Weekly threat roundup: Apple, VMware, OpenSSL
Pulling together the most dangerous and pressing flaws that businesses need to patch
Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including a summary of the exploit mechanism and whether the vulnerability is being exploited in the wild, to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Apple WebKit zero-day under exploitation
Apple has released an emergency patch fixing a zero-day vulnerability in its iOS, iPadOS, and watchOS operating systems that has been exploited by unidentified hackers.
Tracked as CVE-2021-187, the flaw resides in WebKit, which is an open source browser engine primarily used in the Safari web browser, as well as all iOS web browsers, alongside various other iOS and iPadOS apps.
Hackers were able to exploit the flaw by sending victims a malicious link and executing arbitrary code through a cross-site scripting (XSS) attack, with potential implications including the theft of sensitive data or forced changes to the appearance of a website.
Apple has rolled out patches for all versions of the iPad Pro, iPad Air 2 and later, the fifth generation of the iPad and later, iPad mini 4 and later, and the seventh generation of the iPod touch. This is in addition to updates released for all Apple Watch products, and all iPhones from iPhone 6s.
VMware patches severe vRealize flaws
VMware has patched two critical vulnerabilities in its vRealize Operations platform that could allow cyber criminals to infiltrate corporate networks, steal user credentials, and manipulate underlying systems.
This is a platform augmented with artificial intelligence that's capable of managing IT operations in various cloud deployments, allowing admins to monitor, troubleshoot, and manage the health and capacity of virtual IT environments.
The first flaw, tracked as CVE-2021-21975, is rated 8.6 on the CVSS threat severity scale. If exploited, it could allow a malicious actor with network access to the vRealize Operations Manager API to perform a server-side request forgery attack to steal admin credentials.
A second flaw, tracked as CVE-2021-21983, is considered less severe as it requires an attacker to be authenticated in order to exploit it. There are fears, however, that it can be chained with the first bug to allow hackers to write files to various locations on the underlying operating system.
OpenSSL fixes major denial of service bug
The most widely used encryption software library, OpenSSL, has patched a severe flaw that could have allowed hackers to crash a large number of servers.
The open source cryptography toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols is used across a host of products and platforms, including Linux as well as other software and email clients.
The latest update, OpenSSL 1.1.1k, fixed two severe bugs, including CVE-2021-3449, which could have been exploited by hackers to crash vulnerable web servers or email servers at will, causing a repeated denial of service (DoS).
The second flaw, CVE-2021-3450, was a more complex issue that could have allowed security checks to be circumvented when an application verifies the validity of a TLS certificate.
Netmask flaw allows hackers to bypass server access controls
A vulnerability in the netmask npm networking library could give hackers the ability to bypass server access controls and launch server-side request forgery attacks, according to research by Sick Codes.
The nine-year-old flaw is considered far-reaching as hundreds of thousands of apps use the package to parse or compare IPv4 addresses and Classless Inter-Domain Routing (CIDR) blocks. The code was downloaded three million times last week alone, with 278,000 GitHub repositories using it.
The issue centres on the way netmask handles mixed-format IP addresses: when an octet is written with a leading zero, the library parses it as a different address from the one that is actually reached. The researchers warned that anyone could submit an address to netmask that looks like a private IP, but then connects to a public IP to download malicious files.
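The leading-zero ambiguity described above, as an added example that is not netmask's own code: the same octet string read as plain decimal versus the way inet_aton-style parsers treat a leading zero (octal) or 0x (hex), plus a strict validator that rejects anything other than canonical dotted decimal. The names parseIPv4, strictIPv4, isPrivate and explain are assumptions for this example.

```javascript
// Added example, not netmask's own code: a leading-zero octet changes meaning
// between a lenient decimal parse and inet_aton-style parsing; a strict
// validator refuses such input instead of reinterpreting it.

// Parse one octet. mode "decimal": always base 10 (the lenient reading).
// mode "inet_aton": "0x.." is hex and "0.." is octal, as the OS resolver does.
function parseOctet(text, mode) {
  if (mode === "inet_aton" && /^0[xX]/.test(text)) {
    return /^0[xX][0-9a-fA-F]+$/.test(text) ? parseInt(text, 16) : NaN;
  }
  if (mode === "inet_aton" && /^0\d/.test(text)) {
    return /^0[0-7]+$/.test(text) ? parseInt(text, 8) : NaN; // "08" is invalid
  }
  return /^\d+$/.test(text) ? parseInt(text, 10) : NaN;
}

// Returns canonical dotted decimal, or null if any octet is invalid.
function parseIPv4(addr, mode) {
  const parts = addr.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => parseOctet(p, mode));
  if (octets.some((o) => Number.isNaN(o) || o > 255)) return null;
  return octets.join(".");
}

// Strict policy: four octets of 0-255, plain decimal, no leading zeros, no hex.
const STRICT_IPV4 =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
function strictIPv4(addr) {
  return STRICT_IPV4.test(addr) ? addr : null;
}

// Private (RFC 1918) or loopback range check on a canonical address.
function isPrivate(canonical) {
  const [a, b] = canonical.split(".").map(Number);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31);
}

// Constructed input: "010.0.0.1" looks like 10.0.0.1 to a decimal parser but
// is 8.0.0.1 (public) to inet_aton, so an allowlist check on the first reading
// lets a request reach the second. The strict validator refuses it outright.
function explain(addr) {
  return {
    lenient: parseIPv4(addr, "decimal"),
    os: parseIPv4(addr, "inet_aton"),
    strict: strictIPv4(addr),
  };
}
```

Call explain("010.0.0.1") to see the three readings side by side; the defensive takeaway is to validate with strictIPv4 before any comparison against a private-range allowlist.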

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.