Cisco NX-OS Software Flaw Let Attacker Trigger a DoS Attack

0
[ad_1]
Cisco NX-OS Software Flaw

A high-severity vulnerability in TACACS+ and RADIUS remote authentication for Cisco NX-OS Software might allow an unauthenticated local attacker to force an affected device to unintentionally reload.

NX-OS is a network operating system for Cisco Systems’ Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network devices. It originated from the SAN-OS operating system developed by Cisco for their MDS switches.

With a CVSS score of 7.1, this vulnerability is tagged as CVE-2023-20168.  If the exploit is successful, the attacker may be able to trigger an unexpected device reload that would create a denial of service (DoS) attack.

This vulnerability has been fixed by software updates from Cisco. There are no workarounds that address this vulnerability.

Details of the Vulnerability

Cisco stated that if the directed request option for TACACS+ or RADIUS is enabled, this vulnerability arises by incorrect input validation when processing an authentication attempt.

By providing a specially crafted string at the login prompt of a compromised device, an attacker might take advantage of this vulnerability.

“This vulnerability is due to incorrect input validation when processing an authentication attempt if the directed request option is enabled for TACACS+ or RADIUS,” Cisco said in its security advisory.

“A successful exploit could allow the attacker to cause the affected device to unexpectedly reload, resulting in a denial of service (DoS) condition.”

Affected Products

If the directed request option is enabled for TACACS+, RADIUS, or both on a vulnerable edition of Cisco NX-OS Software, it might affect the following Cisco products:

  • MDS 9000 Series Multilayer Switches (CSCwe72670)
  • Nexus 1000 Virtual Edge for VMware vSphere (CSCwe72673)
  • Nexus 1000V Switch for Microsoft Hyper-V (CSCwe72673)
  • Nexus 1000V Switch for VMware vSphere (CSCwe72673)
  • Nexus 3000 Series Switches (CSCwe72648)
  • Nexus 5500 Platform Switches (CSCwe72674)
  • Nexus 5600 Platform Switches (CSCwe72674)
  • Nexus 6000 Series Switches (CSCwe72674)
  • Nexus 7000 Series Switches (CSCwe72368)
  • Nexus 9000 Series Switches in standalone NX-OS mode (CSCwe72648)

“This vulnerability can only be exploited over Telnet, which is disabled by default, or over the console management connection. This vulnerability cannot be exploited over SSH connections to the device”, Cisco said.

To Identify Vulnerable Configuration

Use the show running-config | include the directed-request command to see if the directed request option is enabled for TACACS+ or RADIUS.

This vulnerability may affect the device if the command returns tacacs-server directed-request or radius-server directed-request.

Products Not Vulnerable

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • Nexus 9000 Series Fabric Switches in ACI mode
  • Secure Firewall 3100 Series
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects
  • UCS 6500 Series Fabric Interconnects

Fixed Software

To address this issue, Cisco has published the following SMUs.

Customers may get the SMUs from Cisco.com’s Software Centre.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


[ad_2]
Source link

Pixel Watch 2 passes another hurdle on its way to launch

0
[ad_1]

With Google‘s Fall 2023 event drawing closer, leaks about the next-gen Pixels have gotten more frequent. While the Pixel 8 series will be the star of the show, which should take place in October, the company also has the Pixel Watch 2 in the pipeline. Over the past few weeks, we have seen the new watch in various certification listings, including the FCC and Google Play Console. It has just picked up the IMDA certification as well.

The IMDA (Infocomm Media Development Authority) is a Singaporean regulatory body. It has certified the Pixel Watch 2 for launch in the country. First spotted by MySmartPrice, the second-gen Google smartwatch is listed with the model number G4TSL on its website. As revealed by the FCC earlier this month, that’s the global Bluetooth/Wi-Fi version of the watch. The IMDA confirms this, adding that the device will support 2.4GHz Wi-Fi frequency.

Google will offer a 4G/LTE version of the Pixel Watch 2

Though not seen on the Singaporean agency’s website, the Pixel Watch 2 will also be available in a 4G/LTE version. The global 4G version has the model number GC3G8, while that for the US 4G version is GD2WG. Earlier leaks and certifications have revealed that Google will equip the watch with Qualcomm’s Snapdragon W5 Gen 1 (SW5100) processor. It’s a 4nm chip with four Cortex-A53 CPU cores clocked at up to 1.7GHz.

This is a massive upgrade over the original Pixel Watch‘s Samsung Exynos 9110 SoC. The 2018 chip is built on a 10nm process node and has only two Cortex-A53 CPU cores, with the frequency topping out at just 1.15GHz. While Google isn’t adding more RAM to its new watch (still has 2GB of RAM), it has upgraded the GPU. The Qualcomm Adreno 702 GPU on the Pixel Watch 2 operates at a 1,000MHz frequency.

The upcoming Google smartwatch is also getting a marginally bigger battery (306mAh vs. 294mAh). Coupled with features like Deep Sleep and Hibernation, as well as a more efficient Snapdragon processor, the Pixel Watch 2 should deliver a much longer battery life than the first-gen model. The power improvements brought by Android 13-based Wear OS 4 should also help boost the battery life of the new watch.

There are also rumors of Google offering UWB (ultra-wideband) connectivity on the Pixel Watch 2. The device will reportedly use an NXP SR100T UWB module for more precise device tracking and potential applications. However, neither the FCC nor the IMDA confirmed this feature. We might have to wait some more time for confirmation. The Pixel Watch 2 and Pixel 8 series are expected to arrive in the first half of October.

Google Pixel Watch 2 IMDA certification


[ad_2]
Source link

Cloud hosting Provider Lost all Customer Data-Ransomware Attack

0
[ad_1]
Cloud hosting Provider Lost Data

There has been a cyber attack on two cloud hosting providers, namely CloudNordic and Azero Cloud, both of which are owned by Certiqa Holding. The cyber attack has resulted in a complete data loss for all of their customers.

The cloud attack was reportedly on Friday, 18th August 2023, at around 4 AM when CloudNordic and Azero cloud were exposed to a ransomware attack in which the threat actors shut down all the systems, including customer systems, e-mail systems, customers’ websites, and literally everything they gained access to.

Both companies mentioned that they could not and didn’t want to pay the ransom demanded by the threat actors. However, the IT teams of CloudNordic and Azero Cloud are working with external experts to get complete information about the attack and possible recreation.

Unfortunately, the companies could not recover or recreate any customer data, and they have lost every data on their customers, mail servers, web servers, etc.

Current Status

CloudNordic and Azero Cloud are extremely affected due to this cyber attack, and they have lost many critical data of customers but have re-established communications.

This means that they have now deployed blank systems, which include name servers, web servers, and mail servers. However, none of them contain any previous data.

The company has sorted out a way to restore the DNS administration interface that can enable users to get email and web working again.

Attack Explanation

As per the report submitted to Cyber Security News, both companies were attempting to migrate between data centers and had some infected systems prior to the migration, which the company had no knowledge about. 

Nevertheless, some servers used to manage all the servers were still wired to the previous network. Threat actors gained access to the administration systems with this network misconfiguration, which paved their way toward the backup systems (both primary and secondary backup).

Attackers encrypted all the systems they had access to, including all the virtual machines. Large amounts of data were reported encrypted by the ransomware, but there seems to be no evidence of data being copied.

Both companies claimed that there seemed to be no evidence of a data breach and regretted the inconvenience caused to their customers.

With the rise in cyber attacks and cybercriminals, every organization must implement multiple security measures and monitor every traffic in order to prevent these kinds of cyber attack loss.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


[ad_2]
Source link

You can now create name-less groups on WhatsApp

0
[ad_1]

WhatsApp now lets you create groups without naming them beforehand. The Meta-owned messaging app gives these groups an auto-generated name based on the saved contact names of their participants. Each participant will see a different name for the group depending on what they have named other participants on their phone.

Meta CEO Mark Zuckerberg announced the new WhatsApp feature through his official Facebook page. “Making it simpler to start WhatsApp groups by naming them based on who’s in the chat when you don’t feel like coming up with another name,” he said. Zuckerberg also broadcasted the news via his Instagram channel.

A screenshot shared with the post shows a group named “Rocco & Li-Chen,” with both being the saved contact names of its participants. Likewise, if you add contacts saved as “Mom,” “Dad,” and “Brother” to a group, the group will be automatically named “Mom, Dad & Brother.” However, “Mom,” “Dad,” and “Brother” will each see a name unique to the other. For unsaved contacts, the phone number will appear in the name.

Of course, you can always change the group’s name after creating it. Depending on the settings, other participants may also be able to edit the group’s name. But this feature can come in handy if you want to quickly share a message with a group of friends or when you need to create a temporary group for sharing vacation photos. Just add the participants and you’re done. Don’t bother naming the group.

That said, WhatsApp only lets you create name-less groups with a maximum of six participants, including you. If you have selected more participants (up to 1,024 allowed), you must name it. As a workaround, you can add more participants later after initially picking five or fewer. It’s unclear whether the feature was supposed to work this way or if it’s a bug, but we could add many more people to a name-less group after creating it.

WhatsApp is already rolling out the name-less group feature

The new WhatsApp feature is now rolling out to users globally. It should be available to everyone on Android, iOS, and the desktop client over the next few days. Update the app to check if the name-less group feature is already live for you. If available, you will see that names are optional for groups with six or fewer members. You can click the button below to download the latest version of WhatsApp from the Google Play Store.

DOWNLOAD WHATSAPP


[ad_2]
Source link

Google fixes a specific Calendar interaction with Microsoft Outlook

0
[ad_1]

Microsoft’s Outlook has many issues, especially when it comes to its interaction with other apps, but this one seems have been a Google problem. The company’s Calendar app doesn’t work that well with Microsoft’s Outlook in some cases, so it makes sense for Google to want to iron out these issues.

In this regard, Google has just confirmed that it fixed one of those interaction issues between Calendar and Outlook, and while it might seem minor at first glance, this is a very important feature for those who use both apps to organize their meetings.

As per Google’s announcement, an issue with displaying an Outlook user’s name on Calendar has just been addressed. Previously, if an Outlook user invited a Google Calendar user to a meeting event, the former’s display would not appear in the list of meeting attendees on Google Calendar.

We’re happy to report that this bug has not been fixed, so the Outlook user who organized the meeting finally listed among the other meeting attendees in Calendar as the meeting organizer.

According to Google, all Workspace customers and users with personal Google Accounts will be getting the fix gradually in the next two weeks starting on August 24.

[ad_2]
Source link

Hackers Continue to Exploit Barracuda ESG Zero-Day Flaw

0
[ad_1]

The recent discovery of a zero-day vulnerability (CVE-2023-2868) in Barracuda Networks Email Security Gateway (ESG) appliances has brought significant concern. 

CVE-2023-2868 is a remote command injection vulnerability that grants unauthorized execution of system commands with administrator privileges on Barracuda ESG appliances. 

Notably, this vulnerability affects ESG versions 5.1.3.001-9.2.0.006 in the appliance form factor. The vulnerability is exploited during the email attachment screening process. 

Cyber actors can format TAR file attachments in a specific manner and send them to an email address linked to a domain with an ESG appliance. 

This malicious attachment triggers a command injection, allowing the execution of commands within the ESG with its privileges. More details about Barracuda’s zero-day vulnerability can be found here.

Exploitation by Suspected PRC Cyber Actors

Evidence of the exploitation of Barracuda ESG appliances emerged in October 2022. 

Suspected PRC cyber actors utilized emails with malicious attachments to target victims. 

Initially, attachments had “.tar” extensions, later evolving to different formats like “.jpg” or “.dat.” 

Upon scanning, these files initiated a connection to a domain/IP controlled by the actors, establishing a reverse shell and enabling further commands on the ESG device. 

Following the compromise, actors injected various malicious payloads to gain persistent access, scan emails, harvest credentials, and exfiltrate data.

The vulnerability’s exploitation involves formatting malicious attachments to trigger command injection. 

Exploited ESG appliances remain at risk even after patches have been applied. The FBI urges immediate isolation and replacement of affected ESG appliances. 

The attackers’ advanced techniques include counter-forensics, making detection challenging. 

Networks must be scanned for connections to provide indicators of compromise.

The FBI released a list that includes domains and IP addresses utilized by the attackers for malicious activities through an investigation.

The cyber division of the FBI also published recommended Barracuda mitigations for this exploitation.

  • Remove all ESG appliances immediately.
  • Conduct scans for outgoing connections using provided indicators.
  • Investigate and revoke compromised credentials.
  • Revoke and reissue certificates present during the compromise.
  • Monitor the entire network for signs of data exfiltration and lateral movement.
  • Capture forensic images and conduct a thorough analysis.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


[ad_2]
Source link

Google Pixel 8 could offer a new way to reply to notifications using voice

0
[ad_1]

It seems like the Pixel 8 series could usher in a new way to reply to notifications by using your voice. This information comes from Mishaal Rahman, and it seems like this feature would work similarly to what Android Auto offers. The thing is, it would work on your phone, and without any prompts.

Google could offer a new way to reply to notifications using voice, coming to Pixel 8 first

Rahman managed to find some evidence of this in the Android code. You basically should be able to use Google Assistant to dictate what you want to say. The thing is, this feature looks to cut out the Google Assistant prompt that is present on Android Auto.

So, how exactly would this work? Well, when you receive a message, you’ll be able to say “Hey Google, reply”, or simply say “reply”. At that point, Google Assistant will immediately allow you to dictate your message.

This would be a massive improvement over today’s system. At the moment, you can read your message, and then say “Hey Google, send a message to [contact name]”. So, you can basically do things from scratch. This would make things a lot easier, seamless.

It’s expected to launch with the Pixel 8, but that doesn’t have to be the case

Now, this could launch with the Google Pixel 8 series, but that’s just a wild guess at this point. Even Mishaal said that he’s not sure. It could launch later on, as part of a Pixel Feature Drop, or something like that.

One thing is quite certain, though, this feature will first launch on the Pixel 8 series. Google tends to make such new features available on its latest phones first, which makes sense. Then, later on, they trickle down to other devices.

That will likely happen with this feature too. This doesn’t seem to need any special hardware, or anything of the sort. So, nothing is stopping Google from offering the feature on a bunch of other Pixels.


[ad_2]
Source link

WhatsApp’s latest update: Now you can send videos in HD quality

0
[ad_1]

It may be summer, but there is no vacation in sight for the WhatsApp team, as the app has been on a roll these last few weeks. New updates and features are coming regularly, and as promised earlier by Meta, one more is rolling out.

According to 9to5Mac, WhatsApp now supports HD video. When the update arrives on your phone, you will notice that when sending a video, you get the option to choose HD quality. Simply tap the resolution button before sending a video, and you can pick between Standard quality and HD quality.

Standard quality, which was the only option until now, compresses video files to 480p resolution, which, to be honest, is quite low quality, given that many smartphones these days shoot not only at 1080p but also 4K and 8K resolution for video. But sure, choosing the Standard quality option can be helpful, especially if you’re dealing with limited data or have a slower internet connection.

The new HD quality option sends videos in 720p resolution, which, while not the highest, is a significant improvement over 480p. Before sending an image or video, WhatsApp will display the file size for each available option.

If you’ve recorded something truly incredible in 4K or higher resolution and want to share it with your friends without sacrificing quality, you can simply opt to send the video in its original resolution as a document.

The option to send videos in HD quality comes just a little while after WhatsApp’s recent update brought support for high-resolution photos. In addition, the option to share your screen during video calls was also just introduced. WhatsApp might also introduce passkeys soon, as well as new text formatting tools.


[ad_2]
Source link

How to choose the best reverse phone lookup service

0
[ad_1]

Unfortunately, harassment, prank calls, and repeated scam calls are a fact of modern life. Our phones are so useful, but they make us eternally available to anyone who can find our number. While many of these calls are easy to ignore, there are some that can be persistently irritating or frightening because of their content. Finding out who is behind such calls can be the first step in putting a stop to them.

Using a reverse phone lookup site can help you to gather information on the owner of an unknown number. We’re here to tell you everything you need to know about services like these and how to choose the right one for you.

What Information Do Reverse Phone Number Lookup Sites Provide?

Phone number lookup sites are, in essence, reverse phone books. While a phone book lets you use someone’s name to find any public phone numbers associated with them, these services let you use a phone number to find out who it is associated with.

However, reverse phone lookup services can also provide other information. How much information you can get from a search generally depends on whether the service is free or not. You can usually find out who owns a phone number as well as some basic, publicly available information when you undertake a reverse phone lookup for free, but paid services offer more.

For example, a paid service might also provide known addresses for the number’s owner, their public criminal record, and even their employment history. This can be incredibly useful if someone is harassing you.

Are Phone Number Lookup Sites Legal?

Legitimate reverse phone lookup sites are perfectly legal, because they only provide publicly available information. Any phone number lookup service that claims to be able to provide private information such as medical records or social security information are either lying or breaking the law. Never engage with sites that claim to give access to private information like this.

How to Choose the Best Reverse Number Lookup Sites for You

When you find yourself in need of a reverse number lookup service, it can be hard to know which provider is the right one for you. There are a few factors to consider if you want to get the best possible results from your search. These are the most important:

Database Size

The size of a company’s database directly impacts how much information they will be able to provide you with and your chance of identifying the number you are looking for. Some services only use the National Caller ID Database, which seriously reduces the chance that they will be able to identify the number and provide more information.

Ideally, you should look for companies that use public records, such as court records, census records, and other public databases.

Cost

When money is tight, finding a comprehensive free service is ideal. However, even free reverse phone lookup sites limit the information they provide for free. If you need a detailed report, look for sites that use many public databases and provide detailed reports, then cross-reference the cost associated with each service.

Privacy

Reverse phone number lookup sites may be a way to find information, but you should take time to be certain that they are protecting your privacy at the same time. Research to find sites that use security and encryption technology to protect your search history. High quality companies in this industry should have strict policies against spam, harassment, and other forms of abuse.

Report Generation Details

The kind of report a company provides, how detailed it is, the format it is provided in, and how long it takes to generate such a report is important. Big sites will have millions, if not billions, of records to check when you make a search, so it’s important to choose one that has the infrastructure to make this a quick process. What’s more, if you are getting a detailed report, it should be downloadable so you can read it at your leisure.

How to Use a Reverse Phone Lookup Site

When you find a site you like, it’s time to make your search. If you have to make an account to perform a search, do this first, but after this point, you should only need the number in question to make a search. Most of these sites function in the same way as search engines do, so enter the number and begin your hunting.


[ad_2]
Source link

You’ll be able to use a stylus with your Pixel Tablet soon

0
[ad_1]

The Google Pixel Tablet checks a lot of boxes (see how many it checks in our review), but there’s something that people have been pining for. This device doesn’t have stylus support yet; however, that’s going to change. According to Mishaal Rahman, the Pixel Tablet is going to gain stylus support soon.

This is Google’s first tablet in years, and it’s the fourth entry into the Pixel ecosystem of devices. What makes it stand out is the included charging dock that charges it and acts as a speaker. While docked, it will basically turn into a Nest Hub speaker. It’s a highly-reviewed device, and you can pick one up for only $499.

The Pixel Tablet will gain stylus support soon

Sometimes, people want to interact with their tablet using more than just their fingers. Using a stylus is great for people who want to sign documents, jot down handwritten notes, and draw. This is why it was a good idea for Google to run this tablet through the USI (Universal Stylus Initiative) certification.

While the device got the certification, people aren’t able to use styluses on it out of the box. Folks were confused about this because of the certification. If you bought this tablet with the hope of writing on it, don’t worry, your wait will soon end.

Android analyst Mishaal Rahman just posted a tweet showing us what Google has planned for the tablet. Backing up, we covered the story of Google working on a way to let you use handwriting in every text field.

Well, according to the tweet, Google is ready to roll that out too. When you go into your settings, you’ll see a new menu under the Connected Devices section. You’ll be able to adjust the settings for your stylus. You’ll be able to test out writing on the tablet to get a sense of how you should adjust the settings.

While we don’t have a timetable for when to expect this new feature, it shouldn’t be too long. If you’re looking to pick up a Pixel Tablet in the meantime, click the link below.

Buy the Pixel Tablet


[ad_2]
Source link