Weekly threat roundup: SolarWinds, HPE, and PostgreSQL – IT PRO

Patch management is far easier said than done, and security teams are often forced to prioritise among fixes for several business-critical systems, all released at once. It's become typical, for example, to expect dozens of patches on Microsoft's Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including a summary of the exploit mechanism and whether the vulnerability is being exploited in the wild, to give teams a sense of which bugs and flaws pose the most dangerous immediate security risks.

This week we learned of what is being deemed one of the most serious security incidents of the year: a backdoor planted in the SolarWinds Orion Platform paved the way for state-backed hackers to infiltrate the networks of thousands of organisations.

This was a targeted and precise supply chain attack in which suspected Russian attackers inserted a backdoor into builds of the Orion network-monitoring platform released between March and June 2020, so that customers installed the malware, known as Solorigate (also tracked as SUNBURST), through SolarWinds' own signed updates. SolarWinds has said that as many as 18,000 customers may have installed the tainted versions, including critical US government agencies and major companies such as FireEye.

SolarWinds has released a hotfix for the Orion Platform and urges customers to apply it immediately, although for many it comes too late, as hosts running the tainted versions have already been compromised; the hotfix removes the backdoor but not any follow-on access the attackers established through it. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering US government departments to immediately disconnect or power down all devices running the affected SolarWinds software. Closer to home, the UK's National Cyber Security Centre (NCSC) has also issued comprehensive guidance for businesses.

A critical vulnerability in HPE Systems Insight Manager (SIM) could allow unauthenticated remote attackers to execute arbitrary code on targeted systems.

Tagged CVE-2020-7200, the flaw stems from the deserialisation of untrusted, unvalidated user-supplied data and can be exploited without authentication or user interaction, which is why it has been rated 9.8 on the CVSS severity scale. Although HPE has published details of the flaw, it's not known whether it has been exploited in the wild.

The vulnerability affects SIM version 7.6. No patch is yet available, but HPE has published mitigation steps for those running the software on Windows as part of a security advisory; the workaround disables SIM's federated search feature rather than fixing the underlying code. A complete fix will be delivered in a future release of the SIM software.

The Go open source programming language's standard XML parser contains three vulnerabilities that could allow attackers to completely bypass the authentication mechanisms used by many popular web apps.

Discovered by cloud collaboration provider Mattermost, the three flaws centre on the way Go processes XML documents over multiple parsing rounds: a document that is parsed, re-serialised and parsed again is not guaranteed to mean the same thing each time, so an attacker can craft markup that a signature check reads one way and the application reads another. Go itself is a programming language designed at Google, and is mostly used for backend systems such as servers and network-related apps.

There are several implications of these flaws, the most serious being that attackers may be able to bypass Security Assertion Markup Language (SAML) single sign-on (SSO), the web-based authentication standard used by many web apps, wherever a SAML library re-serialises the message between verifying its signature and reading its contents.

Passing XML through Go's decoder and encoder doesn't preserve its semantics, and in many cases can be tampered with by attackers injecting malicious markup into a correctly signed SAML message, according to Mattermost's product security engineer, Juho Nurminen. SAML messages can therefore be altered in some cases to suggest you're somebody that you're not, resulting in arbitrary privilege escalation or even bypassing authentication hurdles entirely.
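The round-trip check that Mattermost's disclosure recommends, written out here as an added example (it is not code from the article, from Go, or from Mattermost's own validator library): the document is tokenised with encoding/xml, the tokens are re-encoded, the result is parsed again, and the document is refused if the resolved element names, attributes or text differ between the two passes. A SAML consumer would run this on the raw message before trusting any value parsed from it, and still verify the signature on the original bytes. It does not enumerate the three specific bugs; it rejects any document that fails to survive the cycle, whichever instability caused it. The XML inputs are constructed: the element names mimic a SAML response, but there are no namespaces or signatures.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Constructed sample inputs (not real SAML traffic).
const GoodDoc = `<Response ID="_abc" Version="2.0"><Assertion><Subject><NameID Format="email">alice@example.test</NameID></Subject></Assertion></Response>`

// MixedDoc exercises whitespace, a comment, an entity and a CDATA section.
const MixedDoc = "<Response>\n  <!-- constructed -->\n  <Subject>a &amp; b<![CDATA[<c>]]></Subject>\n</Response>"

// BadDoc is mis-nested on purpose; the decoder must reject it outright.
const BadDoc = `<Response><Assertion></Response>`

// tokenize decodes doc into an owned token slice, merging adjacent text runs:
// a CDATA section next to plain text yields two CharData tokens on the first
// pass but a single one after re-encoding, which is not a semantic change.
func tokenize(doc []byte) ([]xml.Token, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var toks []xml.Token
	for {
		t, err := dec.Token()
		if err == io.EOF {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		t = xml.CopyToken(t) // decoder reuses its buffers; keep our own copy
		if cd, ok := t.(xml.CharData); ok && len(toks) > 0 {
			if prev, ok := toks[len(toks)-1].(xml.CharData); ok {
				toks[len(toks)-1] = xml.CharData(append(prev, cd...))
				continue
			}
		}
		toks = append(toks, t)
	}
}

// summarize renders the resolved meaning of a token as a canonical string:
// namespace URI plus local name, sorted attributes, text. Namespace
// declaration attributes are skipped because the encoder re-emits those in
// its own form; the resolved names already carry that information.
func summarize(t xml.Token) string {
	switch t := t.(type) {
	case xml.StartElement:
		attrs := make([]string, 0, len(t.Attr))
		for _, a := range t.Attr {
			if a.Name.Space == "xmlns" || (a.Name.Space == "" && a.Name.Local == "xmlns") {
				continue
			}
			attrs = append(attrs, fmt.Sprintf("{%s}%s=%q", a.Name.Space, a.Name.Local, a.Value))
		}
		sort.Strings(attrs)
		return fmt.Sprintf("start {%s}%s [%s]", t.Name.Space, t.Name.Local, strings.Join(attrs, " "))
	case xml.EndElement:
		return fmt.Sprintf("end {%s}%s", t.Name.Space, t.Name.Local)
	case xml.CharData:
		return "text " + string(t)
	case xml.Comment:
		return "comment " + string(t)
	case xml.ProcInst:
		return "pi " + t.Target + " " + string(t.Inst)
	case xml.Directive:
		return "directive " + string(t)
	}
	return fmt.Sprintf("unknown %T", t)
}

// RoundTripCheck returns a non-nil error if doc does not survive a
// decode -> encode -> decode cycle through encoding/xml with the same
// resolved token stream. Callers must reject the document in that case.
func RoundTripCheck(doc []byte) error {
	orig, err := tokenize(doc)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, t := range orig {
		if err := enc.EncodeToken(t); err != nil {
			return fmt.Errorf("re-encode: %w", err)
		}
	}
	if err := enc.Flush(); err != nil {
		return fmt.Errorf("re-encode: %w", err)
	}
	again, err := tokenize(buf.Bytes())
	if err != nil {
		return fmt.Errorf("re-parse: %w", err)
	}
	if len(orig) != len(again) {
		return fmt.Errorf("round trip changed token count: %d -> %d", len(orig), len(again))
	}
	for i := range orig {
		if a, b := summarize(orig[i]), summarize(again[i]); a != b {
			return fmt.Errorf("round trip changed token %d: %s -> %s", i, a, b)
		}
	}
	return nil
}

func main() {
	for name, doc := range map[string]string{"good": GoodDoc, "mixed": MixedDoc, "bad": BadDoc} {
		fmt.Printf("%-5s -> %v\n", name, RoundTripCheck([]byte(doc)))
	}
}
```

The check is deliberately conservative: it compares the meaning the decoder assigns (namespace URI, local name, attribute values, text) rather than the bytes, so harmless re-serialisation differences such as re-declared namespaces or re-escaped entities pass, while any shift in what an element or attribute resolves to fails closed. Merging the comparison into the SAML flow, rather than only re-serialising after the signature check, is the point: if the document cannot be shown stable, the signature says nothing about what the application will read.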

Cyber criminals have deployed a botnet that targets PostgreSQL databases to mine cryptocurrency, according to research by Palo Alto Networks.

The PGMiner botnet brute-forces the credentials of PostgreSQL databases exposed to the internet and then abuses a disputed remote code execution vulnerability to mine Monero. PostgreSQL is considered one of the world's most popular and reliable open source databases, backed by more than 20 years of community development.

The built-in feature under exploitation is COPY FROM PROGRAM, introduced in PostgreSQL 9.3 in 2013, which lets a sufficiently privileged database user run a shell command on the database server and load its output into a table. The feature has been tied to CVE-2019-9193, although members of the database community have argued that it was incorrectly labelled as a security vulnerability: it is only available to superusers (and, since PostgreSQL 11, to members of the pg_execute_server_program role), so an attacker who can use it already holds the highest database privilege. The practical lesson is that the account the botnet brute-forces, the default postgres superuser, should never be reachable from the internet with a guessable password, and that no application role should be granted superuser or pg_execute_server_program.
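A detection sketch for the two stages described above, added here as an example and not taken from Palo Alto Networks' report: it scans PostgreSQL server log lines for a burst of failed password logins against one user followed by a COPY ... FROM PROGRAM statement, and ignores ordinary COPY FROM a file. The log lines are constructed; the "time [pid] user@db" prefix is an assumed log_line_prefix, the message texts after the severity are the ones PostgreSQL itself emits, statement logging (log_statement = 'all' or equivalent) is assumed to be enabled, and the payload 'id' stands in for whatever a real dropper would run.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// SampleLog is constructed for this example (see the lead-in for the assumed
// prefix format). The final two lines are legitimate activity that must not
// be flagged: a file-based COPY and a single typo'd password for "app".
const SampleLog = `2020-12-11 10:00:01 UTC [4120] postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-11 10:00:02 UTC [4121] postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-11 10:00:02 UTC [4122] postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-11 10:00:03 UTC [4123] postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-11 10:00:03 UTC [4124] postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-11 10:00:09 UTC [4131] postgres@postgres LOG:  statement: CREATE TABLE IF NOT EXISTS cmd_out(line text)
2020-12-11 10:00:09 UTC [4131] postgres@postgres LOG:  statement: COPY cmd_out FROM PROGRAM 'id'
2020-12-11 10:05:00 UTC [4200] app@inventory LOG:  statement: COPY stock FROM '/var/lib/postgresql/stock.csv'
2020-12-11 10:05:01 UTC [4201] app@inventory FATAL:  password authentication failed for user "app"`

var (
	// Server-side message for a wrong password (md5 or scram auth).
	authFail = regexp.MustCompile(`FATAL:\s+password authentication failed for user "([^"]+)"`)
	// COPY <table> FROM PROGRAM ...; a plain COPY ... FROM '<file>' does not match.
	copyProg = regexp.MustCompile(`(?i)\bCOPY\s+\S+\s+FROM\s+PROGRAM\b`)
)

// Finding is one alert produced by the scan.
type Finding struct {
	Kind   string // "brute_force" or "copy_from_program"
	Detail string
}

// ScanPostgresLog returns brute-force findings (users with at least threshold
// failed password logins, sorted by user name) followed by one finding per
// COPY ... FROM PROGRAM statement, in log order.
func ScanPostgresLog(log string, threshold int) []Finding {
	failures := map[string]int{}
	var programs []Finding
	for _, line := range strings.Split(log, "\n") {
		if m := authFail.FindStringSubmatch(line); m != nil {
			failures[m[1]]++
			continue
		}
		if copyProg.MatchString(line) {
			programs = append(programs, Finding{"copy_from_program", strings.TrimSpace(line)})
		}
	}
	users := make([]string, 0, len(failures))
	for u, n := range failures {
		if n >= threshold {
			users = append(users, u)
		}
	}
	sort.Strings(users)
	findings := make([]Finding, 0, len(users)+len(programs))
	for _, u := range users {
		findings = append(findings, Finding{"brute_force", fmt.Sprintf("%d failed logins for %q", failures[u], u)})
	}
	return append(findings, programs...)
}

func main() {
	for _, f := range ScanPostgresLog(SampleLog, 3) {
		fmt.Printf("%-18s %s\n", f.Kind, f.Detail)
	}
}
```

On a real server the failure count should be keyed by client address as well as user (add %h to log_line_prefix), and a COPY ... FROM PROGRAM from any role other than an expected maintenance account is worth alerting on by itself, since the feature is only reachable with superuser or pg_execute_server_program rights. The same two signals can be fed to whatever pipeline already consumes the database log; the example only shows the matching logic.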

Nevertheless, the researchers have publicly disclosed their findings on PGMiner and describe it as the first cryptocurrency mining botnet delivered through PostgreSQL, noting that attackers weaponise not only confirmed flaws but disputed ones too.
