This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. This month, the threat landscape is plagued with bugs, prompting patching updates from multiple players in the industry – such as VMware, Google and Cisco. Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. CTRL Group hope this will boost your overall understanding of security breaches happening on the expansive and scary internet.
VMware Warns of Ransomware Bugs in vCentre Server (CVE-2021-22005)
Malicious actors are scanning honeypots, looking for servers vulnerable to the critical arbitrary file upload flaw in vCenter servers. VMware has released a security update that includes patches for 19 CVEs that affect the company’s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers. One of them, CVE-2021-22005, is a critical arbitrary file upload vulnerability in the Analytics service that’s been assigned the maximum CVSSv3 base score of 9.8. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of the vCenter Server. Hence, attackers are even leveraging Phishing attacks to compromise a device so that they can reach vCenter.
The quickest way to resolve these serious issues is to patch vCenter Server. If that’s not possible, VMware has workarounds, but only for the critical vulnerability, CVE-2021-22005. The workaround is listed in the response matrix at the bottom of VMware’s VMware Security Advisory (VMSA), VMSA-2021-0020. The workaround involves editing a text file on the VCSA and restarting services. CTRL Group recommends immediately patch your VMware vCenter to prevent any open loopholes.
Cisco Bugs Allows for Code Execution on Wireless, SD-WAN
3 new critical vulnerabilities were discovered and patched in Cisco Systems IOS XE network operating system. These vulnerabilities could potentially be leveraged by attackers to execute arbitrary code with the level of administrative privileges. As well as a vulnerability to trigger a DoS attack on the vulnerable devices.
The top CVSS exploits patched on the 22nd of September patch release were:
CVE-2021-34770(CVSS score: 10.0) – Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution Vulnerability
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Catalyst 9800-CL Wireless Controllers for Cloud
- Embedded Wireless Controller on Catalyst Access Points
CVE-2021-34727(CVSS score: 9.8) – Cisco IOS XE SD-WAN Software Buffer Overflow Vulnerability
- 1000 Series Integrated Services Routers (ISRs)
- 4000 Series ISRs
- ASR 1000 Series Aggregation Services Router
- Cloud Services Router 1000V Series
Urgent Chrome Update Released to Patch Actively Exploited Zero-Day Vulnerability
Google has rolled out an emergency security patch to its Chrome web browser to address a security flaw that’s known to have an exploit in the wild. This 0 day is being tracked as CVE-2021-37973, which has been described as use after free in Portals API, a web page navigation system that enables a page to show another page as an inset and “perform a seamless transition to a new state, where the formerly-inset page becomes the top-level document.”
The update arrives a day after Apple moved to close an actively exploited security hole in older versions of iOS and macOS (CVE-2021-30869), which the TAG noted as being used in conjunction with a N-day remote code execution targeting WebKit.
Chrome users are advised to update to the latest version (94.0.4606.61) for Windows, Mac, and Linux by heading to Settings > Help > ‘About Google Chrome’ to mitigate the risk associated with the flaw.
With the latest fix, Google has addressed a total of 12 zero-day flaws in Chrome since the start of 2021:
- CVE-2021-21148– Heap buffer overflow in V8
- CVE-2021-21166– Object recycle issue in audio
- CVE-2021-21193– Use-after-free in Blink
- CVE-2021-21206– Use-after-free in Blink
- CVE-2021-21220– Insufficient validation of untrusted input in V8 for x86_64
- CVE-2021-21224– Type confusion in V8
- CVE-2021-30551– Type confusion in V8
- CVE-2021-30554– Use-after-free in WebGL
- CVE-2021-30563– Type confusion in V8
- CVE-2021-30632– Out of bounds write in V8
- CVE-2021-30633– Use after free in Indexed DB API