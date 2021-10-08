Security Leftovers
Really stupid “smart contract” bug let hackers steal $31 million in digital coin
Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts.
The company uses a decentralized finance protocol known as MonoX that lets users trade digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and focus on using funds for building the project instead of providing liquidity,” MonoX company representatives say here. “It works by grouping deposited tokens into a virtual pair with vCASH, to offer a single token pool design.”
An accounting error built into the company’s software let an attacker inflate the price of the MONO token and then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post. The haul amounted to $31 million worth of tokens on the Ethereum or Polygon blockchains, both of which are supported by the MonoX protocol.
Smart Contract Bug Results in $31 Million Loss
To me, this is reason enough never to use smart contracts for anything important. Human-based adjudication systems are not useless pre-Internet human baggage, they’re vital.
Mozilla Releases #Security Updates for Network Security Services
Mozilla has released security updates to address a vulnerability in Network Security Services (NSS). An attacker could exploit this vulnerability to take control of an affected system.
CISA encourages users and administrators to review the Mozilla Security Advisory for NSS and apply the necessary update.
Vulnerability in Mozilla NSS that could allow code execution when handling certificates - itsfoss.net
A critical vulnerability (CVE-2021-43527) has been identified in Mozilla's NSS (Network Security Services) cryptographic library set that could lead to malicious code execution when processing DSA or RSA-PSS digital signatures encoded using DER (Distinguished Encoding Rules). The issue, codenamed BigSig, has been fixed in NSS 3.73 and NSS ESR 3.68.1. Distribution package updates are available for Debian, RHEL, Ubuntu, SUSE, Arch Linux, Gentoo and FreeBSD. Updates for Fedora are not yet available.
The problem manifests itself in applications that use NSS to handle CMS, S/MIME, PKCS #7 and PKCS #12 digital signatures, or when verifying certificates in TLS, X.509, OCSP and CRL implementations. The vulnerability could surface in various client and server applications with TLS, DTLS and S/MIME support, as well as email clients and PDF viewers that use the CERT_VerifyCertificate() NSS call to verify digital signatures.
LibreOffice, Evolution and Evince are mentioned as examples of vulnerable applications. Potentially, the problem can also affect projects such as Pidgin, Apache OpenOffice, Suricata, Curl, Chrony, Red Hat Directory Server, Red Hat Certificate System, mod_nss for the Apache HTTP server, Oracle Communications Messaging Server and Oracle Directory Server Enterprise Edition. At the same time, the vulnerability does not appear in Firefox, Thunderbird and Tor Browser, which use a separate verification library, mozilla::pkix, that is also part of NSS. Chromium-based browsers, which used NSS until 2015 but then switched to BoringSSL, are not affected by the problem (unless specifically compiled with NSS).
This shouldn't have happened: A vulnerability postmortem
Over on the Project Zero blog, Tavis Ormandy has a lengthy postmortem on a vulnerability that he found in the Network Security Services (NSS) cryptography library. The vulnerability is a bog-standard buffer overflow that has existed in the library since 2012 despite various kinds of static analysis, testing, and fuzzing that Mozilla and others have applied to it over the years.
This shouldn't have happened: A vulnerability postmortem
This is an unusual blog post. I normally write posts to highlight some hidden attack surface or interesting complex vulnerability class. This time, I want to talk about a vulnerability that is neither of those things. The striking thing about this vulnerability is just how simple it is. This should have been caught earlier, and I want to explore why that didn’t happen.
In 2021, all good bugs need a catchy name, so I’m calling this one “BigSig”.
First, let’s take a look at the bug; I’ll explain how I found it and then try to understand why we missed it for so long.
CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus | CISA
CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory identifying active exploitation of a vulnerability—CVE-2021-44077—in Zoho ManageEngine ServiceDesk Plus. CVE-2021-44077 is an unauthenticated remote code execution vulnerability that affects all ServiceDesk Plus versions up to, and including, version 11305.
These researchers wanted to test cloud security. They were shocked by what they found
Cybersecurity researchers set up a tempting cloud honeypot to examine how cyber attackers work.
