Please see Security Advisories for the week ending November 13, 2020
- Google Releases Security Updates for Chrome
- Apple Releases Security Updates for Multiple Products
- Palo Alto Networks Releases Security Updates For PAN-OS
- Cisco Releases Security Update for IOS XR Software
- Microsoft Releases November 2020 Security Updates
- SAP Releases November 2020 Security Updates
- Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
________________________________
Google Releases Security Updates for Chrome
Situation
Google has discovered and patched several vulnerabilities for its Chrome web browser software.
Problem
Google has identified two security vulnerabilities in its Chrome web browser, CVE-2020-16013 and CVE-2020-16017, and reports that exploits for both exist in the wild. If exploited, an attacker could potentially take control of an affected system.
Implication
Failure to patch systems could result in loss of control of affected systems. Possible compromise of system and network integrity.
Need
Google has released Chrome version 86.0.4240.198 for Windows, Mac, and Linux. Please upgrade to the latest version to ensure that you are protected.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2020/11/12/google-releases-security-updates-chrome
For a more detailed overview:
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_11.html
________________________________
Apple Releases Security Updates for Multiple Products
Situation
Apple has released security updates to address vulnerabilities in multiple products, including macOS Big Sur, macOS Mojave 10.14.6, macOS High Sierra 10.13.6, and Safari 14.0.1.
Problem
Apple has identified several security vulnerabilities in these products that a remote attacker could exploit. Unpatched systems could allow attackers to cause a denial of service, execute malicious code, and take control of the affected system.
Implication
Failure to patch systems could result in loss of control of affected systems. Possible compromise of system and network integrity.
Need
Apple advises patching to the latest version of macOS Big Sur, Mojave, High Sierra, and Safari.
For a brief overview:
For a more detailed overview:
Big Sur: https://support.apple.com/en-us/HT211931
High Sierra and Mojave: https://support.apple.com/en-us/HT211946
Safari: https://support.apple.com/en-us/HT211934
________________________________
Palo Alto Networks Releases Security Updates For PAN-OS
Situation
Palo Alto Networks has released security updates to patch five vulnerabilities found in PAN-OS.
Problem
The vulnerabilities that were patched are:
- CVE-2020-2050, an authentication bypass in GlobalProtect SSL VPN client certificate verification (CVSS 8.2).
- CVE-2020-2022, a Panorama session vulnerability that discloses the administrator's session token to a managed device when the Panorama administrator performs a context switch into that device (CVSS 7.5).
- CVE-2020-2000, an OS command injection and memory corruption vulnerability (CVSS 7.2).
- CVE-2020-1999, a threat detection engine vulnerability in which specifically crafted packets evade threat signatures (CVSS 5.2).
- CVE-2020-2048, a vulnerability in which system proxy passwords may be logged in clear text when the system state is viewed (CVSS 5.2).
Implication
If an attacker successfully exploits the most severe of these vulnerabilities, they could take control of the affected system; the remaining issues allow session token disclosure, threat-signature evasion, and clear-text credential exposure in logs.
Need
Palo Alto Networks recommends updating PAN-OS to protect against these vulnerabilities. Additional information, workarounds and mitigations about these vulnerabilities can be found in the link below.
Palo Alto Networks Security Advisory:
https://security.paloaltonetworks.com/
________________________________
Cisco Releases Security Update for IOS XR Software
Situation
Cisco has released a security update to address a vulnerability in IOS XR Software for ASR 9000 Series Aggregation Services Routers.
Problem
The vulnerability is due to improper resource allocation when the device is operating in software switching mode.
Implication
An unauthenticated, remote attacker could cause a denial-of-service (DoS) condition on the affected device.
Need
Update Cisco IOS XR Software to release 6.7.2 or later, or to release 7.1.2 or later.
For a more detailed overview:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cp-dos-ej8VB9QY
________________________________
Microsoft Releases November 2020 Security Updates
Situation
Microsoft has released the monthly security updates for November. These updates address vulnerabilities in the following Microsoft products:
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Internet Explorer
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge (Chromium-based)
- ChakraCore
- Microsoft Exchange Server
- Microsoft Dynamics
- Microsoft Windows Codecs Library
- Azure Sphere
- Windows Defender
- Microsoft Teams
- Azure SDK
- Azure DevOps
- Visual Studio
Problem
The vulnerabilities Microsoft has addressed span a range of attack vectors, including local, physical, and network.
Implication
Because Microsoft has addressed a large variety of vulnerabilities, the impact varies by product. In the worst case, a remote attacker could take control of the affected system.
Need
Update all systems as soon as possible.
For a more detailed overview:
________________________________
SAP Releases November 2020 Security Updates
Situation
SAP has released security updates for their products in their November patch cycle. Products include SAP Solution Manager, SAP Data Services, SAP NetWeaver, and more.
Problem
SAP has patched vulnerabilities with CVSS scores ranging from 4.3 to 10.0. They include code injection, denial of service, missing authentication and authorization checks, OS command injection, remote code execution, and more.
Implication
An attacker exploiting these vulnerabilities could compromise the affected system.
Need
Patch all SAP products as soon as possible.
For a more detailed overview:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571
________________________________
Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
Situation
Mozilla has released security updates to patch a critical severity vulnerability (CVE-2020-26950) in Firefox, Firefox ESR, and Thunderbird.
Problem
This vulnerability (CVE-2020-26950) is a use-after-free in the JavaScript JIT compiler, caused by the MCallGetProperty opcode being emitted with unmet assumptions. A remote attacker can craft a web page that, when a victim is tricked into opening it, triggers the use-after-free and leads to arbitrary code execution on the affected system.
Implication
Successful exploitation of this vulnerability can allow a remote attacker to take control of the affected system.
Need
Mozilla strongly recommends updating to Firefox 82.0.3, Firefox ESR 78.4.1, and Thunderbird 78.4.2 or higher to protect against this vulnerability. Additional information can be found in the link below.
For a brief overview
For a more detailed overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/
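Several items in this digest (Chrome, Cisco IOS XR, Firefox, Firefox ESR, Thunderbird) state a fixed release and ask readers to confirm they are at or above it. The following is an added example, not code from the digest or from any of the vendors, of how to run that check across an inventory without the two mistakes a naive string or number comparison makes: treating Firefox ESR 78.4.1 as "older than 82.0.3" and therefore vulnerable, or treating IOS XR 7.0.x as "newer than 6.7.2" and therefore fixed. The release-train boundaries in the FIXED table (Firefox 78 as the ESR train, 82 and later as the release train, IOS XR 6.x and 7.x as separate trains) are this example's assumption, and the inventory rows are constructed, not real hosts.

```python
"""Fleet-side version gate for the fixed releases named in this digest.

Added example, not from the digest or any vendor. It assumes a flaw is fixed
per release train: an installed build counts as patched only if it falls in a
train that received a fix and is at or above that train's fixed release.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# (first major of the train, last major of the train or None if open-ended, fixed release)
Train = Tuple[int, Optional[int], str]

# Fixed releases as stated in this digest. The train boundaries are an
# assumption of this example (Firefox 78 = ESR, 82+ = release; IOS XR 6.x / 7.x).
FIXED: Dict[str, List[Train]] = {
    "chrome":      [(86, None, "86.0.4240.198")],
    "firefox":     [(78, 78, "78.4.1"), (82, None, "82.0.3")],
    "thunderbird": [(78, None, "78.4.2")],
    "ios-xr":      [(6, 6, "6.7.2"), (7, None, "7.1.2")],
}


def parse_version(text: str) -> Version:
    """'86.0.4240.198' -> (86, 0, 4240, 198).

    A non-numeric suffix on a component ('2a', '2-beta') is ignored, and
    trailing zeros are dropped so '7.1.2' and '7.1.2.0' compare equal under
    tuple ordering. Anything unparsable yields () and is treated as unpatched.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_patched(product: str, installed: str) -> bool:
    """True only if `installed` lies in a train that has a fix and is at or
    above that train's fixed release. A build outside every listed train
    (Firefox 81, IOS XR 5.x) or an unknown product is reported as unpatched,
    which is the safe answer for a patch-compliance check."""
    version = parse_version(installed)
    if not version:
        return False
    major = version[0]
    for first, last, fixed in FIXED.get(product, []):
        if major >= first and (last is None or major <= last):
            return version >= parse_version(fixed)
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]


if __name__ == "__main__":
    # Constructed inventory rows for illustration, not real hosts.
    inventory = [
        ("ws01", "chrome", "86.0.4240.198"),   # exactly the fixed build
        ("ws02", "chrome", "86.0.4240.193"),   # one build behind
        ("ws03", "firefox", "78.4.1"),         # ESR train, fixed
        ("ws04", "firefox", "81.0.2"),         # release train, never received the fix
        ("rtr1", "ios-xr", "7.0.2"),           # "newer" than 6.7.2, still vulnerable
        ("rtr2", "ios-xr", "6.8.1"),           # later 6.x release, fixed
    ]
    for host, product, version in triage(inventory):
        print(f"{host}: {product} {version} needs the update")
```

The train table is the part to keep current: when a vendor ships a fix in two supported branches, as Cisco and Mozilla did here, encode both, because a single "minimum version" silently passes the newer branch's unfixed builds.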