18 September 2020

Vulnerability summary for the week: September 18, 2020

Here’s a brief overview of the most important vulnerabilities that made headlines this week, including a dangerous flaw in the BLE protocol that puts billions of Bluetooth-enabled devices at risk, the Zerologon vulnerability in Windows, bugs in Adobe products, and more.

Researchers have warned of a Bluetooth Low Energy (BLE) vulnerability that allows spoofing attacks and potentially impacts billions of Internet of Things (IoT) devices, as well as smartphones, tablets and laptops that use Bluetooth software stacks.

Dubbed BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability affects the reconnection process that occurs when a device moves out of range and then moves back into range again later. The vulnerability could be used by an attacker to bypass reconnection verifications and send spoofed data to a BLE device.

While Apple fixed the flaw (CVE-2020-9770) in June, the vulnerability remains unpatched on Android devices.

Security researchers have released the details of a serious vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol, a legacy protocol that is still supported on all Windows servers to allow them to operate in a domain environment. Named Zerologon, the vulnerability could be used by an attacker with access to a Windows Domain Controller to take over the Windows domain.

Adobe has released an out-of-band update to address three vulnerabilities in its Media Encoder product. CVE-2020-9739, CVE-2020-9744, and CVE-2020-9745 are out-of-bound read flaws “that could lead to information disclosure in the context of the current user.”

Multiple vulnerabilities have been fixed in MobileIron’s mobile device management (MDM) solutions, the most severe of which could allow remote code execution (CVE-2020-15505), reading of arbitrary files from a targeted system (CVE-2020-15507), or remote bypass of authentication mechanisms (CVE-2020-15506). Vulnerable products include MobileIron Core (version 10.6 and earlier), MobileIron Sentry, MobileIron Cloud, Enterprise Connector, and Reporting Database.

Other vulnerabilities worth mentioning are the out-of-bounds write (CVE-2020-16304) and buffer overflow (CVE-2020-16302) vulnerabilities in Ghostscript (Alpine package), a remote code execution flaw (CVE-2020-13948) in Apache Superset, an authentication bypass (CVE-2020-11998) in Apache ActiveMQ, a remote command injection flaw (CVE-2020-24552) in the Atop Technology industrial 3G/4G gateway, and a privilege escalation flaw in Zoho ManageEngine Desktop Central.
