Security Wrap-Up (June 15th, 2021)

Happy Tuesday, everyone! I hope your Monday wasn’t too rough and your Tuesday is equally non-demanding. I’m back with more security news from the past week. Let’s get into it!

Critical remote code execution flaw in thousands of VMware vCenter servers remains unpatched
If you remember a couple of weeks ago, I posted about some vulnerabilities that VMware patched - two bugs within the vCenter Server, CVE-2021-21985 (an RCE vulnerability with a 9.8 rating) and CVE-2021-21986 (an issue relating to the vCenter Server plug-in framework). VMWare said in a security advisory that CVE-2021-21985 can be exploited so threat actors can access “the underlying operating system that hosts vCenter Server” with “unrestricted privileges.” Based on an analysis done by Trustwave SpiderLabs, they revealed 5,271 instances of VMWare vCenter servers that are available online, the majority of which are running versions 6.7, 6.5, and 7.0, with port 443 the most commonly employed. They found that a total of 4019 instances – or 80.88% – remain unpatched. So if you’re using this version of VMware vCenter, it’s incredibly important to make sure your patches are up-to-date! A staggering number of servers remain unpatched, leaving networks open to exploit.

Apple deploying patches for Safari bugs under active attack
Apple has patched two bugs impacting their Safari browser WebKit engine that are currently under active exploit. Apple issued two out-of-band security fixes for its Safari web browser, fixing zero-day vulnerabilities that “may have been actively exploited,” according to a Monday security bulletin by the company. The bugs affect sixth-generation Apple iPhones, iPads and iPod touch model hardware, released between 2013 and 2018. Both bugs are tied to Apple’s Safari browser and the underlying iOS code, called WebKit, which is responsible for rendering web pages. The patch for CVE-2021-30761 addresses a memory corruption issue within iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) devices. The second vulnerability, CVE-20121-30762, allows an attacker to execute code on targeted devices. The iOS patch, distributed as a iOS 12.5.4 update, is for the same model hardware as above: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

Intel’s latest patch set plugs some serious holes in CPU, Bluetooth, and server
Intel has pushed out a number of security advisories for June, bringing its total discovered “potential vulnerabilities” for the year to date to 132. Included in this month’s patch set are four privilege escalation vulnerabilities in its firmware for its CPU products, a local privilege escalation vulnerability in Intel Virtualization Technology for Directed I/O (VT-d), a network-exploitable privilege escalation vulnerability in the Intel Security Library, and a whole lot more. Plus, system administrators with Intel Server Board M10JNP2SB systems in use, following their release in late 2019, are advised to patch a series of high-severity vulnerabilities in the system’s baseboard management controller (BMC) which allow for privilege escalation and denial-of-service attacks. You can find a full list of Intel’s most recent security advisories here.

Microsoft Teams bug could have led to BEC fraud
In a now-patched vulnerability, attackers had the opportunity to get read/write privileges for a victim user’s email, Teams chats, OneDrive, Sharepoint and loads of other services. Exploitation would require a lot of moving parts. Attacks could be carried out through a malicious Microsoft Teams tab and Power Automate flows. Tenable’s Evan Grant found the bug in Microsoft’s Power Apps and details all of his findings in this post.

Any security news you want to share? Leave it down below!