Auto-Generated Password Vulnerability In Sitevision Leaks Signing Key

A critical security flaw in Sitevision CMS versions 10.3.1 and older has exposed SAML authentication signing keys, enabling potential authentication bypass and session hijacking. Sitevision, a widely adopted content management system in Sweden's public sector and enterprise environments, relies on SAML for secure authentication flows.

The vulnerability, tracked as CVE-2022-35202, stems from weak auto-generated passwords protecting Java keystores, which could be extracted and brute-forced to compromise private keys. In non-default configurations, the /webdav/files/ directory became accessible, exposing a saml-keystore file containing the cryptographic keys used to sign SAML Authn requests. Analysts at ShellTrail identified that adversaries could retrieve the keystore's SHA1 password hash using tools like JksPrivkPrepare.jar, then crack it via GPU-accelerated tools like Hashcat. The keystore's contents reveal the oiosaml PrivateKeyEntry, confirming the key's role in SAML signing. Once decrypted, the oiosaml private key allows signing malicious SAML Authn requests.

The compromised private key enables attackers to forge SAML Authn requests with malicious AssertionConsumerServiceURL values. While SAML 2.0 requires Identity Providers (IdPs) to validate this URL against pre-registered SP metadata, some IdPs prioritize signed requests over metadata checks.

Sitevision patched the vulnerability in version 10.3.2 by enforcing stronger passwords, though existing installations require manual key rotation. Organizations using SAML must ensure their IdPs validate AssertionConsumerServiceURL against metadata, irrespective of request signatures.
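
The mitigation the article closes on, an IdP checking AssertionConsumerServiceURL against registered SP metadata no matter whether the request signature verifies, as an added Python example that is not from the article, ShellTrail or Sitevision; the issuer, the metadata table and the sample request are constructed placeholders, and the check uses only the standard library.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed stand-in for the SP metadata registered at the IdP: Issuer -> ACS URLs,
# first entry being the SP's default endpoint. All values are hypothetical.
REGISTERED_SPS: Dict[str, List[str]] = {
    "https://sp.example.se/saml/metadata": ["https://sp.example.se/saml/acs"],
}

def normalize_url(url: str) -> str:
    """Canonicalize scheme/host case and default ports; keep path and query exact."""
    p = urlsplit(url)
    default_port = {"https": 443, "http": 80}.get(p.scheme.lower())
    netloc = p.hostname or ""
    if p.port not in (None, default_port):  # p.port raises ValueError if malformed
        netloc += f":{p.port}"
    return f"{p.scheme.lower()}://{netloc}{p.path}" + (f"?{p.query}" if p.query else "")

def resolve_acs_url(authn_request_xml: str) -> Optional[str]:
    """Return the registered ACS URL to respond to, or None to reject (signature irrelevant)."""
    try:
        root = ET.fromstring(authn_request_xml)
    except ET.ParseError:
        return None
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or issuer_el is None:
        return None
    registered = REGISTERED_SPS.get((issuer_el.text or "").strip())
    if not registered:
        return None  # unknown SP: no metadata to check against
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return registered[0]  # attribute omitted: the metadata default applies
    try:
        wanted = normalize_url(requested)
    except ValueError:
        return None
    # Respond only to a URL taken from metadata, never to the request's own string.
    return next((u for u in registered if normalize_url(u) == wanted), None)

def build_authn_request(issuer: str, acs: Optional[str]) -> str:
    """Constructed sample AuthnRequest for the checks below; Signature omitted."""
    acs_attr = f' AssertionConsumerServiceURL="{acs}"' if acs else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_c0ffee" '
            f'Version="2.0" IssueInstant="2025-02-21T19:30:20Z"{acs_attr}>'
            f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>")
```

Because the check runs before any signature decision and only ever returns a URL taken from metadata, a request signed with a leaked SP key but pointing at an unregistered endpoint is rejected exactly like an unsigned one.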

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 21 Feb 2025 19:30:20 +0000

