19 February 2021

Vulnerability summary for the week: February 19, 2021


Several reports this week highlighted vulnerabilities in products such as QNAP NAS devices, OpenSSL, and Agora Video SDK that malicious actors could leverage to execute code remotely, launch DoS attacks, spy on private calls, or compromise home and corporate networks.

Specifically, QNAP has addressed a critical security vulnerability in the Surveillance Station app that could allow attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software. The flaw in question is tracked as CVE-2020-2501 and impacts Surveillance Station versions before 5.1.5.3.3, 5.1.5.4.3.

The maintainers of the OpenSSL Project released patches for three vulnerabilities (CVE-2021-23841, CVE-2021-23839, CVE-2021-23840), two of which could be exploited for denial-of-service (DoS) attacks and one of which could allow a MitM attack. CVE-2021-23841 and CVE-2021-23840 have been addressed with the release of OpenSSL 1.1.1j, while CVE-2021-23839 has been patched in version 1.0.2y.

A dangerous flaw was found in Agora Video SDK, which enables video calls in apps like eHarmony, Plenty of Fish, MeetMe, Skout, and Talkspace. The flaw lets threat actors spy on private calls without the user knowing.

The issue (CVE-2020-25605) exists because the software uses an insecure communication channel to transmit sensitive information. A remote attacker with the ability to intercept network traffic can obtain access to the audio and video of any ongoing Agora video call. The vulnerability was patched in Agora SDK version 3.2.1.

Another interesting issue disclosed this week is related to ConnectPort X2e, a gateway device used for solar energy installations. In particular, Digi ConnectPort X2e contains two vulnerabilities (CVE-2020-9306, CVE-2020-12878) that attackers could use to gain access to home or corporate networks via the vulnerable device.

CVE-2020-9306 stems from Digi ConnectPort X2e storing the password for the python user account in cleartext, and the second bug is a privilege escalation flaw. By exploiting both vulnerabilities, an attacker who has network access to the targeted device could obtain a root shell and remotely take over the device.

Google addressed multiple vulnerabilities in its Chrome browser, almost all of which allowed remote code execution. Microsoft also released updates for its Edge (Chromium-based) browser to fix these issues.

Also, multiple RCE vulnerabilities have been reported in the libmaxminddb library, Soar Cloud System HR Portal, ISC BIND, SPIP, and the static-eval package for npm (no patch is available for this flaw).
