Security News

Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance. The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities.

A critical stack-based Buffer Overflow vulnerability has been discovered in SonicWall VPNs. When exploited, it allows unauthenticated remote attackers to execute arbitrary code on the impacted devices. Tracked as CVE-2020-5135, the vulnerability impacts multiple versions of SonicOS ran by hundreds of thousands of active VPNs. Craig Young of Tripwire Vulnerability and Exposure Research Team and Nikita Abramov of Positive Technologies have been credited with discovering and reporting the vulnerability.

A significant number of SonicWall firewalls may be affected by a critical vulnerability that can be exploited for denial-of-service attacks and possibly arbitrary code execution. The vulnerability, identified as CVE-2020-5135, impacts various versions of SonicOS, the operating system powering SonicWall firewalls.

Microsoft on Tuesday issued fixes for 87 newly discovered security vulnerabilities as part of its October 2020 Patch Tuesday, including two critical remote code execution flaws in Windows TCP/IP stack and Microsoft Outlook. Another critical RCE vulnerability in Windows Hyper-V exists due to improper validation of input from an authenticated user on a guest operating system.

Two critical flaws in Magento - Adobe's e-commerce platform that is commonly targeted by attackers like the Magecart threat group - could enable arbitrary code execution on affected systems. Retail is set to boom in the coming months - between this week's Amazon Prime Day and November's Black Friday - which puts pressure on Adobe to rapidly patch up any holes in the popular Magento open-source platform, which powers many online shops.

The updates released by SAP for October 2020 include 15 Security Notes, including one that addresses a critical vulnerability. Featuring a CVSS score of 10, the critical flaw is an OS command injection vulnerability that affects CA Introscope Enterprise Manager version 10.7.0.304 or lower.

NET Core is crawling closer to its November launch with. NET Core, Microsoft is calling the upcoming release plain.

UPDATE. A critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources. "The most notable aspect of this vulnerability is that the VPN portal can be exploited without knowing a username or password," Young told Threatpost.

The highlight of this month's Microsoft Office security updates is without a doubt CVE-2020-16947, a remote code execution vulnerability that leads to remote code execution when previewing or opening maliciously crafted emails with a vulnerable Microsoft Outlook version. CVE-2020-16947 affects several Office products including Microsoft Outlook 2016 and Microsoft Office 2019, as well as Microsoft 365 Apps for Enterprise.

Microsoft has pushed out fixes for 87 security vulnerabilities in October - 11 of them critical - and one of those is potentially wormable. "Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today."