Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-38129 | PUBLISHED: 2022-08-10
A path traversal vulnerability exists in the com.keysight.tentacle.licensing.LicenseManager.addLicenseFile() method in the Keysight Sensor Management Server (SMS). This allows an unauthenticated remote attacker to upload arbitrary files to the SMS host.
CVE-2022-38130 | PUBLISHED: 2022-08-10
The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file (i.e., \\<at...
CVE-2022-37024 | PUBLISHED: 2022-08-10
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 (125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution.
CVE-2022-37003 | PUBLISHED: 2022-08-10
The AOD module has a vulnerability in permission assignment. Successful exploitation of this vulnerability may cause permission escalation and unauthorized access to files.
CVE-2022-37004 | PUBLISHED: 2022-08-10
The Settings application has a vulnerability of bypassing the out-of-box experience (OOBE). Successful exploitation of this vulnerability may affect the availability.
User Rank: Apprentice
3/15/2013 | 4:46:32 AM
Lately, I've been asking myself whether the lack of 'success' achieved by DiD is due entirely to the factors already mentioned by many of those who responded to this article or if in fact it's our 'thinking' about such strategies that is really the issue. Reading the quotes in this article, I was reminded of that line from Samuel Beckett's play 'Waiting for Godot': "There's man all over for you, blaming on his boots the faults of his feet".
It's my view that while there is ample evidence that the DiD strategy, when executed incorrectly, does not yield the expected results, it can also be argued that successful, ongoing execution of the strategy relies too heavily on factors and resources not readily available to most users (knowledge, skills, etc.).
It also is apparent that our 'adversaries' have the advantage of fighting a guerrilla-style war against security professionals in which the very tools we use to blunt their attacks are being turned against us. I've noticed an inherently asymmetrical aspect to each battle security professionals fight; the advantage is that our adversaries learn more about our defenses, adapt faster, and with greater agility of deployment than we obtain from our analysis of their attacks. The evidence cited by the article about the continuing increase in security breaches despite greater security spend suggests that we defenders are missing something fundamental in our attempts to build better security systems and controls.
So in what new direction should we be looking to find a way to turn the tide of this war in our favor? I've taken a closer look at the fundamental underpinnings of my own approach to thinking about security strategy and I found a few insightful and thought-provoking ideas in the work done by James A. Dewar of the RAND Corporation on Assumption-Based Planning (ABP) and that of Prof. Richard Heeks of the University of Manchester, the "design-reality gap" model. I hope to have a paper submitted to ISACA by the end of the summer which discusses how one might apply these ideas to develop a new approach in building security infrastructure.