Please see Security Advisories for the week ending June 4, 2021
- Critical Security Advisory: VMware Releases Security Updates for Critical Vulnerabilities
- Zero-Day Flaw Actively Exploited in WordPress Fancy Product Designer Plugin
- Cisco Releases Security Updates for Multiple Products
- Mozilla Releases Security Updates for Firefox
________________________________
Critical Security Advisory: VMware Releases Security Updates for Critical Vulnerabilities
Situation
VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. VMware is urging vCenter users to update vCenter Server versions 6.5, 6.7, and 7.0 immediately.
Problem
The most severe of the vulnerabilities that were patched is a remote code execution vulnerability (CVE-2021-21985) found in vSphere Client (HTML5). This vulnerability is due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.
Implication
An attacker with network access to port 443 may be able to exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Need
VMware strongly recommends customers update vCenter Server 6.5, 6.7, and 7.0 to the most recent version as soon as possible. Additional information can be found in the links below.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/06/04/unpatched-vmware-vcenter-software
For a more technical overview:
https://www.vmware.com/security/advisories/VMSA-2021-0010.html
VMware blog post:
https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html
________________________________
Zero-Day Flaw Actively Exploited in WordPress Fancy Product Designer Plugin
Situation
A zero-day vulnerability affecting versions of the open-source Fancy Product Designer plugin for WordPress before 4.6.9 has been discovered and patched.
Problem
An unauthenticated arbitrary file upload and remote code execution vulnerability has been found in this WordPress plugin. If exploited, it would allow remote attackers to upload files and compromise the site's integrity, leading to site takeover.
Implication
Failure to patch could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
To address this vulnerability, the plugin developer has released version 4.6.9 of the Fancy Product Designer plugin. Wordfence has also released new firewall rules to its premium customers to protect against this vulnerability; free customers will receive this update on June 30th.
For a brief overview:
________________________________
Cisco Releases Security Updates for Multiple Products
Situation
Cisco has released security updates to address several vulnerabilities in multiple Cisco products.
Problem
Cisco has released security updates to address vulnerabilities in multiple Cisco products, including Cisco Webex Network Recording Player, Cisco SD-WAN Software, and Cisco ASR 5000 Series Software. An attacker could exploit some of these vulnerabilities to take control of an affected system.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
Cisco advises patching to the most recent security update. There are several security updates, so please follow the Cisco technical link provided to ensure all necessary systems are patched.
For a brief overview:
For a more technical overview:
https://tools.cisco.com/security/center/publicationListing.x
________________________________
Mozilla Releases Security Updates for Firefox
Situation
Mozilla has released security updates to address vulnerabilities in Firefox and Firefox for Android.
Problem
Mozilla has released security updates to address vulnerabilities in Firefox and Firefox for Android. An attacker could exploit some of these vulnerabilities to take control of an affected system.
Implication
Failure to patch systems could result in loss of control of affected systems.
Need
Mozilla advises patching to the most up-to-date versions of Firefox (Firefox 89) and Firefox for Android.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/06/02/mozilla-releases-security-updates-firefox
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-23/
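The Fancy Product Designer and Firefox advisories above each give a minimum patched version (4.6.9 and 89). The following script, added here as an example and not code from the advisories, the plugin developer or Mozilla, checks a software inventory against those minimums. The inventory format, the host names and the product keys are all constructed for the example; vCenter Server is left out because this digest gives no fixed build numbers for it. The point worth noting is that versions must be compared numerically component by component, since a plain string comparison would rate 4.6.10 as older than 4.6.9.

```python
import re
from typing import Iterable, List, Tuple

# Minimum patched versions as stated in the advisories on this page.
# Product keys are constructed for this example.
PATCHED_VERSIONS = {
    "fancy-product-designer": "4.6.9",  # Fancy Product Designer plugin for WordPress
    "firefox": "89",                    # Mozilla Firefox
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of ints so that
    4.6.10 compares greater than 4.6.9 (string comparison gets this wrong).
    Non-numeric suffixes such as '-beta' are ignored."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, patched: str) -> bool:
    """True when the installed version is strictly older than the patched one.
    Shorter tuples are padded with zeros so that '89' equals '89.0.0'."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_unpatched(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that fall below the patched
    version. Products with no entry in PATCHED_VERSIONS are skipped."""
    findings = []
    for host, product, version in inventory:
        patched = PATCHED_VERSIONS.get(product)
        if patched is not None and is_vulnerable(version, patched):
            findings.append((host, product, version))
    return findings


# Constructed sample inventory: host names and installed versions are made up.
SAMPLE_INVENTORY = [
    ("shop01.example", "fancy-product-designer", "4.6.8"),   # below 4.6.9
    ("shop02.example", "fancy-product-designer", "4.6.9"),   # patched
    ("shop03.example", "fancy-product-designer", "4.6.10"),  # patched; string compare would disagree
    ("ws-17.example", "firefox", "88.0.1"),                  # below 89
    ("ws-18.example", "firefox", "89.0"),                    # patched
    ("ws-19.example", "other-product", "1.0"),               # no advisory here, skipped
]

if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below patched version {PATCHED_VERSIONS[product]}")
```

Run against the sample inventory it reports shop01.example and ws-17.example only. To use it on real data, feed `find_unpatched` an iterable of (host, product, version) tuples exported from whatever inventory or plugin-listing tool you already have.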