The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) 1.1.2 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

CVE-2021-43571: Release v1.1.3 · starkbank/ecdsa-node

Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.

**Impact**

Sean Wright from Secureworks has discovered an enumeration vulnerability. An attacker can make use of the Harbor API to make unauthenticated calls to the Harbor instance. Based on the HTTP status code in the response, an attacker is then able to work out which resources exist, and which do not. This would likely be accomplished by either providing a wordlist or enumerating through a sequence an  
unauthenticated attacker is able to enumerate resources on the system. This provides them with information such as existing projects, repositories, etc.

The vulnerability was immediately fixed by the Harbor team.

**Issue**

The following API resources where found to be vulnerable to enumeration attacks:  
/api/chartrepo/{repo}/prov (POST)  
/api/chartrepo/{repo}/charts (GET, POST)  
/api/chartrepo/{repo}/charts/{name} (GET, DELETE)  
/api/chartrepo/{repo}/charts/{name}/{version} (GET, DELETE)  
/api/labels?name={name}&scope=p (GET)  
/api/repositories?project\_id={id} (GET)  
/api/repositories/{repo\_name}/ (GET, PUT, DELETE)  
/api/repositories/{repo\_name}/tags (GET)  
/api/repositories/{repo\_name}/tags/{tag}/manifest?version={version} (GET)  
/api/repositories/{repo\_name/{tag}/labels (GET)  
/api/projects?project\_name={name} (HEAD)  
/api/projects/{project\_id}/summary (GET)  
/api/projects/{project\_id}/logs (GET)  
/api/projects/{project\_id} (GET, PUT, DELETE)  
/api/projects/{project\_id}/metadatas (GET, POST)  
/api/projects/{project\_id}/metadatas/{metadata\_name} (GET, PUT)

**Known Attack Vectors**

Successful exploitation of this issue will lead to bad actors identifying which resources exist in Harbor without requiring authentication for the Harbor API.

**Patches**

If your product uses the affected releases of Harbor, update to version 1.10.3 or 2.0.1 to patch this issue immediately.

https://github.com/goharbor/harbor/releases/tag/v1.10.3  
https://github.com/goharbor/harbor/releases/tag/v2.0.1

**Workarounds**

There is no known workaround

**For more information**

If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io  
View our security policy at https://github.com/goharbor/harbor/security/policy

CVE-2019-19030: Unauthenticated users can exploit an enumeration vulnerability in Harbor (CVE-2019-19030)

US telecom providers have been infiltrated to a worrying level by an APT group. The advice is to use encrypted messaging.

A years-long infiltration into the systems of eight telecom giants, including AT&T and Verizon, allowed a state sponsored actor to steal vast amounts of data on where, when and who individuals have been communicating with.

Speaking to Reuters, a senior US official said the attack telecommunications infrastructure was broad and that the hacking was still ongoing.

The state-sponsored actor behind the attack is an Advanced Persistent Threat (APT) group known as Salt Typhoon, believed to be tied to the People’s Republic of China (PRC).

Sophisticated state-sponsored campaigns from China are constantly targeting network appliances and devices. Among the culprits are four major APT groups: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant. Volt Typhoon made headlines earlier this year when the FBI removed their malware from hundreds of routers across the US.

The infrastructure that the US government relies to communicate on is made up of the same private sector systems that everybody else uses. By abusing their components that make up part of the infrastructure, the Chinese are said to have been able to eavesdrop on political and industrial leaders in multiple countries.

Speaking to Reuters, the official said they believed a “large number” of American’s metadata was taken. When asked if that might include every Americans’ phone records, they said:

> “We do not believe it’s every cell phone in the country, but we believe it’s potentially a large number of individuals that the Chinese government was focused on.”

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have been investigating the incident since late spring, but admitted that there are still many unanswered questions, including the extent of the breach itself.

They have been working with the telecom companies to remove the intruders, but the companies have not been able to fully remove the hackers from their systems.

Anne Neuberger, the US deputy national security adviser for cyber and emerging technologies stated the “Chinese access was broad in terms of potential access to communications of everyday Americans” but she said the hackers only targeted prominent individuals.

According to NBC news, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at CISA– both recommended using encrypted messaging apps to Americans who want to minimize the chances of China’s intercepting their communications.

If you plan to follow that advice, but are new to encrypted messaging, make sure to use an app that offers E2EE (End-to-end encryption). What that means is only the person sending it and the person receiving it can read it.

To achieve this, a message gets encrypted on your device before it is sent out. During transit the message remains encrypted the entire time it is moving across the internet.  Only when the message reaches the recipient’s device can it be decrypted and read.

You don’t need an expensive app to achieve this. Several popular messaging apps and services support end-to-end encryption, such as WhatsApp, Signal, iMessage, Wire, and Telegram.

The FBI official added:

> “People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant multi-factor authentication for email, social media, and collaboration tool accounts.”

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Americans urged to use encrypted messaging after large, ongoing cyberattack 

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

**Description**

Improperly handeling username and password . And unable to detect the hostname .

**Proof of Concept**

url-parse not able verify basic authentication credential and also wrongly verifying hostname .This allow to bypass hostname validation .  
Lets username is `admin` and password is `password123@` and hostname is `127.0.0.1` .  
so the url will be `http://admin:password123@@127.0.0.1` .  
And there is blacklist check for domain `127.0.0.1` and every request to `127.0.0.1` will be blocked .\\

Now lets use url-parse

    // PoC.js
     var parse = require('url-parse')
    var cc=parse("http://admin:password123@@127.0.0.1")
    

**result**

    { slashes: true,
      protocol: 'http:',
      hash: '',
      query: '',
      pathname: '/',
      auth: 'admin:password123',
      host: '@127.0.0.1',
      port: '',
      hostname: '@127.0.0.1',
      password: 'password123',
      username: 'admin',
      origin: 'http://@127.0.0.1',
      href: 'http://admin:password123@@127.0.0.1/' }
    

Here see its incorrretly detecting `auth` ,`origin`,`password` and `hostname` .  
Here hostname check `cc.hostname` is `@127.0.0.1` and also `cc.origin` is `http://@127.0.0.1` which will clearly bypass above `127.0.0.1` blacklist check .  
Now if you use `cc.href` to fetch url then it will fetch `127.0.0.1` .

**Impact**

Bypass hostname check

**Occurrences**

CVE-2022-0512: Authorization Bypass Through User-Controlled Key in url-parse

**Description**

Improperly handeling username and password . And unable to detect the hostname .

**Proof of Concept**

url-parse not able verify basic authentication credential and also wrongly verifying hostname .This allow to bypass hostname validation .  
Lets username is admin and password is password123@ and hostname is 127.0.0.1 .  
so the url will be http://admin:password123@@127.0.0.1 .  
And there is blacklist check for domain 127.0.0.1 and every request to 127.0.0.1 will be blocked .\\

Now lets use url-parse

    // PoC.js
     var parse = require('url-parse')
    var cc=parse("http://admin:password123@@127.0.0.1")
    

**result**

    { slashes: true,
      protocol: 'http:',
      hash: '',
      query: '',
      pathname: '/',
      auth: 'admin:password123',
      host: '@127.0.0.1',
      port: '',
      hostname: '@127.0.0.1',
      password: 'password123',
      username: 'admin',
      origin: 'http://@127.0.0.1',
      href: 'http://admin:password123@@127.0.0.1/' }
    

Here see its incorrretly detecting auth ,origin,password and hostname .  
Here hostname check cc.hostname is @127.0.0.1 and also cc.origin is http://@127.0.0.1 which will clearly bypass above 127.0.0.1 blacklist check .  
Now if you use cc.href to fetch url then it will fetch 127.0.0.1 .

**Impact**

Bypass hostname check

**Occurrences**

The undocumented migrant community in the United States is using social networks and other digital platforms to send alerts about raids and the presence of immigration agents around the US.

The Coalition for Humane Immigrant Rights of Los Angeles (Chirla) estimates that in recent days, around 300 migrants have been detained in California as part of raids carried out by Immigration and Customs Enforcement (ICE), in compliance with an order issued by the Trump administration.

This figure is based on collaborative reports compiled by the Rapid Response Network, an alliance comprised of dozens of organizations that provide support to migrants and disseminate information about immigration detentions and operations.

Angelica Salas, director of Chirla, described the raids as a phenomenon “never seen before” in the three decades she has been defending migrant communities, according to statements reported by The Los Angeles Times.

Jorge Mario Cabrera, spokesman for the same organization, told the EFE news agency that most of the detainees are not criminals, “as the US government has tried to portray them.” He indicated that most of those arrested are workers from Los Angeles, although arrests have also been documented in other parts of the state.

In the midst of intense protests against Trump's immigration policies, these operations are expected to continue in Los Angeles for at least 30 days, according to US representative Nanette Barragan, citing data provided by the White House. Likewise, an escalation of these actions is anticipated nationwide, after the administration announced its goal of making up to 3,000 arrests per day.

Several migrant-rights organizations have warned about possible violations of due process of people targeted by ICE. They have denounced ICE for restricting access to detainees on multiple occasions, which could limit their right to adequate legal representation.

**Watching ICE**

This situation has generated concern among the undocumented population, most of whom are of Hispanic origin, which has intensified the use of social networks to alert people about the presence of immigration agents in different regions of the US.

In a search conducted by the WIRED en Español team, several groups and pages were identified on digital platforms dedicated to receiving, verifying, and disseminating reports about ICE checkpoints, patrols, and raids. The origin of these profiles is diverse: Some are managed by well-known nongovernmental organizations and activist collectives, while others were created by private members of the migrant community.

The family of a man apprehended by ICE agents demands that the victim be returned.

Genaro Molina/Los Angeles Times via Getty Images

Alerts about operations are disseminated through direct messages, WhatsApp, or posts on each page's feed. In turn, it is possible to anonymously report the presence of immigration agents through private text messages or calls to specific phone numbers.

In general, users are asked for basic data such as time, date, city, state, and exact location of the operation, as well as photographs or videos when it is possible to document them. In addition to issuing real-time alerts, many of these pages offer free legal guidance, not only on migration issues, but also on labor rights, access to health, education, and other key services.

Some of the networks active in this work include:

Union del Barrio California

This grassroots pro-immigrant organization maintains an active presence on Facebook. It conducts community patrols to detect ICE movement, shares urgent alerts, and organizes workshops on legal rights.

Chirla

With constant activity on Facebook and other platforms, Chirla publishes notifications about raids, provides legal advice, and calls for citizen mobilizations in the face of new raids.

Stop ICE Raids Alert Network

This network distributes emergency alerts and offers assistance to people affected by ICE raids. In addition to its social network accounts, it has a web page that allows people to receive geolocalized notifications in real time.

Siembra NC

This organization operates primarily in North Carolina. Through its Facebook page, it promotes a whistleblower hotline (336-543-0353). Although its focus is on Alamance, Durham, Forsyth, Guilford, Orange, Wake, Randolph, and Rockingham counties, it has a statewide presence across North Carolina.

RadarSafe

This project uses the Common Alerting Protocol (CAP), a system for sending out digital emergency alerts, to provide secure information on immigration stops and operations. It also publishes community-submitted reports and verifies information with support from local residents.

Inmigración y Visas

Focused on immigration issues, this portal offers a WhatsApp channel where users can report raids, exchange experiences, and receive advice. It also shares informative content on its Facebook page and website.

SignalSafe

Adding to this assistance network is SignalSafe, an application created by a team of anonymous developers that provides real-time alerts on ICE activity. Through collaborative reporting, the app maps sightings of federal agents and unidentified vehicles, allowing migrants to avoid potential checkpoints.

Since Trump's return to the presidency, SignalSafe has gained widespread popularity. The tool allows the integration of various filters based on the user's location, type of activity by immigration authorities, and time range.

This platform is fed by citizen reports, which are verified by a group of specialized moderators. The system is bilingual, with support for Spanish and English, and has advanced security protocols to help protect user privacy.

**Key Access**

Given the growing number of raids in the United States and the lack of certainty about the safety of those detained in these operations, examples such as the above show that some sectors of the citizenry seem to have taken an active role in digital spaces against the implementation of immigration policies.

In this context, the widespread use of social networks among the migrant community has turned these platforms into key tools within the resistance movement. According to data from the International Organization for Migration, by 2023, 64 percent of migrants in transit through Central America, Mexico, and the Dominican Republic—mostly bound for the United States—had access to a smartphone and internet connection during their journey. Of these, 47 percent of men and 35 percent of women used these devices to access social networks.

_This story was originally published on_ WIRED _en Español_ _and has been translated from Spanish._

Social Media Is Now a DIY Alert System for ICE Raids

Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.

ModSecurity is an open-source Web Application Firewall (WAF) engine maintained by Trustwave. This blog post discusses an issue with four transformation actions that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in v3.0.10. ModSecurity v2 is not affected. 

**Vulnerability Details**

Included in ModSecurity functionality are dozens of transformation actions which support altering the representation of values so that further processing can be done on the modified values. This may be either more convenient to work with, or less prone to rule evasion.

The ModSecurity team was recently alerted to a possible DoS issue in four of these transformations in ModSecurity v3. Thanks to the reporter for the investigation and for responsibly disclosing the issue. The affected transformations are: removeWhitespace, removeNull, replaceNull, and removeCommentsChar.

The affected transformations were functionally correct. However, the implemented solutions would be inefficient if a malicious user were to submit a specially crafted HTTP request that triggered worst-case performance.

The most dramatic delays can typically be prevented through common configuration items such as SecRequestBodyNoFilesLimit with the default value of 131072 suggested in modsecurity.conf-recommended. However, even with this limit in place, a dozen or more executions of these transformations could result in multiple seconds of delay for a single HTTP transaction. If a large enough number of such malicious requests are running simultaneously, this could render the webserver unable to respond to legitimate requests in a timely manner.

**Mitigation**

For installations where immediate upgrade to the new version of the software is impractical, some mitigation possibilities are available.

The nature of the issue results in large values causing a much greater effect on resources than numerous smaller values. A separate ModSecurity rule could be included to limit the size of each value to be processed, but still allow legitimate content to be processed unimpeded. For example, if there are many rules with the affected transformations executing against the ARGS collection, a rule such as the following could be included before other phase 2 rules:

SecRule ARGS "@gt 16000" "id:1,phase:2,t:length,deny,status:403,msg:’ARG exceeds length limit'"

Optionally, combined with further reducing the configured value for SecRequestBodyNoFilesLimit, potential delays precipitated by worst-case input can be significantly reduced.

CVE-2023-38285: ModSecurity v3: DoS Vulnerability in Four Transformations (CVE-2023-38285)

The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.11 performs a capability check in an incorrect namespace, which allows local users to gain privileges via PID spoofing.

CVE-2013-4300

An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.

1.  Homepage
2.  404 Error

**The page you have requested cannot be found. The page you are trying to access may have been removed, had its name changed, or is temporarily unavailable. If you typed the address, please verify that the spelling is correct. Please use the following pages to find the information you need:**

*   ![Advanced Search](https://www.zyxel.com/library/assets/404_page/Advanced_search.png)
    
    Advanced  
    Search
    
*   ![Homepage](https://www.zyxel.com/library/assets/404_page/Homepage.png)
    
    Homepage
    
*   ![Contact Us](https://www.zyxel.com/library/assets/404_page/Contact_Us.png)
    
    Contact Us
    
*   ![Support](https://www.zyxel.com/library/assets/404_page/Support.png)
    
    Support

CVE-2022-0342: 404 Error | Zyxel

Sengled Dimmer Switch V0.0.9 contains a denial of service (DOS) vulnerability, which allows a remote attacker to send malicious Zigbee messages to a vulnerable device and cause crashes. After receiving the malicious command, the device will keep reporting its status and finally drain its battery after receiving the 'Set_short_poll_interval' command.

Sengled is a smart lighting expert that puts the power of lighting at your fingertips.  
Industry recognition from major publications, 16 Innovation Awards, and more than 1,100 global patents.

Easy. Versatile. Brilliant.

3 WAYS TO CONNECT

Whether you are a new user, already have Sengled products, or prefer one  
wireless protocol over another, we offer 3 great options.  
Click one of the connection types below to learn more.

VOICE OF OUR CUSTOMERS

Easy to Install on Alexa and works great

— TurtleRunner - Ohio

Excellent product & company

— LindaK - New York

Best Buy For The Price

— Ronald - US

Search

lenovo warranty check/lookup | check warranty status | lenovo support us