Weekly threat roundup: VMware, GitHub, Facebook, and MobileIron

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams are often forced to prioritise between fixes for several business-critical systems that all land at once. It’s become typical, for example, to expect dozens of patches on Microsoft’s Patch Tuesday, with other vendors routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Zero-day flaw in multiple VMware products

VMware has warned customers about a critical command injection flaw in several of its products, including Workspace ONE Access and Identity Manager, for which no patch was available at the time of writing.

The vulnerability, tracked as CVE-2020-4006, could allow an attacker to execute commands on the underlying operating system and take control of vulnerable machines if successfully exploited. Two preconditions limit its reach: the attacker needs network access to the administrative configurator on port 8443, and a valid password for the configurator admin account. While the patch is pending, restricting which networks can reach port 8443 and confirming the admin password is not shared or weak are the most useful immediate checks.

With a patch still in development, VMware has outlined a workaround that applies to some of the affected product lines but not all. Potentially affected customers should consult the security advisory and follow the steps it gives to safeguard their systems.

Facebook Messenger calling bug

Facebook patched a vulnerability in its widely-used Messenger app for Android that could have allowed a remote attacker to call targets and listen to them before they picked up an audio call.

Discovered by Google Project Zero researcher Natalie Silvanovich, the flaw allowed an attacker who was logged into the app to initiate a call and simultaneously send a specially crafted message to a target who was signed in on multiple devices. The target's device would then begin transmitting audio while it was still ringing, so the caller could listen until the target answered or the call timed out.

The bug lay in Messenger's handling of the WebRTC Session Description Protocol (SDP), which defines how two endpoints describe and negotiate the media they stream to each other. It has since been fixed.

GitHub patches severe three-month-old flaw

The development platform GitHub has released a fix for a bug that was first reported more than three months ago by Google’s Project Zero security research team.

The flaw, rated high severity by Google but only moderate by GitHub, affected the platform's workflow automation tool, GitHub Actions. According to researcher Felix Wilhelm, the feature was highly susceptible to injection attacks, and GitHub finally addressed the bug by disabling the affected runner commands.

Google first informed GitHub of the flaw in August, but held back on publishing details in accordance with its 90-day disclosure policy. It then granted GitHub a further 14-day grace period in which to fix the flaw before revealing its existence on 2 November. GitHub requested an additional 48 hours, which was denied, and the details were published. The bug was subsequently patched on 16 November.
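The injection works because the Actions runner scanned every line a step printed to stdout for "workflow commands" of the form `::command key=value::value`, so any attacker-controlled text that ended up in a log (an issue body, a pull request title, a commit message) could set environment variables or prepend to PATH for every later step. The example below is added here to illustrate that mechanism; it is not GitHub's runner code. The regex is an approximation of the real syntax, and the issue body, the `NODE_OPTIONS` payload and the `/tmp/evil-bin` path are constructed sample data.

```python
import re

# Approximation of the runner's workflow-command syntax, e.g.
#   ::set-env name=FOO::bar        ::add-path::/some/dir
# Illustrative regex, not the runner's own parser.
WORKFLOW_CMD = re.compile(r"^::(?P<cmd>[a-z-]+)(?: (?P<params>[^:]*))?::(?P<value>.*)$")

# Constructed stdout of a workflow step that echoes an attacker-controlled
# issue body. The third and fourth lines are the injected commands.
SAMPLE_STEP_OUTPUT = [
    "Triage: issue #123",
    "Body: Looks like a typo in README",
    "::set-env name=NODE_OPTIONS::--require /tmp/payload.js",
    "::add-path::/tmp/evil-bin",
    "done",
]


def parse_params(raw):
    """Turn 'name=FOO,other=x' into a dict."""
    params = {}
    for part in (raw or "").split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip()] = val.strip()
    return params


def process_step_output(lines, env, disabled=frozenset()):
    """Scan a step's stdout the way the runner did: any line matching the
    workflow-command syntax is executed. Returns (env, ignored_commands)."""
    env = dict(env)
    ignored = []
    for line in lines:
        match = WORKFLOW_CMD.match(line.strip())
        if not match:
            continue
        cmd = match.group("cmd")
        params = parse_params(match.group("params"))
        value = match.group("value")
        if cmd in disabled:
            ignored.append(cmd)  # hardened runner: command no longer honoured
            continue
        if cmd == "set-env" and params.get("name"):
            env[params["name"]] = value             # poisons every later step
        elif cmd == "add-path":
            env["PATH"] = value + ":" + env["PATH"]  # attacker dir searched first
    return env, ignored


def run_vulnerable():
    """Pre-fix behaviour: every command found in stdout is honoured."""
    env, _ = process_step_output(SAMPLE_STEP_OUTPUT, {"PATH": "/usr/bin"})
    return env


def run_hardened():
    """Post-fix behaviour: set-env and add-path are disabled."""
    return process_step_output(SAMPLE_STEP_OUTPUT, {"PATH": "/usr/bin"},
                               disabled=frozenset({"set-env", "add-path"}))


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("hardened:  ", run_hardened())
```

Disabling the commands is only half the lesson for workflow authors: the safe replacement is to write `name=value` lines to the file named by `$GITHUB_ENV` (and paths to `$GITHUB_PATH`) from a step you control, and to treat anything taken from the event payload as untrusted input that should not be echoed raw into logs or shell commands.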

Warnings over MobileIron MDM vulnerability

The National Cyber Security Centre (NCSC) has warned businesses about a vulnerability that can compromise the networks of UK organisations if successfully exploited.

Tagged as CVE-2020-15505, the remote code execution flaw affects the MobileIron Core and Connector software, which form the company’s mobile device management (MDM) suite. It also affected the Monitor and Reporting Database software.

Although a patch was released in June 2020, organisations that have not yet applied it remain exposed. According to the NCSC, nation-state attackers have been attempting to exploit the vulnerability since a proof-of-concept exploit was published in September.

2FA brute-force bypass flaw on cPanel

The cPanel & WebHost Manager (WHM) web hosting platform contained a vulnerability that could have allowed hackers to effectively bypass the two-factor authentication (2FA) mechanism.

The now-fixed cPanel 2FA security policy did not limit how many 2FA codes a session could submit, so an attacker could keep guessing until a code was accepted, bypassing the 2FA check by brute force. Valid user credentials were still required to reach the roughly 70 million sites hosted on the platform, but the flaw defeated a crucial additional layer of security that many users rely on. To fix it, an incorrect 2FA code is now treated as the equivalent of a failed password validation attempt, so repeated wrong codes trigger the same brute-force protection as repeated wrong passwords.
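The following is an added illustration of why counting failed codes matters; it is not cPanel's code. It assumes a fixed six-digit code (real TOTP codes rotate every 30 seconds, which widens the search but does not close it) and a lockout threshold of five failures, both constructed for the example. The same gate is run twice: once with no failure counting, where enumerating the code space succeeds, and once with failed codes counted like failed logins, where the account locks after a handful of guesses.

```python
import hmac

# Constructed secret: a fixed six-digit second-factor code for the demo.
SECRET_CODE = "048213"


class TwoFactorGate:
    """Second-factor check for a session that has already passed the password.

    max_failures=None reproduces the pre-fix behaviour: wrong codes are not
    counted, so the attacker may keep guessing. A number makes wrong codes
    count like failed logins and locks the account once it is reached.
    """

    def __init__(self, expected_code, max_failures=None):
        self.expected_code = expected_code
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, code):
        if self.locked:
            return False
        # Constant-time compare so response timing does not leak matching prefixes.
        if hmac.compare_digest(code, self.expected_code):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def brute_force(gate, space=1_000_000):
    """Enumerate every six-digit code in order. Returns (success, attempts)."""
    for n in range(space):
        attempts = n + 1
        if gate.verify(f"{n:06d}"):
            return True, attempts
        if gate.locked:
            return False, attempts
    return False, space


def demo_unlimited():
    """Pre-fix: no failure counting, the guess eventually lands."""
    return brute_force(TwoFactorGate(SECRET_CODE))


def demo_limited(max_failures=5):
    """Post-fix: wrong codes count as failed logins and lock the account."""
    return brute_force(TwoFactorGate(SECRET_CODE, max_failures=max_failures))


if __name__ == "__main__":
    print("no limit:", demo_unlimited())   # succeeds after 48214 guesses
    print("limit 5: ", demo_limited())     # locked after 5 guesses
```

With no limit a six-digit code falls to at most a million requests, well within reach of a scripted client; with failures counted, the attacker gets a handful of guesses per lockout window, which is the property the cPanel fix restores by feeding wrong codes into the same accounting as wrong passwords.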
