Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Apple WebKit zero-day under exploitation
Apple has released an emergency patch fixing a zero-day vulnerability in its iOS, iPadOS, and watchOS operating systems, that has been exploited by unidentified hackers.
Tracked as CVE-2021-187, the flaw resides in WebKit, which is an open source browser engine primarily used in the Safari web browser, as well as all iOS web browsers, alongside various other iOS and iPadOS apps.
Hackers were able to exploit the flaw by sending victims a malicious link and executing arbitrary code through a cross-site scripting (XSS) attack, with potential implications including the theft of sensitive data or forcing changes to the appearance of a website.
Apple has rolled out patches for all versions of the iPad Pro, iPad Air 2 and later, the fifth generation of the iPad and later, iPad mini 4 and later, and the seventh generation of the iPod touch. This is in addition to updates released for all Apple Watch products, and all iPhones from iPhone 6s.
VMware patches severe vRealize flaws
Vmware has patched two critical vulnerabilities in its vRealize Operations platform that could allow cyber criminals to infiltrate corporate networks, steal user credentials, and manipulate underlying systems.
This is a platform augmented with artificial intelligence that's capable of managing IT operations in various cloud deployments, allowing admins to monitor, troubleshoot, and manage the health and capacity of virtual IT environments.
The first flaw, tracked as CVE-2021-21975, is rated 8.6 on the CVSS threat severity scale. If exploited, it could allow a malicious actor with network access to the vRealize Operations Manager API to perform a server-side request forgery attack to steal admin credentials.
A second flaw, tracked as CVE-2021-21983, is considered less severe as it requires an attacker to be authenticated in order to successfully exploit. There are fears, however, that it can be chained with the first bug to allow hackers to write files to various locations on the underlying operating system.
OpenSSL fixes major denial of service bug
The most widely-used encryption software library, OpenSSL, has patched a severe flaw that could have allowed hackers to crash a wide number of servers.
The open source cryptography toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, is used across a host of products and platforms, including Linux as well as other software and email clients.
The latest update, OpenSSL 1.1.1k, fixed two severe bugs including CVE-2021-3449, which could have been exploited by hackers to deliberately crash vulnerable web servers or email servers at will, causing a looped denial of service (DoS) situation.
The second flaw, CVE-2021-3450, was a more complex issue that could have allowed security checks to be circumvented when an app would seek out the legitimacy of a TLS certificate.
Netmask flaw allows hackers to bypass server access controls
RELATED RESOURCE
A vulnerability in the networking npm library, netmask, could give hackers the ability to bypass server access controls and launch server-side request forgery attacks, according to research by Sick Codes.
The nine-year-old exploit is considered far-reaching as hundreds of thousands of apps use the package to parse or compare IPv4 addresses and Classless Inter-Domain Routing (CIDR) blocks. The code was downloaded three million times last week alone, with 278,000 GitHub repositories using it.
The issue centres on the way netmask handles mixed-format IP addresses, with the library seeing a different IP address when parsing an address with a prefixed zero. The researchers warned that anyone could submit an address in netmask that looks like a private IP, but then connects to a public IP to download malicious files.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
