Security News

Cisco has rolled out fixes for multiple critical vulnerabilities in the web-based management interface of Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. The flaws - tracked from CVE-2021-1289 through CVE-2021-1295 - impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers running a firmware release earlier than Release 1.0.01.02.

Bug hunter Tavis Ormandy of Google's Project Zero just discovered a dangerous bug in the GNU Privacy Guard team's libgcrypt encryption software. The libgcrypt library is an open-source toolkit that anyone can use, but it's probably best known as the encryption library used by the GNU Privacy Guard team's own widely deployed GnuPG software.

The identified bug is a heap buffer overflow and it's considered rather serious because it's easily exploitable. "Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs," explains Werner Koch, principal developer of GnuPGP in the security advisory.

Cisco SD-WAN Buffer Overflow Vulnerabilities: Systems running the Cisco SD-WAN software - such as SD-WAN vEdge Routers - can be exploited "By sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed." A successful attack can result in the execution of arbitrary code on the underlying operating system with root privileges, which means you basically hand over the gear to a stranger. Cisco SD-WAN Command Injection Vulnerabilities: These can be exploited by authenticated users to gain root-level privileges on a system running the vulnerable software.

Security updates released this week by the developers of the Drupal content management system patch a vulnerability identified in a third-party library. Core patches were made available for Drupal 9.1, 9.0, 8.9, and 7, to resolve a security flaw affecting PEAR Archive Tar, and which also impacts Drupal.

Microsoft today warned admins that updates addressing the Windows Zerologon vulnerability will transition into the enforcement phase starting next month. "DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device."

Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it's not entirely clear how this is being exploited.

Microsoft addressed 10 critical bugs, one under active exploit and another publicly known, in its January Patch Tuesday roundup of fixes. The most serious bug is a flaw in Microsoft's Defender anti-malware software that allows remote attackers to infect targeted systems with executable code.

Microsoft has plugged 83 CVEs, including a Microsoft Defender zero-day. One of the latter - a zero-day RCE affecting Microsoft Defender antivirus - is being exploited in the wild, but Microsoft didn't reveal more about these attacks.

Microsoft on Tuesday released the first batch of security patches for 2021 with fixes for 83 documented security vulnerabilities, including a "Critical" bug in the Defender security product that's being actively exploited. Security experts are urging security response personnel to pay special attention to CVE-2021-1647, which describes a remote code execution flaw in Microsoft Defender, the company's flagship anti-malware product.