Serious security vulnerabilities have been discovered in Avast’s Antitrack and AVG Antitrack tools. Exploiting the flaws could expose users to MiTM attacks whilst downgrading browsers’ security. Avast AntiTrack Certificate Vulnerability Reportedly, researcher David Eade found numerous security vulnerabilities in the Avast Antitrack tool. One of these is a vulnerability in certificate validation feature that could have allowed man-in-the-middle (MiTM) attacks. Elaborating his findings in a post, the researcher stated, Avast Antitrack does not check the validity of certificates presented by the end web server. This makes it trivial for a man-in-the-middle to serve a fake site using a self-signed certificate. An attacker could not only intercept the victim’s traffic but could also hijack live sessions by cloning cookies, thus bypassing two-factor authentication as well. Exploiting this bug required no user interaction, hence becoming entirely possible for a remote attacker. The researcher also noticed two other issues with the same tool. At first, it downgraded the browser’s security protocol to TLS 1.0. Then, the chosen cipher suites by the tool did not support Forward Secrecy. Patches Rolled Out The researcher found the said issues in the Avast Antitrack tool. However, since it shares codes with AVG Antitrack as well, the same vulnerabilities also applied to the latter. Specifically, the bugs affected all Avast Antitrack versions prior to 1.5.1.172, and AVG Antitrack versions below 2.0.0.178. Upon discovering the flaws in August 2019, the researcher contacted Avast to report the matter. After continued communication in the following months, the vendors eventually patched the flaws. At first, they released Avast Antitrack 1.5.1.172, and then AVG Antitrack 2.0.0.178 containing the patches. Avast has confirmed the existence and subsequent patching of the vulnerabilities whilst acknowledging the researcher in a separate advisory. As stated, Thanks to David for reporting these issues to us, the issues have been fixed, through an update pushed to all AntiTrack users.

Heads up, Zoho customers! A zero-day vulnerability exists in Zoho platform that can pose a serious security threat. The disgruntled researcher dropped the bug publicly on Twitter, a patch isn’t available yet. Zoho Zero-Day Disclosed On Twitter Reportedly, a security researcher Steven Seeley dropped a Zoho zero-day vulnerability on Twitter. The bug exists in Zoho’s ManageEngine Desktop Central. Exploiting the bug allows a remote attacker to execute arbitrary code. The researcher disclosed the bug publicly since Zoho did not heed their bug reports. Elaborating on the vulnerability in a separate advisory, the researcher stated that exploiting the flaw requires no authentication. Whereas, regarding how the flaw affected the system, the advisory reads, The specific flaw exists within the FileStorage class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM. The advisory has deemed the vulnerability as critical with a CVSS score of 9.8. The researcher also shared the PoC exploit for the flaw. For now, the vulnerability has also received a CVE ID, CVE-2020-10189. Patch Rolling Out Soon Since the researcher disclosed the vulnerability publicly instead of following a responsible disclosure, no patch is currently available. Hence, at present, the bug poses a threat to all the users. Nonetheless, Zoho’s Twitter team has assured patching the bug shortly.

The ManageEngine Desktop Central has also officially acknowledged the existence of the bug in an advisory. They confirm that the flaw affects Desktop Central build 10.0.473 and earlier. While they are working on the patch, they have advised mitigation steps for the users. So, until a fix arrives, everyone must remain very careful considering the risk of abusing the publicly disclosed exploit.

A serious vulnerability existed in NordVPN payment systems. Exploiting the flaw required sending an HTTP POST request that exposed NordVPN users’ details to anyone. NordVPN Flaw Exposed Users’ Details Reportedly, NordVPN has patched a serious flaw that could have exposed users’ details to others. First discovered by a bug bounty hunter, the vulnerability existed in their payments system. The researcher with alias foo bar on HackerOne reported this vulnerability to NordVPN in December 2019. He found that sending a HTTP POST request without any authentication to join.nordvpn.com could let anyone view other users’ data. Doing so was simple; the attacker could simply change the numbers in the id and user_id to get the details of other users. The said vulnerability received a high-severity rating with a score of 7 to 8.9. Upon reporting the flaw, not only NordVPN patched the vulnerability, but also awarded the researcher with a $1000 bounty. Though, it remains unclear whether NordVPN has notified its users about the flaw, they did assure fixing of the bug. As per the statement of Jody Myers, spokesperson NordVPN, to TheRegister, Such reports are one of the reasons why we have launched the bug bounty program. We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party. Multiple Bugs Patched Since Bug Bounty Program NordVPN announced launching its bug bounty program on HackerOne in October 2019. The announcement came up after the company faced backlash over a security breach. Since then, the HackerOne profile of NordVPN shows back-to-back vulnerabilities being reported and addressed. Around the same time as that of the above-referenced IDOR, NordVPN also fixed the absence of rate-limiting on their password reset feature. Towards the end of February 2020, they also patched a critical severity bug that violated users’ privacy. Specifically, the flaw existed owing to potential reuse of the API key that could send connection information to third-party service. For highlighting this bug, NordVPN awarded a $7,777 bounty to the researcher.

Google have recently fixed numerous security bugs in their Chrome browser. These Chrome bugs include two serious vulnerabilities as well as a zero-day flaw under active exploit. Chrome Zero-Day Under Exploit Researcher Clement Lecigne of Google’s Threat Analysis Group discovered a zero-day bug in the Chrome browser under active exploit. The vulnerability, CVE-2020-6418, was a type confusion flaw in V8 – a Chrome component that processes JavaScript code. Google labeled it a high-severity flaw in their advisory, what makes it serious is its exploitation in the wild. Though, Google hasn’t shared details about how the attackers are exploiting the bug. Yet, they confirm the zero-day is under attack. Other than this zero-day, Google also revealed two other bugs in the Chrome browser. These include two high-severity bugs for which, Google hasn’t hinted of any active exploitation. One of these caught the attention of Google Project Zero’s Sergei Glazunov. Google described it as an Out of bounds memory access in streams (CVE-2020-6407). The other vulnerability caught Google’s attention after researcher André Bargull reported it. This vulnerability, an integer overflow in the ICU component, the researcher was awarded a $5000 bounty. Google Released Patches Recently, Google has patched all the three flaws and released fixes with the latest Chrome version 80.0.3987.122. As the tech giant rolls out the updates, users must ensure their devices are updated to avoid any issues. This is particularly important considering the active exploitation of the zero-day. The present zero-day marks the third major vulnerability that caught the hackers’ attention before a fix. The first of these (CVE-2019-5786) surfaced online in March 2019. The attackers exploited this use after free flaw to target Windows 7. Whereas, the second vulnerability, another use after free flaw (CVE-2019-13720), appeared online in November 2019.

The latest victim of an actively exploited zero-day vulnerability is the Taiwan-based firm ‘Zyxel’ whom manufacture networking devices.  Zyxel has addressed a critical zero-day vulnerability in some of its NAS devices that could allow remote code execution. Zero-Day Vulnerability In Zyxel NAS Devices The Taiwan-based technology firm Zyxel has made it into the news owing to a serious vulnerability in its network-attached storage devices. The founder of security firm Hold Security, Alex Holden, discovered a serious zero-day vulnerability in Zyxel NAS devices. As revealed through a blog post, Holden found that exploiting this vulnerability could allow a potential attacker to execute arbitrary code. Worryingly the exploit required no user permission for code execution. The researcher also noticed active sales of the exploit code on the dark web. He found ransomware gangs interested in the working exploit code which the seller put up for $20,000. CERT/CC has confirmed the presence of the vulnerability in their advisory. Regarding the details of the bug, the advisory reads, ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. While the webserver doesn’t run with root privileges, an attacker could achieve elevated privileges by abusing the setuid utility. Hence, remote code execution with root privileges would become possible. Zyxel Patched The Flaw Upon receiving the alerts for the zero-day under attack, Zyxel worked swiftly to patch the flaw. They confirmed that the vulnerability, CVE-2020-9054, affected numerous devices including NAS326, NAS520, NAS540, and NAS542. While the patches for these are available, users of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325, and NSA325v2 would still remain vulnerable since these devices won’t receive the updates due to end-of-support. The complete list of devices and the hotfixes is available in Zyxel’s advisory. Zyxel have recommended limiting access to vulnerable NAS devices and blocking access to the web interface as possible mitigations.

A critical vulnerability has been discovered in the OpenBSD email server OpenSMTPD. Exploiting the flaw could allow remote code execution attacks. The seriousness of the vulnerability poses a threat to the integrity of OpenBSD and Linux systems. OpenSMTPD Email Server Vulnerability Researchers from Qualys have discovered a serious vulnerability in the OpenSMTPD email server. As elaborated in their advisory, the vulnerability, CVE-2020-8794, could allow a remote attacker to execute code on the target system. Describing the vulnerability, the advisory reads, This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, “when peer outputs a multi-line response …”), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235, “switch smtpd to new grammar”); or as any non-root user, before May 2018. In brief, the flaw exists on the client-side code that is responsible for delivering emails. Hence, the bug could allow exploitation in two different scenarios: the client-side in the default configuration, or the server-side where the attacker should send an email that creates a bounce. Then, reconnecting again with the server in an attempt to deliver the bounce would let the attacker exploit the client-side vulnerability. Apart from this brief disclosure, the researchers haven’t shared the detailed PoC yet to avoid mass exploitation. Patch Available – Update Now The team Qualys successfully tested their exploit against various distros including OpenBSD 6.6, OpenBSD 5.9, Debian 10 (stable), Debian 11 (testing), and Fedora 31. They also tested the exploit against OpenSMTPD 6.6.3p1 that worked in a specific scenario. We tested our exploit against the recent changes in OpenSMTPD 6.6.3p1, and our results are: if the “mbox” method is used for local delivery (the default in OpenBSD -current), then arbitrary command execution as root is still possible; otherwise (if the “maildir” method is used, for example), arbitrary command execution as any non-root user is possible. Fortunately, OpenBSD has addressed this vulnerability with the release of OpenBSD 6.6.4p1. Hence, users must ensure updating their systems to avoid any exploits.

Mozilla has officially launched a new privacy-focused VPN service, called Firefox Private Network, as a browser extension that aims to encrypt your online activity and limit what websites and advertisers know about you.

Firefox Private Network service is currently in beta and available only to desktop users in the United States as part of Mozilla's recently expunged "Firefox Test Pilot" program that lets users try out new experimental features before they were officially released.

The Firefox Test Pilot program was first launched by the company three years ago but was shut down in January this year. The company now decided to bring the program back but with some changes.

"The difference with the newly relaunched Test Pilot program is that these products and services may be outside the Firefox browser, and will be far more polished, and just one step shy of general public release," said Marissa Wood, vice president of product at Mozilla.

Firefox Private Network is the Test Pilot program's first new project.

Firefox Private Network — Mozilla's VPN Service

Like any other best VPN service, Firefox Private Network also masks your IP address from third-party online trackers and protect your sensitive information, like the website you visit and your financial information, when using public Wi-Fi.

Mozilla says its Firefox Private Network "provides a secure, encrypted path to the web to protect your connection and your personal information anywhere, and everywhere you use your Firefox browser."

Firefox Private Network also works the same way as any other VPN service.

The Firefox Private Network VPN service also encrypts and funnels every Internet browsing activity of yours through a collection of remote proxy servers, thereby masking your real location/identity and blocking third parties, including government and your ISP, from snooping on your connection.

The actual proxy servers for the Firefox Private Network extension is provided by Cloudflare, the company that offers one of the biggest and fastest CDN, DNS and DDoS protection services.

For those concerned about the data collection by Cloudflare, Mozilla promises "strong privacy controls" to limit what data Cloudflare may collect and for how long it may store that data.

"Cloudflare only observes a limited amount of data about the HTTP/HTTPS requests that are sent to the Cloudflare proxy via browsers with an active Mozilla extension," Cloudflare says.

"When requests are sent to the Cloudflare proxy, Cloudflare will observe your IP address, the IP address for the Internet property you are accessing, source port, destination port, timestamp and a token provided by Mozilla that indicates that you are a Firefox Private Network user (together, "Proxy Data"). All Proxy Data will be deleted within 24 hours."

How To Sign Up For Firefox VPN Service

Firefox Private Network currently works only on desktops but is believed to be made available for mobile users as well, once the VPN exits beta.

Although the Firefox Private Network service is currently free, Mozilla hinted that the company is exploring possible pricing options for the service in the future to keep it self-sustainable.

For now, if you have a Firefox account and reside in the United States, you can test the Firefox VPN service for free by signing up on the Firefox Private Network website.

Once installed on your desktop, the Firefox Private Network extension will add a toggle on the toolbar of your Firefox web browser so you can easily turn it on or off at any time.

Immediately after Mozilla announced its plan to soon enable 'DNS over HTTPS' (DoH) by default for Firefox users in the United States, Google today says it is planning an experiment with the privacy-focused technology in its upcoming Chrome 78.

Under development since 2017, 'DNS over HTTPS' performs DNS lookups—finding the server IP address of a certain domain name—over an encrypted HTTPS connection to a DNS server, rather than sending DNS queries in plaintext.

The protocol that sends DNS queries over secure HTTPS connections has specifically been designed to prevent miscreants from interfering with domain name lookups, eventually stopping network observers, including your ISPs and attackers, from figuring out what sites you visit.

Though the privacy-focused technology is also helpful in preventing attackers from redirecting unsuspecting visitors to phishing and malware sites, DNS over HTTPS could also bring its own new challenges to the enterprise security solutions by making it difficult to monitor network traffic for malicious activities.

For the same reason, two months ago, the UK Internet Services Providers' Association (ISPA) nominated Mozilla for "Internet villain of the year" award after the company added support for DoH protocol in its Firefox browser that breaks DNS-based content filters.

However, it should be noted that Firefox by default sets DoH server to Cloudflare and the setting needs to be changed manually, for which Mozilla has been criticized, whereas Google's implementation only upgrades to the equivalent DoH service from the same provider that a user is using.

Enabling 'DNS over HTTPS' in Chrome 78

In a blog post published today, Google said the company will add its implementation of 'DNS over HTTPS' to the upcoming Chrome 78, which is due for beta release in the next two weeks, and will enable the feature for a fraction of users as an early-experiment,

The experimental feature will automatically upgrade the DNS provider to the equivalent DoH service from the same provider if the user's current DNS provider is part of the list of known DoH-compatible providers. If not in the list, Chrome will continue to operate as it does today.

"In other words, this would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged. It's also important to note that DNS over HTTPS does not preclude its operator from offering features such as family-safe filtering," Google says.

Chrome 78 users who want to manually opt-in or opt-out of the experiment can change the flag settings at chrome://flags/#dns-over-https.

Chrome Compatible' DNS over HTTPS' Providers

Google says it has selected some DNS providers for "their strong stance on security and privacy, as well as the readiness of their DoH services" and their agreement to participate in the test. The list of providers currently include:

• Cleanbrowsing
• Cloudflare
• DNS.SB
• Google
• OpenDNS
• Quad9

The experiment will run on all platforms for Chrome 78 users except Linux and iOS, with the goals to validate the company's "implementation and to evaluate the performance impact."

On Android 9 and later, if users have set a DNS-over-TLS (DoT) provider in the private DNS settings, Chrome may attempt to utilize DoH instead, but if an error occurred, the browser would fall back to the DoT setting.

For those unaware, though DoH and DoT are separate standards for encrypting DNS queries, the concept of both is the same.

What're your thoughts on Google's experiment of implementing DoH? Let us know in the comment section below.

Unlike previous side-channel vulnerabilities disclosed in Intel CPUs, researchers have discovered a new flaw that can be exploited remotely over the network without requiring an attacker to have physical access or any malware installed on a targeted computer.

Dubbed NetCAT, short for Network Cache ATtack, the new network-based side-channel vulnerability could allow a remote attacker to sniff out sensitive data, such as someone's SSH password, from Intel's CPU cache.

Discovered by a team of security researchers from the Vrije University in Amsterdam, the vulnerability, tracked as CVE-2019-11184, resides in a performance optimization feature called Intel's DDIO—short for Data-Direct I/O—which by design grants network devices and other peripherals access to the CPU cache.

The DDIO comes enabled by default on all Intel server-grade processors since 2012, including Intel Xeon E5, E7 and SP families.

According to the researchers [paper], NetCAT attack works similar to Throwhammer by solely sending specially crafted network packets to a targeted computer that has Remote Direct Memory Access (RDMA) feature enabled.

RDMA enables attackers to spy on remote server-side peripherals such as network cards and observe the timing difference between a network packet that is served from the remote processor's cache versus a packet served from memory.

Here the idea is to perform a keystroke timing analysis to recover words typed by a victim using a machine learning algorithm against the time information.

"In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time a victim you type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet," explains the VUSec team.

"Now, humans have distinct typing patterns. For example, typing's' right after 'a' is faster than typing 'g' after's.' As a result, NetCAT can operate statical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session."

"Compared to a native local attacker, NetCAT's attack from across the network only reduces the accuracy of the discovered keystrokes on average by 11.7% by discovering inter-arrival of SSH packets with a true positive rate of 85%."

The VUSec team has also published a video, as shown above, demonstrating a method for spying on SSH sessions in real-time with nothing but a shared server.

NetCAT becomes the new side-channel vulnerability joined the list of other dangerous side-channel vulnerabilities discovered in the past year, including Meltdown and Spectre, TLBleed, Foreshadow,  SWAPGS, and PortSmash.

In its advisory, Intel has acknowledged the issue and recommended users to either completely disable DDIO or at least RDMA to make such attacks more difficult, or otherwise suggested to limit direct access to the servers from untrusted networks.

The company assigned the NetCAT vulnerability a "low" severity rating, describing it as a partial information disclosure issue, and awarded a bounty to the VUSec team for the responsible disclosure.

Cybersecurity researchers today revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

Dubbed "SimJacker," the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards that is widely being used by mobile operators in at least 30 countries and can be exploited regardless of which handsets victims are using.

What's worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries.

S@T Browser, short for SIMalliance Toolbox Browser, is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.

Since S@T Browser contains a series of STK instructions—such as send short message, setup call, launch browser, provide local data, run at command, and send data—that can be triggered just by sending an SMS to a device, the software offers an execution environment to run malicious commands on mobile phones as well.

How Does Simjacker Vulnerability Work?

Disclosed by researchers at AdaptiveMobile Security in new research published today, the vulnerability can be exploited using a $10 GSM modem to perform several tasks, listed below, on a targeted device just by sending an SMS containing a specific type of spyware-like code.

• Retrieving targeted device' location and IMEI information,
• Spreading mis-information by sending fake messages on behalf of victims,
• Performing premium-rate scams by dialing premium-rate numbers,
• Spying on victims' surroundings by instructing the device to call the attacker's phone number,
• Spreading malware by forcing victim's phone browser to open a malicious web page,
• Performing denial of service attacks by disabling the SIM card, and
• Retrieving other information like language, radio type, battery level, etc.

"During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated," researchers explain.

"The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. However the Simjacker attack can, and has been extended further to perform additional types of attacks."

"This attack is also unique, in that the Simjacker Attack Message could logically be classified as carrying a complete malware payload, specifically spyware. This is because it contains a list of instructions that the SIM card is to execute."

Though the technical details, detailed paper and proof-of-concept of the vulnerability are scheduled to be released publicly in October this year, the researchers said they had observed real-attacks against users with devices from nearly every manufacturer, including Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards.

According to the researchers, all manufacturers and mobile phone models are vulnerable to the SimJacker attack as the vulnerability exploits a legacy technology embedded on SIM cards, whose specification has not been updated since 2009, potentially putting over a billion people at risk.

Simjacker Vulnerability Being Exploited in the Wild

 

Critical ISPsystem Software Vulnerability Discovered

ISPsystem Fixed The Bug

Qualcomm Chip Vulnerability Discovered

Qualcomm Patched The Flaw

“Android developers who use the keystore in their applications can also take advantage of the user authentication requirements and key attestation offered by the keystore. These defense-in-depth mitigations increase the complexity of compromising keystore keys, making difficult-to-perform side-channel attacks even more challenging to pull off.”

Microsoft Word Bug Under Active Exploits

“The group was able to exploit this bug to circumvent many security solutions designed to protect data from infestation, including leading sandbox and anti-malware technologies.”

“Malware code reveals that it is capable of visiting URLs, creating files and/or folders, running shell commands, and executing and ending programs. It can also steal information by logging keystrokes and mouse events.”

No Patch From Microsoft

“Microsoft acknowledged it was unintended behavior, but declined to release a security patch at this time, as the issue on its own does not result in memory corruption or code execution. The issue may be fixed at a later date.”

The Swiss government is eager to ensure that its e-voting system is safe and secure for those casting their votes. To ensure that’s the case, they issued a press release looking for “Interested hackers from all over the world to attack the system.” This will be in the form of a public intrusion test or PIT session.

Public Intrusion Test

The public intrusion test (PIT) will run from February 25 until March 2 and offer cash rewards depending on what the hackers are able to do. There are a set of rules attached to this PIT, which set out the basics of the test, and the qualifying vulnerabilities.
The rewards for this test range from $100 to $30,000 based on CHF points (1 CHF point is roughly equivalent to 1 USD.)
There is set to be a mock e-voting session planned for the last day of testing on 24 March. However, hackers can attack the e-voting system before this date as well.

Registration

Anyone wanting to participate in the test has to register in advance of the PIT session. This gives the participants legal permission to attack the system and also enables them to receive rewards.
Registration also binds participants to the rules of the PIT. This ensures that only the system is targeted, and protects the rest of the Swiss Post infrastructure.

Rules

Participants of the PIT session are restricted from attacking certain areas of the infrastructure. For example, hackers are not allowed to harm a voter’s device or attack any unrelated systems belonging to Swiss Post who created the e-voting system.
However, Swiss Post will be disabling some of the e-voting security defences to allow participants to concentrate on the inner core of the system.
The Swiss government is holding public penetration tests to build confidence in the system. A committee of politicians and computer experts started an initiative at the end of January to have e-voting banned in Switzerland for at least five years. They are hoping to get over 100,000 signatures in a petition over the coming months.

Intel Patches Three High-Severity Security Flaws

“Improper directory permissions in the ZeroConfig service in Intel(R) PROSet/Wireless WiFi Software before version 20.90.0.7 may allow an authorized user to potentially enable escalation of privilege via local access.”

“Improper file verification in install routine for Intel(R) SGX SDK and Platform Software for Windows before 2.2.100 may allow an escalation of privilege via local access.”

• Intel® SGX Platform Software for Windows version 2.2.100 or later
• Intel® SGX Platform Software for Linux version 2.4.100 or later
• Intel® SGX SDK for Windows version 2.2.100 or later
• Intel® SGX SDK for Linux version 2.4.100

“Insufficient path checking in Intel(R) System Support Utility for Windows before 2.5.0.15 may allow an authenticated user to potentially enable an escalation of privilege via local access.”

Multiple Medium-Severity Bugs Also Fixed

“Data leakage in cryptographic libraries for Intel(R) IPP before 2019 update 1 release may allow an unprivileged user to cause information disclosure via local access.”

“Insufficient write protection in firmware for Intel(R) Optane(TM) SSD DC P4800X before version E2010435 may allow a privileged user to potentially enable a denial of service via local access.”