Farmacia Gama version 1.0 suffers from an insecure direct object reference vulnerability.

**Farmacia Gama 1.0 Insecure Direct Object Reference**

Posted Aug 12, 2024

Authored by indoushka

Farmacia Gama version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 03b0ac64f0e5daeb38f4901ddbe680af2e5d9a8749a1b826aadf371e13ec4f05

Download | Favorite | View

**Farmacia Gama 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : Farmacia Gama v1.0 IDOR Vulnerability                                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Farmacia_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : allows users to access the administrative interface.[+] use payload : /main.php[+] http://127.0.0.1/farmacia-master/main.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,349)
*   Arbitrary (16,870)
*   BBS (2,859)
*   Bypass (1,861)
*   CGI (1,033)
*   Code Execution (7,810)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,390)
*   DoS (25,071)
*   Encryption (2,389)
*   Exploit (53,180)
*   File Inclusion (4,262)
*   File Upload (994)
*   Firewall (822)
*   Info Disclosure (2,890)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (896)
*   Kernel (7,202)
*   Local (14,795)
*   Magazine (586)
*   Overflow (13,169)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,393)
*   Protocol (3,724)
*   Python (1,640)
*   Remote (31,655)
*   Root (3,635)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,027)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,276)
*   SQL Injection (16,609)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,967)
*   Web (9,963)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,250)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,096)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,707)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,485)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,737)
*   UNIX (9,435)
*   UnixWare (187)
*   Windows (6,672)
*   Other

Farmacia Gama 1.0 Insecure Direct Object Reference

Employee Management System version 1.0 suffers from an ignored default credential vulnerability.

**Employee Management System 1.0 Insecure Settings**

Posted Aug 12, 2024

Authored by indoushka

Employee Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4c729820d6c74d0d245f5de6b7ade8e4cebaa60f462a3e7bd0e326402db59bf4

Download | Favorite | View

**Employee Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Employee Management System v1.0 Insecure Settings Vulnerability                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16999/employee-management-system.html                                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,349)
*   Arbitrary (16,870)
*   BBS (2,859)
*   Bypass (1,861)
*   CGI (1,033)
*   Code Execution (7,810)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,390)
*   DoS (25,071)
*   Encryption (2,389)
*   Exploit (53,180)
*   File Inclusion (4,262)
*   File Upload (994)
*   Firewall (822)
*   Info Disclosure (2,890)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (896)
*   Kernel (7,202)
*   Local (14,795)
*   Magazine (586)
*   Overflow (13,169)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,393)
*   Protocol (3,724)
*   Python (1,640)
*   Remote (31,655)
*   Root (3,635)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,027)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,276)
*   SQL Injection (16,609)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,967)
*   Web (9,963)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,250)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,096)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,707)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,485)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,737)
*   UNIX (9,435)
*   UnixWare (187)
*   Windows (6,672)
*   Other

Employee Management System 1.0 Insecure Settings

Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libde265: Multiple Vulnerabilities  
     Date: August 10, 2024  
     Bugs: #813486, #889876  
       ID: 202408-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in libde265, the worst of  
which could lead to arbitrary code execution.

Background  
==========

Open h.265 video codec implementation.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
media-libs/libde265  < 1.0.11      >= 1.0.11

Description  
===========

Multiple vulnerabilities have been discovered in libde265. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libde265 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libde265-1.0.11"

References  
==========

[ 1 ] CVE-2020-21594  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21594  
[ 2 ] CVE-2020-21595  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21595  
[ 3 ] CVE-2020-21596  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21596  
[ 4 ] CVE-2020-21597  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21597  
[ 5 ] CVE-2020-21598  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21598  
[ 6 ] CVE-2020-21599  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21599  
[ 7 ] CVE-2020-21600  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21600  
[ 8 ] CVE-2020-21601  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21601  
[ 9 ] CVE-2020-21602  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21602  
[ 10 ] CVE-2020-21603  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21603  
[ 11 ] CVE-2020-21604  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21604  
[ 12 ] CVE-2020-21605  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21605  
[ 13 ] CVE-2020-21606  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21606  
[ 14 ] CVE-2021-35452  
      https://nvd.nist.gov/vuln/detail/CVE-2021-35452  
[ 15 ] CVE-2021-36408  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36408  
[ 16 ] CVE-2021-36409  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36409  
[ 17 ] CVE-2021-36410  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36410  
[ 18 ] CVE-2021-36411  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36411  
[ 19 ] CVE-2022-1253  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1253  
[ 20 ] CVE-2022-43235  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43235  
[ 21 ] CVE-2022-43236  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43236  
[ 22 ] CVE-2022-43237  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43237  
[ 23 ] CVE-2022-43238  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43238  
[ 24 ] CVE-2022-43239  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43239  
[ 25 ] CVE-2022-43240  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43240  
[ 26 ] CVE-2022-43241  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43241  
[ 27 ] CVE-2022-43242  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43242  
[ 28 ] CVE-2022-43243  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43243  
[ 29 ] CVE-2022-43244  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43244  
[ 30 ] CVE-2022-43245  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43245  
[ 31 ] CVE-2022-43248  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43248  
[ 32 ] CVE-2022-43249  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43249  
[ 33 ] CVE-2022-43250  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43250  
[ 34 ] CVE-2022-43252  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43252  
[ 35 ] CVE-2022-43253  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43253  
[ 36 ] CVE-2022-47655  
      https://nvd.nist.gov/vuln/detail/CVE-2022-47655  
[ 37 ] CVE-2022-47664  
      https://nvd.nist.gov/vuln/detail/CVE-2022-47664  
[ 38 ] CVE-2022-47665  
      https://nvd.nist.gov/vuln/detail/CVE-2022-47665  
[ 39 ] CVE-2023-24751  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24751  
[ 40 ] CVE-2023-24752  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24752  
[ 41 ] CVE-2023-24754  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24754  
[ 42 ] CVE-2023-24755  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24755  
[ 43 ] CVE-2023-24756  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24756  
[ 44 ] CVE-2023-24757  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24757  
[ 45 ] CVE-2023-24758  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24758  
[ 46 ] CVE-2023-25221  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25221

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-20

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-20

In 2023, no fewer than 94 percent of businesses were impacted by phishing attacks, a 40 percent increase compared to the previous year, according to research from Egress.
What's behind the surge in phishing? One popular answer is AI – particularly generative AI, which has made it trivially easier for threat actors to craft content that they can use in phishing campaigns, like malicious emails

In 2023, no fewer than 94 percent of businesses were impacted by phishing attacks, a 40 percent increase compared to the previous year, according to research from Egress.

What's behind the surge in phishing? One popular answer is AI – particularly generative AI, which has made it trivially easier for threat actors to craft content that they can use in phishing campaigns, like malicious emails and, in more sophisticated cases, deepfake videos. In addition, AI can help write the malware that threat actors often plant on their victims' computers and servers as part of phishing campaigns.

Phishing as a Service, or PhaaS, is another development sometimes cited to explain why phishing threats are at an all-time high. By allowing malicious parties to hire skilled attackers to carry out phishing campaigns for them, PhaaS makes it easy for anyone with a grudge – or a desire to exfiltrate some money from unsuspecting victims – to launch phishing attacks.

**Phishing has become agile**

A true understanding of what's behind the surge in phishing requires an analysis of how threat actors are using AI and PhaaS to operate in new ways – specifically, by responding more quickly to changing events.

In the past, the time and effort required to create phishing content manually (as opposed to using generative AI) made it challenging for threat actors to capitalize on unexpected events in order to launch high-impact campaigns. Likewise, without PhaaS solutions, groups that wanted to target an organization with phishing often didn't have a quick and easy way of getting an attack underway. Recent developments, however, suggest that this is changing.

> See trending phishing and impersonation TTPs in The Phishing & Impersonation Protection Handbook

**Phishing Attacks Targeting Evolving Events**

Phishing has a habit of latching on to current events in the world to take advantage of excitement or fear surrounding these events. This is especially true when it comes to evolving events, such as the CrowdStrike "Blue Screen of Death" (BSOD).

**Phishing in the wake of the CrowdStrike BSOD**

CrowdStrike, the cybersecurity vendor, issued a buggy update on July 19 that rendered Windows machines unable to boot properly and left users staring into the infamous Blue Screen of Death (BSOD).

CrowdStrike fixed the problem relatively quickly – but not before threat actors had begun launching phishing campaigns designed to take advantage of individuals and businesses seeking a resolution to the failure. Within the first day following the CrowdStrike incident, Cyberint detected 17 typo-squatting domains related to it. At least two of these domains were copying and sharing Crowdstrike's workaround fix in what was apparently an effort to solicit donations via PayPal. By following the breadcrumbs, Cyberint traced the donation page to a software engineer named Aliaksandr Skuratovich, who also posted the website on his LinkedIn page.

Efforts to profit by collecting donations for a fix that originated elsewhere were among the more mild efforts to take advantage of the CrowdStrike incident. Other typosquatted domains claimed to offer a fix (which was available for free from CrowdStrike) in exchange for payments of up to 1,000 euros. The domains were taken down, but not before organizations fell victim to them. Cyberint's analysis shows that the crypto wallet linked to the scheme collected around 10,000 euros.

**Phishing Attacks Responding to Planned Events**

When it comes to planned events the attacks are often more diverse and detailed. Threat actors have more time to prepare than they do in the wake of unexpected events like the CrowdStrike outage.

**Phishing at the Olympics**

Phishing attacks related to the 2024 Olympics in Paris also showcased threat actors' ability to execute more effective campaigns by tying them to current events.

As one example of attacks in this category, Cyberint detected phishing emails claiming that recipients had won tickets to the Games and that, to collect the tickets, they needed to make a small payment to cover the delivery fee.

If recipients entered their financial information to pay the fee, however, the attackers used it to impersonate victims and make purchases using their accounts.

In another example of phishing linked to the Olympics, threat actors in March 2024 registered a professional-looking website claiming to offer tickets for sale. In actuality, it was a fraud.

Even though the site was not very old, and therefore did not have strong authority based on its history, it ranked near the top of Google searches, increasing the likelihood that people searching to purchase Olympics tickets online would fall for the ruse.

**Phishing and football**

Similar attacks played out during the UEFA Euro 2024 football championship, Most notably, threat actors launched fraudulent mobile apps that impersonated the UEFA, the sporting association that organized the event. Because the apps used the organization's official name and logo, it was presumably easy for some people to assume they were legitimate.

It's worth noting that these apps were not hosted in the app stores run by Apple or Google, which typically detect and take down malicious apps (although there's no guarantee they'll do so quickly enough to prevent abuse). They were available through unregulated third-party app stores, making them somewhat harder for consumers to find – but most mobile devices would have no controls in place to block the apps if a user were to browse to a third-party app store and try to download malicious software.

**Phishing and recurring events**

When it comes to recurring events, too, phishers know how to take advantage of situations to launch powerful attacks.

For instance, gift card fraud, non-payment scams and fake order receipts surge during the holiday season. So do phishing scams that attempt to lure victims into applying for fake seasonal jobs in a bid to collect their personal information.

The holidays create a perfect storm for phishing due to the rise in online shopping, attractive deals, and a flood of promotional emails. Scammers exploit these factors, leading to significant financial and reputational damage for businesses.

**When it comes to phishing, timing matters**

Unfortunately, AI and PhaaS have made phishing easier, and we should expect threat actors to continue adopting these sorts of strategies.

> See The Phishing & Impersonation Protection Handbook​ for strategies businesses and individuals can take.

Businesses can, however, anticipate spikes in attacks in response to specific developments or (in the case of recurring phishing campaigns) times of the year and take measures to mitigate the risk.

For example, they can educate employees and consumers to be extra cautious when responding to content associated with a current event.

While AI and PhaaS have made phishing easier, businesses and individuals can still defend against these threats. By understanding the tactics used by threat actors and implementing effective security measures, the risk of falling victim to phishing attacks can be reduced.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How Phishing Attacks Adapt Quickly to Capitalize on Current Events

After a good year of sustained exuberance, the hangover is finally here. It’s a gentle one (for now), as the market corrects the share price of the major players (like Nvidia, Microsoft, and Google), while other players reassess the market and adjust priorities. Gartner calls it the trough of disillusionment, when interest wanes and implementations fail to deliver the promised breakthroughs.

After a good year of sustained exuberance, the hangover is finally here. It's a gentle one (for now), as the market corrects the share price of the major players (like Nvidia, Microsoft, and Google), while other players reassess the market and adjust priorities. Gartner calls it the trough of disillusionment, when interest wanes and implementations fail to deliver the promised breakthroughs. Producers of the technology shake out or fail. Investment continues only if the surviving providers improve their products to the satisfaction of early adopters.

Let's be clear, this was always going to be the case: the post-human revolution promised by the AI cheerleaders was never a realistic goal, and the incredible excitement triggered by the early LLMs was not based on market success.

**AI is here to stay**

What's next for AI then? Well, if it follows the Gartner hype cycle, the deep crash is followed by the slope of enlightenment where the maturing technology regains its footing, benefits crystallize, and vendors bring second and third-generation products to market. And if all goes well, it's followed by the hallowed plateau of productivity, where mainstream adoption takes off driven by the technology's broad market appeal. Gartner insists that there are a couple of big ifs: not every technology is destined to recover after the crash and what's important is that the product finds its market fit fast enough.

Right now, it looks almost certain that AI is here to stay. Apple and Google are bringing consumer products to market that repackage the technology into smaller, digestible, easy-to-use chunks (photo editing, text editing, advanced search). While the quality is still very uneven, it looks as if at least some players have found a way to productize generative AI in a way that's meaningful – both for consumers and their own bottom line.

**What did the LLM ever do for us?**

OK, where does this leave enterprise customers – and cybersecurity applications in particular? The fact is that generative AI still has significant drawbacks that hinder its adoption at scale. One of these is the fundamentally non-deterministic nature of generative AI. Since the technology itself is based on probabilistic models (a feature, not a bug!), there will be a variance in output. This might scare some industry veterans who are expecting old-school software behaviors. It also means that generative AI will not be a drop-in replacement for existing tools – it's rather an enhancement and augmentation for existing tools. Still, it has the potential to perform as one layer of a multi-layered defense, one that's difficult to predict for attackers as well.

The other drawback causing adoption friction is cost. The models are very costly to train and this high cost is currently being passed on to the consumers of the models. Consequently, there is a lot of focus on bringing down the per-query cost. Hardware advancements, coupled with breakthrough results in refining the models promise significant decreases in energy use of running AI models, and there's a reasonable expectation that (at least text-based output) will turn into a profitable business.

Cheaper and more accurate models are great but there is also a growing realization that the task of integrating these models into organizational workflows will be a significant challenge. As a society, we don't yet have the experience to know how to efficiently integrate AI technologies into day-to-day work practices. There is also the question of how the existing human workforce will accept and work with the new technologies. For example, we have seen cases where human workers and customers prefer to interact with a model that favors explainability over accuracy. A March 2024 study by the Harvard Medical School found that the effect of AI assistance was inconsistent and varied across a test sample of radiologists, with the performance of some radiologists improving with AI and worsening in others. The recommendation is that while AI tools should be introduced to clinical practice a nuanced, personalized, and carefully calibrated approach must be taken to ensure optimal results for patients.

What about the market fit we mentioned earlier? While generative AI will (probably) never replace a programmer (no matter what some companies claim), AI-assisted code generation has become a useful prototyping tool for a variety of scenarios. This is already useful to cybersecurity specialists: generated code or configuration is a reasonable starting point to build out something quickly before refining it.

The huge caveat: the existing technology has the chance to speed up the work of a seasoned professional, who can quickly debug and fix the generated text (code or configuration). But it can be potentially disastrous for a user who is not a veteran of the field: there's always a chance that unsafe configuration or insecure code is generated, that, if it makes its way to production, would lower the cybersecurity stance of the organization. So, like any other tool, it can be useful if you know what you're doing, and can lead to negative outcomes if not.

Here we need to warn about one special characteristic of the current generation of generative AI tools: they sound deceptively confident when proclaiming the results. Even if the text is blatantly wrong, all current tools offer it in a self-assured manner that easily misleads novice users. So, keep in mind: the computer is lying about how sure it is, and sometimes it's very wrong.

Another effective use case is customer support, more specifically level 1 support – the ability to help customers who don't bother reading the manual or the posted FAQs. A modern chatbot can reasonably answer simple questions, and route more advanced queries to higher levels of support. While this is not exactly ideal from a customer experience standpoint, the cost savings (especially for very large organizations with a lot of untrained users) could be meaningful.

The uncertainty around how AI will integrate into businesses is a boon for the management consultant industry. For example, Boston Consulting Group now earns 20% of its revenue from AI-related projects while McKinsey expects 40% of their revenue to come from AI projects this year. Other consultancies like IBM and Accenture are also on board. The business projects are quite varied: making it easy to translate ads from one language to another, enhanced search for procurement when evaluating suppliers, and hardened customer service chatbots that avoid hallucination and include references to sources to enhance trustworthiness. Although only 200 of 5000 customer queries go via the Chatbot at ING, this can be expected to increase as the quality of the responses increases. Analogous to the evolution of internet search, one can imagine a tipping point to where it becomes a knee-jerk reaction to "ask the bot" rather than grub about in the data mire oneself.

**AI Governance must address cybersecurity concerns**

Independent of specific use cases, the new AI tools bring a whole new set of cybersecurity headaches. Like RPAs in the past, customer-facing chatbots need machine identities with appropriate, sometimes privileged access to corporate systems. For example, a chatbot might need to be able to identify the customer and pull some records from the CRM system – which should immediately raise alarms for IAM veterans. Setting accurate access controls around this experimental technology will be a key aspect of the implementation process.

The same is true for code generation tools used in Dev or DevOps processes: setting the correct access to the code repository will limit the blast radius in case something goes wrong. It also reduces the effect of a potential breach, in case the AI tool itself becomes a cybersecurity liability.

And of course, there's always the third-party risk: by bringing in such a powerful but little-understood tool, organizations are opening themselves up to adversaries probing the limits of LLM technology. The relative lack of maturity here could be problematic: we don't yet have best practices for hardening LLMs, so we need to make sure they don't have writing privileges in sensitive places.

**The opportunities for AI in IAM**

At this point, use cases and opportunities for AI in access control and IAM are taking shape and being delivered to customers in products. Traditional areas of classical ML like role mining and entitlement recommendations are being revisited in the light of modern methods and UIs with role creation and evolution being more tightly woven into out-of-the-box governance workflows and UIs. More recent AI-inspired innovations such as peer group analysis, decision recommendations, and behavior-driven governance are becoming par for the course in the world of Identity Governance. Customers now expect enforcement point technologies like SSO Access Management systems and Privileged Account Management systems to offer AI-powered anomaly and threat detection based on user behavior and sessions.

Natural language interfaces are beginning to greatly improve UX across all these categories of IAM solution by allowing interactive natural language exchanges with the system. We still need static reports and dashboards but the ability for persons with different responsibilities and needs to express themselves in natural language and refine the search results interactively lowers the skills and training needed to ensure that organizations realize value from these systems.

**This is the end of the beginning**

One thing is certain: whatever the state of AI technology in mid-2024, it's not going to be the end of this field. Generative AI and LLMs are just one sub-field of AI, with multiple other AI-related fields making rapid progress thanks to advances in hardware and generous government and private research funding.

Whatever shape mature, enterprise-ready AI will take, security veterans already need to consider the potential benefits generative AI can bring to their defensive posture, what these tools can do to punch holes through the existing defenses, and how can we contain the blast radius if the experiment goes wrong.

**Note:** _This expertly written article is contributed by Robert Byrne, Field Strategist at One Identity. Rob has over 15 years of experience in IT, holding various roles such as development, consulting, and technical sales. His career has predominantly focused on identity management. Before joining Quest, Rob worked with Oracle and Sun Microsystems. He holds a Bachelor of Science degree in mathematics and computing._

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The AI Hangover is Here – The End of the Beginning 

Allan “dwangoAC” has made it his mission to expose speedrunning phonies. At the Defcon hacker conference, he’ll challenge one record that's stood for 15 years.

Speedrunning video games, the competitive field of playing through digital games as quickly as possible, has in recent years been elevated into something between a virtuosic form of fingers-and-thumbs athletics and a highly technical science. The best speedruns reduce epic games meant to take dozens of hours to single-digit minutes through a combination of exploiting glitch-enabled shortcuts and inhuman skill.

A little too inhuman, in some cases. Speedrunning, it turns out, is plagued with fake records set by cheaters who splice together video clips to falsify evidence or use rule-breaking software to gain unfair advantages. One speedrunner and hacker named Allan Cecil has made it his personal mission to catch them.

In a talk at the Defcon hacker conference in Las Vegas today, the details of which WIRED reviewed in advance, Cecil plans to present what he alleges is evidence that a speedrunning record for the 1996 PC game _Diablo_, which has stood for more than 15 years and holds a spot in the _Guinness Book of World Records_, was in fact the result of rule-breaking techniques that should disqualify it. If Cecil and the team of investigators who have worked with him over recent months succeed at tearing down that seemingly untouchable benchmark, it will be the third such high-profile speedrun that he'll have helped to debunk, and the second in just the last year.

Cecil, who is better known in the gaming world by his handle dwangoAC, came into this strange role as a speedrun debunker from an equally niche hobby: He's known as an expert practitioner of so-called “tool-assisted speedruns,” using emulator software to run a game in a controlled environment to find the limits of what that game’s speedrun can be—an area of speedrunning that some purists once considered, itself, to be a kind of cheating. Cecil maintains instead that those tool-assisted speedruns, in which players meticulously rewind, replay, hone, and perfect their runs frame by frame, can be its own valid form of competition, or even art.

Cecil says he arrived at his fixation with catching cheaters in part out of a determination to protect this lesser-known field of speedrunning from those who would surreptitiously use the same tools in deceptive ways, essentially turning tool-assisted speedruns into a kind of speedrun doping, rather than an honest avocation. “Making a tool-assisted speedrun is a transformative work of art that humans laboriously spend months on, or even years,” says Cecil. “But you definitely do _not_ use tool-assisted speedrun techniques and then try to pretend that it was just human effort. And seeing people do that pisses me off.”

As a staff member at the tool-assisted speedrun website TASvideos.org and an organizer of many epic speedrunning feats—such as one that famously used coding glitches in the Zelda game _Ocarina of Time_ to rewrite the game's ending—Cecil has become a fixture of the speedrunning world. He's also the creator of TASBot, a robot that connects to the controller ports of video game consoles to reproduce controller inputs, so that recorded speedruns can be replayed and verified on original gaming hardware, a spectacle that gamers love so much that livestreams featuring the robot have raised $1.5 million in donations to charitable causes, according to Cecil’s count.

In recent years, however, Cecil has taken his obsession with tool-assisted speedrunning in a different direction: He's turned it into a means to catch the cheaters that threaten his pastime's legitimacy. If he can show that even a polished tool-assisted speedrun in a certain game isn't as fast as a purported human record—as he's done in all three records he's attempted to debunk—that demonstration can serve as the first step in suggesting that a record was likely falsified. He's found, too, that the process of creating that tool-assisted run often produces new revelations about what's possible—or impossible—in an unassisted human attempt.

TASbot wearing Cecil’s Defcon speaker badge.Photograph: Roger Kisby

Cecil's latest record-busting effort may be the most controversial one he's undertaken yet. At Defcon, he'll present evidence that he alleges should disqualify the record of Maciej “groobo” Maselewski, a Polish speedrunner who holds the Guinness record for not only the fastest _Diablo_ speedrun but also the fastest role-playing game speedrun of any kind. Maselewski's _Diablo_ run, 3 minutes and 12 seconds long, has withstood all challengers since 2009.

Cecil says his suspicions that Maselewski had broken speedrunning rules were first triggered when he and another speedrunner, Matthew “funkmastermp” Petroff, set out to make a tool-assisted speedrun for _Diablo_ in January. They quickly came to the conclusion they'd never match Maselewski's 3-minute, 12-second time, no matter how much they perfected their run or how lucky they got in the game's randomized dungeon layouts. That led them to assemble a team of investigators who ultimately found what they believe to be a long list of inconsistencies in software versions and items, missing frames, and other signs of potential tampering in the video of Maselewski's run, all of which they've assembled in a detailed document posted to Cecil's website. “No one could get anywhere close to that time. Now we know why,” Cecil says. “The answer seemed to be that groobo had cheated in many, many ways.”

Maselewski, when WIRED reached him for a response, immediately denied any such foul play. In an email, he pointed to the fact that his run was always understood to be “segmented"—essentially edited together, level by level, a commonly accepted category of speedrun. “It was never passed off as anything else,” Maselewski writes. “Hearing that there has been a team of researchers working on this is wild.” In a subsequent text exchange with Cecil and his collaborators that Cecil shared with WIRED, Maselewski described the attempt to debunk his record as a “witch hunt.”

Maselewski's simple explanation that the speedrun was segmented, however, isn't enough, Cecil argues. He claims that some dungeon layouts in Maselewski's run couldn't be generated even in a single segment of a run without altering the game's data, and in one case, a crucial item conveniently appears that defies the game's logic—Naj's Puzzler, a staff that allows the player to teleport across distances—and alleges a piece of performance-enhancing software known as a “trainer” must have been used, all of which could disqualify Maselewski's run. (Maselewski did not immediately respond to WIRED’s follow-up question specifically about Cecil’s allegation that he had used a trainer.)

The night before Cecil's Defcon talk, Maselewski wrote in a final email to WIRED that he believes those alleging that he cheated are using faulty tools with an incomplete picture of _Diablo_'s complexities. “Dwango is out to tell a story. Did I cheat? No,” Maselewski writes. “But what is true or not does not matter at this point, because the wonder of exploration has already overstayed its welcome for a small group of people, and the script has already been written.”

When WIRED reached out to the _Guinness Book of World Records_ to ask if it would take down Maselewski's record, a spokesperson responded noncommittally that “we value any feedback on our record titles and are committed to maintaining the highest standards of accuracy.” An administrator for Speed Demos Archive or SDA, another speedrun record-keeping website where Maselewski holds a similar _Diablo_ record, seemed to be more persuaded by Cecil's evidence. That administrator, who goes by the handle “ktwo” and asked that WIRED not include their real name, says that SDA hasn't officially reached a verdict and is still waiting to hear Maselewski's explanation.

Things are not looking good for groobo, however. “To be clear, we have made a preliminary decision, based on the available information,” ktwo writes “The staff agrees that the analysis raises questions about the validity of the run that need to be addressed, or else the run will be unpublished from SDA. The admin team is currently discussing these questions with the runner. Once that discussion has concluded, a final decision will be made.”

Cecil's involvement in investigating gaming records began in 2017, when the speedrunner Eric “Omnigamer” Koziel, who was writing a book about speedrunning, began re-examining a record set by Todd Rogers for the Atari 2600 racing game _Dragster_. Rogers' record time, 5.51 seconds, had persisted for a remarkable 35 years. But when Koziel reverse engineered Dragster's code to try to understand how Rogers had achieved that time, he found that tricks Rogers said he'd used—such as starting the game in second gear—wouldn't have provided the advantage Rogers claimed.

“The goal was never to point to someone and say, ‘Hey, they're cheating,’” says Koziel. “It was to try to find the truth.”

Cecil, who knew Koziel from the speedrun community, offered to help develop a tool-assisted speedrun they could replay via TASBot on a real Atari 2600 to show that, even on that original hardware, Rogers' record was impossible. They found that TASBot's theoretically perfect performance was 5.57 seconds, slower than Rogers' alleged time. Despite Rogers’ objections, his three-and-a-half-decade-old record was erased from the annals of the gaming records keeper Twin Galaxies—along with all his other records on the site—and Guinness stripped his world record for “longest-standing video game record.”

"Although I disagree with their decision, I must applaud them for their strong stance on the matter of cheating," Rogers wrote in a lengthy public Facebook post responding to the Twin Galaxies decision.

After a seven year hiatus in which he was mostly focused on TASBot projects, Cecil found himself involved in investigating another legendary speedrun earlier this year when a group of gamers made it their goal to beat every level of _Super Mario Maker_. That Wii U game, released in 2015, allowed users to upload their own levels of the game for others to play—if they could prove that the level was beatable by recording a video of themselves finishing it. Yet one such level, called “Trimming the Herbs,” appeared to be impossible. For years, no one but its creator had been able to complete it.

In an effort to help this group of _Super Mario Maker_\-obsessed gamers, Cecil offered to develop a tool-assisted speedrun for the level. He found that it was nearly impossible to clear it reliably, in part due to variances in the Bluetooth communications between the Wii U and its controllers. In that case, the level's creator came forward in the midst of the investigation and confessed he'd beaten the level by altering the internal hardware of his Wii U gamepad—a trick he intended as a kind of friendly prank but had never publicly explained.

In his new attempt to debunk Maselewski's _Diablo_ record, Cecil doesn't expect any such amicable agreement on the facts—or a confession. But he's confident that he and the researchers who've worked with him can remove Maselewski's record and make room for speedrunners to approach the game again. To Cecil’s surprise, they found just in recent days that they _could_, in fact, beat Maselewski's record with a tool-assisted speedrun—thanks to new _Diablo_ techniques they found in their investigation—finishing the game in 2 minutes and 45 seconds without using any of his alleged rule-breaking alterations. Meanwhile, Cecil says _Diablo_ speedrunner “xavier\_sb” has completed a run of the game in just over 4 minutes and 40 seconds, which would stand as the new record if Maselewski's is expunged.

Cecil says this shows, already, how the “chilling effect” of what he alleges to be an impossible record is lifting. “People had just stopped trying, because there wasn't any point,” Cecil says. Now the _Diablo_ speedrunning race is on, once again.

Cecil says he hopes that his work to keep speedrunners honest will not only help traditional speedrunning to thrive, but fuel the tool-assisted kind that he has helped pioneer, too. The key, he maintains, will be drawing a clear line between those who use software tools to play games with inhuman precision as an honest art form, and those who use them for deception. “Both the jerk and the jester bend the established rules. We despise the vileness of the jerk and delight in the shenanigans of the jester,” Cecil says. “But one thing has held true: No one likes a cheat.”

The Hacker Who Hunts Video Game Speedrunning Cheaters

On the hunt for corporate devices being sold secondhand, a researcher found a trove of Apple corporate data, a Mac Mini from the Foxconn assembly line, an iPhone 14 prototype, and more.

It's probably been a while since anyone thought about Apple's router and network storage combo called Time Capsule. Released in 2008 and discontinued in 2018, the product has mostly receded into the sands of gadget time. So when independent security researcher Matthew Bryant recently bought a Time Capsule from the United Kingdom on eBay for $38 (plus more than $40 to ship it to the United States), he thought he would just be getting one of the stalwart white monoliths at the end of its earthly journey. Instead he stumbled on something he didn't expect: a trove of data that appeared to be a copy of the main backup server for all European Apple Stores during the 2010s. The information included service tickets, employee bank account data, internal company documentation, and emails.

“It had everything you can possibly imagine,” Bryant tells WIRED. “Files had been deleted off the drive, but when I did the forensics on it, it was definitely not empty.”

Bryant hadn't stumbled on the Time Capsule completely by accident. At the Defcon security conference in Las Vegas on Saturday, he's presenting findings from a months-long project in which he scraped secondhand electronics listings from sites like eBay, Facebook Marketplace, and China's Xianyu, and then ran computer vision analysis on them in an attempt to detect devices that were once part of corporate IT fleets.

Bryant realized that the sellers hawking office devices, prototypes, and manufacturing equipment often weren't aware of their products' significance, so he couldn't comb tags or descriptions to find enterprise gems. Instead, he devised an optical character recognition processing cluster by chaining together a dozen dilapidated second-generation iPhone SEs and harnessing Apple's Live Text optical character-recognition feature to find possible inventory tags, barcodes, or other corporate labels in listing photos. The system monitored for new listings, and if it turned up a possible hit, Bryant would get an alert so he could assess the device photos himself.

In the case of the Time Capsule, the listing photos showed a label on the bottom of the device that said “Property of Apple Computer, Expensed Equipment.” After he evaluated the Time Capsule's contents, Bryant notified Apple about his findings, and the company's London security office eventually asked him to ship the Time Capsule back. Apple did not immediately return a request from WIRED for comment about Bryant's research.

“The main company in the talk for proofs of concept is Apple, because I view them as the most mature hardware company out there. They have all their hardware specially counted, and they really care about the security of their operations quite a bit,” Bryant says. “But with any Fortune 500 company, it’s basically a guarantee that their stuff will end up on sites like eBay and other secondhand markets eventually. I can’t think of any company where I haven’t seen at least some piece of equipment and got an alert on it from my system.”

Another alert from his search system led Bryant to purchase a prototype iPhone 14 intended for developer use internally at Apple. Such iPhones are coveted by both bad actors and security researchers because they often run special versions of iOS that are less locked down than the consumer product and include debugging functionality that's invaluable for gaining insight into the platform. Apple runs a program to give certain researchers access to similar devices, but the company only grants these special iPhones to a limited group, and researchers have told WIRED that they are typically outdated iPhone models. Bryant says he paid $165 for the developer-use iPhone 14.

Finally, Bryant says that manufacturing and assembly-line devices can be particularly revealing and can also be found on secondhand markets—especially platforms in China, since so many electronics are assembled in the country. Bryant was curious to see if he could find any equipment that had formerly been used in a Foxconn factory where iPhones are notoriously assembled. By analyzing Chinese listings with his computer vision system, Bryant says he was able to piece together how Foxconn’s asset management system works and how the company labels its devices—particularly those used on the factory floor. Eventually he found a Mac Mini that had a bunch of the Foxconn tags on it and had seemingly been used on a Foxconn quality-and-assurance testing line. But the computer was simply listed for parts, because the photos clearly showed that it had a large drill hole running through the device.

After examining schematics of various generations of Mac Minis, though, Bryant concluded that it was possible the drill had missed the magnetic tray where data would be stored on the hard drive. He took a chance and ordered the computer from China and assessed it himself. Bryant isn't a hardware expert, but once he received the device, it also seemed to him that the physical destruction had likely not achieved its goal. So he sent the Mac Mini to a forensics lab in Los Angeles, which was ultimately able to recover all the data from the drive.

“It had the internal software that Apple uses on their factory line to do testing, including special interfaces for communicating with prototypes and QA units,” Bryant says. “And the computer also contained credentials for Foxconn and logs.”

Bryant again reported his findings to Apple and returned the Mac Mini to them.

The project contains a warning for companies, both about the inevitability of having some device attrition and the importance of taking asset management and deprovisioning seriously. For hackers and eagle-eyed deal seekers alike, though, rogue corporate devices may be a new item for the shopping list.

Apple Prototypes and Corporate Secrets Are for Sale Online—If You Know Where to Look

Six vulnerabilities in ATM-maker Diebold Nixdorf’s popular Vynamic Security Suite could have been exploited to control ATMs using “relatively simplistic attacks.”

There is a grand tradition at the annual Defcon security conference in Las Vegas of hacking ATMs. Unlocking them with safecracking techniques, rigging them to steal users' personal data and PINs, crafting and refining ATM malware and, of course, hacking them to spit out all their cash. Many of these projects targeted what are known as retail ATMs, freestanding devices like those you'd find at a gas station or a bar. But on Friday, independent researcher Matt Burch is presenting findings related to the “financial” or “enterprise” ATMs used in banks and other large institutions.

Burch is demonstrating six vulnerabilities in ATM-maker Diebold Nixdorf’s widely deployed security solution, known as Vynamic Security Suite (VSS). The vulnerabilities, which the company says have all been patched, could be exploited by attackers to bypass an unpatched ATM's hard drive encryption and take full control of the machine. And while there are fixes available for the bugs, Burch warns that, in practice, the patches may not be widely deployed, potentially leaving some ATMs and cash-out systems exposed.

“Vynamic Security Suite does a number of things—it has endpoint protection, USB filtering, delegated access, and much more,” Burch tells WIRED. “But the specific attack surface that I’m taking advantage of is the hard drive encryption module. And there are six vulnerabilities, because I would identify a path and files to exploit, and then I would report it to Diebold, they would patch that issue, and then I would find another way to achieve the same outcome. They’re relatively simplistic attacks.”

The vulnerabilities Burch found are all in VSS's functionality to turn on disk encryption for ATM hard drives. Burch says that most ATM manufacturers rely on Microsoft's BitLlocker Windows encryption for this purpose, but Diebold Nixdorf’s VSS uses a third-party integration to run an integrity check. The system is set up in a dual-boot configuration that has both Linux and Windows partitions. Before the operating system boots, the Linux partition runs a signature integrity check to validate that the ATM hasn't been compromised, and then boots it into Windows for normal operation.

“The problem is, in order to do all of that, they decrypt the system, which opens up the opportunity,” Burch says. “The core deficiency that I’m exploiting is that the Linux partition was not encrypted.”

Burch found that he could manipulate the location of critical system validation files to redirect code execution; in other words, grant himself control of the ATM.

Diebold Nixdorf spokesperson Michael Jacobsen tells WIRED that Burch first disclosed the findings to them in 2022 and that the company has been in touch with Burch about his Defcon talk. The company says that the vulnerabilities Burch is presenting were all addressed with patches in 2022. Burch notes, though, that as he went back to the company with new versions of the vulnerabilities over the past couple of years, his understanding is that the company continued to address some of the findings with patches in 2023. And Burch adds that he believes Diebold Nixdorf addressed the vulnerabilities on a more fundamental level in April with VSS version 4.4 that encrypts the Linux partition.

In spite of all of this, Burch says, it would probably still be possible to find a path to exploit similar vulnerabilities, but “it’s significantly harder now.” More importantly, though, he notes that it can involve significant infrastructure initiatives for large institutions to actually update enterprise ATMs and it's very possible that there are ATMs and cash-out systems that are still running old versions of VSS.

“We’re currently working to ensure our customers are up to date and using the current version appropriate for their environment,” Jacobsen tells WIRED. He added that Diebold Nixdorf's customers should not assume that implementing different disk encryption, like Microsoft BitLocker, would be feasible. “One of Matt’s recommendations for switching to an enterprise disk encryption product, especially Bitlocker, is vulnerable in our environments,” Jacobsen says. “A Bitlocker-encrypted machine can be compromised, and Microsoft will not address this, as the ATM use case is not in their scope.”

This may refer to ongoing, real-world attacks on ATM machines that use malware to steal cash from enterprise ATMs made by multiple manufacturers. These incidents illustrate that there are very real concerns about ATM vulnerabilities being exploited, even though most attacks require physically targeting ATMs and can't be carried out remotely.

“Doing the attack requires physical access where you open the top portion of the ATM, pull the hard drive out, and then patch the contents of the hard drive,” Burch says. “An unrehearsed execution would not be easy to do. But it's absolutely feasible if you know what you’re looking at. Similar attacks have been executed in under 10 minutes. Organized crime is presumably training people in how to do these attacks.”

As long as attackers are finding success and making money from ATM cash-out attacks, there will be Defcon talks about what the next frontiers of ATM hacking may look like.

ATM Software Flaws Left Piles of Cash for Anyone Who Knew to Look

Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).
"This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information

Vulnerability / Network Security

Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).

"This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information," Vladimir Tokarev of the Microsoft Threat Intelligence Community said.

That said, the exploit, presented by Black Hat USA 2024, requires user authentication and an advanced understanding of OpenVPN's inner workings. The flaws affect all versions of OpenVPN prior to version 2.6.10 and 2.5.10.

The list of vulnerabilities is as follows -

*   CVE-2024-27459 - A stack overflow vulnerability leading to a Denial-of-service (DoS) and LPE in Windows
*   CVE-2024-24974 - Unauthorized access to the "\\\\openvpn\\\\service" named pipe in Windows, allowing an attacker to remotely interact with it and launch operations on it
*   CVE-2024-27903 - A vulnerability in the plugin mechanism leading to RCE in Windows, and LPE and data manipulation in Android, iOS, macOS, and BSD
*   CVE-2024-1305 - A memory overflow vulnerability leading to DoS in Windows

The first three of the four flaws are rooted in a component named openvpnserv, while the last one resides in the Windows Terminal Access Point (TAP) driver.

All the vulnerabilities can be exploited once an attacker gains access to a user's OpenVPN credentials, which, in turn, could be obtained through various methods, including purchasing stolen credentials on the dark web, using stealer malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them.

An attacker could then be chained in different combinations -- CVE-2024-24974 and CVE-2024-27903 or CVE-2024-27459 and CVE-2024-27903 -- to achieve RCE and LPE, respectively.

"An attacker could leverage at least three of the four discovered vulnerabilities to create exploits to facilitate RCE and LPE, which could then be chained together to create a powerful attack chain," Tokarev said, adding they could leverage methods like Bring Your Own Vulnerable Driver (BYOVD) after achieving LPE.

"Through these techniques, the attacker can, for instance, disable Protect Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system's core functions, further entrenching their control and avoiding detection."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE

Gentoo Linux Security Advisory 202408-19 - Multiple vulnerabilities have been discovered in ncurses, the worst of which could lead to a denial of service. Versions greater than or equal to 6.4_p20230408 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: ncurses: Multiple Vulnerabilities  
     Date: August 09, 2024  
     Bugs: #839351, #904247  
       ID: 202408-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in ncurses, the worst of  
which could lead to a denial of service.

Background  
=========  
Free software emulation of curses in System V.

Affected packages  
================  
Package                  Vulnerable       Unaffected  
-----------------------  ---------------  ----------------  
sys-libs/ncurses         < 6.4_p20230408  >= 6.4_p20230408  
sys-libs/ncurses-compat  < 6.4_p20240330  >= 6.4_p20240330

Description  
==========  
Multiple vulnerabilities have been discovered in ncurses. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All ncurses users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-6.4_p20230408"  
  # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-compat-6.4_p20240330"

References  
=========  
[ 1 ] CVE-2022-29458  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29458  
[ 2 ] CVE-2023-29491  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29491

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-19

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac