News Reader
VU#209095: SMM Memory Corruption Vulnerability in the AMI Aptio's SMM Module Across Multiple Devices
System Management Mode (SMM) memory corruption vulnerabilities have been identified in UEFI modules present in AMI Aptio UEFI firmware. An attacker could exploit this vulnerability to elevate privileges and execute arbitrary code in the highly privileged SMM environment. Users should apply UEFI firmware updates provided by their supply-chain-supported vendors to address these issues.
Description
The Unified Extensible Firmware Interface (UEFI) specification defines an interface between an operating system (OS) and platform firmware. The UEFI specification defines mechanisms that allow firmware code to execute in System Management Mode (SMM), a highly privileged CPU mode intended for low-level system operations and direct hardware access. SMM operations are executed within a CPU protected memory region called System Management RAM (SMRAM). This environment is often referred to as "ring -2" because it operates at a deeper privilege level than the OS kernel (ring 0) and hypervisor (ring -1).
A vulnerability has been identified in certain firmware modules of AMI APTIOV related to improper pointer validation. Specifically, the code fails to adequately validate pointer values to prevent overlap with SMRAM. This allows memory references to be redirected into SMRAM, potentially enabling unauthorized code execution within SMM. An attacker exploiting this flaw could corrupt memory and overwrite sensitive SMRAM data, including firmware components that may later be written to PCI flash memory—establishing persistent control over the device.
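The kind of range check the paragraph above refers to, as an added C example that is not AMI's code or part of the advisory: it contrasts a check that looks only at the start address with one that validates the whole caller-supplied range against SMRAM. The SMRAM window, the `smi_request_t` layout and all function names are assumptions made for illustration; in EDK II-based firmware the library routine for this purpose is `SmmIsBufferOutsideSmmValid`.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed SMRAM window; real firmware obtains the ranges from the platform. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical request an OS-level caller places in shared memory. */
typedef struct {
    uint64_t data_ptr;  /* physical address chosen by the caller */
    uint64_t data_len;  /* length chosen by the caller */
} smi_request_t;

/* True only if [addr, addr + len) lies entirely outside SMRAM. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0)
        return true;
    if (addr > UINT64_MAX - (len - 1))      /* end address would wrap */
        return false;
    uint64_t last = addr + (len - 1);
    uint64_t smram_last = SMRAM_BASE + (SMRAM_SIZE - 1);
    return last < SMRAM_BASE || addr > smram_last;
}

/* Weak form: looks only at the start address, so a buffer that begins
 * below SMRAM and runs into it is accepted. */
bool weak_check(const smi_request_t *req)
{
    return req->data_ptr < SMRAM_BASE ||
           req->data_ptr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Hardened form: snapshot the caller-controlled fields first so they cannot
 * change between check and use, then validate the whole range. */
bool strict_check(const volatile smi_request_t *shared, smi_request_t *local)
{
    local->data_ptr = shared->data_ptr;
    local->data_len = shared->data_len;
    return buffer_outside_smram(local->data_ptr, local->data_len);
}
```

A handler built this way uses only the `local` copy after `strict_check` succeeds and rejects the request otherwise.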
Impact
Successful exploitation of this vulnerability may allow execution of code within System Management Mode (SMM), a highly privileged environment in firmware. This could bypass certain firmware-level protections, such as those protecting the SPI flash memory, and enable persistent modifications to the firmware that operate independently of the OS.
Solution
Install the latest UEFI firmware updates provided by your PC vendor. Refer to the Vendor Information section below and AMI's security advisory. As these vulnerabilities may affect firmware distributed through the supply chain, multiple PC OEMs may be impacted. Continue monitoring the Vendor Information section for updates relevant to your device.
Acknowledgements
Thanks to Binarly REsearch team for the responsible disclosure of this vulnerability to CERT/CC. Thanks also to AMI for their collaboration and timely response. This document was written by Ben Koo.
The Android privilege escalation revolution and the security risks of KernelSU
Proxyware and "proxyjacking": bandwidth-based cybercrime reaches a new level
Artificial intelligence in the service of cybercrime: the new era of AI-driven phishing
In native phishing, Microsoft 365 becomes a tool for attackers
The XZ Utils backdoor resurfaces in Docker images
Charon: a new ransomware wave targeting the public sector and aviation
Chipmaker Patch Tuesday: Intel, AMD and Nvidia fix numerous vulnerabilities
SAP fixes the critical S/4HANA vulnerability
VU#767506: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames
A vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. Some vendors have assigned a specific CVE to their products to describe the vulnerability. MadeYouReset exploits a mismatch caused by stream resets between HTTP/2 specifications and the internal architectures of many real-world web servers. This results in resource exhaustion, and a threat actor can leverage this vulnerability to perform a distributed denial of service attack (DDoS). This vulnerability is similar to CVE-2023-44487, colloquially known as "Rapid Reset." Multiple vendors have issued patches or responses to the vulnerability, and readers should review the statements provided by vendors at the end of this Vulnerability Note and patch as appropriate.
Description
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). This vulnerability is tracked as CVE-2025-8671 and is known colloquially as "MadeYouReset." This vulnerability is similar to CVE-2023-44487, colloquially known as "Rapid Reset", which abused client-sent stream resets. HTTP/2 introduced stream cancellation - the ability of both client and server to immediately close a stream at any time. However, after a stream is canceled, many implementations keep processing the request, compute the response, but don't send it back to the client. This creates a mismatch between the number of active streams from the HTTP/2 point of view and the actual active HTTP requests the backend server is processing.
By opening streams and then rapidly triggering the server to reset them using malformed frames or flow control errors, an attacker can exploit a discrepancy created between HTTP/2 stream accounting and the server's active HTTP requests. Streams reset by the server are considered closed, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent HTTP/2 requests on a single connection.
The flaw largely stems from many implementations of the HTTP/2 protocol equating resetting streams to closing them; however, in practice, the server will still process them. An attacker can exploit this to continually send reset requests: the protocol considers these reset streams closed, but the server is still processing them, causing a DoS.
HTTP/2 does support a parameter called SETTINGS_MAX_CONCURRENT_STREAMS, which defines the maximum number of concurrently active streams per session. In theory, this setting would prevent an attacker from overloading the target server, as they would max out the concurrent stream counter for their specific malicious session. In practice, when a stream is reset by the attacker, the protocol considers it no longer active and no longer accounts for it within this counter.
Impact
The main impact of this vulnerability is its potential usage in DDoS attacks. Threat actors exploiting the vulnerability will likely be able to force targets offline or heavily limit connection possibilities for clients by making the server process an extremely high number of concurrent requests. Victims will have to address either high CPU overload or memory exhaustion depending on their implementation of HTTP/2.
Solution
Various vendors have provided patches and statements to address the vulnerability. Please review their statements below. CERT/CC recommends that vendors who use HTTP/2 in their products review their implementation and limit the number/rate of RST_STREAMs sent from the server. Additionally, please review the supplemental materials provided by the reporters, which include additional mitigations and other potential solutions here: https://github.com/galbarnahum/MadeYouReset
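A small C model of the accounting mismatch described in this note and of the recommended limit on server-sent RST_STREAMs, added here as an illustration and not taken from any vendor's implementation or from the reporters' materials. The structure, the function names, the limit of 100 streams and the reset budget are assumptions; keeping a reset stream's slot counted until the backend finishes is a design choice for this example, not a mitigation stated in the note.

```c
#include <stdbool.h>

#define MAX_CONCURRENT_STREAMS 100 /* constructed SETTINGS_MAX_CONCURRENT_STREAMS value */

typedef struct {
    int  active_streams;   /* streams counted against the limit */
    int  backend_inflight; /* requests the backend is still processing */
    int  server_resets;    /* RST_STREAM frames sent by this server */
    int  reset_budget;     /* hypothetical cap on server-sent resets */
    bool hardened;
    bool closed;           /* connection terminated */
} h2_conn_t;

/* Client opens a stream; refused once the stream counter is full. */
bool open_stream(h2_conn_t *c)
{
    if (c->closed || c->active_streams >= MAX_CONCURRENT_STREAMS)
        return false;
    c->active_streams++;
    c->backend_inflight++;          /* request handed to the backend */
    return true;
}

/* A client frame forced the server to reset one open stream. */
void server_reset_stream(h2_conn_t *c)
{
    c->server_resets++;
    if (!c->hardened) {
        c->active_streams--;        /* slot freed, backend keeps working */
        return;
    }
    /* Hardened: the slot stays counted until the backend finishes (not
     * modelled here), and exceeding the reset budget ends the connection. */
    if (c->server_resets > c->reset_budget)
        c->closed = true;
}

/* Run open-then-reset cycles while the backend completes nothing and
 * return how many requests the backend ends up processing at once. */
int simulate_burst(bool hardened, int reset_budget, int attempts)
{
    h2_conn_t c = { .reset_budget = reset_budget, .hardened = hardened };
    for (int i = 0; i < attempts; i++)
        if (open_stream(&c))
            server_reset_stream(&c);
    return c.backend_inflight;
}
```

With the unhardened accounting the backend load grows with the number of attempts; with the hardened accounting it is bounded by the stream limit or the reset budget, whichever is reached first.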
Acknowledgements
Thanks to the reporters, Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University. This document was written by Christopher Cullen.
A new generation of malicious code concealment
Analysis of a PowerShell-based threat
ChatGPT 5 jailbroken within 24 hours
Critical vulnerabilities in WinRAR and 7-Zip
Vehicle security in serious danger: new Flipper Zero firmware breaks rolling-code protection
New attack technique threatens hybrid Active Directory and Entra ID environments
Akira ransomware: Windows Defender protection disabled through vulnerable drivers
Lightning-fast cyberattack: corporate system compromised in five minutes
Critical firmware vulnerabilities affect more than 100 Dell laptops
Critical vulnerabilities in Adobe AEM Forms: immediate update required
