Aggregator

HackerNews 编译，转载请注明出处： 据Patchstack称，一款名为Modular DS的WordPress插件中一个严重性最高的安全漏洞正在野外被活跃利用。 该漏洞被追踪为CVE-2026-23550（CVSS评分：10.0），被描述为影响插件2.5.1及之前所有版本的未授权权限提升漏洞。该漏洞已在2.5.2版本中修复。该插件拥有超过40,000个有效安装。 “在2.5.1及以下版本中，由于直接路由选择、绕过身份验证机制以及自动以管理员身份登录等多种因素结合，该插件存在权限提升漏洞，” Patchstack表示。 问题根源在于其路由机制，该机制本应将某些敏感路由置于身份验证屏障之后。该插件将其路由暴露在/api/modular-connector/前缀下。 然而，研究发现，每当启用”直接请求”时，通过提供设置为”mo”的”origin”参数和设置为任意值（例如"origin=mo&type=xxx"）的”type”参数，即可绕过此安全层。这将导致请求被视作Modular直接请求。 “因此，一旦网站已连接到Modular（令牌存在/可续订），任何人都可以通过身份验证中间件：传入请求与Modular本身之间没有加密链接，” Patchstack解释道。 “这将暴露多个路由，包括/login/、/server-information/、/manager/和/backup/，这些路由允许执行从远程登录到获取敏感系统或用户数据等多种操作。” 由于此漏洞的存在，未经身份验证的攻击者可利用/login/{modular_request}路由获取管理员访问权限，从而导致权限提升。这可能为攻击者完全入侵网站铺平道路，使其能够引入恶意更改、植入恶意软件或将用户重定向到诈骗网站。 根据该WordPress安全公司分享的详细信息，利用该漏洞的攻击据称首次于2026年1月13日世界标准时间凌晨2点左右被检测到，攻击通过向端点/api/modular-connector/login/发起HTTP GET调用，随后尝试创建管理员用户。 攻击源自以下IP地址： 45.11.89[.]19 185.196.0[.]11 鉴于CVE-2026-23550正被活跃利用，建议插件用户尽快更新至已修复的版本。 “此漏洞突显了当暴露于公共互联网时，对内网请求路径的隐性信任可能有多么危险，” Patchstack指出。 “在此案例中，问题并非由单一错误引起，而是由多个设计选择共同导致：基于URL的路由匹配、宽松的’直接请求’模式、仅基于站点连接状态的身份验证，以及自动回退到管理员账户的登录流程。”   消息来源：thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

HackerNews 编译，转载请注明出处： 亚马逊网络服务CodeBuild中的一个关键配置错误，可能导致攻击者完全接管该云服务提供商自身的GitHub仓库，包括其AWS JavaScript SDK，从而使每个AWS环境面临风险。 该漏洞被云安全公司Wiz命名为CodeBreach。在2025年8月25日进行负责任披露后，AWS已于2025年9月修复了该问题。 “通过利用CodeBreach，攻击者可能注入恶意代码，发起一次平台级的入侵，不仅可能影响无数依赖该SDK的应用程序，还可能威胁到控制台本身，危及每一个AWS账户，”研究员Yuval Avrahami和Nir Ohfeld在分享给The Hacker News的一份报告中表示。 Wiz指出，该漏洞源于持续集成流水线中的一个弱点，可能使未经身份验证的攻击者入侵构建环境、泄露特权凭证（如GitHub管理员令牌），然后利用这些令牌向受入侵的仓库推送恶意更改——从而为供应链攻击开辟了路径。 换言之，该问题削弱了AWS引入的Webhook过滤器，这些过滤器旨在确保只有特定事件才会触发CI构建。例如，可以配置AWS CodeBuild，使其仅在代码变更提交到特定分支，或者GitHub或GitHub Enterprise Server账户ID（亦称ACTOR_ID或参与者ID）匹配正则表达式模式时才触发构建。这些过滤器旨在防范不受信任的拉取请求。 此配置错误影响了以下由AWS管理的开源GitHub仓库，这些仓库被配置为在拉取请求时运行构建：aws-sdk-js-v3 aws-lc amazon-corretto-crypto-provider awslabs/open-data-registry 这四个项目都实施了ACTOR_ID过滤器，但存在一个”致命缺陷”：它们未包含确保完全正则表达式（regex）匹配所需的两个字符——即起始锚点 ^ 和结束锚点 $。相反，正则表达式模式允许任何是受批准ID超字符串（例如，755743）的GitHub用户ID绕过过滤器并触发构建。 由于GitHub按顺序分配数字用户ID，Wiz表示能够预测新用户ID（目前为9位长）大约每五天就会”超过”一位受信任维护者的六位ID。这一洞察，结合使用GitHub应用来自动化应用创建（这反过来会创建一个对应的机器人用户），使得通过触发数百次新的机器人用户注册来生成目标ID（例如226755743）成为可能。 一旦获得了参与者ID，攻击者现在就可以触发构建，并获取aws-sdk-js-v3 CodeBuild项目的GitHub凭证，即属于aws-sdk-js-automation用户的个人访问令牌（PAT），该用户拥有对该仓库的完全管理员权限。 攻击者可以利用这种提升后的访问权限，直接将代码推送到主分支、批准拉取请求、窃取仓库机密，最终为供应链攻击铺平道路。 “上述仓库为AWS CodeBuild Webhook过滤器配置的正则表达式原本旨在限制受信任的参与者ID，但存在不足，允许通过可预测获取的参与者ID获得对受影响仓库的管理权限，” AWS在今天发布的一份公告中表示。 “我们可以确认，这些是这些仓库Webhook参与者ID过滤器特定于项目的错误配置，而非CodeBuild服务本身的问题。” 亚马逊还表示，它已修复了已识别的问题，并实施了额外的缓解措施，例如凭证轮换和保障包含GitHub令牌或内存中任何其他凭证的构建流程安全的步骤。它进一步强调，没有发现CodeBreach在野外被利用的证据。 为降低此类风险，必须确保不受信任的贡献不会触发特权CI/CD流水线，可通过启用新的”拉取请求评论批准”构建门控功能、使用CodeBuild托管的运行器通过GitHub工作流管理构建触发器、确保Webhook过滤器中的正则表达式模式使用锚点、为每个CodeBuild项目生成唯一的PAT、将PAT的权限限制在所需的最低范围，并考虑为CodeBuild集成使用一个专用的无特权GitHub账户来实现。 网络安全 “此漏洞是一个典型的例子，说明了为什么攻击者将CI/CD环境作为目标：一个微妙、容易被忽视的缺陷，却能被利用来造成巨大影响，” Wiz研究员指出。”复杂性、不可信数据和特权凭证的结合，为无需事先访问即可造成高影响入侵创造了完美风暴。” 这并非CI/CD流水线安全首次受到审视。去年，Sysdig的研究详细阐述了如何利用与pull_request_target触发器相关的、不安全的GitHub Actions工作流来窃取特权的GITHUB_TOKEN，并通过单个来自分叉的拉取请求，未经授权访问数十个开源项目。 Orca Security的一项类似的两部分分析发现，谷歌、微软、英伟达和其他财富500强公司的项目中存在不安全的pull_request_target配置，这可能允许攻击者运行任意代码、窃取敏感机密，并向受信任的分支推送恶意代码或依赖项。这种现象被称为pull_request_nightmare。 “通过滥用通过pull_request_target触发的、配置不当的工作流，攻击者可能从一个不受信任的分叉拉取请求，升级到在GitHub托管的甚至自托管的运行器上执行远程代码（RCE），”安全研究员Roi Nisimi指出。 “使用pull_request_target的GitHub Actions工作流，绝不应在没有适当验证的情况下检出不受信任的代码。一旦这样做，它们就面临完全入侵的风险。”     消息来源：thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability described as critical has been identified in Linux Kernel up to 6.1.159/6.6.119/6.12.63/6.18.2. Affected by this vulnerability is an unknown functionality of the component hwmon. Such manipulation leads to race condition. This vulnerability is documented as CVE-2025-71111. The attack requires being on the local network. There is not any exploit available. Upgrading the affected component is recommended.

A vulnerability has been found in Linux Kernel up to 6.12.63/6.18.2 and classified as critical. Impacted is the function UASM_i_LA_mostly of the component MIPS. This manipulation causes memory corruption. This vulnerability is handled as CVE-2025-71109. The attack can only be done within the local network. There is not any exploit available. The affected component should be upgraded.

A vulnerability has been found in Linux Kernel up to 6.18.2/6.19-rc1 and classified as critical. This affects the function defer_free. Performing a manipulation results in use after free. This vulnerability is known as CVE-2025-71110. Access to the local network is required for this attack. No exploit is available. The affected component should be upgraded.

A vulnerability was found in Linux Kernel up to 6.0.2 and classified as critical. Affected by this vulnerability is an unknown functionality of the file fs/ext4/inode.c of the component ext4. The manipulation results in allocation of resources. This vulnerability was named CVE-2022-50435. The attack needs to be approached within the local network. There is no available exploit. It is suggested to upgrade the affected component.

MuddyWater 使用 RustyWater 针对中东多个行业；“金眼狗”组织水坑网站攻击活动分析；DarkHotel利用U盘内安装程序传播恶意载荷；Void Blizzard组织利用慈善基金会诱饵针对乌克兰国防部署后门

Overview On January 14, NSFOCUS CERT detected that Microsoft released the January Security Update patch, which fixed 112 security issues involving widely used products such as Windows, Microsoft Office, Microsoft SQL Server, Azure, etc., including high-risk vulnerability types such as privilege escalation and remote code execution. Among the vulnerabilities fixed by Microsoft’s monthly update this […]

The post Microsoft’s January Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

The post Microsoft’s January Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on Security Boulevard.

上周日的直播，我们聊了关于安全BP工作的关键，获得了很多反馈，在我们的粉丝社群里，各位大佬们也进行了非常热烈的讨论。 在此要感谢大家给我直播内容的这些正反馈，也要感谢最初提出相关问题的朋友，一个好的问题才能有好的答案，也欢迎大家持续提出想讨论的话题和问题。 那与此同时，其实也有不少朋友在问，安全BP体系到底要怎么建才靠谱。虽然现在越来越多企业已经意识到，安全要落地，离不开贴近业务的BP支撑，但实际操作中却经常遇到职责不清、组织难搭、落地卡壳的问题。 那么安全BP到底该聚焦哪些核心职责？怎么搭建起适配企业的安全BP组织？建好之后又该如何稳步落地见效？ 本周日（1月18日）晚上19:30，我就专门聚焦“成熟的安全BP体系建设”这个主题，围绕大家关心的关键问题，从安全BP组织的职责定位、组织建设、体系落地三个维度，和大家深入拆解其中的逻辑与方法。 欢迎朋友们点击下方卡片预约直播，咱们一起把安全BP体系建设的思路捋清楚，解决实际落地中的痛点难题！

A vulnerability identified as critical has been detected in Linux Kernel up to 6.4.6. This affects an unknown function of the component udf. The manipulation leads to uninitialized pointer. This vulnerability is traded as CVE-2023-53165. Access to the local network is required for this attack to succeed. There is no exploit available. You should upgrade the affected component.

A vulnerability classified as critical was found in Linux Kernel up to 6.4.4. Affected is the function fc_bsg_to_rport of the component qla2xxx. Such manipulation leads to null pointer dereference. This vulnerability is referenced as CVE-2023-53150. The attack needs to be initiated within the local network. No exploit is available. Upgrading the affected component is advised.

A vulnerability was found in Linux Kernel up to 6.1.159/6.6.119/6.12.63/6.18.2/6.19-rc1. It has been rated as critical. This impacts the function mptcp_connect of the component mptcp. The manipulation leads to deadlock. This vulnerability is referenced as CVE-2025-71126. The attack needs to be initiated within the local network. No exploit is available. Upgrading the affected component is advised.

A vulnerability, which was classified as critical, has been found in Google Chrome. Affected by this vulnerability is an unknown functionality of the component ANGLE. Performing a manipulation results in use after free. This vulnerability is known as CVE-2026-0908. Remote exploitation of the attack is possible. No exploit is available. It is advisable to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.1.159/6.6.119/6.12.63/6.18.2. The impacted element is the function f2fs_zero_range of the file fs/f2fs/extent_cache.c of the component f2fs. Such manipulation leads to allocation of resources. This vulnerability is uniquely identified as CVE-2025-68796. The attack can only be initiated within the local network. No exploit exists. You should upgrade the affected component.

A vulnerability described as critical has been identified in Linux Kernel up to 6.1.159/6.6.119/6.12.63/6.18.2. The affected element is the function x86_pmu_stop of the component NMI Handler. The manipulation results in null pointer dereference. This vulnerability is reported as CVE-2025-68798. The attacker must have access to the local network to execute the attack. No exploit exists. Upgrading the affected component is recommended.

A vulnerability was found in Linux Kernel up to 6.12.63/6.18.2/6.19-rc1. It has been classified as critical. This affects an unknown part. This manipulation of the argument num_syncs causes allocation of resources. The identification of this vulnerability is CVE-2025-68802. The attack needs to be done within the local network. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability was found in Linux Kernel up to 6.18.2/6.19-rc1. It has been declared as critical. This vulnerability affects the function drm_sched_stop of the component amdgpu. Such manipulation leads to use after free. This vulnerability is referenced as CVE-2025-68793. The attack needs to be initiated within the local network. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability categorized as critical has been discovered in Linux Kernel up to 6.1.159/6.6.119/6.12.63/6.18.2/6.19-rc1. Impacted is the function spectrum_router of the component mlxsw. Executing a manipulation can lead to improper update of reference count. This vulnerability is tracked as CVE-2025-68801. The attack is only possible within the local network. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability labeled as critical has been found in Linux Kernel up to 6.1.159/6.6.119/6.12.63/6.18.2/6.19-rc1. Affected by this issue is the function spectrum_mr of the component mlxsw. Such manipulation leads to use after free. This vulnerability is documented as CVE-2025-68800. The attack requires being on the local network. There is not any exploit available. The affected component should be upgraded.