Search This Blog

Showing posts with label Arbitrary code execution. Show all posts

CERT-In Alerts Mozilla Firefox Users to Update their Browsers Immediately


Mozilla Firefox users are receiving alerts regarding multiple vulnerabilities in the web browser by the Indian Computer Emergency Response Team (CERT-In). An advisory has also been issued in the regard asking the users to update their web browsers as soon as possible.

While rating the severity of the vulnerability as 'High' on all the versions of Mozilla Firefox that have been released before version 75 and version 68.7 on Mozilla Firefox ESR, the CERT-In stated in the advisory that remote hackers can take advantage of these browser flaws to acquire sensitive data through the browser.

According to the CERT-In advisory, “Out-of-Bounds Read Vulnerability in Mozilla Firefox ( CVE-2020-6821 ). This vulnerability exists in Mozilla Firefox due to a boundary condition when using the WebGLcopyTexSubImage method. A remote attacker could exploit this vulnerability by specially crafted web pages. Successful exploitation of this vulnerability could allow a remote attacker to disclose sensitive information,”

“Information Disclosure Vulnerability in Mozilla Firefox ( CVE-2020-6824). This vulnerability exists in Mozilla Firefox to generate a password for a site but leaves Firefox open.A  remote attacker could exploit this vulnerability by revisiting the same site of the victim and generating a new password. The generated password will remain the same on the targeted system,” the advisory further reads.

The aforementioned vulnerability also allows the attacker to execute 'arbitrary code' on the targeted system, letting them run any chosen command onto it. As per sources, another flaw was also found to be existing in the internet browser that concerns with a boundary condition in GMP Decode Data as images exceeding 4GB are being processed on 32-bit builds. The exploitation of this flaw requires the attacker to trick users into opening specially designed images. Upon successful exploitation, the attacker can yet again execute arbitrary code on the targeted system.

Another way by which a remote attacker can take advantage of this exploit is by convincing a user to install a crafted extension, on doing so the attacker will be able to obtain sensitive information.

Cisco Vulnerable Again; May Lead To Arbitrary Code Execution!


Earlier this year Cisco was in the headlines for the Zero-day vulnerabilities that were discovered in several of its devices including IP Phones, routers, cameras and switches.

The vulnerabilities that were quite exploitable were found in the Cisco Discovery Protocol (CDP), which is a layer 2 network protocol so that any discrepancies of the devices could be tracked.

Now again, Cisco has been found to be more unreliable than ever. Only this time the researchers learnt about numerous severe security vulnerabilities.

These susceptibilities could let the attackers or hackers execute “arbitrary commands” with the supposed “consent” of the user. Per sources, the affected Cisco parts this time happen to be the software, namely the Cisco UCS Manager Software, Cisco NX-OS Software and Cisco FXOS Software.

Reports reveal that the vulnerability in the Cisco FXOS and NX-OS Software admits unauthorized “adjacent” attackers into the system and lets them execute arbitrary code in order to achieve the “DoS”. (Denial of Service)

The vulnerabilities in Cisco FXOS and UCS Manager Software lets unauthenticated “local attackers” to execute arbitrary commands on the victim’s devices.

The reason for this vulnerability rises from the absence of “input validation”. The misuse of this makes it way easy for attackers to execute the arbitrary code making use of the user’s authority (which they don’t even know about) who’s logged in, per sources.

The other vulnerabilities in the Cisco FXOS and UCS Software include allowing unauthenticated local attackers to execute arbitrary commands.

A hacker could also try to send specially structures “arguments” to certain commands. This exploit if successful could grant admittance to the hacker to not only enter but also execute arbitrary commands.

All the exploitable loopholes of the Cisco software are really dangerous and critical in all the possible terms. Cisco has been in the limelight for more times than that could be overlooked. It is up to the users now to be well stacked with respect to security mechanisms.

However, understanding the seriousness of the vulnerabilities in the software, Cisco has indeed released various security updates that work for all the vulnerable software, in its Software Security Advisory.

The users are advised to get on top of the updates as soon as possible.