Security Flaws & Fixes - W/E - 9/20/19
Advantech Updates WebAccess to Plug Security Holes (09/16/2019)
An advisory from the ICS-CERT reports multiple vulnerabilities in Advantech's WebAccess human machine interface platform. The vendor released version 8.4.2 of WebAccessNode to address the reported vulnerabilities.
An advisory from the ICS-CERT reports multiple vulnerabilities in Advantech's WebAccess human machine interface platform. The vendor released version 8.4.2 of WebAccessNode to address the reported vulnerabilities.
Honeywell Performance IP Cameras and Performance NVRs Leak Data (09/17/2019)
An information exposure bug in Honeywell's Performance IP Cameras and Performance NVRs (network video recorders) has been found and the ICS-CERT issued an advisory. Honeywell released firmware updates to mitigate risks.
An information exposure bug in Honeywell's Performance IP Cameras and Performance NVRs (network video recorders) has been found and the ICS-CERT issued an advisory. Honeywell released firmware updates to mitigate risks.
LastPass Patches Clickjacking Bug (09/16/2019)
Password manager LassPass has fixed a bug in certain browser extensions that could potentially allow an attacker to create a clickjacking scenario. Security researcher Tavis Ormandy with Google's Project Zero reported the vulnerability.
Password manager LassPass has fixed a bug in certain browser extensions that could potentially allow an attacker to create a clickjacking scenario. Security researcher Tavis Ormandy with Google's Project Zero reported the vulnerability.
MITRE Lists 25 Most Dangerous Software Errors (09/17/2019)
MITRE has compiled a list of the Top 25 Most Dangerous Software Errors, the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses can often be easy to find and exploit. They are considered dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working.
MITRE has compiled a list of the Top 25 Most Dangerous Software Errors, the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses can often be easy to find and exploit. They are considered dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working.
Over 120 Bugs Found in IoT Devices from ASUS, Netgear, Lenovo, and Others (09/17/2019)
A team of scientists at Independent Security Evaluators discovered 125 unique vulnerabilities across 13 different small office/home office (SOHO) routers and network-attached storage devices. Products from various vendors including Asus, Lenovo, Seagate, and Netgear were found to contain flaws, which could expose the devices to cyber attacks. "All 13 of the devices we evaluated had at least one Web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device's shell or gain access to the device's administrative panel," the researchers said. The team dubbed this batch of bugs, "SOHOpelessly Broken 2.0," to follow similar evidence they uncovered in 2013.
A team of scientists at Independent Security Evaluators discovered 125 unique vulnerabilities across 13 different small office/home office (SOHO) routers and network-attached storage devices. Products from various vendors including Asus, Lenovo, Seagate, and Netgear were found to contain flaws, which could expose the devices to cyber attacks. "All 13 of the devices we evaluated had at least one Web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device's shell or gain access to the device's administrative panel," the researchers said. The team dubbed this batch of bugs, "SOHOpelessly Broken 2.0," to follow similar evidence they uncovered in 2013.
Philips Advises on Vulnerable Versions of IntelliVue WLAN (09/16/2019)
Philips posted an advisory regarding Versions A and B of the IntelliVue Wireless Local Area Network (WLAN) module available in specific IntelliVue Patient Monitors. The vendor is aware that under certain specific conditions, an unauthorized user with a high skill level and access to the device's local area network, may be able to corrupt the WLAN firmware and impact data flow. Should there be an interruption; an inoperative device alert on the device and on its associated central station would appear. Philips recommends customers update to the WLAN Module Version C wireless module in affected IntelliVue Monitors. WLAN Version C with current firmware of B.00.31 is not vulnerable to the described attack. WLAN Version A will be addressed via software patch by the end of 2019. The Philips WLAN Version B is obsolete.
Philips posted an advisory regarding Versions A and B of the IntelliVue Wireless Local Area Network (WLAN) module available in specific IntelliVue Patient Monitors. The vendor is aware that under certain specific conditions, an unauthorized user with a high skill level and access to the device's local area network, may be able to corrupt the WLAN firmware and impact data flow. Should there be an interruption; an inoperative device alert on the device and on its associated central station would appear. Philips recommends customers update to the WLAN Module Version C wireless module in affected IntelliVue Monitors. WLAN Version C with current firmware of B.00.31 is not vulnerable to the described attack. WLAN Version A will be addressed via software patch by the end of 2019. The Philips WLAN Version B is obsolete.
RCE Found and Resolved in AMD Radeon Driver (09/17/2019)
A remote code execution vulnerability in the ATIDXX64.DLL driver of some AMD Radeon cards could enable an attacker to gain the ability to remotely execute code on the victim machine. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. Cisco's Talos team warned of this bug, which has since been resolved with updates.
A remote code execution vulnerability in the ATIDXX64.DLL driver of some AMD Radeon cards could enable an attacker to gain the ability to remotely execute code on the victim machine. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. Cisco's Talos team warned of this bug, which has since been resolved with updates.
Update CODESYS Systems Now to Mitigate ICS Vulnerabilities (09/16/2019)
Multiple security issues within 3S-Smart Software's CODESYS products can leave industrial control systems exploitable by attackers. It is highly recommended that users review the vendor's advisories which were published in July and visit the software update page to apply the latest versions. The ICS-CERT has also published five advisories to provide further information.
Multiple security issues within 3S-Smart Software's CODESYS products can leave industrial control systems exploitable by attackers. It is highly recommended that users review the vendor's advisories which were published in July and visit the software update page to apply the latest versions. The ICS-CERT has also published five advisories to provide further information.
VMware ESXi and vCenter Server Receive Security Updates (09/17/2019)
VMware vSphere ESXi and vCenter Server are impacted by command injection and information disclosure vulnerabilities, which has resulted in a vendor-issued advisory. Users are instructed to update their versions for risk mitigation.
VMware vSphere ESXi and vCenter Server are impacted by command injection and information disclosure vulnerabilities, which has resulted in a vendor-issued advisory. Users are instructed to update their versions for risk mitigation.