No one likes the hassle of dealing with patch management or vulnerability management, but it is universally agreed that security breaches are far worse.
Many organizations try to proactively patch and manage vulnerabilities to prevent attackers from gaining any foothold. Google announced this week that it will now push out weekly security updates to Chrome to help make users more secure.
However, pushing out patches and isolating unpatched vulnerabilities can lead to operations issues, so many organizations drag their feet. Tenable’s CEO accused Microsoft of “grossly irresponsible, if not blatantly negligent” responses to vulnerability disclosures that affect popular and important tools such as Azure.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published an analysis of the top 12 vulnerabilities exploited in 2022. Seven of these vulnerabilities were discovered between 2018 and 2021 and remained unpatched!
Some delays will be tolerated or even expected by executives, board members, customers, and other stakeholders, but unpatched vulnerabilities over a year old will most likely be seen as negligence. Organizations need to effectively manage their exposed vulnerabilities or hire a managed service provider (MSP) to help address potential issues before an attacker exploits them and they need to justify their IT practices after an incident response.
Here’s a roundup of the week’s major vulnerabilities that security teams should mitigate or patch.
August 12, 2023
Ford Auto’s TI Wi-Fi Vulnerability
The Internet of Things (IoT) continues to expand and become a threat to connected businesses. Security researchers discovered a software driver buffer overflow vulnerability in the Texas Instruments (TI) chips powering Ford’s SYNC 3 infotainment system available in Ford and Lincoln vehicles. Carefully crafted attacks will be able to perform remote code execution (RCE) and overwrite the memory of the host processor.
Ford notes that the vehicles are safe to drive and that drivers concerned about the vulnerability can turn off the system until patches are available. Owners will need to download the update to a USB stick and perform the patch installation.
While the infotainment system is supposedly firewalled from steering, throttling, and braking, attached devices may not be fully secured against communication via Wi-Fi. Mobile devices connected to the automobile infotainment system may be exposed to RCE attacks seeking to access the device or use it to attack connected networks.
August 11, 2023
DEFCON and Black Hat Vulnerabilities
Security researchers at DEFCON and Black Hat discussed a number of vulnerabilities with significant impact for affected organizations.
Data Centers Can Shut Down Because of Power Management Vulnerabilities
Trellix researchers discovered a series of vulnerabilities in CyberPower’s data center infrastructure management (DCIM) platform and Dataprobe’s iBoot power distribution unit (PDU) tools that can allow attackers to access systems, create back doors, and gain access to other data center devices and systems. As with other carte blanche, attackers can deploy malware at scale or perform espionage, but more dangerously, these power management consoles could be used to simply shut down the data centers entirely.
Other Vulnerability News: Intel, Microsoft, Dell, and VMware
Other vulnerabilities disclosed at DEFCON and Black Hat last week include:
- Private encryption keys hardcoded into Dell’s Storage Integration Tools that can compromise all VMware environments
- A data leakage flaw in Intel chips
- A denial of service vulnerability in Microsoft Defender revealed by SafeBreach researchers
Programmable Logic Controllers at Risk for RCE and DoS Attacks
Security researchers at Microsoft found a set of 15 RCE and denial of services (DoS) attacks present in the programmable logic controllers (PLCs) from over 500 device manufacturers using the CODESYS V3 software development kit. This type of equipment usually lies outside of normal patch management processes, so Microsoft is pushing for extra publicity to help bring this issue to vulnerable organizations. Admins can either disconnect vulnerable PLCs from possible internet connections or upgrade to CODESYS V3 v3.5.19.0.
August 10, 2023
Actively Exploited Barracuda Email Security Gateway Vulnerability
CISA provided an updated analysis of active exploits targeting Barracuda Network’s Email Security Gateway (ESG) appliance first disclosed on May 19, 2023. In June, Mandiant disclosed active exploitation of the zero-day vulnerability (CVE-2023-2868) linked to highly-skilled Chinese attackers that occurred as early as October 10, 2022.
The zero day affected Barracuda’s email security appliance version 5.1.3.001 – 9.2.0.006 and enabled the installation of reverse shells for remote access. CISA provides an analysis report that lists potential indicators of compromise and offers investigations assistance to potential victims through the “report@cisa.gov” email for CISA’s 24/7 Operations Center.
2017 Zyxel Vulnerability Under Active Attack
Fortinet issued an alert about thousands of daily attacks looking to perform a command injection attack on end-of-life Zyxel routers. The vulnerability is nearly six years old, and Zyxel previously issued a security advisory about the Gafgyt malware in 2019 that exploited CVE-2017-18368. However, the recent ramp-up in activity for the Gafgyt malware suggests that many organizations continue to use the vulnerable and unpatched router.
August 8, 2023
74 Patched Vulnerabilities, Including 6 Critical RCE Flaws
On Tuesday, Microsoft patched 74 vulnerabilities in a variety of products, including Microsoft Teams and Microsoft Office. All six critical vulnerabilities enabled RCE, and CVSS rated the flaws between 7.8 and 9.8 in severity. At least one of these vulnerabilities is actively exploited.
Critical Security Update for Adobe Acrobat, Reader, and More
Adobe resolved at least 30 security vulnerabilities in Adobe’s Acrobat and Reader software update for critical, important, and moderate vulnerabilities. Although none of these vulnerabilities appear to be currently exploited, they can lead to denial of service, memory leak, arbitrary code execution, and security feature bypass. Adobe also updated their Commerce and Dimension software.
August 7, 2023
Microsoft Visual Studio Code Flaw Can Lead to Unauthorized Access
Cycode researchers discovered that malicious extensions running in Microsoft’s Visual Studio Code (VS Code) can allow attackers to retrieve authentication tokens stored in Windows, Linux, and macOS credentials managers. APIs and third-party services such as Git or GitHub use these tokens for integration, and token theft can allow attackers to gain access to passwords stored in tokens or to code repositories. So far, Microsoft declines to address this issue, so developers should be very cautious with VS Code extensions.
