Related Posts

Serious Vulnerabilities Discovered in Treck TCP/IP Stack Impacting Millions of IoT Devices

The US Cybersecurity Infrastructure and Security Agency (CISA) has issued a warning regarding significant vulnerabilities in a low-level TCP/IP software library created by Treck. If exploited, these vulnerabilities could enable remote attackers to execute arbitrary commands and conduct denial-of-service (DoS) attacks. The identified flaws affect Treck TCP/IP stack version 6.0.1.67 and earlier, and were reported to Treck by Intel. Among these, two are classified as critical. Treck’s embedded TCP/IP stack is widely utilized across various sectors, including manufacturing, information technology, healthcare, and transportation.

The most critical vulnerability is a heap-based buffer overflow (CVE-2020-25066) found in the Treck HTTP Server component, which may allow an attacker to crash or reset the target device and potentially execute remote code, receiving a CVSS score of 9.8 out of 10. The second flaw, an out-of-bounds write within the IPv6 component (CVE-2020-27337), also poses a significant threat with a CVSS score of 9.1.

Google Unveils Unpatched and Poorly Fixed Windows 0-Day Vulnerability

Dec 24, 2020

Google’s Project Zero team has disclosed details about a poorly addressed zero-day security flaw in the Windows print spooler API, potentially allowing malicious actors to execute arbitrary code. The flaw was made public after Microsoft failed to resolve it within 90 days of responsible disclosure on September 24. Initially identified as CVE-2020-0986, the vulnerability involves an elevation of privilege exploit in the GDI Print / Print Spooler API (“splwow64.exe”) reported to Microsoft by an anonymous user collaborating with Trend Micro’s Zero Day Initiative (ZDI) in late December 2019. With no patch provided for nearly six months, ZDI publicly issued a zero-day advisory on May 19, which led to exploitation in a campaign known as “Operation PowerFall” targeting an unnamed South Korean company. “splwow64.exe” is a core Windows system binary that facilitates 32-bit application compatibility.