CVE-2020-27780 – Linux-pam vulnerability – Improper Authentication (18th Dec 2020)

Background: Linux pam originated from the open source implementation of the software DCE-RFC of Sun, a well-known manufacturer later acquired by Oracle. PAM is called Pluggable Authentication Modules, which can be inserted into authentication modules. Various authentication modules and plug-ins can be dynamically introduced for authentication without reloading the system, very flexible.

Vulnerability details: When the user doesn’t exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.

Reason: The default options set on pam_pwquality above include local_users_only, which tells pam_pwquality to ignore users that are not in the local [/]etc[/]passwd file. However, the blank check could return 1 if root had empty password
because in the second case (refer to diagram) the password hash of root was used.


CVE-2021-3006 (Loopring(LRC) Protocol Incident)- If you are passionate about cryptocurrency. You should be alert of this. (4th Jan 2021)

Background: In November 2020, lots of DeFi platforms in Ethereum encounters a security incident, such as Pickle Finance, 88mph.

What Is Decentralized Finance (DeFi)?
By deploying immutable smart contracts on Ethereum, DeFi developers can launch financial protocols and platforms that run exactly as programmed and that are available to anyone with an Internet connection.

What Are Flash Loans in DeFi?
A loan from strangers is possible in DeFi. In order to fulfill this request. The individuals should repay the lender in the same transaction that issued the funds.

Vulnerability details: The Farm contract is deployed in every Seal pool and the function breed() in the contract is used to issue new Seal tokens.However there is no access control designed for the breed() function, anyone can calls the breed() function of the Farm contract.

CVE-2021-3006 Detail –