
Welcome to TheCyberThrone’s cybersecurity week in review, covering the important security happenings of the week. This review is for the week ending Saturday, September 28, 2024.
FreeBSD flagged with a Critical Vulnerability CVE-2024-41721
A critical vulnerability has been disclosed in FreeBSD’s bhyve hypervisor. If exploited, the flaw could allow malicious code execution, posing a serious threat to systems running vulnerable versions of FreeBSD. The vulnerability, tracked as CVE-2024-41721 with a CVSS score of 9.8, lies in bhyve’s USB emulation functionality, specifically when bhyve is configured to emulate devices on a virtual USB controller (XHCI). The issue arises from insufficient boundary validation in the USB emulation code.
A privileged guest operating system can trigger an out-of-bounds read on the heap, which can potentially escalate to arbitrary writes. This flaw opens the door to a range of attacks, from crashing the hypervisor to achieving code execution in the host’s bhyve userspace process, which usually runs with root privileges…
CrowdStrike unveils a CISA-inspired strategy to future-proof its systems
CrowdStrike introduced a new framework designed to catch errors early and mitigate the fragility of systems, CEO George Kurtz said last week. The release follows the company’s defective software update that caused one of the largest global IT outages in history over the summer.
The framework, dubbed resilient by design, borrows language and principles from the Cybersecurity and Infrastructure Security Agency’s secure by design initiative, which aims to shift the responsibility for security from customers to vendors. CrowdStrike was one of the first companies to sign CISA’s voluntary secure-by-design pledge in May…
Grafana fixes Critical Vulnerability CVE-2024-8986
A critical security vulnerability has been discovered in the Grafana Plugin SDK for Go that could lead to the inadvertent leakage of sensitive information, including repository credentials.
The vulnerability, tracked as CVE-2024-8986 with a CVSS score of 9.1, is triggered when developers include credentials in their repository URIs, which are used to enable the fetching of private dependencies. In such cases, the final plugin binary ends up containing the complete URI, including these sensitive credentials…
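The leakage pattern described above, as an added example that is not code from the Grafana Plugin SDK or from this post: a small Go scanner that walks the raw bytes of a build artifact or config file and reports any URI carrying a userinfo (user:password@) component, with the credential redacted. The sample blob, hostnames and token are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Finding records one URI that carries embedded credentials, along with a
// redacted form that is safe to log or put in a build report.
type Finding struct {
	Raw      string
	Redacted string
}

// uriPattern is deliberately broad: it grabs any scheme://... run that is
// free of whitespace, control bytes and quote characters, so it also works
// on the raw bytes of a compiled binary. url.Parse below decides whether the
// match really contains a userinfo component.
var uriPattern = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^\x00-\x20"'<>]+`)

// FindCredentialURIs scans arbitrary bytes (a go.mod, a CI log, or a built
// plugin binary) and returns every URI whose userinfo part is non-empty.
func FindCredentialURIs(data []byte) []Finding {
	var out []Finding
	for _, m := range uriPattern.FindAll(data, -1) {
		raw := string(m)
		u, err := url.Parse(raw)
		if err != nil || u.User == nil {
			continue // not a URL, or no user:password@ part
		}
		_, hasPassword := u.User.Password()
		if u.User.Username() == "" && !hasPassword {
			continue // "https://@host" carries nothing worth flagging
		}
		out = append(out, Finding{Raw: raw, Redacted: Redact(u)})
	}
	return out
}

// Redact replaces the userinfo with "REDACTED" so the finding can be
// reported without repeating the secret.
func Redact(u *url.URL) string {
	c := *u
	c.User = url.User("REDACTED")
	return c.String()
}

func main() {
	// Constructed sample: a few bytes standing in for a compiled plugin, with
	// one public module URL and one private-repository URL that still carries
	// the token used during the build (hypothetical hosts and secret).
	blob := []byte("\x7fELF\x00\x00https://github.example/public/dep\x00" +
		"https://deploy:s3cr3t@git.example.internal/org/private-dep.git\x00")
	for _, f := range FindCredentialURIs(blob) {
		fmt.Println("credential embedded in artifact:", f.Redacted)
	}
}
```

Run over the built plugin binary as a release gate in CI and fail the build on any finding; the redacted form is what goes into the report, the raw match stays out of logs.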
CISA adds Ivanti CVE-2024-7593 to its KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ivanti Virtual Traffic Manager authentication bypass vulnerability CVE-2024-7593 with a CVSS score 9.8 to its Known Exploited Vulnerabilities (KEV) catalog.
Back in August 2024, Ivanti addressed the vulnerability CVE-2024-7593 that impacts Virtual Traffic Manager (vTM) appliances, allowing attackers to create rogue administrator accounts…
Meta fined by Irish DPC over data encryption
Ireland’s privacy regulator, the Data Protection Commission (DPC), has fined Meta Platforms a whopping €91 million over a security flaw in its internal systems that came to light five years ago, and has also reprimanded the company.
In January 2019, Meta discovered that it had stored several hundred million account passwords in an unencrypted, plaintext format. The issue mostly affected users of Facebook Lite; tens of millions of other Facebook users were affected as well, along with a smaller number of Instagram accounts…
TeamViewer Fixes CVE-2024-7479 and CVE-2024-7481
TeamViewer has addressed two critical vulnerabilities impacting its Remote Client and Remote Host products for Windows.
The vulnerabilities, tracked as CVE-2024-7479 and CVE-2024-7481, both with a CVSS score of 8.8, stem from improper verification of cryptographic signatures during the installation of specific drivers. Specifically, they affect the installation of VPN drivers and printer drivers via the TeamViewer_service.exe component of TeamViewer Remote Clients…
This brings an end to this week’s security review coverage. Thanks for visiting TheCyberThrone. If you like us, please follow us on Facebook, Twitter and Instagram.

