TruffleHog, Fade In and BSAFE Crypto-C vulnerabilities
嗯,用户让我用中文总结一下这篇文章的内容,控制在一百个字以内,而且不需要以“文章内容总结”或者“这篇文章”这样的开头,直接写描述即可。好的,首先我需要仔细阅读这篇文章,找出主要的信息。 文章主要讲的是Cisco Talos团队最近披露了三个漏洞,分别是在Dell BSAFE、Fade In和Trufflehog软件中发现的。具体来说,Dell BSAFE有三个漏洞,包括整数溢出、下溢和堆栈溢出;Fade In有两个漏洞,都是与XML解析有关的内存问题;Trufflehog有一个任意代码执行的漏洞。所有这些漏洞都已经修复了,并且遵循了Cisco的第三方漏洞披露政策。文章还提到可以下载Snort的最新规则集来检测这些漏洞的利用,并且最新的漏洞公告发布在Talos Intelligence网站上。 接下来,我需要将这些信息浓缩到100字以内。重点包括:Cisco Talos团队、三个软件、各自的漏洞类型、已经修复、以及检测和公告的信息。 可能的结构是:Cisco Talos团队披露了Dell BSAFE、Fade In和Trufflehog中的多个安全漏洞,包括整数溢出、内存错误和代码执行问题。所有漏洞已修复,并提供检测工具和公告链接。 这样应该可以控制在100字以内,并且直接描述内容,不使用开头语。 </think> Cisco Talos团队披露了Dell BSAFE、Fade In和Trufflehog中的多个安全漏洞,包括整数溢出、内存错误和代码执行问题。所有漏洞已修复,并提供检测工具和公告链接。 2025-11-4 14:25:16 Author: blog.talosintelligence.com(查看原文) 阅读量:8 收藏

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Dell BSAFE, two in Fade In screenwriting software, and one in Trufflehog 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Fade In out-of-bounds write vulnerabilities

Discovered by Piotr Bania of Cisco Talos.

Fade In is a cross-platform text handling software for screenwriters.

TALOS-2025-2250 (CVE-2025-53855) is an out-of-bounds write vulnerability in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .fadein file can lead to an out-of-bounds write.

TALOS-2025-2252 (CVE-2025-53814) is a use-after-free vulnerability in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .xml file can lead to heap-based memory corruption. 

TruffleHog arbitrary code execution vulnerability

Discovered by Adam Reiser of Cisco ASIG.

TruffleHog is a detection system for code repositories and ticket systems that finds exposed sensitive information, such as API keys and passwords. This vulnerability is described in an accompanying article on the Truffle Security website. The vuln is an arbitrary code execution vulnerability in the Git functionality of TruffleHog 3.90.2, TALOS-2025-2243 (CVE-2025-41390). A specially crafted repository can lead to a arbitrary code execution. An attacker can provide a malicious repository to trigger this vulnerability.

Dell BSAFE integer overflow, underflow, and stack overflow vulnerabilities

Discovered by Jason Crowder.

Dell BSAFE Crypto-C is FIPS-140 validated cryptography development kit for C/C++ environments. In cooperation with Jason Crowder, Talos published three vulnerabilities in the Dell BSAFE Crypto-C module. This product is at end of service; the vulnerable versions were added to an existing CVE.

TALOS-2025-2140 (CVE-2019-3728) is an integer overflow vulnerability, and TALOS-2025-2141 (CVE-2019-3728) is an integer underflow vulnerability. In both cases, a specially crafted ASN.1 record can lead to an out-of-bounds read. An attacker can provide a malformed ASN.1 record to trigger this vulnerability.

TALOS-2025-2142 (CVE-2019-3728) is a stack overflow vulnerability. A specially crafted ASN.1 record can lead to denial of service.


文章来源: https://blog.talosintelligence.com/trufflehog-fade-in-and-bsafe-crypto-c-vulnerabilities/
如有侵权请联系:admin#unsafe.sh