Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Ghost notifications’ on the NHS COVID-19 app

The latest update to the NHS’ coronavirus contact tracing mobile app has fixed an issue where users were regularly notified that they were subjected to a “potential exposure”, only for the notification to disappear without a trace shortly after.

The messages wouldn’t give any more information and would disappear from users’ notifications centres once they interacted with it. An earlier update added a second notification informing users they were safe, and that it was effectively a false alarm, if applicable, but developers have now scrapped these entirely.

The latest update will also make the app better at approximating distances between users, which allow for more accurate assessments as to whether users should self-isolate.

Critical bug in Nvidia’s DGX A100 server line

Nvidia has patched a critical flaw in its high-performance line of DGX servers which, if exploited successfully, could have allowed an attacker to take control of sensitive data held on the systems.

There were nine patches in total released this week fixing vulnerabilities in the firmware used by the DGX high-performance computing (HPC) units, conventionally deployed in massive enterprises and government organisations. These systems are used for AI tasks, machine learning, and data modelling, among other purposes.

One highly severe bug, tagged CVE-2020-11487, however, won’t receive a patch until the second quarter of 2021. This flaw is tied to a hard-coded RSA 1024 key with weak ciphers, which could lead to potential information disclosure.

100,000 machines still vulnerable to 10/10 SMBGhost exploit

Security researcher Jan Kopriva has estimated that approximately 103,000 machines are vulnerable to the critical SMBGhost vulnerability in the Server Message Block (SMB) protocol discovered in March.

This is despite Microsoft releasing a patch for the wormable remote code execution (RCE) flaw, which could allow hackers to spread malware across machines without any need for user interaction. The wormable flaw, tagged CVE-2020-0796, is ranked as critical and holds a 10 score on the CVSS severity scale. Microsoft deemed it so severe that it received an out-of-band fix outside of the routine Patch Tuesday cycle.

Despite this, Kopriva has accumulated data from Shodan over the last eight months that suggests many businesses still haven’t patched potentially vulnerable systems.

Warning for unpatched Oracle WebLogic server consoles

Dean of Research at the SANS Technology Institute, Johannes Ullrich, has warned that hackers are actively scanning for vulnerable WebLogic systems that were affected by an RCE vulnerability, something that Oracle has since patched.

This flaw, tagged CVE-2020-14882 and rated 9.8 on the CVSS scale, was patched as part of Oracle’s gigantic quarterly ‘critical patch update’ recently, although it doesn’t necessarily mean that businesses have applied the fix. As a result of the activity, detected after setting up a ‘honeypot’, Ullrich has warned IT admins that if they find a vulnerable server in their network they should “assume it has been compromised”.