Here we are with this week’s Security Wrap-Up! My brain thought yesterday was Monday for almost the entire day, so my apologies for getting this one out a day late. But, we are here with some really intriguing security updates, including a deep-dive into PDF security. Let’s take a look!
HPE fixes critical zero-day in server management software
Hewlett Packard Enterprise (HPE) has patched a critical zero-day remote code execution (RCE) flaw in its HPE Systems Insight Manager (SIM) software for Windows that it originally disclosed in December. HPE SIM is a tool that enables remote support automation and management for a variety of HPE servers, including the ProLiant Gen9 and Gen10 along with some storage and networking products. Back on April 20th, HPE did issue an earlier SIM hotfix update kit that resolves the vulnerability. It’s an extremely high-risk flaw that can enable attackers with no privileges to remotely execute code within the context of HPE SIM’s hpsimsvc.exe process. The vulnerability is tracked as CVE-2020-7200 and is rated an astonishingly high 9.8 out of 10.
VMware patches critical severity bugs in the vCenter Server
VMware has released a patch for two bugs within the vCenter Server, CVE-2021-21985 (an RCE vulnerability with a 9.8 rating) and CVE-2021-21986 (an issue relating to the vCenter Server plug-in framework). In the threat notice, VMware stated the following about the RCE vulnerability - “The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server… A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.” While there are workarounds, VMware recommends patching vCenter Server as soon as possible. They have also implemented a patch to better enforce plug-in authentication. VMware recommends testing plug-ins to make sure they continue to work after the patch.
XSS vulnerability found in popular WYSIWYG website editor
A cross-site scripting (XSS) vulnerability has been found in a What-You-See-Is-What-You-Get (WYSIWYG) editor used by at least 30,000 websites. Trakced as CVE-2021-28114, the bug impacts Froala WYSIWYG HTML rich text editor version 3.2.6 and earlier. Wappalyzer estimates that Froala is in use by approximately 30,000 web domains. According to Bishop Fox, the WYSIWYG editor contains a flaw in its HTML sanitization parsing protocol, allowing attackers to bypass existing XSS protections. The vulnerability can be triggered by inserting a JavaScript payload in an HTML event handler within specific HTML and MathML tags, causing the parser to mutate the payload into JavaScript commands. Cross-site scripting attacks often allow attackers to act as a victim user when they interact with a vulnerable application and consequences can range from data leaks to privilege escalation, or even force an unauthorized fund transfer.
PDF feature ‘Certified’ vulnerable to attack
Certified PDF files are used to securely sign agreements between two parties while keeping the contents’ integrity protected, but a new report found the security protections on most certified PDF applications were inadequate and left organizations exposed to a number of attacks. Researchers from Ruhr University Bochum explained certified PDFs use two specific signatures to authenticate a document, an Approval signature and a Certification signature. Certification signatures are more flexible and made to handle complicated agreements and allow changes to the document within a set of parameters. Certified signatures are where the team found vulnerabilities they’ve named “Evil Annotation” (EAA) and “Sneaky Signature” (SSA). Both would allow an attacker to overlay malicious content on top of the certified information without showing any signs it was altered.
Any thoughts on the above articles? Want to share some of your own? Reply in the comments below!