Weekly threat roundup: Apple, VMware, OpenSSL

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Apple WebKit zero-day under exploitation

Apple has released an emergency patch fixing a zero-day vulnerability in its iOS, iPadOS, and watchOS operating systems, that has been exploited by unidentified hackers.

Tracked as CVE-2021-187, the flaw resides in WebKit, which is an open source browser engine primarily used in the Safari web browser, as well as all iOS web browsers, alongside various other iOS and iPadOS apps.

Hackers were able to exploit the flaw by sending victims a malicious link and executing arbitrary code through a cross-site scripting (XSS) attack, with potential implications including the theft of sensitive data or forcing changes to the appearance of a website.

Apple has rolled out patches for all versions of the iPad Pro, iPad Air 2 and later, the fifth generation of the iPad and later, iPad mini 4 and later, and the seventh generation of the iPod touch. This is in addition to updates released for all Apple Watch products, and all iPhones from iPhone 6s.

VMware patches severe vRealize flaws

Vmware has patched two critical vulnerabilities in its vRealize Operations platform that could allow cyber criminals to infiltrate corporate networks, steal user credentials, and manipulate underlying systems.

This is a platform augmented with artificial intelligence that's capable of managing IT operations in various cloud deployments, allowing admins to monitor, troubleshoot, and manage the health and capacity of virtual IT environments.

The first flaw, tracked as CVE-2021-21975, is rated 8.6 on the CVSS threat severity scale. If exploited, it could allow a malicious actor with network access to the vRealize Operations Manager API to perform a server-side request forgery attack to steal admin credentials.

A second flaw, tracked as CVE-2021-21983, is considered less severe as it requires an attacker to be authenticated in order to successfully exploit. There are fears, however, that it can be chained with the first bug to allow hackers to write files to various locations on the underlying operating system.

OpenSSL fixes major denial of service bug

The most widely-used encryption software library, OpenSSL, has patched a severe flaw that could have allowed hackers to crash a wide number of servers.

The open source cryptography toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, is used across a host of products and platforms, including Linux as well as other software and email clients.

The latest update, OpenSSL 1.1.1k, fixed two severe bugs including CVE-2021-3449, which could have been exploited by hackers to deliberately crash vulnerable web servers or email servers at will, causing a looped denial of service (DoS) situation.

The second flaw, CVE-2021-3450, was a more complex issue that could have allowed security checks to be circumvented when an app would seek out the legitimacy of a TLS certificate.

Netmask flaw allows hackers to bypass server access controls

Related Resource

Taking a proactive approach to cyber security

A complete guide to penetration testing

A complete guide to penetration testing - whitepaper from CyberCxDownload now

A vulnerability in the networking npm library, netmask, could give hackers the ability to bypass server access controls and launch server-side request forgery attacks, according to research by Sick Codes.

The nine-year-old exploit is considered far-reaching as hundreds of thousands of apps use the package to parse or compare IPv4 addresses and Classless Inter-Domain Routing (CIDR) blocks. The code was downloaded three million times last week alone, with 278,000 GitHub repositories using it.

The issue centres on the way netmask handles mixed-format IP addresses, with the library seeing a different IP address when parsing an address with a prefixed zero. The researchers warned that anyone could submit an address in netmask that looks like a private IP, but then connects to a public IP to download malicious files.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Supply chain breaches impacted 97% of firms in the past year
supply chain management (SCM)

Supply chain breaches impacted 97% of firms in the past year

12 Oct 2021