SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all.
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Questions about custom IP/UDP/RPC packets
ste0640 (Apr 05)
Hi everyone,
I hope I am not at the wrong place here for questions.
I tried to write a script to discover Profinet devices on an IP address and get information about them, mostly to test
the knowledge I gathered about this topic in an internship and maybe make it usable for others too.
I am new to Lua and the Nmap libs, but they seemed suitable for this task.
So I used a hex string for my packet and tried to send first with bind, connect and...
Re: Replicable problem with later versions of npcap
Daniel Miller (Apr 04)
Kurt,
Thanks for reporting this. We'll look into it, and will be tracking the
issue at http://issues.nmap.org/1541
Dan
On Wed, Mar 27, 2019 at 1:58 PM Kurt Buff - GSEC, GCIH <kurt.buff () gmail com>
wrote:
Re: Feature: per-target port specification (with patch!)
Jan Gocník (Apr 02)
Hey Dan,
thanks for the reply! It's a shame that I didn't find the GitHub issue you
link to before implementing this, as it does raise a lot of valid
concerns.
First, let me say that the company I work for wants this feature, so even
if it doesn't end up in upstream, I will try to keep it at least as a fork
- as I'll have to maintain it internally anyway, I wanted to share with
the community, in case others have a need...
Re: Feature: per-target port specification (with patch!)
Daniel Miller (Apr 02)
Some initial notes from building and testing this:
./nmap scanme.nmap.org^22-80 -d
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-04-02 18:37 UTC
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0...
NSE MikroTik Neighbor Discovery Protocol (NMDP) broadcast discovery script
Brendan Coles (Apr 02)
Hi all.
New NSE script PR [1].
Discovers MikroTik devices on a LAN by sending a MikroTik Neighbor
Discovery Protocol (NMDP) network broadcast probe.
[1] https://github.com/nmap/nmap/pull/1510
Re: Feature: per-target port specification (with patch!)
Daniel Miller (Apr 02)
Jan,
Thanks for this contribution. We've had many requests for this type of
feature in the past, but have elected not to include it for a variety of
reasons. There is an open discussion on our issue tracker that lays out
some of the challenges in correctly implementing such a feature:
http://issues.nmap.org/1217
It looks like your patch has tried to handle some of these situations, for
example the "Ports scanned" output for...
NSE script to enum CIP tags in SCADA AB controllers
Luís Rosa (Apr 02)
Hi folks,
I've submitted a new scan [0] to discover CIP tags in AB Logix5000
controllers.
[0] https://github.com/nmap/nmap/pull/1539
Feature: per-target port specification (with patch!)
Jan Gocník (Apr 02)
Hey,
I would like to propose a feature enabling specifying ports for each
target separately.
Rationale:
It often happens that we already have an nmap scan of 200 machines, and we
want to do a service scan on those same machines. Usually that forces us
to scan the whole network for all the ports that appeared at least once.
That is a big waste of time and bandwidth. What we want to have is
essentially a rescan-like feature, that would rescan...
GitHub PR #1538 - HTTP fingerprint for teapot devices (MERGE ASAP)
Kostas Milonas (Apr 01)
Hello everyone.
Internet-exposed teapots are now getting their place in everyone's home.
You can imagine the importance of such a device staying secure, not just
obscure.
Let's put this tiny bit of code into the security toolset of humanity and
consider it
as a starting point to help innocent people around the globe keep their
teapots safe.
The pull request is:
https://github.com/nmap/nmap/pull/1538
I would also appreciate any...
Re: How to estimate Coverage and number of scanning ports
nnposter (Mar 31)
My own results of internal scanning, unobstructed by firewalls:
* top 16 ports represent 50% of all ports open
* top 74 ports represent 75% of all ports open
* top 627 ports represent 90% of all ports open
* top 4,313 ports represent 95% of all ports open
These numbers represent one large corporate entity so the curve is
obviously compressed to the left, when compared to the universe.
Cheers,
nnposter
How to estimate Coverage and number of scanning ports
Yusuke Osumi (Mar 30)
Hi,
I am now researching how to scan quickly and effectively, and I am trying to lower
the number of ports.
(I mean that I want a more effective result with fewer ports.)
According to the book "Nmap Network Scanning" by Fyodor, at p.141,
- 576 ports : 90% Effectiveness
- 1558 ports : 95% Effectiveness
I take "Effectiveness" as Coverage,
so when I scan 600 ports, I guess coverage is over 90%. I want to
estimate such number.
However, I think I...
Re: help me please/email keeps going to JUNK
cmwDev (Mar 30)
This is a function of Hotmail. Google "add safe sender to hotmail", and I
would add the domain of nmap dot org to the safe senders list.
Nmap scan compare and automation
Bora Özden (Mar 29)
Hi all,
I have made an Nmap batch file which will run as a scheduled task on
Windows Server, and will scan the systems which are written in a target
text file. But I would also like to send the scan results to the admin by email,
and I would also like to compare each scan task, alert on the differences
between each scan, and alert the admin by email. I checked a little
bit of ndiff etc. but am currently too busy to tune it. Can anyone help to...
help me please/email keeps going to JUNK
Mike . (Mar 29)
I have now messaged this 3 times. Can I PLEASE get someone to address it? I have Windows Live Mail and have had it for
6 yrs or more?? I'm happy with it UNTIL, and for whatever reason I am not aware of, Nmap email activity is ALWAYS
flagged as JUNK!? Why??????? (This never used to happen.) I continue to set rules. I have asked to always move it to
inbox, etc. Wth is the deal????????
Mike
NPCAP BUGCHECK
Mike . (Mar 29)
Getting no responses to this never-ending saga. Maybe some of you coders can do something with this. I have enclosed
the crashdump. -----Mike
*Crash dump is too damn big; this is a direct copy/paste from windbg, best I can do
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {80000003, 887a720e, 89341ae8, 893416c0}
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
*** ERROR: Symbol file could...
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap 7.70 released! Better service and OS detection, 9 new NSE scripts, new Npcap, and much more.
Fyodor (Mar 20)
Nmap Community,
We're excited to make our first Nmap release of 2018--version 7.70! It
includes hundreds of new OS and service fingerprints, 9 new NSE scripts
(for a total of 588), a much-improved version of our Npcap windows packet
capturing library/driver, and service detection improvements to make -sV
faster and more accurate. And those are just a few of the dozens of
improvements described below.
Nmap 7.70 source code and binary...
Nmap GSoC 2017 Success Reports
Fyodor (Oct 10)
Hello Nmap Community,
Nmap celebrated its 20th birthday last month and we also just completed our
13th Google Summer of Code. We focused on a fairly small team of four
students this year (http://seclists.org/nmap-announce/2017/2), and I'm
happy to report that every one passed! And they all have code integrated
into Nmap 7.60 already, with even more to follow for the next release.
Also this year, for the first time, every student wrote a...
Nmap 7.60 released! SSH support, SMB2/SMB3 improvements, 14 more scripts, new Npcap, GSoC work, and more
Fyodor (Aug 01)
Hello everyone. I'm back from Defcon and excited to announce the new Nmap
7.60 release! It has only been a month and a half since 7.50, but we still
packed a lot into this one. Mostly because we have such an awesome GSoC
team of 8 students and mentors working on so many cool projects. The
program hasn't even ended yet, but much of their work has already been
integrated into this release.
One of the things I'm most excited...
Nmap 7.50 Released! 14 new NSE scripts, 300+ fingerprints, new Npcap, and more
Fyodor (Jun 13)
Dear Nmap Community:
The Nmap project is delighted to announce the release of Nmap 7.50! It is
our first big release since last December and has hundreds of improvements
that we hope you will enjoy.
One of the things we have worked the hardest on recently is our Npcap
packet capturing driver and library for Windows (https://nmap.org/npcap/).
It is a replacement for WinPcap, which served us well for many years, but
is no longer maintained....
Introducing the 2017 Nmap/Google Summer of Code Team!
Fyodor (May 18)
Nmap community:
Thanks for all of your applications and referrals of talented students to
the Summer of Code program. Google has agreed to sponsor four students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2017 team! We normally mentor coders working all over the
Nmap/Zenmap/Ncat/Nping spectrum, but this year we're doubling down on the
Nmap Scripting Engine component. All four of our...
Nmap Project Seeking Talented Programmers for GSoC 2017
Fyodor (Mar 27)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Nmap GSoC 2016 Success Report
Fyodor (Feb 07)
Happy belated new year from the Nmap Project! I'd like to take this
opportunity to send you the belated results from our 2016 Summer of Code
team. I was going to send them right after the program finished, but some
of the students were still finishing some great things so I decided to
wait. As you may recall from the team intro mail (
http://seclists.org/nmap-announce/2016/2), we had 5 students last year and
I'm happy to report that...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
WordPress plugin Contact Form by WD [CSRF → LFI]
Panagiotis Vagenas (Apr 05)
# Exploit Title: Contact Form by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-maker
# Version: 1.13.1
# Tested on: WordPress 5.1.1
Description
-----------
Plugin implements the following AJAX actions:
- `manage_fm`
- `get_stats`
- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `nopriv_formmakerwdcaptcha`...
WordPress Plugin Form Maker by WD [CSRF → LFI]
Panagiotis Vagenas (Apr 05)
# Exploit Title: Form Maker by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/form-maker
# Version: 1.13.2
# Tested on: WordPress 5.1
Description
-----------
Plugin implements the following AJAX actions:
- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `formmakerwdmathcaptcha`
- `product_option`
-...
Arris Touchstone TG1672 Administrative Login Vulnerabilities
Harley A.W. Lorenzo via Fulldisclosure (Apr 05)
================================================================================
Title: Arris Touchstone TG1672 Administrative Login Vulnerabilities
Product: Arris Touchstone TG1672
Version: TS0901103AS_092216_16XX.GW_SIP (most likely other versions
affected but unconfirmed)
Product Page: https://www.arris.com/products/touchstone-telephony-gateway-tg1672/
Published: 2019-04-05...
Uniqkey Password Manager 1.14 - Remote Denial Of Service [CVE-2019-10845]
gionreale (Apr 05)
An issue was discovered in Uniqkey Password Manager 1.14.
When entering new credentials to a site that isn't registered within
this product, a pop-up window will appear asking the user if
they want to save these new credentials. The code of the pop-up window
can be read and, to some extent, manipulated by remote servers. This
pop-up window will stay on any page the user visits within the browser
until a decision is made. A malicious web...
hardwear.io 2019 Call For Papers is Open - USA & Netherlands
Yuliya Pliavaka (Apr 04)
Dear InfoSec Gurus,
Hardwear.io Security Conference and Training is a platform for hardware and
security community where researchers showcase and discuss their innovative
research on attacking and defending hardware.
Submission Topics
hardwear.io accepts papers on any topic that discusses in-depth hardware
and firmware security both from the offensive as well as defensive
perspective. Example topics: IC, Processors, IoT, Automotive,...
SphereFTP 2.0 Denial Of Service
Sachin Wagh (Apr 04)
#!/usr/bin/python
# Exploit Title: SphereFTP Server v2.0 Remote Denial of Service Vulnerability
# Date: 2019-31-03
# Exploit Author: Sachin Wagh (@tiger_tigerboy)
# Software Link: http://www.menasoft.com/sphereftp/sphereftp_win32_v20.zip
# Tested on: Windows 10 64-bit
import socket
import sys
evil = "A"*3000
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.56.1',21))
s.recv(1024)...
DSA-2019-031: Dell EMC IsilonSD Management Server Cross-Site Scripting (XSS) Vulnerabilities
secure (Apr 04)
Dell EMC Product Taxonomy: IsilonSD Management Server
Security Advisory Technically Signed Off by (Role: Name):
- Product Management: John Harr
- Engineering Team: Phillip Nordwall
- Program Management: David Geijsbeek
- Service Product Lead (SDS): Jeremy Johnson
DSA-2019-031: Dell EMC IsilonSD Management Server Cross-Site Scripting (XSS) Vulnerabilities
Dell EMC Identifier: DSA-2019-031
CVE Identifier: CVE-2019-3708, CVE-2019-3709...
CVE-2019-7727 - JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution
Red Timmy Sec - (Apr 04)
Description
===========
NICE Engage is an interaction recording platform. The default configuration in versions <= 6.5 (and possibly higher)
binds an unauthenticated JMX/RMI interface to all network interfaces, without restricting registration of MBeans, which
allows remote attackers to execute arbitrary code via the RMI protocol by using the JMX connector. The observed
affected TCP port is 6338 but based on the product's configuration a...
c0c0n XII | The cy0ps c0n - Call For Papers & Call For Workshops
Prajwal Panchmahalkar (Apr 04)
#################################################################
c0c0n XII | The cy0ps c0n - Call For Papers & Call For Workshops
#################################################################
Sep 25-28, 2019 - Grand Hyatt, Kochi (Cochin), Kerala, India
Buenos Dias from the God's Own Country!
We are extremely delighted to announce the Call for Papers and Call for
Workshops for c0c0n 2019 <http://www.is-ra.org/c0c0n/>, a...
Open-Xchange Security Advisory 2019-04-01
Open-Xchange GmbH via Fulldisclosure (Apr 04)
Dear subscribers,
we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those
vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: 61771 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable...
Uniqkey Password Manager 1.14 - Remote Credential Disclosure
gionreale (Apr 04)
CVE-2019-10676
Various vulnerabilities in Lupusec XT2 Plus home alarm system
Dan Fabian (Apr 04)
=======================================================================
title: Multiple Vulnerabilities
product: Lupusec XT2 Plus Main Panel
version: Firmware 0.0.2.19E
homepage: https://www.lupus-electronics.de/
found: 01/2019
by: D. Fabian
=======================================================================
Vendor description:
-------------------
"The new...
APPLE-SA-2019-3-27-1 watchOS 5.2
Apple Product Security via Fulldisclosure (Mar 29)
APPLE-SA-2019-3-27-1 watchOS 5.2
watchOS 5.2 is now available and addresses the following:
CFString
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.
configd
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to elevate...
[SAUTH-2019-0002] - Pydio 8 Multiple Vulnerabilities
SecureAuth Advisories (Mar 29)
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
Pydio 8 Multiple Vulnerabilities
1. *Advisory Information*
Title: Pydio 8 Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0002
Advisory URL:
https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities
Date published: 2019-03-28
Date of last update: 2019-03-28
Vendors contacted: Pydio
Release mode: Coordinated release
2. *Vulnerability Information*
Class:...
[RT-SA-2019-005] Cisco RV320 Command Injection Retrieval
RedTeam Pentesting GmbH (Mar 27)
Advisory: Cisco RV320 Command Injection
RedTeam Pentesting discovered a command injection vulnerability in the
web-based certificate generator feature of the Cisco RV320 router which
was inadequately patched by the vendor.
Details
=======
Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 through 1.4.2.20
Fixed Versions: none
Vulnerability Type: Remote Code Execution
Security Risk: medium
Vendor URL:...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
WordPress plugin Contact Form by WD [CSRF → LFI]
Panagiotis Vagenas (Apr 05)
# Exploit Title: Contact Form by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-maker
# Version: 1.13.1
# Tested on: WordPress 5.1.1
Description
-----------
Plugin implements the following AJAX actions:
- `manage_fm`
- `get_stats`
- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `nopriv_formmakerwdcaptcha`...
WordPress Plugin Form Maker by WD [CSRF → LFI]
Panagiotis Vagenas (Apr 05)
# Title: Form Maker by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/form-maker
# Version: 1.13.2
# Tested on: WordPress 5.1
Description
-----------
Plugin implements the following AJAX actions:
- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `formmakerwdmathcaptcha`
- `product_option`
- `FormMakerEditCountryinPopup`...
[SECURITY] [DSA 4424-1] pdns security update
Sebastien Delafond (Apr 04)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4424-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
April 04, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : pdns
CVE ID : CVE-2019-3871
Debian Bug : 924966...
Various vulnerabilities in Lupusec XT2 Plus home alarm system
Dan Fabian (Apr 04)
=======================================================================
title: Multiple Vulnerabilities
product: Lupusec XT2 Plus Main Panel
version: Firmware 0.0.2.19E
homepage: https://www.lupus-electronics.de/
found: 01/2019
by: D. Fabian
=======================================================================
Vendor description:
-------------------
"The new...
[SECURITY] [DSA 4423-1] putty security update
Moritz Muehlenhoff (Apr 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4423-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
April 03, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : putty
CVE ID : CVE-2019-9894 CVE-2019-9895...
[SECURITY] [DSA 4422-1] apache2 security update
Salvatore Bonaccorso (Apr 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4422-1 security () debian org
https://www.debian.org/security/ Stefan Fritsch
April 03, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : apache2
CVE ID : CVE-2018-17189 CVE-2018-17199...
[slackware-security] ghostscript (SSA:2019-092-01)
Slackware Security Team (Apr 02)
[slackware-security] ghostscript (SSA:2019-092-01)
New ghostscript packages are available for Slackware 14.2 and -current to
fix security issues.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/ghostscript-9.26-i586-1_slack14.2.txz: Upgraded.
Fixes security issues:
A specially crafted PostScript file could have access to the file system
outside of the constraints imposed by -dSAFER....
[slackware-security] wget (SSA:2019-092-02)
Slackware Security Team (Apr 02)
[slackware-security] wget (SSA:2019-092-02)
New wget packages are available for Slackware 14.2 and -current to
fix security issues.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wget-1.20.2-i586-1_slack14.2.txz: Upgraded.
Fixed an unspecified buffer overflow vulnerability.
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+...
CVE-2019-7727 - JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution
Red Timmy Sec - (Apr 01)
Description
===========
NICE Engage is an interaction recording platform. The default configuration in versions <= 6.5 (and possibly higher)
binds an unauthenticated JMX/RMI interface to all network interfaces, without restricting registration of MBeans, which
allows remote attackers to execute arbitrary code via the RMI protocol by using the JMX connector. The observed
affected TCP port is 6338 but based on the product's configuration a...
[SECURITY] [DSA 4421-1] chromium security update
Michael Gilbert (Apr 01)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4421-1 security () debian org
https://www.debian.org/security/ Michael Gilbert
March 31, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2019-5787 CVE-2019-5788...
[SECURITY] [DSA 4420-1] thunderbird security update
Moritz Muehlenhoff (Apr 01)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4420-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 30, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : thunderbird
CVE ID : CVE-2018-18506 CVE-2019-9788...
[SECURITY] [DSA 4419-1] twig security update
Sebastien Delafond (Mar 31)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4419-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
March 29, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : twig
CVE ID : CVE-2019-9942
Fabien Potencier...
[SECURITY] [DSA 4418-1] dovecot security update
Salvatore Bonaccorso (Mar 28)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4418-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
March 28, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : dovecot
CVE ID : CVE-2019-7524
A vulnerability was...
[SAUTH-2019-0002] - Pydio 8 Multiple Vulnerabilities
SecureAuth Advisories (Mar 28)
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
Pydio 8 Multiple Vulnerabilities
1. *Advisory Information*
Title: Pydio 8 Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0002
Advisory URL:
https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities
Date published: 2019-03-28
Date of last update: 2019-03-28
Vendors contacted: Pydio
Release mode: Coordinated release
2. *Vulnerability Information*
Class:...
[slackware-security] gnutls (SSA:2019-086-01)
Slackware Security Team (Mar 27)
[slackware-security] gnutls (SSA:2019-086-01)
New gnutls packages are available for Slackware 14.2 and -current to
fix security issues.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/gnutls-3.6.7-i586-1_slack14.2.txz: Upgraded.
Fixes security issues:
libgnutls, gnutls tools: Every gnutls_free() will automatically set
the free'd pointer to NULL. This prevents possible...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
CarolinaCon-15 is April 26-28, 2019 in Charlotte NC - Call For Papers/Presenters is now open
Vic Vandal (Feb 03)
We are pleased to announce that CarolinaCon-15 will be on April 26th-28th 2019 in Charlotte NC at the Renaissance
Charlotte Suites. All who are interested in speaking on any topic in the realm of hacking, cybersecurity, technology,
science, robotics or any related field are invited to submit a proposal to present at the con. Full disclosure that
technology or physical security exploitation type submissions are most desirable for this storied...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
44CON 2018 - 12th-14th September, London (UK)
Steve (Feb 28)
44CON 2018 is the UK's best annual Security Conference and Training event. The conference spans 2.5 days with training
on the 10th and 11th of September, a free evening event on the 12th of September, and a full two-day conference on the
13th and 14th of September. The event takes place at the ILEC Conference Centre near Earls Court, London. 44CON 2018
includes catering, private bus bar and Gin O'Clock breaks. Early Bird discounted...
RootedCON Security Conference - 1-3 March, Madrid (Spain)
omarbv (Feb 11)
On the occasion of the ninth edition of RootedCON, the most important
computer security conference in the country, around 2,000 hackers will
meet to discuss new questions and research about the cybersecurity
world, with its risks and threats. National and international experts
have included in their agendas this mandatory appointment to discuss new
vulnerabilities, viruses, and other threats; they will also talk about
countermeasures in order...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Cyber Command, the NSA, and Operating in Cyberspace: Time to End the Dual Hat
InfoSec News (Apr 04)
https://warontherocks.com/2019/04/cyber-command-the-nsa-and-operating-in-cyberspace-time-to-end-the-dual-hat/
By Andrew Schoka
War on the Rocks
April 3, 2019
To publish this article, I had to submit it for review to three separate
organizations: the U.S. Army Intelligence and Security Command, United
States Cyber Command (my employer), and the National Security Agency
(NSA). In total, it took just under two months to secure approval from all...
Government urges businesses and charities to up cyber security
InfoSec News (Apr 04)
https://www.computerweekly.com/news/252461013/Government-urges-businesses-and-charities-to-up-cyber-security
By Warwick Ashford
Security Editor
ComputerWeekly.com
03 Apr 2019
The proportion of UK organisations being hit by cyber attacks and data breaches
has dropped in the past year, official statistics show, but government says
there is more work to be done and industry experts suggest this should focus on
cyber resilience.
The...
Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists
InfoSec News (Apr 04)
https://www.washingtonpost.com/technology/2019/04/03/hospital-viruses-fake-cancerous-nodes-ct-scans-created-by-malware-trick-radiologists/
By Kim Zetter
The Washington Post
April 3, 2019
When Hillary Clinton stumbled and coughed through public appearances
during her 2016 presidential run, she faced critics who said that she
might not be well enough to perform the top job in the country. To quell
rumors about her medical condition, her doctor...
Millions of Facebook records were exposed on public Amazon server
InfoSec News (Apr 04)
https://www.cnet.com/news/millions-of-facebook-records-were-exposed-on-public-amazon-server/
By Alfred Ng
CNET News
April 3, 2019
A treasure trove of Facebook data containing more than 540 million records
was exposed online in a public database, security researchers from UpGuard
said Wednesday.
The data contained extensive details, including people's comments, likes,
names and Facebook IDs. It had been collected by two third-party...
Hacker Eva Galperin Has a Plan to Eradicate Stalkerware
InfoSec News (Apr 04)
https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/
By Andy Greenberg
Wired.com
April 3, 2019
Over the last year, Eva Galperin says she's learned the signs: the
survivors of domestic abuse who come to her describing how their
tormentors seem to know everyone they've called, texted, and even what
they discussed in their most private conversations. How their abusers seem
to know where they've been and...
Subscribe to InfoSec News
InfoSec News (Apr 03)
https://www.infosecnews.org/subscribe-to-infosec-news/
InfoSec News is a privately run, medium traffic list that caters to the
distribution of information security news articles. These articles come from
such sources as newspapers, magazines, and online resources. The e-mail subject
line always contains the title of the article to allow readers to review
articles quickly and efficiently.
Likewise, some of you would like to unsubscribe from...
Arizona Beverages knocked offline by ransomware attack
InfoSec News (Apr 03)
https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/
By Zack Whittaker
Techcrunch.com
April 2, 2019
Arizona Beverages, one of the largest beverage suppliers in the U.S., is
recovering after a massive ransomware attack last month, TechCrunch has
learned.
The company, famous for its iced tea beverages, is still rebuilding its network
almost two weeks after the attack hit, wiping hundreds of Windows computers and
servers and...
Chinese Woman Arrested for Unauthorized Entry at Mar-a-Lago
InfoSec News (Apr 03)
https://www.bloomberg.com/news/articles/2019-04-02/chinese-woman-arrested-for-unauthorized-entry-at-mar-a-lago
By Andrew M Harris
Bloomberg.com
April 2, 2019
A woman carrying two Chinese passports illegally entered President Donald
Trump’s Mar-a-Lago resort in Palm Beach, Florida, Saturday and lied to a Secret
Service agent, according to U.S. authorities.
The suspect, Yujing Zhang, also had four mobile phones, a laptop computer, an...
Researcher prints 'PWNED!' on hundreds of GPS watches' maps due to unfixed API
InfoSec News (Apr 03)
https://www.zdnet.com/article/researcher-prints-pwned-on-hundreds-of-gps-watches-maps-due-to-unfixed-api/
By Catalin Cimpanu
Zero Day
ZDNet News
April 2, 2019
A German security researcher has printed the word "PWNED!" on the tracking maps
of hundreds of GPS watches after the watch vendor ignored vulnerability reports
for more than a year, leaving thousands of GPS-tracking watches --some of which
are used by children and the...
Mind the Brexit gap in cyber security
InfoSec News (Apr 03)
https://www.computerweekly.com/opinion/Mind-the-Brexit-gap-in-cyber-security
By Elliot Rose
ComputerWeekly.com
April 2019
There has long been a strong partnership between the UK and Europe in cyber
security. With the outcome of Brexit still uncertain, there is much debate about
how these links will be maintained in the future.
There will clearly be changes, not least that the UK is set to lose its seat on
Europol’s management board and will...
Ex-NSA contractor set to plead guilty for theft of top secret information
InfoSec News (Mar 27)
https://www.cyberscoop.com/harold-martin-guilty-plea-nsa-shadow-brokers/
By Greg Otto
CYBERSCOOP
March 27, 2019
A former National Security Agency contractor accused of perhaps the largest
theft of government secrets in U.S. history is expected to plead guilty
Thursday in federal court, according to court records.
Harold T. Martin III has been charged with 20 counts of unauthorized and
willful retention of national defense information in...
Casino Screwup Royale: A tale of "ethical hacking" gone awry
InfoSec News (Mar 27)
https://arstechnica.com/information-technology/2019/03/50-shades-of-greyhat-a-study-in-how-not-to-handle-security-disclosures/
By Sean Gallagher
Ars Technica
3/26/2019
People who find security vulnerabilities commonly run into difficulties when
reporting them to the responsible company. But it's less common for such
situations to turn into tense trade-show confrontations—and competing claims of
assault and blackmail.
Yet that's...
Asus was warned of hacking risks months ago, thanks to leaky passwords
InfoSec News (Mar 27)
https://techcrunch.com/2019/03/27/asus-hacking-risk/
By Zack Whittaker
TechCrunch
March 27, 2019
A security researcher warned Asus two months ago that employees were
improperly publishing passwords in their GitHub repositories that could be
used to access the company’s corporate network.
One password, found in an employee repo on the code-sharing site, allowed the
researcher to access an email account used by internal developers and engineers...
The latest dark web cyber-criminal trend: Selling children's personal data
InfoSec News (Mar 27)
https://www.zdnet.com/article/the-latest-dark-web-cyber-criminal-trend-selling-childrens-personal-data/
By Danny Palmer
ZDNet News
March 27, 2019
Imagine you're a teenager, applying for credit to buy your first car or maybe a
loan to go to university. You don't remember taking out a credit card when you
were six years old, but the bank is adamant, and now you have a poor credit
rating and in their eyes, you're persona non...
Norsk Hydro ransomware losses estimated at $40m
InfoSec News (Mar 27)
https://www.computing.co.uk/ctg/news/3073225/norsk-hydro-ransomware-losses-estimated-at-usd40m
By Nicholas Fearn
computing.co.uk
27 March 2019
Norwegian industrial giant Norsk Hydro has estimated the cost of last week's
ransomware attack at $40 million.
The attack affected operations across the aluminium smelting company's entire
business, resulting in production being halted and the firm forced to revert to
manual processes.
In an...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday Beta V3.0 Released
Francisco Amato (Jul 04)
Faraday helps you to host your own vulnerability management platform
now and streamline your team in one place.
We are pleased to announce the newest version of Faraday v3.0. In this
new version we have made major architecture changes to adapt our
software to the new challenges of cyber security. We focused on
processing large data volumes and on making it easier for the user to
interact with Faraday in its environment.
To install it you can...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Manual vs Automated analysis
Dave Aitel (Apr 04)
I think looking at the entire suite of reverse engineering tools available
(Ghidra/IDAPro/Binary Ninja/R2/etc) now is exciting in the sense that they
all have different philosophies from the beginning design. However, since
I'm not a full time reverser anymore, I wanted to talk to the team over at
Vector35 about it, and we did it on WebEx so you can listen in. :)
Some topics covered (and illustrated by the below screenshot) include:
-...
t2'19: Call For Papers 2019 (Helsinki, Finland)
Tomi Tuominen (Apr 03)
#
# t2'19 - Call For Papers
# We’re back. October 24-25 in Helsinki. CFP and ticket sales are now open.
#
Looking for an event worthy of your 0days or world class research? Prefer conference disclosure over jumping through
hoops with uninterested vendors? Worried about sponsors doing shady backroom deals to block your talk? We’ve got your
back. As an independent, vendor-neutral, practically-non-profit conference we value freedom of...
Talks.
Dave Aitel (Mar 19)
It's almost INFILTRATE dry-run time! Some part of me prefers the slow pace
of two talks a day to the firehose that is a one-track focused conference
where each speaker has been told to not walk us through the basics. This is
the balance of "We liked a ton more talks than we have slots" and "my brain
hurts".
Because there's about a thousand conferences now, there's also so many
talks you could do nothing but...
(no subject)
Steve Lord (Feb 27)
44CON is the UK's premier annual technical security conference and
training event. From the evening of the
11th of September till the 13th of September 2019, expect a top-tier
international technical conference
with fast wifi, loose 0day, a village pub and of course, Gin O'Clock.
__ __ __ __ __________ _ __
/ // / / // / / ____/ __ \/ | / / | "You can hack us
/ // /_/ // /_/ / / / / / |/ / | You can...
Re: The dream of the LISP machine is alive in the 90ies
the grugq (Feb 18)
inline...
I like to think I'm as good an armchair philosopher as anyone else that
Attacking information processing systems is what I’ve been researching for
the last few years. The only way to create propaganda or implement
deceptions is if you have a model of how the entity processes data. Once
you have that model you can craft information that will force the entity to
respond in the manner you chose. This is the theory anyway. There...
The dream of the LISP machine is alive in the 90ies
Bas Alberts (Feb 15)
I ate some bad chicken last night.
Really it all started a few days ago when I saw a chick-fil-a
commercial about their heart shaped 30pc nugget Valentines day
special. That's where that particular piece of data first entered my
system.
I didn't think much of it at the time.
If you're wondering how I could let delicious chicken trump my ethics
I would counter that, if you're reading this, you are probably an
information...
0days Post
Dave Aitel (Feb 13)
When in the course of human events, it becomes necessary for one person to
communicate information about an unknown vulnerability to the public, they
often do not do so in the manner to which you might expect: With all due
pomp and circumstance, a ringing of the sacred bells, a phone call to Kim
Zetter, and that sort of thing.
Instead, they announce their talk title as "TBD LOL!", put a code fragment
into their Keynote slidepack with...
Re: Static and Dynamic Analysis
Jared DeMott (Feb 13)
We use and have access to a number of both types of tools when we do dev
training and pentesting. We find them fairly useful both for dev and for
red teaming.
Static and Dynamic Analysis
Dave Aitel (Feb 11)
So one thing I often find weird about our industry is how it gets taken
over by marketing language and the utility of entire classes of products
gets clouded over. For example, part of any SDLC is going to be static and
dynamic analysis. However, if you ask a normal security manager what kinds
of bugs these sorts of products find or don't find, and what the false
positive levels are, they find it hard to answer, even assuming they use
them....
Web Hacking and CVSS
Dave Aitel (Feb 06)
A lot of the trainings at INFILTRATE<http://infiltratecon.com/training/> have sold out (and we are going to be sold out
of Tier 2 Tickets soon as well), but one that is not sold out, and yet is my favorite, is the Web Hacking class. The
thing we realized a million years ago when we started doing trainings, is that the only thing that works is hands on
exercises, so the whole class is basically a guided CTF.
This brings me to CVSS. You...
INFILTRATE Talks
Dave Aitel (Jan 28)
We've announced all but one of the INFILTRATE 2019 speakers!
http://infiltratecon.com/speakers/
Probably the hardest question to answer about a CFP I've found is "Why
wasn't this particular great talk chosen?" and I've gotten a few of these
since the announcement letters went out. Part of the answer sometimes is
balance. You don't want an entire conference of Heap Overflows or Fuzzing
or Mobile attacks any of...
Make your stack executable!
Dave Aitel (Jan 25)
So in case you missed it, we announced last week that we've teamed up with
Azeria and Vector35 to do two extra classes at INFILTRATE this year. They
are already filling up, so I wanted to make sure that everyone knew about
them and I didn't have to deal with last minute complaining about lack of
seats. :)
-dave
Modern Meanness
Dave Aitel (Jan 24)
"Every man loves what he is good at", said Thomas Shadwell, poet laureate
of England, a few hundred years ago. Coincidentally, a few years ago I was
on a TF2 server with a different Thomas Shadwell. I actually grew up with
Team Fortress Classic, and then when I had kids I got back into TF2 because
its advanced level of whimsy is oddly addictive, not just to meet British
hackers.
Zoom forward to today and Thomas <https://zemn.me/...
INFILTRATE talk announcement: Marco Ivaldi, The Story of a Solaris 0day
Dave Aitel (Jan 22)
I don't want to talk too much about the talk, but I do want to talk a bit about INFILTRATE and what it was like in the
2000's to be a Unix hacker. Because almost everyone wrote _some_ exploits. These days, the supply chain is as vertical
as a glowworm's saliva lure, and equally sticky. You could specialize in blockchain security and literally never even
venture off the particular...
Bring a question, and sunblock.
Dave Aitel (Jan 14)
https://twitter.com/daveaitel/status/1084837761796980736
Project Zero released about five different bugs today in Windows:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1683
This is my favorite bit:
"""
*Ultimately I warned you after cases 36544 and 37954 that you should be
fixing the root cause of normal users being able to use the Session
Moniker not playing whack-a-mole with COM objects. Of course you didn’t...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
BHIS Sorta Top Used Tools of 2018
John - Black Hills Information Security (Dec 06)
Free Webcast
Hello all,
For our next webcast we will cover some of the core tools we use all the time at Black Hills Information Security.
However, there will be a twist. We will not talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new
(and older) tools we use that fall outside of the standard tools you see in every security book/blog out there.
Basically, we are trying to be edgy and different.
You may want to come...
BHIS Webcast - Tues 10/2 @ 11am MDT
John Strand - Black Hills Information Security (Sep 26)
Hello All,
In this next webcast I want to cover what I am doing with the BHIS Systems team to create a C2/Implant/Malware test
bed. Testing our C2/malware solutions is important because vendors tend to lie or over-hype their capabilities. I will
cross reference some different malware specimens to the MITRE ATT&CK framework and we will cover how you can use these
techniques to test your defensive solutions at both the endpoint and the...
BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT
Sierra - Black Hills Information Security (Aug 29)
Hello!
How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks for all of you who
ventured over to attend!
Ready for another awesome BHIS webcast? Dakota is back and...
Webcast with CJ: Tues 7/24 at 11am
Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...
Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!
CJ, our COO and Head of Sales has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of malware analysis,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with a password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Update Minor Revisions
Microsoft (Dec 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: December 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision
increment:
* CVE-2018-8172
Revision Information:
=====================
- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Nov 14)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 14, 2018
********************************************************************
Summary
=======
The following CVEs and advisory have undergone a minor revision
increment:
* CVE-2018-8454
* CVE-2018-8552
* ADV990001
Revision Information:
=====================
- CVE-2018-8454 | Windows Audio Service...
Microsoft Security Update Minor Revisions
Microsoft (Oct 24)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 24, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8512
Revision Information:
=====================
- CVE-2018-8512 | Microsoft Edge Security Feature Bypass
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 19, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8569
Revision Information:
=====================
- CVE-2018-8569 | Yammer Desktop Application Remote Code Execution
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2010-3190
Revision Information:
=====================
- CVE-2010-3190 | MFC Insecure Library Loading Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8531
Revision Information:
=====================
- CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8292
Revision Information:
=====================
- CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment:
* MS11-025
Revision Information:
=====================
- https://docs.microsoft.com/en-us/security-updates/
SecurityBulletins/2011/ms11-025:...
Microsoft Security Update Summary for October 9, 2018
Microsoft (Oct 09)
********************************************************************
Microsoft Security Update Summary for October 9, 2018
Issued: October 9, 2018
********************************************************************
This summary lists security updates released for October 9, 2018.
Complete information for the October 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Please note the...
Microsoft Security Update Releases
Microsoft (Oct 02)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 2, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-0952
Revision Information:
=====================
- CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 12, 2018
********************************************************************
Security Advisories Released or Updated on September 12, 2018
===================================================================
* Microsoft Security Advisory ADV180022
- Title: Windows Denial of Service Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: September 12, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a minor revision increment:
* CVE-2018-8421
* CVE-2018-8468
Revision Information:
=====================
- CVE-2018-8421 | .NET Framework Remote Code Execution
Vulnerability...
Microsoft Security Update Summary for September 11, 2018
Microsoft (Sep 11)
********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************
This summary lists security updates released for September 11, 2018.
Complete information for the September 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>....
Microsoft Security Update Releases
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-8154
Revision Information:
=====================
- CVE-2018-8154 | Microsoft Exchange Memory Corruption
Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************
Security Advisories Released or Updated on September 11, 2018
===================================================================
* Microsoft Security Advisory ADV180002
- Title: Guidance to mitigate speculative execution...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta-software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Apache Releases Security Update for Apache HTTP Server
US-CERT (Apr 04)
Cybersecurity and Infrastructure Security Agency Logo
National Cyber Awareness System:
Apache Releases Security Update for Apache HTTP Server [
https://www.us-cert.gov/ncas/current-activity/2019/04/04/Apache-Releases-Security-Update-Apache-HTTP-Server ]
04/04/2019 12:48 PM EDT
Original release date: April 04, 2019
The Apache Software Foundation has released Apache HTTP Server version 2.4.39 to address multiple vulnerabilities. An
attacker...
MS-ISAC Releases Security Primer on LockerGoga Ransomware
US-CERT (Apr 01)
National Cyber Awareness System:
MS-ISAC Releases Security Primer on LockerGoga Ransomware [
https://www.us-cert.gov/ncas/current-activity/2019/04/01/MS-ISAC-Releases-Security-Primer-LockerGoga-Ransomware ]
04/01/2019 01:45 PM EDT
Original release date: April 01, 2019
The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released a Security Primer on LockerGoga...
Supply Chain Integrity Month
US-CERT (Apr 01)
National Cyber Awareness System:
Supply Chain Integrity Month [ https://www.us-cert.gov/ncas/current-activity/2019/04/01/Supply-Chain-Integrity-Month ]
04/01/2019 12:21 PM EDT
Original release date: April 01, 2019
April is Supply Chain Integrity Month. The Cybersecurity and Infrastructure Security Agency (CISA), the Office of the
Director of National Intelligence (ODNI), and the...
VMware Releases Security Updates
US-CERT (Mar 29)
National Cyber Awareness System:
VMware Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2019/03/29/VMware-Releases-Security-Updates ] 03/29/2019 12:20 PM EDT
Original release date: March 29, 2019
VMware has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of
these vulnerabilities to take control of an...
Cisco Releases Security Update for Cisco IOS XE
US-CERT (Mar 28)
National Cyber Awareness System:
Cisco Releases Security Update for Cisco IOS XE [
https://www.us-cert.gov/ncas/current-activity/2019/03/28/Cisco-Releases-Security-Update-Cisco-IOS-XE ] 03/28/2019 11:23
AM EDT
Original release date: March 28, 2019
Cisco has released a security update to address a vulnerability in Cisco IOS XE. An attacker could exploit this
vulnerability to obtain...
Cisco Releases Security Updates for Multiple Products
US-CERT (Mar 27)
National Cyber Awareness System:
Cisco Releases Security Updates for Multiple Products [
https://www.us-cert.gov/ncas/current-activity/2019/03/27/Cisco-Releases-Security-Advisories-Multiple-Products ]
03/27/2019 02:02 PM EDT
Original release date: March 27, 2019
Cisco has released several security advisories to address vulnerabilities in multiple Cisco products. A remote attacker
could...
ASUS Releases Security Update for Live Update Software
US-CERT (Mar 26)
National Cyber Awareness System:
ASUS Releases Security Update for Live Update Software [
https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Security-Update-Live-Update-Software ]
03/26/2019 12:15 PM EDT
Original release date: March 26, 2019
ASUS has released Live Update version 3.6.8. This version addresses vulnerabilities that a remote attacker could
exploit to...
Mozilla Releases Security Update for Thunderbird
US-CERT (Mar 25)
National Cyber Awareness System:
Mozilla Releases Security Update for Thunderbird [
https://www.us-cert.gov/ncas/current-activity/2019/03/25/Mozilla-Releases-Security-Update-Thunderbird ] 03/25/2019
08:13 PM EDT
Original release date: March 25, 2019
Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these
vulnerabilities to take...
Apple Releases Multiple Security Updates
US-CERT (Mar 25)
National Cyber Awareness System:
Apple Releases Multiple Security Updates [
https://www.us-cert.gov/ncas/current-activity/2019/03/25/Apple-Releases-Multiple-Security-Updates ] 03/25/2019 08:14 PM
EDT
Original release date: March 25, 2019
Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit
some of these vulnerabilities to...
Mozilla Releases Security Updates for Firefox
US-CERT (Mar 22)
National Cyber Awareness System:
Mozilla Releases Security Updates for Firefox [
https://www.us-cert.gov/ncas/current-activity/2019/03/22/Mozilla-Releases-Security-Updates-Firefox ] 03/22/2019 05:35
PM EDT
Original release date: March 22, 2019
Mozilla has released security updates to address vulnerabilities in Firefox. An attacker could exploit some of these
vulnerabilities to take...
Drupal Releases Security Updates
US-CERT (Mar 20)
National Cyber Awareness System:
Drupal Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2019/03/20/Drupal-Releases-Security-Updates ] 03/20/2019 05:51 PM EDT
Original release date: March 20, 2019
Drupal has released security updates to address a vulnerability in Drupal Core. A remote attacker could exploit this
vulnerability to take control of an affected...
Cisco Releases Security Advisories for Multiple Products
US-CERT (Mar 20)
National Cyber Awareness System:
Cisco Releases Security Advisories for Multiple Products [
https://www.us-cert.gov/ncas/current-activity/2019/03/20/Cisco-Releases-Security-Advisories-Multiple-Products ]
03/20/2019 04:50 PM EDT
Original release date: March 20, 2019
Cisco has released several security advisories to address vulnerabilities in multiple Cisco products. A remote attacker...
Microsoft Ending Support for Windows 7
US-CERT (Mar 19)
National Cyber Awareness System:
Microsoft Ending Support for Windows 7 [
https://www.us-cert.gov/ncas/current-activity/2019/03/19/Microsoft-Ending-Support-Windows-7 ] 03/19/2019 02:14 PM EDT
Original release date: March 19, 2019
All software products have a life-cycle. After January 14, 2020, Microsoft will no longer provide security updates or
support for PCs running the Windows 7...
Mozilla Releases Security Updates for Firefox
US-CERT (Mar 19)
National Cyber Awareness System:
Mozilla Releases Security Updates for Firefox [
https://www.us-cert.gov/ncas/current-activity/2019/03/19/Mozilla-Releases-Security-Updates-Firefox ] 03/19/2019 02:32
PM EDT
Original release date: March 19, 2019
Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit
some of these...
Now Available: Recording of Chinese Malicious Cyber Activity Briefing
US-CERT (Mar 19)
National Cyber Awareness System:
Now Available: Recording of Chinese Malicious Cyber Activity Briefing [
https://www.us-cert.gov/ncas/current-activity/2019/03/19/Now-Available-Recording-Chinese-Malicious-Cyber-Activity-Briefing
] 03/19/2019 01:03 PM EDT
Original release date: March 19, 2019
The Cybersecurity and Infrastructure Security Agency (CISA) has posted the February 14, 2019,...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
XSS in roundup bug tracker 404 page
Hanno Böck (Apr 05)
Hi,
I recently discovered that the Python bug tracker had a trivial
reflected Cross Site Scripting vulnerability on the 404 error page.
It essentially just reflected the URL path, so anything like
http://hostname/<img src=x onerror=alert(1)>
(properly URL-encoded, but browsers do this automatically)
would result in XSS.
The software Python is using here is the Roundup issue tracker; it's
been reported there as well [2] and fixed in...
Linux kernel < 4.8 local generic ASLR bypass for setuid binaries
Federico Manuel Bento (Apr 03)
Hi list,
As far as I know, commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 wasn't
backported to earlier kernels, which fixed a vulnerability (unknown at
the time?) that allows local attackers to derandomize the base address
of .text and stack generically for all setuid binaries. My guess is that
such change was done as a later response to one of Jann Horn's reports
(https://bugs.chromium.org/p/project-zero/issues/detail?id=807)...
Multiple vulnerabilities in Jenkins plugins
Daniel Beck (Apr 03)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:
* Netsparker Cloud Scan Plugin 1.1.6
* Youtrack Plugin 0.7.2
Additionally, these plugins have security vulnerabilities that have been made
public, but have no releases containing a fix yet:
* Amazon SNS Build Notifier Plugin
* Aqua Security...
CVE-2019-3837: RHEL6: memory leak in tcp_recvmsg() with NET_DMA
Vladis Dronov (Apr 03)
Heololo,
It was found that the net_dma code in tcp_recvmsg() in the RHEL6 kernel is
thread-unsafe. So an unprivileged multi-threaded userspace application
calling recvmsg() for the same network socket in parallel executed on
ioatdma-enabled hardware with net_dma enabled can leak the memory,
crash the host leading to a denial-of-service, or cause a random memory
corruption.
This flaw was assigned an id of CVE-2019-3837.
net_dma was disabled in...
CVE-2019-3882: Linux kernel: DoS through vfio/type1 DMA mappings
Vladis Dronov (Apr 03)
Heololo,
A flaw was found in the Linux kernel's vfio interface implementation that permits
violation of the user's locked memory limit. If a device is bound to a vfio driver,
such as vfio-pci, and the local attacker is administratively granted ownership of
the device, it may cause a system memory exhaustion and thus a denial of service (DoS).
CVE-2019-3882 was allocated for this flaw.
References:...
CVE-2019-0220: URL normalization inconsistencies
Daniel Ruggeri (Apr 02)
CVE-2019-0220: URL normalization inconsistencies
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.0 to 2.4.39
Description:
When the path component of a request URL contains multiple consecutive slashes
('/'), directives such as LocationMatch and RewriteRule must account for
duplicates in regular expressions while other aspects of the server's processing
will implicitly collapse them.
Mitigation:...
CVE-2019-0217: mod_auth_digest access control bypass
Daniel Ruggeri (Apr 02)
CVE-2019-0217: mod_auth_digest access control bypass
Severity: important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.0 to 2.4.38
Description:
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition
in mod_auth_digest when running in a threaded server could allow a
user with valid credentials to authenticate using another username,
bypassing configured access control restrictions.
Mitigation:
All httpd...
CVE-2019-0215: mod_ssl access control bypass
Daniel Ruggeri (Apr 02)
CVE-2019-0215: mod_ssl access control bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.27 to 2.4.38
Description:
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a
bug in mod_ssl when using per-location client certificate
verification with TLSv1.3 allowed a client to bypass
configured access control restrictions.
Mitigation:
This issue can be mitigated by disabling the TLSv1.3...
CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts
Daniel Ruggeri (Apr 02)
CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts
Severity: important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.17 to 2.4.38
Description:
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event,
worker or prefork, code executing in less-privileged child processes
or threads (including scripts executed by an in-process scripting
interpreter) could execute arbitrary code with...
CVE-2019-0197: mod_http2, possible crash on late upgrade
Daniel Ruggeri (Apr 02)
CVE-2019-0197: mod_http2, possible crash on late upgrade
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.34 to 2.4.38
Description:
When HTTP/2 was enabled for an http: host or H2Upgrade was enabled for h2
on a https: host, an Upgrade request from http/1.1 to http/2 that was
not the first request on a connection could lead to a misconfiguration
and crash. Servers that never enabled the h2 protocol or only...
CVE-2019-0196: mod_http2, read-after-free on a string compare
Daniel Ruggeri (Apr 02)
CVE-2019-0196: mod_http2, read-after-free on a string compare
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.17 to 2.4.38
Description:
Using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparison when determining the method of a request and
thus process the request incorrectly.
Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.39...
Re: Multiple vulnerabilities in Jenkins plugins
Daniel Beck (Mar 28)
CVE-2019-1003040 (Script Security) and CVE-2019-1003041 (Pipeline: Groovy)
CVE-2019-1003042
CVE-2019-1003043
CVE-2019-1003044
CVE-2019-1003045
CVE-2019-1003047
CVE-2019-1003046
CVE-2019-1003048
CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files
Aki Tuomi (Mar 28)
Dear subscribers,
we're sharing our latest advisory with you and would like to thank
everyone who contributed in finding and solving those vulnerabilities.
Feel free to join our bug bounty programs (open-xchange, dovecot,
powerdns) at HackerOne. Please find patches for v2.2.36 and v2.3.5 attached,
or download new version.
Yours sincerely,
Aki Tuomi
Open-Xchange Oy
Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-2964...
[CVE-2019-0212] Apache HBase REST Server incorrect user authorization
Josh Elser (Mar 27)
CVE-2019-0212: HBase REST Server incorrect user authorization
Description: In all previously released Apache HBase 2.x versions,
authorization was incorrectly applied to users of the HBase REST server.
Requests sent to the HBase REST server were executed with the
permissions of the REST server itself, not with the permissions of the
end-user. This issue is only relevant when HBase is configured with
Kerberos authentication, HBase...
[ANNOUNCE] CVE-2019-0222 - Apache ActiveMQ: Corrupt MQTT frame can cause broker shutdown
Dejan Bosanac (Mar 27)
The following security vulnerability was reported against Apache
ActiveMQ 5.15.8 and older versions.
Please check the following document and see if you’re affected by the issue.
http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
Apache ActiveMQ 5.15.9 has been released with appropriate fixes and is
available for upgrade.
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Update : TargetX vulnerability post
Brian Kelly (Apr 05)
I wanted to update the community regarding my post yesterday.
The CEO of TargetX reached out to me immediately and provided the information below.
We had a great conversation today and he shares the spirit and intent of our Cybersecurity community and the value of
information sharing.
"Yesterday a blog post described an incident where an applicant accessed only his own data through a Salesforce default
page without authorization. Due to...
Re: [EXTERNAL]Re: [SECURITY] Cybersecurity Students
Jessica Murray (Apr 05)
Hi Michael!
+1 for bounty programs with a scope and rules defined. We also have classes that come to us with final project ideas.
BTW, MIT’s bounty is something custom, not using a platform.
Data Protection Officer (DPO)
Dave Broucek (Apr 05)
Almost a year into GDPR being live, I am curious as to how everyone has been handling the assignment of the Data
Protection Officer (DPO) position.
Is there someone specifically designated to handle the role completely and what their position is?
Is there someone designated to handle the role with a team assigned to assist? What position is the DPO and those on
the team?
Committee?
Other?
Regards,
Dave Broucek
Harper College...
Re: Cybersecurity Students
Bob Mahoney (Apr 05)
[Disclaimer: I am no longer at MIT, and am only here as a guest associate, which I appreciate.]
Some time back now, I started and ran MIT’s first Network Security Team. Through need and an appreciation of the
untapped resource, we employed a number of student staff.
This worked out fabulously. “Win-win” doesn’t begin to do it justice.
The relevance to this discussion is that using students served to seed some security awareness out...
Re: [EXTERNAL]Re: [SECURITY] Cybersecurity Students
Michael Duff (Apr 05)
We wanted to keep it simple, so we're just using ServiceNow to accept submissions and a Google spreadsheet to track
status. We modeled our program after MIT's (https://bounty.mit.edu), which I believe is using one of those platforms.
p.s. Recent Today Show segment that mentioned the program:
https://www.today.com/video/college-freshman-getting-paid-to-hack-into-companies-1443781699757
Michael Duff
Chief Information Security...
Re: [EXTERNAL]Re: [SECURITY] Cybersecurity Students
Baillio, Aaron (Apr 05)
Michael,
Are you all leveraging a platform to manage the bounty program, like through Bugcrowd or Hackerone?
I've been playing with this idea and I thought it was interesting.
B. Aaron Baillio, Sec+, CEH, CISSP
University of Oklahoma, Information Technology
Deputy CISO
O: 405-325-7948
C: 254-400-6404
From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael
Duff
Sent: Friday,...
Re: Cybersecurity Students
Michael Duff (Apr 05)
https://bounty.stanford.edu -- rolled it out in January -- very successful thus far! Feel free to reuse anything on
the website.
Michael Duff
Chief Information Security Officer and Interim Chief Privacy Officer
Stanford | University IT
michael.duff () stanford edu
650-721-3111
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Giacobe, Nick
<nxg13 ()...
Re: Cybersecurity Students
Giacobe, Nick (Apr 05)
I think you should have a bug bounty program. However, it should be structured and controlled. Students involved in
it should be vetted. They should be given limited targets - especially on systems that you know are of concern and you
have control to change.
For example, do you want students openly poking at systems that you have no control to change? Do you want them
actively trying to penetrate systems that have confidential data on...
Re: Cybersecurity Students
Giacobe, Nick (Apr 05)
Yes, there are definitely concerns with establishing a culture of freedom to attack the university’s infrastructure in
an unstructured manner.
We’re on the other extreme side of things – where, honestly, students do not get administrative rights to systems that
are connected to the University’s network in any shape or manner. That makes it difficult to teach network and system
administration, except in sandboxed environments. Since...
Re: Cybersecurity Students
Rob Milman (Apr 05)
I've met with our cybersecurity students numerous times and they have always asked the same question, can we practice
on your network? The answer has always been no. This is reinforced by them having to sign a document that outlines the
repercussions for doing so. We do provide them with air-gapped labs so they can attack as hard as they want. Recently
they started asking a new question, would you consider putting up a bug bounty? That...
Re: Cybersecurity Students
Brian Basgen (Apr 05)
Agree with everything that has been said, one more bit that may help you.
When I taught graduate level security courses a couple of years ago, I
built out a virtual environment. I leveraged our IT resources to do it, of
course, and we segregated it, etc.
It was a core part of my curriculum: we have a virtual playground
precisely so that my students can exploit, hack, and investigate within
that environment. In my view, ethics review should be...
Re: Cybersecurity Students
Pete, Andrew (Apr 05)
Thanks for the responses everyone. This has been very beneficial.
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Nicholas
Garigliano
Sent: Friday, April 5, 2019 9:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cybersecurity Students
I guess it depends on how "evaluate the security posture" is defined. If we are talking about reviewing published...
Re: Cybersecurity Students
Nicholas Garigliano (Apr 05)
I guess it depends on how "evaluate the security posture" is defined. If
we are talking about reviewing published policies, doing Shodan research,
going through publicly accessible web sites for information that could be
used against the school etc., then I don't see an issue. If we are
talking about using something like Kali to do a "pentest" or even just
performing a vulnerability assessment using a scanner, i.e....
Re: Cybersecurity Students
Burns, Denis (Apr 05)
Hi Andrew,
I think my take on this question is a little different than some others. Are you asking whether they should be allowed
to test your infrastructure, or are they being asked to evaluate it from an academic methodology?
You have had plenty of responses to the former and I agree wholeheartedly that all such activity should occur in a lab
setting that is isolated from any of your live network.
To the latter, I would caution against...
Re: Cybersecurity Students
Frank Barton (Apr 04)
While I haven't taught any such class, I have been invited in to present to
similar classes. I would agree that you should not allow the students to
actively try to penetrate the school's systems. However, I would make sure
that you have the conversation that "if you do see or find something, let
us know"
It is a delicate balance that you need to strike "You are not permitted to
do this outside of the small, isolated...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Microsoft
Mark Stevens (Apr 05)
Good afternoon,
If a network engineer from Microsoft could contact me offline it would
be great.
Reason: Attacks on an IP on my network, UDP port 20480, from Microsoft
IPs in the USA and the UK.
Thanks
Mark
Centurylink-MSN issue in Dallas area?
Nathanael Catangay Cariaga (Apr 05)
Dear Nanog,
Anyone here having problems with Centurylink and MSN?
I hope there are Centurylink / MSN engineers here who can reach back to me off the
list.
I'm noticing high latency between the 2 in the Dallas area (>180ms).
Regards,
Re: DNS Qtypes and class values are a social construct
Scott Morizot (Apr 05)
Hello Phillip,
I feel like I have to say this, saying stuff like that "#triggered" is
insensitive and as Alfie said, pretty tone deaf.
Some of us live with and are working to better manage PTSD from complex
trauma. I agree with Cynthia and can assure you "triggered" is not a joke
or laughing matter for us.
I also agree with Alfie and Cynthia regarding the original content.
Scott
Re: AS4134/AS4847 - Appear to be hijacking some ip space.
Louie Lee via NANOG (Apr 05)
Hey folks,
I'm on it for solving both immediate issue and long term "fix".
Louie
Re: AS4134/AS4847 - Appear to be hijacking some ip space.
Christopher Morrow (Apr 05)
yes!
ok, cool. This is sort of on my plate, at least from the internal
viz/evangelizing perspective, and I'll go spend time chatting up the
folk in fiber-land.
having a: "See, doing this would prevent this" is helpful.
thanks!
Weekly Routing Table Report
Routing Analysis Role Account (Apr 05)
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.
Daily listings are sent to bgp-stats () lists apnic net
For historical data, please see http://thyme.rand.apnic.net.
If you have any comments please contact Philip Smith <pfsinoz...
Re: AS4134/AS4847 - Appear to be hijacking some ip space.
Jay Borkenhagen (Apr 05)
Hi Chris,
It would be great if the Google Fiber / AS16591 folks could publish a
ROA in ARIN's hosted RPKI authorizing exactly 136.32.0.0/11 to be
originated only in AS16591. That ROA would have addressed this matter
from AS7018's point of view.
In the interim, I have added a temporary whitelist (slurm) entry into
our RPKI caches, causing the AS7018 network to disregard the
more-specific /24s under 136.32.0.0/11.
Good luck....
Re: DNS Qtypes and class values are a social construct
Shawn Ritchie (Apr 05)
Nick Morrison wrote on 4/4/2019 3:31 PM:
I'll third this. And to note that that use of "triggered" is a good way
to figure out that a person should just be ignored overall. Childish and
lacking in empathy. "Ha ha, you CARE about something!" Christ. Grow up.
Re: SFP supplier in Europe?
Radu-Adrian Feurdean (Apr 05)
+1
They ship from the Netherlands, and delivery for France is 1-2 days (because we usually send them orders after 17h00
CET/CEST).
AS4134/AS4847 - Appear to be hijacking some ip space.
Christopher Morrow (Apr 05)
Howdy gentle folks:
It looks like AS4847 - "China Networks Inter-Exchange"
Is taking some time to announce reachability for at least:
136.38.33.0/24
which they ought not, given that this /24 is part of a /11 assigned to
AS16591 (google fiber)... Looking at routeviews data, I see the
following as-paths for this one /24:
$ grep -A1 Refresh /tmp/x | grep 4847
1239 174 4134 4847
3549 3356 174 4134 4847
701 174 4134 4847
4901...
Re: SFP supplier in Europe?
Daniel Melzer (Apr 05)
+1
Best regards,
Daniel
Re: SFP supplier in Europe?
fwessling--- via NANOG (Apr 05)
fs.com for sure
Frederick Wessling (CIO)
Succinct Systems LLC
Cell: +1(561) 571-2799
Office: +1(904) 758-9915 ext. 9925
Fax: +1(904) 758-9987
www.SuccinctSystems.com
Re: DNS Qtypes and class values are a social construct
Nick Morrison (Apr 05)
Completely agree, Alfie.
(And hi, nanog, I'm Nick. Do we do introduction rounds here?)
Nick
Re: DNS Qtypes and class values are a social construct
Cynthia Revström (Apr 05)
Hello Phillip,
I feel like I have to say this, saying stuff like that "#triggered" is
insensitive and as Alfie said, pretty tone deaf.
You are pretty much proving Alfie's point by being like that.
(I am transgender, so I do feel quite strongly about this)
- Cynthia
Re: SFP supplier in Europe?
nanog-isp (Apr 05)
Only short haul is in stock.
Jared
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 31.15
RISKS List Owner (Apr 02)
RISKS-LIST: Risks-Forum Digest Monday 1 April 2019 Volume 31 : Issue 15
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.15>
The current issue can also be...
Risks Digest 31.14
RISKS List Owner (Mar 26)
RISKS-LIST: Risks-Forum Digest Tuesday 26 March 2019 Volume 31 : Issue 14
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.14>
The current issue can also be...
Risks Digest 31.13
RISKS List Owner (Mar 21)
RISKS-LIST: Risks-Forum Digest Thursday 21 March 2019 Volume 31 : Issue 13
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.13>
The current issue can also be...
Risks Digest 31.12
RISKS List Owner (Mar 18)
RISKS-LIST: Risks-Forum Digest Monday 18 March 2019 Volume 31 : Issue 12
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.12>
The current issue can also be...
Risks Digest 31.11
RISKS List Owner (Mar 12)
RISKS-LIST: Risks-Forum Digest Tuesday 12 March 2019 Volume 31 : Issue 11
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.11>
The current issue can also be...
Risks Digest 31.10
RISKS List Owner (Mar 07)
RISKS-LIST: Risks-Forum Digest Thursday 7 March 2019 Volume 31 : Issue 10
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.10>
The current issue can also be...
Risks Digest 31.09
RISKS List Owner (Mar 03)
RISKS-LIST: Risks-Forum Digest Sunday 3 March 2019 Volume 31 : Issue 09
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.09>
The current issue can also be...
Risks Digest 31.08
RISKS List Owner (Feb 26)
RISKS-LIST: Risks-Forum Digest Tuesday 26 February 2019 Volume 31 : Issue 08
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.08>
The current issue can also...
Risks Digest 31.07
RISKS List Owner (Feb 20)
RISKS-LIST: Risks-Forum Digest Wednesday 20 February 2019 Volume 31 : Issue 07
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.07>
The current issue can also...
Risks Digest 31.06
RISKS List Owner (Feb 13)
RISKS-LIST: Risks-Forum Digest Wednesday 13 February 2019 Volume 31 : Issue 06
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.06>
The current issue can also be...
Risks Digest 31.05
RISKS List Owner (Feb 04)
RISKS-LIST: Risks-Forum Digest Monday 4 February 2019 Volume 31 : Issue 05
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.05>
The current issue can also be...
Risks Digest 31.04
RISKS List Owner (Jan 28)
RISKS-LIST: Risks-Forum Digest Monday 28 January 2019 Volume 31 : Issue 04
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.04>
The current issue can also be...
Risks Digest 31.03
RISKS List Owner (Jan 17)
RISKS-LIST: Risks-Forum Digest Thursday 17 January 2019 Volume 31 : Issue 03
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.03>
The current issue can also...
Risks Digest 31.02
RISKS List Owner (Jan 11)
RISKS-LIST: Risks-Forum Digest Friday 11 January 2019 Volume 31 : Issue 02
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.02>
The current issue can also be...
Risks Digest 31.01
RISKS List Owner (Jan 04)
RISKS-LIST: Risks-Forum Digest Friday 4 January 2019 Volume 31 : Issue 01
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.01>
The current issue can also be...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
Michigan medical practice folds after ransomware attack
Destry Winant (Apr 05)
https://www.scmagazine.com/home/security-news/ransomware/michigan-medical-practice-folds-after-ransomware-attack/
A Battle Creek, Mich. medical practice is being forced to shut its
doors after cyberattackers wiped out its files when the firm refused
to pay a ransom.
Brookside ENT and Hearing Center’s Dr. William Scalf told wwmt.com the
center was hit with ransomware which locked up its files and presented
the practice with a $6,500 ransom...
First Fine Imposed by the Polish DPA Under the GDPR
Destry Winant (Apr 05)
https://www.jdsupra.com/legalnews/first-fine-imposed-by-the-polish-dpa-52611/
The President of the Personal Data Protection Office in Poland (Polish
DPA) imposed a fine amounting to PLN 943,470 (approximately EUR
220,000; approximately USD 245,977) for failing to fulfil the
company’s transparency obligations towards over six million data
subjects under Article 14 of Europe’s General Data Protection
Regulation (GDPR).
This is the first fine...
German chemicals giant Bayer victim of year long cyber attack
Destry Winant (Apr 05)
https://techerati.com/news-hub/bayer-cyber-attack-malware-china/
Bayer says no data leaks have been discovered and that investigations
are still ongoing
German chemicals juggernaut Bayer was subject to a sustained cyber
attack lasting for more than a year, according to reports in German
media.
German radio stations Bayerischer Rundfunk (BR) and Norddeutscher
Rundfunk (NDR) said the Winnti hacking group is responsible for the
attack. They claim...
Law Firm Launches $6.5 Million Action Against Ticketmaster Over Data Breach
Destry Winant (Apr 05)
https://www.billboard.com/articles/business/touring/8505737/law-firm-launches-65-million-action-against-ticketmaster-over-data
A British law firm has launched a £5 million ($6.5 million) legal
action against Ticketmaster following last year’s security breach,
which is believed to have affected up to 40,000 U.K. customers.
Widnes-based Hayes Connor Solicitors issued its claim at the High
Court in Liverpool on behalf of over 650 claimants. The...
ONWASA ’99 percent’ back to normal after cyber attack
Destry Winant (Apr 05)
https://www.jdnews.com/news/20190402/onwasa-99-percent-back-to-normal-after-cyber-attack
Onslow Water and Sewer Authority is “99 percent” back to normal
operations, the authority’s director says.
Following a cyber attack last October, when hackers encrypted several
ONWASA systems with ransomware, the organization has been fixing what
was broken and ramping up security measures.
“We are for most places effectively back to normal,”...
Where Do CISOs Belong in an IT Org Chart?
Destry Winant (Apr 05)
https://www.informationweek.com/where-do-cisos-belong-in-an-it-org-chart/d/d-id/1334334
As security breaches continue to impact the bottom lines of major
businesses and institutions around the world, the role of the chief
information security officer (CISO) is taking on new prominence -- and
fueling existing controversies over where responsibility for data
security ultimately lies within the organization.
Typically, the CISO function has...
Servers hacked in Genesee County
Destry Winant (Apr 04)
https://www.wnem.com/news/breaking-servers-hacked-in-gen-co/article_f8c731e0-55a1-11e9-8124-a7aa4508b5b0.html
Servers in Genesee County were hacked.
A very credible source told TV5 that the servers were hacked, but the
extent of information potentially taken off the computer is unknown.
The Genesee County Clerk confirmed that the servers are completely shut down.
County representatives said that the computers were attacked by a...
How financial institutions are risking customer data through insecure mobile apps
Destry Winant (Apr 04)
https://www.techrepublic.com/article/how-financial-institutions-are-risking-customer-data-through-insecure-mobile-apps/
Banks and other financial companies are putting consumer data at risk
by not properly securing their mobile apps, according to a Tuesday
report from Aite Group and Arxan Technologies.
The report discovered several key security flaws among 30 mobile apps
offered by financial institutions. Almost all of the apps researched
could...
540 Million Facebook Records Leaked by Public Amazon S3 Buckets
Destry Winant (Apr 04)
https://www.bleepingcomputer.com/news/security/540-mllion-facebook-records-leaked-by-public-amazon-s3-buckets/
More than 540 million records of Facebook users were exposed by
publicly accessible Amazon S3 buckets used by two third-party apps to
store user data such as plain text app passwords, account names, user
IDs, interests, relationship status, and more.
As discovered by the UpGuard Cyber Risk team, Mexico-based media
company Cultura...
FTC Announces New Cybersecurity Requirements, Privacy Rule Update
Destry Winant (Apr 04)
https://www.jdsupra.com/legalnews/ftc-announces-new-cybersecurity-98009/
In March, the Federal Trade Commission announced proposed updates to
two key privacy and security regulations, the Safeguards Rule and
Privacy Rule. Both rules implement regulations under the federal Gramm
Leach Bliley Act, and the FTC seeks comments for both.
The FTC’s proposed update to the Safeguards Rule would impose a number
of information security requirements...
Few Claims Filed for Post-Data Breach Services
Destry Winant (Apr 04)
https://www.fedweek.com/fedweek/few-claims-filed-for-post-data-breach-services/
In the more than three years since the government started offering
identity protection services and identity theft insurance to those
affected by the breaches of OPM databases, only 61 individuals have
received payouts from insurance claims, averaging about $1,800 per
claim, GAO has found.
GAO said that of the 22 million people—current and former federal...
Arizona Beverages knocked offline by ransomware attack
Inga Goddijn (Apr 03)
https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/
Arizona Beverages, one of the largest beverage suppliers in the U.S., is
recovering after a massive ransomware attack last month, TechCrunch has
learned.
The company, famous for its iced tea beverages, is still rebuilding its
network almost two weeks after the attack hit, wiping hundreds of Windows
computers and servers and effectively shutting down sales operations for
days until...
Indian govt agency left details of millions of pregnant women exposed online
Destry Winant (Apr 03)
https://www.zdnet.com/article/indian-govt-agency-left-details-of-millions-of-pregnant-women-exposed-online/
A database managed by an Indian government healthcare agency was left
connected to the Internet without a password, where it exposed more
than 12.5 million medical records for pregnant women, ZDNet has
learned.
Records go as far back as five years, to 2014, and include detailed
medical information for women who underwent an ultrasound...
Data breach exposes up to 1.3M Georgia Tech faculty, students
Destry Winant (Apr 03)
https://www.ajc.com/news/breaking-news/breaking-data-breach-exposes-georgia-tech-faculty-students/zAUUNWy5hoHQ8bNvMxcsWL/
It sounds a bit ironic: a data breach potentially affecting 1.3
million current and former students, faculty and staff members at
Georgia Tech, the world renowned university with lauded computer
science programs.
But it happened.
The school disclosed the breach, its second in less than a year, on
Tuesday, saying it feared...
Class action lawsuit over cannabis data breach receives 'dozens' of inquiries: lawyer
Destry Winant (Apr 03)
https://calgaryherald.com/news/local-news/class-action-lawsuit-over-cannabis-data-breach-receives-dozens-of-inquiries-lawyer
Since filing a proposed class action lawsuit against Natural Health
Services Ltd. and parent company Sunniva Inc., law firm Diamond and
Diamond has received “dozens” of inquiries.
Darryl Singer, lead counsel on the lawsuit, said his office started to
get calls from people concerned about a data breach of Natural...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
How to improve LUA dissector performance?
David Aldrich (Apr 04)
Hi
I have written a LUA dissector that analyses large packets that consist of
control information and IQ data (complex numbers). Until recently I
displayed the IQ data as a string and performance was fine. However, I now
dissect and display each IQ value and the user has complained of very slow
performance when analysing a large capture set of packets.
I imagined that dissection of the IQ data would only occur when the tree
was expanded to...
Re: Wireless Timeline?
Ross Jacobs (Apr 03)
Better yet, post a link to the capture (google drive/dropbox) so it can be
evaluated.
Re: Wireless Timeline?
Simon Barber via Wireshark-dev (Apr 03)
The timeline will not show up unless hardware timestamps are present for
*all* frames in the capture, and there are no large negative jumps in time.
Where does the capture file you are using come from?
Simon
Re: Bug Report for packet-cip.c dissectors
Guy Harris (Apr 03)
This is probably best reported as a bug on the Wireshark Bugzilla:
http://bugs.wireshark.org/
That makes it easier for others to find the problem (and avoid submitting a duplicate), and provides us with a way to
track the fix process (and find it when generating the release notes if it's fixed in the new release).
Re: Statistical Analysis of pcapng files
Moshe Kaplan (Apr 03)
It may be easiest to extract the pcap data as JSON with: "tshark -r mypcap
-T json"
Moshe
Bug Report for packet-cip.c dissectors
Marc Bommert (Apr 03)
Hello guys,
a "Forward Open Response" CIP response message with a failure CIP status code of 0x1E (CIP_GSR_SERVICE_ERROR) is
interpreted by the dissector with a success reply frame layout. Pretty sure this is wrong. The error response message
structure applies for all error status codes.
This is in line 6850 of master/epan/dissectors/packet-cip.c
- -> if( gen_status == CI_GRC_SUCCESS || gen_status ==...
Wireless Timeline?
Do m (Apr 03)
Greetings...
I came across this:
https://meraki.cisco.com/blog/2019/02/wireshark-where-did-the-time-go/
Running wireshark 3.0 on Win10... can't seem to get the wireless timeline
to show up. Am I missing something obvious (apart from configuring the
dissector preferences to enable the experimental feature?)
Re: Statistical Analysis of pcapng files
Ross Jacobs (Apr 03)
Hi Paul,
It looks like there is a package called crafter
<https://github.com/hrbrmstr/crafter> to work with pcap files, which fits
with extracting/processing. If you are looking for something more you may
want to be more detailed in your use case.
Cheers,
Ross
Statistical Analysis of pcapng files
-0- -1- (Apr 03)
I am a statistician and would like to extract and process Wireshark capture
files with R Statistical language. Before I reinvent yet another wheel, is
anyone aware of code or apps that already do this?
Thanks,
Paul
Re: BinPAC with Wireshark
Guy Harris (Apr 02)
BinPAC++ was renamed to Spicy, and its home appears to be at
http://www.icir.org/hilti/
They link to a paper that speaks of a Wireshark plugin:
We have integrated Spicy into Wireshark by developing a proof-of-concept Wireshark dissector plugin that works
with any Spicy module. Figure 9 shows a screenshot of Spicy’s DNS dissector operating inside Wireshark. At startup, our
plugin compiles Spicy modules just-in-time, and then...
BinPAC with Wireshark
Joey Lord (Apr 02)
Hey everyone!
I was wondering if anyone was successful using BinPAC for doing a Wireshark
dissector? I know Robin Sommer kind of made a wink to the idea where his
tool, BinPAC++ , could perhaps be used for Wireshark (
https://www.zeek.org/brocon2014/brocon2014_sommer_binpac.pdf). Interested
to know your thoughts on the matter.
Cheers!
Joey
Re: Wireshark hosts file location
Jasper Bongertz (Apr 02)
Yes, I tried it again after Chris Maynard said the same thing, and it worked. So it must have been one of those "I did
something wrong even though I was sure I didn't" situations :-)
But the good thing is that Roland is now aware of all this for his planned rewrite of the profile handling code.
Cheers,
Jasper
Re: Wireshark hosts file location
Sake Blok | SYN-bit (Apr 02)
Strange, in Wireshark 2.6.7 on my Mac, I do get resolved names from the "hosts" file in my configuration profile
(after turning on Network layer name resolution). Which is how I expect it to work, just like you :-)
Cheers,
Sake
Re: How to interpret RTT graph
Sake Blok | SYN-bit (Apr 02)
Hi,
I fully agree with Hugo with regards to needing to look at the (individual) packets to be able to explain this
behaviour. There can be tons of reasons.
I do have a hunch though, based on the two graphs. As the packet sizes are mostly below MSS, there might be a
Nagle/DelayedACK issue in this traffic. Nagle would cause segments to not be sent immediately and DelayedACK would
could ACKs after the delayed ack timer expires (usually...
Code signing of plugins on MacOS
Jason Cohen (Apr 01)
I'm only beginning to look at this...
Did something knowingly change with loading plugins on macOS between 2.9.0
and 3.0.0? When I build a plugin with the 2.9.0 source tree, I can copy
the plugin to a system with 2.9.0 installed from the official installer and
it works. If I build the same plugin with the 3.0.0 source, and copy to a
system with 3.0.0 installed from the official installer I get an error
complaining about the code not being...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: how to store snort 2 log in human readable format
Joel Esler (jesler) via Snort-users (Apr 04)
You should look into the -A command line switch at manual.snort.org <http://manual.snort.org/>
Snort Subscriber Rules Update 2019-04-04
Research (Apr 04)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the file-flash,
file-other, file-pdf, indicator-compromise, malware-cnc, os-windows,
server-other and sql rule sets to provide coverage for emerging threats
from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
how to store snort 2 log in human readable format
Divyanshu Banerjee via Snort-users (Apr 04)
Dear member
Have any idea how to store the snort 2.9.12 log into a text file, without
encrypting,
and how to store those logs in one file. The file name should be simple.
thanks and regards
divyanshu
Re: Should I go to Amazon backup my Linux server under Kali Linux Debian server...
Dorian ROSSE via Snort-users (Apr 04)
Now the radio works because I become some files in executing mode :)
From: Dorian ROSSE
Sent: Thursday, April 4, 2019 11:33:43 AM
To: wkitty42 () windstream net; snort-users () lists snort org
Subject: Re: [Snort-users] Should I go to Amazon backup my Linux server under Kali Linux Debian server...
Hello everybody,
I went tout receive this...
Re: Should I go to Amazon backup my Linux server under Kali Linux Debian server...
Dorian ROSSE via Snort-users (Apr 04)
Hello everybody,
I went tout receive this advertising for back up on Amazon by free using,
https://www.facebook.com/1546215762283224/posts/2645803852159985/...
Re: New to Snort
Michael Steele (Apr 03)
Has WinPcap or nPcap been installed?
If not, install…
WINSNORT.com Management Team Member
Re: New to Snort
Blair Sonnek via Snort-users (Apr 03)
I am trying to learn how to unsubscribe from this list. Why won’t unsubscribe work!!? Let me out of here.
Sent from my iPhone
New to Snort
Daniel Acosta via Snort-users (Apr 03)
I am trying to learn how to use Snort and I am having to run this on
Windows 10 due to restrictions.
I have everything working and configured - However...when I run (snort - W)
it shows no adapters available -
I have attached a Snipping attachment to show the error.
When I try and run snort - using the -i 0 command - I get an odd fatal
error - and I believe it's because of the no adapters showing up.
running the command with -T (everything...
(no subject)
Kwame Kankam-Boadu via Snort-users (Apr 03)
confirm
Trang Duong via Snort-sigs (Apr 03)
áddas
Re: Understanding SNORT ID 47649
Alex McDonnell (Apr 03)
Real quick:
content:"|23|_memberAccess"; fast_pattern:only; http_uri:; <- this content
is looking for @_memberAccess, an ognl command, in the URI field of HTTP
traffic.
content:"ognl."; http_uri:; <- this content looks for the first part of an
ognl command in the URI
pcre:"/ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)/Ui";
<- this PCRE looks for the same ognl string followed by some...
Re: Understanding SNORT ID 47649
wkitty42--- via Snort-sigs (Apr 03)
see those two reference lines above? look up the CVE and visit the cwiki site
link...
aside from that, looking at the rule will tell you what the matches are for the
rule... if the traffic made it to your server, the server logs should tell you
exactly what was being looked for...
the only other thing i can think of is to look at the snort.log.xxxxxxxxxxxx
file containing the pcap of the traffic... the pcap will tell you what the
server...
Understanding SNORT ID 47649
Migell Roberts (Apr 03)
I've been looking in the snort manual for an explanation on SID 47649 below and unfortunately, I can't find what I need:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
msg:"SERVER-WEBAPP Apache Struts remote code execution attempt";
flow:to_server;
content:"|23|_memberAccess";
fast_pattern:only;
http_uri:;...
Re: help! help!:how to use reload_policy and reload_module in snort shell ? I have tried failed.
Nihal Desai (nihdesai) via Snort-users (Apr 03)
Hello:
Thank you for reporting the issues.
We’re looking into it.
Thanks!
Re: What is SO rule actually?
Russ via Snort-devel (Apr 03)
Checkout the updated example in the snort3_demo repo on github now:
tests/ips_actions/so_and_soid/. That has a contrived but more complete
implementation based on content matching and use of the Cursor and
FlowData. The test.bats shows all the steps you need to implement your
own: generate the include, compile, link the so, dump the stub, and
then run using stub and so. Hope that helps.
Russ
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.