19 February 2021

Vulnerability summary for the week: February 19, 2021


Several reports emerged this week highlighting a number of vulnerabilities affecting various solutions, such as QNAP NAS devices, OpenSSL, and Agora Video SDK, that could be leveraged by malicious actors to achieve remote code execution, launch DoS attacks, spy on private calls, or compromise home and corporate networks.

Specifically, QNAP has addressed a critical security vulnerability in the Surveillance Station app that could allow attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software. The flaw in question is tracked as CVE-2020-2501 and impacts Surveillance Station versions before 5.1.5.3.3, 5.1.5.4.3.

Maintainers of the OpenSSL Project released patches to fix three vulnerabilities (CVE-2021-23841, CVE-2021-23839, CVE-2021-23840), two of which could be exploited for denial-of-service (DoS) attacks and one of which could allow a man-in-the-middle (MitM) attack. CVE-2021-23841 and CVE-2021-23840 have been addressed with the release of OpenSSL 1.1.1j, while CVE-2021-23839 has been patched in version 1.0.2y.

A dangerous flaw was found in Agora Video SDK (which allows users to make video calls in apps like eHarmony, Plenty of Fish, MeetMe, Skout, and Talkspace) that lets threat actors spy on private calls without the user knowing.

The issue (CVE-2020-25605) exists because the software uses an insecure communication channel to transmit sensitive information. A remote attacker with the ability to intercept network traffic can obtain access to the audio and video of any ongoing Agora video call. The vulnerability was patched in Agora SDK version 3.2.1.

Another interesting issue disclosed this week is related to ConnectPort X2e, a gateway device used for solar energy installations. In particular, Digi ConnectPort X2e contains two vulnerabilities (CVE-2020-9306, CVE-2020-12878) that attackers could use to gain access to home or corporate networks via the vulnerable device.

CVE-2020-9306 stems from Digi ConnectPort X2e storing the password for the python user account in cleartext, and the second bug is a privilege escalation flaw. By exploiting both vulnerabilities, an attacker who has network access to the targeted device could obtain a root shell and remotely take over the device.

Google addressed multiple vulnerabilities in its Chrome browser, almost all of which allowed remote code execution. Microsoft released updates for its Edge (Chromium-based) browser designed to fix these issues as well.

Also, multiple RCE vulnerabilities have been reported in the libmaxminddb library, Soar Cloud System HR Portal, ISC BIND, SPIP, and the static-eval package for npm (a patch is not available for this flaw).
