Bulletin — August 2023

August brings the first industry-level framework for AI security (OWASP LLM Top 10 v1.0), an AI Village at DEF CON with serious presence for the first time, a five-vulnerability cluster in the TETRA radio standard that affects police and emergency communications in much of the world, and an Ivanti Sentry pre-auth RCE that joins the year’s list of broken perimeter appliances.

OWASP LLM Top 10 v1.0 published

16 August. OWASP publishes version 1.0 of the Top 10 for LLM Applications. Steve Wilson leads the project. It’s the first industry framework that standardises vocabulary and priorities in AI security.

Critical reading of the 10 items, what’s missing and what’s redundant, in our analysis.

DEF CON 31 — AI Village with red-teaming at scale

11–13 August. DEF CON 31 hosts the first large-scale Generative AI Red Team challenge: ~2,200 participants try to provoke harmful behaviour in models from Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI. The White House takes part in the opening — first explicit endorsement of public red-teaming by the Biden administration.

Detailed results come in February 2024, but a few threads leak during the conference:

• Indirect prompt injection remains the most reproducible vector.
• Models resist very differently against the same prompts.
• Attack patterns that work have high cross-model correlation — what GCG already suggested.

Other Village events: presentation of Garak (NVIDIA red-teaming framework), keynotes from Riley Goodside, Simon Willison and Johann Rehberger, and workshops on prompt injection in production.

Source: https://aivillage.org/generative%20red%20team/generative-red-team/

TETRA:BURST — 5 vulns in the TETRA radio standard

9 August. Midnight Blue (NL) researchers publish TETRA:BURST, a set of 5 vulnerabilities in the TETRA standard (TErrestrial Trunked RAdio), used worldwide by police, emergency services, military, public transport and critical industry.

The two key vulns:

• CVE-2022-24401 — key recovery in TEA1 (Terrestrial Encryption Algorithm 1). The TEA1 cipher has a backdoor by design: the effective key is reduced to 32 bits, allowing cracking in minutes on modern hardware. The backdoor has been suspected since the 1990s (export controls); now it’s confirmed.
• CVE-2022-24402 — broken authentication in TEA2: passive attacks allow decrypting traffic, injecting messages and impersonating authenticated users.

Applicability: European and Latin American police forces, critical infrastructure such as SCADA in utilities, military communications in NATO countries. Industry response is slow because patching physical radios at scale is operationally expensive.

Source: https://tetraburst.com/ · https://www.midnightblue.nl/research/tetraburst

CVE-2023-38035 — Ivanti Sentry pre-auth RCE

21 August. Ivanti publishes an advisory on authentication bypass + pre-auth RCE in Sentry (enterprise mobile-app gateway, formerly MobileIron Sentry). CVSS 9.8. Exploited in the wild before the patch.

It’s the third Ivanti product with a critical CVE exploited in the wild in 2023 (after Ivanti EPMM/MobileIron Core in July and others in H1). The Norwegian government had been confirmed as a victim of Ivanti EPMM; Sentry adds to the pattern of a vendor with repeated zero-days in its MDM/edge line.

Immediate mitigation while patching: block the MICS port (8443) externally.

Source: https://www.ivanti.com/blog/security-update-for-ivanti-sentry

Rest of the month

• MOVEit — Cl0p continues. End of August: 820+ confirmed affected organisations.
• CrowdStrike Falcon researcher publishes the writeup of an RCE in the agent via memory corruption (patched in April, disclosed in August).
• PowerShell Gallery typosquatting — multiple malicious packages found mimicking legitimate names.
• WinRAR CVE-2023-38831 — spoofing in .zip or .rar that lets the user execute a file different from the one they pick. Exploited in the wild by several groups (including APTs and financial actors).

Cross-cutting pattern of the month

Two familiar fronts:

1. AI security goes public-professional. OWASP, DEF CON AI Village, White House opening — the field moves out of the forum and into regulatory conversation. The next step (already visible in September–October): model vendors will have to publish safety datasheets and support external red-teaming.
2. Unpatched edge appliances remain the steady vector that delivers for actors with time and operational discipline. TETRA is radio rather than IP, but the logic is the same — an old protocol, widely deployed, with expensive audit.