Threat and Vulnerability Intelligence Database

Description: Martin discusses how defenders can use threat intelligence to equip themselves against AI-based threats. Plus check out his introductory course to threat intelligence.
Source: Cisco Talos Blog
January 30th, 2025 (5 months ago)

Description: More than 2,000 datasets have disappeared from data.gov since Trump was inaugurated. But analyzing exactly what happened and where it went is going to take some time.
Source: 404 Media
January 30th, 2025 (5 months ago)

Description: John Paul Richard Inc and Jaya Apparel Group, LLC Have Fallen Victim to Cactus Ransomware
Source: DarkWebInformer
January 30th, 2025 (5 months ago)

Source: TheRegister
January 30th, 2025 (5 months ago)

CVE-2025-0626

Description:
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Contec Health
Equipment: CMS8000 Patient Monitor
Vulnerabilities: Out-of-bounds Write, Hidden Functionality (Backdoor), Privacy Leakage
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to remotely send specially formatted UDP requests or connect to an unknown external network that would allow them to write arbitrary data, resulting in remote code execution. The device may also leak patient information and sensor data to the same unknown external network. Simultaneous exploitation of all vulnerable devices on a shared network is possible. The Food and Drug Administration (FDA) has released a safety communication in connection with these vulnerabilities. CISA has released an additional Fact Sheet for CVE-2025-0626 and CVE-2025-0683.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Contec Health products are affected:
CMS8000 Patient Monitor: Firmware version smart3250-2.6.27-wlan2.1.7.cramfs
CMS8000 Patient Monitor: Firmware version CMS7.820.075.08/0.74(0.75)
CMS8000 Patient Monitor: Firmware version CMS7.820.120.01/0.93(0.95)
CMS8000 Patient Monitor: All versions (CVE-2025-0626, CVE-2025-0683)
3.2 Vulnerability Overview
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to send specially formatted UDP requests in order to write arbitrary data....

EPSS Score: 0.04%

Source: All CISA Advisories
January 30th, 2025 (5 months ago)

CVE-2025-0680

Description:
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: New Rock Technologies
Equipment: Cloud Connected Devices
Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Improper Neutralization of Wildcards or Matching Symbols
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker full control of the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of New Rock Technologies Cloud Connected Devices are affected:
OM500 IP-PBX: All versions
MX8G VoIP Gateway: All versions
NRP1302/P Desktop IP Phone: All versions
3.2 Vulnerability Overview
3.2.1 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-78
Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud. CVE-2025-0680 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2025-0680. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Improper Neutralization of Wildcards or Matching Symbols CWE-155
The Cloud MQTT service of the affected products supports wildcard topi...

EPSS Score: 0.04%

Source: All CISA Advisories
January 30th, 2025 (5 months ago)

Description:
Impact: A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to the repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.
Patches: A patch for this vulnerability is available in the following Argo CD versions: v2.13.4, v2.12.10, v2.11.13
Workarounds: There is no workaround other than upgrading.
References: Fixed with commits https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 and https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca
https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v
https://github.com/argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j
https://github.com/advisories/GHSA-274v-mgcv-cm8j
Source: Github Advisory Database (Go)
January 30th, 2025 (5 months ago)

Description:
Impact: A vulnerable node can be forced to shutdown/crash using a specially crafted message. More in-depth details will be released at a later time.
Patches: A fix has been included in geth version 1.14.13 and onwards.
Workarounds: Unfortunately, no workaround is available.
Credits: This issue was originally reported to Polygon Security by David Matosse (@iam-ned).
References:
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-q26p-9cq4-7fc2
https://github.com/advisories/GHSA-q26p-9cq4-7fc2
Source: Github Advisory Database (Go)
January 30th, 2025 (5 months ago)

Description:
Impact: The policy group feature, added by the 1.17.0 release, introduced two new types of CRD: ClusterAdmissionPolicyGroup and AdmissionPolicyGroup. The former is cluster-wide, while the latter is namespaced. By being namespaced, the AdmissionPolicyGroup has a well-constrained impact on cluster resources. Hence, it is considered safe to allow non-admin users to create and manage these resources in the namespaces they own. Kubewarden policies can be allowed to query the Kubernetes API at evaluation time; these types of policies are called "context aware". Context-aware policies can perform list and get operations against a Kubernetes cluster. The queries are done using the ServiceAccount of the Policy Server instance that hosts the policy. That means that access to the cluster is determined by the RBAC rules that apply to that ServiceAccount. The AdmissionPolicyGroup CRD allowed the deployment of context-aware policies. This could allow an attacker to obtain information about resources that are out of their reach, by leveraging the higher access to the cluster granted to the ServiceAccount token used to run the policy. The impact of this vulnerability depends on the privileges that have been granted to the ServiceAccount used to run the Policy Server and assumes that users are following the recommended best practice of keeping the Policy Server's ServiceAccount least privileged. By default, the Kubewarden helm chart grants access to the following resources (cluster-wide) only:...
Source: Github Advisory Database (Go)
January 30th, 2025 (5 months ago)

Description:
Impact: By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy. There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and AdmissionPolicyGroup policies because of their sensitive nature. For example, PolicyReport objects are namespaced resources that contain the list of non-compliant objects found inside a namespace. See the corresponding section of Kubewarden's documentation for more details about PolicyReport resources. An attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects in order to hide non-compliant resources. Moreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside the namespace.
Patches: Starting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources. The new validation also restricts the usage of wildcards when defining apiGroups and resources rules for AdmissionPolicy and AdmissionPolicyGroup objects.
Workarounds: On clusters running Kubewarden < 1.21.0, the following Kubewarden policy can be applied to prevent the creation of AdmissionPolicy and AdmissionPolicyGroup resources that interact with PolicyReport resources: apiVersi...
Source: Github Advisory Database (Go)
January 30th, 2025 (5 months ago)