LATEST IN INFO SEC

OpenSSL Security Update (CVE-2015-0291)

Following the major Heartbleed vulnerability, OpenSSL has again received a significant security update. The worst of the fourteen issues it fixes is a denial-of-service (DoS) vulnerability rated "high severity", CVE-2015-0291, reported to the OpenSSL project on February 26 by David Ramos of Stanford University: a client that renegotiates with an OpenSSL 1.0.2 server using an invalid signature_algorithms extension triggers a NULL pointer dereference and crashes the server. The same update also fixes the following:

  • Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
  • Multiblock corrupted pointer (CVE-2015-0290)
  • Segmentation fault in DTLSv1_listen (CVE-2015-0207)
  • Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
  • Segmentation fault for invalid PSS parameters (CVE-2015-0208)
  • ASN.1 structure reuse memory corruption (CVE-2015-0287)
  • PKCS7 NULL pointer dereferences (CVE-2015-0289)
  • Base64 decode (CVE-2015-0292)
  • DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
  • Empty CKE with client auth and DHE (CVE-2015-1787)
  • Handshake with unseeded PRNG (CVE-2015-0285)
  • Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
  • X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
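
The practical question behind this list is whether a given OpenSSL build predates the fixed release. The triage below is an added example, not code from the post or the OpenSSL project: it parses `openssl version` banners and compares them with the releases that closed this advisory (1.0.2a, 1.0.1m, 1.0.0r, 0.9.8zf, a fact from the advisory that the post does not state) and separately flags CVE-2015-0291, which exists only in 1.0.2 before 1.0.2a. The banners at the bottom are constructed, not collected from real hosts.

```python
import re

# Release that closed the 19 March 2015 OpenSSL advisory, keyed by branch
# (fixed versions as published in that advisory; not stated in the post above).
FIXED_RELEASE = {
    "1.0.2": "1.0.2a",
    "1.0.1": "1.0.1m",
    "1.0.0": "1.0.0r",
    "0.9.8": "0.9.8zf",
}

# Matches the leading "OpenSSL 1.0.2a" part of an `openssl version` banner.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Split an `openssl version` banner into (branch, patch_letters).

    'OpenSSL 1.0.1k 8 Jan 2015' -> ('1.0.1', 'k'); 'OpenSSL 1.0.2 ...' -> ('1.0.2', '').
    Raises ValueError if the string is not an OpenSSL banner.
    """
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    return m.group(1), m.group(2)


def letters_key(letters):
    """Sort key for OpenSSL patch letters.

    Patch releases go a, b, ..., y, z, za, zb, ..., so a longer suffix is always
    newer than a shorter one; within the same length plain string order applies.
    """
    return (len(letters), letters)


def is_patched(banner):
    """True if the banner is at or above the fixed release for its branch.

    Returns None when the branch is not one the advisory covers.
    """
    branch, letters = parse_version(banner)
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return None
    fixed_letters = fixed[len(branch):]
    return letters_key(letters) >= letters_key(fixed_letters)


def exposed_to_cve_2015_0291(banner):
    """CVE-2015-0291 (the ClientHello sigalgs DoS) exists only in 1.0.2 before 1.0.2a."""
    branch, _ = parse_version(banner)
    return branch == "1.0.2" and is_patched(banner) is False


def triage(banners):
    """Map each banner to 'patched', 'vulnerable', or 'not covered'."""
    result = {}
    for banner in banners:
        state = is_patched(banner)
        if state is None:
            result[banner] = "not covered"
        elif state:
            result[banner] = "patched"
        else:
            result[banner] = "vulnerable"
    return result


if __name__ == "__main__":
    # Constructed sample banners (not collected from real hosts).
    SAMPLE_BANNERS = [
        "OpenSSL 1.0.2 22 Jan 2015",
        "OpenSSL 1.0.2a 19 Mar 2015",
        "OpenSSL 1.0.1k 8 Jan 2015",
        "OpenSSL 0.9.8zf 19 Mar 2015",
        "OpenSSL 1.1.0-dev xx XXX xxxx",
    ]
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        flag = " (CVE-2015-0291)" if exposed_to_cve_2015_0291(banner) else ""
        print("%-32s %s%s" % (banner, verdict, flag))
```

One caveat a banner check cannot resolve: distribution packages (Debian, Red Hat and others) backport security fixes without bumping the patch letter, so a host reporting 1.0.1e may already carry the fix. Treat "vulnerable" from this script as "verify against the package changelog", not as a confirmed finding.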

MICROSOFT MS15-034

CVE-2015-1635 identifies the latest vulnerability in HTTP.sys, the kernel-mode HTTP protocol stack of Microsoft Windows, and it affects servers running Internet Information Services (IIS). Microsoft rates it Critical as a remote code execution flaw. On Tuesday, April 14, Microsoft released security bulletin MS15-034 with update KB3042553 addressing the vulnerability. If you would like to test your servers for it, use the following Python script. Please be advised that the test may crash your server! I assume NO responsibility for any and all damages done to your system(s).
