Weekly threat roundup: Blackberry QNX, Cisco VPNs, Fortinet firewalls

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Blackberry ‘attempted to hide’ QNX flaws

Vulnerabilities in Blackberry’s QNX operating system (OS), known as BadAlloc, were allegedly kept secret for months, according to Politico. Tracked as CVE-2021-22516, they were only disclosed this week, having first been discovered four months ago. Two people speaking to the publication said that the company, when speaking to cyber security officials, had initially denied that BadAlloc affected its products at all, and later resisted making a public announcement.

The BadAlloc flaws are embedded in pre-2012 versions of the QNX Real Time Operating System (RTOS), still used by hundreds of millions of internet-enabled products. The list of affected products includes cars made by Volkswagen and Ford, heavy machinery and hospital equipment, among other kinds of devices.

Hackers could exploit the flaw to trigger a denial of service (DoS) condition in the affected products or even gain control of highly sensitive systems by executing arbitrary code, according to the US Computer Emergency Readiness Team (US-CERT). Patches are now available for BadAlloc.

Cisco won’t patch critical VPN flaw

Cisco has said that it won’t patch a critical vulnerability in the universal plug-and-play (UPnP) service of several small business virtual private network (VPN) routers because these systems have reached end-of-life.

The zero-day vulnerability, tracked as CVE-2021-34730, is rated a near-maximum 9.8 out of ten on the CVSS threat severity scoring system, suggesting it’s highly exploitable and the effects are particularly severe.

Attackers can exploit the flaw to restart vulnerable devices or execute arbitrary code remotely, posing as the root user on the underlying operating system. The devices affected are the RV110W, RV130, RV130W and RV215W routers.

Because these devices are no longer supported, however, Cisco hasn’t released software updates that address the flaw, nor are there any workarounds that address it.

Microsoft discloses another Windows Print Spooler flaw

Microsoft published a security notice this week detailing yet another Print Spooler vulnerability, the latest in a string of flaws found in the Windows component throughout 2021.

Although the bug, tracked as CVE-2021-36958, was only disclosed this month, it was first discovered by researchers in December 2020, well before the controversies surrounding the PrintNightmare bug emerged.

An attacker who successfully exploits the flaw can run arbitrary code with system-level privileges, which would then allow them to install programmes as well as view, change or delete data. Hackers can also create new accounts with full user rights.

Although there are no indications the flaw has been exploited, Microsoft said that functional exploit code is available.

Fortinet hits out at Rapid7 after firewall bug is disclosed early

After Rapid7 detailed a flaw in the operating system of Fortinet’s FortiWeb web application firewall, the firm publicly called out the researchers for disclosing the bug before the 90-day disclosure window had elapsed.

FortiWeb is designed to catch both known and unknown exploits targeting protected web applications. An OS command injection flaw in the management interface, tracked as CVE-2021-22123, can allow remote attackers to execute arbitrary commands on the system through the SAML server configuration page.

Following disclosure, Fortinet criticised Rapid7 for violating the terms of their disclosure agreement, according to ZDNet, since the bug was revealed before Fortinet had an opportunity to develop a patch. Rapid7, however, said it contacted Fortinet several times to work on the issue but didn’t get a response, so it followed its own disclosure policy.

Fortinet says version 6.4.1 of FortiWeb, which includes a fix, will be released by the end of August.
