Weekly threat roundup: Microsoft Teams, VMware and QNAP NAS drives

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Wormable’ zero-click RCE flaw in Teams

For a short few months this year, hackers were able to exploit a serious vulnerability in the Microsoft Teams desktop app to execute arbitrary code and spread infection across a company network.

The zero-click flaw could have been triggered by cross-site scripting (XSS) injection in Teams, with hackers able to transmit a specially-crafted malicious message which would execute code when seen. No further user interaction would be required.

This is according to researcher Oskars Vegaris, who reported the flaw to Microsoft in August before it was patched in October. In a technical breakdown of the vulnerability, the researcher highlighted how RCE can be achieved by chaining two flaws, including stored XSS in Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client. Microsoft, however, didn’t issue a CVE tag, given it’s the company’s standard practice not to do so with platforms that update automatically, such as Microsoft Teams.

Russian hackers exploiting VMware flaws

Recently-patched vulnerabilities found in a series of VMware products are being actively exploited by Russian state-backed cyber criminals, according to the US National Security Agency (NSA). These include Workspace One Access, Identity Manager, Access Connector and Identity Manager Connector.

Customers were previously warned about the command injection flaw, reported in a previous threat roundup in November, and the way it could allow hackers to take control of vulnerable machines if successfully exploited. Tagged CVE-2020-4006, allows successful takeover should hackers be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

The NSA has recommended that network administrators limit the accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access. Critical portions of this activity can also be blocked by disabling the firm’s configurator service. This is, of course, outside of applying the necessary patches.

QNP patches several bugs in NAS devices

QNAP has patched a series of high and medium-risk security flaws in its NAS devices, used for backing up data, this week, with the exploitation of these eight vulnerabilities leading to the takeover of a victim’s device.

The command injection and XSS bugs affect all QNAP NAS devices running vulnerable software, and could allow cyber criminals to inject malicious code remotely. Exploiting the command injection flaws, meanwhile, could allow them to escalate user privileges and seize control of the operating system. 

Four XSS vulnerabilities and a command injection flaw were reported to affect earlier versions of QTS and QuTS hero, while hackers could also exploit flaws in Music Station, Multimedia Console and Photo Station.

Four high-severity bugs in Chrome

The latest Google Chrome update fixes a range of security flaws, including four that were classed as highly severe in nature, affecting the Windows, macOS and Linux versions of the widely-used web browser.

Three of these flaws are use-after-free vulnerabilities, with CVE-2020-16037 affecting Chrome’s clipboard function, CVE-2020-16038 affecting the Chrome media component and CVE-2020-16039 affecting the browser extensions element. The fourth, tagged as CVE-2020-16040, is an insufficient data validation bug in the V8 JavaScript engine.

Eight flaws in total were fixed, with six discovered by external researchers, according to cyber security firm ESET. System administrators have also been warned by the US Cybersecurity and Infrastructure Security Agency (CISA) in a security advisory to update their browsers immediately as the flaws can be exploited to take control of targeted systems.

Open source flaws exposing millions of devices

Smart devices from more than 150 vendors are embedded with 33 vulnerabilities that can cause widespread disruption to organisational operations around the world, including healthcare services, manufacturers, and retailers. 

Dubbed Amnesia:33, the flaws could also pose a physical risk to those who purchase these devices. Researchers with Forescout Research found that four of these bugs are critical, with potential for remote code execution in some. Attackers may exploit these flaws to take control of a device and use it as a network entry point, for example, or a pivot point for lateral movement, a persistence point on a target network, or the final target itself.

The Amnesia:33 flaws affect multiple open source TCP/IP stacks not owned by a single vendor, including uIP, FNET, picoTCP and Nut/Net. This means a single flaw may spread silently across multiple codebases, teams, firms, and platforms. This poses a significant challenge to patch management.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

Geico data breach leads to stolen driver’s license numbers
data breaches

Geico data breach leads to stolen driver’s license numbers

21 Apr 2021
UK’s IoT security regulation will also include smartphones
Internet of Things (IoT)

UK’s IoT security regulation will also include smartphones

21 Apr 2021
eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020
phishing

eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020

20 Apr 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
UK exploring plans to launch its own digital currency
digital currency

UK exploring plans to launch its own digital currency

19 Apr 2021