Weekly threat roundup: VMware, GitHub, Facebook, and MobileIron

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Zero-day flaws in multiple VMware products

VMware has warned customers about a critical command injection flaw in a number of its products, including Workspace One Access and Identity Manager, for which a patch is not currently available.

The critical vulnerability, tracked as CVE-2020-4006, could allow hackers to take control of vulnerable machines if successfully exploited. To do so, they would need to be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

With a patch still in development, VMware has outlined a workaround that can be applied to some product lines, but not all. Potentially affected customers should consult the security advisory and follow the steps outlined to safeguard their systems.

Facebook Messenger calling bug

Facebook patched a vulnerability in its widely used Messenger app for Android that could have allowed a remote attacker to call targets and listen to them before they picked up an audio call.

Discovered by Google’s Project Zero researcher Natalie Silvanovich, the flaw could have granted an attacker logged into the app the ability to initiate a call and send a specially crafted message to targets signed into multiple devices. This would trigger a scenario where, when the device is ringing, the caller would receive audio either until the person being called answers, or the call times out.

The bug lay in the WebRTC framework Session Description Protocol (SDP), which defines a format for the streaming of media between two endpoints, and has since been fixed.

GitHub patches severe three-month-old flaw

The development platform GitHub has released a fix for a bug that was first reported more than three months ago by Google’s Project Zero security research team.


The flaw, which Google rates as highly severe but GitHub insists is only moderately severe, affected the developer workflow automation tool known as Actions. This was highly susceptible to injection attacks, according to researcher Felix Wilhelm, and GitHub finally addressed the bug by disabling the feature’s runner commands.

Remarkably, Google first informed GitHub of the flaw in August, but held back on publishing details in accordance with its 90-day disclosure policy. Google then granted GitHub a further 14-day grace period in which to fix the flaw, before finally revealing its existence on 2 November. Although GitHub requested an additional 48 hours, this was denied, and the details were published. The bug was subsequently patched on 16 November.

Warnings over MobileIron Android vulnerability

The National Cyber Security Centre (NCSC) has warned businesses about a vulnerability that can compromise the networks of UK organisations if successfully exploited.

Tagged as CVE-2020-15505, the remote code execution flaw affects the MobileIron Core and Connector software, which forms the company’s mobile device management (MDM) suite. It also affected the Monitor and Reporting Database software.

Although a patch was released in June 2020, organisations that haven’t updated their systems might be vulnerable to attack. Nation-state hackers have been attempting to exploit the vulnerability since the publication of a proof-of-concept exploit in September, according to the NCSC.

2FA brute-force bypass flaw on cPanel

The cPanel & WebHost Manager (WHM) web hosting platform contained a vulnerability that could have allowed hackers to effectively bypass the two-factor authentication (2FA) mechanism.

The now-fixed 2FA cPanel Security Policy inadvertently allowed users to repeatedly submit 2FA codes, essentially allowing attackers to bypass the 2FA check using brute force techniques. Although user credentials were required to gain access to the 70 million sites hosted on the platform, the exploit still bypassed a crucial additional layer of security that many users rely on. To fix the situation, incorrect 2FA codes are now treated as the equivalent of a failed password validation attempt.
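To make the cPanel fix concrete, the following is an added example (it is not cPanel's own code) of the two policies side by side: a login service that only counts wrong passwords towards lockout, so 2FA codes can be retried without limit, and the corrected policy that counts a wrong 2FA code exactly like a failed password attempt. The lockout threshold of five, the RFC 6238 TOTP code generator, and the account and service classes are all constructed for this illustration.

```python
"""Added example: why unlimited 2FA retries undermine a six-digit code, and how
counting each wrong code as a failed login closes the gap. Not cPanel's code."""
import hashlib
import hmac
import secrets
import struct
import time

LOCKOUT_THRESHOLD = 5  # constructed policy value, not cPanel's actual setting


def totp(secret, period=30, digits=6, at=None):
    """RFC 6238 TOTP over HMAC-SHA1; used only to produce realistic codes."""
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Constructed account record: salted password hash, TOTP secret, and a
    single failed-attempt counter shared by both login steps."""
    def __init__(self, password, totp_secret):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.failed_attempts = 0

    @property
    def locked(self):
        return self.failed_attempts >= LOCKOUT_THRESHOLD


class LoginService:
    """count_2fa_failures=False reproduces the flaw described above: only wrong
    passwords advance the lockout counter, so 2FA codes can be retried freely.
    count_2fa_failures=True is the corrected policy."""
    def __init__(self, count_2fa_failures):
        self.count_2fa_failures = count_2fa_failures

    def check_password(self, acct, password):
        if acct.locked:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), acct.salt, 100_000)
        if hmac.compare_digest(acct.password_hash, candidate):  # constant-time
            return True
        acct.failed_attempts += 1
        return False

    def check_2fa(self, acct, code, at=None):
        if acct.locked:
            return False
        if hmac.compare_digest(totp(acct.totp_secret, at=at), code):
            acct.failed_attempts = 0  # successful login resets the counter
            return True
        if self.count_2fa_failures:
            acct.failed_attempts += 1  # the fix: wrong code == wrong password
        return False


def wrong_codes_evaluated_before_lockout(service, acct, budget=1000, at=0.0):
    """Submit deliberately wrong codes and count how many the service actually
    evaluates before the account locks. Under the flawed policy the account
    never locks, so the whole budget is consumed."""
    correct = totp(acct.totp_secret, at=at)
    wrong = "000000" if correct != "000000" else "000001"
    evaluated = 0
    for _ in range(budget):
        if acct.locked:
            break
        service.check_2fa(acct, wrong, at=at)
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed TOTP seed
    flawed = LoginService(count_2fa_failures=False)
    fixed = LoginService(count_2fa_failures=True)
    print("flawed policy evaluated:",
          wrong_codes_evaluated_before_lockout(flawed, Account("pw", secret)))
    print("fixed policy evaluated:",
          wrong_codes_evaluated_before_lockout(fixed, Account("pw", secret)))
```

With the flawed policy every wrong code is evaluated, which is what makes a six-digit code enumerable; with the corrected policy the shared counter locks the account after the same number of failures a wrong password would. Sharing one counter across both steps matters because a separate, unenforced 2FA counter would leave the same gap.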
