
Weekly threat roundup: Microsoft Teams, VMware and QNAP NAS drives

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Wormable’ zero-click RCE flaw in Teams

For a few months this year, hackers were able to exploit a serious vulnerability in the Microsoft Teams desktop app to execute arbitrary code and spread infection across a company network.

The zero-click flaw could have been triggered by cross-site scripting (XSS) injection in Teams, with hackers able to transmit a specially-crafted malicious message which would execute code when seen. No further user interaction would be required.

This is according to researcher Oskars Vegeris, who reported the flaw to Microsoft in August before it was patched in October. In a technical breakdown of the vulnerability, the researcher highlighted how RCE can be achieved by chaining two flaws: stored XSS in Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client. Microsoft, however, didn’t issue a CVE tag, given it’s the company’s standard practice not to do so with platforms that update automatically, such as Microsoft Teams.

Russian hackers exploiting VMware flaws

Recently-patched vulnerabilities found in a series of VMware products are being actively exploited by Russian state-backed cyber criminals, according to the US National Security Agency (NSA). The affected products include Workspace One Access, Identity Manager, Access Connector and Identity Manager Connector.

Customers were previously warned about the command injection flaw, reported in a previous threat roundup in November, and the way it could allow hackers to take control of vulnerable machines if successfully exploited. Tagged CVE-2020-4006, the flaw allows successful takeover should hackers be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

The NSA has recommended that network administrators limit the accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access. Critical portions of this activity can also be blocked by disabling the firm’s configurator service. This is, of course, outside of applying the necessary patches.

QNAP patches several bugs in NAS devices

QNAP has this week patched a series of high and medium-risk security flaws in its NAS devices, which are used for backing up data. Exploiting these eight vulnerabilities can lead to the takeover of a victim’s device.

The command injection and XSS bugs affect all QNAP NAS devices running vulnerable software, and could allow cyber criminals to inject malicious code remotely. Exploiting the command injection flaws, meanwhile, could allow them to escalate user privileges and seize control of the operating system. 

Four XSS vulnerabilities and a command injection flaw were reported to affect earlier versions of QTS and QuTS hero, while hackers could also exploit flaws in Music Station, Multimedia Console and Photo Station.

Four high-severity bugs in Chrome

The latest Google Chrome update fixes a range of security flaws, including four that were classed as highly severe in nature, affecting the Windows, macOS and Linux versions of the widely-used web browser.

Three of these flaws are use-after-free vulnerabilities, with CVE-2020-16037 affecting Chrome’s clipboard function, CVE-2020-16038 affecting the Chrome media component and CVE-2020-16039 affecting the browser extensions element. The fourth, tagged as CVE-2020-16040, is an insufficient data validation bug in the V8 JavaScript engine.

Eight flaws in total were fixed, with six discovered by external researchers, according to cyber security firm ESET. System administrators have also been warned by the US Cybersecurity and Infrastructure Security Agency (CISA) in a security advisory to update their browsers immediately as the flaws can be exploited to take control of targeted systems.

Open source flaws exposing millions of devices

Smart devices from more than 150 vendors are embedded with 33 vulnerabilities that can cause widespread disruption to organisational operations around the world, including healthcare services, manufacturers, and retailers. 

Dubbed Amnesia:33, the flaws could also pose a physical risk to those who purchase these devices. Researchers with Forescout Research found that four of these bugs are critical, with potential for remote code execution in some. Attackers may exploit these flaws to take control of a device and use it as a network entry point, for example, or a pivot point for lateral movement, a persistence point on a target network, or the final target itself.

The Amnesia:33 flaws affect multiple open source TCP/IP stacks not owned by a single vendor, including uIP, FNET, picoTCP and Nut/Net. This means a single flaw may spread silently across multiple codebases, teams, firms, and platforms. This poses a significant challenge to patch management.
