Researchers wait 12 months to report vulnerability with 9.8 out of 10 severity rating

by
Dan Goodin
from Ars Technica - All content on (#5RSHQ)
caution-800x534.jpg

Enlarge (credit: Michael Theis / Flickr)

About 10,000 enterprise servers running Palo Alto Networks' GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug with a severity rating of 9.8 out of a possible 10.

Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret.

Moving laterally

CVE-2021-3064, as the vulnerability is tracked, is a buffer overflow flaw that occurs when parsing user-supplied input in a fixed-length location on the stack. A proof-of-concept exploit Randori researchers developed demonstrates the considerable damage that can result.

Read 13 remaining paragraphs | Comments

index?i=8WzXtU4jvck:9YWHs5KMzs0:V_sGLiPB index?i=8WzXtU4jvck:9YWHs5KMzs0:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments