Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Ghost notifications’ on the NHS COVID-19 app

The latest update to the NHS’ coronavirus contact tracing mobile app has fixed an issue where users were regularly notified that they were subjected to a “potential exposure”, only for the notification to disappear without a trace shortly after.

The messages wouldn’t give any more information and would disappear from users’ notifications centres once they interacted with it. An earlier update added a second notification informing users they were safe, and that it was effectively a false alarm, if applicable, but developers have now scrapped these entirely.

The latest update will also make the app better at approximating distances between users, which allow for more accurate assessments as to whether users should self-isolate.

Critical bug in Nvidia’s DGX A100 server line

Nvidia has patched a critical flaw in its high-performance line of DGX servers which, if exploited successfully, could have allowed an attacker to take control of sensitive data held on the systems.

There were nine patches in total released this week fixing vulnerabilities in the firmware used by the DGX high-performance computing (HPC) units, conventionally deployed in massive enterprises and government organisations. These systems are used for AI tasks, machine learning, and data modelling, among other purposes.

One highly severe bug, tagged CVE-2020-11487, however, won’t receive a patch until the second quarter of 2021. This flaw is tied to a hard-coded RSA 1024 key with weak ciphers, which could lead to potential information disclosure.

100,000 machines still vulnerable to 10/10 SMBGhost exploit

Security researcher Jan Kopriva has estimated that approximately 103,000 machines are vulnerable to the critical SMBGhost vulnerability in the Server Message Block (SMB) protocol discovered in March.

This is despite Microsoft releasing a patch for the wormable remote code execution (RCE) flaw, which could allow hackers to spread malware across machines without any need for user interaction. The wormable flaw, tagged CVE-2020-0796, is ranked as critical and holds a 10 score on the CVSS severity scale. Microsoft deemed it so severe that it received an out-of-band fix outside of the routine Patch Tuesday cycle.

Despite this, Kopriva has accumulated data from Shodan over the last eight months that suggests many businesses still haven’t patched potentially vulnerable systems.

Warning for unpatched Oracle WebLogic server consoles

Dean of Research at the SANS Technology Institute, Johannes Ullrich, has warned that hackers are actively scanning for vulnerable WebLogic systems that were affected by an RCE vulnerability, something that Oracle has since patched.

This flaw, tagged CVE-2020-14882 and rated 9.8 on the CVSS scale, was patched as part of Oracle’s gigantic quarterly ‘critical patch update’ recently, although it doesn’t necessarily mean that businesses have applied the fix. As a result of the activity, detected after setting up a ‘honeypot’, Ullrich has warned IT admins that if they find a vulnerable server in their network they should “assume it has been compromised”.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

IT security awareness and training firm KnowBe4 acquires MediaPRO
Acquisition

IT security awareness and training firm KnowBe4 acquires MediaPRO

3 Mar 2021
High-risk email security threats increased by 32% last year
phishing

High-risk email security threats increased by 32% last year

3 Mar 2021
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

3 Mar 2021
Microsoft Exchange targeted by China-linked hackers
zero-day exploit

Microsoft Exchange targeted by China-linked hackers

3 Mar 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021