Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142PUBLISHED: 2023-03-27In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143PUBLISHED: 2023-03-27In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144PUBLISHED: 2023-03-27Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145PUBLISHED: 2023-03-27Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655PUBLISHED: 2023-03-27Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.
User Rank: Apprentice
3/15/2013 | 4:46:32 AM
Lately, I've been asking myself whether the lack of 'success' achieved by DiD is due entirely to the factors already mentioned by many of those who responded to this article or if in fact its our 'thinking' about such strategies that is really the issue. Reading the quotes in this article, I was reminded of that line from Samuel Beckett's play, 'Waiting for Godot" .. -á-áThereGÇÖs man all over for you, blaming on his boots the faults of his feet".-á
It's my view that while there is ample evidence that the DiD strategy, when executed incorrectly, does not-áyield-áthe expected results; it can also be argued that successful, ongoing-áexecution of the strategy relies too heavily on factors and resources not readily available to most users (knowledge, skills, etc.)
It also is apparent that our 'adversaries' have the-áadvantage-áof fighting a-águerrilla-style-áwar against security professionals in which the very tools we use to blunt their attacks are being turned against us. I've noticed an inherently,-áasymmetrical aspect to each battle-ásecurity professionals fight; -áthe advantage is our adversaries' learn more about our defenses,-áadapt-áfaster, and with greater agility of deployment than we obtain from our analysis of their attacks. The evidence cited by the article about the continuing increase in security breaches despite greater security spend suggests that we defenders are missing something-áfundamental in our attempts to build better security systems and controls.-á
So in what new direction should we be looking to find a way to turn the tide of this war in our favor? I've taken a closer look at the fundamental underpinnings of my own approach to thinking about security strategy and I found a few insightful and thought-provoking ideas in the work done by-áJames A. Dewar of the RAND Corporation on Assumption-Based Planning (ABP) and that of Prof. Richard Heeks of the University of Manchester's, "design reality gap" model. I hope to have a paper submitted to ISACA by the end of the summer which discusses how one might apply these ideas to develop a new-áapproach in-ábuilding security infrastructure.-á