Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Ghost notifications’ on the NHS COVID-19 app

The latest update to the NHS’ coronavirus contact tracing mobile app has fixed an issue where users were regularly notified that they were subjected to a “potential exposure”, only for the notification to disappear without a trace shortly after.

The messages wouldn’t give any more information and would disappear from users’ notifications centres once they interacted with it. An earlier update added a second notification informing users they were safe, and that it was effectively a false alarm, if applicable, but developers have now scrapped these entirely.

The latest update will also make the app better at approximating distances between users, which allow for more accurate assessments as to whether users should self-isolate.

Critical bug in Nvidia’s DGX A100 server line

Nvidia has patched a critical flaw in its high-performance line of DGX servers which, if exploited successfully, could have allowed an attacker to take control of sensitive data held on the systems.

There were nine patches in total released this week fixing vulnerabilities in the firmware used by the DGX high-performance computing (HPC) units, conventionally deployed in massive enterprises and government organisations. These systems are used for AI tasks, machine learning, and data modelling, among other purposes.

One highly severe bug, tagged CVE-2020-11487, however, won’t receive a patch until the second quarter of 2021. This flaw is tied to a hard-coded RSA 1024 key with weak ciphers, which could lead to potential information disclosure.

100,000 machines still vulnerable to 10/10 SMBGhost exploit

Security researcher Jan Kopriva has estimated that approximately 103,000 machines are vulnerable to the critical SMBGhost vulnerability in the Server Message Block (SMB) protocol discovered in March.

This is despite Microsoft releasing a patch for the wormable remote code execution (RCE) flaw, which could allow hackers to spread malware across machines without any need for user interaction. The wormable flaw, tagged CVE-2020-0796, is ranked as critical and holds a 10 score on the CVSS severity scale. Microsoft deemed it so severe that it received an out-of-band fix outside of the routine Patch Tuesday cycle.

Despite this, Kopriva has accumulated data from Shodan over the last eight months that suggests many businesses still haven’t patched potentially vulnerable systems.

Warning for unpatched Oracle WebLogic server consoles

Dean of Research at the SANS Technology Institute, Johannes Ullrich, has warned that hackers are actively scanning for vulnerable WebLogic systems that were affected by an RCE vulnerability, something that Oracle has since patched.

This flaw, tagged CVE-2020-14882 and rated 9.8 on the CVSS scale, was patched as part of Oracle’s gigantic quarterly ‘critical patch update’ recently, although it doesn’t necessarily mean that businesses have applied the fix. As a result of the activity, detected after setting up a ‘honeypot’, Ullrich has warned IT admins that if they find a vulnerable server in their network they should “assume it has been compromised”.

Featured Resources

Become a digital service provider

How to transform your business from network core to edge

Download now

Optimal business results with the cloud

Evaluating the best approaches to hybrid cloud adoption

Download now

Virtualisation that enables choices, not compromises

Harness the virtualisation technology that's right for your hybrid infrastructure

Download now

Email security threat report 2020

Four key trends from spear fishing to credentials theft

Download now

Recommended

How LogPoint uses MITRE ATT&CK
Whitepaper

How LogPoint uses MITRE ATT&CK

15 Jan 2021
How LogPoint uses MITRE ATT&CK
Whitepaper

How LogPoint uses MITRE ATT&CK

15 Jan 2021
How LogPoint uses MITRE ATT&CK
Whitepaper

How LogPoint uses MITRE ATT&CK

15 Jan 2021
Weekly threat roundup: Microsoft Defender, Adobe, Mimecast
vulnerability

Weekly threat roundup: Microsoft Defender, Adobe, Mimecast

14 Jan 2021

Most Popular

150,000 arrest records accidentally deleted from police database
data management

150,000 arrest records accidentally deleted from police database

15 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021