The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Vulnerability

Kaseya Issues Patches for Two New 0-Day Flaws Affecting Unitrends Servers

Kaseya Issues Patches for Two New 0-Day Flaws Affecting Unitrends Servers

August 27, 2021Ravie Lakshmanan
U.S. technology firm Kaseya has  released  security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution. The two weaknesses are part of a  trio of vulnerabilities  discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) on July 3, 2021. The IT infrastructure management solution provider has addressed the issues in server software version 10.5.5-2 released on August 12, DIVD said. An as-yet-undisclosed client-side vulnerability in Kaseya Unitrends remains unpatched, but the company has published  firewall rules  that can be applied to filter traffic to and from the client and mitigate any risk associated with the flaw. As an additional precaution, it's  recommended  not to leave the servers accessible over the internet. Although specifics related to the vulnerabilities are sparse, the shortcomin
Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices

Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices

August 18, 2021Ravie Lakshmanan
A security vulnerability has been found affecting several versions of ThroughTek Kalay P2P Software Development Kit (SDK), which could be abused by a remote attacker to take control of an affected device and potentially lead to remote code execution. Tracked as CVE-2021-28372 (CVSS score: 9.6) and  discovered  by FireEye Mandiant in late 2020, the weakness concerns an improper access control flaw in ThroughTek point-to-point (P2P) products, successful exploitation of which could result in the "ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality." "Successful exploitation of this vulnerability could permit remote code execution and unauthorized access to sensitive information, such as to camera audio/video feeds," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  noted  in an advisory. There are believed to be 83 million active devices on the Kala
BadAlloc Flaw Affects BlackBerry QNX Used in Millions of Cars and Medical Devices

BadAlloc Flaw Affects BlackBerry QNX Used in Millions of Cars and Medical Devices

August 18, 2021Ravie Lakshmanan
A major vulnerability affecting older versions of BlackBerry's QNX Real-Time Operating System (RTOS) could allow malicious actors to cripple and gain control of a variety of products, including cars, medical, and industrial equipment. The shortcoming (CVE-2021-22156, CVSS score: 9.0) is part of a broader collection of flaws, collectively dubbed  BadAlloc , that was originally disclosed by Microsoft in April 2021, which could open a backdoor into many of these devices, allowing attackers to commandeer them or disrupt their operations. "A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  said  in a Tuesday bulletin. As of writing, there is no evidence of active exploitation of the vulnerability. BlackBerry QNX technology is  used  worldwide by over 195 million vehicles and embedded systems across a wide range of industries,
Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF

Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF

August 17, 2021Ravie Lakshmanan
Details have emerged about a new unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system. "An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page," cybersecurity firm Rapid7  said  in an advisory published Tuesday. "This vulnerability appears to be related to  CVE-2021-22123 , which was addressed in  FG-IR-20-120 ." Rapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with version Fortiweb 6.4.1. The command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow auth
Microsoft Warns of Another Unpatched Windows Print Spooler RCE Vulnerability

Microsoft Warns of Another Unpatched Windows Print Spooler RCE Vulnerability

August 11, 2021Ravie Lakshmanan
A day after releasing  Patch Tuesday updates , Microsoft acknowledged yet another remote code execution vulnerability in the Windows Print Spooler component, adding that it's working to remediate the issue in an upcoming security update. Tracked as  CVE-2021-36958  (CVSS score: 7.3), the unpatched flaw is the latest to join a  list  of  bugs  collectively known as  PrintNightmare  that have plagued the printer service and come to light in recent months. Victor Mata of FusionX, Accenture Security, who has been credited with reporting the flaw,  said  the issue was disclosed to Microsoft in December 2020. "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations," the company said in its out-of-band bulletin, echoing the vulnerability details for  CVE-2021-34481 . "An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then
Top 30 Critical Security Vulnerabilities Most Exploited by Hackers

Top 30 Critical Security Vulnerabilities Most Exploited by Hackers

July 29, 2021Ravie Lakshmanan
Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage. "Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide," the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI)  noted . "However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system." The top 30 vulnerabilities span a wide range of software, including remote work, virtual pri
Several Bugs Found in 3 Open-Source Software Used by Several Businesses

Several Bugs Found in 3 Open-Source Software Used by Several Businesses

July 27, 2021Ravie Lakshmanan
Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects —  EspoCRM ,  Pimcore , and  Akaunting  — that are widely used by several small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks. All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7  noted. Six of the nine flaws were uncovered in the Akaunting project. EspoCRM is an open-source customer relationship management (CRM) application, while Pimcore is an open-source enterprise software platform for customer data management, digital asset management, content management, and digital commerce. Akaunting, on the other hand, is an open-source and online accounting software designed for invoice and exp
Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices

Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices

July 27, 2021Ravie Lakshmanan
Apple on Monday rolled out an urgent security update for  iOS, iPadOS , and  macOS  to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year. The updates, which arrive less than a week after the company released iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, fixes a memory corruption issue ( CVE-2021-30807 ) in the IOMobileFrameBuffer component, a kernel extension for managing the screen  framebuffer , that could be abused to execute arbitrary code with kernel privileges. The company said it addressed the issue with improved memory handling, noting it's "aware of a report that this issue may have been actively exploited." As is typically the case, additional details about the flaw have not been disclosed to prevent the weaponization of the vulnerability for additional attacks. Apple credited an anonymous researcher for discovering and reporting the
How to Mitigate Microsoft Windows 10, 11 SeriousSAM Vulnerability

How to Mitigate Microsoft Windows 10, 11 SeriousSAM Vulnerability

July 26, 2021The Hacker News
Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly. As we reported last week, the vulnerability — SeriousSAM — allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack.  Attackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges. SeriousSAM vulnerability, tracked as CVE-2021-36934 , exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that allows 'read' permissions to the built-in user's group that contains all local users. As a result, built-in local users have access to read the SAM files and the Registry, where they can also view the hashes. Once the attacker has 'User' access, they can use a tool such as Mimikatz to gain access to the Re
New Windows and Linux Flaws Give Attackers Highest System Privileges

New Windows and Linux Flaws Give Attackers Highest System Privileges

July 20, 2021Ravie Lakshmanan
Microsoft's Windows 10 and the upcoming Windows 11 versions have been found vulnerable to a new local privilege escalation vulnerability that permits users with low-level permissions access Windows system files, in turn, enabling them to unmask the operating system installation password and even decrypt private keys. The vulnerability has been nicknamed "SeriousSAM." "Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files," CERT Coordination Center (CERT/CC) said in a  vulnerability note  published Monday. "This can allow for local privilege escalation (LPE)." The operating system configuration files in question are as follows - c:\Windows\System32\config\sam c:\Windows\System32\config\system c:\Windows\System32\config\security Microsoft, which is tracking the vulnerability under the identifier  CVE-2021-36934 , acknowledged the issue, but has yet to roll out a patch, o
16-Year-Old Security Bug Affects Millions of HP, Samsung, Xerox Printers

16-Year-Old Security Bug Affects Millions of HP, Samsung, Xerox Printers

July 20, 2021Ravie Lakshmanan
Details have emerged about a high severity security vulnerability affecting a software driver used in HP, Xerox, and Samsung printers that has remained undetected since 2005. Tracked as  CVE-2021-3438  (CVSS score: 8.8), the issue concerns a buffer overflow in a print driver installer package named "SSPORT.SYS" that can enable remote privilege and arbitrary code execution. Hundreds of millions of printers have been released worldwide to date with the vulnerable driver in question. However, there is no evidence that the flaw was abused in real-world attacks. "A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege," according to an advisory published in May. The issue was reported to HP by threat intelligence researchers from SentinelLabs on February 18, 2021, following which  remedies  have been  published  for the affected printers as of May 19, 2021. Specific
Researcher Uncovers Yet Another Unpatched Windows Printer Spooler Vulnerability

Researcher Uncovers Yet Another Unpatched Windows Printer Spooler Vulnerability

July 18, 2021Ravie Lakshmanan
Merely days after Microsoft sounded the alarm on an unpatched security vulnerability in the Windows Print Spooler service, possibly yet another zero-day flaw in the same component has come to light, making it the fourth printer-related shortcoming to be discovered in recent weeks. "Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print," CERT Coordination Center's Will Dormann  said  in an advisory published Sunday. "Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process." An exploit for the vulnerability was disclosed by security researcher and  Mimikatz creator   Benjamin Delpy . #printnightmare - Episode 4 You know what is better than a Legit Kiwi Printer ? 🥝Another Legit Kiwi Printer...👍 No prerequiste at all, you even don't need to sign drivers/package🤪 pic.twitter.com/oInb5jm3tE — 🥝 B
China's New Law Requires Vendors to Report Zero-Day Bugs to Government

China's New Law Requires Vendors to Report Zero-Day Bugs to Government

July 17, 2021Ravie Lakshmanan
The Cyberspace Administration of China (CAC) has issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to mandatorily disclose them first-hand to the government authorities within two days of filing a report. The " Regulations on the Management of Network Product Security Vulnerability " are expected to go into effect starting September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and prevent security risks. "No organization or individual may take advantage of network product security vulnerabilities to engage in activities that endanger network security, and shall not illegally collect, sell or publish information on network product security vulnerabilities," Article 4 of the regulation states. In addition to banning sales of previously unknown security weaknesses, the new rules also forbid vulnerabilities from being disclos
Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware

Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware

July 16, 2021Ravie Lakshmanan
Two of the zero-day Windows flaws rectified by Microsoft as part of its Patch Tuesday update earlier this week were weaponized by an Israel-based company called Candiru in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally. The spyware vendor was also formally identified as the commercial surveillance company that Google's Threat Analysis Group (TAG) revealed as exploiting multiple zero-day vulnerabilities in Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto's Citizen Lab. " Candiru 's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers  said . "This case demonstrates, yet again, that in the absence of any international safegua
Update Your Chrome Browser to Patch New Zero‑Day Bug Exploited in the Wild

Update Your Chrome Browser to Patch New Zero‑Day Bug Exploited in the Wild

July 15, 2021Ravie Lakshmanan
Google has pushed out a new security update to Chrome browser for Windows, Mac, and Linux with multiple fixes, including a zero-day that it says is being exploited in the wild. The latest patch resolves a total of eight issues, one of which concerns a type confusion issue in its V8 open-source and JavaScript engine ( CVE-2021-30563 ). The search giant credited an anonymous researcher for reporting the flaw on July 12. As is usually the case with actively exploited flaws, the company issued a terse statement acknowledging that "an exploit for CVE-2021-30563 exists in the wild" while refraining from sharing full details about the underlying vulnerability used in the attacks due to its serious nature and the possibility that doing so could lead to further abuse. CVE-2021-30563 also marks the ninth zero-day addressed by Google to combat real-world attacks against Chrome users since the start of the year — CVE-2021-21148  - Heap buffer overflow in V8 CVE-2021-21166  - Obje
Microsoft Warns of New Unpatched Windows Print Spooler Vulnerability

Microsoft Warns of New Unpatched Windows Print Spooler Vulnerability

July 15, 2021Ravie Lakshmanan
Microsoft on Thursday shared fresh guidance on yet another vulnerability affecting the Windows Print Spooler service, stating that it's working to address it in an upcoming security update. Tracked as  CVE-2021-34481  (CVSS score: 7.8), the issue concerns a local privilege escalation flaw that could be abused to perform unauthorized actions on the system. The company credited security researcher Jacob Baines for discovering and reporting the bug. "An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges," the Windows maker said in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." However, it's worth pointing out that successful exploitation of the vulnerability requires the attacker to have t
Google Details iOS, Chrome, IE Zero-Day Flaws Exploited Recently in the Wild

Google Details iOS, Chrome, IE Zero-Day Flaws Exploited Recently in the Wild

July 15, 2021Ravie Lakshmanan
Threat intelligence researchers from Google on Wednesday  shed more light  on four in-the-wild zero-days in Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year. What's more, three of the four zero-days were engineered by commercial providers and sold to and used by government-backed actors, contributing to an uptick in real-world attacks. The list of now-patched vulnerabilities is as follows - CVE-2021-1879 : Use-After-Free in QuickTimePluginReplacement (Apple WebKit) CVE-2021-21166 : Chrome Object Lifecycle Issue in Audio CVE-2021-30551 : Chrome Type Confusion in V8 CVE-2021-33742 : Internet Explorer out-of-bounds write in MSHTML Both Chrome zero-days — CVE-2021-21166 and CVE-2021-30551 — are believed to have been used by the same actor, and were delivered as one-time links sent via email to targets located in Armenia, with the links redirecting unsuspecting users to attacker-controlled
Update Your Windows PCs to Patch 117 New Flaws, Including 9 Zero-Days

Update Your Windows PCs to Patch 117 New Flaws, Including 9 Zero-Days

July 13, 2021Ravie Lakshmanan
Microsoft rolled out  Patch Tuesday updates  for the month of July with fixes for a total of 117 security vulnerabilities, including nine zero-day flaws, of which four are said to be under active attacks in the wild, potentially enabling an adversary to take control of affected systems.  Of the 117 issues, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity, with six of these bugs publicly known at the time of release.  The updates span across several of Microsoft's products, including Windows, Bing, Dynamics, Exchange Server, Office, Scripting Engine, Windows DNS, and Visual Studio Code. July also marks a dramatic jump in the volume of vulnerabilities, surpassing the number Microsoft collectively addressed as part of its updates in  May  (55) and  June  (50). Chief among the security flaws actively exploited are as follows — CVE-2021-34527  (CVSS score: 8.8) - Windows Print Spooler Remote Code Execution Vulnerability (publicly disclosed
Critical RCE Flaw in ForgeRock Access Manager Under Active Attack

Critical RCE Flaw in ForgeRock Access Manager Under Active Attack

July 12, 2021Ravie Lakshmanan
Cybersecurity agencies in Australia and the U.S. are  warning  of an actively exploited vulnerability impacting ForgeRock's OpenAM access management solution that could be leveraged to execute arbitrary code on an affected system remotely. "The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools," the organization  said  in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them. Tracked as  CVE-2021-35464 , the issue concerns a pre-authentication remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management tool, and stems from an  unsafe Java deserialization  in the Jato framework used by the software. "An attacker exploiting the vulnerability will execute commands in the context of the current user, not as the root user (unless ForgeRo
A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack

A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack

July 12, 2021Ravie Lakshmanan
SolarWinds, the Texas-based company that became the epicenter of a  massive supply chain attack  late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service. The fixes, which target Serv-U Managed File Transfer and Serv-U Secure FTP products, arrive after Microsoft notified the IT management and remote monitoring software maker that the flaw was being exploited in the wild. The threat actor behind the exploitation remains unknown as yet, and it isn't clear exactly how the attack was carried out. "Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability," SolarWinds  said  in an advisory published Friday, adding it's "unaware of the identity of the potentially affected customers." Impacting Serv-U versions 15.2.3 HF1 and before, a successful exploitation of the sh
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.