
D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported.

https://www.bleepingcomputer.com/news/security/d-link-says-it-is-not-fixing-four-rce-flaws-in-dir-846w-routers/

CVE-2024-45310: runc can be tricked into creating empty files/directories on host

https://seclists.org/oss-sec/2024/q3/237

SecureLayer7: CVE-2024-37084: Spring Cloud Remote Code Execution
SecureLayer7 has been churning out zero-day vulnerabilities (publicly releasing information about vulnerabilities without a coordinated vulnerability disclosure with the impacted vendor or assigning CVEs) and proofs of concept for vulnerabilities. According to Spring.io, Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing platform deployed in Cloud Foundry and Kubernetes. CVE-2024-37084 (9.8 CRITICAL) is an arbitrary file write. SecureLayer7 used patch diffing to determine that it’s an insecure deserialization vulnerability that leads to remote code execution, and provides a proof of concept for it.


Mozilla Foundation security advisories:

  • 2024-39 Security Vulnerabilities fixed in Firefox 130
  • 2024-40 Security Vulnerabilities fixed in Firefox ESR 128.2
  • 2024-41 Security Vulnerabilities fixed in Firefox ESR 115.15
  • 2024-42 Security Vulnerabilities fixed in Focus for iOS 130

No mention of Firefox for iOS or Thunderbird (which would arrive in 2 separate advisories). Expect future advisories likely later today. No mention of exploitation.

Edited to include late advisory for Focus for iOS 130.

@jerry Hi! infosec.place throwing 504s again for the main timeline :( Could you please take a look?

The recording of our @WEareTROOPERS presentation is now online, enjoy!

- IBM i for Wintel Hackers

https://www.youtube.com/watch?v=t4fUvfzgUbY


Analysis of CVE-2024-37084: Spring Cloud Remote Code Execution https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/

Off-by-One 2024 Day 1 - Keynote : Breaking Into Vulnerability Research: Dr Silvio Cesare

https://www.youtube.com/watch?v=tAmjkfO3-Ow
:O

"The TMS9900 is bonkers. Big endian, has no stack pointer, and there's an instruction to execute the contents of a register as if it were an instruction in memory." - @travisgoodspeed

"Mike Brent (tursilion) made an awesome TMS9900 code generator for CVBasic, so now it can target TI-99/4A computers. The picture shows Viboritas running in the Classic99 emulator." - @nanochess

https://github.com/nanochess/cvbasic
CVE-2023-41111: Samsung Baseband RLC Data Re-Assembly Buffer Overflow

https://labs.taszk.io/blog/post/93_rlc_bof/

Traceeshark: Deep Linux runtime visibility meets Wireshark https://github.com/aquasecurity/traceeshark


'The Dutch Data Protection Authority imposes a fine of 30.5 million euro and orders subject to a penalty for non-compliance up to more than 5 million euro on Clearview AI... Clearview has built an illegal database with billions of photos of faces, including of Dutch people. The Dutch DPA warns that using the services of Clearview is also prohibited.' https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-on-clearview-because-of-illegal-data-collection-for-facial-recognition

[RSS] The CoInitializeSecurity function demands an absolute security descriptor

https://devblogs.microsoft.com/oldnewthing/20240902-00/?p=110201

Zero Trust Environments
