Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Chain-split flaw found in the Ethereum project
The maintainers of the Ethereum blockchain project are urging Go developers who are using “go-ethereum”, also known as Geth, to apply a fix to a severe vulnerability that can cause corruption in the service.
Geth is the official Golang implementation of the Ethereum protocol. It’s currently embedded with a flaw tracked as CVE-2021-39137 that can undermine the integrity of the blockchain and potentially lead to a massive outage.
The exact attack mechanism hasn’t yet been disclosed so node operators and downstream projects have enough time to apply the update, according to Ethereum’s team lead, Péter Szilágyi. However, generally speaking, the bug can cause a chain split, meaning vulnerable Geth instances would reject canonical chains.
Razer flaw allows Windows takeover through a mouse
A security researcher has discovered a flaw that lets anyone with Razer peripherals like a USB mouse gain administrative rights on a Windows machine.
The researcher, known as Jonhat, outlined on Twitter how plugging in a Razer USB peripheral lets users gain admin privileges. This is because of a quirk in the Windows Update tool that installs and runs the Razer Synapse software as a system-level user, by default.
During the installation process, the installer asks the user to choose a directory to install Synapse. Due to the fact it’s run as a system-level user, anyone can press Shift and right-click an empty area to open PowerShell with full admin privileges. Razer later contacted the researcher and said its security team is working on a fix as soon as possible.
Cisco patches critical flaw in APIC interface for switches
RELATED RESOURCE
The top three IT pains of the new reality and how to solve them
Driving more resiliency with unified operations and service management
Cisco has issued a patch to fix a critical security flaw embedded in the Application Policy Infrastructure Controller (APIC) interface used in its Nexus 9000 Series switches.
APIC is a centralised controller that automates network provisioning and control based on application requirements and policies.
Tracked as CVE-2021-1577 and rated 9.1 out of ten on the CVSS threat severity scale, the bug is due to improper access control, which can allow a remote attacker to upload files. The flaw can be potentially abused to read or write arbitrary files onto a vulnerable system.
Atlassian warns of a critical Confluence flaw
Atlassian has disclosed a vulnerability in its Confluence Server and Confluence Data Center products that can allow an unauthenticated attacker to execute arbitrary code on either of the affected platforms.
Confluence is a workplace collaboration platform that allows a team to work together remotely on projects or ideas. Confluence Cloud, which is hosted on the public cloud, isn’t affected by the flaw, rather, it’s the on-premises versions of the product that are susceptible to exploitation.
The flaw is tracked as CVE-2021-26084 and is rated 9.8 out of ten on the CVSS threat severity scale. Atlassian hasn’t revealed precise exploit mechanisms, beyond describing the vulnerability as a Confluence Server Webwork OGNL injection.
-
CISA issues alert as China-linked hackers exploit Brickstorm malware to target VMware serversNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
Atlassian launches new ChatGPT connector feature for Jira and ConfluenceNews The company says the new features will make it easier to summarize updates, surface insights, and act on information in Jira and Confluence
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
