Welcome back to another edition of our Security Wrap-Up! We have plenty to discuss this week:
Patched VMware bug under active attack
The National Security Agency (NSA) has escalated its concerns regarding the now-patched VMware Workspace One Access and VMware Identity Manager bugs, warning that a growing number of adversaries are attempting to exploit the vulnerability to steal protected data and abuse shared authentication systems. VMware originally disclosed the vulnerability in late November, identifying it as a privilege-escalation flaw that impacts Workspace One Access and other platforms on both Windows and Linux. (If you want more info, it is being tracked as CVE-2020-4006.)
Amnesia:33 vulnerabilities impact millions of smart and industrial devices
Security researchers disclosed 33 security flaws (called Amnesia:33) in four open-source TCP/IP libraries currently used inside the firmware of products from more than 150 vendors. Researchers estimate that this could impact millions of consumer and industrial-grade devices including smartphones, gaming consoles, sensors, HVAC systems, printers, routers, switches, and more. If exploited, the 33 vulnerabilities would allow an attacker to perform a wide range of attacks such as remote code execution (RCE), denial of service (DoS) or DNS cache poisoning attacks.
High severity Chrome bugs patched - update your browser!
Google has updated its Chrome web browser, fixing eight bugs in total, four of them with a severity rating of “high”. Three are use-after-free flaws, in which the browser keeps using memory after it has been freed; that kind of memory corruption can open the door to a browser compromise and, from there, to the host computer. On Friday, CISA urged everyone to update to Chrome version 87.0.4280.88 to address the vulnerabilities present in previous versions.
GE puts default password in radiology devices
Oof. Dozens of radiology products from GE Healthcare contain a critical vulnerability that threatens the networks of hospitals and other health providers that use them. The devices, which range from CT scanners to MRI machines, rely on a default password to receive regular maintenance, and that password is available to anyone who knows where on the Internet to look. A lack of proper access restrictions also allows the devices to connect to malicious servers rather than the ones designated by GE Healthcare. Attackers can exploit these shortcomings by abusing the maintenance protocols to gain access to the devices. The flaw has a CVSS severity rating of 9.8 out of 10 because of its impact combined with the ease of exploiting it.
Any security news or updates you’ve seen this past week?