VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform

VMware on Tuesday shipped security updates to address a critical flaw in its VMware Cloud Foundation product.

Tracked as CVE-2021-39144, the issue is rated 9.8 out of 10 on the CVSS scoring system and stems from a remote code execution vulnerability in the XStream open source library, which the product uses to deserialize input.

“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” the company said in an advisory.

22-Year-Old Vulnerability Reported in Widely Used SQLite Database Library

A high-severity vulnerability has been disclosed in the SQLite database library. It was introduced by a code change dating all the way back to October 2000 and could enable attackers to crash or take control of programs that embed the library.

Tracked as CVE-2022-35737 (CVSS score: 7.5), the 22-year-old issue affects SQLite versions 1.0.12 through 3.39.1 and was fixed in version 3.39.2, released on July 21, 2022.

“CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled,” Trail of Bits researcher Andreas Kellas said in a technical write-up published today.

“Arbitrary code execution is confirmed when the library is compiled without stack canaries, but unconfirmed when stack canaries are present, and denial-of-service is confirmed in all cases.”
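Because the fix landed in a point release and SQLite is statically embedded in a great many programs, the first practical question is which builds fall inside the affected range. The following is an added example, not code from the article, from SQLite or from Trail of Bits; the version range is the one stated above, and the function names are this example's own.

```python
"""Is this SQLite build inside the CVE-2022-35737 affected range?

Added example, not code from the article, SQLite or Trail of Bits. The range
(1.0.12 through 3.39.1, fixed in 3.39.2) comes from the article; the
function names are this example's own.
"""
import re
import sqlite3

AFFECTED_MIN = (1, 0, 12)   # first affected version, per the write-up
FIXED_IN = (3, 39, 2)       # first version carrying the fix


def parse_version(version: str) -> tuple:
    """'3.39.1' -> (3, 39, 1).

    Tolerates distro suffixes such as '3.39.2-r1' (extra numbers are ignored)
    and pads short strings ('3.39' -> (3, 39, 0)).
    """
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True when the version string falls in [1.0.12, 3.39.2)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def runtime_report() -> dict:
    """Report the SQLite C library linked into this interpreter.

    sqlite3.sqlite_version is the library version; sqlite3.version (the
    module's own version number) is unrelated and a common source of confusion.
    """
    version = sqlite3.sqlite_version
    return {"sqlite_version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(runtime_report())
```

Treat the result as a screening step only. Distribution packages routinely backport fixes without bumping the upstream version string, so a build reporting 3.39.1 may already be patched (check the package changelog), and every application that bundles its own copy of SQLite must be checked separately. The version also says nothing about the exploitability question raised in the quotes above: whether a crash can be turned into code execution depends on how that particular copy was compiled, not on its version number.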

Hive Ransomware Hackers Begin Leaking Data Stolen from Tata Power Energy Company

The Hive ransomware-as-a-service (RaaS) group has claimed responsibility for a cyber attack against Tata Power that was disclosed by the company less than two weeks ago.

The incident is said to have occurred on October 3, 2022. The threat actor has also been observed leaking stolen data exfiltrated prior to encrypting the network as part of its double extortion scheme.

This allegedly comprises signed client contracts, agreement documents, as well as other sensitive information such as emails, addresses, phone numbers, passport numbers, taxpayer data, among others.

The Mumbai-based firm, which is India’s largest integrated power company, is part of the Tata Group conglomerate.

Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog

Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, both of which can be abused by an ordinary domain user to cause a denial-of-service (DoS) against other machines in the domain.

The exploits, dubbed LogCrusher and OverLog by Varonis, take aim at the Microsoft EventLog Remoting Protocol (MS-EVEN), which exposes a machine's event logs to remote clients.

While the former allows “any domain user to remotely crash the Event Log application of any Windows machine,” OverLog causes a DoS by “filling the hard drive space of any Windows machine on the domain,” Dolev Taler said in a report shared with The Hacker News.

OverLog has been assigned the CVE identifier CVE-2022-37981 (CVSS score: 4.3) and was addressed by Microsoft as part of its October 2022 Patch Tuesday updates. LogCrusher, however, remains unresolved.

How Software Supply Chain Security Is Threatened by Hackers

Introduction

In many ways, the software supply chain is similar to that of manufactured goods, which we all know has been largely impacted by a global pandemic and shortages of raw materials.

However, in the IT world, it is not shortages or pandemics that have been the main obstacle in recent years, but attacks that abuse the supply chain itself to harm hundreds or even thousands of victims at once. If you have heard of a cyber attack between 2020 and today, it is likely that the software supply chain played a role.

When we talk about an attack on the software supply chain, we are actually referring to two successive attacks: one that targets a supplier, and one that targets one or more downstream users in the chain, using the first as a vehicle.

In this article, we will dive into the mechanisms and risks of the software supply chain by looking at a typical weakness of the modern development cycle: the presence of hard-coded credentials, or “secrets” (API keys, access tokens, passwords, private keys), in the digital assets of companies, such as source code, configuration files and build logs. We will also see how companies are adapting to this new situation by taking advantage of continuous improvement cycles.
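To make the “secrets in digital assets” problem concrete, here is an added example of the kind of check a scanner runs over a repository or a CI log; it is not code from the article or from any vendor it mentions. The rule set is deliberately small, and the sample input is constructed for illustration (the AWS values are the placeholder credentials AWS uses in its own documentation, the GitHub token is a made-up string in the real format).

```python
"""Minimal secrets scanner for source files and CI logs.

Added example, not code from the article or from any vendor it mentions.
The rule set and SAMPLE input below are constructed for illustration; a
production scanner ships hundreds of provider-specific rules.
"""
import math
import re
from collections import Counter

# Provider tokens with a fixed prefix can be matched exactly.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch: an assignment to a secret-looking name whose value is long
# and random-looking (high entropy), regardless of provider format.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; tuned per repository in practice


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep a short prefix so a finding is identifiable without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return one finding per matched rule: dicts with line, rule and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "rule": rule, "masked": mask(m.group(0))})
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"line": lineno, "rule": "high_entropy_assignment",
                                 "masked": mask(value)})
    return findings


# Constructed sample input. The AWS values are the documentation placeholders
# AWS publishes; the GitHub token is a made-up string in the real format.
SAMPLE = """\
# constructed sample: lines a scanner would see in a repo or CI log
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
password = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']:>3}  {f['rule']:<24}  {f['masked']}")
```

Two design points are worth noting. Findings are reported masked, because a scanner that prints the full secret into a CI log has just created a second leak. And the generic entropy rule deliberately misses the short, human-chosen `password = "changeme"` on the sample's sixth line: that is the classic gap of entropy-based detection, which is why real scanners pair it with wordlists and provider-specific rules, and why every hit still needs a human to confirm and rotate.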

The supply chain, at the heart of the IT development cycle

What is the supply chain?

Today, it is extremely rare to see companies producing software 100% in-house. Whether it’s open source libraries, developer tools, on-premise or cloud-based deployment and delivery systems, or software-as-a-service (SaaS) services, these building blocks have become essential in the modern software factory.

Each of these “bricks” is itself the product of a long supply chain, making the software supply chain a concept that encompasses every facet of IT: from hardware, to source code written by developers, to third-party tools and platforms, but also data storage and all the infrastructures put in place to develop, test and distribute the software.

The supply chain is a layered structure that allows companies to implement highly flexible software factories, which are the engine of their digital transformation.