Aggregator

HackerNews 编译，转载请注明出处： Palo Alto Networks三款防火墙模型经全面评估，发现存在大量已知安全漏洞，这些漏洞影响了设备的固件及安全功能的配置。安全厂商Eclypsium在一份向The Hacker News提供的报告中指出：“这些并非罕见或边缘案例的漏洞，而是非常知名的问题，甚至在消费级笔记本电脑上都不应出现。如果被利用，这些问题可能让攻击者绕过最基本的安全保护机制，如安全启动，并修改设备固件。” 该公司分析的三款Palo Alto Networks防火墙型号分别为PA-3260、PA-1410和PA-415，其中PA-3260已于2023年8月31日正式停售，而其他两款型号仍在全面支持范围内。网络安全方面，发现的漏洞被统称为“PANdora’s Box”，具体包括： CVE-2020-10713（又称BootHole，影响PA-3260、PA-1410和PA-415），指Linux系统中启用了安全启动功能的缓冲区溢出漏洞，可导致安全启动绕过。 CVE-2022-24030、CVE-2021-33627、CVE-2021-42060、CVE-2021-42554、CVE-2021-43323和CVE-2021-45970（影响PA-3260），指一组影响Insyde Software的InsydeH2O UEFI固件的系统管理模式（SMM）漏洞，可能导致权限提升和安全启动绕过。 LogoFAIL（影响PA-3260），指在统一可扩展固件接口（UEFI）代码中发现的一组关键漏洞，利用固件中嵌入的图像解析库漏洞，在系统启动时绕过安全启动并执行恶意代码。 PixieFail（影响PA-1410和PA-415），指UEFI参考实现中TCP/IP网络协议栈的一组漏洞，可能导致代码执行和信息泄露。不安全的闪存访问控制漏洞（影响PA-415），指SPI闪存访问控制配置不当，可能允许攻击者直接修改UEFI并绕过其他安全机制。 CVE-2023-1017（影响PA-415），指可信平台模块（TPM）2.0参考库规范中的越界写入漏洞。 Intel BootGuard泄露密钥绕过（影响PA-1410）。 Eclypsium表示：“这些发现凸显了一个关键事实：即使是为保护而设计的设备，如果安全和维护不当，也可能成为攻击途径。随着威胁行为者继续瞄准安全设备，组织必须采取更全面的供应链安全方法，包括严格的供应商评估、定期固件更新和持续的设备完整性监控。通过了解和解决这些隐藏漏洞，组织可以更好地保护其网络和免受利用安全工具发起的复杂攻击。” 消息来源：The Hacker News, 编译：zhongx；本文由 HackerNews.cc 翻译整理，封面来源于网络；转载请注明“转自 HackerNews.cc”并附上原文

hackernews

Stop credential stuffing! #cybersecurity #credentialtheft #networksecurity

Red Carnary: YouTube Channel

1 year 3 months ago

Red Canary

State and Federal Healthcare Cyber Regs to Watch in 2025

DataBreachToday.com

1 year 3 months ago

Under the Trump administration, the proposed update to the HIPAA Security Rule - issued in the final weeks of the Biden administration - is likely to get trimmed but not totally cut, predicts regulatory attorney Sharon Klein of the law firm Blank Rome. What else should the health sector expect?

Breach Roundup: Researchers Find Flaws in Palo Alto Firewalls

DataBreachToday.com

1 year 3 months ago

Also: US Prosecutors Charge Suspected North Korean IT Worker Collaborators
This week, researchers spied Palo Alto firewall flaws, a North Korean IT worker conspiracy, ChatGPT as DDoS vector. Chinese hackers targeted a VPN maker, a fake PyPI package and a Russian threat actor shifted tactics. BreachForums' admin faces prison, and scammers used the release of Ross Ulbricht.

Securing APIs at Scale: How to Achieve Comprehensive API Visibility and Threat Detection

DataBreachToday.com

1 year 3 months ago

APIs are the backbone of modern applications, enabling connectivity and functionality across diverse systems. However, the growing complexity of API ecosystems introduces vulnerabilities that attackers exploit to disrupt operations, steal data or launch other malicious activities. Without real-time visibility and robust threat detection, businesses face significant risks.

CISA Warns of Flaws in Aircraft Collision Avoidance Systems

DataBreachToday.com

1 year 3 months ago

Hackers Unlikely to Exploit Flaws in the Wild
Security researchers found an unpatchable flaw in the system that prevents commercial aircraft from crashing into each other, the U.S. federal government said in a Tuesday advisory that called the likelihood of its exploitation "unlikely" outside of a laboratory setting.

Lawsuit Claims LinkedIn Used Private Messages to Train AI

DataBreachToday.com

1 year 3 months ago

California User's Class Action Suit Says LinkedIn Violated Contract, Privacy Regs
A LinkedIn user has sued the company for flouting privacy requirements by allowing third-party companies to access user data - including Premium users' private messages - to train their artificial intelligence models. A LinkedIn spokesperson called the lawsuit "false claims with no merit."