Please see Security Advisories for the week ending November 20, 2020
- VMware Releases Security Updates for VMware SD-WAN Orchestrator
- Mozilla Patches One Zero-Day and 15+ High-Severity Vulnerabilities
- Cisco Releases Security Updates for Cisco's Security Manage
VMware has released multiple updates to its SD-Wan Orchestrator to patch vulnerabilities that could lead to an attacker taking control over the vulnerable system.
VMware has found a vulnerability where an attacker can exploit VMware software on devices and possibly take complete control of the device.
Unpatched software leaves a vulnerability where an attacker could exploit the vulnerability and take control of the affected devices.
VMware recommends installing the latest updates in its SD-Wan Orchestrator to prevent this vulnerability.
For a brief overview
For a more detailed overview
Mozilla has released security updates to patch several critical severity vulnerabilities (CVE-2020-15999, CVE-2020-2695, CVE-2020-26952) in Firefox, Firefox ESR, and Thunderbird.
The new vulnerabilities could lead to bypassing security screening in applications such as Thunderbird email client and buffer overflow attacks in Firefox browser or possible memory corruption leading to crash in Firefox browser.
Successful exploitation of the vulnerabilities could allow a remote attacker to take control of the affected system, crash the system, or compromise the security of the affected systems.
Mozilla strongly recommends updating to the latest versions of Firefox and Thunderbird to patch and protect against these vulnerability’s Please upgrade to Firefox 83.0+, Firefox ESR 78.5.0+, Thunderbird 78.4.0
For a more detailed overview
Cisco has released security updates to address two vulnerabilities found in Cisco Security Manager.
The first vulnerability (CVE-2020-27130) is due to improper validation of directory traversal character sequences within requests to an affected device. The vulnerability having a severity level Critical, an attacker could exploit this vulnerability by sending a crafted request to the affected device.
The second vulnerability (CVE-2020-27125) is due to insufficient protection of static credentials. Having a severity level High, an attacker could exploit this vulnerability by viewing source code.
If an attacker is able to successfully exploit the vulnerability (CVE-2020-27130) could allow them to download arbitrary files from the affected device and obtain sensitive information.
If an attacker is able to successfully exploit the vulnerability (CVE-2020-27125) it could lead to the ability to view static credentials, which the attacker could use to carry out further attack.
Cisco recommends updating Cisco Security Manager to protect against these vulnerabilities. For additional information check out Cisco’s security advisories in the links below.
Cisco Security Advisory CVE-2020-27130:
Cisco Security Advisory CVE-2020-27125: