Weekly threat roundup: VMware, GitHub, Facebook, and MobileIron

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Zero-day flaws in multiple VMware products

VMware has warned customers about a critical command injection flaw in a number of its products, including Workspace One Access and Identity Manager, for which a patch is not currently available.

The critical vulnerability, tracked as CVE-2020-4006, could allow hackers to take control of vulnerable machines if successfully exploited. To do so, they would need to be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

With a patch still in development, VMware has outlined a workaround that can be applied to some product lines, but not all. Potentially affected customers should consult the security advisory and follow the steps outlined to safeguard their systems.

Facebook Messenger calling bug

Facebook patched a vulnerability in its widely-used Messenger app for Android that could have allowed a remote attacker to call targets and listen to them before they picked up an audio call.

Discovered by Google’s Project Zero researcher Natalie Silvanovich, the flaw could have granted an attacker logged into the app the ability to initiate a call and send a specially crafted message to targets signed into multiple devices. This would trigger a scenario where, when the device is ringing, the caller would receive audio either until the person being called answers, or the call times out.

The bug lay in the WebRTC framework Session Description Protocol (SDP), which defines a format for the streaming of media between two endpoints, and has since been fixed.

GitHub patches severe three-month-old flaw

The development platform GitHub has released a fix for a bug that was first reported more than three months ago by Google’s Project Zero security research team.

Related Resource

A buyer’s guide to managed detection and response (MDR) services

Simplifying and strengthening your security programme through outsourcing

Download now

The flaw, which Google argues is highly-severe but GitHub insists is moderately-severe, affected the developer workflow automation tool, known as Actions. This was highly susceptible to injection attacks, according to researcher Felix Wilhelm, and GitHub finally addressed the bug by disabling the feature’s runner commends.

Remarkably, Google first informed GitHub of the flaw in August, but held back on publishing details in accordance with its 90-day disclosure policy. Google then granted GitHub a further 14-day grace period in which to fix the flaw, before finally revealing its existence on 2 November. Although GitHub requested an additional 48 hours, this was denied, and the details were published. The bug was subsequently patched on 16 November.

Warnings over MobileIron Android vulnerability

The National Cyber Security Centre (NCSC) has warned businesses about a vulnerability that can compromise the networks of UK organisations if successfully exploited.

Tagged as CVE-2020-15505, the remote code execution flaw affects the MobileIron Core and Connector software, which forms the company’s mobile device management (MDM) suite. It also affected the Monitor and Reporting Database software.

Although a patch was released in June 2020, organisations that haven’t updated their systems might be vulnerable to attack. Nation-state hackers have been attempting to exploit the vulnerability since the publication of a proof-of-concept exploit in September, according to the NCSC.

2FA brute-force bypass flaw on cPanel 

The cPanel & WebHost Manager (WHM) web hosting platform contained a vulnerability that could have allowed hackers to effectively bypass the two-factor authentication (2FA) mechanism.

The now-fixed 2FA cPanel Security Policy inadvertently allowed users to repeatedly submit 2FA codes, essentially allowing attackers to bypass the 2FA check using brute force techniques. Although user credentials were required to gain access to the 70 million sites hosted on the platform, the exploit still bypassed a crucial additional layer of security that many users rely on. To fix the situation, incorrect 2FA codes are now treated as the equivalent of a failed password validation attempt.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021