Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2306PUBLISHED: 2022-07-05Old session tokens can be used to authenticate to the application and send authenticated requests.
CVE-2022-34918PUBLISHED: 2022-07-04
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an u...
CVE-2022-34829PUBLISHED: 2022-07-04Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.
CVE-2022-31600PUBLISHED: 2022-07-04
NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmmCore, where a user with high privileges can chain another vulnerability to this vulnerability, causing an integer overflow, possibly leading to code execution, escalation of privileges, denial of service, compromised integrity, and informat...
CVE-2022-31601PUBLISHED: 2022-07-04NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmbiosPei, which may allow a highly privileged local attacker to cause an out-of-bounds write, which may lead to code execution, denial of service, compromised integrity, and information disclosure.
User Rank: Apprentice
10/12/2015 | 12:22:18 PM
"Yes" the App has to have mitigations for its vulnerabilities as they exist at the App level, but that is a far cry from actually securing the operating environment. And without securing the OS operation the App can be made to believe that anything is occurring (or not occurring) as desired to exploit a weakness in the system.
Security is a chain that has to have 'strong links' at every level.
There has been a marketing trend of late, claiming that "their product" can magically secure the operating environment by running it on your App. Managers love this type of easy solution; it is just a shame that they are largely ineffective, at best just securing some limited aspects of App operation. At worst they are a lot of 'security theater' and hand waving.
In my opinion, the best approach is a multi-layered solution with a hardware root of trust. The use of TrustZone is a good first step towards this, and with all the security company acquisitions that ARM is making lately apparently they must be headed in that direction as well.
Now all we have to do is to convince the OS manufacturers that security is important enough to us that they will then start to use some of these hardware security tools that are available to them.
Instead they are releasing "new features" like 'upper / lower case keyboards' and 'long press', as if these are some new revolutionary concepts. We need them to focus on the real issues, not the fluff.
Maybe voting with our wallets will get their attention.