Threat and Vulnerability Intelligence Database

Description: Name: ASA-2025-002: Malicious peer can stall network by disseminating seemingly valid block parts Component: CometBFT Criticality: High (Catastrophic Impact; Possible Likelihood per ACMv1.2) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes, Users Description A bug was identified in the CometBFT validation of block part indices and the corresponding proof part indices that can lead to incorrect processing and dissemination of invalid parts, which in turn could lead to a network halt. Additional validation was added to prevent this condition from happening. Patches The new CometBFT releases v1.0.1 and v0.38.17 fix this issue. Unreleased code in the main branch is patched as well. Workarounds There are no known workarounds for this issue. If a node is producing these malicious proofs, the only mitigation is to upgrade CometBFT. After upgrading, the validators then will eventually conclude the correct value. Technical Deep-Dive When the next proposer creates a block, it is split into many block parts (64kB each). Each block part is then disseminated via p2p layer in a gossip fashion. The block part contains the following fields: type Part struct { Index uint32 `json:"index"` Bytes cmtbytes.HexBytes `json:"bytes"` Proof merkle.Proof `json:"proof"` } Index - represents the index of a block part Bytes - the actual content Proof - Merkle proof, which allows the receiving node to quickly verify that a Part is indeed a piece...
Source: Github Advisory Database (Go)
February 3rd, 2025 (5 months ago)
Description: A Threat Actor Claims to be Selling Data from an Unidentified U.S. Company
Source: DarkWebInformer
February 3rd, 2025 (5 months ago)
Description: This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of sofurry.com. Please note that this user does not own this domain on the internet, just the discord handle. TShock overrides certain Terraria vanilla systems, including chat, and the connection handling, for its own purposes, like enforcing bans. When clients connect but do not complete the connection handshake (e.g., send message number 6), they can "exist" on the server, occupy a player slot, chat, and receive data from the server despite not being fully connected. Individuals who exploit this will be able to effectively harass the server, observe the server, and utilize server resources even if banned from the server. For servers that operate with a proxy that strictly enforces the connection handshake/sequence, this is not an issue, but for smaller servers or servers running vanilla TShock this is an issue worth patching for. PR body supplied by @ohayo (patch writer): Terraria's standard server by default checks for bans upon the client sending the ConnectRequest packet, however, TShock instead chooses to check if the client connecting is banned upon the Request World Data packet. A malicious client can easily just not send this packet, and still join the server even while being banned. Also by not sending Request World Data, the malicious client is still able to receive all packets from the server & even chat. Other clients will not be notified of their join/leave but will be...
Source: Github Advisory Database (Nuget)
February 3rd, 2025 (5 months ago)

CVE-2023-6080

Description: Written By: Jacob Paullus, Daniel McNamara, Jake Rawlins, Steven Karschnia Executive Summary Mandiant exploited flaws in the Microsoft Software Installer (MSI) repair action of Lakeside Software's SysTrack installer to obtain arbitrary code execution. An attacker with low-privilege access to a system running the vulnerable version of SysTrack could escalate privileges locally. Mandiant responsibly disclosed this vulnerability to Lakeside Software, and the issue has been addressed in version 11.0. Introduction Building upon the insights shared in a previous Mandiant blog post, Escalating Privileges via Third-Party Windows Installers, this case study explores the ongoing challenge of securing third-party Windows installers. These vulnerabilities are rooted in insecure coding practices when creating Microsoft Software Installer (MSI) Custom Actions and can be caused by references to missing files, broken shortcuts, or insecure folder permissions. These oversights create gaps that inadvertently allow attackers the ability to escalate privileges. As covered in our previous blog post, after software is installed with an MSI file, Windows caches the MSI file in the C:\Windows\Installer folder for later use. This allows users on the system to access and use the "repair" feature, which is intended to address various issues that may be impacting the installed software. During execution of an MSI repair, several operations (such as file creation or execution) may be triggere...
Source: Google Threat Intelligence
February 3rd, 2025 (5 months ago)
Description: Threat actors are taking advantage of the rise in popularity of the DeepSeek to promote two malicious infostealer packages on the Python Package Index (PyPI), where they impersonated developer tools for the AI platform. [...]
Source: BleepingComputer
February 3rd, 2025 (5 months ago)
Description: Mr Hamza Targeted the Website of XTB Online Investing
Source: DarkWebInformer
February 3rd, 2025 (5 months ago)
Description: Anthropic, the developer of the conversational AI assistant Claude, doesn’t want prospective new hires using AI assistants in their applications, regardless of whether they’re in marketing or engineering.
Source: 404 Media
February 3rd, 2025 (5 months ago)
Description: European regulators are raising alarms over DeepSeek, a Chinese AI chatbot, due to concerns about data privacy and security. The Netherlands’ data protection authority (AP) issued a warning against using the service, while Italy has taken more aggressive action, blocking the chatbot outright. Both countries cite the risk of European user data being stored in …
Source: CyberInsider
February 3rd, 2025 (5 months ago)
Description: Qilin Ransomware Claims Many Victims
Source: DarkWebInformer
February 3rd, 2025 (5 months ago)
Description: Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync Component: CometBFT Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes Impact A malicious peer may be able to interfere with a node's ability to sync blocks with peers via the blocksync mechanism. In the blocksync protocol peers send their base and latest heights when they connect to a new node (A), which is syncing to the tip of a network. base acts as a lower bound and informs A that the peer only has blocks starting from height base. latest height informs A about the latest block in a network. Normally, nodes would only report increasing heights: B: {base: 100, latest: 1000} B: {base: 100, latest: 1001} B: {base: 100, latest: 1002} ... If B fails to provide the latest block, B is removed and the latest height (target height) is recalculated based on other nodes' latest heights. The existing code however doesn't check for the case where B first reports latest height X and immediately after height Y, where X > Y. For example: B: {base: 100, latest: 2000} B: {base: 100, latest: 1001} B: {base: 100, latest: 1002} ... A will be trying to catch up to 2000 indefinitely. Even if B disconnects, the latest height (target height) won't be recalculated because A "doesn't know where 2000" came from per se. Impact Qualification This condition requires the introduction of malicious code in the full...
Source: Github Advisory Database (Go)
February 3rd, 2025 (5 months ago)