Weekly threat roundup: Solarwinds, HPE, and PostgreSQL

Graphic showing a red unlocked padlock surrounded by blue locked padlocks
(Image credit: Shutterstock)

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

SolarWinds backdoor hits 18,000 and counting

Deemed one of the most serious security incidents of the year, this week we learned a flaw in SolarWinds Orion Platform paved the way for state-backed hackers to infiltrate the networks of thousands of organisations.

This was a targeted and precise supply chain cyber attack in which suspected Russian attackers compromised versions of the security platform released between March and June 2020, embedding it with malware known as Solorigate. More than 18,000 organisations have been affected, according to SolarWinds, including critical US government agencies and major firms companies, including FireEye.

SolarWinds has released a patch for the Orion Platform, and encourages its customers to immediately apply it, although for many it’s too little too late as a host of their devices have already been compromised. The US Cybersecurity and Infrastructure Security Agency (CISA) warned US government departments to immediately disconnect all devices fitted with the SolarWinds software upon confirming the attack. Closer to home, the UK’s National Cyber Security Centre (NCSC) has also issued comprehensive guidance for businesses.

HPE discloses zero-day in server software

A critical vulnerability in the HPE Systems Insight Manager (SIM) could allow attackers with no user privileges to conduct remote code execution on targeted systems.

Tagged CVE-2020-7200, the flaw is deemed to be extremely serious as it can be exploited without the need for user interaction, and, as such, has been rated 9.8 on the CVSS severity scale. Although HPE has released details of the flaw, it’s not known as to whether this has been exploited in the wild.

The vulnerability affects SIM version 7.6, and while no patch is currently yet available, HPE has released mitigation information for those running the software on Windows systems, as part of a security advisory. A complete fix will be developed and released in a future release of the SIM software.

Flaws in Go's XML parser

The Go open source programming language is embedded with three critical vulnerabilities within its XML parser that could allow cyber criminals to completely bypass authentication mechanisms used by many popular web apps.

Discovered by cloud collaboration provider Mattermost, the three flaws centre on the way Go processes XL documents over multiple parsing rounds, allowing attackers to use specific XML markup language to trick systems. Go itself is a programming language designed at Google, and is mostly used for backend systems, such as servers and network-related apps.

There are several implications of these flaws, with the most serious being that hackers may be able to bypass the web-based Security Assertion Markup Language (SAML) single sign-on (SSO) standard, used by many web-based apps.

Passing XML through Go’s decoder and encoder doesn’t preserve its semantics, and in many cases can be tampered with by attackers injecting malicious markups to a correctly signed SAML message, according to Mattermost’s product security engineer, Juho Nurminen. SAML messages can therefore be altered in some cases to suggest you’re somebody that you’re not, resulting in arbitrary privilege escalation or even bypassing authentication hurdles entirely.

Hackers deploy PGMiner botnet to attack Linux systems

Cyber criminals have deployed a botnet to target PostgreSQL databases to mine cryptocurrency, according to research by Palo Alto Networks.

The PGMiner botnet performs brute force attacks against PostgreSQL databases that are accessible through the internet, exploiting a disputed remote code execution vulnerability to mine Monero. PostgreSQL is considered one of the world’s most popular and reliable open source databases, backed by more than 20 years of community development.

The inbuilt feature under exploitation is ‘copy from programme’, which was introduced in PostgreSQL version 9.3 in 2013. This feature has been tied with CVE-2019-9193, although members of the database community have claimed it was incorrectly labelled as a security vulnerability.

Nevertheless, the researchers have publicly disclosed its findings on PGMiner, and have described it as the first cryptocurrency mining botnet delivered through PostgreSQL, with attackers weaponising not only confirmed flaws but disrupted ones too.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.