October 2021

CVE-2021-1120

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a string provided by the guest OS may not be properly null terminated. The guest OS or attacker has no ability to push content to the plugin through this vulnerability, which may lead to information disclosure, data tampering, unauthorized code execution, and denial of service.
Source: NIST
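
The bug class behind CVE-2021-1120 (a guest-supplied string landing in a host-side buffer without a guaranteed NUL terminator) is easiest to see in code. The following is an added illustration written for this page, not NVIDIA's vGPU plugin code: the `vgpu_request` struct, `NAME_LEN` and the function names are hypothetical, and the guest input is constructed inline. It shows the classic `strncpy` mistake beside a bounded copy that rejects oversized input and terminates explicitly, plus a check that tells the two apart.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size field that a host-side plugin fills from a
 * guest-supplied string. NAME_LEN and the struct are illustration only. */
#define NAME_LEN 16

struct vgpu_request {
    char name[NAME_LEN];     /* copied from the guest */
    char host_only[8];       /* adjacent host data, never meant to leave the host */
};

/* Vulnerable pattern: strncpy() writes no NUL when the source is NAME_LEN
 * bytes or longer, so a guest that sends exactly NAME_LEN bytes leaves
 * name[] unterminated. Any later strlen()/printf("%s") on name walks into
 * host_only[] (information disclosure) and beyond. */
void copy_name_unsafe(struct vgpu_request *req, const char *guest_str)
{
    strncpy(req->name, guest_str, NAME_LEN);
}

/* Hardened pattern: measure with a bound, refuse input that cannot fit
 * together with its terminator, then terminate explicitly. guest_len is
 * the length the guest claims; it is untrusted, so strnlen() stops there
 * even if the guest also omitted the NUL. */
int copy_name_safe(struct vgpu_request *req, const char *guest_str, size_t guest_len)
{
    size_t n = strnlen(guest_str, guest_len);
    if (n >= NAME_LEN)
        return -1;           /* do not silently truncate: reject */
    memcpy(req->name, guest_str, n);
    req->name[n] = '\0';
    return 0;
}

/* 1 if no NUL is present anywhere inside name[], i.e. the field is
 * unterminated and unsafe to pass to any str*() function. */
int name_is_unterminated(const struct vgpu_request *req)
{
    return memchr(req->name, '\0', NAME_LEN) == NULL;
}

int main(void)
{
    /* Constructed guest input: exactly NAME_LEN non-NUL bytes. */
    const char guest_input[NAME_LEN + 1] = "AAAAAAAAAAAAAAAA";
    struct vgpu_request req;

    memset(&req, 0, sizeof req);
    memcpy(req.host_only, "secret", 7);

    copy_name_unsafe(&req, guest_input);
    printf("strncpy copy unterminated: %d\n", name_is_unterminated(&req));      /* 1 */

    memset(req.name, 0, NAME_LEN);
    int rc = copy_name_safe(&req, guest_input, NAME_LEN);
    printf("bounded copy rc=%d unterminated: %d\n", rc, name_is_unterminated(&req)); /* -1, 0 */

    rc = copy_name_safe(&req, "vgpu-0", 6);
    printf("bounded copy of short name rc=%d name=%s\n", rc, req.name);      /* 0, vgpu-0 */
    return 0;
}
```

The check in `name_is_unterminated` is the kind of assertion worth placing at every boundary where guest-controlled bytes are turned into a C string on the host; with the `strncpy` variant it reports 1 for a 16-byte guest name, with the bounded copy the oversized name is refused before it can ever be unterminated.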

CVE-2021-1121

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager kernel driver, where a vGPU can cause resource starvation among other vGPUs hosted on the same GPU, which may lead to denial of service.
Source: NIST

CVE-2020-25872

A vulnerability exists in FileManagerController.php in FrogCMS 0.9.5 which allows an attacker to perform a directory traversal attack via a URL-encoded GET request parameter.
Source: NIST

CVE-2020-25873

A directory traversal vulnerability in the component system/manager/class/web/database.php was discovered in Baijiacms V4 which allows attackers to arbitrarily delete folders on the server via the “id” parameter.
Source: NIST

Minnesotan Charged with Hacking Pro Sports Leagues

A man from Minnesota has been charged with hacking four major American professional sports leagues and defrauding them of millions of dollars by illegally streaming copyrighted live games.

St. Louis Park resident Joshua Streit, who is also known as Josh Brody, allegedly intruded into the computer systems of the National Basketball Association (NBA), the National Football League (NFL), the National Hockey League (NHL), and Major League Baseball (MLB) using login credentials misappropriated from legitimate users.

The 30-year-old Streit then allegedly used his unauthorized access to livestream games via a pay-to-view website that he operated from around 2017 to August 2021.

Streit is further accused of threatening to expose cybersecurity flaws in the computer system of one of the leagues unless he received a hefty payment.

US Attorney Damian Williams said: “Joshua Streit is alleged to have illegally streamed sports content online from MLB, the NHL, the NBA, and the NFL for his own personal profit.

“Furthermore, Streit allegedly hacked MLB’s computer systems and attempted to extort $150,000 from the league.”

According to the complaint unsealed Thursday in Manhattan Federal Court, Streit’s alleged illegal conduct caused one of the victim sports leagues to sustain financial losses of approximately $3m.

Streit is charged with one count of knowingly accessing a protected computer in furtherance of a criminal act and for purposes of commercial advantage and private financial gain, one count of knowingly accessing a protected computer in furtherance of fraud, one count of wire fraud, one count of illicit digital transmission, and one count of sending interstate threats with the intent to extort.

If convicted on all counts, Streit faces a maximum custodial sentence of 37 years.

“Instead of quitting while he [Streit] was ahead, he allegedly decided to continue the game by extorting one of the leagues, threatening to expose the very vulnerability he used to hack them,” said FBI Assistant Director Michael Driscoll.

“Now instead of scoring a payday, Mr. Brody faces the possibility of a federal prison sentence as a penalty.”

Source: Infosecurity

Cerberus Sentinel Acquires RED74

RED74, a managed security services provider based in New Jersey, has been acquired by cybersecurity consulting and managed services firm Cerberus Cyber Sentinel Corporation.

The financial terms of the acquisition were not disclosed when the deal was announced on Thursday.

RED74 is a privately held company whose clientele are primarily in the financial services and distribution/warehouse management sectors. It was launched in the summer of 2009 and operates from an office in Pennington.

The company’s team provides information technology managed services and key IT security management expertise to small and medium-sized businesses (SMBs) in New Jersey, Manhattan, and Eastern Pennsylvania.

Under the terms of the agreement, RED74 will continue to be based in New Jersey but will become a wholly owned subsidiary of Cerberus Sentinel, which is headquartered in Scottsdale, Arizona.

“A strong cybersecurity stance is crucial not only to IT resource management, but to the core business functions of all organizations,” said Tim Coleman, president of RED74.

“We are thrilled to be a part of the Cerberus Sentinel team and contribute to the mission of ensuring the protection and continued success of our customers.”

David Jemmett, CEO and founder of Cerberus Sentinel, said Coleman’s enthusiasm for the deal was catching.

“RED74 is an excellent addition for the Cerberus portfolio of companies,” said Jemmett. “Tim has built a strong team, and we know his continued support in the Cerberus Sentinel family will have a great impact.”

Jemmett added: “Tim’s excitement to join a national firm is contagious. Working with him and his team has been and will continue to be a pleasure.”

RED74 isn’t the only security acquisition to be made by Cerberus Sentinel. In August, Cerberus snapped up VelocIT, a managed security services provider also based in New Jersey.

That deal followed Cerberus Sentinel’s December 2020 acquisition of Alpine Security, a St. Louis, Missouri–based cybersecurity services provider.

A spokesperson for Cerberus Sentinel said: “The company is rapidly expanding by acquiring world-class cybersecurity, secured managed services, and compliance companies with top-tier talent that utilize the latest technology to create innovative solutions to protect the most demanding businesses and government organizations against continuing and emerging security threats and compliance obligations.”
Source: Infosecurity

CVE-2021-41189

DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings.
Source: NIST

CVE-2021-41748

An Incorrect Access Control issue exists in all versions of Portainer via an unauthorized access vulnerability. The vulnerability is also tracked as CNVD-2021-49547.
Source: NIST