Weekly threat roundup: Microsoft Teams, VMware and QNAP NAS drives

Graphic showing a red unlocked padlock surrounded by blue locked padlocks
(Image credit: Shutterstock)

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Wormable’ zero-click RCE flaw in Teams

For a short few months this year, hackers were able to exploit a serious vulnerability in the Microsoft Teams desktop app to execute arbitrary code and spread infection across a company network.

The zero-click flaw could have been triggered by cross-site scripting (XSS) injection in Teams, with hackers able to transmit a specially-crafted malicious message which would execute code when seen. No further user interaction would be required.

This is according to researcher Oskars Vegaris, who reported the flaw to Microsoft in August before it was patched in October. In a technical breakdown of the vulnerability, the researcher highlighted how RCE can be achieved by chaining two flaws, including stored XSS in Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client. Microsoft, however, didn’t issue a CVE tag, given it’s the company’s standard practice not to do so with platforms that update automatically, such as Microsoft Teams.

Russian hackers exploiting VMware flaws

Recently-patched vulnerabilities found in a series of VMware products are being actively exploited by Russian state-backed cyber criminals, according to the US National Security Agency (NSA). These include Workspace One Access, Identity Manager, Access Connector and Identity Manager Connector.

Customers were previously warned about the command injection flaw, reported in a previous threat roundup in November, and the way it could allow hackers to take control of vulnerable machines if successfully exploited. Tagged CVE-2020-4006, allows successful takeover should hackers be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

The NSA has recommended that network administrators limit the accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access. Critical portions of this activity can also be blocked by disabling the firm’s configurator service. This is, of course, outside of applying the necessary patches.

QNP patches several bugs in NAS devices

QNAP has patched a series of high and medium-risk security flaws in its NAS devices, used for backing up data, this week, with the exploitation of these eight vulnerabilities leading to the takeover of a victim’s device.

The command injection and XSS bugs affect all QNAP NAS devices running vulnerable software, and could allow cyber criminals to inject malicious code remotely. Exploiting the command injection flaws, meanwhile, could allow them to escalate user privileges and seize control of the operating system.

Four XSS vulnerabilities and a command injection flaw were reported to affect earlier versions of QTS and QuTS hero, while hackers could also exploit flaws in Music Station, Multimedia Console and Photo Station.

Four high-severity bugs in Chrome

The latest Google Chrome update fixes a range of security flaws, including four that were classed as highly severe in nature, affecting the Windows, macOS and Linux versions of the widely-used web browser.

Three of these flaws are use-after-free vulnerabilities, with CVE-2020-16037 affecting Chrome’s clipboard function, CVE-2020-16038 affecting the Chrome media component and CVE-2020-16039 affecting the browser extensions element. The fourth, tagged as CVE-2020-16040, is an insufficient data validation bug in the V8 JavaScript engine.

Eight flaws in total were fixed, with six discovered by external researchers, according to cyber security firm ESET. System administrators have also been warned by the US Cybersecurity and Infrastructure Security Agency (CISA) in a security advisory to update their browsers immediately as the flaws can be exploited to take control of targeted systems.

Open source flaws exposing millions of devices

Smart devices from more than 150 vendors are embedded with 33 vulnerabilities that can cause widespread disruption to organisational operations around the world, including healthcare services, manufacturers, and retailers.

Dubbed Amnesia:33, the flaws could also pose a physical risk to those who purchase these devices. Researchers with Forescout Research found that four of these bugs are critical, with potential for remote code execution in some. Attackers may exploit these flaws to take control of a device and use it as a network entry point, for example, or a pivot point for lateral movement, a persistence point on a target network, or the final target itself.

The Amnesia:33 flaws affect multiple open source TCP/IP stacks not owned by a single vendor, including uIP, FNET, picoTCP and Nut/Net. This means a single flaw may spread silently across multiple codebases, teams, firms, and platforms. This poses a significant challenge to patch management.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.