Latest Vulnerabilities to Watch
There were a number of vulnerabilities announced recently in major products, though nothing that screamed PATCH NOW. I still like to keep you apprised so let’s have a look at what’s been happening.
Last week Cisco released advisories for the following vulnerabilities:
- Cisco IOx Application Hosting Environment Command Injection Vulnerability – SIR: High
- Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability – SIR: Medium
- Cisco Identity Services Engine XML External Entity Injection Vulnerability – SIR: Medium
- Cisco Identity Services Engine Privilege Escalation Vulnerabilities – SIR: Medium
- Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability – SIR: Medium
The IOx vulnerability got a bit of publicity, but exploitation requires an authenticated user and only affects “Cisco devices that are running Cisco IOS XE Software if they have the Cisco IOx feature enabled and they do not support native docker”, meaning that none of these devices are affected:
- Catalyst 9100 Family of Access Points (COS-AP)
- IOS XR Software
- Meraki products
- NX-OS Software (native docker is supported in all releases)
- IC3000 Industrial Compute Gateways on release 1.2.1 or later
Check the advisory to confirm if you have any vulnerable devices or releases and patch as necessary.
VMware ESXi Hypervisor Ransomware
The French Government incident response team, CERT-FR, discovered a ransomware campaign against unpatched/outdated ESXi hypervisors. The campaign targeted vulnerabilities announced in October 2020 and February 2021, namely: CVE-2020-3992 and CVE-2021-21974.
These ESXi hosts were exposed either directly to the internet or in such a way that access was easy. The targeted service is SLP (Service Location Protocol), and the above vulnerabilities should have already been patched. The affected ESXi versions are:
- ESXi 7.x versions earlier than ESXi70U1c-17325551
- ESXi versions 6.7.x earlier than ESXi670-202102401-SG
- ESXi versions 6.5.x earlier than ESXi650-202102101-SG
CERT-FR detailed a recovery process in their alert bulletin.
If you are running the affected ESXi versions above and for some reason the hypervisor is easily accessible by attackers, then please update immediately.
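A quick way to triage a fleet against the version list above is to parse the output of `vmware -vl` on each host and compare the build number with the fixed build. The script below is an added example written for this post, not CERT-FR's or VMware's tooling. Only the 7.x fix is named by build number on the page (ESXi70U1c-17325551); the 6.7 and 6.5 fixes are named by patch id only, so their build entries are placeholders to be filled in from the VMware advisory, and the sample command output is constructed. The same comparison pattern applies to the Jira version ranges further down.

```python
import re
from typing import Optional, Tuple

# Fixed builds per ESXi release line, taken from the affected-version list above.
# None marks a placeholder: the page gives a patch id for that line but no build
# number, so look it up in the VMware advisory before relying on the result.
FIXED_BUILDS: dict = {
    "7.0": 17325551,  # ESXi70U1c-17325551 (build number stated on the page)
    "6.7": None,      # placeholder: build of ESXi670-202102401-SG, fill from advisory
    "6.5": None,      # placeholder: build of ESXi650-202102101-SG, fill from advisory
}

# `vmware -vl` prints a line such as "VMware ESXi 7.0.1 build-17325551"
# followed by the image profile name; we only need the first line.
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)? build-(\d+)")


def parse_vmware_vl(output: str) -> Tuple[str, int]:
    """Extract (major.minor, build) from `vmware -vl` output."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("could not find an 'VMware ESXi x.y build-N' line")
    return match.group(1), int(match.group(2))


def esxi_status(release: str, build: int) -> str:
    """Classify a host: 'patched', 'affected', 'unknown' or 'out-of-scope'.

    'unknown' means the release line is in scope but no fixed build is on
    record here (the placeholder entries), so the advisory must be consulted.
    """
    if release not in FIXED_BUILDS:
        return "out-of-scope"
    fixed: Optional[int] = FIXED_BUILDS[release]
    if fixed is None:
        return "unknown"
    # ESXi build numbers increase monotonically, so a build at or above the
    # fixed build carries the SLP fixes for CVE-2020-3992 and CVE-2021-21974.
    return "patched" if build >= fixed else "affected"


def triage(vmware_vl_output: str) -> str:
    """Convenience wrapper: raw `vmware -vl` text in, status string out."""
    release, build = parse_vmware_vl(vmware_vl_output)
    return esxi_status(release, build)


if __name__ == "__main__":
    # Constructed sample outputs for three hosts (build numbers below the fix
    # are made up for illustration, not taken from real hosts).
    samples = {
        "host-a": "VMware ESXi 7.0.1 build-17325551\nVMware ESXi 7.0 Update 1",
        "host-b": "VMware ESXi 7.0.0 build-12000000\nVMware ESXi 7.0 GA",
        "host-c": "VMware ESXi 6.7.0 build-12000000\nVMware ESXi 6.7 GA",
    }
    for host, output in samples.items():
        print(f"{host}: {triage(output)}")
```

Hosts reported as "affected" or "unknown" are the ones to pull forward in the patch queue; for anything that must stay exposed while you wait, VMware's guidance for these CVEs is to disable the SLP service on the host, which removes the targeted attack surface.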
Jira Service Management Vulnerability
Atlassian released an advisory for a critical vulnerability in Jira Service Management Server and Data Center that can lead to account takeover. The vulnerability can be exploited if the attacker is included in Jira issues or requests alongside user accounts that have never been signed into, or if a ‘View Request’ e-mail is sent to the attacker.
Instances with SSO (single sign-on) are particularly vulnerable if anyone can create their own account.
Affected versions of Jira Service Management Server and Data Center are:
- 5.3.0 – 5.3.2
- 5.4.0 – 5.4.1
Fixed versions are:
- 5.6.0 or later
If you utilise the issues/requests features or SSO then you should patch immediately.
That’s all for now. Thanks for reading and I’ll follow up next week with a Patch Tuesday bulletin.
James @ spotit