From Security Weekly Wiki
#[https://www.securityweek.com/critical-code-execution-vulnerability-found-goahead-web-server Critical Code Execution Vulnerability Found in GoAhead Web Server] - ''Developed by EmbedThis, GoAhead is advertised as the “world's most popular tiny embedded web server.” Both open-source and enterprise versions are available and the vendor says GoAhead is present in hundreds of millions of devices. A Shodan search for GoAhead currently shows over 1.3 million internet-connected systems. The critical GoAhead vulnerability discovered by Talos is related to how multi-part/form-data requests are processed. An unauthenticated attacker can exploit this weakness to trigger a use-after-free condition and execute arbitrary code on the server by sending specially crafted HTTP requests. The security hole is tracked as CVE-2019-5096 and it has been assigned a CVSS score of 9.8.''
#[https://www.helpnetsecurity.com/2019/12/03/aws-iam-access-analyzer/ Control access and permissions to AWS services and resources] - If you are in AWS, you should use this: ''Resource policies allow customers to granularly control who is able to access a specific resource and how they are able to use it across the entire cloud environment. With one click in the IAM console, customers can enable the analyzer across their account to continuously analyze permissions granted using policies associated with their Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions.'' While there are other solutions out there for this, it doesn't hurt to enable additional monitoring, as your cloud configuration likely changes a lot.
#[https://arstechnica.com/information-technology/2019/12/new-crypto-cracking-record-reached-with-less-help-than-usual-from-moores-law/ New crypto-cracking record reached, with less help than usual from Moore's Law]