10 April 2020

Vulnerability summary for the week: April 10, 2020



Our latest weekly digest provides an overview of the vulnerabilities disclosed this week, including zero-days in Mozilla Firefox, multiple flaws in Google Chrome, dangerous bugs in glibc, SCADA systems, and more.

Mozilla has addressed two zero-day vulnerabilities in its Firefox browser. Both flaws allow a remote attacker to execute arbitrary code and compromise a vulnerable system.

The bugs, tracked as CVE-2020-6819 and CVE-2020-6820, are use-after-free vulnerabilities. The first is caused by a race condition when running the nsDocShell destructor, and the second by a race condition when handling a ReadableStream. The flaws can be exploited by tricking a victim into visiting a maliciously crafted website.

More than 30 vulnerabilities have been patched in Google Chrome, including four high-severity bugs that could be used to compromise a target system. The rest of the vulnerabilities affect various components in Chrome and could be used to bypass security restrictions or gain access to sensitive information.

Palo Alto PAN-OS firewall software was found to be vulnerable to remote code execution and privilege escalation attacks due to a couple of vulnerabilities. The first one, CVE-2020-1990, exists due to a boundary error in the management server component and can lead to remote code execution by triggering a stack-based buffer overflow. The second flaw, CVE-2020-1991, allows a local user to gain elevated privileges or overwrite system files.

Advantech WebAccess/NMS, a web browser-based software package for networking management system (NMS), contains multiple vulnerabilities, the most severe of which (CVE-2020-10621, CVE-2020-10619, CVE-2020-10631, CVE-2020-10603) could allow a remote attacker to compromise a vulnerable system, conduct directory traversal attacks, or execute arbitrary shell commands on the target system.

Fuji Electric released a new version (4.0.9.0) to address a heap-based buffer overflow (CVE-2020-10646) in its V-Server Lite, a standard programming package for HMI, which could allow a remote attacker to gain elevated privileges for remote code execution.

A vulnerability (CVE-2020-11647) has been discovered in the Wireshark BACapp dissector, which may lead to remote code execution. A remote attacker can send specially crafted data via the network, trigger a stack-based buffer overflow and execute arbitrary code on the target system. While there are currently no known cases of the vulnerability being exploited in the wild, it should be noted that a proof of concept for this flaw is available.

Glibc (GNU C Library) is affected by a high-risk vulnerability (CVE-2020-1752), which allows a local user to escalate privileges on the system and potentially execute arbitrary code.

The ManageEngine ADSelfService Plus password reset management program and the Hirschmann Automation and Control HiOS and HiSecOS products also contain RCE bugs (CVE-2020-11518 and CVE-2020-6994, respectively) that may lead to remote takeover.

