Please see Security Advisories for the week ending October 16, 2020
- NCSC Releases Alert on Microsoft SharePoint Vulnerability
- Adobe Releases Security Updates for Magento
- Microsoft Addresses Windows TCP/IP RCE/DoS Vulnerability
- Juniper Networks Releases Security Updates for Multiple Products
- Apache Releases Security Updates for Apache Tomcat
- SAP Releases October 2020 Security Updates
- Microsoft Releases October 2020 Security Updates
- QNAP Releases Security Updates for QNAP Helpdesk
________________________________
NCSC Releases Alert on Microsoft SharePoint Vulnerability
Situation
Microsoft has discovered and patched a remote code execution vulnerability in Microsoft SharePoint. An attacker could exploit this vulnerability to run arbitrary code through SharePoint.
Problem
Microsoft has discovered a remote code execution vulnerability in Microsoft SharePoint. The vulnerability in Microsoft SharePoint occurs when the software fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
Microsoft advises patching to the latest version of SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Server 2019.
For a brief overview:
For a more detailed overview:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
________________________________
Adobe Releases Security Updates for Magento
Situation
Adobe has discovered and patched several vulnerabilities for Magento Commerce and Magento Open Source. An attacker could exploit some of these vulnerabilities to take control of an affected system.
Problem
Adobe has identified and patched vulnerabilities affecting Magento Commerce and Magento Open Source. An attacker with admin privileges can exploit these vulnerabilities and take control of an affected system, execute arbitrary code, and gain arbitrary read or write access.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
Adobe advises patching to the latest version of: Magento Commerce 2.4.1 and Magento Open Source 2.4.1.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/adobe-releases-security-updates-magento
For a more detailed overview:
https://helpx.adobe.com/security/products/magento/apsb20-59.html
________________________________
Microsoft Addresses Windows TCP/IP RCE/DoS Vulnerability
Situation
Microsoft has released a security update for a vulnerability in its IPv6 TCP/IP stack that would allow a remote attacker to take control of an affected system or cause a denial of service that prevents IPv6 network connectivity.
Problem
Microsoft has found a vulnerability in its IPv6 TCP/IP network stack that, if left unpatched, would allow a remote attacker to cause a denial of service and break IPv6 TCP communications, or to remotely take control of the affected PC.
Implication
Attackers could use this vulnerability to attack an unpatched PC remotely and take control of it or break its IPv6 network connectivity.
Need
Microsoft recommends installing the latest updates and security updates, which are listed in Windows Update or available from its advisory page.
For a more detailed overview:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
________________________________
Juniper Networks Releases Security Updates for Multiple Products
Situation
Juniper has released multiple security updates to patch vulnerabilities in its Junos OS across multiple products, to prevent attackers from exploiting the vulnerabilities and taking over the affected systems.
Problem
Juniper has released multiple updates and upgrades to its Junos OS to fix multiple vulnerabilities and prevent attackers from exploiting the software and gaining access or privileges on the devices. Some of the vulnerabilities affect the hardware platforms, such as Intel CPUs, and could allow local authenticated users to obtain sensitive information. Other vulnerabilities and their fixes concern system services, such as IPv6 DDoS protection not working as intended and possibly causing a denial of service when triggered.
Implication
Without the patches and updates, systems remain vulnerable to attacks that could compromise them and allow attackers to access or control the devices or network, leak data, deny service, or pivot within the network.
Need
Juniper recommends reviewing their security advisory page and ensuring you regularly update your devices to the latest Junos OS or firmware.
For a brief overview:
For a more detailed overview:
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES
________________________________
Apache Releases Security Updates for Apache Tomcat
Situation
Apache has released a patch for a Tomcat vulnerability that affects the following versions:
Apache Tomcat 10.0.0-M1 to 10.0.0-M7
Apache Tomcat 9.0.0.M5 to 9.0.37
Apache Tomcat 8.5.1 to 8.5.57
Problem
Apache has identified an error in the HTTP/2 client where subsequent requests could contain HTTP/2 pseudo headers.
Implication
An attacker exploiting this could find sensitive information.
Need
Upgrade to Apache Tomcat 10.0.0-M8 or later
Upgrade to Apache Tomcat 9.0.38 or later
Upgrade to Apache Tomcat 8.5.58 or later
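Added example (not part of the original advisory and not Apache's own code): a Python check of installed Tomcat version strings against the affected ranges listed above, including the milestone (M) builds. The function names and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges exactly as listed in the advisory above (inclusive bounds).
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M7"),
    ("9.0.0.M5", "9.0.37"),
    ("8.5.1", "8.5.57"),
]

# Matches 8.5.57, 9.0.0.M5 and 10.0.0-M7, also inside longer strings such as
# an "Apache Tomcat/9.0.37" banner.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")

def version_key(text):
    """Return a sortable tuple for a Tomcat version string.

    A milestone build (M<n>) precedes the final release with the same
    numbers, so a missing milestone sorts as infinity.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = float("inf") if milestone is None else int(milestone)
    return (int(major), int(minor), int(patch), ms)

def is_in_affected_range(text):
    """True if the version falls inside a range listed in the advisory."""
    key = version_key(text)
    return any(version_key(lo) <= key <= version_key(hi)
               for lo, hi in AFFECTED_RANGES)

def audit(inventory):
    """Map host -> 'upgrade' or 'not in listed ranges' for a host inventory."""
    return {host: "upgrade" if is_in_affected_range(v) else "not in listed ranges"
            for host, v in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "app-01": "Apache Tomcat/9.0.37",
    "app-02": "9.0.38",
    "app-03": "10.0.0-M7",
    "app-04": "9.0.0.M4",
    "app-05": "8.5.58",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(host, verdict)
```

A result of "not in listed ranges" only means the version is outside the three ranges this advisory names; it says nothing about other Tomcat branches or other advisories.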
________________________________
SAP Releases October 2020 Security Updates
Situation
SAP has released monthly security updates for October for SAP products. These products include SAP Solution Manager, SAP Focused Run, SAP Business Client, SAP NetWeaver, and more.
Problem
SAP has patched a large number of vulnerabilities, with CVSS scores ranging from 3.7 to 10. These include code injection, XSS, OS command injection, and more.
Implication
Attackers exploiting these vulnerabilities can take over a system.
Need
If you are running any SAP product, apply the latest patches provided by SAP.
For a more detailed overview:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
________________________________
Microsoft Releases October 2020 Security Updates
Situation
Microsoft has released October 2020 security updates for various Microsoft software which includes:
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft JET Database Engine
- Azure Functions
- Open Source Software
- Microsoft Exchange Server
- Visual Studio
- PowerShellGet
- Microsoft .NET Framework
- Microsoft Dynamics
- Adobe Flash Player
- Microsoft Windows Codecs Library
Problem
Microsoft has released patches for 87 vulnerabilities; of these, 11 are listed as Critical, 75 are listed as Important, and one is listed as Moderate in severity. None of these vulnerabilities are listed as actively being exploited, but six vulnerabilities are listed as publicly known at the time of release. The most severe of these are 22 remote code execution vulnerabilities and 36 elevation of privilege vulnerabilities.
Implication
If an attacker is able to successfully exploit these vulnerabilities, such as ones that allow for remote code execution or privilege escalation, it could allow the attacker to take control of the affected system.
Need
Microsoft strongly recommends updating all affected Microsoft products that are in use to protect against these vulnerabilities. Additional information can be found in the links below.
Microsoft Security Advisory:
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Oct
For a brief overview:
________________________________
QNAP Releases Security Updates for QNAP Helpdesk
Situation
QNAP Systems has released security updates to address two vulnerabilities in QNAP Helpdesk that could allow an attacker to take over an unpatched QNAP network-attached storage (NAS) device.
Problem
Both QNAP Helpdesk security issues are improper access control vulnerabilities, tracked as CVE-2020-2506 and CVE-2020-2507. According to cwe.mitre.org, improper access control is a weakness in which the software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor.
Implication
If an attacker is able to successfully exploit these vulnerabilities it could allow them to take control of the affected QNAP device.
Need
QNAP strongly recommends updating Helpdesk to version 3.0.3 or later to protect against these vulnerabilities. For additional information, please visit the QNAP security advisory at the link below.
For a detailed overview: