Tag: vulnerability

Introduction Initially three vulnerabilities were discovered, which are described here: Advisory Vulnerabilities CVE-2022-20964 – Command Injection – CWE-78 CVE-2022-20964 - Command Injection - CWE-78 PRODUCT LINE VERSION SCORE IMPACT Cisco Identity Services Engine 2.7 < 3.2 P1 CNA: 6.3NIST: 8.8 High OWASP CATEGORY OWASP CONTROL A03 - Injection WSTG-INPV-12 AFFECTED ENDPOINT - AFFACTED PARAMETER https://ciscoise.server/admin/rs/uiapi/mnt/tcpdump/Starthttps://ciscoise.server/admin/rs/uiapi/mnt/tcpdump/DeleteFile […]

Introduction Through the internal project called Saguri, we started with the analysis of the Cisco Identity Service Engine - 3.1.0.518-Patch3-22042809, the Cisco ISE is a useful tool in the management of one's own network and not only, it allows the implementation and application in a dynamic and automated way of security and 'management' policies, simplifying […]

Introduction In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service Engine (ver. 3.1.0.518-Patch3-22042809).Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have access […]

Introduction In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service Engine (ver. 3.1.0.518-Patch3-22042809).Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have access […]

Introduction The vulnerability has been found during a security assessment on Netlink CCD Onboard version 3.74 and Firmware version 3.80.The Netlink CCD is an IoT control device with 3 DALI-compliant outputs and one LM-Bus interface for open-loop control of maximum 250 luminaires and motors. It can be operated locally or by using an external litenet […]

CERT Yoroi informa che nella giornata del 19 Gennaio 2023 è stata rilasciata la patch risolutiva di tre vulnerabilità critiche RCE su Git; in particolare: CVE-2022-23521, CVE-2022-41903, CVE-2022-41953. Il team di Git evidenzia come le prime due vulnerabilità (CVE-2022-23521 e CVE-2022-41903) permettano ad un attaccante di eseguire codice arbitrario da remoto. La prima, in modo […]

Con la presente CERT-Yoroi intende informarla riguardo un nuovo attacco sul framework PyTorch, sul quale è stata scoperta una dipendenza malevola chiamata 'torchtriton', caricata sul registro registro Python Package Index (PyPI). Il nome era lo stesso di una libreria ufficiale pubblicata da PyTorch, una piattaforma di apprendimento automatico open source. Nell'importazione delle dipendenze in ambiente […]

Introduction Initially three vulnerabilities were discovered, which are described here: https://yoroi.company/?s=saguri. Further research prompted the discovery of four other vulnerabilities including a Command Injection, which if exploited allows one to gain root access to the system shell.Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable […]

Introduction Through the internal project called Saguri, we started with the analysis of the Cisco Identity Service Engine - 3.1.0.518-Patch3-22042809, the Cisco ISE is a useful tool in the management of one's own network and not only, it allows the implementation and application in a dynamic and automated way of security and 'management' policies, simplifying […]

Introduction During a security assessment on FusionDirectory version 1.3 two criticalities have been identified.FusionDirectory allows to manage data archived in LDAP directories so, as you might imagine, security problems leading to an exposure of personal and enterprise could have a serious impact on the business. Advisory CVE-2022-36180 - Cross Site Scripting – CWE 79 CVE-2022-36180 […]

Introduction In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service En-gine (ver. 3.1.0.518-Patch3-22042809).Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have access […]

Introduction In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service Engine (ver. 3.1.0.518-Patch3-22042809). Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have […]