Tuesday, January 26, 06:28

US Department of Defense (DoD): Revealed vulnerabilities in its infrastructure!

The US Department of Defense (DoD) has disclosed details of four vulnerabilities identified in its infrastructure. Two of them were rated "high severity", the other two "critical". The vulnerabilities, first reported in July and August, could allow an attacker to take over a subdomain, execute arbitrary code remotely, or read files on the affected system. All of the issues were reported through the department's vulnerability disclosure program on the HackerOne bug bounty platform by ethical hackers.

One of the critical vulnerabilities is a subdomain takeover caused by an unclaimed Amazon S3 bucket. The ethical hacker chron0x found that the issue could be used to host malicious content on a legitimate domain. Visitors to the site could then be targeted with phishing and cross-site scripting attacks. The flaw would also allow an attacker to bypass the domain's security controls and steal sensitive user data.
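A defender's check for the kind of dangling S3 CNAME behind that first finding, added here as an example and not part of the original article or the HackerOne report: it pulls the S3-backed CNAMEs out of a constructed zone export (hypothetical example.mil names) and classifies each bucket from the S3 endpoint's reply, where an HTTP 404 with NoSuchBucket means the name is unowned and the record should be removed or the bucket reclaimed.

```python
import re
import urllib.error
import urllib.request

# Constructed BIND-style zone export with hypothetical names (not the DoD's zone).
SAMPLE_ZONE = """\
www.example.mil.     300 IN A     198.51.100.10
static.example.mil.  300 IN CNAME static-assets.s3.amazonaws.com.
docs.example.mil.    300 IN CNAME docs-example.s3-website-us-east-1.amazonaws.com.
"""

# Virtual-hosted S3 endpoints: <bucket>.s3[.region | -website-region].amazonaws.com
S3_CNAME = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]*)\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com\.?$", re.I)

def s3_cnames(zone_text):
    """Return (host, bucket) pairs for every CNAME in the zone that points at S3."""
    found = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3].upper() == "CNAME":
            m = S3_CNAME.match(parts[4])
            if m:
                found.append((parts[0].rstrip("."), m.group("bucket")))
    return found

def bucket_state(status, body):
    """Classify an S3 reply: 404 + NoSuchBucket means nobody owns the name, so the CNAME is takeover-able."""
    if status == 404 and "<Code>NoSuchBucket</Code>" in body:
        return "DANGLING"
    if status in (200, 403) or "<Code>AccessDenied</Code>" in body:
        return "CLAIMED"
    return "UNKNOWN"

def audit(zone_text, fetch):
    """fetch(bucket) -> (status, body). Returns {host: state} for every S3-backed CNAME."""
    return {host: bucket_state(*fetch(bucket)) for host, bucket in s3_cnames(zone_text)}

def http_fetch(bucket):
    """Live probe (plain HTTP: dotted bucket names break the wildcard TLS cert). Unused offline."""
    try:
        with urllib.request.urlopen(f"http://{bucket}.s3.amazonaws.com/", timeout=10) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")

# Constructed replies standing in for the live endpoint so the audit runs offline.
FAKE_REPLIES = {
    "static-assets": (403, "<Error><Code>AccessDenied</Code></Error>"),
    "docs-example": (404, "<Error><Code>NoSuchBucket</Code></Error>"),
}
```

For a live check of your own domains, pass http_fetch as the fetcher and a real zone export; every host reported as DANGLING is a record to delete or a bucket to reclaim before someone else does.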

The second critical vulnerability was reported by Hzllaga on August 19. It was a remote code execution flaw on a DoD server running Apache Solr that had not been patched since August 2019. The server was affected by CVE-2019-0192 and CVE-2019-0193, and the second alone was enough for an attacker to obtain a shell on the server; exploit code is available for both.

Another vulnerability, also stemming from unpatched software, was discovered by IT security analyst Dan (a veteran of the US Navy and the Coast Guard): a read-only path traversal that could allow an attacker to access sensitive and confidential system files. It was found in a Cisco product.

The second of the less severe vulnerabilities is a code injection on a DoD server that could lead to arbitrary code execution, according to the report by e3xpl0it, a penetration tester at the cybersecurity company Positive Technologies.

In every case the US Department of Defense fixed the problems immediately. According to HackerOne's statistics, the department took about eight hours on average to address each of the vulnerabilities. Since the DoD launched its vulnerability disclosure program on HackerOne in November 2016, it has handled 9555 security issues; notably, more than a third of them were handled in the last three months.

Pohackontas, https://www.secnews.gr