Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the information security community. CVE Numbering Authorities (CNAs) are major OS
vendors, security researchers, and research organizations that assign CVE Identifiers to
newly discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/February 22, 2016
-------------------------------------------------------
Contents:
1. CVE Identifier "CVE-2015-7547" Cited in Numerous Security Advisories and News Media
References about a Severe Linux Vulnerability
2. CVE Mentioned in Article about a Vulnerability in a Teddy Bear on eWeek
3. CVE Mentioned in Article about HPE's Cyber Risk Report 2016 on IT World Canada
4. CVE Mentioned in Article about Vulnerabilities in VoIP Phones on Bank Info Security
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Identifier "CVE-2015-7547" Cited in Numerous Security Advisories and News Media
References about a Severe Linux Vulnerability
"CVE-2015-7547" is cited in numerous major advisories, posts, and news media references
related to a recent severe Linux stack-based buffer overflow vulnerability, including
the following examples:
* http://www.cio.co.nz/article/594074/use-linux-stop-what-re-doing-apply-patch/
*
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-a
pps-and-devices-vulnerable/
*
http://www.infoworld.com/article/3033862/security/patch-now-unix-bug-puts-linux-android-
and-ios-systems-at-risk.html
*
https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/1162
61/
* http://www.eweek.com/security/linux-systems-patched-for-critical-glibc-flaw.html
* http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
*
http://www.techtimes.com/articles/134191/20160217/deadly-linux-bug-puts-millions-of-syst
ems-at-risk-patch-now-available.htm
* https://threatpost.com/magnitude-of-glibc-vulnerability-coming-to-light/116296/
*
http://www.itpro.co.uk/security/26060/linux-vulnerability-leaves-thousands-open-to-dns-a
ttack
*
http://www.pcworld.com/article/3033451/linux/use-linux-stop-what-youre-doing-and-apply-t
his-patch.html
*
http://www.straitstimes.com/tech/major-computer-security-bug-threatens-thousands-of-devi
ces
*
http://news.softpedia.com/news/buffer-overflow-bug-in-glibc-exposes-users-to-attack-from
-rogue-dns-servers-500484.shtml
Other news articles may be found by searching on "CVE-2015-7547" using your preferred
search engine. Also, the CVE Identifier page
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547 includes a list of
advisories used as references.
LINKS:
CVE-IDs -
https://cve.mitre.org/cve
News page article -
https://cve.mitre.org/news/index.html#february182016_CVE_Identifier_CVE_2015_7547_Cited_
in_Numerous_Security_Advisories_and_News_Media_References_about_a_Severe_Linux_Vulnerabi
lity
---------------------------------------------------------------
CVE Mentioned in Article about a Vulnerability in a Teddy Bear on eWeek
CVE is mentioned in a February 2, 2016 article entitled "Fisher-Price Smart Teddy Bear
Latest IoT Toy Under Hacker Scrutiny" on eWeek. The main topic of the article is that
"When it comes to the emerging Internet of things world, security vulnerabilities can
exist almost anywhere, including in a child's teddy bear. Security vendor Rapid7 .
disclosed a vulnerability in the Fisher-Price Smart Toy, which could have enabled an
attacker to gain access to user information. Rapid7 responsibly disclosed the flaw to
Fisher-Price, and the toy vendor has already patched the issue."
CVE is mentioned as follows: "Fisher-Price did not properly secure the Web APIs it uses
for the back end of the Smart Toy, potentially giving an attacker access to customer
profile information, including name, birthday, gender, language and which toys have been
registered. Going a step further . an attacker could have deleted or modified a child's
profile. The core flaw, which is identified as CVE-2015-8269, is an improper
authentication handling vulnerability. [This means that the] Web back end for the Smart
Toy would let anyone attempting to access the site assert that they were any customer
ID. Fisher-Price [has] fixed the remote security issues . [and since] . the disclosed
issues are all remote, there is no need for end users to patch the local device."
Visit the CVE Identifier page for CVE-2015-8269 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8269 to learn more about this
issue.
LINKS:
eWeek article -
http://www.eweek.com/security/fisher-price-smart-teddy-bear-latest-iot-toy-under-hacker-
scrutiny.html
CVE-IDs -
https://cve.mitre.org/cve
News page article -
https://cve.mitre.org/news/index.html#february42016_CVE_Mentioned_in_Article_about_a_Vul
nerability_in_a_Teddy_Bear_on_eWeek
---------------------------------------------------------------
CVE Mentioned in Article about HPE's Cyber Risk Report 2016 on IT World Canada
CVE is mentioned in a February 17, 2016 article entitled "Security industry has learned
nothing from patching lapses: Report" on IT World Canada.
CVE is mentioned as part of the main topic of this article, which is that
Hewlett-Packard Enterprise's "HPE Security Research Cyber Risk Report 2016" states that
the "most exploited bug in 2015 was a Windows Shell vulnerability (CVE-2010-2568) that
was discovered along with a patch issued in 2010 - and patched again in early 2015."
Visit the CVE Identifier page for CVE-2010-2568 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568 to learn more about this
issue.
LINKS:
IT World Canada article -
http://www.eweek.com/security/apple-updates-os-x-ios-with-numerous-security-fixes.html
CVE-IDs -
https://cve.mitre.org/cve
News page article -
https://cve.mitre.org/news/index.html#february182016_CVE_Mentioned_in_Article_about_HPE%
27s_Cyber_Risk_Report_2016_on_IT_World_Canada
---------------------------------------------------------------
CVE Mentioned in Article about Vulnerabilities in VoIP Phones on Bank Info Security
CVE is mentioned throughout a February 15, 2016 article entitled "VoIP Phones:
Eavesdropping Alert" on Bank Info Security. The main topic of the article is that "VoIP
devices built by the likes of Cisco and Snom can be easily exploited with just a couple
of lines of JavaScript . if they use the devices' default security settings. Once
attackers compromise a device, they can monitor or reroute all calls, surreptitiously
activate microphones built into the device to listen to what's being said locally, or
upload malicious firmware, amongst other potential attacks."
CVE is mentioned when the author discusses how the "attack would also work against some
Cisco VoIP devices. Cisco has confirmed a related vulnerability - CVE-2015-0670 -
affects some Cisco Small Business IP phones, but so far has released no patches."
Visit the CVE Identifier page for CVE-2015-0670 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0670 to learn more about this
issue.
LINKS:
Bank Info Security article -
http://www.bankinfosecurity.com/voip-phones-eavesdropping-alert-a-8869/op-1
CVE-IDs -
https://cve.mitre.org/cve/cna.html
News page article -
https://cve.mitre.org/news/index.html#february182016_CVE_Mentioned_in_Article_about_Vuln
erabilities_in_VoIP_Phones_on_Bank_Info_Security
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Multiple Android Vulnerabilities on InfoWorld
* CVE Mentioned in Article about Two High-Priority OpenSSL Vulnerabilities on InfoWorld
* CVE Is Main Topic of Numerous News Media Articles about Products with Most
Vulnerabilities in 2015
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send
an email to cve@mitre.org.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment