Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Wormable CVSS 9.8-rated flaw - Microsoft’s Patch Tuesday
Although this week’s Patch Tuesday was a much smaller package than we have come to expect in recent months, with just 87 security fixes released, there were still patches for 11 ‘critical’ exploits among them.
The highlight of the bunch was a wormable flaw in the TCP/IP component of Windows 10 and Windows Server 2019 that, if exploited, could allow an attacker to run code on target systems remotely, and compromise an entire network. This flaw, tagged CVE-2020-16898, was rated 9.8 on the CVSS severity scale.
Another major exploit fixed as part of the wave of updates include a remote code execution bug found in Windows Hyper-V, tagged CVE-2020-16891. This was among bugs fixed in Microsoft Office, Azure Functions, Microsoft Exchange Server, and Adobe Flash player, among other Microsoft software.
Two critical bugs in Adobe’s Magento platform
Nine security vulnerabilities in Adobe’s ecommerce platform, branded Magento, were fixed on Thursday. These included two critical vulnerabilities, file upload allow list bypass and SQL injection flaws, tagged CVE-2020-24407 and CVE-2020-24400 respectively.
The former could have allowed a hacker to execute arbitrary code on targeted systems, while the latter, if exploited, would grant arbitrary read or write access to a database. Both require administrative privileges to execute, however.
Both the Magento Commerce and Magento Open Source platforms were affected by all nine bugs, the company confirmed, including versions 2.3.5-p1 and earlier versions as well as 2.4.0 and earlier versions of both platforms.
Zero-Click Linux Bluetooth flaws
A set of zero-click vulnerabilities in the Linux Bluetooth software can allow an unauthorised attacker to remotely execute arbitrary code, with kernel privileges, on vulnerable devices, according to security engineer Andy Nguyen.
Three flaws, collectively known as BleedingTooth, are present in the open-source BlueZ protocol stack, which provides support for the core Bluetooth layers and protocols on systems running Linux. Intel and Google have both provided advisories detailing the nature of the potential exploit.
2020 cyber security outlook report
Behaviours in the battle between modern attacker and defender
The first, tagged CVE-2020-12351, is a heap-based type confusion present in the Logical Link Control and Adaptation Protocol (L2CAP) of the standard, and can be exploited to send malicious packets and cause denial of service, or even arbitrary code execution. The second, tagged CVE-2020-12352, concerns improper access controls and may allow an attacker to enable information disclosure. The third, meanwhile, tagged CVE-2020-24490, centres on improper buffer restrictions in BlueZ, and may cause denial of service.
SonicWall VPNs under threat by RCE bug
Patches have been released for a critical vulnerability in the SonicOS operating system that runs SonicWall virtual private network (VPN) appliances.
The 9.4-rated vulnerability on the CVSS scale is a denial of service flaw that is caused by a buffer overflow and can allow hackers to potentially execute arbitrary code on systems running the vulnerable OS.
The flaw in approximately 800,000 of the network security appliances affected can be triggered by an unauthenticated HTTP request involving a custom protocol handler, according to researchers from Tripwire. An unskilled attacker can use the flaw to cause a persistent state of denial of service, or possibly even execute arbitrary code remotely.
