• Sc chevron_right

    Inconsistencies in the Common Vulnerability Scoring System (CVSS) / Schneier · Friday, 1 September - 21:41 · 1 minute

Interesting research :

Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities

Abstract: The Common Vulnerability Scoring System (CVSS) is a popular method for evaluating the severity of vulnerabilities in vulnerability management. In the evaluation process, a numeric score between 0 and 10 is calculated, 10 being the most severe (critical) value. The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users. We show that specific CVSS metrics are inconsistently evaluated for widespread vulnerability types, including Top 3 vulnerabilities from the ”2022 CWE Top 25 Most Dangerous Software Weaknesses” list. In a follow-up survey with 59 participants, we found that for the same vulnerabilities from the main study, 68% of these users gave different severity ratings. Our study reveals that most evaluators are aware of the problematic aspects of CVSS, but they still see CVSS as a useful tool for vulnerability assessment. Finally, we discuss possible reasons for inconsistent evaluations and provide recommendations on improving the consistency of scoring.

Here’s a summary of the research.

  • chevron_right

    MOVEit app mass-exploited last month patches new critical vulnerability / ArsTechnica · Friday, 7 July - 19:10 · 1 minute

Stylized photo of desktop computer.

Enlarge (credit: Lino Mirgeler/picture alliance via Getty Images )

MOVEit, the file-transfer software exploited in recent weeks in one of the biggest cyberattacks ever , has received yet another security update that fixes a critical vulnerability that could be exploited to give hackers access to vast amounts of sensitive data.

On Thursday, MOVEit maker Progress Software published a security bulletin that included fixes for three newly discovered vulnerabilities in the file-transfer application. The most serious of them, tracked as CVE-2023-36934, allows an unauthenticated attacker to gain unauthorized access to the application database. It stems from a security flaw that allows for SQL injection, one of the oldest and most common exploit classes.

The vulnerability contains the same elements—and, likely, the same potentially devastating consequences—as one that came to light in late May when members of the Clop ransomware crime syndicate began mass-exploiting it on vulnerable networks around the world. To date, the Clop offensive has hit 229 organizations and spilled data affecting more than 17 million people, according to statistics tracked by Brett Callow, an analyst with security firm Emsisoft. Casualties include Louisiana and Oregon DMVs , the New York City Department of Education, and energy companies Schneider Electric and Siemens Electric.

Read 7 remaining paragraphs | Comments

  • chevron_right

    Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking / ArsTechnica · Thursday, 6 July - 19:45

Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking


The maintainers of the open-source software that powers the Mastodon social network published a security update on Thursday that patches a critical vulnerability making it possible for hackers to backdoor the servers that push content to individual users.

Mastodon is based on a federated model. The federation comprises thousands of separate servers known as "instances." Individual users create an account with one of the instances, which in turn exchange content to and from users of other instances. To date, Mastodon has more than 24,000 instances and 14.5 million users, according to , a site that tracks statistics related to Mastodon.

A critical bug tracked as CVE-2023-36460 was one of two vulnerabilities rated as critical that were fixed on Thursday . In all, Mastodon on Thursday patched five vulnerabilities.

Read 11 remaining paragraphs | Comments

  • chevron_right

    Hackers exploit WordPress plugin flaw that gives full control of millions of sites / ArsTechnica · Friday, 31 March - 22:40

Hackers exploit WordPress plugin flaw that gives full control of millions of sites

Enlarge (credit: Getty Images)

Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.

The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When those conditions are met, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.

The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:

Read 7 remaining paragraphs | Comments

  • chevron_right

    Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity / ArsTechnica · Wednesday, 29 March - 00:24 · 1 minute

Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity

Enlarge (credit: Getty Images )

Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

Read 4 remaining paragraphs | Comments

  • Sc chevron_right

    Mass Ransomware Attack / Schneier · Thursday, 23 March, 2023 - 02:56

A vulnerability in a popular data transfer tool has resulted in a mass ransomware attack :

TechCrunch has learned of dozens of organizations that used the affected GoAnywhere file transfer software at the time of the ransomware attack, suggesting more victims are likely to come forward.

However, while the number of victims of the mass-hack is widening, the known impact is murky at best.

Since the attack in late January or early February—the exact date is not known—Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files.

  • chevron_right

    Federal agency hacked by 2 groups thanks to flaw that went unpatched for 4 years / ArsTechnica · Thursday, 16 March, 2023 - 20:24

Federal agency hacked by 2 groups thanks to flaw that went unpatched for 4 years

Enlarge (credit: Getty Images)

Multiple threat actors—one working on behalf of a nation-state—gained access to the network of a US federal agency by exploiting a four-year-old vulnerability that remained unpatched, the US government warned.

Exploit activities by one group likely began in August 2021 and last August by the other, according to an advisory jointly published by the Cybersecurity and Infrastructure Security Agency, the FBI, and the Multi-State Information Sharing and Analysis Center. From last November to early January, the server exhibited signs of compromise.

Vulnerability not detected for 4 years

Both groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX, which was located in the agency’s Microsoft Internet Information Services (IIS) web server. The advisory didn’t identify the agency other than to say it was a Federal Civilian Executive Branch Agency under the CISA authority.

Read 9 remaining paragraphs | Comments