Happy first day of December, everyone! I think Austin finally got the memo and it got down to 25F last night. I’m currently writing this wrapped up in a sweater and coming to terms with the fact that I will probably need to turn the heater on soon.
But, enough about me, let’s turn to this week’s security news -
Vulnerabilities in OpenClinic could expose personal health information
Four vulnerabilities were recently discovered in the OpenClinic application, one of which would allow a remote, unauthenticated attacker to read patients’ personal health information (PHI) from the application. OpenClinic is an open-source health records management software. Its latest version is 0.8.2, released in 2016, so the flaws remain unpatched. The four bugs involve missing authentication, insecure file upload, cross-site scripting (XSS), and path traversal. The highest-severity bug (CVE-2020-28937) stems from a missing authentication check on requests for medical test information. Another bug (CVE-2020-28939) allows the Administrative and Administrator user roles to upload malicious files, such as PHP web shells, which can lead to arbitrary code execution on the application server. According to researchers, “There is no version of OpenClinic available that does not suffer from the identified vulnerabilities, and the recommendation is to switch to a different medical records management software.”
Windows 7 and Windows Server 2008 bug discovered and micropatched
This zero-day vulnerability resides in two misconfigured registry keys for the RPC Endpoint Mapper and DNSCache services that are part of all Windows installations. French security researcher Clément Labro, who discovered the zero-day, says that an attacker who already has a foothold on a vulnerable system can modify these registry keys to activate a sub-key usually employed by the Windows Performance Monitoring mechanism. “Performance” subkeys allow developers to load their own DLL files to track performance using custom tools. But, while recent versions of Windows restrict the privileges such DLLs run with, on these systems it was still possible to load custom DLLs that ran with SYSTEM-level privileges. A micropatch was released through the 0patch platform and is free to everyone until Microsoft releases an official fix for the zero-day that corrects the bad registry permissions.
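A quick way for a defender to audit for the condition described above is to check who is allowed to create subkeys under the two service keys, and whether a “Performance” subkey already exists. The script below is an added example, not part of the original post or of the 0patch micropatch; it assumes the service key names RpcEptMapper and Dnscache under HKLM\SYSTEM\CurrentControlSet\Services and only reads the registry.

```powershell
# Added audit helper (not from the original post). Assumes the two services
# named in the post live at the key names 'RpcEptMapper' and 'Dnscache'.
$services = @('RpcEptMapper', 'Dnscache')
# Principals expected to have write rights on service keys; anyone else with
# CreateSubKey/SetValue/WriteKey is a finding worth reviewing.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$writeRights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey

foreach ($svc in $services) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }

    # 1. A Performance subkey is not present on a default install of these two
    #    services; if one exists, report the DLL its 'Library' value points to.
    $perf = Join-Path $path 'Performance'
    if (Test-Path $perf) {
        $lib = (Get-ItemProperty -Path $perf -ErrorAction SilentlyContinue).Library
        Write-Output "[!] $perf exists; Library = $lib"
    }

    # 2. Report any non-trusted principal that can create subkeys or write values
    #    on the service key itself (the permission problem the post describes).
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($trusted -contains $id) { continue }
        if (($ace.RegistryRights -band $writeRights) -ne 0) {
            Write-Output "[!] $path : '$id' has $($ace.RegistryRights)"
        }
    }
}
```

Run it from an elevated PowerShell prompt on the host being checked; a clean system prints nothing.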
VMware patches security flaws in SD-WAN Orchestrator
VMware has fixed vulnerabilities within its VeloCloud SD-WAN Orchestrator that, chained together, can lead to unauthenticated remote code execution (RCE). Researchers from Realmode Labs combined authentication bypass, SQL injection, and directory traversal vulnerabilities to get arbitrary JavaScript executed in the Orchestrator’s Node.js process. VMware issued a security advisory on November 18th that addressed six CVEs stemming from Realmode Labs’ research and advised customers to update to versions 4.0.1, 3.4.4, or 3.3.2.
How to update your remote access policy - and why you should
With many employees working from home and the network access process becoming less clear-cut, it’s important to reevaluate your current security practices and adapt them to this new workflow. The way to tell whether your access policy is geared to a remote-reliant workforce is to audit it against your organization’s security objectives. It’s also important to revise policies that were designed for on-premises work. Take a look at the guide linked above to see what you can do to improve your remote access policies!
What other security news did you see this week?