Security vulnerabilities often provide a way for hackers to compromise computer systems for malicious purposes, and that is why it’s important to keep an eye on fresh bugs discovered in various software and hardware solutions. So here is our latest overview covering multiple vulnerabilities affecting Mozilla Firefox, Cisco’s network gear, and other products.
The Mozilla Foundation has released Firefox 86, which comes with a slew of security vulnerability fixes, including a couple of high-risk flaws (CVE-2021-23978, CVE-2021-23979) that could be exploited for remote code execution.
The latest version of Firefox also offers new privacy protections in the form of a feature called Total Cookie Protection. It works by maintaining a separate “cookie jar” for each website a user visits. Any time a website, or third-party content embedded in a website, deposits a cookie in the browser, that cookie is confined to the cookie jar assigned to that website, such that it is not allowed to be shared with any other website.
Mozilla also released updates for its Thunderbird free email application that address four vulnerabilities, including a bug (CVE-2021-23978), which allows a remote attacker to execute arbitrary code on the target system using a malicious webpage. Other flaws could be used to gain access to sensitive data, or to bypass implemented security restrictions.
Cisco this week released patches for a number of vulnerabilities affecting multiple products, including three dangerous bugs impacting its ACI Multi-Site Orchestrator, Application Services Engine, and NX-OS software, namely CVE-2021-1388, CVE-2021-1361, and CVE-2021-1393. The first one is a privilege escalation bug in ACI Multi-Site Orchestrator that allows a remote attacker to obtain a token with administrator-level privileges using a specially crafted request. Other two bugs affect Cisco NX-OS and Cisco Application Services Engine respectively, and could be used for system takeover.
Rockwell Automation FactoryTalk Services Platform contains a vulnerability (CVE-2020-14516), which lets a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console. The issue is related to usage of password hash with insufficient computational effort. It impacts FactoryTalk Services Platform versions 6.10.00 and 6.11.00.
A severe vulnerability (CVE-2021-22667) has been found in Advantech BB-ESWGP506-2SFP-T industrial ethernet switches. The issue stems from presence of hard-coded credentials in application code. By taking advantage of this flaw, a remote hacker can gain unauthorized access to sensitive information and execute arbitrary code. BB-ESWGP506-2SFP-T appliances versions 1.01.09 and prior are known to be affected. Note, a patch for this bug has yet to be released.