
Weekly threat roundup: VMware, GitHub, Facebook, and MobileIron

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done: security teams are often forced to prioritise among fixes for several business-critical systems that all arrive at once. It has become typical, for example, to see dozens of patches released on Microsoft’s Patch Tuesday, with other vendors routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including a summary of each exploit mechanism and whether the vulnerability is being exploited in the wild, to give teams a sense of which bugs pose the most dangerous immediate risk.

Zero-day flaws in multiple VMware products

VMware has warned customers about a critical command injection flaw in a number of its products, including Workspace One Access and Identity Manager, for which a patch is not currently available.

The vulnerability, tracked as CVE-2020-4006, could allow an attacker to execute commands on the underlying operating system of a vulnerable appliance. Exploitation is not unauthenticated, however: the attacker needs network access to the administrative configurator on port 8443 and a valid password for the configurator admin account. Those two preconditions also tell teams what to check while a fix is pending: who can reach port 8443, and whether the configurator password is strong and not shared.

With a patch still in development, VMware has published a workaround that applies to some of the affected product lines but not all. Potentially affected customers should consult the security advisory and follow the steps it outlines to safeguard their systems.

Facebook Messenger calling bug

Facebook patched a vulnerability in its widely-used Messenger app for Android that could have allowed a remote attacker to call targets and listen to them before they picked up an audio call.

Discovered by Google Project Zero researcher Natalie Silvanovich, the flaw let an attacker logged into the app initiate a call to a target who was signed in on multiple devices and send them a specially crafted message. The target’s device would then start sending audio to the caller while it was still ringing, and would keep doing so until the target answered or the call timed out.

The bug lay in how Messenger handled the WebRTC session-negotiation messages that carry Session Description Protocol (SDP) data, the format used to describe the media session being set up between two endpoints. It has since been fixed.

GitHub patches severe three-month-old flaw

The development platform GitHub has released a fix for a bug that was first reported more than three months ago by Google’s Project Zero security research team.


The flaw, which Google rated as high severity while GitHub considers it moderate, affected Actions, GitHub’s workflow automation tool. Researcher Felix Wilhelm found that the tool was highly susceptible to injection attacks, and GitHub eventually addressed the bug by disabling the affected runner commands (the set-env and add-path workflow commands).

Remarkably, Google first informed GitHub of the flaw in August but held back the details in line with its 90-day disclosure policy. It then granted GitHub a further 14-day grace period to fix the flaw before revealing its existence on 2 November; GitHub’s request for an additional 48 hours was denied and the details were published. The bug was patched on 16 November.
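To make the injection concrete, the following is an added example (not GitHub’s runner code and not taken from the Project Zero report) that simulates how a runner treated workflow commands: any line of a step’s log output of the form ::name key=value::data was interpreted as a command, so attacker-controlled text that reached stdout on its own line could set variables for later steps. The commit message, the payload and the choice of NODE_OPTIONS as a target are constructed for illustration; the second function models the replacement mechanism, a step writing NAME=VALUE lines to the environment file named by GITHUB_ENV.

```python
import re
from typing import Dict, List, Tuple

# A workflow command is a whole line of the form  ::name key=value,key=value::data
COMMAND_RE = re.compile(r"^::(?P<name>[a-z-]+)(?:\s+(?P<props>[^:]*))?::(?P<data>.*)$")

# Constructed step log. The workflow echoes the commit message of the pull request it is
# building; the message body is attacker-controlled and smuggles a command on its own line.
# The payload is hypothetical; NODE_OPTIONS is only an illustrative variable that a later
# Node-based step would honour.
UNTRUSTED_COMMIT_MESSAGE = (
    "Fix typo in README\n"
    "::set-env name=NODE_OPTIONS::--require /tmp/hook.js"
)
STEP_OUTPUT = "Building commit...\n" + UNTRUSTED_COMMIT_MESSAGE + "\nBuild finished.\n"


def parse_commands(output: str) -> List[Tuple[str, Dict[str, str], str]]:
    """Scan step output line by line, the way the runner did, and return
    (name, properties, data) for every workflow command found."""
    found: List[Tuple[str, Dict[str, str], str]] = []
    for line in output.splitlines():
        m = COMMAND_RE.match(line)
        if not m:
            continue
        props: Dict[str, str] = {}
        for item in (m.group("props") or "").split(","):
            key, sep, value = item.partition("=")
            if sep:
                props[key.strip()] = value.strip()
        found.append((m.group("name"), props, m.group("data")))
    return found


def apply_step_output(output: str, env: Dict[str, str], set_env_enabled: bool) -> Dict[str, str]:
    """Apply the commands found in a step's output to a copy of the job environment.
    set_env_enabled=True models the behaviour before the fix; False models the fix,
    where the runner ignores set-env entirely."""
    env = dict(env)
    for name, props, data in parse_commands(output):
        if name == "set-env" and set_env_enabled and "name" in props:
            env[props["name"]] = data
    return env


def apply_env_file(env_file_contents: str, env: Dict[str, str]) -> Dict[str, str]:
    """The replacement mechanism: a step appends NAME=VALUE lines to the file named by
    $GITHUB_ENV. Only content deliberately written to that file is honoured, so text
    that merely appears in the log can no longer set variables."""
    env = dict(env)
    for line in env_file_contents.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            env[key.strip()] = value
    return env


if __name__ == "__main__":
    print("before fix:", apply_step_output(STEP_OUTPUT, {"CI": "true"}, set_env_enabled=True))
    print("after fix: ", apply_step_output(STEP_OUTPUT, {"CI": "true"}, set_env_enabled=False))
    print("env file:  ", apply_env_file("BUILD_MODE=release\n", {"CI": "true"}))
```

The environment file only moves the trust boundary: a workflow that writes untrusted text (a commit message, an issue title) into $GITHUB_ENV recreates the same problem, because a newline in that text introduces a further NAME=VALUE line. Keep untrusted values out of the file, or validate them first.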

Warnings over MobileIron Android vulnerability

The National Cyber Security Centre (NCSC) has warned businesses about a vulnerability that can compromise the networks of UK organisations if successfully exploited.

Tracked as CVE-2020-15505, the remote code execution flaw affects MobileIron Core and Connector, the components that make up the company’s mobile device management (MDM) suite, as well as its Monitor and Reporting Database software.

Although a patch was released in June 2020, organisations that haven’t applied it remain exposed. According to the NCSC, nation-state hackers have been attempting to exploit the vulnerability since a proof-of-concept exploit was published in September.

2FA brute-force bypass flaw in cPanel

The cPanel & WebHost Manager (WHM) web hosting platform contained a vulnerability that could have allowed hackers to effectively bypass the two-factor authentication (2FA) mechanism.

The now-fixed cPanel 2FA security policy allowed users to submit 2FA codes repeatedly without limit, so an attacker who already held a valid password could simply try codes until one was accepted. Credentials were still required to get into any of the 70 million sites hosted on the platform, but the flaw removed the additional layer of security that many users rely on. The fix treats an incorrect 2FA code the same as a failed password attempt, so the platform’s existing protection against password brute-forcing now applies to the second factor as well.
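The mechanism and its fix are easy to show in code. The following is an added example, written for this roundup rather than taken from cPanel, that implements a password-plus-TOTP login and lets an attacker who already holds the password iterate through codes. With strict_2fa=False a wrong code is not counted as a failure, so nothing ever locks the account and the genuine code is still accepted after any number of guesses; with strict_2fa=True a wrong code counts like a wrong password and the account locks after a threshold. The password, TOTP seed, fixed clock and the lockout threshold of five are constructed for the demo; cPanel’s actual threshold is not given on this page.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Constructed demo values: not real credentials, and a fixed clock so runs are repeatable.
DEMO_PASSWORD = "correct horse battery staple"
DEMO_SECRET = b"constructed-demo-totp-seed"
DEMO_TIME = 1_605_000_000
MAX_FAILURES = 5   # assumed lockout threshold for the demo


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class Account:
    def __init__(self, password: str, secret: bytes):
        self.password = password   # plaintext only to keep the demo short; store a hash in practice
        self.secret = secret
        self.failures = 0          # consecutive failures counted toward lockout
        self.locked = False

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True


def login(acct: Account, password: str, code: str, now: int, strict_2fa: bool) -> str:
    """Password then TOTP check. strict_2fa=False models the original behaviour
    (a wrong code is not a counted failure); strict_2fa=True models the fix."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        acct.record_failure()
        return "bad-password"
    if not hmac.compare_digest(code.encode(), totp(acct.secret, now).encode()):
        if strict_2fa:
            acct.record_failure()
        return "bad-code"
    acct.failures = 0
    return "ok"


def brute_force(acct: Account, password: str, now: int, strict_2fa: bool,
                budget: int) -> Tuple[Optional[str], int]:
    """An attacker holding the password tries codes 000000, 000001, ... up to `budget`
    attempts. Returns (code that worked or None, attempts made)."""
    attempts = 0
    for guess in range(budget):
        attempts += 1
        code = f"{guess:06d}"
        result = login(acct, password, code, now, strict_2fa)
        if result == "ok":
            return code, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


def demo(strict_2fa: bool, budget: int = 10_000) -> Dict[str, object]:
    """Run a bounded brute force, then check whether the genuine code still works."""
    acct = Account(DEMO_PASSWORD, DEMO_SECRET)
    found, attempts = brute_force(acct, DEMO_PASSWORD, DEMO_TIME, strict_2fa, budget)
    real_code = totp(DEMO_SECRET, DEMO_TIME)
    real_code_ok = login(acct, DEMO_PASSWORD, real_code, DEMO_TIME, strict_2fa) == "ok"
    return {"found": found, "attempts": attempts, "locked": acct.locked,
            "real_code_still_works": real_code_ok}


if __name__ == "__main__":
    print("original policy:", demo(strict_2fa=False))
    print("fixed policy:   ", demo(strict_2fa=True))
```

The demo caps the run at 10,000 guesses to stay quick; the point is not how many guesses were made but that under the original policy the counter never moves, so an attacker with the password and enough time always gets in, whereas the fixed policy locks the account after five wrong codes exactly as it would after five wrong passwords.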


