Weekly threat roundup: macOS, VMware and SolarWinds

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

57 bugs patched in macOS Big Sur 11.2

Apple has rectified several dozen security vulnerabilities in its latest macOS release, including a number of serious flaws that could allow an attacker to elevate system privileges on a targeted device.

One flaw in the Crash Reporter app - tracked as CVE-2021-1787 - for example, could allow an attacker to do precisely that. A vulnerability in the Director Utility, meanwhile, could let a malicious application access private information. This is tagged CVE-2020-27937. Another highlight is CVE-2021-1761, which is a bug in Analytics which could allow a remote attacker to cause a denial of service attack.

Users have been urged to download the update immediately, although they’ll have to ensure at least 3.66GB of space is available to do so, according to LifeHacker.

VMware ESXi flaws abused in the wild

Researchers have warned of two VMware ESXi hypervisor flaws that ransomware groups are actively using to encrypt virtual hard drives. 

Tagged CVE-2019-5544 and CVE-2020-3992, these vulnerabilities allow multiple virtual machines (VMs) to share the same storage hardware. They lie in the service layer protocol (SLP), which allows computers and other devices to find services in a local area network without having to configure anything beforehand.

The flaws aren’t new, and those behind the RansomExx ransomware strain have been launching attacks since October 2020, according to reports. Hackers who’ve sent malicious SLP requests to an ESXi device have then been able to gain access to devices on a corporate network to compromise other ESMXi VMs and encrypt virtual hard drives. 

DDoS attacks targeting Plex Media SSDP

Flaws in the widely-used Plex Media Server, a personal media library and steam system, could lead to reflection/amplification distributed denial of service (DDoS) attacks if successfully exploited, according to research by NETSCOUT Arbor.

Upon startup, Plex probes the local network using the G’Day Mate (GDM) network/service discovery protocol to find other compatible media devices. It also uses SSDP probes to find UPnP gateways on broadband routers which have SSDP enabled. When successful, this has the effect of exposing a Plex UPnP-enabled service registration responder to the web, where it can be abused to generate reflection/amplification DDoS attacks.

Observed attacks range in size from roughly 2Gbps to 3Gbps, which is enough to have a significant negative impact on the availability of targeted networks or services. Network operators should perform reconnaissance to identify abusable Pled Media SSDP reflectors/amplifiers on their networks, and the networks of their customers.

Flaw found in Libgrcrypt Encryption Library 

Businesses using GNU Privacy Guard’s (GnuPG’s) Libgcrypt encryption software have been urged to update the platform due to a severe vulnerability that can pave the way for a remote code execution attack.

This piece of software is an open source cryptographic repository that can be used by developers to encrypt and sign data and communications. It essentially provides functions for all fundamental cryptographic building blocks.

Hackers can exploit a heap buffer overflow vulnerability in version 1.9.0 of Libgrcrypt, however, by simply decrypting some data. This will overflow a heap buffer with attacker-controlled data, and allow an attacker to compromise the system, according to Google’s Project Zero researcher Tavis Ormandy, who discovered the flaw.

Three fresh flaws in SolarWinds products

Researchers have discovered new flaws embedded in SolarWinds products, including two in the Orion Platform that was at the heart of the infamous supply chain attack of 2020 and one in Serv-U FTP for Windows.

These flaws, which haven’t yet been exploited in the wild, are severe bugs that demand urgent patching because they can let attackers steal information from a network or gain admin-level privileges. This is according to researchers with Trustwave SpiderLabs.

The most severe flaw, found in the Orion Platform, is tracked as CVE-2021-25274 and centres on improper use of Microsoft Messaging Queue (MSQ). This can allow a remote unprivileged user to execute arbitrary code as if they had the highest privileges. Another flaw in Serv-U FTP can allow any user, regardless of privilege to define a new Serv-U FTP admin account with access to the C:\ drive by simply creating a file.

All three were fixed in January with the release of ‘Orion Platform 2020.2.4’ and ‘ServU-FTP 15.2.2 Hotfix 1 Patch’.

Hackers attempt to exploit SonicWall zero-day

Cyber criminals are trying to exploit a zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 100 devices first flagged publicly last month, according to researchers with the NCC Group.

The company previously admitted it was attacked by criminals exploiting zero-day vulnerabilities in its remote access products, with an initial investigation suggesting its NetExtender VPN client and SMB-oriented SAM 100 Series products were vulnerable. 

NCC Group now claims it’s detected attempts to abuse a concrete exploit in the wild, while SonicWall has confirmed all SMA 100 devices with 10.x firmware are vulnerable. The physical appliances affected include SMA 200, SMA 210, SMA 400, SMA 410 while virtual appliances include SMA 500v ((Azure, AWS, ESXi, HyperV). Users can download a patch by following SonicWall guidance.

Linux malware targeting high-performance computers (HPCs)

High-performance computing clusters run by university networks as well as servers tied with government agencies are being targeted by hackers exploiting a backdoor that lets them execute arbitrary code remotely. 

Kobalos, uncovered by researchers with ESET, is a generic backdoor that contains broad commands that don’t actually reveal the intent of the attackers. It grants remote access to a file system, provides the ability to spawn terminal sessions and allows proxying connections to other infected servers. 

This strain is capable of compromising systems running Linux, FreeBSD, Solaris, as well as AIX and Windows machines too. Other victims also include an endpoint security vendor and a large internet service provider.

Strikingly, any compromised server can be turned into a command and control centre for the malware, with the code embedded into the malware. Most hosts compromised by Kobalos also had an OpenSSH credential stealer installed, which might suggest how the strain spreads between networks and systems.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Hackers used SonicWall zero-day flaw to plant ransomware
ransomware

Hackers used SonicWall zero-day flaw to plant ransomware

30 Apr 2021
How can you protect your business from crypto-ransomware?
Security

How can you protect your business from crypto-ransomware?

20 Apr 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

9 Apr 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021