Security Flaws & Fixes - W/E - 030416

Advisories Provide Details on Multiple Cisco Vulnerabilities (03/03/2016)
Cisco has released several advisories for vulnerabilities across its product line: one each for the Nexus 3000 Series and 3500 Platform Switches, NX-OS Software and the Web Security Appliance, plus one addressing a denial-of-service bug in the SNMP input packet processor of NX-OS Software.

Apple TV Receives Security Update (03/03/2016)
Apple has released updates for Apple TV that fix more than 60 vulnerabilities in various components. Users should update as soon as possible, since some of the bugs could allow an attacker to take control of an affected device.

Critical DROWN Vulnerability Affects One-Third of HTTPS Servers (03/03/2016)
Security researchers have published an advisory on DROWN, a severe vulnerability affecting HTTPS and other services that rely on SSL and TLS. The attack targets servers that still accept the obsolete SSLv2 protocol: an attacker who can observe a modern TLS session with such a server, or with any other server that shares the same RSA private key, can use SSLv2 connections to the vulnerable host to break the encryption and recover passwords, credit card numbers, emails, instant messages, trade secrets and other sensitive data, even though the victim's own connection never used SSLv2. According to the researchers, 33% of all HTTPS servers are vulnerable. Under some common scenarios the attacker can also impersonate a secure Web site and intercept or change the content the user sees. The researchers' list of affected Web sites includes Yahoo, CBS Sports, Samsung, and BuzzFeed. OpenSSL has stated that its latest update disables the SSLv2 protocol by default and removes the SSLv2 EXPORT ciphers, which the general form of the attack relies on.
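The practical check for this item is whether a server (and every other server holding the same RSA key, including mail servers) still answers an SSLv2 ClientHello. The following probe is an added example, not code from the DROWN researchers or from OpenSSL. It builds a raw SSLv2 ClientHello offering all seven SSLv2 cipher specs, classifies the server's first bytes (an SSLv2 ServerHello means SSLv2 is enabled, a TLS alert or a dropped connection means it is not), and parses the cipher specs the server advertises so that the EXPORT40 ciphers stand out. The `constructed_server_hello` helper and its placeholder certificate bytes are constructed test data so the parsing path runs offline; `probe_sslv2` performs the real network call and is only invoked if you pass it a host.

```python
"""Raw SSLv2 ClientHello probe (added example; not the researchers' own tool)."""
import os
import socket
import struct
from typing import Optional, Tuple

# SSL 2.0 message types and the protocol version field value.
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# The seven SSLv2 cipher specs (3 bytes each). The EXPORT40 specs are the
# 40-bit ciphers that the general DROWN attack depends on.
SSL2_CIPHER_SPECS = {
    "SSL_CK_RC4_128_WITH_MD5": b"\x01\x00\x80",
    "SSL_CK_RC4_128_EXPORT40_WITH_MD5": b"\x02\x00\x80",
    "SSL_CK_RC2_128_CBC_WITH_MD5": b"\x03\x00\x80",
    "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5": b"\x04\x00\x80",
    "SSL_CK_IDEA_128_CBC_WITH_MD5": b"\x05\x00\x80",
    "SSL_CK_DES_64_CBC_WITH_MD5": b"\x06\x00\x40",
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5": b"\x07\x00\xc0",
}
NAME_BY_SPEC = {spec: name for name, spec in SSL2_CIPHER_SPECS.items()}


def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """Return a complete SSLv2 record carrying a ClientHello with no session ID."""
    challenge = challenge or os.urandom(16)
    cipher_specs = b"".join(SSL2_CIPHER_SPECS.values())
    # ClientHello body: type, version, cipher-specs len, session-id len, challenge len
    body = struct.pack("!BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                       len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    # Two-byte SSLv2 record header: high bit set, 15-bit length, no padding byte.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes) -> Optional[dict]:
    """Parse an SSLv2 ServerHello record; return None if the bytes are not one."""
    if len(data) < 13 or (data[0] & 0x80) == 0:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None
    # type, session-id-hit, certificate-type, version, cert len, specs len, conn-id len
    _, _hit, _cert_type, version, cert_len, specs_len, _conn_len = struct.unpack(
        "!BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    names = [NAME_BY_SPEC.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs), 3)]
    return {"version": version, "cipher_specs": names,
            "export_ciphers": [n for n in names if "EXPORT" in n]}


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server sends back after our SSLv2 ClientHello."""
    if not data:
        return "closed"          # connection dropped: SSLv2 refused
    if data[0] == 0x15:
        return "tls-alert"       # TLS record type 0x15 (alert): modern stack rejecting v2
    if parse_server_hello(data) is None:
        return "unknown"         # something else (e.g. a plaintext banner)
    return "sslv2-supported"     # an SSLv2 ServerHello: the host is exposed to DROWN


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, Optional[dict]]:
    """Network call: send one ClientHello and classify the reply. Not run offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            data = sock.recv(4096)
    except (ConnectionResetError, socket.timeout):
        data = b""
    return classify_response(data), parse_server_hello(data)


def constructed_server_hello() -> bytes:
    """Constructed test data: a ServerHello advertising one strong and one EXPORT40 spec."""
    cert = b"\x30\x82\x00\x00"  # placeholder bytes standing in for a DER certificate
    specs = (SSL2_CIPHER_SPECS["SSL_CK_RC4_128_WITH_MD5"]
             + SSL2_CIPHER_SPECS["SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5"])
    conn_id = b"\x00" * 16
    body = struct.pack("!BBBHHHH", SSL2_MT_SERVER_HELLO, 0, 1, SSL2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    reply = constructed_server_hello()
    print(classify_response(reply), parse_server_hello(reply)["export_ciphers"])
```

Run it against a real host with `probe_sslv2("example.internal")`; any result other than `closed` or `tls-alert` needs attention, and `sslv2-supported` with a non-empty `export_ciphers` list is the worst case. Two caveats: the probe must send the ClientHello as the very first bytes, so services that negotiate TLS via STARTTLS (SMTP on port 25, for instance) need the STARTTLS exchange first, which this example does not implement; and a clean result on port 443 is not enough on its own, because the attack only needs one service anywhere that accepts SSLv2 with the same RSA key.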

Google Announces Chrome 49 (03/03/2016)
Google released version 49 of Chrome, fixing 26 security issues. Users should update their browser immediately to close the vulnerabilities present in earlier versions.

ICS-CERT Warns of XSS Bug in Rockwell Automation's CompactLogix Controllers (03/03/2016)
According to an ICS-CERT advisory, a cross-site scripting vulnerability has been identified in the built-in web interface of Rockwell Automation's CompactLogix controllers. The vulnerability has been publicly disclosed. Rockwell Automation has released a new firmware version that addresses it. CompactLogix is a line of programmable automation controllers used in industrial control systems.

Schneider Electric Application Server Affected by Critical Bug (03/03/2016)
Schneider Electric's Application Server, V1.7 and prior, contains a vulnerability that an attacker can exploit to bypass access controls. Application Server is a building automation system for small and medium-sized buildings that is used throughout the world. Schneider Electric has released a security notification and updates for this vulnerability, and ICS-CERT has posted its own advisory.