Vulnerability summary for the week: February 5, 2021

This week’s overview highlights the most important security vulnerabilities affecting various software products and appliances, including Google Chrome, SolarWinds Orion, Siemens and many others.

Google has released Chrome 88.0.4324.150 for Windows, Mac and Linux, which contains a fix for a security vulnerability that is being actively exploited in the wild.

Tracked as CVE-2021-21148, the flaw is described as a heap-based overflow issue in the V8 JavaScript engine in Google Chrome. A remote hacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

In addition to CVE-2021-21148, the tech giant has addressed a slew of high-risk flaws in Chrome, most of which would allow a remote attacker to compromise a vulnerable system.

Fortinet addressed a couple of severe vulnerabilities in the SSL VPN portal of the FortiProxy web gateway. One of the flaws (CVE-2018-13381) is a buffer overflow issue that allows remote code execution. In order to exploit this bug, a hacker needs to trick a user into visiting a malicious web site. The vulnerability impacts the following FortiProxy versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 2.0.0.

The second flaw (CVE-2018-13383) exists due to a boundary error when parsing web pages in the SSL VPN web portal. A remote attacker can create a specially crafted web page with malicious JavaScript href data, trick an authenticated user into visiting it, trigger a buffer overflow and execute arbitrary code on the system. FortiProxy versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 2.0.0 are affected.

Three more vulnerabilities were found in the SolarWinds Orion platform, which attracted public attention last year after cybersecurity firm FireEye revealed a widespread supply-chain attack that impacted multiple US government agencies and private firms, including FireEye itself.

The flaws in question are CVE-2021-25274 and CVE-2021-25275; the third bug does not have a CVE assigned. CVE-2021-25274 is the most severe of the three: it exists due to insecure input validation when processing serialized data within the SolarWinds Collector Service MSMQ and can be exploited for remote code execution. The other two flaws could allow a malicious actor to gain unauthorized access to otherwise restricted functionality, or to elevate privileges on the system.

In addition, multiple vulnerabilities were discovered in the SolarWinds Serv-U FTP server, including one RCE flaw (CVE-2020-35481).

Siemens released patches for some of its SIMATIC human-machine interface (HMI) panels to fix a high-severity vulnerability (CVE-2020-15798) that can be exploited remotely to take full control of a device.

The vulnerability exists because affected devices with the Telnet service enabled do not require authentication for that service. A remote attacker can gain full access to the device.

The vulnerability affects SIMATIC HMI Comfort Panels before v16 Update and SIMATIC HMI KTP Mobile Panels before v16 Update.

Cisco has warned of severe bugs in several of its small business VPN routers and SD-WAN products. Specifically, the web-based management interface of the small business RV160, RV160W, RV260, RV260P, and RV260W VPN routers is affected by multiple vulnerabilities that could be abused by remote attackers to execute arbitrary code (CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, CVE-2021-1295) or to perform directory traversal attacks (CVE-2021-1296, CVE-2021-1297).

Apache Dubbo, a high-performance Java-based RPC (remote procedure call) framework, contains an RCE vulnerability which can lead to a system takeover. The flaw exists due to insecure input validation when processing serialized data within readUTF in the Dubbo protocol. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system. Currently, there is no patch available for this issue.