Search This Blog

Showing posts with label Security vulnerability. Show all posts

Several Vulnerabilities Identified In Emerson OpenEnterprise


Recently four vulnerabilities were found in Emerson OpenEnterprise and were accounted for to the vendor in December 2019 with the patches released a couple of months later.

Roman Lozko, a researcher at Kaspersky's ICS CERT unit, was responsible for the identification of the flaws, and the security holes found by him have been depicted as 'heap-based cushion buffer, missing authentication, improper ownership management, and weak encryption issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Kaspersky published advisories for three of the vulnerabilities a week ago. The rest of the vulnerability was described by Kaspersky in a previous advisory.

As indicated by Emerson, OpenEnterprise is explicitly intended to address the prerequisites of associations focusing on oil and gas production, transmission, and distribution.

The initial two followed as CVE-2020-6970 and CVE-2020-10640 are depicted as critical, as they can allow an attacker to remotely execute discretionary code with 'elevated privileges' on devices running OpenEnterprise.

Vladimir Dashchenko, a security expert at Kaspersky, says an attacker could misuse these vulnerabilities either from the system or directly from the internet. Notwithstanding, there don't give off an impression of being any occurrences of the affected product exposed to the internet.

“The most critical vulnerabilities allow remote attackers to execute any command on a computer with OpenEnterprise on it with system privileges, so this might lead to any possible consequences,”

 “Based on Shodan statistics, currently there are no directly exposed OpenEnterprise SCADA systems available,” Dashchenko explained. “It means that asset owners with installed OpenEnterprise are definitely following the basic security principles for industrial control systems.”

The rest of the vulnerabilities can be exploited to 'escalate privileges' and to acquire passwords for OpenEnterprise user accounts, yet exploitation in the two cases requires local access to the targeted system.

User Accounts and Phone Numbers Exposed; Confirms Instagram


Social Media Giant and Instagram senior, Facebook affirms that a newfound security vulnerability may have put the user data in danger, leaving many open to attack by 'threat actors'.

The vulnerability is said to be so strong to the point that through it the attacker would effectively access 'secure' user data like the users' real names, Instagram account numbers and handles, and full phone numbers.

An Israeli hacker known by the handle @ZHacker13 found the vulnerability with Instagram and said that misusing it would empower an attacker utilizing a multitude of bots and processors to manufacture an accessible/attackable database of users, bypassing protections protecting that information.

The attacker utilizes a simple algorithm against Instagram's login form, checking each phone number in turn for those linked to a live Instagram account, and since there is no restriction on the number of algorithms that can be kept running in parallel, the attacker can do it as many number of times as he wants.


After this while exploiting the advantages of Instagram's Sync Contacts feature he can figure out how to discover the account name and number linked to the phone number.


Anyway as of now, there is no proof that any user data has been misused or mishandled via utilizing this vulnerability—in any case; on the other hand, there is no proof that it hasn't.

Probably the fact that the endeavour required two separate procedures may imply that the attackers have chosen to withdraw.

Meanwhile, @ZHacker13 tested his Instagram exploit post Facebook's fix and affirmed that it no longer worked.

10,000 Clients Affected in Aegon Life Insurance Data Leak


Around 10,000 customers of Aegon Life Insurance, a joint venture between the Netherlands-based Aegon and India's Times Group, fall prey to a data leak which was caused through website's support channels, which clients used to communicate with the insurer regarding their grievances.

Reportedly, the data compromised included all the details ranging from the very basic demographic ones like name, gender, age to more specific ones such as health policy problems and annual income. It occurred due to a security vulnerability in the company's website.

Renie Ravin, Indian web developer and co-founder of the independent blogging platform, 'IndiBlogger', discovered the vulnerability which led to the data leak and reported it to the company in July 2019.

However, there is no evidence of the exposed data being illegally accessed or misused.

Referencing from the statements given by the company, "Aegon Life Insurance, India announces that a vulnerability on their website exposed information of some Indian customers who had used web forms to get in touch with Aegon Life."

"Aegon Life immediately fixed the vulnerability and have since informed all customers of this exposure. Aegon Life estimates that up to 10,000 customers were possibly affected."

"We will initiate an outreach program in the coming days to offer guidance to affected customers and to let them know what information was exposed. At Aegon Life, data security and customer privacy are of utmost importance and we will continue to be transparent with customers as we investigate further," the company added.