: How Tenable Can Help

The “Underminer” exploit kit is having widespread impact in Asian countries, particularly Japan. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices. Contrary to popular belief, the exploit kit is not dead yet. “Underminer,” an exploit kit named and discovered by Trend Micro, is having widespread impact in Asian countries, particularly … [Read more...]

July Vulnerability of the Month: Two Zero-Days Caught in Development

An Adobe Reader double free vulnerability on Windows and macOS systems earns the nod for its interesting discovery and patch story. Novelty, sophistication or just plain weirdness are some of the potential criteria we use to select the Tenable vulnerability of the month. We collect nominations from our 70+ research team members, shortlist the finalists and give the entire team the chance to vote … [Read more...]

Tenable Research Advisory: Patches Issued For Critical Vulnerabilities in 2 AVEVA SCADA/OT Apps

A new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition can be exploited to compromise sensitive operational technology. AVEVA has released a patch and we advise urgent attention and response from affected end users. Tenable Research discovered a new critical remote code execution (RCE) vulnerability in AVEVA’s Indusoft Web Studio and InTouch … [Read more...]