Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Ghost notifications’ on the NHS COVID-19 app

The latest update to the NHS’ coronavirus contact tracing mobile app has fixed an issue where users were regularly notified that they were subjected to a “potential exposure”, only for the notification to disappear without a trace shortly after.

The messages wouldn’t give any more information and would disappear from users’ notifications centres once they interacted with it. An earlier update added a second notification informing users they were safe, and that it was effectively a false alarm, if applicable, but developers have now scrapped these entirely.

The latest update will also make the app better at approximating distances between users, which allow for more accurate assessments as to whether users should self-isolate.

Critical bug in Nvidia’s DGX A100 server line

Nvidia has patched a critical flaw in its high-performance line of DGX servers which, if exploited successfully, could have allowed an attacker to take control of sensitive data held on the systems.

There were nine patches in total released this week fixing vulnerabilities in the firmware used by the DGX high-performance computing (HPC) units, conventionally deployed in massive enterprises and government organisations. These systems are used for AI tasks, machine learning, and data modelling, among other purposes.

One highly severe bug, tagged CVE-2020-11487, however, won’t receive a patch until the second quarter of 2021. This flaw is tied to a hard-coded RSA 1024 key with weak ciphers, which could lead to potential information disclosure.

100,000 machines still vulnerable to 10/10 SMBGhost exploit

Security researcher Jan Kopriva has estimated that approximately 103,000 machines are vulnerable to the critical SMBGhost vulnerability in the Server Message Block (SMB) protocol discovered in March.

This is despite Microsoft releasing a patch for the wormable remote code execution (RCE) flaw, which could allow hackers to spread malware across machines without any need for user interaction. The wormable flaw, tagged CVE-2020-0796, is ranked as critical and holds a 10 score on the CVSS severity scale. Microsoft deemed it so severe that it received an out-of-band fix outside of the routine Patch Tuesday cycle.

Despite this, Kopriva has accumulated data from Shodan over the last eight months that suggests many businesses still haven’t patched potentially vulnerable systems.

Warning for unpatched Oracle WebLogic server consoles

Dean of Research at the SANS Technology Institute, Johannes Ullrich, has warned that hackers are actively scanning for vulnerable WebLogic systems that were affected by an RCE vulnerability, something that Oracle has since patched.

This flaw, tagged CVE-2020-14882 and rated 9.8 on the CVSS scale, was patched as part of Oracle’s gigantic quarterly ‘critical patch update’ recently, although it doesn’t necessarily mean that businesses have applied the fix. As a result of the activity, detected after setting up a ‘honeypot’, Ullrich has warned IT admins that if they find a vulnerable server in their network they should “assume it has been compromised”.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021
Australia and US sign CLOUD Act data-sharing deal to support criminal investigations
cyber crime

Australia and US sign CLOUD Act data-sharing deal to support criminal investigations

16 Dec 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022