Security by design can’t be just a best practice — it has to become a fundamental part of software development.
Related Posts
In Other News: WEF’s Unsurprising Cybersecurity Findings, KyberSlash Cryptography Flaw
Noteworthy stories that might have slipped under the radar: WEF releases a cybersecurity report with unsurprising findings, and KyberSlash cryptography vulnerabilities.
The post In Other News: WEF’s Unsurprising Cybersecurity Findings, KyberSlash Cryptography Flaw appeared first on SecurityWeek.
WinRAR Flaw Let Attackers Execute Remote Code: Update Now!
An arbitrary code execution vulnerability was discovered in WinRAR that can be exploited by opening a specially crafted RAR file. It is tracked as CVE-2023-40477 and carries a CVSS score of 7.8 (High) according to the Zero Day Initiative (ZDI).
The vulnerability was reported through ZDI by the security researcher “goodbyeselene”. WinRAR is an archive manager for the Windows platform used by millions of users worldwide.
WinRAR can create and extract archives in formats including RAR, ZIP, CAB, ARJ, LZH, TAR, GZip, UUE, ISO, BZIP2, Z and 7-Zip.
CVE-2023-40477 – Remote Code Execution Vulnerability
The flaw stems from improper validation of user-supplied input in the code that processes RAR4 recovery volumes, which can result in a write past the end of the allocated buffer (an out-of-bounds write).
An attacker can exploit it with a specially crafted file and execute arbitrary code in the context of the current WinRAR process, i.e. with the privileges of the user who opened the archive.
According to ZDI, exploitation requires user interaction: the target must visit a malicious page or open a malicious file that triggers the recovery-volume processing flaw.
WinRAR 6.23
WinRAR fixed the vulnerability in version 6.23 and described it in the release notes alongside the version’s new features: “a security issue involving out-of-bounds write is fixed in RAR4 recovery volumes processing code,” the release notes state.
The same release also fixed a separate vulnerability reported by Group-IB, described in the release notes as “a wrong file after a user double-clicked an item in a specially crafted archive.”
Though WinRAR has existed for decades, Microsoft has been working on its own archive manager for opening .7z, ZIP, and RAR files without using third-party software like WinRAR.
WinRAR does not update itself, so users are advised to install version 6.23 or later manually to prevent this vulnerability from being exploited.
The post WinRAR Flaw Let Attackers Execute Remote Code: Update Now! appeared first on Cyber Security News.
CISA Warns of 4 New Vulnerabilities Exploited in the Wild
The Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting significant security risks for various devices used worldwide.
These vulnerabilities, which have been actively exploited in the wild, emphasize the need for organizations to prioritize their mitigation efforts to safeguard their infrastructure and data.
Details of the Vulnerabilities
CVE-2018-14933 – NUUO NVRmini Devices OS Command Injection
This vulnerability affects NUUO NVRmini devices and allows remote attackers to execute arbitrary OS commands via shell metacharacters in the uploaddir parameter of a writeuploaddir command.
Classified as OS command injection (CWE-78), it gives a remote attacker command execution on the recorder itself. Because these devices are End-of-Life (EoL) or End-of-Service (EoS) and no fix is coming, CISA recommends that users discontinue their use.
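The pattern behind the NUUO finding is the classic CWE-78 one: a request parameter is pasted into a string that a shell parses, so `;`, `|` or `$(...)` in the parameter become a second command. The following is an added illustration, not NUUO’s firmware code; the article names only the uploaddir parameter and the writeuploaddir command, so the handler, the `mkdir` command it builds and the `/mnt/upload` root are constructed here. It shows the vulnerable interpolation next to a hardened handler that allowlists each path segment, refuses traversal and passes an argv list instead of a shell string.

```python
"""CWE-78: shell metacharacters in a path parameter, vulnerable and hardened.

Added example for the NUUO uploaddir finding; not vendor code. The mkdir command,
the upload root and the sample inputs are constructed for illustration.
"""
import re
import subprocess
from pathlib import PurePosixPath

UPLOAD_ROOT = PurePosixPath("/mnt/upload")           # assumed location
_SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # allowlist for one path segment


def vulnerable_command(uploaddir):
    """Interpolates the parameter into a string that would be handed to `sh -c`.

    Returned, never executed here, so the effect is visible: with
    uploaddir='cams; id' the shell would run two commands, the second
    attacker-chosen.
    """
    return f"mkdir -p {UPLOAD_ROOT}/{uploaddir}"


def hardened_argv(uploaddir):
    """Validate each segment against the allowlist, refuse traversal, return argv.

    An argv list reaches execve() without a shell, so ';', '|' and '$(' are
    plain bytes in a path name rather than syntax. The allowlist rejects them
    anyway, which keeps the resulting path predictable and auditable.
    """
    segments = uploaddir.strip("/").split("/")
    for seg in segments:
        if seg in ("", ".", "..") or not _SAFE_SEGMENT.fullmatch(seg):
            raise ValueError(f"rejected uploaddir segment: {seg!r}")
    return ["mkdir", "-p", str(UPLOAD_ROOT.joinpath(*segments))]


def accepts(uploaddir):
    """True if the hardened handler would run a command for this parameter."""
    try:
        hardened_argv(uploaddir)
    except ValueError:
        return False
    return True


def handle_writeuploaddir(uploaddir, execute=False):
    """Constructed request handler: returns the argv it validated; execute=True runs it."""
    argv = hardened_argv(uploaddir)
    if execute:
        subprocess.run(argv, check=True)  # list form: no shell is involved
    return argv


if __name__ == "__main__":
    for param in ("cams/2024-12", "cams; id", "../../etc/cron.d", "a/$(reboot)"):
        print(f"{param!r:22} vulnerable -> {vulnerable_command(param)!r}")
        print(f"{'':22} hardened   -> {'runs ' + str(hardened_argv(param)) if accepts(param) else 'REJECTED'}")
```

Note that the hardened version does two independent things: the argv list removes the shell from the picture, and the allowlist rejects anything that is not a plain directory name. Either alone is weaker; quoting for a shell is error-prone, and an argv list without validation would still allow `../../etc/cron.d` as a legitimate-looking path.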
CVE-2022-23227 – NUUO NVRmini 2 Devices Missing Authentication
This flaw impacts NUUO NVRmini 2 devices and arises from a missing authentication check (CWE-306): an unauthenticated attacker can upload an encrypted TAR archive that the device imports, which can be abused to add arbitrary user accounts to the system.
Since the affected product is EoL or EoS, users are strongly advised to phase it out and explore alternative solutions.
CVE-2019-11001 – Reolink Multiple IP Cameras OS Command Injection
This vulnerability affects Reolink IP cameras, including models such as RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W. It allows authenticated administrators to exploit the “TestEmail” functionality and inject OS commands as root.
Because the injected commands run as root, this OS command injection issue (CWE-78) turns a compromised or default administrator credential into full control of the camera. CISA recommends discontinuing use of the product if no effective mitigations are available.
CVE-2021-40407 – Reolink RLC-410W OS Command Injection
This vulnerability specifically impacts the Reolink RLC-410W camera. An authenticated OS command injection flaw (CWE-78) exists in the device’s network settings functionality, allowing an attacker with valid credentials to execute arbitrary commands on the device.
If no mitigations are in place, users should immediately cease product usage.
The KEV catalog, maintained by CISA, serves as a vital resource for organizations to address vulnerabilities that attackers are actively exploiting.
Updated in multiple formats (CSV, JSON, JSON Schema), this catalog helps network defenders prioritize vulnerability management in alignment with real-world threat activity.
Organizations are encouraged to assess their systems for exposure to these vulnerabilities and implement the necessary measures before the catalog’s due date of January 8, 2025. That date is binding for US federal civilian agencies under BOD 22-01, but it is a sensible benchmark for any organization.
By leveraging the KEV catalog, security teams can enhance their defenses and reduce the risk of exploitation.
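In practice, leveraging the KEV catalog means joining its JSON feed against your own asset or scanner data and tracking the due dates. The following is an added example, not code from CISA or from the article: the record layout follows the public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but the four records, the dateAdded values and the inventory are constructed so that it runs offline. The January 8, 2025 due date is the one the article reports.

```python
"""Cross-check an asset inventory against the CISA KEV catalog (JSON feed).

Added example, not CISA's or the article's code. Records below mirror the field
names of the public KEV JSON feed; the records, dateAdded values and inventory
are constructed so the script runs offline. To use the live feed, download the
URL above and pass its text to load_kev().
"""
import json
from datetime import date

# Constructed excerpt in the KEV JSON layout (not the live feed).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2018-14933", "vendorProject": "NUUO", "product": "NVRmini Devices",
         "vulnerabilityName": "NUUO NVRmini Devices OS Command Injection Vulnerability",
         "dateAdded": "2024-12-18", "dueDate": "2025-01-08", "cwes": ["CWE-78"],
         "requiredAction": "Product is EoL/EoS; discontinue use."},
        {"cveID": "CVE-2022-23227", "vendorProject": "NUUO", "product": "NVRmini 2 Devices",
         "vulnerabilityName": "NUUO NVRmini 2 Devices Missing Authentication Vulnerability",
         "dateAdded": "2024-12-18", "dueDate": "2025-01-08", "cwes": ["CWE-306"],
         "requiredAction": "Product is EoL/EoS; discontinue use."},
        {"cveID": "CVE-2019-11001", "vendorProject": "Reolink", "product": "Multiple IP Cameras",
         "vulnerabilityName": "Reolink Multiple IP Cameras OS Command Injection Vulnerability",
         "dateAdded": "2024-12-18", "dueDate": "2025-01-08", "cwes": ["CWE-78"],
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2021-40407", "vendorProject": "Reolink", "product": "RLC-410W",
         "vulnerabilityName": "Reolink RLC-410W OS Command Injection Vulnerability",
         "dateAdded": "2024-12-18", "dueDate": "2025-01-08", "cwes": ["CWE-78"],
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    ],
})

# Constructed inventory: the CVEs a vulnerability scanner reported per asset.
INVENTORY = [
    {"name": "nvr-lobby", "vendor": "NUUO", "product": "NVRmini", "cves": ["cve-2018-14933 "]},
    {"name": "cam-dock-3", "vendor": "Reolink", "product": "RLC-410W",
     "cves": ["CVE-2019-11001", "CVE-2021-40407"]},
    {"name": "cam-parking", "vendor": "Reolink", "product": "RLC-511W", "cves": ["CVE-2019-11001"]},
    {"name": "fw-edge", "vendor": "ExampleVendor", "product": "EdgeFW", "cves": []},
]


def normalise_cve(cve_id):
    """Scanner exports differ in case and whitespace; KEV IDs are upper-case."""
    return cve_id.strip().upper()


def load_kev(feed_text):
    """Parse the KEV JSON and index its records by CVE ID."""
    feed = json.loads(feed_text)
    return {normalise_cve(rec["cveID"]): rec for rec in feed["vulnerabilities"]}


def match_inventory(kev, inventory):
    """Return (asset name, KEV record) pairs for every scanner CVE present in KEV."""
    hits = []
    for asset in inventory:
        for cve in asset.get("cves", []):
            rec = kev.get(normalise_cve(cve))
            if rec is not None:
                hits.append((asset["name"], rec))
    return hits


def overdue(hits, today):
    """Sorted CVE IDs among the hits whose due date is already past on `today` (ISO string)."""
    today = date.fromisoformat(today)
    return sorted({rec["cveID"] for _, rec in hits if date.fromisoformat(rec["dueDate"]) < today})


def summarise(hits, today):
    """Per-asset view: applicable KEV CVEs, their required action, and overdue status."""
    today = date.fromisoformat(today)
    out = {}
    for name, rec in hits:
        entry = out.setdefault(name, {"cves": [], "actions": set(), "overdue": False})
        entry["cves"].append(rec["cveID"])
        entry["actions"].add(rec["requiredAction"])
        if date.fromisoformat(rec["dueDate"]) < today:
            entry["overdue"] = True
    for entry in out.values():
        entry["cves"].sort()
    return out


if __name__ == "__main__":
    hits = match_inventory(load_kev(KEV_SAMPLE), INVENTORY)
    for name, entry in summarise(hits, date.today().isoformat()).items():
        status = "OVERDUE" if entry["overdue"] else "open"
        print(f"{name:12} {status:8} {', '.join(entry['cves'])}")
        for action in sorted(entry["actions"]):
            print(f"{'':21} -> {action}")
```

Matching on CVE IDs from a scanner is deliberate: KEV product strings such as “Multiple IP Cameras” are not stable keys, so joining on vendor or product name produces both misses and false matches. The normalisation step matters because scanner exports routinely differ from KEV in case and trailing whitespace.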
The post CISA Warns of 4 New Vulnerabilities Exploited in the Wild appeared first on Cyber Security News.