SecLists.Org Security Mailing List Archive

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe to nmap-dev here.

• Previous Quarter
• Archived Posts
• RSS Feed
• About List
• nmap-devLatest Posts

Re: .NET Wrapper for Npcap Verde Denim (Jun 11)
Stop

.NET Wrapper for Npcap Altaffer, Steven via dev (Jun 11)
Not sure if this is off topic, Npcap took me to this mail list.

We developed a Visual C# app using Winpcap and PcapDotNet v1.0.4 wrapper to allow integrating into the C# project. I
have performed several searches for the equivalent wrapper or C++/CLI project for Npcap with no luck. If someone knows
of one out there, I would appreciate a link.

Thanks

Steve Altaffer - Donatech Corp

Issue with ssh2-enum-algos? Frank Bergmann (Jun 08)
Hi,

while playing around with the ssh protocol I noticed that ssh2-enum-algos
lists different algorithms for kex_algorithms, encryption_algorithms and
mac_algorithms than what I get from the same ssh server.

I also made a test with ssh itself for encryption_algorithms and it did show
up exactly the same list like I get with my own tool.
ssh2-enum-algos shows also aes256-cbc which doesn't appear in my tool and in
ssh client:

$...

Windows 10/11: Ncat: A message sent on a datagram socket was larger than the internal message buffer ... Ken Kayser (Feb 20)
*Describe the bug*
When listening to a port with ncat, as soon as a UDP packet is received, I
receive a constant stream of errors with the following text: "Ncat: A
message sent on a datagram socket was larger than the internal message
buffer or some other network limit, or the buffer used to receive a
datagram into was smaller than the datagram itself. ."

*To Reproduce*

1. In either a Windows command line or Powershell I enter...

Reverse DNS (issue #3007) Matteo Nicoli (Feb 13)
Hi all,

I noticed a cool feature proposal on GitHub (issue 3007 <https://github.com/nmap/nmap/issues/3007>). It basically
suggests a new feature for returning the (complete) list of DNS records obtained — through reverse DNS lookups — from
an IP address. If it matches with the map product roadmap, I’d like to start implementing it. Is there some maintainer
who could give me a brief feedback about it?

Cheers,
Matteo

Re: Mail stoppage Gordon Fyodor Lyon (Feb 12)
Yes, this was my fault. Mail to the Nmap dev list from non-subscribers
goes through moderation to keep out the spam. I regularly go through the
moderation queue to find and approve the "real" messages, but I was a bit
slow this time. We strongly recommend that folks posting to the list first
subscribe to it. This avoids the moderation delay and prevents them from
missing any responses which might only be sent to the list.

Cheers,...

Mail stoppage Dave Close (Feb 12)
Several messages received today seem to have been stuck on nmap.org for
up to a month. Example (edited for clarity):

Version: 7.94+SVN TypeError: Couldn't find foreign struct converter for 'cairo.Context' Hendrick Halim (Feb 12)
Version: 7.94+SVN
TypeError: Couldn't find foreign struct converter for 'cairo.Context'

topology tab crash Genny and Doug Kent (Feb 12)
zenmap crashes when topology tab clicked.

Output message below

Version: 7.94+SVN
TypeError: Couldn't find foreign struct converter for 'cairo.Context'

Doug Kent

PR #2954, Fix out of bounds reads in packet parsing Domen Puncer Kugler via dev (Feb 12)
Hi,

I've submitted a pull request a few months ago:
https://github.com/nmap/nmap/pull/2954

The PR includes following three commits:
- Fix out of bounds read in HopByHopHeader::validate
- Fix out of bounds read in PacketParser::split
- Add AFL test code for PacketParser

This was found as a part of a short Hackathon at NCC Group.
As far as I can tell, there is no security impact, but it would still be nice
to see this fixed.

Kind regards

High-Priority HTML Parsing script astrotoki via dev (Feb 12)
Hello,

I noticed that under the high priority script ideas was the need for a library that parses HTML info from sites. I
wrote a script that uses a web crawler and extracts html info from attached pages and accompanying urls within the html
body. Let me know if this is what yall were after?

Thanks!
Ryan LaPierre <Astro>_______________________________________________
Sent through the dev mailing list...

URL Pathfinder astrotoki via dev (Feb 12)
Hello all!

I just wrote up another script, trying to practice and maybe have some added to the master list for nmap. This script
enumerates possible hidden path extensions on urls. As always, Id love input on it, changes or updates.

Thanks all!
Ryan LaPierre <Astro>_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

Null Byte Poisoning NSE astrotoki via dev (Feb 12)
Here is my submission of a script I wrote that should test a site for null byte poisoning vulnerabilities._______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

Re: First Go astrotoki via dev (Feb 12)
Here is an updated version with more XSS patterns integrated into it. As well as some clean up!

I also created a separate .lua with just the http crawler function.

Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

First Go astrotoki via dev (Feb 12)
Hello!,

I just started learning Lua for writing NSEs and had a go at a HTTP crawler that identifies XSS vulnerabilities on
sites. I used Juice-Shop OWASP to confirm it works. (Thats why the source code uses port 3000 in addition to 80) Id
love feedback! Doing my best to learn as much as I can. I attached the http_xss_crawler.nse below!

PS. I had used ChatGPTo1 and Github CoPilot to aid in debugging and syntax issues. The overall code is my...

Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe to stay informed.

• Current Year
• Archived Posts
• RSS Feed
• About List
• nmap-announceLatest Posts

Npcap Version 1.82 Released with VLAN Tagging and More Gordon Fyodor Lyon (Apr 28)
Dear Nmap Community,

In preparation for an imminent Nmap release (hopefully this week!), we have
released Version 1.82 of our Npcap Windows packet capture and transmission
driver. It builds upon the recent 1.81 release to add support for VLAN
tagging. This allows you to select for packets directed to a certain VLAN
or just inspect the VLAN headers on any packets received. It's especially
useful for Wireshark users. You can also now send...

Nmap 7.95 released: OS and service detection signatures galore! Gordon Fyodor Lyon (May 05)
Dear Nmap Community,

I just arrived in San Francisco for the RSA conference and am delighted to
announce our Nmap Version 7.95 release! I'm most excited that we finally
tackled our backlog of OS and service detection fingerprint submissions.
We're not talking about dozens or hundreds of them-we processed more than
6,500 fingerprints!

For OS detection, we added 336 signatures, bringing the new total to 6,036.
Additions include iOS 15...

Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

• Current Month
• Archived Posts
• RSS Feed
• About List
• fulldisclosureLatest Posts

Multi-Protocol Traceroute Usman Saeed via Fulldisclosure (Aug 18)
#!/usr/bin/env python3
"""
Adaptive Multi-Protocol Traceroute

Author: Usman Saeed
email: u () defzero net<mailto:u () defzero net>
Website: www.defzero.net<http://www.defzero.net>

Description:
This script is a TTL-based path mapper that reveals routes even when classic traceroute is
filtered. The idea was that it would run in passes: first a conventional trace (ICMP Echo and
rotating TCP SYN ports) to capture the...

SEC Consult SA-20250728-0 :: Stored Cross-Site-Scripting in Optimizely Episerver CMS SEC Consult Vulnerability Lab via Fulldisclosure (Aug 18)
Confidentiality class: Internal & Partner

SEC Consult Vulnerability Lab Security Advisory < publishing date 20250728-0 >
=======================================================================
title: Multiple Stored Cross-Site Scripting Vulnerabilities
product: Optimizely Episerver Content Management System (EPiServer.CMS.Core)
vulnerable version: Version 11.X: <11.21.4
Version 12.X:...

SEC Consult SA-20250807-0 :: Race Condition in Shopware Voucher Submission SEC Consult Vulnerability Lab via Fulldisclosure (Aug 18)
Confidentiality class: Internal & Partner

SEC Consult Vulnerability Lab Security Advisory < publishing date 20250807-0 >
=======================================================================
title: Race Condition in Shopware Voucher Submission
product: Shopware 6
vulnerable version: v6.6.10.4
fixed version: No fixed version available yet
CVE number: CVE-2025-7954
impact: medium...

Insufficient Resource Allocation Limits in nopCommerce v4.10 and v4.80.3 Excel Import Functionality Ron E (Aug 18)
nopCommerce is vulnerable to Insufficient Resource Allocation Limits when
handling large Excel file imports. Although the application provides a
warning message recommending that users avoid importing more than 500–1,000
records at once due to memory constraints, the system does not enforce hard
limits on file size, record count, or concurrent imports.

An attacker can exploit this by uploading excessively large Excel files or
automating...

CSV Injection in nopcommerce v4.10 and 4.80.3 Ron E (Aug 18)
nopCommerce versions v4.10 and v4.80.3 are vulnerable to *C*SV Injection
(Formula Injection) when exporting data to CSV. The application does not
properly sanitize user-supplied input before including it in CSV export
files.

An attacker can inject malicious spreadsheet formulas into fields that will
later be exported (for example, order details, product names, or customer
information). When the exported file is opened in spreadsheet software...

Insufficient Session Cookie Invalidation in nopCommerce v4.10 and 4.80.3 Ron E (Aug 18)
nopCommerce v4.10 and 4.80.3 is vulnerable to Insufficient Invalidation of
Session Cookies. The application does not properly invalidate or expire
authentication cookies after logout or session termination.

An attacker who obtains a valid session cookie (e.g., via network
interception, XSS, or system compromise) can continue to use the cookie to
access privileged endpoints (such as /Admin) even after the legitimate user
has logged out. This flaw...

Session Fixation Vulnerability in iDempiere WebUI v 12.0.0.202508171158 Ron E (Aug 18)
The application does not issue a new session identifier (JSESSIONID) after
successful authentication. An attacker who can set or predict a victim’s
session ID prior to login may hijack the victim’s authenticated session
once they log in, resulting in full account takeover.

POST /webui HTTP/2

Host: <host>

Cookie: JSESSIONID=node01***.node0;

CSV Injection in iDempiere WebUI 12.0.0.202508171158 Ron E (Aug 18)
A CSV Injection vulnerability exists in iDempiere WebUI
v12.0.0.202508171158. The application fails to properly sanitize
user-supplied input before including it in exported CSV files. An
authenticated attacker can inject malicious spreadsheet formulas
(e.g., =cmd|'/C
notepad'!A1) into fields that are later exported. When the CSV is opened in
spreadsheet software such as Microsoft Excel or LibreOffice Calc, the
injected formula is...

liblcf v0.8.1 liblcf/lcf2xml: Untrusted LCF data triggers uncaught std::length_error via negative vector resize (DoS) Ron E (Aug 18)
lcf2xml (part of liblcf) aborts when parsing specially crafted RPG Maker
2000/2003 files that supply a negative element count for vectors of
structured records. The generic reader:

template <class S>

void Struct<S>::ReadLcf(std::vector<S>& vec, LcfReader& stream) {

int count = stream.ReadInt();

vec.resize(count); // <— negative -> huge size_t -> throws
length_error

for (int i = 0; i...

liblcf v0.8.1 Integer Overflow in liblcf `ReadInt()` Leads to Out-of-Bounds Reads and Denial of Service Ron E (Aug 18)
A crafted RPG Maker save file (`.lsd`) can trigger an integer overflow in
liblcf’s lcfstrings compressed integer decoding logic
(`LcfReader::ReadInt()`), resulting in an unbounded shift and accumulation
loop. The overflowed value is later used in buffer size allocations and
structure parsing, causing large memory access requests and parsing errors.

*Steps to Reproduce*

1. Use the attached `.lsd` file (see PoC section).

2. Run: `./lcfstrings...

Piciorgros TMO-100: Unauthorized configuration change via TFTP (CVE-2025-29617) Georg Lukas (Aug 18)
<PDF advisory:
https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_TFTP_en.pdf >

Classification
--------------

- CWE-306: Missing Authentication for Critical Function

- CWE-940: Improper Verification of Source of a Communication Channel

- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

- CVSS 4.0 Score: 8.4 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:N/SA:H

- CVSS 3.1 Score: 8.3...

Piciorgros TMO-100: Unauthorized log data access Georg Lukas (Aug 18)
PDF advisory: https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_IP-Logger_en.pdf

Classification
--------------

- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

- CVSS 4.0 Score: 5.3 / Medium
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

- CVSS 3.1 Score: 4.3 / Medium
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected systems
----------------

- Piciorgros TMO-100 V3/V4 with software version...

[tool] CRSprober Jozef Sudolsky (Aug 18)
Dear community,

I’d like to share a small tool I’ve recently released - CRSprober.

This utility is designed to remotely detect the version of the OWASP
CRS as well as the configured paranoia level on a target protected by
ModSecurity + CRS.

It works by sending specific payloads and analyzing the WAF's
responses to determine this information. This can be useful for
testing, research, or verification purposes, especially when...

iOS 18.6 - Undocumented TCC Access to Multiple Privacy Domains via preflight=yes josephgoyd via Fulldisclosure (Aug 18)
TITLE: Undocumented TCC Access to Multiple Privacy Domains via 'preflight=yes' in iOS 18.6
AUTHOR: Joseph Goydish II
DISCOVERY DATE: 2025-08-13
DEVICE: iPhone 14 Pro Max
OS VERSION: iOS 18.6 (non-jailbroken, stock)
SEVERITY: High
ACCESS: USB debugging or local log access
IMPACT: Silent, undocumented system access to sensitive user data across multiple TCC domains...

Kigen eUICC issue (custom backdoor vs. FW update bug) Security Explorations (Aug 12)
Dear All,

On Jul 28, 2025 we provided Kigen with a report describing new security
issue potentially affecting company's eUICC cards. We did it regardless
of Kigen refusal to provide us with patches / patching instructions, so
that we could verify the content / quality of the fixes released by the
company for previously reported JavaCard issues [1] (more on that and
patching formula proposed by the company can be found on eSIM project...

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

• Archived Posts
• RSS Feed
• About List

Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.

• Archived Posts
• RSS Feed
• About List

Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

• Archived Posts
• RSS Feed
• About List

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

• Archived Posts
• RSS Feed
• About List

Firewall Wizards — Tips and tricks for firewall administrators

• Archived Posts
• RSS Feed
• About List

IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list

• Archived Posts
• RSS Feed
• About List

Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.

• Archived Posts
• RSS Feed
• About List

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

• Previous Quarter
• Archived Posts
• RSS Feed
• About List
• dailydaveLatest Posts

On becoming a carpenter Dave Aitel via Dailydave (Jun 12)
[image: image.png]

Every so often I poke my head out, gopher-like, from the tunnels where I am
furiously vibe-coding, or as it's going to be known a couple years from
now, coding. I think it's probably true that coding used to be a high
octane sport for concentration freaks as deep in the zone as a sperm whale
hunting giant squid by listening to the faint echoes of pings off squishy
bodies leagues away. But coding is now a juggling...

Re: Typey typey Jordan Wiens via Dailydave (May 30)
Worth pointing out that the RE//verse videos are also online though I don't
think we advertised it super well:

https://www.youtube.com/watch?v=yzcNJn_EOwg&list=PLBKkldXXZQhAW5QKjUQOUWaMAHAxDtgio

Typey typey Dave Aitel via Dailydave (May 27)
https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-information-professionals-activity-7331470514927865856-
<https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-information-professionals-activity-7331470514927865856-yRnO>
yRnO

So I wanted to point this contracting gig out because I think it's a good
opportunity for someone who can do quick vulnerability triage and either
replicate or disprove that...

Announcing the Parity Release of Volatility 3 and the Deprecation of Volatility 2 Andrew Case via Dailydave (May 27)
The Volatility Team is very excited to announce the official Parity
Release of Volatility 3!

This release is not only capable of fully replacing all of Volatility
2’s features, but it also incorporates support for all the latest
operating system versions plus all the latest memory forensics
research.

With this release, Volatility 2 is now deprecated, and its GitHub
project has been archived.

Our announcement blog post details the new...

Re: Typey typey Dave Aitel via Dailydave (May 27)
https://www.linkedin.com/jobs/view/4233405535/

I am bad at links it seems ? Anyways, clicky clicky assuming you are the
type of person who uses Binja for fun and maybe a little bit of profit.

Also here is the OffensiveCon25 Youtube List - it's amazing to me they
managed to get these out so soon.
https://youtu.be/kF31SYIVob8?si=QWPps_--UsILr0mR

-dave

OpenAI Security Research Dave Aitel via Dailydave (Mar 28)
So a few things:
1. https://openai.com/index/security-on-the-path-to-agi/ I feel like this
blog is worth reading. :)
2. We're throwing a post-RSAC conference in SanFran to talk about AI and
Security (in particular, securing cybery things with AI) and if I'm very
lucky I'll even get to do a quick demo of the software I've been working
on, not that it will surprise anyone on this list! We have a few tickets
left I think and if...

Re: Cyber Reasoning Systems A K via Dailydave (Mar 28)
Have you already reviewed https://github.com/open-crs ?

Cyber Reasoning Systems Dave Aitel via Dailydave (Mar 04)
I continue to believe there are a lot of interesting questions around
building cyber reasoning systems for vuln finding. Even the very basics
seem hard to study and understand, and the eval datasets available
are....sparse or incomplete. For example, what you really want if you're
analyzing git repos is the commit a bug was introduced, and the commit it
was fixed. But usually you get "a commit where it maybe existed".

Likewise,...

on your child going to college in Christchurch, NZ and velvet worms Dave Aitel via Dailydave (Feb 11)
*on your child going to college in Christchurch, NZ and velvet worms*

By mid‑August the garden already practices absence — stems turning hollow,
the robin leaving its notes hanging in the air like torn corners of a song.
Under the chirp of palmetto bugs, a log eases itself back into earth.
Inside, hidden from the light, a velvet worm does the impossible: offers
herself to a spill of pale, blind threads. For days she is nothing but
hunger...

Re: (the root of the root and the bud of the bud) Sean Heelan via Dailydave (Jan 13)
As it happens, I’ve found the most effective way to use LLMs is to de-anthropomorphise them entirely and treat them
very like fuzzers (large scale generation of results, lots of false positives/nonsense, filtered by some oracle).

The “conversation with an AI” approach where you imagine yourself as having a single artificial brain to interact with
is (currently at least) practically far less useful than one in which you are content with...

Anthropological "Hacker" Map A K via Dailydave (Jan 13)
Hi all,

In the latest "Security Weekly" (https://www.youtube.com/watch?v=CXefYdEGW04
)
they present the Anthropological "Hacker" Map
https://wherewarlocksstayuplate.com/map/

While the map is incomplete (how can it ever be complete?), I think it is
one of the few times, outside of David Aitel's writings about the cross-cut
between the "underground" (for a lack of a better term) and subsequent
commercial...

Re: (the root of the root and the bud of the bud) Don A. Bailey via Dailydave (Jan 12)
I designed one of the first working fuzzers (albeit unintentionally) back
in the late 90's. I don't remember if I published it, but I still have the
code. It, however, worked - badly - but it worked. I was heavily flamed,
however, because as you stated - it was not hip. It only attacked
environment variable and command-line argument based vulnerabilities. But,
in the 90's and early 00's, we had no shortage of local suid-based...

Re: (the root of the root and the bud of the bud) Thomas Dullien via Dailydave (Jan 12)
Hey,

I have one quibble: We are using "reasoning" in a qualitative, not
descriptive, form here -- "fuzzing is or is not reasoning", "LLMs reason or
do not reason". I am not sure this is helpful. Fuzzing is empirically
successful at finding crashes. Somebody that needs to light a fire and
smashes two stones together until they throw sparks does not, once the fire
burns, need to justify that 'stones perform...

Re: (the root of the root and the bud of the bud) Darren Bounds via Dailydave (Jan 12)
Everything old is new and the way we reason is the same way LLMs reason. It's
not about looking for the same problem the same way it's about going to
searching for that flaw the same way with unlimited (nearly) resources.

Traditional human-led vulnerability research and discovery is, today, a short
lived venture.

Things will change very rapidly over the coming 24 months.

Memories and thoughts are the same thing, someone tried to...

(the root of the root and the bud of the bud) Dave Aitel via Dailydave (Jan 11)
Memories and thoughts are the same thing, someone tried to explain to me
recently. You have to think to remember, in other words. This is hard to
grasp for a lot of people because they *think *they have *memories*. They
wrongly think memory is a noun instead of a verb, which is ok in philosophy
and psychology but in cutting edge computer science we have to be precise
about these sorts of things.

Twenty-five years ago, when I first started...

PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.

• Archived Posts
• RSS Feed
• About List

Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.

• Archived Posts
• RSS Feed
• About List

Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.

• Archived Posts
• RSS Feed
• About List

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

• Archived Posts
• RSS Feed
• About List

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.

• Archived Posts
• RSS Feed
• About List
• certLatest Posts

Apple Releases Security Updates for Multiple Products CISA (Mar 28)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated and is now available.

Apple Releases Security Updates for Multiple Products [
https://www.cisa.gov/news-events/alerts/2023/03/28/apple-releases-security-updates-multiple-products ] 03/28/2023 01:00
PM EDT

Apple...

CISA Releases Six Industrial Control Systems Advisories CISA (Mar 23)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA Releases Six Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/23/cisa-releases-six-industrial-control-systems-advisories ] 03/23/2023
08:00 AM EDT...

CISA Releases Eight Industrial Control Systems Advisories CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA Releases Eight Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/21/cisa-releases-eight-industrial-control-systems-advisories ]
03/21/2023 08:00 AM...

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management [...

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• oss-secLatest Posts

libssh2 Base64 Encoding Heap Overflow in Known Hosts SHA1 Hash Processing Dhiraj Mishra (Aug 26)
*Summary:*

I've successfully created a libFuzzer harness targeting the
libssh2_knownhost_readline() API, used for parsing SSH known_hosts files.
The fuzzer discovered a heap buffer overflow vulnerability in the
_libssh2_base64_encode() function when processing malformed hashed hostname
entries.

*minimal_poc.c:*

#include <stdio.h>
#include <string.h>
#include "libssh2.h"

int main() {

const char *evil =...

CVE-2025-43023 in HPLIP for Use of 1024-bit DSA Key Alan Coopersmith (Aug 22)
CVE-2025-43023 is a bit of an odd vulnerability.

https://support.hp.com/us-en/document/ish_12804224-12804228-16/hpsbpi04033
says:

HP Linux Imaging and Printing Software - Use of DSA Key

A potential security vulnerability has been identified in the HP Linux Imaging
and Printing Software documentation. This potential vulnerability is due to
the use of a weak code signing key, Digital Signature Algorithm (DSA)....

CVE-2025-54813: Apache Log4cxx: Improper escaping with JSONLayout Piotr Karwasz (Aug 22)
Severity: moderate

Affected versions:

- Apache Log4cxx 0.11.0 before 1.5.0

Description:

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.

When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain
non-printable characters, these will be passed along in the message and written out as part of the JSON message. This
may prevent applications that consume these...

CVE-2025-54812: Apache Log4cxx: Improper HTML escaping in HTMLLayout Piotr Karwasz (Aug 22)
Severity: low

Affected versions:

- Apache Log4cxx before 1.5.0

Description:

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.

When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file.
If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript
in order to hide information from logs or steal data from the user.
In order to...

CVE-2024-48988: Apache StreamPark: SQL injection vulnerability Huajie Wang (Aug 22)
Severity: low

Affected versions:

- Apache StreamPark 2.1.4 before 2.1.6

Description:

SQL Injection vulnerability in Apache StreamPark.

This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.

Users are recommended to upgrade to version 2.1.6, which fixes the issue.

This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven
artifacts.
It can only be exploited after a user has...

Re: CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA Hanno Böck (Aug 20)
Probably this commit:
https://github.com/apache/tika/commit/bfee6d5569fe9197c4ea947a96e212825184ca33

I recently looked into XXE vulnerabilities, and I believe this is
primarily a vulnerabiltiy in Java's standard library, not in any
single piece of software. I also consider it to be a flaw in the XML
spec itself.

XXE vulnerabilities are a well-known problem, and overwhelmingly, XML
libraries and APIs have adopted safer defaults, which is...

Re: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames Nick Tait (Aug 20)
One more was published today:

- Jetty - CVE-2025-5115

https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

----------

Jetty's Team Notes

CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA Tim Allison (Aug 20)
Severity: critical

Affected versions:

- Apache Tika PDF parser module (org.apache.tika:tika-parser-pdf-module) 1.13 through 3.2.1

Description:

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms
allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may
be able to read sensitive data or trigger malicious requests to...

CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA Tim Allison (Aug 20)
Severity: critical

Affected versions:

- Apache Tika PDF parser module
(org.apache.tika:tika-parser-pdf-module) 1.13 through 3.2.1

Description:

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika
1.13 through and including 3.2.1 on all platforms allows an attacker
to carry out XML External Entity injection via a crafted XFA file
inside of a PDF. An attacker may be able to read sensitive data or
trigger malicious requests to...

Security pre-notification policy for vLLM project Huzaifa Sidhpurwala (Aug 19)
Hello all,

The vLLM project has introduced a security pre-notification policy.
Details are available at:
https://github.com/vllm-project/vllm/blob/main/SECURITY.md

Currently this is open only to open source operating system distributors.

Re: Question about (in)security of fdk-aac-free in linux distros Demi Marie Obenour (Aug 19)
Is it worthwhile for distros to even try to ship an unencumbered AAC decoder,
or should they leave multimedia support to third-party platforms that can
freely ship full codecs? With Flathub that is much more feasible than it
used to be.

Re: Question about (in)security of fdk-aac-free in linux distros Martin Storsjö (Aug 19)
Not sure about what to recommend. From what has been shared, fdk-aac-free
does indeed seem insecure and/or hard to maintain.

If someone has time to invest in it, it could be fixable by trying to
recreate the transformation from fdk-aac to fdk-aac-free in the form of a
small patchset that can be rebased, or a script, ripping out the unwanted
parts. Unfortunately, going forward with newer versions of fdk-aac, there
can be more new algorithms...

Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) Ali Polatel (Aug 19)
You may also consider the syd sandbox for an unprivileged, per-process solution
which has filename limitations since version 3.17.4, see:
https://man.exherbo.org/syd.7.html#Enhanced_Path_Integrity_Measures

I noticed syd's implementation, which is largely based on Safename LSM of Mr. Wheeler (huge thanks!),
does not include any checks for Unicode space characters. I'll look into improving that.
Thank you very much for the idea!

Best,...

Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) Simon McVittie (Aug 19)
If it isn't a core kernel enhancement like
/proc/sys/fs/protected_symlinks, then it would be better to have this as
a new LSM, or perhaps extend an existing "small" LSM like Yama.

Only one "big" LSM (with labelling) can be active at a time, so loading
AppArmor excludes SELinux and vice versa, meaning that each distro has
to choose whether they will have SELinux, AppArmor, Smack or none of
those by default. Lifting...

Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) Jacob Bachmeyer (Aug 18)
My understanding is that POSIX allows almost any syscall to return EPERM.

If you do that, please make absolutely certain that any processes
running from files that would be hidden (and therefore blocked from
exec(2)) are killed when the policy becomes effective.  I once (years
ago) cleaned out a backdoor that was named 'syslogd ' (with the trailing
space).  (Clever, except that the real syslogd does not open a raw
socket and...

Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.

• Archived Posts
• RSS Feed
• About List

Educause Security Discussion — Securing networks and computers in an academic environment.

• Archived Posts
• RSS Feed
• About List

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

• Current Month
• Archived Posts
• RSS Feed
• About List
• nanogLatest Posts

Re: Digital Element, Neustar (Transunion) & ipinsight.io) Jon Lewis via NANOG (Aug 26)
I did mention the policy had since changed, and that [with IPv4 runout] it
was largely moot at this point. But, the last time I started the process
of requesting an additional allocation, we got bit by the old policy
(which was, IIRC, not explicitly stated anywhere in the NRPM) as $work was
a CDN with global footprint and had infrastructure in regions served by
ARIN, RIPE, APNIC, and Registro.br/NIC.br, and had used ARIN IPs all
around the...

Re: Digital Element, Neustar (Transunion) & ipinsight.io) John Sweeting via NANOG (Aug 26)
ARIN’s current Out of Region policy can be found in Section 9 of the ARIN Number Resource Policy Manual, see
https://www.arin.net/participate/policy/nrpm/#9-out-of-region-use
From: Jon Lewis via NANOG <nanog () lists nanog org>
Date: August 25, 2025 at 11:36:59 AM EDT
To: David Conrad via NANOG <nanog () lists nanog org>
Cc: Jon Lewis <jlewis () lewis org>
Subject: Re: Digital Element, Neustar (Transunion) &...

Re: Re[2]: Where else do you hangout? michael brooks - ESC via NANOG (Aug 26)
This.

I may not speak much, but I lurk and learn, a lot (moreso, I now know much
more the amount of things I do not know ...). However, when I do speak,
responses are respectful, and even if the comment is, I am not made to feel
"stupid." I like the mailing list, it suits me well. There may be other
"better" platforms, but this one just works.

michael brooks
Network/Systems Administrator IV
Adams 12 Five Star Schools...

Re: Re[2]: Where else do you hangout? Saku Ytti via NANOG (Aug 25)
I got the same feeling from stack exchange networking and stopped
using it entirely after a few moments of active use. Gamifying aspects
is problematic, because people are often competitive and if you need
help you are almost certainly not well equipped to evaluate competency
of an answer but you have to rely on some attribute substitution.
Particularly nasty aspect of gamification is that people who have high
scores might be incentivized to...

RE: Digital Element, Neustar (Transunion) & ipinsight.io Tony Patti via NANOG (Aug 25)
Hi Jon,

My statement is based on the Netflix message which I received on July 25,
2025 stating:
"Your device [which is one of my desktop PC's at home] isn't part of the
NETFLIX HOUSEHOLD [my emphasis] for this account."
Which is followed by the second statement:
"Did we get it wrong? Watch temporarily until you're back ON YOUR NETFLIX
HOUSEHOLD WI-FI [my emphasis] or sign out".

Clearly, the statement...

Re: Digital Element, Neustar (Transunion) & ipinsight.io David Conrad via NANOG (Aug 25)
Jon,

RIRs behaved differently (adding to the confusion).

Historically, the definition of geographic location for address blocks in the context of RIRs frequently devolved to
the location of an organization’s headquarters, not where addresses were actually used. Worse, at least from the
perspective of the routing system, in the very earliest days, multi-nationals were supposed to go to the RIR where
their headquarters were, even if the...

Re[2]: Where else do you hangout? 7riw77--- via NANOG (Aug 25)
I tried this for a bit ... it was largely a matter of people trying to
get "upvotes" rather than reasoned conversation, and newcomers were
actively discouraged from speaking.

I figured it would be another space I could contribute, particularly to
newb's, but I dropped out after a couple of weeks. My answers are always
too "nuanced" and tradeoff oriented, which doesn't get upvotes.

:-) /r

RE: Digital Element, Neustar (Transunion) & ipinsight.io Jon Lewis via NANOG (Aug 25)
What is this based on?
My first thought was, you're worried Netflix would flag you for account
sharing if they see the same account used by different IPs, but whatever
they have for account sharing detection is, I'm pretty sure, not that
simple.
A lot of IP geo data doesn't even get as specific as physical [street]
addresses. i.e. $Work's geofeed only gets as specific as US-state, city.
For most IP geo consumers, that...

Re: Digital Element, Neustar (Transunion) & ipinsight.io Jon Lewis via NANOG (Aug 25)
Huh? It wasn't that many years ago, ARIN considered "out of region"
utilized IP space to not qualify as "utilized" for purposes of qualifying
for additional allocations by showing your existing allocations were
sufficiently utilized.

Though that issue is relatively moot at this point, that policy did
eventually change.

This varies quite a bit from one IP Geo provider to the next. Some are
pretty good (have web...

Re: Re[2]: Link-state EGP Saku Ytti via NANOG (Aug 25)
I have not, I will take a peek, thanks.

Securing topology information would be a big win with link-state.

Re[2]: Link-state EGP 7riw77--- via NANOG (Aug 25)
Have you ever looked at soBGP or Path State Vectors. Happy to hang out
and explain if it would be helpful, but these are/were effectively BGP
security efforts that were ultimately driving to a DAG overlay.

They failed because the community became extremely focused on securing
"BGP operation" rather than securing the base topology information.

:-) /r

------ Original Message ------

To nanog () immibis com
Cc "North American...

Re: Link-state EGP Saku Ytti via NANOG (Aug 24)
Oh I'm definitely not writing a paper. But I'm not sure a novel
algorithm is needed (nor am I sure it is not needed). Certainly the
graph cannot be a symmetric directed graph. That is the directions or
arrows represent direction. You have edges which are reachable through
you (customers) and you have edges which can be used to reach your
customers (upstreams).

So my link-state would have AS2[123] edges as reachable through me and...

Re: Digital Element, Neustar (Transunion) & ipinsight.io nanog--- via NANOG (Aug 24)
Of course they would like Netflix to provide them service. As I said though, their only recourse is to whine. And
cancel the service (they're not getting it anyway). That's the free market, take it or leave it.

A lot of people don't like the free market, but I gather that they're still a relative minority.

Optionally pay a $200 court fee to get your last $20 monthly payment back.

Re: Link-state EGP nanog--- via NANOG (Aug 24)
It has to be a shortest path or at least you have to know their shortest path doesn't go back through you. Perhaps
AS21's shortest path to AS23 is through you. In a link-state protocol you can't do shit to stop them using you as
transit, besides outright blocking their traffic (breaking the internet) or splitting your AS in 3.

How many times do I have to say it, maybe with big enough letters? ***A LINK STATE ROUTING PROTOCOL IS...

Re: Link-state EGP Jeffrey Haas via NANOG (Aug 24)
This practical matter regularly comes up when we're doing BGP extensions.

We need to design the protocol to be safe on a hop by hop basis so that
iBGP safely works - especially with reflectors.

You can get away with all sorts of murder if you promise you tunnel edge
to edge.

-- Jeff

Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating

• Archived Posts
• RSS Feed
• About List

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• risksLatest Posts

(no subject) RISKS List Owner (Aug 18)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.75

RISKS-LIST: Risks-Forum Digest Monday 18 August 2025 Volume 34 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org...

(no subject) RISKS List Owner (Jul 31)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.76

RISKS-LIST: Risks-Forum Digest Thursday 31 July 2025 Volume 34 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org...

(no subject) RISKS List Owner (Jul 29)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.74

RISKS-LIST: Risks-Forum Digest Tuesday 29 July 2025 Volume 34 : Issue 74

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org...

(no subject) RISKS List Owner (Jul 22)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.73

RISKS-LIST: Risks-Forum Digest Tuesday 22 July 2025 Volume 34 : Issue 73

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org...

(no subject) RISKS List Owner (Jul 19)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.72

RISKS-LIST: Risks-Forum Digest Saturday 19 July 2025 Volume 34 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org...

(no subject) RISKS List Owner (Jul 07)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.70

RISKS-LIST: Risks-Forum Digest Monday 7 July 2025 Volume 34 : Issue 70

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org>...

(no subject) RISKS List Owner (Jun 28)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.69

RISKS-LIST: Risks-Forum Digest Saturday 28 June 2025 Volume 34 : Issue 69

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org...

(no subject) RISKS List Owner (Jun 23)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.68

RISKS-LIST: Risks-Forum Digest Monday 23 June 2025 Volume 34 : Issue 68

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org...

Risks Digest 34.66 RISKS List Owner (May 29)
RISKS-LIST: Risks-Forum Digest Thursday 29 May 2025 Volume 34 : Issue 66

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.66>
The current issue can also be found at
<...

Risks Digest 34.65 RISKS List Owner (May 27)
RISKS-LIST: Risks-Forum Digest Tuesday 27 May 2025 Volume 34 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.65>
The current issue can also be found at
<...

Risks Digest 34.63 RISKS List Owner (May 17)
RISKS-LIST: Risks-Forum Digest Saturday 17 May 2025 Volume 34 : Issue 63

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.63>
The current issue can also be found at
<...

Risks Digest 34.62 RISKS List Owner (May 11)
RISKS-LIST: Risks-Forum Digest Sunday 11 May 2025 Volume 34 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.62>
The current issue can also be found at
<...

Risks Digest 34.61 RISKS List Owner (Apr 18)
RISKS-LIST: Risks-Forum Digest Friday 18 April 2025 Volume 34 : Issue 61

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.61>
The current issue can also be found at
<...

Risks Digest 34.60 RISKS List Owner (Apr 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 April 2025 Volume 34 : Issue 60

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.60>
The current issue can also be found at
<...

BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.

• Archived Posts
• RSS Feed
• About List
• datalossLatest Posts

Healthcare organizations face rising ransomware attacks – and are paying up Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/healthcare-ransomware-pay-sophos/

Healthcare organizations, already an attractive target for ransomware given
the highly sensitive data they hold, saw such attacks almost double between
2020 and 2021, according to a survey released this week by Sophos.

The outfit's team also found that while polled healthcare orgs are quite
likely to pay ransoms, they rarely get all of their data returned if they
do...

A digital conflict between Russia and Ukraine rages on behind the scenes of war Matthew Wheeler (Jun 03)
https://wskg.org/npr_story_post/a-digital-conflict-between-russia-and-ukraine-rages-on-behind-the-scenes-of-war/

SEATTLE — On the sidelines of a conference in Estonia on Wednesday, a
senior U.S. intelligence official told British outlet Sky News that the
U.S. is running offensive cyber operations in support of Ukraine.

“My job is to provide a series of options to the secretary of defense and
the president, and so that’s what I do,” said...

Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network Matthew Wheeler (Jun 03)
https://thehackernews.com/2022/06/researchers-uncover-malware-controlling.html

The Parrot traffic direction system (TDS) that came to light earlier this
year has had a larger impact than previously thought, according to new
research.

Sucuri, which has been tracking the same campaign since February 2019 under
the name "NDSW/NDSX," said that "the malware was one of the top infections"
detected in 2021, accounting for more than...

FBI, CISA: Don't get caught in Karakurt's extortion web Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/fbi_cisa_warn_karakurt_extortion/

The Feds have warned organizations about a lesser-known extortion gang
Karakurt, which demands ransoms as high as $13 million and, some
cybersecurity folks say, may be linked to the notorious Conti crew.

In a joint advisory [PDF] this week, the FBI, CISA and US Treasury
Department outlined technical details about how Karakurt operates, along
with actions to take,...

DOJ Seizes 3 Web Domains Used to Sell Stolen Data and DDoS Services Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/06/doj-seizes-3-web-domains-used-to-sell.html

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of
three domains used by cybercriminals to trade stolen personal information
and facilitate distributed denial-of-service (DDoS) attacks for hire.

This includes weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com, the
former of which allowed its users to traffic hacked personal data and
offered a...

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html

An advanced persistent threat (APT) actor aligned with Chinese state
interests has been observed weaponizing the new zero-day flaw in Microsoft
Office to achieve code execution on affected systems.

"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using
URLs to deliver ZIP archives which contain Word Documents that use the
technique,"...

US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command Matthew Wheeler (Jun 02)
https://www.three.fm/news/world-news/us-military-hackers-conducting-offensive-operations-in-support-of-ukraine-says-head-of-cyber-command/

US military hackers have conducted offensive operations in support of
Ukraine, the head of US Cyber Command has told Sky News.

In an exclusive interview, General Paul Nakasone also explained how "hunt
forward" operations were allowing the United States to search out foreign
hackers and identify...

SideWinder Hackers Launched Over a 1, 000 Cyber Attacks Over the Past 2 Years Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html

An "aggressive" advanced persistent threat (APT) group known as SideWinder
has been linked to over 1,000 new attacks since April 2020.

"Some of the main characteristics of this threat actor that make it stand
out among the others, are the sheer number, high frequency and persistence
of their attacks and the large collection of encrypted and obfuscated...

Hackers are Selling US University Credentials Online, FBI Says Matthew Wheeler (May 31)
https://tech.co/news/hackers-are-selling-us-university-credentials-online-fbi-says

The Federal Bureau of Investigation has warned US universities and colleges
that it has found banks of login credentials and other data relating to VPN
access circulating on cybercriminals forums.

The fear is that such data will be sold and subsequently used by malicious
actors to orchestrate attacks on other accounts owned by the same students,
in the hope...

Interpol Nabs 3 Nigerian Scammers Behind Malware-based Attacks Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/interpol-nabs-3-nigerian-scammers.html

Interpol on Monday announced the arrest of three suspected global scammers
in Nigeria for using remote access trojans (RATs) such as Agent Tesla to
facilitate malware-enabled cyber fraud.

"The men are thought to have used the RAT to reroute financial
transactions, stealing confidential online connection details from
corporate organizations, including oil and gas...

U.S. Warns Against North Korean Hackers Posing as IT Freelancers Matthew Wheeler (May 18)
https://thehackernews.com/2022/05/us-warns-against-north-korean-hackers.html

Highly skilled software and mobile app developers from the Democratic
People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in
hopes of landing freelance employment in an attempt to enable the regime's
malicious cyber intrusions.

That's according to a joint advisory from the U.S. Department of State, the
Department of the...

FBI and NSA say: Stop doing these 10 things that let the hackers in Matthew Wheeler (May 18)
https://www.zdnet.com/article/fbi-and-nsa-say-stop-doing-these-10-things-that-let-the-hackers-in/

Cyber attackers regularly exploit unpatched software vulnerabilities, but
they "routinely" target security misconfigurations for initial access, so
the US Cybersecurity and Infrastructure Security Agency (CISA) and its
peers have created a to-do list for defenders in today's heightened threat
environment.

CISA, the FBI and National...

Fifth of Businesses Say Cyber-Attack Nearly Broke Them Matthew Wheeler (May 18)
https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/

A fifth of US and European businesses have warned that a serious
cyber-attack nearly rendered them insolvent, with most (87%) viewing
compromise as a bigger threat than an economic downturn, according to
Hiscox.

The insurer polled over 5000 businesses in the US, UK, Ireland, France,
Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox
Cyber...

Hacker And Ransomware Designer Charged For Use And Sale Of Ransomware, And Profit Sharing Arrangements With Cybercriminals Matthew Wheeler (May 18)
https://www.shorenewsnetwork.com/2022/05/16/hacker-and-ransomware-designer-charged-for-use-and-sale-of-ransomware-and-profit-sharing-arrangements-with-cybercriminals/

A criminal complaint was unsealed today in federal court in Brooklyn, New
York, charging Moises Luis Zagala Gonzalez (Zagala), also known as
“Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and
Venezuela who resides in Venezuela, with attempted...

State of Ransomware shows huge growth in threat and impacts Matthew Wheeler (May 04)
https://www.continuitycentral.com/index.php/news/technology/7275-state-of-ransomware-shows-huge-growth-in-threat-and-impacts

Sophos has released its annual survey and review of real-world ransomware
experiences in its ‘State of Ransomware 2022’ report. This shows that 66
percent of organizations surveyed were hit with ransomware in 2021, up from
37 percent in 2020.

The average ransom paid by organizations that had data encrypted in their...

Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool

• Archived Posts
• RSS Feed
• About List

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

• Archived Posts
• RSS Feed
• About List

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• snortLatest Posts

Snort Subscriber Rules Update 2025-08-26 Research via Snort-sigs (Aug 26)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-08-21 Research via Snort-sigs (Aug 21)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the policy-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-08-19 Research via Snort-sigs (Aug 19)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-other,
malware-backdoor, malware-cnc, os-windows and server-webapp rule sets
to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-08-14 Research via Snort-sigs (Aug 14)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-other,
policy-other and server-webapp rule sets to provide coverage for
emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-08-12 Research via Snort-sigs (Aug 12)
Talos Snort Subscriber Rules Update

Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2025-49743:
A coding deficiency exists in Microsoft Windows Graphics Component that
may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with:
Snort 2: GID 1, SIDs 65236 through 65237,
Snort...

Snort Subscriber Rules Update 2025-08-07 Research via Snort-sigs (Aug 07)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the policy-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-08-05 Research via Snort-sigs (Aug 05)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-image,
file-other and server-webapp rule sets to provide coverage for emerging
threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-07-31 Research via Snort-sigs (Jul 31)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc,
malware-other and server-webapp rule sets to provide coverage for
emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-07-29 Research via Snort-sigs (Jul 29)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-pdf,
malware-cnc, malware-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-07-24 Research via Snort-sigs (Jul 24)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc,
malware-other, server-mail and server-webapp rule sets to provide
coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-07-21 Research via Snort-sigs (Jul 21)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-backdoor,
malware-cnc, malware-other, os-solaris and server-webapp rule sets to
provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-07-17 Research via Snort-sigs (Jul 17)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-07-15 Research via Snort-sigs (Jul 15)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc,
malware-other, policy-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-07-10 Research via Snort-sigs (Jul 10)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-07-08 Research via Snort-sigs (Jul 08)
Talos Snort Subscriber Rules Update

Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2025-47981:
A coding deficiency exists in Microsoft SPNEGO Extended Negotiation
(NEGOEX) Security Mechanism that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with:
Snort 2: GID 1, SID...