JFrog PyPI

JFrog Detects Malicious PyPI Packages Stealing Credit Cards and Injecting Code

Software package repositories are becoming a popular target for supply chain attacks. Recently, there has been news about malware attacks on popular repositories like npm, PyPI, and RubyGems. Developers are blindly trusting repositories and installing packages from these sources, assuming they are secure. Sometimes malware packages are allowed to be uploaded to the package repository, …

Revisiting Realtek – A New Set of Critical Wi-Fi Vulnerabilities Discovered by Automated Zero-Day Analysis

On February 3rd, 2021, we responsibly disclosed six critical issues in the Realtek RTL8195A Wi-Fi module, a popular Wi-Fi card found in numerous connected devices such as home and industrial appliances. Following that successful detection and disclosure, we expanded our analysis to additional modules. This new analysis resulted in two new critical vulnerabilities discovered by …

Python Package Index (PyPi)

Python wheel-jacking in supply chain attacks

Recently, a novel supply chain attack was published by security researcher Alex Birsan, detailing how dependency confusion (or “namesquatting”) in package managers can be misused in order to execute malicious code on production and development systems. Background – dependency confusion & Birsan’s attack. In short, most package managers such as pip and npm do not …

Enterprise DevOps: 5 Keys to Success with DevOps at Scale

After getting a taste of DevOps’ benefits, enterprises naturally seek to widen its adoption. However, the tooling and processes that work for small-scale use cases often fall short when teams try to scale DevOps efforts. You must support all your different teams, toolsets, applications, processes, workflows, release cycles and pipelines — both legacy and cloud …

Major Vulnerabilities Discovered and Patched in Realtek RTL8195A Wi-Fi Module

In a recent supply chain security assessment, the JFrog security research team (formerly Vdoo) analyzed multiple networking devices for security vulnerabilities and exposures. During the analysis we discovered and responsibly disclosed six major vulnerabilities in Realtek’s RTL8195A Wi-Fi module that these devices were based on. An attacker that exploits the discovered vulnerabilities can gain remote …

Vulnerability Discovered in RAUC Embedded Firmware Update Framework

CVE-2020-25860 – Significant Vulnerability Discovered in RAUC Embedded Firmware Update Framework

JFrog’s security research team (formerly Vdoo) is constantly researching leading embedded devices and their supply chain. As part of this research, we discovered CVE-2020-25860, a potentially critical vulnerability with a CVSSv3 score of 8.8 in the Robust Auto-Update Controller (RAUC), an open-source framework for firmware updates. JFrog has responsibly disclosed this vulnerability and has worked closely with …

Major Vulnerabilities Discovered in Qualcomm QCMAP

In a recent supply chain security assessment, we analyzed multiple networking devices for security vulnerabilities and exposures. During the analysis we discovered and have responsibly disclosed four major vulnerabilities in Qualcomm’s QCMAP (Qualcomm Mobile Access Point) architecture that these devices were based on. An attacker that exploits the discovered vulnerabilities can gain remote root access …

Hidden Directory Traversal Vulnerability in QNX Slinger

Follow the Data: A Hidden Directory Traversal Vulnerability in QNX Slinger

Through our ongoing device security analysis, we often uncover—and responsibly disclose—new unknown vulnerabilities in both closed and open source software components used in connected devices. In this blog post, we discuss a directory traversal vulnerability that we recently discovered while analyzing the firmware of a device based on the BlackBerry QNX operating system. First, here’s …