
Old Cisco Routers Won’t Be Patched Against RCE Bug

Remote management needs to be blocked.

Cisco has disclosed two critical vulnerabilities in a number of small business routers, along with high-severity vulnerabilities in three other products.

In its first patch release for 2023, the networking giant said its RV016, RV042, RV042G and RV082 routers are vulnerable to an authentication bypass bug (CVE-2023-20025) and a remote command execution (RCE) bug (CVE-2023-20026).

The authentication bypass can be exploited by sending crafted HTTP requests to the routers' web-based management interface; a successful exploit gives the attacker root access on the underlying operating system without any credentials.

The RCE bug is triggered through the same interface, but can only be exploited by a remote attacker who already holds valid administrative credentials for the affected device.

Cisco said it is aware of proof-of-concept code for the vulnerabilities.

The affected units have reached end-of-life and will not be patched. As a mitigation, admins can disable remote management and block access to TCP ports 443 and 60443. Note that this only removes exposure on the WAN side: the management interface stays reachable from the LAN, so anyone with a foothold on the internal network can still reach the vulnerable service, and replacing the hardware remains the only full fix.

“A successful exploit could allow the attacker to cause all subsequent requests to be dropped, resulting in a DoS condition,” the advisory stated.


Tiny throat mic can detect and broadcast silently mouthed words

A small patch worn on the throat can pick up even silently mouthed speech and broadcast it, which could help some people who are unable to speak

A patch worn outside the throat can detect your speech and broadcast it even when you silently mouth words. It could help workers in noisy environments or people with speech difficulties communicate.

Some throat microphones already exist, but they tend to be bulky and can only detect vibrations from quiet speech, not silently mouthed words.

To improve on this, Qisheng Yang at Tsinghua University in Beijing, China, and his colleagues have created a patch just 25 micrometres thick and …


Python’s PyPI registry suffers another supply-chain attack

PyTorch-nightly dependency compromised.

Unknown attackers have compromised a package in the Python PyPI registry, injecting a malicious binary into it, the maintainers of the open source machine learning framework PyTorch are warning.

The compromised package is torchtriton, which is part of the Triton language and compiler used for writing custom deep-learning primitives. PyTorch maintainers said the compromised dependency affected the nightly release of their code, but not the stable packages.

The malicious torchtriton build would gather system information such as nameservers, the logged-in username, the working directory and operating system environment variables. It would also read system files and files in the user's home directory, and upload the collected data to an attacker-controlled server via encrypted domain name system (DNS) queries.

Users who installed PyTorch-nightly between December 26 and December 31 Australian time are advised to uninstall the torch, torchvision, torchaudio and torchtriton packages, and use newer binaries instead.

The torchtriton package has been replaced as a dependency for PyTorch with pytorch-triton, and a placeholder package has been registered on PyPI under the old name to avoid a repeat of the issue.
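The exfiltration channel described above (host data smuggled out inside DNS queries) is the kind of activity a resolver log can surface, because each chunk of stolen data becomes a long, random-looking subdomain under the attacker's domain. The detector below is an added example, not code from the PyTorch project or from the original article: it parses a constructed resolver log in an assumed `<unix_ts> <client_ip> <qname>` format and flags client/domain pairs that issue many distinct, long, high-entropy subdomains. The sample log lines, the domain `example-exfil.test`, the thresholds and the "registered domain = last two labels" shortcut are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Assumed format:
# "<unix_ts> <client_ip> <queried_name>", one query per line.
# Client 10.0.0.12 mixes normal package-index lookups with a burst of
# long base32-looking labels under an attacker-controlled domain.
SAMPLE_LOG = """\
1672131600 10.0.0.7 pypi.org
1672131600 10.0.0.7 files.pythonhosted.org
1672131601 10.0.0.12 pypi.org
1672131601 10.0.0.12 files.pythonhosted.org
1672131602 10.0.0.12 download.pytorch.org
1672131603 10.0.0.12 nfxgc3lfojqw2zlomv2gk3dmmfxgg2lp.example-exfil.test
1672131603 10.0.0.12 mfxgi3djov2gc3lfebxwg3dmmfwgg5dt.example-exfil.test
1672131604 10.0.0.12 onqw4zlmmvuw4zlsebxgc3lfoj2gc3lf.example-exfil.test
1672131604 10.0.0.12 pbwwk3dvonqw4zlsebzws4dlmvzgkzlt.example-exfil.test
1672131605 10.0.0.12 ovzgkzjamfwgk3tlmvzgs5djmvxc4bbs.example-exfil.test
1672131605 10.0.0.12 mrqwyzlomvwgk5tfon2gk5lcmrsw4zjo.example-exfil.test
1672131606 10.0.0.12 m5uxi2dvmjxhg43imuxgg33ofzwg6ylm.example-exfil.test
1672131606 10.0.0.12 ojsxg4tbnrzs43dpo5qw45djnz4gc4tf.example-exfil.test
1672131610 10.0.0.7 api.github.com
1672131611 10.0.0.7 www.github.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, registered_domain).

    Assumption for this example: the registered domain is the last two labels.
    A real deployment should use the public suffix list (co.uk, com.au, ...).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def find_exfil_candidates(log_text, min_unique=5, min_mean_len=20, min_entropy=3.0):
    """Flag (client, domain) pairs whose subdomains look like encoded payloads.

    Three signals are combined so that a single odd lookup is not enough:
    many distinct subdomains, long subdomain strings, and high per-character
    entropy (encoded data, not words). Thresholds are example values.
    """
    groups = defaultdict(set)
    for _ts, client, qname in parse_log(log_text):
        sub, dom = split_name(qname)
        groups[(client, dom)].add(sub)

    findings = []
    for (client, dom), subs in groups.items():
        subs = [s for s in subs if s]  # ignore bare apex queries such as pypi.org
        if len(subs) < min_unique:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_len >= min_mean_len and mean_ent >= min_entropy:
            findings.append({
                "client": client,
                "domain": dom,
                "unique_queries": len(subs),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            })
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_LOG):
        print(finding)
```

Run against real resolver logs, the thresholds need tuning per environment: CDN and anti-spam services legitimately generate long hashed labels, so the output is a triage list, not a verdict. The check also assumes the client actually uses the monitored resolver; malware that speaks DNS over HTTPS to a public resolver never appears in these logs, which is one reason egress filtering of direct DNS/DoH from build hosts matters.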

According to security vendor Snyk, the torchtriton package receives just over 2700 downloads a week on average and is not considered a popular dependency.

PyTorch said it has contacted the PyPI security team to get ownership of the torchtriton name and to delete the malicious version.

The PyPI registry has suffered several supply-chain attacks over the past few years in which malicious code was injected into packages.