Weekly threat roundup: macOS, VMware and SolarWinds

Graphic showing a red unlocked padlock surrounded by blue locked padlocks
(Image credit: Shutterstock)

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

57 bugs patched in macOS Big Sur 11.2

Apple has rectified several dozen security vulnerabilities in its latest macOS release, including a number of serious flaws that could allow an attacker to elevate system privileges on a targeted device.

One flaw in the Crash Reporter app - tracked as CVE-2021-1787 - for example, could allow an attacker to do precisely that. A vulnerability in the Director Utility, meanwhile, could let a malicious application access private information. This is tagged CVE-2020-27937. Another highlight is CVE-2021-1761, which is a bug in Analytics which could allow a remote attacker to cause a denial of service attack.

Users have been urged to download the update immediately, although they’ll have to ensure at least 3.66GB of space is available to do so, according to LifeHacker.

VMware ESXi flaws abused in the wild

Researchers have warned of two VMware ESXi hypervisor flaws that ransomware groups are actively using to encrypt virtual hard drives.

Tagged CVE-2019-5544 and CVE-2020-3992, these vulnerabilities allow multiple virtual machines (VMs) to share the same storage hardware. They lie in the service layer protocol (SLP), which allows computers and other devices to find services in a local area network without having to configure anything beforehand.

The flaws aren’t new, and those behind the RansomExx ransomware strain have been launching attacks since October 2020, according to reports. Hackers who’ve sent malicious SLP requests to an ESXi device have then been able to gain access to devices on a corporate network to compromise other ESMXi VMs and encrypt virtual hard drives.

DDoS attacks targeting Plex Media SSDP

Flaws in the widely-used Plex Media Server, a personal media library and steam system, could lead to reflection/amplification distributed denial of service (DDoS) attacks if successfully exploited, according to research by NETSCOUT Arbor.

Upon startup, Plex probes the local network using the G’Day Mate (GDM) network/service discovery protocol to find other compatible media devices. It also uses SSDP probes to find UPnP gateways on broadband routers which have SSDP enabled. When successful, this has the effect of exposing a Plex UPnP-enabled service registration responder to the web, where it can be abused to generate reflection/amplification DDoS attacks.

Observed attacks range in size from roughly 2Gbps to 3Gbps, which is enough to have a significant negative impact on the availability of targeted networks or services. Network operators should perform reconnaissance to identify abusable Pled Media SSDP reflectors/amplifiers on their networks, and the networks of their customers.

Flaw found in Libgrcrypt Encryption Library

Businesses using GNU Privacy Guard’s (GnuPG’s) Libgcrypt encryption software have been urged to update the platform due to a severe vulnerability that can pave the way for a remote code execution attack.

This piece of software is an open source cryptographic repository that can be used by developers to encrypt and sign data and communications. It essentially provides functions for all fundamental cryptographic building blocks.

Hackers can exploit a heap buffer overflow vulnerability in version 1.9.0 of Libgrcrypt, however, by simply decrypting some data. This will overflow a heap buffer with attacker-controlled data, and allow an attacker to compromise the system, according to Google’s Project Zero researcher Tavis Ormandy, who discovered the flaw.

Three fresh flaws in SolarWinds products

Researchers have discovered new flaws embedded in SolarWinds products, including two in the Orion Platform that was at the heart of the infamous supply chain attack of 2020 and one in Serv-U FTP for Windows.

These flaws, which haven’t yet been exploited in the wild, are severe bugs that demand urgent patching because they can let attackers steal information from a network or gain admin-level privileges. This is according to researchers with Trustwave SpiderLabs.

The most severe flaw, found in the Orion Platform, is tracked as CVE-2021-25274 and centres on improper use of Microsoft Messaging Queue (MSQ). This can allow a remote unprivileged user to execute arbitrary code as if they had the highest privileges. Another flaw in Serv-U FTP can allow any user, regardless of privilege to define a new Serv-U FTP admin account with access to the C:\ drive by simply creating a file.

All three were fixed in January with the release of ‘Orion Platform 2020.2.4’ and ‘ServU-FTP 15.2.2 Hotfix 1 Patch’.

Hackers attempt to exploit SonicWall zero-day

Cyber criminals are trying to exploit a zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 100 devices first flagged publicly last month, according to researchers with the NCC Group.

The company previously admitted it was attacked by criminals exploiting zero-day vulnerabilities in its remote access products, with an initial investigation suggesting its NetExtender VPN client and SMB-oriented SAM 100 Series products were vulnerable.

NCC Group now claims it’s detected attempts to abuse a concrete exploit in the wild, while SonicWall has confirmed all SMA 100 devices with 10.x firmware are vulnerable. The physical appliances affected include SMA 200, SMA 210, SMA 400, SMA 410 while virtual appliances include SMA 500v ((Azure, AWS, ESXi, HyperV). Users can download a patch by following SonicWall guidance.

Linux malware targeting high-performance computers (HPCs)

High-performance computing clusters run by university networks as well as servers tied with government agencies are being targeted by hackers exploiting a backdoor that lets them execute arbitrary code remotely.

Kobalos, uncovered by researchers with ESET, is a generic backdoor that contains broad commands that don’t actually reveal the intent of the attackers. It grants remote access to a file system, provides the ability to spawn terminal sessions and allows proxying connections to other infected servers.

This strain is capable of compromising systems running Linux, FreeBSD, Solaris, as well as AIX and Windows machines too. Other victims also include an endpoint security vendor and a large internet service provider.

Strikingly, any compromised server can be turned into a command and control centre for the malware, with the code embedded into the malware. Most hosts compromised by Kobalos also had an OpenSSH credential stealer installed, which might suggest how the strain spreads between networks and systems.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.