Weekly threat roundup: Solarwinds, HPE, and PostgreSQL

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism and whether the vulnerability is being exploited in the wild. The aim is to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

SolarWinds backdoor hits 18,000 and counting

In what has been deemed one of the most serious security incidents of the year, this week we learned that a flaw in the SolarWinds Orion Platform paved the way for state-backed hackers to infiltrate the networks of thousands of organisations.

This was a targeted and precise supply chain cyber attack in which suspected Russian attackers compromised versions of the security platform released between March and June 2020, embedding it with malware known as Solorigate. More than 18,000 organisations have been affected, according to SolarWinds, including critical US government agencies and major companies, including FireEye.

SolarWinds has released a patch for the Orion Platform, and encourages its customers to immediately apply it, although for many it’s too little too late as a host of their devices have already been compromised. The US Cybersecurity and Infrastructure Security Agency (CISA) warned US government departments to immediately disconnect all devices fitted with the SolarWinds software upon confirming the attack. Closer to home, the UK’s National Cyber Security Centre (NCSC) has also issued comprehensive guidance for businesses.

HPE discloses zero-day in server software

A critical vulnerability in the HPE Systems Insight Manager (SIM) could allow attackers with no user privileges to conduct remote code execution on targeted systems.

Tagged CVE-2020-7200, the flaw is deemed to be extremely serious as it can be exploited without the need for user interaction, and, as such, has been rated 9.8 on the CVSS severity scale. Although HPE has released details of the flaw, it’s not known as to whether this has been exploited in the wild.

The vulnerability affects SIM version 7.6, and while no patch is yet available, HPE has released mitigation information for those running the software on Windows systems as part of a security advisory. A complete fix will be developed and shipped in a future release of the SIM software.

Flaws in Go's XML parser

The Go open source programming language is embedded with three critical vulnerabilities within its XML parser that could allow cyber criminals to completely bypass authentication mechanisms used by many popular web apps.

Discovered by cloud collaboration provider Mattermost, the three flaws centre on the way Go processes XML documents over multiple parsing rounds, allowing attackers to use crafted XML markup to trick systems. Go itself is a programming language designed at Google, and is mostly used for backend systems, such as servers and network-related apps.

There are several implications of these flaws, with the most serious being that hackers may be able to bypass the web-based Security Assertion Markup Language (SAML) single sign-on (SSO) standard, used by many web-based apps.

Passing XML through Go’s decoder and encoder doesn’t preserve its semantics, and in many cases the output can be tampered with by attackers injecting malicious markup into a correctly signed SAML message, according to Mattermost’s product security engineer, Juho Nurminen. SAML messages can therefore be altered in some cases to suggest you’re somebody you’re not, resulting in arbitrary privilege escalation or even bypassing authentication hurdles entirely.

Hackers deploy PGMiner botnet to attack Linux systems

Cyber criminals have deployed a botnet to target PostgreSQL databases to mine cryptocurrency, according to research by Palo Alto Networks.

The PGMiner botnet performs brute force attacks against PostgreSQL databases that are accessible through the internet, exploiting a disputed remote code execution vulnerability to mine Monero. PostgreSQL is considered one of the world’s most popular and reliable open source databases, backed by more than 20 years of community development.

The inbuilt feature under exploitation is ‘COPY FROM PROGRAM’, which was introduced in PostgreSQL version 9.3 in 2013. This feature has been tied to CVE-2019-9193, although members of the database community have claimed it was incorrectly labelled as a security vulnerability.

Nevertheless, the researchers have publicly disclosed their findings on PGMiner, and have described it as the first cryptocurrency mining botnet delivered through PostgreSQL, with attackers weaponising not only confirmed flaws but disputed ones too.
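The privilege PGMiner relies on can be audited from inside the database. The queries below are an added example, not taken from the Palo Alto Networks research or from this article, and assume PostgreSQL 11 or later, where server-side COPY FROM PROGRAM is available to superusers and to members of the built-in pg_execute_server_program role; the role name app_user is a placeholder.

```sql
-- Added example: list every login role that can run COPY ... FROM PROGRAM,
-- i.e. superusers and members (direct or inherited) of pg_execute_server_program.
-- Assumes PostgreSQL 11+, where that predefined role exists.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS server_program_member,
       r.rolvaliduntil
FROM   pg_roles r
WHERE  r.rolcanlogin
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER  BY r.rolname;

-- Application accounts rarely need to execute OS commands; remove the grant
-- from any role that appears above unexpectedly (app_user is a placeholder).
REVOKE pg_execute_server_program FROM app_user;

-- A password-authenticated listener reachable from the internet is what the
-- botnet brute-forces: confirm where the server listens and how passwords
-- are stored, then review pg_hba.conf for overly broad (e.g. 0.0.0.0/0) entries.
SHOW listen_addresses;
SHOW password_encryption;  -- scram-sha-256 resists offline cracking far better than md5
```

Superusers always report true for pg_has_role, so the first query surfaces them alongside explicit role members; a brute-forced login that lands on a row of this result is the precondition for the COPY FROM PROGRAM step described above.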
