VayFul Security Issue - June 28 2024

Hi all!

Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…

📰 SECURITY BYTES

Wiz reported "Probllama" Vulnerability Exposes AI Infrastructure (CVE-2024-37032) - "Probllama" (CVE-2024-37032) threatens modern AI infrastructure. This vulnerability affects Ollama, a popular open-source project for running AI models. The exploit allows attackers to remotely execute malicious code, potentially compromising sensitive data or disrupting AI operations. #wiz #AI #rce

Popular JavaScript Library Polyfill.io Injected Malware in Over 100,000 Websites - A recent supply chain attack compromised the popular JavaScript library Polyfill.io, impacting over 100,000 websites. Hackers injected malicious code that redirects mobile users to fraudulent websites. #supply-chain-attack #JS-lib

Multiple Vulnerabilities in the Open Source CMS Bludit - Redguard AG exposes critical vulnerabilities in the open-source content management system (CMS) Bludit. These vulnerabilities, categorized as Remote Code Execution (RCE), could allow attackers to execute malicious code on a server running Bludit, potentially taking complete control of the system. #rce #open-source #cms-system

TeamViewer is compromised, customer data breached - The NCC Group alert reports a "significant compromise of the TeamViewer remote access and support platform by an APT group." This is at odds with the "evidence" that TeamViewer says indicates access is limited to its corporate environment. #APT #rce

New "Skeleton Key" Attack Exploits AI Guardrails, Microsoft Issues Fix - Microsoft warns of a novel AI attack called "Skeleton Key" that bypasses safety measures in large language models (LLMs) like GPT-3 and Google's Gemini Pro. This exploit allows attackers to trick the AI into generating harmful content or performing unauthorized actions. #LLM #AI #security

🔥 INTERESTING WRITEUPS

GitHub access token exposure - [$50,000 Bounty]

📝 BLOGS & ARTICLES

Zip Slip Meets Artifactory: Exploiting a Classic Flaw for Big Rewards - A Zip Slip vulnerability was discovered in JFrog Artifactory. It allows attackers to exploit weaknesses in archive processing to overwrite arbitrary files on the system. The article details how a security researcher successfully exploited this vulnerability in Artifactory. #ssrf #rce #jfrog

Popular Korean Messaging App KakaoTalk Vulnerable to Account Takeover - This vulnerability could have allowed attackers to take over user accounts by exploiting a weakness in how the app handled access tokens. #ATO

Nested Deserialization Flaw in Magento Exposes Sensitive Data (CVE-2024-34102) - A critical vulnerability (CVE-2024-34102) has been discovered in Magento, a popular e-commerce platform. This vulnerability, dubbed "CosmicSting," exploits a weakness in how Magento handles XML data (known as nested deserialization). Attackers could leverage this flaw to steal sensitive information from Magento stores, including cryptographic keys used for authentication. #deserialization #xxe 

Race Condition Vulnerability to bypass email confirmation - A race condition vulnerability allows attackers to bypass the email confirmation that is required for any users who want to invite other users to their organization. #email #bypass

SEI Cosmos SDK for its blockchain application vulnerable to Code Injection - Vulnerability in the popular text editor "SEI" could allow attackers to inject malicious code into users' systems. One of these issues impacted the chain’s availability, and the other its integrity. The Sei Foundation awarded me $75,000 and $2,000,000 respectively for these reports. #blockchain #code #injection

🛠️ TOOLS

FalconHound - FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool. #BloodHound #blueteam #SIEM

Kdrill - Kdrill is a tool to analyze the kernel land of Windows 64b systems (tested from Windows 7 to Windows 11). Its main objective is to assess if the kernel is compromised by a rootkit. #windows #rootkit

CVE-2024-29943 - A Pwn2Own SpiderMonkey JIT Bug: From Integer Range Inconsistency to Bound Check Elimination then RCE. #Pwn2Own #RCE

Threadsafe - A Go package providing thread-safe implementations of arrays, slices, maps, stack & queue using generics and type constraints. #go #secure #coding

🧠 TUTORIALS & SKILL-BUILDING

NIST Cybersecurity Framework v2.0, explained - This webcast covers the highly anticipated updates to the Cybersecurity Framework (CSF), Version 2.0, released by NIST in early 2024. #nist #framework

Ethical use of AI: seeking, understanding, and countering the risks - Michael Tjalve - This talk explains the ethical use of AI and how to seek, understand, and counter its risks. #AI #risks

From Core to Containers to Orchestration - Modernizing my Compute - Mike Benkovich - This video explains how containerization has altered the landscape and why going from a monolith mindset to microservices requires more than wishful thinking or a management edict. #container #orchestrations

Full-Circle Zero Trust: Ensuring No App is Left Behind in your IAM Strategy - This session moves beyond identifying gaps, offering a forward-looking blueprint to bring every application, irrespective of its native support for identity standards, under zero trust. #zero-trust #IAM #cloud

🎁 MISCELLANEOUS

Maglev's Achilles' Heel: A Deep Dive into a Chrome V8 Engine Exploit - A critical vulnerability (CVE-2023-4069) was discovered in the V8 JavaScript engine's Maglev compiler. The article explores the inner workings of the V8 compilation pipeline and sheds light on how an issue in Maglev's handling of a specific optimization ("FindNonDefaultConstructorOrConstruct") could lead to the creation of uninitialized objects. #chrome #exploitation

GPT-2 From Scratch in MLX - Train.py is ~200 lines of Python code that define and train GPT-2 from scratch using mlx and numpy as the only dependencies. #ml #gpt-2

Llama-agents - Llama-agents is an async-first framework for building, iterating, and productionizing multi-agent systems, including multi-agent communication, distributed tool execution, human-in-the-loop, and more. #llama #AI

AI scaling myths - This article challenges the hype surrounding "scaling" as the ultimate solution for achieving Artificial General Intelligence (AGI): simply throwing more data and computing power at AI models isn't a guaranteed path to human-level intelligence. #AI #scaling #myths

🎯 QUOTE OF THE DAY

"The road to success and the road to failure are almost exactly the same."

- Colin

⭐ HOW DID WE DO?

Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.

That’s a wrap!

Thank you for reading,
VayFul Team