Security Flaws & Fixes - W/E - 10/18/19

Adobe Patches Bugs Across Acrobat, Other Products (10/14/2019)
Adobe issued multiple fixes for its products to mitigate security vulnerabilities. Updates have been posted by the vendor for Experience Manager, Acrobat and Reader, Experience Manager Forms, and Download Manager.

Cisco Eliminates Critical Flaw in Aironet Access Points Software (10/16/2019)
Cisco squashed a number of bugs in its product lines with the release of more than two dozen advisories. Among the fixes is a patch for a critical unauthorized access bug in Aironet Access Points Software that Cisco recommends applying immediately.

Employ Patches Immediately to Mitigate Holes in Pulse Secure VPN (10/16/2019)
The CERT Coordination Center has advised of at least 10 vulnerabilities in Pulse Secure's SSL VPN, which can allow an unauthenticated remote attacker to compromise the VPN server and connected clients. Pulse Secure released an out-of-band advisory along with software patches for the various affected products on April 24. This addressed a number of vulnerabilities, including a remote code execution with pre-authentication access. This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.

Google Chrome Receives Security Updates (10/14/2019)
Google released Chrome version 77.0.3865.120 for Windows, Mac, and Linux. This update consists of eight security fixes, including four use-after-free vulnerabilities and a cross-origin size leak. Users should immediately update to mitigate risks.

Mozilla Beefs Up Firefox Against Injection Attacks (10/14/2019)
Mozilla added new defenses to Firefox to deflect cyber threats. "To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions... Additionally we added assertions, disallowing the use of 'eval()' and its relatives in system-privileged script contexts," Mozilla said in a blog post.

Nearly 220 Bugs in Oracle Products Neutralized (10/16/2019)
Oracle mitigated 219 vulnerabilities with its Critical Patch Update for October. Issues have been resolved across multiple product lines, including Siebel Applications, WebLogic Server, Solaris, SOA Suite, Java SE, API Gateway, MICROS Relate CRM Software, and more.

Sudo Flaw Exposes Linux Systems Via Root Access (10/15/2019)
Red Hat reported that a flaw was found in the way Sudo implemented running commands with an arbitrary user ID. The bug can enable an attacker to execute commands as the root user even when that access has not been allowed. Sudo is a Linux core command utility. Sudo notified Red Hat of the bug and patched it in version 1.8.28.

Undocumented, Mystery Boxes Expose Vessels, Crew to Possible Cyber Attacks (10/16/2019)
Undocumented systems or devices on ships leave the vessels exposed to cyber attacks, the researchers at Pen Test Partners say. While assessing vessel and platform types across different fleets and operators, the researchers found systems or devices that the crew either did not know existed or had no idea what they were used for. In one case, the team found an undocumented device connected to a ship's main engine. The crew did not know what the device did, its hardware was not labeled, and it had been installed by a third party years prior, but that arrangement with the third party had ended. Pen Test Partners' Andrew Tierney said, "Let that sink in. A vulnerable box that no-one knew about with a direct, remote connection to the main engine." Such vulnerable devices can lead to vessel damage or crew death via an attacker-controlled cyber attack.

VMware Patches Bug in Harbor Container Registry for PCF (10/16/2019)
An update from VMware has been issued to address a broken access control vulnerability affecting Harbor Container Registry for Pivotal Cloud Foundry. This flaw could enable an attacker to gain control of a vulnerable system.

Vulnerable OS in Sophos Cyberoam Firewall Receives Security Update (10/14/2019)
A critical shell injection vulnerability in Sophos Cyberoam Firewall appliances running CyberoamOS version 10.6.6 MR-5 and earlier has been patched, the vendor said in an advisory. The vulnerability can be potentially exploited by sending a malicious request to either the Web Admin or SSL VPN consoles, which would enable an unauthenticated remote attacker to execute arbitrary commands.

WordPress Update Alleviates Holes in Earlier Versions (10/15/2019)
WordPress has been updated to version 5.2.4. Multiple security vulnerabilities existed in prior versions, including a stored cross-site scripting issue and a server-side request forgery.