Weekly threat roundup: Solarwinds, HPE, and PostgreSQL

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

SolarWinds backdoor hits 18,000 and counting

Deemed one of the most serious security incidents of the year, this week we learned a flaw in SolarWinds Orion Platform paved the way for state-backed hackers to infiltrate the networks of thousands of organisations.

This was a targeted and precise supply chain cyber attack in which suspected Russian attackers compromised versions of the security platform released between March and June 2020, embedding them with malware known as Solorigate. More than 18,000 organisations have been affected, according to SolarWinds, including critical US government agencies and major companies such as FireEye.

SolarWinds has released a patch for the Orion Platform, and encourages its customers to immediately apply it, although for many it’s too little too late as a host of their devices have already been compromised. The US Cybersecurity and Infrastructure Security Agency (CISA) warned US government departments to immediately disconnect all devices fitted with the SolarWinds software upon confirming the attack. Closer to home, the UK’s National Cyber Security Centre (NCSC) has also issued comprehensive guidance for businesses.

HPE discloses zero-day in server software

A critical vulnerability in the HPE Systems Insight Manager (SIM) could allow attackers with no user privileges to conduct remote code execution on targeted systems.

Tagged CVE-2020-7200, the flaw is deemed extremely serious because it can be exploited without any user interaction, and, as such, has been rated 9.8 on the CVSS severity scale. Although HPE has released details of the flaw, it's not known whether it has been exploited in the wild.

The vulnerability affects SIM version 7.6, and while no patch is yet available, HPE has released mitigation information for those running the software on Windows systems as part of a security advisory. A complete fix will be developed and shipped in a future version of the SIM software.

Flaws in Go's XML parser

The Go open source programming language is embedded with three critical vulnerabilities within its XML parser that could allow cyber criminals to completely bypass authentication mechanisms used by many popular web apps.

Discovered by cloud collaboration provider Mattermost, the three flaws centre on the way Go processes XML documents over multiple parsing rounds, allowing attackers to use specially crafted XML markup to trick systems. Go itself is a programming language designed at Google, and is mostly used for backend systems, such as servers and network-related apps.

There are several implications of these flaws, with the most serious being that hackers may be able to bypass the web-based Security Assertion Markup Language (SAML) single sign-on (SSO) standard, used by many web-based apps.

Passing XML through Go's decoder and encoder doesn't preserve its semantics, and in many cases attackers can tamper with a correctly signed SAML message by injecting malicious markup into it, according to Mattermost's product security engineer, Juho Nurminen. SAML messages can therefore be altered in some cases to assert an identity that isn't yours, resulting in arbitrary privilege escalation or even a complete bypass of authentication.
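The round-trip instability described above can be checked for directly. The following is an added example written for this roundup, not code from Mattermost or from the Go project: it pushes a document through Go's standard encoding/xml decoder and encoder token by token and reports whether the bytes survive unchanged. The two sample documents are constructed for the example; the function and constant names are the author's own.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
)

// Constructed sample inputs (not from any real SAML exchange).
// PlainDoc has no namespace prefixes and is expected to survive a round trip.
// PrefixedDoc uses an element prefix, which Go's token model does not retain,
// so the re-encoded form is expected to differ from the original bytes.
const (
	PlainDoc    = `<a><b>x</b></a>`
	PrefixedDoc = `<a:x xmlns:a="urn:example"></a:x>`
)

// reencode decodes doc with encoding/xml and immediately re-encodes every
// token, returning the serialisation a downstream consumer would see.
func reencode(doc []byte) ([]byte, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var out bytes.Buffer
	enc := xml.NewEncoder(&out)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if err := enc.EncodeToken(tok); err != nil {
			return nil, err
		}
	}
	if err := enc.Flush(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// RoundTripStable reports whether decoding and re-encoding leaves the
// document byte-for-byte identical. A false result means the bytes a
// signature verifier checked and the bytes a consumer re-serialises can
// diverge, which is the precondition for the tampering the article
// describes. The re-encoded form is returned so callers can log the delta.
func RoundTripStable(doc []byte) (bool, []byte, error) {
	re, err := reencode(doc)
	if err != nil {
		return false, nil, err
	}
	return bytes.Equal(doc, re), re, nil
}

func main() {
	for _, doc := range []string{PlainDoc, PrefixedDoc} {
		stable, re, err := RoundTripStable([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("input:  %s\noutput: %s\nstable: %v\n\n", doc, re, stable)
	}
}
```

The defensive use of such a check is narrow but practical: verify a SAML signature over the exact bytes received, never over a re-serialised copy, and treat a document that does not round-trip cleanly as suspect rather than trying to normalise it. It is a guard around the parser, not a fix for the parser itself; the underlying behaviour is only resolved by running a Go release that contains the upstream fixes.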

Hackers deploy PGMiner botnet to attack Linux systems

Cyber criminals have deployed a botnet to target PostgreSQL databases to mine cryptocurrency, according to research by Palo Alto Networks.

The PGMiner botnet performs brute force attacks against PostgreSQL databases that are accessible through the internet, exploiting a disputed remote code execution vulnerability to mine Monero. PostgreSQL is considered one of the world’s most popular and reliable open source databases, backed by more than 20 years of community development.

The built-in feature being exploited is COPY FROM PROGRAM, which was introduced in PostgreSQL version 9.3 in 2013. This feature has been tied to CVE-2019-9193, although members of the database community have claimed it was incorrectly labelled as a security vulnerability.

Nevertheless, the researchers have publicly disclosed their findings on PGMiner, describing it as the first cryptocurrency-mining botnet delivered through PostgreSQL, with attackers weaponising not only confirmed flaws but disputed ones too.
