Weekly threat roundup: Apple's M1 chip, VMware, Trend Micro

Graphic showing a red unlocked padlock surrounded by blue locked padlocks
(Image credit: Shutterstock)

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It's become typical, for example, to expect dozens of patches to be released on Microsoft's Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Apple's M1 chip affected by hardware-level flaw

The flagship M1 CPU developed by Apple is embedded with a vulnerability that can allow any two apps under an operating system (OS) to exchange data between them covertly.

Tracked as CVE-2021-30747, the flaw is baked into the hardware, meaning it cannot be fixed without changing the chip technology. It allows communication between processes running as different users and under different privilege levels.

The vulnerability isn't easily exploited, and malware cannot use this to infect machines or take over systems. It does, however, give strains of malware already installed on computers additional capabilities, such as communication with other strains.

Practically, however, it's unlikely cyber criminals can develop mechanisms to exploit the bug, according to Hector Martin, the researcher who discovered it, with advertising companies more likely to be inclined to abuse it for cross-app tracking purposes.

VMware advises immediate patching of vCenter systems

Ransomware gangs are primed to exploit two vulnerabilities in VMware's vCenter Server platform, according to the company, with hackers able to abuse the flaws to launch remote code execution attacks.

The most severe bug of the pair, tracked as CVE-2021-21985, which lies in the vSphere Client, involves a lack of input validation in the Virtual SAN Health Check plugin, which is enabled in the system by default. This plugin allows customers to manage their virtual deployments and includes dozens of automated health checks.

RELATED RESOURCE

The technology of trust

How to protect your most valuable commodity

FREE DOWNLOAD

It's rated 9.8 on the CVSS threat severity scale, out of ten, meaning its effects are particularly devastating and it's relatively straightforward to exploit. Hackers with network access to port 443 will be able to execute commands with unrestricted privileges on the OS that hosts vCenter Server.

The second flaw, tracked as CVE-2021-21986, is less severe but also allows hackers with network access to port 443 on vCenter Server to perform actions allowed by various plugins without authentication. These comprise the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plugins.

Bluetooth bug allows hackers to mimic devices

Cyber criminals can exploit flaws in Bluetooth Core and Mesh Profile Specifications to disguise themselves as legitimate devices and execute man in the middle attacks.

The fresh wave of flaws, discovered by researchers at the French security agency known as Agence nationale de la sécurité des systèmes d'information (ANSSI), allow impersonation attacks and AuthValue disclosures.

The discovery of six flaws, CVE-2020-26555 through CVE-2020-26560, builds on previously discovered vulnerabilities which could have been exploited in so-called 'Bluetooth Impersonation Attacks' (BIAS).

They allow hackers to impersonate a device and establish a secure connection with a victim without possessing the long-term key shared by the impersonated device and the victim. It effectively bypasses the authentication mechanism.

Apple fixes three macOS flaws under attack

Apple has issued a patch to fix several vulnerabilities across its various operating systems, including a macOS Big Sur zero-day flaw that's under attack.

Tracked as CVE-2021-30713, the flaw lies in Apple's Transparency, Consent and Control (TCC) framework, which manages user consent for permissions across local apps. Hackers can exploit the flaw to gain permissions for malicious apps, granting access to the hard drive and to screen recording, which could allow them to take screenshots of infected machines.

While Apple declined to share the exploit mechanism, security firm Jamf has identified the malware known as XCSSET is currently abusing the flaw.

Alongside this flaw, Apple has patched CVE-2021-30663 and CVE-2021-30665, both lying in the WebKit browser engine in Safari and Apple TV, and both under attack. They can each be exploited to launch remote code execution attacks.

Trend Micro home network security allows PC takeover

Researchers have discovered flaws in Trend Micro's Home Network Security Station that could let attackers launch denial of service (DoS) attacks, escalate user privileges and levy remote code execution attacks.

This is a device that plugs into home routers in order to prevent internet of things (IoT) devices from being hacked. The first two flaws lead to privilege escalation, while the third is a hard-coded password flaw.

Three security vulnerabilities in the platform, tracked CVE-2021-032457 through CVE-2021-32459, can be exploited to infiltrate home networks. Specifically, hackers can exploit the first two bugs to elevate permissions on the targeted device. The third flaw exists with a set of hard-coded credentials on the device, which an attacker could exploit to create files, change permissions and upload arbitrary data to an SFTP server.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.