Weekly threat roundup: VMware, GitHub, Facebook, and MobileIron
Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Zero-day flaws in multiple VMware products
VMware has warned customers about a critical command injection flaw in a number of its products, including Workspace One Access and Identity Manager, for which a patch is not currently available.
The critical vulnerability, tracked as CVE-2020-4006, could allow hackers to take control of vulnerable machines if successfully exploited. To do so, they would need to be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.
With a patch still in development, VMware has outlined a workaround that can be applied to some product lines, but not all. Potentially affected customers should consult the security advisory and follow the steps outlined to safeguard their systems.
Facebook Messenger calling bug
Facebook patched a vulnerability in its widely used Messenger app for Android that could have allowed a remote attacker to call targets and listen to them before they picked up an audio call.
Discovered by Google’s Project Zero researcher Natalie Silvanovich, the flaw could have granted an attacker logged into the app the ability to initiate a call and send a specially crafted message to targets signed into multiple devices. This would trigger a scenario where, when the device is ringing, the caller would receive audio either until the person being called answers, or the call times out.
The bug lay in the WebRTC framework Session Description Protocol (SDP), which defines a format for the streaming of media between two endpoints, and has since been fixed.
GitHub patches severe three-month-old flaw
The development platform GitHub has released a fix for a bug that was first reported more than three months ago by Google’s Project Zero security research team.
The flaw, which Google rates as high severity but GitHub insists is only moderate severity, affected the developer workflow automation tool known as Actions. The feature was highly susceptible to injection attacks, according to researcher Felix Wilhelm, and GitHub finally addressed the bug by disabling the feature’s runner commands.
Remarkably, Google first informed GitHub of the flaw in August, but held back on publishing details in accordance with its 90-day disclosure policy. Google then granted GitHub a further 14-day grace period in which to fix the flaw, before finally revealing its existence on 2 November. Although GitHub requested an additional 48 hours, this was denied, and the details were published. The bug was subsequently patched on 16 November.
Warnings over MobileIron Android vulnerability
The National Cyber Security Centre (NCSC) has warned businesses about a vulnerability that can compromise the networks of UK organisations if successfully exploited.
Tagged as CVE-2020-15505, the remote code execution flaw affects the MobileIron Core and Connector software, which forms the company’s mobile device management (MDM) suite. It also affected the Monitor and Reporting Database software.
Although a patch was released in June 2020, organisations that haven’t updated their systems might be vulnerable to attack. Nation-state hackers have been attempting to exploit the vulnerability since the publication of a proof-of-concept exploit in September, according to the NCSC.
2FA brute-force bypass flaw on cPanel
The cPanel & WebHost Manager (WHM) web hosting platform contained a vulnerability that could have allowed hackers to effectively bypass the two-factor authentication (2FA) mechanism.
The now-fixed 2FA cPanel Security Policy inadvertently allowed users to repeatedly submit 2FA codes, essentially allowing attackers to bypass the 2FA check using brute force techniques. Although user credentials were required to gain access to the 70 million sites hosted on the platform, the exploit still bypassed a crucial additional layer of security that many users rely on. To fix the situation, incorrect 2FA codes are now treated as the equivalent of a failed password validation attempt.
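To illustrate the mechanism described above, the following is an added Python example (not cPanel's own code): a toy TOTP verifier under the weak policy, which rejects wrong codes without counting them, beside the fixed policy, which folds a wrong code into the same failure counter as a bad password. The MAX_FAILURES threshold, the secret and the clock value are constructed assumptions.

```python
import functools
import hashlib
import hmac
import struct

MAX_FAILURES = 5  # assumed lockout threshold, not cPanel's actual setting

@functools.lru_cache(maxsize=None)
def totp(secret: bytes, window: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for a 30-second window (window = unix_time // 30)."""
    digest = hmac.new(secret, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Account:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0   # one counter shared by password and 2FA checks
        self.locked = False

class WeakPolicy:
    """The flaw: a wrong 2FA code is rejected but never counted."""
    def verify_2fa(self, acct: Account, code: str, now: int) -> bool:
        expected = totp(acct.secret, now // 30)
        return not acct.locked and hmac.compare_digest(code, expected)

class FixedPolicy:
    """The fix: a wrong 2FA code counts like a failed password attempt."""
    def verify_2fa(self, acct: Account, code: str, now: int) -> bool:
        if acct.locked:
            return False
        if hmac.compare_digest(code, totp(acct.secret, now // 30)):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return False

def sweep(policy, acct: Account, now: int):
    """Submit every 6-digit code in order; return (guesses used, accepted)."""
    for n in range(10 ** 6):
        if acct.locked:
            return n, False
        if policy.verify_2fa(acct, f"{n:06d}", now):
            return n + 1, True
    return 10 ** 6, False
```

Running `sweep` against both policies shows the difference: the weak policy accepts once the correct code comes up in the sweep, while the fixed policy locks the account after MAX_FAILURES wrong codes, exactly as it would after that many wrong passwords.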