Here’s a brief overview of the most important vulnerabilities that made headlines this week, including a dangerous flaw affecting BLE protocol, which puts at risk billions of Bluetooth-enabled devices, the Zerologon vulnerability in Windows, bugs in Adobe products, and more
Researchers have warned of a Bluetooth Low Energy (BLE) vulnerability that allows spoofing attacks and potentially impacts billions of Internet of Things (IoT) devices, as well as smartphones, tablets and laptops that use Bluetooth software stacks.
Dubbed BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability affects the reconnection process that occurs when a device moves out of range and then moves back into range again later. The vulnerability could be used by an attacker to bypass reconnection verifications and send spoofed data to a BLE device.
While Apple has fixed the flaw (CVE-2020-9770) in June, the vulnerability remains unpatched on Android devices.
Security researchers have released the details about a serious vulnerability (CVE-2020-1472) in Netlogon remote protocol, a legacy protocol that is still supported on all Windows servers to allow them to work in domain environment. Named Zerologon, the vulnerability could be used by an attacker with access to a Windows Domain Controller to take over the Windows domain.
Adobe has released an out-of-band update to address three vulnerabilities in its Media Encoder product. CVE-2020-9739, CVE-2020-9744, and CVE-2020-9745 are out-of-bound read flaws “that could lead to information disclosure in the context of the current user.”
Multiple vulnerabilities have been fixed in MobileIron’s mobile device management (MDM) solutions the most severe of which could allow remote code execution (CVE-2020-15505), to read arbitrary files from a targeted system (CVE-2020-15507), or bypass authentication mechanisms remotely (CVE-2020-15506). Vulnerable products include MobileIron Core (version 10.6 and earlier), MobileIron Sentry, MobileIron Cloud, Enterprise Connector, and Reporting Database.
Other vulnerabilities worth mentioning are the out-of-bounds write (CVE-2020-16304) and buffer overflaw (CVE-2020-16302) vulnerabilities in ghostscript (Alpine package), a remote code execution flaw (CVE-2020-13948) in Apache Superset, an authentication bypass (CVE-2020-11998) in Apache ActiveMQ, a remote command injection flaw (CVE-2020-24552) in Atop Technology industrial 3G/4G gateway, and a privilege escalation flaw in Zoho ManageEngine Desktop Central