This week Microsoft issued emergency security updates for its Exchange Server enterprise email product to fix a total of four zero-day vulnerabilities that have been actively exploited in real-world attacks.
The vulnerabilities in question are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. All of them are described as input validation errors and allow remote code execution using specially crafted data sent to the Exchange server.
The affected Exchange Server versions include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019. Microsoft Exchange Online is not impacted.
Microsoft believes that the observed attacks are the work of a China-linked state-sponsored hacker group known as Hafnium focused on targeting entities in the United States with the goal of stealing information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
Google is yet another vendor that addressed a zero-day bug this week. The company released Chrome version 89.0.4389.72 for Windows, Mac, and Linux with a number of improvements and fixes for multiple vulnerabilities, including a zero-day flaw that has been observed being exploited in the wild.
The zero-day flaw, tracked as CVE-2021-21166, is a remote code execution bug that exists due to improper control of object lifetime in the audio component of Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
In addition to CVE-2021-21166, Chrome 89.0.4389.72 contains fixes for a number of high-risk vulnerabilities (CVE-2021-21174, CVE-2021-21175, CVE-2021-21176, CVE-2021-21178, CVE-2021-21159, CVE-2021-21160, CVE-2021-21161, CVE-2021-21162, CVE-2021-21165, CVE-2020-27844) that could allow a remote attacker to execute arbitrary code on the system or gain access to sensitive information.
Google has also patched about three dozen vulnerabilities in its Android operating system, including numerous flaws (CVE-2021-0396, CVE-2021-0393, CVE-2021-0397, CVE-2017-14491, CVE-2020-11299, CVE-2020-11226, CVE-2020-11222, CVE-2020-11221, CVE-2020-11220, CVE-2020-11199, CVE-2020-11198) that allowed remote code execution.
A warning was released this week concerning a dangerous vulnerability (CVE-2021-22681) affecting Rockwell Automation Logix controllers. The vulnerability exists because the affected product uses a key to verify that Logix controllers are communicating with the affected Rockwell Automation products. A remote attacker can bypass this verification mechanism and authenticate with Logix controllers. CVE-2021-22681 impacts the following series of Rockwell Automation’s Logix controllers:
CompactLogix 1768
CompactLogix 1769
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix 5560
DriveLogix 5730
DriveLogix 1794-L34
Compact GuardLogix 5370
Compact GuardLogix 5380
GuardLogix 5570
GuardLogix 5580
SoftLogix 5800
While there are no known public exploits that specifically target this authentication bypass flaw, it should be noted that the vendor has yet to release patches to address the vulnerability.
FATEK FvDesigner, a software tool used to design and develop FATEK FV HMI series product projects, contains multiple vulnerabilities, four of which (CVE-2021-22662, CVE-2021-22670, CVE-2021-22666, CVE-2021-22683) are rated as high-risk flaws because they could be used to remotely take over the vulnerable system. The issues affect FvDesigner v1.5.76. As in the above case, these bugs still remain unpatched.
A number of high-risk vulnerabilities have also been found in Epignosis eFront (not patched), Dell EMC OpenManage Server Administrator, ProSoft Technology ICX35, GLPI, VMware View Planner, and VMware Tanzu Application Service for VMs and Isolation Segment.