A selection of this week’s more interesting vulnerability disclosures and cyber security news. From a dearth of interesting items to a nice long list this week. First up is quite an amusing one in some ways; the Linux beep tool:
This one though is a little more scary and taking into account the false missile alarm in Hawaii a while back, the effectiveness of abuse in the current political climate:
Something that didn’t appear in my news feeds, and only came to our attention as it triggered an investigation into discovering an active attack on a control panel in use by others on one of our hosting providers. Apart from the obvious impact the vulnerability had on that user base (we don’t use the product ourselves), the comments in the forums in particular draw my interest because of the way the mitigation was handled.
Essentially, a web control operating on a particular port had a vulnerability in some way which resulted in take over and subsequent DDoS attacks from the that host. A number of methods used to mitigate it were sound such as noticing if a DDoS flood from a host with that port open and triggering the shutdown and/or block of network activity for that host.
Fair enough. It stops the spread and the DDoS from having an effect, however, some comments were that others were using that port for other things and for whatever reason the port was being blocked and so they were unfairly impacted by a mitigation method not applicable to them. There was all sorts of fallout with this from many sources such as the hosting, the control panel providers and the users. Its an interesting set of threads to take a look at:
- https://twitter.com/ionCube/status/983008727304429568
- https://www.digitalocean.com/community/questions/how-do-i-determine-the-impact-of-vestacp-vulnerability-from-april-8th-2018
- https://forum.vestacp.com/viewtopic.php?f=10&t=16556
The rest of the news:
