Weekly threat roundup: Cisco, Windows, Google Cloud VMs

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Cisco flaw abused after PoC posted online

Hackers are exploiting a vulnerability in Cisco’s Adaptive Security Appliance (ASA) after researchers published a proof-of-concept (PoC) for successful exploitation online last week.

The vulnerability tracked as CVE-2020-3580 was originally patched in October 2020, alongside CVE-2020-3581 through to CVE-2020-3583. It concerns flaws in the web services interface of Cisco ASA software and Cisco Firepower Threat Defense (FTD) software.

Tenable researchers have detected attackers abusing the flaw to remotely launch cross-site scripting (XSS) attacks a few days after researchers with Positive Technologies published the PoC. As of July 2020, there were 85,000 ASA/FTD devices distributed across the business landscape.

Netgear routers susceptible to takeover

Microsoft researchers have detailed three vulnerabilities affecting Netgear DGN-2200v1 series routers that hackers can exploit to seize control of devices and gain network access.

The three HTTP authentication security flaws, which were patched in December 2020, are considered critical security issues and range on the CVSS threat severity scale from 7.1 to 9.4 out of ten. They affect routers running firmware versions 1.0.0.60 or earlier.

These vulnerabilities allow hackers to access router management pages using an authentication bypass, which could let them gain control over the router and glean credentials that have been saved by launching side-channel attacks.

Microsoft Edge Translator embedded with uXSS flaw

The Microsoft Edge translation tool is embedded with a universal XSS flaw that allows cyber criminals to execute malicious code on a victim’s web browser.

To trigger the exploit, CyberXplore researchers inserted malicious JavaScript into web pages, alongside text in a foreign language. When the tool either automatically translated the text, or was activated through a prompt, the browser re-rendered the page, but failed to render the image tag, which triggered an error event and activated the malicious function.

The vulnerability, which has now been patched, was tracked as CVE-2021-34506 and is classed as moderately severe. The researchers who discovered the flaw, Vansh Devgan and Shivam Kumar Singh, believe a critical designation would be more appropriate, though. This is because they claim it can trigger XSS on any page across the internet.

Alarms raised over Windows print spooler flaw

Researchers have inadvertently endangered Windows users by releasing a PoC exploitation for an unpatched flaw in the Print Spooler component.

Microsoft had initially fixed a flaw as part of its 8 June Patch Tuesday round of updates, tracked as CVE-2021-1675 and referred to then as a Print Spooler bug. Microsoft upgraded the severity of this vulnerability from a privilege escalation to a remote code execution flaw (RCE) on 21 June.

This prompted Sangfor researchers to publish a PoC exploitation for a print spooler RCE bug earlier than expected, having originally planned to discuss their work at the Black Hat conference in August. Their exploit was for an entirely different vulnerability, however, from that which Microsoft fixed in June.

It prompted the researchers to delete their PoC, although the code was downloaded and republished elsewhere. There’s no patch currently available, with Sophos urging users to disable the Print Spooler on vulnerable machines until Microsoft develops a fix.

Bug grants root access to Google Cloud VMs

Researcher Imre Rad has uncovered a flaw that cyber criminals can exploit to gain root access to virtual machines (VMs) running on Google Cloud.

Any prospective attack would abuse a weakness in Google’s Infrastructure as a Service (IaaS) product, known as the Google Compute Engine. The vulnerability lies in the random number generator of the ISC DHCP server used by default.

There are two phases to any potential attack. First, attackers must overload a victim’s VM with DHCP traffic to force it to use a malicious metadata server, instead of an official Google one. Then, once the VM is tied with the malicious server, the attacker can send across their SSH public key and gain root access to the VM.

Although Rad reported the bug to Google, the firm hasn’t yet confirmed whether it’s working on a fix. Until then, he's recommended that users refrain from using DHCP, or that they set up a firewall rule to ensure DHCP communication comes from the specified Google metadata server.