Several reports emerged this week highlighting vulnerabilities in a range of products, including QNAP NAS devices, OpenSSL, and the Agora Video SDK, that malicious actors could leverage to execute code remotely, launch DoS attacks, spy on private calls, or compromise home and corporate networks.
Specifically, QNAP has addressed a critical security vulnerability in the Surveillance Station app that could allow attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software. The flaw in question is tracked as CVE-2020-2501 and impacts Surveillance Station versions before 220.127.116.11.3, 18.104.22.168.3.
Maintainers of the OpenSSL Project released patches to fix three vulnerabilities (CVE-2021-23841, CVE-2021-23839, CVE-2021-23840), two of which could be exploited for denial-of-service (DoS) attacks and one of which could be used to perform a man-in-the-middle (MitM) attack. CVE-2021-23841 and CVE-2021-23840 have been addressed with the release of OpenSSL 1.1.1j, while CVE-2021-23839 has been patched in version 1.0.2y.
A dangerous flaw was found in the Agora Video SDK (which allows users to make video calls in apps such as eHarmony, Plenty of Fish, MeetMe, Skout, and Talkspace) that lets threat actors spy on private calls without the user knowing.
The issue (CVE-2020-25605) exists because the software uses an insecure communication channel to transmit sensitive information. A remote attacker with the ability to intercept network traffic can obtain access to the audio and video of any ongoing Agora video call. The vulnerability was patched in Agora SDK version 3.2.1.
Another interesting issue disclosed this week is related to ConnectPort X2e, a gateway device used for solar energy installations. In particular, Digi ConnectPort X2e contains two vulnerabilities (CVE-2020-9306, CVE-2020-12878) that attackers could use to gain access to home or corporate networks via the vulnerable device.
CVE-2020-9306 stems from Digi ConnectPort X2e storing the password for the python user account in cleartext, and the second bug is a privilege escalation flaw. By exploiting both vulnerabilities, an attacker who has network access to the targeted device could obtain a root shell and remotely take over the device.
Google addressed multiple vulnerabilities in its Chrome browser, almost all of which allowed remote code execution. Microsoft released updates for its Edge (Chromium-based) browser designed to fix these issues, as well.