29 January 2021

Vulnerability summary for the week: January 29, 2021


Today’s blog post highlights the most important and interesting security vulnerabilities in various products that have been disclosed by security researchers, vendors, or received particular media coverage this week.

Apple released security updates for iOS, iPadOS, Apple tvOS, and watchOS this week to fix three dangerous vulnerabilities that may have been exploited in real-world attacks.

The three zero-days are CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871. The first flaw affects the iOS operating system kernel. It exists due to a race condition in the Kernel component. A remote attacker can use a malicious application to escalate privileges on the system.

The other two flaws (CVE-2021-1871, CVE-2021-1870) impact the WebKit component and are described as a logic issue that allows a remote attacker to execute code by tricking a user into visiting a malicious website. Apple did not provide additional details on how widespread the attack was, or who might have been behind it.

The company also fixed several high-risk vulnerabilities affecting iCloud for Windows (versions before 12.0) that could allow a remote attacker to compromise a vulnerable system or gain access to sensitive data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned industrial organizations of some high-severity flaws in SCADA/HMI products manufactured by Japanese electrical equipment company Fuji Electric. The issues (CVE-2021-22637, CVE-2021-22653, CVE-2021-22639, CVE-2021-22641) affect Tellus Lite V-Simulator (versions prior to v4.0.10.0) and Server Lite (versions before v4.0.10.0) and could be exploited for remote code execution.

In addition, several dangerous vulnerabilities were found in Schneider Electric IGSS (Interactive Graphical SCADA System). An attacker can use them to execute arbitrary code on the system by tricking a user into opening a malicious CGF file. All of the bugs are related to a boundary error when processing CGF files. The issue affects IGSS SCADA 2, 4.1, 5, 5.1, 6, 7, 8, 9, 10, 11, 12, 13, 13.0.0.19140, 14, 14.0.0.19120, 14.0.0.20009, 14.0.0.20247, 14.0.0.20248. At present, there is no patch available for these vulnerabilities.

Go 1.15.7 and Go 1.14.14 have been released to address a couple of security issues (CVE-2021-3114, CVE-2021-3115). The first bug stems from an incorrect calculation performed by the application in "crypto/elliptic/p224.go", while the latter is a command injection issue that exists due to improper input validation when using the "go get" command to fetch modules that make use of cgo. If exploited, both vulnerabilities allow remote code execution.

Mozilla released security updates that address multiple high-risk issues in Mozilla Thunderbird, Mozilla Firefox and Firefox ESR, including those that allow an attacker to hijack control of a system.

This week, numerous cybersecurity news outlets brought to public attention a security vulnerability (CVE-2021-3156) affecting Sudo, an open-source utility used on major Linux and Unix-like operating systems. The flaw could allow any unprivileged local user to execute code with root privileges on a vulnerable host.

Dubbed Baron Samedit, the heap-based buffer overflow flaw is present in Sudo legacy versions (1.8.2 to 1.8.31p2) and all stable versions (1.9.0 to 1.9.5p1) in their default configuration. It should be noted, however, that this bug can’t be exploited remotely: the attacker must have authentication credentials and successfully authenticate on the system.
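A defender's check for the Sudo version ranges above, as an added example that is not part of the original post: it reads the version from `sudo -V` output and compares it, including the `pN` patch level, against the quoted ranges. The function names and the sample output are constructed for illustration.

```python
import re

# Affected upstream ranges exactly as stated in the post (inclusive bounds).
AFFECTED_RANGES = [("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1")]

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """'1.8.31p2' -> (1, 8, 31, 2); a missing pN suffix counts as p0."""
    m = _VERSION.fullmatch(text.strip())
    if m is None:
        # Beta/rc builds or vendor-mangled strings need manual review.
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def extract_version(sudo_v_output):
    """Pull the version token from the 'Sudo version X' line of `sudo -V`."""
    m = re.search(r"^Sudo version (\S+)", sudo_v_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Sudo version' line found")
    return m.group(1)


def in_affected_range(version):
    """True if the upstream version falls inside a range listed in the post."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


# Constructed `sudo -V` output for illustration, not captured from a real host.
SAMPLE_OUTPUT = "Sudo version 1.8.31p2\nSudoers policy plugin version 1.8.31p2\n"

if __name__ == "__main__":
    found = extract_version(SAMPLE_OUTPUT)
    # A match means "check the package changelog": distributions often
    # backport fixes without changing the upstream version string.
    state = "in affected range" if in_affected_range(found) else "outside affected range"
    print(found, state)
```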

Chinese tech giant Tencent has fixed a buffer overflow vulnerability (CVE-2020-27874) in its WeChat messaging app that could be used for remote code execution via a specially crafted file. The issue affects WeChat versions 7.0.0, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.9, 7.0.10, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17, 7.0.18.

Other notable bugs include an improper authentication flaw (CVE-2021-26117) in Apache ActiveMQ and ActiveMQ Artemis (allows bypassing the authentication process), and multiple high-severity issues in ACDSee Photo Studio (CVE-2021-26025, CVE-2021-26026, CVE-2020-29595), which could be exploited in order to compromise a vulnerable system.
