Weekly threat roundup: Cisco, BlueKeep, Apache Unomi

Patch management is far easier said than done, and security teams are often forced to prioritise between fixes for several business-critical systems that all land at once. It has become typical, for example, for dozens of patches to ship on Microsoft's Patch Tuesday, with other vendors routinely releasing their own fixes in the same week.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including a summary of each exploit mechanism and whether the vulnerability is known to be exploited in the wild, to give teams a sense of which bugs pose the most dangerous immediate risk.

‘Ghost’ vulnerability in Cisco Webex

Cisco has patched a flaw in its Webex video conferencing platform that could allow an attendee to act as a 'ghost' in a live meeting, spying on participants without their knowledge.

The medium-severity flaw, assigned CVE-2020-3419, allowed a remote attacker to join a session without appearing on the participant list. Cisco attributes it to improper handling of authentication tokens by a vulnerable Webex site. Successful exploitation required the attacker to already have what is needed to join the meeting, such as the join link and password, but once in they gained full access to audio, video, chat and screen-sharing content while remaining invisible to the host and other attendees.

RCE flaws left out of Cisco Security Manager patch notes

Eyebrows were raised when security researcher Florian Hauser claimed that the latest patch notes released by Cisco this week omitted details of 12 severe security flaws in the company's Security Manager (CSM) tool. The 12 bugs were reported to the networking giant in July, and almost all of them allow remote code execution.

According to Hauser, Cisco neither mentioned the flaws in its recent patch notes nor published security advisories when CSM was updated to version 4.22 earlier this month. In response, the researcher published proof-of-concept code for all 12 flaws.

Cisco subsequently released three advisories, for vulnerabilities tagged CVE-2020-27130, CVE-2020-27131 and CVE-2020-27125, crediting Hauser with their discovery. Administrators running CSM should treat the 4.22 update as a security release and apply it, since the public proof-of-concept code lowers the bar for exploitation considerably.

Warning issued over historic flaws - including BlueKeep

Millions of internet-facing devices remain exposed to well-known, long-patched flaws, according to analysis by security researcher Jan Kopriva, including roughly 240,000 machines still susceptible to BlueKeep.

Although the infamous vulnerability was disclosed more than a year and a half ago, an alarming number of devices remain unpatched. This is particularly concerning given the widely publicised 'wormable' nature of the flaw: it sits in the pre-authentication stage of Remote Desktop Protocol, so it can spread between machines on a corporate network without any user interaction.

By querying the Shodan search engine, Kopriva obtained a rough indication of the number of devices exposed to specific flaws, all disclosed before 2020. For example, an Apache HTTP Server root privilege escalation flaw tagged CVE-2019-0211 still shows up on 3,357,835 hosts, and the Heartbleed OpenSSL flaw still affects 204,878 devices despite a patch having been released more than six years ago. The figures are based on version strings in service banners rather than on confirmed exploitation, so they should be read as an upper bound on exposure rather than an exact count of vulnerable systems.

Cookie and file theft in Firefox for Android

Mozilla has rolled out a fix for a vulnerability in the Android version of its Firefox browser after a researcher showed it could be exploited to steal files from the device, including the cookies for previously visited websites.

Tagged CVE-2020-15647, the vulnerability lies in how Firefox for Android handled content URIs, the identifiers Android uses for data exposed through a content provider, which can include files stored locally on the device. Researcher Pedro Oliveira demonstrated that it was possible to steal files from the device solely by having the victim visit a web page, including the browser's database containing cookies for every domain the user had visited.

Mozilla acknowledged the report swiftly when it was first flagged in June this year and shipped a fix in July 2020. This is the second prominent Firefox for Android flaw disclosed in recent weeks, following a bug that could allow an attacker on the same Wi-Fi network to hijack browser sessions.

Apache Unomi RCE flaw discovered

Apache Unomi, an open source customer data platform written in Java, contained a now-patched flaw that allowed attackers to send requests carrying MVEL and OGNL expressions, which the server evaluated. Because both expression languages can instantiate arbitrary Java classes, this led to remote code execution. The bug is a bypass of an earlier, incomplete fix for the same expression-injection problem (CVE-2020-11975, addressed in version 1.5.1), so installations patched for the first issue are still affected.

The flaw, tagged CVE-2020-13942 and rated the maximum 10.0 on the CVSS severity scale, was discovered by the Checkmarx Security Research Team. Its disclosure attracted attention because Unomi is a highly attractive target: the platform integrates with CMS, CRM and native mobile apps, among other systems, and holds a large amount of personal data.

The vulnerability has been fixed, and users have been urged to upgrade to Apache Unomi version 1.5.2 or later as soon as possible. Because the endpoints involved are designed to be called directly by visitors' browsers, network filtering is not a substitute for the upgrade.
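
For teams that cannot upgrade immediately or want to hunt for attempts in web logs, the following added example (not Apache Unomi project code, and not Checkmarx's proof of concept) walks JSON request bodies and flags string values that look like MVEL or OGNL expressions. The endpoint paths, the `script::` prefix used as an MVEL marker, the indicator patterns and the sample requests are all assumptions made for illustration; the sample bodies are constructed, not captured traffic.

```python
"""Flag JSON request bodies that carry MVEL/OGNL expression fragments.

Added example; not Apache Unomi code. Assumed, not from the article:
the watched endpoint paths, the "script::" MVEL marker and the
indicator patterns. All sample requests below are constructed.
"""
import json
import re
from typing import Iterator, List, Tuple

# Indicators of expression-language payloads (illustrative, not exhaustive).
EXPRESSION_MARKERS = [
    re.compile(r"^\s*script::", re.IGNORECASE),   # assumed MVEL marker
    re.compile(r"@[\w.]+@\w+\s*\("),               # OGNL static call, e.g. @java.lang.Runtime@getRuntime(
    re.compile(r"Runtime\.getRuntime\s*\("),       # JVM process execution
    re.compile(r"ProcessBuilder\s*\("),
    re.compile(r"\.exec\s*\("),
]

# Endpoints that accept visitor-supplied conditions (assumed paths).
WATCHED_PATHS = ("/context.json", "/eventcollector")


def iter_strings(node) -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf in a parsed JSON document."""
    stack = [("$", node)]
    while stack:
        path, cur = stack.pop()
        if isinstance(cur, dict):
            for key, val in cur.items():
                stack.append((f"{path}.{key}", val))
        elif isinstance(cur, list):
            for idx, val in enumerate(cur):
                stack.append((f"{path}[{idx}]", val))
        elif isinstance(cur, str):
            yield path, cur


def find_expressions(body: str) -> List[dict]:
    """Return one hit per string value that matches an expression marker."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []          # not JSON; out of scope for this detector
    hits = []
    for path, value in iter_strings(doc):
        for pattern in EXPRESSION_MARKERS:
            if pattern.search(value):
                hits.append({"path": path, "pattern": pattern.pattern, "value": value[:80]})
                break      # one hit per value is enough for triage
    return hits


def triage(requests: List[Tuple[str, str, str]]) -> List[dict]:
    """requests: (method, path, body) tuples. Returns alerts for watched paths only."""
    alerts = []
    for method, path, body in requests:
        if not path.startswith(WATCHED_PATHS):
            continue
        hits = find_expressions(body)
        if hits:
            alerts.append({"method": method, "path": path, "hits": hits})
    return alerts


def _condition(property_name: str) -> dict:
    """Build a minimal profile-property filter body (constructed shape)."""
    return {
        "sessionId": "s1",
        "filters": [{"id": "f1", "filters": [{"condition": {
            "type": "profilePropertyCondition",
            "parameterValues": {"propertyName": property_name,
                                "comparisonOperator": "equals",
                                "propertyValue": "alice"}}}]}],
    }


# Constructed sample traffic: one benign lookup, one expression payload, one unrelated GET.
SAMPLE_REQUESTS = [
    ("POST", "/context.json", json.dumps(_condition("nickname"))),
    ("POST", "/context.json", json.dumps(_condition("script::Runtime.getRuntime().exec('id')"))),
    ("GET", "/cxs/profiles/count", ""),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_REQUESTS):
        print(alert)
```

The JSON path in each hit tells an analyst exactly which field carried the expression, which is what you need when deciding whether a request was a scanner probing the condition parameters or a legitimate integration with an unusual property name.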

Critical remote attacking flaw found in industrial machinery

The 499ES EtherNet/IP (ENIP) stack built by Real-Time Automation (RTA) contains a critical flaw that could allow a remote attacker to compromise connected industrial machinery. RTA licenses the stack's source code to equipment makers, who embed it in the controllers and adapters used in industrial and manufacturing environments, so the affected products span multiple vendors.

Tracked as CVE-2020-25159 and rated 9.8 out of 10 on the CVSS scale, the stack-based buffer overflow affects versions of the ENIP stack prior to 2.28. An attacker who can reach the device's EtherNet/IP port can send a specially crafted packet that results in a denial-of-service condition or arbitrary code execution, with no authentication required.
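
Stack overflows of this kind typically come from trusting a length field inside the packet when copying item data into a fixed-size buffer. The following added example, which is not RTA's code and does not reproduce the CVE-2020-25159 bug itself, parses the EtherNet/IP encapsulation header and the Common Packet Format (CPF) items it carries, checking every declared length against both the bytes actually received and a fixed maximum before accepting the item. The buffer limit `MAX_ITEM_DATA` and the sample frames are assumptions made for illustration; the frames are constructed, not captured from a device.

```python
"""Bounds-checked parser for EtherNet/IP encapsulation + Common Packet Format.

Added example; not RTA 499ES code. MAX_ITEM_DATA stands in for the
fixed-size buffer a device stack would copy item data into (assumed
value). All frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Encapsulation header, little-endian: command, length, session handle,
# status, sender context (8 bytes), options. 24 bytes in total.
ENCAP_HEADER = struct.Struct("<HHIIQI")
ENCAP_HEADER_LEN = ENCAP_HEADER.size
CMD_SEND_RR_DATA = 0x6F
CPF_ITEM_HEADER = struct.Struct("<HH")    # item type id, item length
MAX_ITEM_DATA = 504                        # assumed fixed buffer size in a device stack


class MalformedFrame(ValueError):
    """Raised for any frame whose declared sizes do not match what was received."""


@dataclass
class CpfItem:
    type_id: int
    data: bytes


def parse_encap(frame: bytes) -> Tuple[int, int, bytes]:
    """Validate the encapsulation header; return (command, session, payload)."""
    if len(frame) < ENCAP_HEADER_LEN:
        raise MalformedFrame("short encapsulation header")
    command, length, session, _status, _ctx, _options = ENCAP_HEADER.unpack_from(frame, 0)
    actual = len(frame) - ENCAP_HEADER_LEN
    if length != actual:
        raise MalformedFrame(f"declared length {length} != actual payload {actual}")
    return command, session, frame[ENCAP_HEADER_LEN:]


def parse_cpf(payload: bytes) -> List[CpfItem]:
    """Parse a SendRRData body: interface handle, timeout, then CPF items."""
    if len(payload) < 8:
        raise MalformedFrame("short SendRRData body")
    _iface, _timeout, item_count = struct.unpack_from("<IHH", payload, 0)
    offset = 8
    items = []
    for _ in range(item_count):
        if offset + CPF_ITEM_HEADER.size > len(payload):
            raise MalformedFrame("item header runs past end of frame")
        type_id, item_len = CPF_ITEM_HEADER.unpack_from(payload, offset)
        offset += CPF_ITEM_HEADER.size
        # Check 1: the copy would exceed the destination buffer.
        if item_len > MAX_ITEM_DATA:
            raise MalformedFrame(f"item length {item_len} exceeds buffer size {MAX_ITEM_DATA}")
        # Check 2: the copy would read beyond the bytes actually received.
        if offset + item_len > len(payload):
            raise MalformedFrame("item data runs past end of frame")
        items.append(CpfItem(type_id, payload[offset:offset + item_len]))
        offset += item_len
    if offset != len(payload):
        raise MalformedFrame("trailing bytes after last item")
    return items


def build_send_rr_data(items: List[Tuple[int, bytes]], session: int = 0x12345678) -> bytes:
    """Assemble a well-formed SendRRData frame from (type_id, data) items."""
    body = b"".join(CPF_ITEM_HEADER.pack(t, len(d)) + d for t, d in items)
    payload = struct.pack("<IHH", 0, 0, len(items)) + body
    return ENCAP_HEADER.pack(CMD_SEND_RR_DATA, len(payload), session, 0, 0, 0) + payload


def check_frame(frame: bytes) -> str:
    """Return 'ok' for an accepted frame, otherwise the rejection reason."""
    try:
        command, _session, payload = parse_encap(frame)
        if command == CMD_SEND_RR_DATA:
            parse_cpf(payload)
        return "ok"
    except MalformedFrame as exc:
        return f"rejected: {exc}"


# Constructed frame: null address item + unconnected data item carrying a short CIP request.
GOOD = build_send_rr_data([(0x0000, b""), (0x00B2, bytes([0x0E, 0x03, 0x20, 0x01, 0x24, 0x01]))])


def craft_bad_length(frame: bytes, new_len: int) -> bytes:
    """Overwrite the second item's length field (offset 38 in GOOD) to mimic a crafted packet."""
    buf = bytearray(frame)
    struct.pack_into("<H", buf, 38, new_len)
    return bytes(buf)


OVERSIZED = craft_bad_length(GOOD, 0xFFFF)   # length larger than any buffer
TRUNCATED = craft_bad_length(GOOD, 100)      # length plausible, but more than was received

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("oversized", OVERSIZED), ("truncated", TRUNCATED)):
        print(name, check_frame(frame))
```

Both crafted frames keep the outer encapsulation length consistent, so a stack that only validates the header still reaches the item copy; the two inner checks are what stop the overflow and the over-read respectively.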

The flaw was discovered by Claroty's Sharon Brizinov and reported to the US government's Cybersecurity and Infrastructure Security Agency (CISA). The agency recommends that users minimise network exposure for all control system devices so they are not reachable from the internet, place control system networks and remote devices behind firewalls, and isolate them from the corporate network.

There are, at the time of publishing, no known public exploits targeting this vulnerability, but because the stack ships inside third-party products, asset owners should check with their equipment vendors rather than with RTA to find out which of their devices contain the affected code.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.