#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

software security | Breaking Cybersecurity News | The Hacker News

Category — software security
Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

Dec 04, 2024 Vulnerability / Software Security
A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory. The flaw, tracked as CVE-2024-10905 , has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2. 8.3, 8.4, and other previous versions. IdentityIQ "allows HTTP access to static content in the IdentityIQ application directory that should be protected," according to a description of the flaw on NIST's National Vulnerability Database (NVD). The vulnerability has been characterized as a case of improper handling of file names that identify virtual resources ( CWE-66 ), which could be abused to read otherwise inaccessible files. There are currently no other details available about the flaw, nor has SailPoint released a security advisory. The exact list of versions impacted by CVE-2024-10905 is listed below - 8.4 and all 8.4 pa...
XML-RPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner

XML-RPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner

Nov 28, 2024 Software Security / Data Breach
Cybersecurity researchers have discovered a software supply chain attack that has remained active for over a year on the npm package registry by starting off as an innocuous library and later adding malicious code to steal sensitive data and mine cryptocurrency on infected systems. The package, named @0xengine/xmlrpc , was originally published on October 2, 2023 as a JavaScript-based XML-RPC server and client for Node.js. It has been downloaded 1,790 times to date and remains available for download from the repository. Checkmarx , which discovered the package, said the malicious code was strategically introduced in version 1.3.4 a day later, harboring functionality to harvest valuable information such as SSH keys, bash history, system metadata, and environment variables every 12 hours, and exfiltrate it via services like Dropbox and file.io. "The attack achieved distribution through multiple vectors: direct npm installation and as a hidden dependency in a legitimate-looking ...
Unlocking Google Workspace Security: Are You Doing Enough to Protect Your Data?

Crowdstrike Named A Leader In Endpoint Protection Platforms

Nov 22, 2024Endpoint Security / Threat Detection
CrowdStrike is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms for the fifth consecutive time, positioned highest on Ability to Execute and furthest to the right on Completeness of Vision.
Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers

Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers

Nov 27, 2024 Vulnerability / Software Security
A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023 , was not officially made available until August 2024 with the release of version r1720 . As of November 26, 2024, it has been assigned the CVE identifier CVE-2024-11680 (CVSS score: 9.8).  Synacktiv, which reported the flaw to the project maintainers in January 2023, described it as an improper authorization check that allows an attacker to execute malicious code on susceptible servers. "An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files," it said in a report published in J...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Google's AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects

Google's AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects

Nov 21, 2024 Artificial Intelligence / Software Security
Google has revealed that its AI-powered fuzzing tool, OSS-Fuzz, has been used to help identify 26 vulnerabilities in various open-source code repositories, including a medium-severity flaw in the OpenSSL cryptographic library. "These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets," Google's open-source security team said in a blog post shared with The Hacker News. The OpenSSL vulnerability in question is CVE-2024-9143 (CVSS score: 4.3), an out-of-bounds memory write bug that can result in an application crash or remote code execution. The issue has been addressed in OpenSSL versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl. Google, which added the ability to leverage large language models (LLMs) to improve fuzzing coverage in OSS-Fuzz in August 2023, said the vulnerability has likely been present in the codebase for two decades and that it "wo...
Oracle Warns of Agile PLM Vulnerability Currently Under Active Exploitation

Oracle Warns of Agile PLM Vulnerability Currently Under Active Exploitation

Nov 20, 2024 Software Security / Vulnerability
Oracle is warning that a high-severity security flaw impacting the Agile Product Lifecycle Management (PLM) Framework has been exploited in the wild. The vulnerability, tracked as CVE-2024-21287 (CVSS score: 7.5), could be exploited sans authentication to leak sensitive information. "This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password," it said in an advisory. "If successfully exploited, this vulnerability may result in file disclosure." CrowdStrike security researchers Joel Snape and Lutz Wolf have been credited with discovering and reporting the flaw. There is currently no information available on who is exploiting the vulnerability, the targets of the malicious activity, and how widespread these attacks are. "If successfully exploited, an unauthenticated perpetrator could download, from the targeted system, files accessible under the privileges used ...
Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System

Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System

Nov 05, 2024 Mobile Security / Vulnerability
Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories, according to a code commit message . There are currently no details about how the vulnerability is being weaponized in real-world attacks, but Google acknowledged in its monthly bulletin that there are indications it "may be under limited, targeted exploitation." The tech giant has also flagged CVE-2024-43047, a now-patched security bug in Qualcomm chipsets, as having been actively exploited. A use-after-free vulnerability in the Digital Signal Processor (DSP) Service, a successful exploitation of the security flaw could lead to memory corrupti...
Critical Flaws in Ollama AI Framework Could Enable DoS, Model Theft, and Poisoning

Critical Flaws in Ollama AI Framework Could Enable DoS, Model Theft, and Poisoning

Nov 04, 2024 Vulnerability / Cyber Threat
Cybersecurity researchers have disclosed six security flaws in the Ollama artificial intelligence (AI) framework that could be exploited by a malicious actor to perform various actions, including denial-of-service, model poisoning, and model theft. "Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including denial-of-service (DoS) attacks, model poisoning, model theft, and more," Oligo Security researcher Avi Lumelsky said in a report published last week. Ollama is an open-source application that allows users to deploy and operate large language models (LLMs) locally on Windows, Linux, and macOS devices. Its project repository on GitHub has been forked 7,600 times to date. A brief description of the six vulnerabilities is below - CVE-2024-39719 (CVSS score: 7.5) - A vulnerability that an attacker can exploit using /api/create an endpoint to determine the existence of a file in the se...
Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine

Google's AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine

Nov 04, 2024 Artificial Intelligence / Vulnerability
Google said it discovered a zero-day vulnerability in the SQLite open-source database engine using its large language model (LLM) assisted framework called Big Sleep (formerly Project Naptime). The tech giant described the development as the "first real-world vulnerability" uncovered using the artificial intelligence (AI) agent. "We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software," the Big Sleep team said in a blog post shared with The Hacker News. The vulnerability in question is a stack buffer underflow in SQLite, which occurs when a piece of software references a memory location prior to the beginning of the memory buffer, thereby resulting in a crash or arbitrary code execution. "This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of t...
Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Oct 30, 2024 Cybercrim / Cryptocurrency
Cybersecurity researchers have discovered a new malicious Python package that masquerades as a cryptocurrency trading tool but harbors functionality designed to steal sensitive data and drain assets from victims' crypto wallets. The package, named "CryptoAITools," is said to have been distributed via both Python Package Index (PyPI) and bogus GitHub repositories. It was downloaded over 1,300 times before being taken down from PyPI. "The malware activated automatically upon installation, targeting both Windows and macOS operating systems," Checkmarx said in a new report shared with The Hacker News. "A deceptive graphical user interface (GUI) was used to distract vic4ms while the malware performed its malicious ac4vi4es in the background." The package is designed to unleash its malicious behavior immediately after installation through code injected into its "__init__.py" file that first determines if the target system is Windows or macOS ...
Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation

Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation

Oct 24, 2024 Vulnerability / Network Security
Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild. Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager ( FGFM ) protocol. "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests," the company said in a Wednesday advisory. The shortcoming impacts FortiManager versions 7.x, 6.x, FortiManager Cloud 7.x, and 6.x. It also affects old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E that have at least one interface with fgfm service enabled and the below configuration on - config system global set fmg-status enable end Fortinet has also provided three workarounds for the flaw depending on the...
CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

Oct 23, 2024 Vulnerability / Threat Intelligence
A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities ( KEV ) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result in remote code execution. "An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," Microsoft said in an alert for the flaw. Patches for the security defect were released by Redmond as part of its Patch Tuesday updates for July 2024. The exploitation risk is compounded by the fact that proof-of-concept (PoC) exploits for the flaw are available in the public domain. "The PoC script [...] automates authentication to a target SharePoint site using NTLM, creates a spe...
Researchers Reveal 'Deceptive Delight' Method to Jailbreak AI Models

Researchers Reveal 'Deceptive Delight' Method to Jailbreak AI Models

Oct 23, 2024 Artificial Intelligence / Vulnerability
Cybersecurity researchers have shed light on a new adversarial technique that could be used to jailbreak large language models (LLMs) during the course of an interactive conversation by sneaking in an undesirable instruction between benign ones. The approach has been codenamed Deceptive Delight by Palo Alto Networks Unit 42, which described it as both simple and effective, achieving an average attack success rate (ASR) of 64.6% within three interaction turns. "Deceptive Delight is a multi-turn technique that engages large language models (LLM) in an interactive conversation, gradually bypassing their safety guardrails and eliciting them to generate unsafe or harmful content," Unit 42's Jay Chen and Royce Lu said. It's also a little different from multi-turn jailbreak (aka many-shot jailbreak) methods like Crescendo , wherein unsafe or restricted topics are sandwiched between innocuous instructions, as opposed to gradually leading the model to produce harmful outpu...
Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers

Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers

Oct 22, 2024 Vulnerability / Software Security
Details have emerged about a now-patched security flaw in Styra's Open Policy Agent ( OPA ) that, if successfully exploited, could have led to leakage of New Technology LAN Manager ( NTLM ) hashes. "The vulnerability could have allowed an attacker to leak the NTLM credentials of the OPA server's local user account to a remote server, potentially allowing the attacker to relay the authentication or crack the password," cybersecurity firm Tenable said in a report shared with The Hacker News. The security flaw, described as a Server Message Block (SMB) force-authentication vulnerability and tracked as CVE-2024-8260 (CVSS score: 6.1/7.3), impacts both the CLI and Go software development kit (SDK) for Windows. At its core, the issue stems from an improper input validation that can lead to unauthorized access by leaking the Net-NTLMv2 hash of the user who is currently logged into the Windows device running the OPA application. However, for this to work, the victim ...
Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser

Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser

Oct 18, 2024 Threat Intelligence / Browser Security
Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user's privacy preferences and access data. The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133 (CVSS score: 5.5). It was addressed by Apple as part of macOS Sequoia 15 by removing the vulnerable code. HM Surf "involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user's data, including browsed pages, the device's camera, microphone, and location, without the user's consent," Jonathan Bar Or of the Microsoft Threat Intelligence team said . Microsoft said the new protections are limited to Apple's Safari browser, and that it's working with other major browser vendors to further explore the benefits of hardening local configuration file...
CISA Warns of Active Exploitation in SolarWinds Help Desk Software Vulnerability

CISA Warns of Active Exploitation in SolarWinds Help Desk Software Vulnerability

Oct 16, 2024 Vulnerability / Data Protection
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain unauthorized access and make modifications. "SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data," CISA said in an advisory. Details of the flaw were first disclosed by SolarWinds in late August 2024, with cybersecurity firm Horizon3.ai releasing additional technical specifics a month later. The vulnerability "allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset req...
New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution

New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution

Oct 11, 2024 DevOps / Vulnerability
GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. Tracked as CVE-2024-9164, the vulnerability carries a CVSS score of 9.6 out of 10. "An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches," GitLab said in an advisory. Of the remaining seven issues, four are rated high, two are rated medium, and one is rated low in severity - CVE-2024-8970 (CVSS score: 8.2), which allows an attacker to trigger a pipeline as another user under certain circumstances CVE-2024-8977 (CVSS score: 8.2), which allows SSRF attacks in GitLab EE instances with Product Analytics Dashboard configured and enabled CVE-...
Firefox Zero-Day Under Attack: Update Your Browser Immediately

Firefox Zero-Day Under Attack: Update Your Browser Immediately

Oct 10, 2024 Vulnerability / Browser Security
Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-9680 (CVSS score: 9.8), has been described as a use-after-free bug in the Animation timeline component. "An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines," Mozilla said in a Wednesday advisory.  "We have had reports of this vulnerability being exploited in the wild." Security researcher Damien Schaeffer from Slovakian company ESET has been credited with discovering and reporting the vulnerability. The issue has been addressed in the following versions of the web browser -  Firefox 131.0.2 Firefox ESR 128.3.1, and Firefox ESR 115.16.1. There are currently no details on how the vulnerability is being exploited in real-world attacks and the identity of the threat actors behind them. T...
Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited

Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited

Oct 08, 2024 Zero-Day / Vulnerability
Ivanti has warned that three new security vulnerabilities impacting its Cloud Service Appliance (CSA) have come under active exploitation in the wild. The zero-day flaws are being weaponized in conjunction with another flaw in CSA that the company patched last month, the Utah-based software services provider said. Successful exploitation of these vulnerabilities could allow an authenticated attacker with admin privileges to bypass restrictions, run arbitrary SQL statements, or obtain remote code execution. "We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 are chained with CVE-2024-8963," the company said . There is no evidence of exploitation against customer environments running CSA 5.0. A brief description of the three shortcomings is as follows - CVE-2024-9379 (CVSS score: 6.5) - SQL injection in the admin web console of Ivanti CSA before version 5.0.2 all...
Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks

Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks

Oct 03, 2024 Mobile Security / Technology
Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks. The cellular baseband (i.e., modem) refers to a processor on the device that's responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface. "This function inherently involves processing external inputs, which may originate from untrusted sources," Sherk Chung and Stephan Chen from the Pixel team, and Roger Piqueras Jover and Ivan Lozano from the company's Android team said in a blog post shared with The Hacker News. "For instance, malicious actors can employ false base stations to inject fabricated or manipulated network packets. In certain protocols like IMS (IP Multimedia Subsystem), this can be executed remotely from any global location using an IMS client." What's more, the firmware powering the...
Progress Software Releases Patches for 6 Flaws in WhatsUp Gold – Patch Now

Progress Software Releases Patches for 6 Flaws in WhatsUp Gold – Patch Now

Sep 27, 2024 Software Security / Vulnerability
Progress Software has released another round of updates to address six security flaws in WhatsUp Gold, including two critical vulnerabilities. The issues, the company said , have been resolved in version 24.0.1 released on September 20, 2024. The company has yet to release any details about what the flaws are other than listing their CVE identifiers - CVE-2024-46905 (CVSS score: 8.8)  CVE-2024-46906 (CVSS score: 8.8)  CVE-2024-46907 (CVSS score: 8.8)  CVE-2024-46908 (CVSS score: 8.8)  CVE-2024-46909 (CVSS score: 9.8), and CVE-2024-8785 (CVSS score: 9.8) Security researcher Sina Kheirkhah of Summoning Team has been credited with discovering and reporting the first four flaws. Andy Niu of Trend Micro has been acknowledged for CVE-2024-46909, while Tenable has been credited for CVE-2024-8785. It's worth noting that Trend Micro recently reported that threat actors are actively exploiting proof-of-concept (PoC) exploits for other recently disclosed security ...
Expert Insights / Articles Videos
Cybersecurity Resources