Weekly threat roundup: SAP, Windows 10, Chrome
Pulling together the most dangerous and pressing flaws that businesses need to patch
Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
SAP exploit grants root access to corporate servers
Hackers can take advantage of a fully-functional exploit that abuses a vulnerability in the SAP Solution Manager. Tracked as CVE-2020-6207, this flaw is a missing authentication check in EEM Manager, a component of the Solution Manager, and is rated a perfect 10/10 on the CVSS threat scale.
Solution Manager is an administrative system used in all SAP environments and centralises the management of all SAP and non-SAP systems within the SAP landscape. By exploiting this flaw, cyber criminals can gain root access to enterprise servers, and access mission-critical applications, business processes and data. They’ll need access to the Solution Manager HTTP(s) port, and can execute the exploit remotely.
Onapsis previously identified this flaw in 2020 and demonstrated at the Black Hat conference how it could be chained with two other flaws to give remote attackers root access. SAP issued a patch for the flaw in March of last year. Onapsis, however, has continued to scan for activity in the wild and have encountered this new exploit published by a Russian researcher on Github.
Unpatched Windows 10 flaw can corrupt your hard drive
Microsoft is working on a fix for a “nasty” vulnerability in Windows 10 that can corrupt users’ hard drives. It can be triggered by opening a specially crafted file name inserted in any folder, according to the Verge, and has apparently existed in Windows for several years.
The vulnerability was flagged by security researcher Jonas L, and corroborated by vulnerability analyst Will Dormann. He suggested the problem seems to have been introduced with Windows 10 version 1803, and that he had reported a similar issue to Microsoft almost two years ago.
The flaw poses a security risk, given it’s possible for an attacker to hide a specially crafted line inside a ZIP folder, for instance, or even a shortcut. When this specific path is opened, the vulnerability will present a message claiming that your hard drive is corrupted. Microsoft confirmed to the Verge that a fix for this bug will be published in a future Windows update.
Flaws in DNS software can be chained to devastating effect
Seven vulnerabilities have been discovered in DNSMasq, software used for domain name system (DNS) caching and IP address assignment, which can be exploited by attackers to mount DNS spoofing attacks, or compromise networking devices.
Researchers with JSOF have found three bugs that allow DNS spoofing and four buffer overflow flaws, the worst of which can lead to the execution of arbitrary code remotely on a vulnerable device. The vulnerable DNSMasq software is used in Cisco routers, Android phones, Aruba devices, as well as systems built by Technicolor, Red Hat, Siemens, Ubiquiti networks, Comcast, and others.
While each of these vulnerabilities has a limited impact in isolation, the researchers found that these can be combined in chained in certain ways to build extremely effective multi-staged attacks. While there are several minor workarounds available, the only full mitigation is for manufacturers to update DNSMasq to version 2.83 or above.
RCE exploit fixed in Google Chrome
Google has released a Chrome browser update addressing a number of flaws including a critical vulnerability tracked as CVE-2021-21117. This is the most severe of the 36 fixes and centres on ‘insufficient policy enforcement in Cryptohome’.
This bug can be successfully exploited by an attacker to execute arbitrary code remotely. Attackers would be able to view, change, or delete data depending on the privileges associated with the browser, meaning it can be partially mitigated if the application is configured with weaker administrative rights.
These 36 security fixes have been bundled with version 88.0.4324.96 of Chrome, which also includes a tool which users can deploy to check whether their passwords should be strengthened. The feature makes it easier to fix weaker passwords by scanning various combinations held in the Chrome password manager and highlighting the weakest links.