Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Ghost notifications’ on the NHS COVID-19 app

The latest update to the NHS’ coronavirus contact tracing mobile app has fixed an issue where users were regularly notified that they were subjected to a “potential exposure”, only for the notification to disappear without a trace shortly after.

The messages wouldn’t give any more information and would disappear from users’ notifications centres once they interacted with it. An earlier update added a second notification informing users they were safe, and that it was effectively a false alarm, if applicable, but developers have now scrapped these entirely.

The latest update will also make the app better at approximating distances between users, which allow for more accurate assessments as to whether users should self-isolate.

Critical bug in Nvidia’s DGX A100 server line

Nvidia has patched a critical flaw in its high-performance line of DGX servers which, if exploited successfully, could have allowed an attacker to take control of sensitive data held on the systems.

There were nine patches in total released this week fixing vulnerabilities in the firmware used by the DGX high-performance computing (HPC) units, conventionally deployed in massive enterprises and government organisations. These systems are used for AI tasks, machine learning, and data modelling, among other purposes.

One highly severe bug, tagged CVE-2020-11487, however, won’t receive a patch until the second quarter of 2021. This flaw is tied to a hard-coded RSA 1024 key with weak ciphers, which could lead to potential information disclosure.

100,000 machines still vulnerable to 10/10 SMBGhost exploit

Security researcher Jan Kopriva has estimated that approximately 103,000 machines are vulnerable to the critical SMBGhost vulnerability in the Server Message Block (SMB) protocol discovered in March.

This is despite Microsoft releasing a patch for the wormable remote code execution (RCE) flaw, which could allow hackers to spread malware across machines without any need for user interaction. The wormable flaw, tagged CVE-2020-0796, is ranked as critical and holds a 10 score on the CVSS severity scale. Microsoft deemed it so severe that it received an out-of-band fix outside of the routine Patch Tuesday cycle.

Despite this, Kopriva has accumulated data from Shodan over the last eight months that suggests many businesses still haven’t patched potentially vulnerable systems.

Warning for unpatched Oracle WebLogic server consoles

Dean of Research at the SANS Technology Institute, Johannes Ullrich, has warned that hackers are actively scanning for vulnerable WebLogic systems that were affected by an RCE vulnerability, something that Oracle has since patched.

This flaw, tagged CVE-2020-14882 and rated 9.8 on the CVSS scale, was patched as part of Oracle’s gigantic quarterly ‘critical patch update’ recently, although it doesn’t necessarily mean that businesses have applied the fix. As a result of the activity, detected after setting up a ‘honeypot’, Ullrich has warned IT admins that if they find a vulnerable server in their network they should “assume it has been compromised”.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

What are biometrics?
Security

What are biometrics?

27 Nov 2020
Black Friday's best antivirus deals
Security

Black Friday's best antivirus deals

27 Nov 2020
Veritas Access Appliance with IBM Spectrum® Protect
Server & storage

Veritas Access Appliance with IBM Spectrum® Protect

27 Nov 2020
Ransomware protection with Veritas NetBackup Appliances
Security

Ransomware protection with Veritas NetBackup Appliances

27 Nov 2020

Most Popular

46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020
macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
Huawei Mate 40 Pro 5G review: A tragically brilliant Mate
Mobile Phones

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate

26 Nov 2020