The following advisory describes a FTP protocol stream injection vulnerability found in Oracle Java. Java is a general-purpose computer programming language that is concurrent, class-based, object-oriented, and specifically designed to have as few implementation dependencies as possible. It is intended to let application developers “write once, run anywhere” (WORA).
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
We have reported this vulnerability to Oracle, and have been waiting for several months for a patch for this vulnerability. Another researcher has discovered this vulnerability and went public with it – at which point we decided to publish the information without waiting for Oracle to release a patch.
Continue reading SSD Advisory – Oracle Java FTP Stream Injection
The following advisory describes 2 vulnerabilities found in HiSilicon application-specific integrated circuit (ASIC) chip set firmware.
HiSilicon provides ASICs and solutions for communication network and digital media. These ASICs are widely used in over 100 countries and regions around the world. In the digital media field, HiSilicon has already released the SoC and solution for network surveillance, videophone, DVB and IPTV.
The vulnerabilities found in HiSilicon ASIC firmware are:
- Buffer overflow in built-in webserver
- Directory path traversal built-in webserver
The list of vendors working with HiSilicon is unknown. We manage to identify 55 different vendors, all of them are still vulnerable.
Here is example of 10 vendors using the HiSilicon application-specific integrated circuit (ASIC) chip set in their products (the full list can be found in the end of this report):
An independent security researcher Istvan Toth has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
We tried to communicate with the vendor through emails and twitter, over the course of several months, we were unable to get any response.
Continue reading SSD Advisory – HiSilicon multiple vulnerabilities
You all know him from Twitter as “mr_me” (@steventseeley) we are proud to interview Steven Seeley! Vulnerability researcher, Ruxcon and HITB speaker, founder of Source Incite and a long time Wing Chun student!!
Continue reading Know your community – Steven Seeley
The following advisory describes a Local File Inclusion (LFI) vulnerability found in Tripwire IP360 version 7.2.6. Tripwire IP360 is a enterprise-class vulnerability and risk assessment, it’s provides visibility into the enterprise network, including all networked devices and their associated operating systems and application.
An independent security researcher Mohammed Shameem has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Tripwire has stated 7.2.6 which was vulnerable has reached end of life. No other version of Tripwire is affected by this LFI vulnerability. Tripwire customers still using version 7.2.6 should upgrade to version 7.5 or newer which is supported.
Continue reading SSD Advisory – Tripwire IP360 Local File Inclusion