Weekly threat roundup: Blackberry QNX, Cisco VPNs, Fortinet firewalls

Graphic showing a red unlocked padlock surrounded by blue locked padlocks
(Image credit: Shutterstock)

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Blackberry ‘attempted to hide’ QNX flaws

Vulnerabilities in Blackberry’s QNX operating system (OS), known as BadAlloc, were allegedly kept secret for months, according to Politico. Tracked as CVE-2021-22516, they were only disclosed this week after having first been discovered four months ago. Two people speaking to the publication said that company had initially denied that BadAlloc affected its products at all, when speaking to cyber security officials, and later resisted making a public announcement.

The BadAlloc flaws are embedded in pre-2012 versions of the QNX Real Time Operating System (RTOS), still used by hundreds of millions of internet-enabled products. The list of affected products include cars made by Volkswagen and Ford, heavy machinery and hospital equipment, among other kinds of devices.

Hackers could exploit the flaw to trigger a denial of service (DoS) condition in the affected products or even gain control of highly sensitive systems by executing arbitrary code, according to the US Computer Emergency Readiness Team (US-CERT). Patches are now available for BadAlloc.

Cisco won’t patch critical VPN flaw

Cisco has said that it won’t patch a critical vulnerability in the universal plug-and-play (UPnP) service of several small business virtual private network (VPN) routers because these systems have reached end-of-life.

The zero-day vulnerability, tracked as CVE-2021-34730, is rated a near-maximum 9.8 out of ten on the CVSS threat severity scoring system, suggesting it’s highly exploitable and the effects are particularly severe.

Attackers can exploit the flaw to restart vulnerable devices or execute arbitrary code remotely, posing as the root user on the underlying operating system. The devices affected are the RV110W, RV130, RV130W and RV215W routers.

Because these devices are no longer supported, however, Cisco hasn’t released software updates that address the flaw, nor are there any workarounds that address it.

Microsoft discloses another Windows Print Spooler flaw

Microsoft recently published a security notice this week detailing yet another Print Spooler vulnerability, the latest in a string of flaws found in the Windows component throughout 2021.

Although the bug, tracked as CVE-2021-36958, was only disclosed this month, it was first discovered by researchers in December 2020, well before the controversies surrounding the PrintNightmare bug emerged.

An attacker who successfully exploits the flaw can run arbitrary code with system-level privileges, which would then allow them to install programmes as well as view, change or delete data. Hackers can also create new accounts with full user rights.

Although there are no indications the flaw has been exploited, Microsoft said that a functional exploit code is available.

Fortinet hits out at Rapid7 after firewall bug is disclosed early


The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently


After Rapid7 detailed a flaw in the operating system of Fortinet’s FortiWeb web application firewall, the firm publicly called out the researchers for disclosing the bug before the 90-day disclosure window had elapsed.

FortiWeb is designed to catch both known and unknown exploits targeting protected web applications. An OS command injection flaw in the management interface, tracked as CVE-2021-22123, can allow remote attackers to execute arbitrary commands on the system through the SAML server configuration page.

Following disclosure, Fortinet criticised Rapid7 for violating the terms of their disclosure agreement, according to ZDNet, with the bug revealed before they had an opportunity to develop a patch. Rapid7, however, said it contacted Fortinet several times to work on the issue but didn’t get a response, so followed its own disclosure policy.

Fortinet says version 6.4.1 of FortiWeb, which includes a fix, will be released by the end of August.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.