Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
SAP exploit grants root access to corporate servers
Hackers can take advantage of a fully-functional exploit that abuses a vulnerability in the SAP Solution Manager. Tracked as CVE-2020-6207, this flaw is a missing authentication check in EEM Manager, a component of the Solution Manager, and is rated a perfect 10/10 on the CVSS threat scale.
Solution Manager is an administrative system used in all SAP environments and centralises the management of all SAP and non-SAP systems within the SAP landscape. By exploiting this flaw, cyber criminals can gain root access to enterprise servers, and access mission-critical applications, business processes and data. They’ll need access to the Solution Manager HTTP(s) port, and can execute the exploit remotely.
Onapsis previously identified this flaw in 2020 and demonstrated at the Black Hat conference how it could be chained with two other flaws to give remote attackers root access. SAP issued a patch for the flaw in March of last year. Onapsis, however, has continued to scan for activity in the wild and have encountered this new exploit published by a Russian researcher on Github.
Unpatched Windows 10 flaw can corrupt your hard drive
Microsoft is working on a fix for a “nasty” vulnerability in Windows 10 that can corrupt users’ hard drives. It can be triggered by opening a specially crafted file name inserted in any folder, according to the Verge, and has apparently existed in Windows for several years.
The vulnerability was flagged by security researcher Jonas L, and corroborated by vulnerability analyst Will Dormann. He suggested the problem seems to have been introduced with Windows 10 version 1803, and that he had reported a similar issue to Microsoft almost two years ago.
The flaw poses a security risk, given it’s possible for an attacker to hide a specially crafted line inside a ZIP folder, for instance, or even a shortcut. When this specific path is opened, the vulnerability will present a message claiming that your hard drive is corrupted. Microsoft confirmed to the Verge that a fix for this bug will be published in a future Windows update.
Flaws in DNS software can be chained to devastating effect
Seven vulnerabilities have been discovered in DNSMasq, software used for domain name system (DNS) caching and IP address assignment, which can be exploited by attackers to mount DNS spoofing attacks, or compromise networking devices.
Researchers with JSOF have found three bugs that allow DNS spoofing and four buffer overflow flaws, the worst of which can lead to the execution of arbitrary code remotely on a vulnerable device. The vulnerable DNSMasq software is used in Cisco routers, Android phones, Aruba devices, as well as systems built by Technicolor, Red Hat, Siemens, Ubiquiti networks, Comcast, and others.
While each of these vulnerabilities has a limited impact in isolation, the researchers found that these can be combined in chained in certain ways to build extremely effective multi-staged attacks. While there are several minor workarounds available, the only full mitigation is for manufacturers to update DNSMasq to version 2.83 or above.
RCE exploit fixed in Google Chrome
Google has released a Chrome browser update addressing a number of flaws including a critical vulnerability tracked as CVE-2021-21117. This is the most severe of the 36 fixes and centres on ‘insufficient policy enforcement in Cryptohome’.
This bug can be successfully exploited by an attacker to execute arbitrary code remotely. Attackers would be able to view, change, or delete data depending on the privileges associated with the browser, meaning it can be partially mitigated if the application is configured with weaker administrative rights.
These 36 security fixes have been bundled with version 88.0.4324.96 of Chrome, which also includes a tool which users can deploy to check whether their passwords should be strengthened. The feature makes it easier to fix weaker passwords by scanning various combinations held in the Chrome password manager and highlighting the weakest links.
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
"Thinly spread": Questions raised over UK government’s latest cyber funding schemeThe funding will go towards bolstering cyber skills, though some industry experts have questioned the size of the price tag
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
