#git

Disney was hit by two major 2024 cyberattacks, an ex-employee’s sabotage and a hacker’s AI trap, exposing internal…

## Impact: A security issue has been found in `terraform-provider-windns` before version `1.0.5`. The `windns_record` resource did not santize the input variables. This can lead to authenticated command injection in the underlyding powershell command prompt. ## Patches: [`83ef736 (fix: better input validation)`](https://github.com/nrkno/terraform-provider-windns/commit/c76f69610c1b502f90aaed8c4f102194530b5bce) ## Fixed versions: - `v1.0.5`

### Affected Environments Note that this issue only affects the V0 engine, which has been off by default since v0.8.0. Further, the issue only applies to a deployment using tensor parallelism across multiple hosts, which we do not expect to be a common deployment pattern. Since V0 is has been off by default since v0.8.0 and the fix is fairly invasive, we have decided not to fix this issue. Instead we recommend that users ensure their environment is on a secure network in case this pattern is in use. The V1 engine is not affected by this issue. ### Impact In a multi-node vLLM deployment using the V0 engine, vLLM uses ZeroMQ for some multi-node communication purposes. The secondary vLLM hosts open a `SUB` ZeroMQ socket and connect to an `XPUB` socket on the primary vLLM host. https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L295-L301 When data is received on this `SUB` socket, it is deserializ...

About Remote Code Execution & Arbitrary File Reading – Apache HTTP Server (CVE-2024-38475) vulnerability. Improper escaping of output in mod_rewrite module leads to remote code execution or arbitrary file reading. Successful exploitation does not require authentication. 🔻 Apache HTTP Server 2.4.60, which includes a fix for this vulnerability, was released on July 1, 2024. Orange […]

A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to anyone who asked for it.

New research shows Google Cloud and smaller providers have the highest cloud vulnerability rates as compared to AWS…

Security policies like [`allowed-gadgets`](https://inspektor-gadget.io/docs/latest/reference/restricting-gadgets), [`disallow-pulling`](https://inspektor-gadget.io/docs/latest/reference/disallow-pulling), [`verify-image`](https://inspektor-gadget.io/docs/latest/reference/verify-assets#verify-image-based-gadgets) can be bypassed by a malicious client. ### Impact Users running `ig` in daemon mode or IG on Kubernetes that rely on any of the features mentioned above are vulnerable to this issue. In order to exploit this, the client needs access to the server, like the correct TLS certificates on the `ig daemon` case or access to the cluster in the Kubernetes case. ### Patches The issue has been fixed in v0.40.0 ### Workarounds There is not known workaround to fix it.

The communications app TeleMessage, which was spotted on former US national security adviser Mike Waltz's phone, has suspended “all services” as it investigates reports of at least one breach.

### Summary A LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information. ### Details `XMLToolMessage` uses `lxml` without safeguards: https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52 `lxml` is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. Check here: https://pypi.org/project/defusedxml/#python-xml-libraries ### PoC A typical Quadratic blowup XML payload looks like this: ```xml <!DOCTYPE bomb [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> ]> <bomb>&c;</bomb> ``` Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application. ### Fix Langroid 0.53.4 initializes `XMLParser` with...

The fix to https://cantina.xyz/code/c486d600-bed0-4fc6-aed1-de759fd29fa2/findings/21 has a typo that still results in the highest limb of `pc` being range checked to 8-bits instead of 6-bits. In the AIR, we do https://github.com/openvm-org/openvm/blob/0f94c8a3dfa7536c1231465d1bdee5fc607a5993/extensions/rv32im/circuit/src/auipc/core.rs#L135 ``` for (i, limb) in pc_limbs.iter().skip(1).enumerate() { if i == pc_limbs.len() - 1 { ``` It should be ``` for (i, limb) in pc_limbs.iter().enumerate().skip(1) { ``` Right now the if statement is never triggered because the enumeration gives `i=0,1,2` when we instead want `i=1,2,3`. What this means is that `pc_limbs[3]` is range checked to 8-bits instead of 6-bits. This leads to a vulnerability where the `pc_limbs` decomposition differs from the true `pc`, which means a malicious prover can make the destination register take a different value than the AUIPC instruction dictates, by making the decomposition overflow t...