Sicurezza – Alert CERT ENG

Alert da Computer Emergency Response Team internazionali (CERT-EU, US-CERT)

  • 2024-114: Multiple Critical CISCO Vulnerabilities
    by Latest publications of type Security Advisories on 25 Ottobre 2024 at 10:11 am

    A set of critical vulnerabilities affecting Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, Cisco Secure Firewall Management Center (FMC) Software, and Cisco Nexus Dashboard Fabric Controller (NDFC) have been identified. These vulnerabilities can potentially allow attackers to conduct various types of attacks, including command injection, remote command execution, arbitrary command execution, and unauthorised access through static credentials due to improper input validation or insecure handling of web services components. Successful exploitation could allow attackers to execute arbitrary commands, gain root-level access through SSH, or gain unauthorised access via static credentials. They obtained CVSS score of 9 out of 10 or more.

  • CISA Adds Two Known Exploited Vulnerabilities to Catalog
    by CISA (Alerts) on 24 Ottobre 2024 at 12:00 pm

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-20481 Cisco ASA and FTD Denial-of-Service Vulnerability CVE-2024-37383 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • Cisco Releases Security Bundle for Cisco ASA, FMC, and FTD Software
    by CISA (Alerts) on 24 Ottobre 2024 at 12:00 pm

    Cisco released its October 2024 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication to address vulnerabilities in Cisco ASA, FMC, and FTD. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.    CISA encourages users and administrators to review the following advisory and apply the necessary updates:   Cisco Event Response: October 2024 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication

  • CISA Releases Four Industrial Control Systems Advisories
    by CISA (Alerts) on 24 Ottobre 2024 at 12:00 pm

    CISA released four Industrial Control Systems (ICS) advisories on October 24, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-298-01 VIMESA VHF/FM Transmitter Blue Plus ICSA-24-298-02 iniNet Solutions SpiderControl SCADA PC HMI Editor ICSA-24-298-03 Deep Sea Electronics DSE855 ICSA-24-268-06 OMNTEC Proteus Tank Monitoring (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA, US, and International Partners Release Joint Guidance to Assist Software Manufacturers with Safe Software Deployment Processes
    by CISA (Alerts) on 24 Ottobre 2024 at 12:00 pm

    Today, CISA—along with U.S. and international partners—released joint guidance, Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers. This guide aids software manufacturers in establishing secure software deployment processes to help ensure software is reliable and safe for customers. Additionally, it offers guidance on how to deploy in an efficient manner as part of the software development lifecycle (SDLC). A well-designed software deployment process can help guarantee customers receive new features, security, and reliability while minimizing unplanned outages.  CISA encourages software and service manufacturers review this guide, evaluate their software deployment processes, and address them through a continuous improvement program. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage.

  • 2024-113: Critical 0-day Vulnerability in Fortinet FortiManager
    by Latest publications of type Security Advisories on 24 Ottobre 2024 at 8:56 am

    On October 23, 2024, Fortinet released a security advisory addressing a critical 0-day vulnerability in its FortiManager product. If exploited, a remote unauthenticated attacker could execute arbitrary code or commands on the affected device. It is strongly recommended applying the update. When not possible, it is recommended applying the workaround. In all cases, it is recommended searching for potential compromise.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 23 Ottobre 2024 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet. CVE-2024-47575 Fortinet FortiManager Missing Authentication Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. CISA encourages users and administrators to see Fortinet Advisory FG-IR-24-423 and apply necessary patches and mitigations. Additionally, see Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) from Google Threat Intelligence for more information.  Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 22 Ottobre 2024 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-38094 Microsoft SharePoint Deserialization Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases One Industrial Control Systems Advisory
    by CISA (Alerts) on 22 Ottobre 2024 at 12:00 pm

    CISA released one Industrial Control Systems (ICS) advisory on October 22, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-296-01 ICONICS and Mitsubishi Electric Products CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • 2024-100: Critical RCE Vulnerability in VMware vCenter Server
    by Latest publications of type Security Advisories on 22 Ottobre 2024 at 8:43 am

    On September 17, 2024, Broadcom released a fix for a critical vulnerability tracked as CVE-2024-38812 in VMware vCenter Server, enabling remote code execution (RCE) via a specially crafted network packet. Following this, on October 21, 2024, Broadcom updated their advisory with additional information about another related vulnerability tracked as CVE-2024-38813.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 21 Ottobre 2024 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-9537 ScienceLogic SL1 Unspecified Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • 2024-112: Critical Vulnerability in Kubernetes
    by Latest publications of type Security Advisories on 17 Ottobre 2024 at 2:37 pm

    On October 14, 2024, Kubernetes released a security advisory addressing a critical vulnerability affecting the Kubernetes Image Builder project. It is recommended updating the Kubernetes Image Builder, and redeploying or mitigating Virtual Machines (VMs) created by the vulnerable Kubernetes Image Builder.

  • CISA Releases Seven Industrial Control Systems Advisories
    by CISA (Alerts) on 17 Ottobre 2024 at 12:00 pm

    CISA released seven Industrial Control Systems (ICS) advisories on October 17, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-291-01 Elvaco M-Bus Metering Gateway CMe3100 ICSA-24-291-02 LCDS LAquis SCADA ICSA-24-291-03 Mitsubishi Electric CNC Series ICSA-24-291-04 HMS Networks EWON FLEXY 202 ICSA-24-291-05 Kieback&Peter DDC4000 Series ICSA-24-270-04 goTenna Pro X and Pro X2 (Update A) ICSA-24-270-05 goTenna Pro ATAK Plugin (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 17 Ottobre 2024 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-40711 Veeam Backup and Replication Deserialization Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • Oracle Releases Quarterly Critical Patch Update Advisory for October 2024
    by CISA (Alerts) on 17 Ottobre 2024 at 12:00 pm

    Oracle released its quarterly Critical Patch Update Advisory for October 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.  CISA encourages users and administrators to review the following Oracle Critical Patch Update Advisory and apply the necessary updates:  Oracle Critical Patch Update Advisory – October 2024

  • CISA and FBI Release Joint Guidance on Product Security Bad Practices for Public Comment
    by CISA (Alerts) on 16 Ottobre 2024 at 12:00 pm

    Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released joint guidance on Product Security Bad Practices, a part of CISA’s Secure by Design initiative. This joint guidance supplies an overview of exceptionally risky product security bad practices for software manufacturers who produce software in support of critical infrastructure or national critical functions.  The bad practices presented in this guidance are organized into three categories: product properties, security features, and organizational processes and policies. This guidance contains brief information about specific bad practices, recommended actions, and additional resources. While this guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices.  CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. For more information and resources, visit CISA.gov/SecureByDesign. The public comment period begins today and concludes on December 16, 2024. During the comment period, members of the public can provide comments and feedback via the Federal Register.

  • CISA, FBI, NSA, and International Partners Release Advisory on Iranian Cyber Actors Targeting Critical Infrastructure Organizations Using Brute Force
    by CISA (Alerts) on 16 Ottobre 2024 at 12:00 pm

    Today, CISA—with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and international partners—released joint Cybersecurity Advisory Iranian Cyber Actors Brute Force and Credential Access Activity Compromises Critical Infrastructure. This advisory provides known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by Iranian actors to impact organizations across multiple critical infrastructure sectors. Since October 2023, Iranian actors have used brute force and password spraying to compromise user accounts and obtain access to organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. CISA and partners recommend critical infrastructure organizations follow the provided guidance, as well as ensure all accounts use strong passwords and register a second form of authentication. For more information on Iranian state-sponsored threat actor activity, see CISA’s Iran Cyber Threat Overview and Advisories page. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including more recommended baseline protections.

  • 2024-111: Multiple Vulnerabilities in Splunk Enterprise and Splunk Cloud
    by Latest publications of type Security Advisories on 16 Ottobre 2024 at 7:37 am

    On October 14, 2024, Splunk released several advisories addressing multiple high and medium severity vulnerabilities affecting Splunk Enterprise and Splunk Cloud. These vulnerabilities could lead to arbitrary file write to Windows system root directory, access to potentially restricted data and remote code execution.

  • 2024-110: Critical Vulnerability in Ivanti Products
    by Latest publications of type Security Advisories on 16 Ottobre 2024 at 7:36 am

    On October 8, 2024, Ivanti addressed a critical vulnerability in Ivanti Connect Secure and Ivanti Policy Secure.

  • Guidance: Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)
    by CISA (Alerts) on 15 Ottobre 2024 at 12:00 pm

    Today, CISA published the Framing Software Component Transparency, created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. This resource serves as the detailed foundation of SBOM, defining SBOM concepts and related terms and offering an updated baseline of how software components are to be represented. This document serves as a guide on the processes around SBOM creation. For more information on all things SBOM, please visit CISA’s Software Bill of Materials website.

  • CISA Adds Three Known Exploited Vulnerabilities to Catalog
    by CISA (Alerts) on 15 Ottobre 2024 at 12:00 pm

    CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases Two Industrial Control Systems Advisories
    by CISA (Alerts) on 15 Ottobre 2024 at 12:00 pm

    CISA released two Industrial Control Systems (ICS) advisories on October 15, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-289-01 Siemens Siveillance Video Camera ICSA-24-289-02 Schneider Electric Data Center Expert CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • 2024-109: Critical vulnerabilities in Gitlab
    by Latest publications of type Security Advisories on 11 Ottobre 2024 at 2:26 pm

    On October 9, 2024, GitLab released an advisory addressing several critical vulnerabilities in GitLab EE/CE affecting versions from 8.16 to 17.4.1. It is recommended updating affected assets as soon as possible.

  • 2024-108: Palo Alto Critical Vulnerabilities
    by Latest publications of type Security Advisories on 11 Ottobre 2024 at 8:22 am

    Palo Alto Networks has disclosed multiple critical vulnerabilities in its Expedition tool that can lead to unauthorised access to firewall credentials and sensitive data, including usernames, passwords, and API keys. The vulnerabilities allow attackers to execute arbitrary commands, read or write files, and exploit SQL injection flaws. Successful exploitation could result in a full takeover of affected systems.

  • 2024-107: Critical Vulnerability in Firefox
    by Latest publications of type Security Advisories on 11 Ottobre 2024 at 8:08 am

    On October 9th, 2024, the Mozilla Foundation issued a security advisory regarding a critical use-after-free vulnerability (CVE-2024-9680) in Firefox.

  • Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies
    by CISA (Alerts) on 10 Ottobre 2024 at 12:00 pm

    CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. F5 BIG-IP is a suite of hardware and software solutions designed to manage and secure network traffic. A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.    CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. Additionally, F5 has developed an iHealth heuristic to detect and alert customers when cookie persistence profiles do not have encryption enabled. BIG-IP iHealth is a diagnostic tool that “evaluates the logs, command output, and configuration of a BIG-IP system against a database of known issues, common mistakes, and published F5 best practices” to help users verify the optimal operation of their BIG-IP systems.

  • CISA Releases Twenty-One Industrial Control Systems Advisories
    by CISA (Alerts) on 10 Ottobre 2024 at 12:00 pm

    CISA released twenty-one Industrial Control Systems (ICS) advisories on October 10, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-284-01 Siemens SIMATIC S7-1500 and S7-1200 CPUs ICSA-24-284-02 Siemens Simcenter Nastran ICSA-24-284-03 Siemens Teamcenter Visualization and JT2Go ICSA-24-284-04 Siemens SENTRON PAC3200 Devices ICSA-24-284-05 Siemens Questa and ModelSim ICSA-24-284-06 Siemens SINEC Security Monitor ICSA-24-284-07 Siemens JT2Go ICSA-24-284-08 Siemens HiMed Cockpit ICSA-24-284-09 Siemens PSS SINCAL ICSA-24-284-10 Siemens SIMATIC S7-1500 CPUs ICSA-24-284-11 Siemens RUGGEDCOM APE1808 ICSA-24-284-12 Siemens Sentron Powercenter 1000 ICSA-24-284-13 Siemens Tecnomatix Plant Simulation ICSA-24-284-14 Schneider Electric Zelio Soft 2 ICSA-24-284-15 Rockwell Automation DataMosaix Private Cloud ICSA-24-284-16 Rockwell Automation DataMosaix Private Cloud ICSA-24-284-17 Rockwell Automation Verve Asset Manager ICSA-24-284-18 Rockwell Automation Logix Controllers ICSA-24-284-19 Rockwell Automation PowerFlex 6000T ICSA-24-284-20 Rockwell Automation ControlLogix ICSA-24-284-21 Delta Electronics CNCSoft-G2 CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • 2024-106: Multiple Critical Vulnerabilities in Microsoft Products
    by Latest publications of type Security Advisories on 9 Ottobre 2024 at 4:06 pm

    On October 8, 2024, Microsoft addressed 118 vulnerabilities in its October 2024 Patch Tuesday update, including five zero-day vulnerabilities. This Patch Tuesday also fixes three critical vulnerabilities.

  • CISA Adds Three Known Exploited Vulnerabilities to Catalog
    by CISA (Alerts) on 9 Ottobre 2024 at 12:00 pm

    CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-23113 Fortinet Multiple Products Format String Vulnerability CVE-2024-9379 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability CVE-2024-9380 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • Adobe Releases Security Updates for Multiple Products
    by CISA (Alerts) on 8 Ottobre 2024 at 12:00 pm

    Adobe released security updates to address multiple vulnerabilities in Adobe software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.     CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:   Security update available for Adobe Substance 3D Printer| APSB24-52 Security update available for Adobe Commerce and Magento Open Source | APSB24-73 Security update available for Adobe Dimension | APSB24-74 Security update available for Adobe Animate | APSB24-76 Security update available for Adobe Lightroom | APSB24-78 Security update available for Adobe InCopy | APSB24-79 Security update available for Adobe InDesign | APSB24-80 Security update available for Adobe Substance 3D Stager | APSB24-81 Security update available for Adobe FrameMaker | APSB24-82