Please see Security Advisories for the week ending November 20, 2020
- VMware Releases Security Updates for VMware SD-WAN Orchestrator
- Mozilla Patches One Zero-Day and 15+ High-Severity Vulnerabilities
- Cisco Releases Security Updates for Cisco's Security Manage
________________________________
VMware Releases Security Updates for VMware SD-WAN Orchestrator
Situation
VMware has released multiple updates to its SD-Wan Orchestrator to patch vulnerabilities that could lead to an attacker taking control over the vulnerable system.
Problem
VMware has found a vulnerability where an attacker can exploit VMware software on devices and possibly take complete control of the device.
Implication
Unpatched software leaves a vulnerability where an attacker could exploit the vulnerability and take control of the affected devices.
Need
VMware recommends installing the latest updates in its SD-Wan Orchestrator to prevent this vulnerability.
For a brief overview
For a more detailed overview
https://www.vmware.com/security/advisories/VMSA-2020-0025.html
________________________________
Mozilla Patches One Zero-Day and 15+ High-Severity Vulnerabilities
Situation
Mozilla has released security updates to patch several critical severity vulnerabilities (CVE-2020-15999, CVE-2020-2695, CVE-2020-26952) in Firefox, Firefox ESR, and Thunderbird.
Problem
The new vulnerabilities could lead to bypassing security screening in applications such as Thunderbird email client and buffer overflow attacks in Firefox browser or possible memory corruption leading to crash in Firefox browser.
Implication
Successful exploitation of the vulnerabilities could allow a remote attacker to take control of the affected system, crash the system, or compromise the security of the affected systems.
Need
Mozilla strongly recommends updating to the latest versions of Firefox and Thunderbird to patch and protect against these vulnerability’s Please upgrade to Firefox 83.0+, Firefox ESR 78.5.0+, Thunderbird 78.4.0
For a more detailed overview
https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/
________________________________
Cisco Releases Security Updates for Cisco's Security Manage
Situation
Cisco has released security updates to address two vulnerabilities found in Cisco Security Manager.
Problem
The first vulnerability (CVE-2020-27130) is due to improper validation of directory traversal character sequences within requests to an affected device. The vulnerability having a severity level Critical, an attacker could exploit this vulnerability by sending a crafted request to the affected device.
The second vulnerability (CVE-2020-27125) is due to insufficient protection of static credentials. Having a severity level High, an attacker could exploit this vulnerability by viewing source code.
Implication
If an attacker is able to successfully exploit the vulnerability (CVE-2020-27130) could allow them to download arbitrary files from the affected device and obtain sensitive information.
If an attacker is able to successfully exploit the vulnerability (CVE-2020-27125) it could lead to the ability to view static credentials, which the attacker could use to carry out further attack.
Need
Cisco recommends updating Cisco Security Manager to protect against these vulnerabilities. For additional information check out Cisco’s security advisories in the links below.
Cisco Security Advisory CVE-2020-27130:
Cisco Security Advisory CVE-2020-27125:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-rce-8gjUz9fW
_________