3 July 2020

Vulnerability summary for the week: July 3, 2020



This week Microsoft has released security updates that address two high risk vulnerabilities in Microsoft Windows Codecs Library. Both bugs (CVE-2020-1425, CVE-2020-1457) are remote code execution issues that exist in the way that Microsoft Windows Codecs Library handles objects in memory.

By exploiting the CVE-2020-1425 flaw an attacker could obtain information to further compromise the user’s system. In the case of CVE-2020-1457, the exploitation of the flaw could lead to remote code execution. The two security flaws can be exploited by using a specially crafted image file.

The vulnerabilities impact only Windows 10 and Windows Server 2019 releases.

Another serious vulnerability disclosed this week affects PAN-OS, the operating system that powers Palo Alto Networks’ next-generation firewalls. The vulnerability, tracked as CVE-2020-2021, could allow unauthenticated network-based attackers to bypass authentication.

The issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). The PAN-OS 7.1 version is not affected by CVE-2020-2021.

The issue has been fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.

Palo Alto Networks said it is not aware of attacks exploiting this vulnerability; however, US Cyber Command has warned that foreign APT groups will likely attempt to exploit unpatched Palo Alto firewalls.

Multiple vulnerabilities have been reported in Delta Industrial Automation DOPSoft solution. One of them (CVE-2020-14482) is a heap-based overflow bug which may allow remote code execution, disclosure/modification of information, or cause the application to crash. Other bugs are out-of-bounds read vulnerabilities, which could allow an attacker to read information and/or crash the application.

YARA versions 4.0.0 and 4.0.1 contain a number of vulnerabilities, the most severe of which can be exploited to remotely execute arbitrary code on a vulnerable system.

FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), is plagued by multiple vulnerabilities, most of which could allow a remote attacker to gain access to potentially sensitive information. However, one of the bugs (CVE-2020-4031) can lead to remote code execution.

Tenda PA6 Wi-Fi Powerline extender, a popular Wi-Fi extender for the home, has multiple unpatched vulnerabilities. Two of the bugs could allow complete remote control of the device (CVE-2019-16213, CVE-2019-19505), while the third one (CVE-2019-19506) can be exploited by a remote attacker to perform a denial of service (DoS) attack. The vulnerabilities affect PA6 Wi-Fi Powerline extender v1.0.1.21.

Mozilla has addressed multiple vulnerabilities in Firefox, Firefox ESR, and the Thunderbird email client, including numerous bugs that allowed an attacker to fully compromise the target system.

Apache Guacamole, a clientless remote desktop gateway, contains multiple vulnerabilities that could potentially allow attackers to achieve full control over the Guacamole server and to intercept and control all other connected sessions. This includes, but is not limited to, uploading and downloading any file on a remote host and executing any program or command on any remote host. The issues were fixed with the release of version 1.2.02 on June 28.
