NEWS > Lab
December 16, 2024
X41 Audited Backstage
X41 finished auditing the Backstage platform and releases the resulting report.
September 12, 2024
Advisory X41-2024-003: DoS Vulnerability in Chilkat ASN.1 Decoder
X41 discovered a vulnerability in Chilkat's ASN.1 decoder
September 09, 2024
Advisory X41-2024-002: Multiple Vulnerabilities in Antragsgrün
X41 discovered multiple vulnerabilities in Antragsgrün
April 03, 2024
Advisory X41-2024-001: Weak Chilkat PRNG
The Chilkat library generated secret key material using a pseudorandom number generator not designed for cryptographic purposes. Attackers observing a sufficient number of outputs can recover its past and future outputs. This includes, for example, key material generated with it, allowing attackers to decrypt or alter data protected by the key material.
February 13, 2024
X41 Source Code Audit of ISC BIND 9
X41 releases the code audit report of BIND 9
September 21, 2023
Advisory X41-2023-001: Two Vulnerabilities in OPNsense
Yasar Klawohn and JM of X41 discovered multiple vulnerabilities in OPNsense
January 17, 2023
X41 Audited Git
X41 releases the audit report of Git
October 26, 2022
X41 Audited The Update Framework (TUF)
X41 releases the audit report of The Update Framework.
August 30, 2022
X41 Audited Backstage
X41 finished auditing the Backstage platform and releases the resulting report.
June 28, 2022
AnyZone - Delegated zones for every IP
AnyZone lets you easily get a delegated zone for testing purposes without touching zone files
June 14, 2022
Wrapping up Unikernel Security Research
As part of his master's thesis, Leonard Rapp analyzed the security of various popular unikernels. This blog post is the last one in the unikernel series. It discusses some of the findings and draws a conclusion.
May 18, 2022
Missing or Weak Mitigations in Various Unikernels
Several security weaknesses and missing mitigations were discovered in various unikernel systems
March 09, 2022
RustyHermit Security Vulnerabilities & Missing Mitigations
The research unikernel RustyHermit was further audited for security vulnerabilities and the effectiveness of its mitigations.
January 18, 2022
Telenot Complex: Insecure AES Key Generation
CVE-2021-34600: How predictable random numbers (literally) open the door for attackers: Our discovery of a flaw in the generation of AES keys, used for both physical and remote access, in a popular alarm system's parameterization software. Includes a proof-of-concept for cloning NFC tags!
January 18, 2022
Advisory X41-2021-003: Telenot complex - Insecure AES Key Generation
The compasX parameterization software for complex alarm systems generated the AES keys used for both physical access control (via NFC tags) and remote management in an insecure fashion.
January 12, 2022
RustyHermit Missing Memory Protections
The research unikernel RustyHermit lacks several memory protection mechanisms, which significantly eases attacks on vulnerable applications.
May 25, 2021
nginx DNS Resolver Off-by-One Heap Write Vulnerability
An off-by-one error in ngx_resolver_copy() while processing DNS responses allows a network attacker to write a dot character ('.', 0x2E) out of bounds in a heap-allocated buffer.
May 03, 2021
QR Code reconstruction
Reconstructing a QR Code from partially censored images.
January 28, 2021
Advisory X41-2021-001: Multiple Vulnerabilities in YARA
Luis Merino of X41 discovered multiple vulnerabilities in YARA
December 21, 2020
Microsoft Exchange Remote Code Execution - CVE-2020-16875
The patch for CVE-2020-16875 in Microsoft Exchange can be bypassed to gain remote code execution again.