Security Flaws & Fixes - W/E - 7/26/19

Apple's Multiple Updates Fix Security Issues in Product Lines (07/22/2019)
Apple has updated multiple products, including iOS, tvOS, Safari, macOS Mojave, watchOS, and AirPort Base Station firmware. Together the updates fix 48 vulnerabilities, 19 of which are memory-safety bugs affecting iOS, tvOS, Safari, and macOS.

As Clouds Soar, Exposures and Vulnerabilities Abound (07/24/2019)
Palo Alto Networks found more than 34 million vulnerabilities across various cloud service providers, including over 29 million in Amazon Elastic Compute Cloud alone. In its Cloud Threat Report, the vendor found more than 40,000 container systems running under default configurations, nearly 51% of all publicly exposed Docker containers. Sixty-five percent of publicly disclosed cloud security incidents were the result of misconfigurations, and 56% of organizations had at least one Remote Desktop Protocol service exposed to the entire Internet. Finally, the research team found that 28% of organizations were communicating with malicious cryptomining command-and-control domains operated by the threat group Rocke.

BlackBerry Cylance Fixes Bypass Bug in Antivirus Product (07/22/2019)
BlackBerry Cylance issued a fix for CylancePROTECT after researchers at Skylight demonstrated a technique that, in certain circumstances, bypasses one of the product's anti-malware components.

Flawed Automotive Devices Could Put Drivers in Danger (07/22/2019)
In an assessment of connected automotive devices, Kaspersky uncovered a number of vulnerabilities. Among the devices studied was a toolset with four sensors for monitoring tire pressure and temperature. Kaspersky found a way to intercept the signals produced by the sensors and alter the data they carried to compromise the system. At one point, the researchers were able to overheat a vehicle's tires to over 212 degrees Fahrenheit.

IRS Deficiencies Could Put Taxpayer Data at Risk (07/24/2019)
An audit of the Internal Revenue Service's (IRS) controls to safeguard sensitive financial and taxpayer information found weaknesses, according to a report from the Government Accountability Office (GAO). Fourteen new information system security control deficiencies, such as weaknesses in access controls and in procedures to help ensure information systems are operating securely, have been identified.

Johnson Controls' exacqVision Server Requires Upgrade to Deflect Security Flaw (07/22/2019)
A vulnerability in exacqVision Server could allow an unauthenticated user to elevate their privileges. It affects exacqVision Server versions 9.6 and 9.8. The vendor is Exacq Technologies, a subsidiary of Johnson Controls, and users are advised to upgrade to version 19.03. ICS-CERT has posted an advisory with further information.

Mitsubishi Electric Confirms Bug in FR Configurator2 (07/24/2019)
Mitsubishi Electric's FR Configurator2, which is used for configuring Mitsubishi variable frequency drives, contains vulnerabilities that may enable arbitrary files to be read or cause a denial-of-service condition. The vendor has issued an advisory and a workaround version for mitigation purposes.

Palo Alto Reminds Users to Patch RCE Bug in GlobalProtect (07/22/2019)
Palo Alto Networks issued an advisory for a remote code execution vulnerability in the GlobalProtect portal and GlobalProtect Gateway interface products. Although the issue had already been fixed in earlier maintenance releases, researchers published proof-of-concept code after finding that the bug is a straightforward format-string vulnerability reachable without authentication.
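The bug class behind that advisory, as an added illustration that is not GlobalProtect's code or Palo Alto Networks' own: a hypothetical log helper that passes untrusted input straight to a printf-family function as the format string, beside the hardened form that uses a fixed format literal, plus a small check that flags inputs carrying conversion directives. The demo input uses only "%%" so the vulnerable path stays well-defined when run; in a real attack, %x, %s and %n directives are what leak or overwrite memory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical "before" code: untrusted input used as the format string.
 * The pragma silences the compiler's (correct) -Wformat-security warning
 * so the vulnerable path can be built for demonstration. */
#pragma GCC diagnostic ignored "-Wformat-security"
size_t log_vulnerable(const char *untrusted, char *out, size_t outlen)
{
    /* Every '%' directive in the input is interpreted by snprintf. */
    int n = snprintf(out, outlen, untrusted);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened form: the format is a fixed literal, the input is only data. */
size_t log_hardened(const char *untrusted, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s", untrusted);
    return n < 0 ? 0 : (size_t)n;
}

/* Returns 1 if the string contains a conversion directive, i.e. a '%' that is
 * not escaped as "%%". Useful as a reject-on-input check for code paths that
 * cannot be refactored immediately. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
            return 1;
        }
    }
    return 0;
}

/* Returns 1 if the vulnerable and hardened helpers produce different output
 * for the same input, i.e. the input was interpreted as a format string. */
int vulnerable_differs(const char *input)
{
    char vuln[128], safe[128];
    log_vulnerable(input, vuln, sizeof vuln);
    log_hardened(input, safe, sizeof safe);
    return strcmp(vuln, safe) != 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *inputs[] = { "user=alice", "progress=100%%", "user=%x%x%n" };
    char buf[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        log_hardened(inputs[i], buf, sizeof buf);
        printf("%-16s directive=%d differs=%d hardened=\"%s\"\n",
               inputs[i], has_format_directive(inputs[i]),
               has_format_directive(inputs[i]) ? -1 : vulnerable_differs(inputs[i]),
               buf);
    }
    return 0;
}
```

The main() deliberately skips vulnerable_differs() for the "%x%x%n" input, because feeding that through the vulnerable helper is undefined behaviour; the point of has_format_directive() is to catch exactly such input before it reaches a format function.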

Update Needed to Mitigate Bug in NREL EnergyPlus (07/24/2019)
EnergyPlus, an energy simulation program from the National Renewable Energy Laboratory, is vulnerable to a stack-based buffer overflow. ICS-CERT, which posted an advisory, recommends updating the application to the latest available release, v9.0.1 or later.

Updates Available for Arbitrary Code Execution Bug in Oracle Solaris (07/22/2019)
An advisory from the CERT Coordination Center describes an arbitrary code execution vulnerability in Oracle Solaris 11 and Solaris 10. This condition may occur when an attacker has read/write access to /proc/self in the process file system. Oracle has released updates for Solaris 11 and Solaris 10 to address the vulnerability.

VideoLAN Denies Report that VLC Media Player Has RCE Flaw (07/24/2019)
Germany's CERT-Bund security agency reported a critical remote code execution bug in the VLC open-source media player. Developed by the VideoLAN project, VLC media player has over three billion users. VideoLAN released multiple tweets to say that the VLC media player is not vulnerable and "the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped..."