3 July 2020

Vulnerability summary for the week: July 3, 2020


This week Microsoft has released security updates that address two high risk vulnerabilities in Microsoft Windows Codecs Library. Both bugs (CVE-2020-1425, CVE-2020-1457) are remote code execution issues that exist in the way that Microsoft Windows Codecs Library handles objects in memory.

By exploiting the CVE-2020-1425 flaw an attacker could obtain information to further compromise the user’s system. In the case of CVE-2020-1457, the exploitation of the flaw could lead to remote code execution. The two security flaws can be exploited by using a specially crafted image file.

The vulnerabilities impact only Windows 10 and Windows Server 2019 releases.

Another serious vulnerability disclosed this week affects PAN-OS, the operating system that powers Palo Alto Networks’ next-generation firewalls. The vulnerability, tracked as CVE-2020-2021, could allow unauthenticated network-based attackers to bypass authentication.

The issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). The PAN-OS 7.1 version is not affected by CVE-2020-2021.

The issue has been fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.

Palo Alto Networks said it is not aware of attacks exploiting this vulnerability. However, US Cyber Command has warned that foreign APT groups will likely attempt to exploit unpatched Palo Alto firewalls.

Multiple vulnerabilities have been reported in Delta Industrial Automation DOPSoft solution. One of them (CVE-2020-14482) is a heap-based overflow bug which may allow remote code execution, disclosure/modification of information, or cause the application to crash. Other bugs are out-of-bounds read vulnerabilities, which could allow an attacker to read information and/or crash the application.

YARA versions 4.0.0 and 4.0.1 contain a number of vulnerabilities, the most severe of which can be exploited to remotely execute arbitrary code on a vulnerable system.

FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), is plagued by multiple vulnerabilities, most of which could allow a remote attacker to gain access to potentially sensitive information. However, one of the bugs (CVE-2020-4031) can lead to remote code execution.

Tenda PA6 Wi-Fi Powerline extender, a popular Wi-Fi extender for the home, has multiple unpatched vulnerabilities. Two of the bugs could allow complete remote control of the device (CVE-2019-16213, CVE-2019-19505), while the third one (CVE-2019-19506) can be exploited by a remote attacker to perform a denial of service (DoS) attack. The vulnerabilities affect PA6 Wi-Fi Powerline extender v1.0.1.21.

Mozilla has addressed multiple vulnerabilities in Firefox, Firefox ESR, and the Thunderbird email client, including numerous bugs that allowed an attacker to fully compromise the target system.

Apache Guacamole, a clientless remote desktop gateway, contains multiple vulnerabilities that could potentially allow attackers to achieve full control over the Guacamole server and to intercept and control all other connected sessions, including, but not limited to, uploading and downloading any remote host file and executing any program or command on any remote host. The issues were fixed with the release of version 1.2.02 on June 28.
