Security News

OpenSMTPD has been found vulnerable to yet another critical vulnerability that could allow remote attackers to take complete control over email servers running BSD or Linux operating systems. OpenSMTPD, also known as OpenBSD SMTP Server, is an open-source implementation of the Simple Mail Transfer Protocol to deliver messages on a local machine or to relay them to other SMTP servers.

The patched version of Mozilla's browser, launched on Tuesday, is Firefox 73 and Firefox ESR 68.5. One of the vulnerabilities, tracked as CVE-2020-6800, was fixed in a previous release of Firefox 72 and the current Firefox ESR 68.5 update on Tuesday.

A critical vulnerability in the Bluetooth implementation on Android devices could allow attackers to launch remote code execution attacks - without any user interaction. Researchers on Thursday revealed further details behind the critical Android flaw, which was patched earlier this week as part of Google's February Android Security Bulletin.

About one in five of the 80,000 companies affected by a critical bug in the Citrix Application Delivery Controller and Citrix Gateway are still at risk from a trivial attack on their internal operations. "The critical information about applications accessible by Citrix can be leaked," he explained.

Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. "Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message."

Qualys researchers have discovered a critical vulnerability in OpenBSD's OpenSMTPD mail server, which can allow attackers to execute arbitrary shell commands on the underlying system as root. OpenSMTPD is an open source implementation of the Simple Mail Transfer Protocol.

Citrix has quickened its rollout of patches for a critical vulnerability in the Citrix Application Delivery Controller and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan 24.

As attackers continue to hit vulnerable Citrix ADC and Gateway installations, Citrix has released permanent fixes for some versions and has promised to provide them for other versions and for two older versions of SD-WAN WANOP by January 24. CVE-2019-19781, a critical vulnerability affecting Citrix ADC and Gateway that may allow unauthenticated attackers to achieve remote code execution and obtain direct access to an organization's local network from the internet, was responsibly disclosed last December.

Citrix has rushed out official fixes for the well-publicised vuln in some of its server products after miscreants were seen deploying their own custom patches that left a backdoor open for later exploitation. As previously reported, vulnerabilities in Citrix Application Delivery Encoder and Citrix Gateway could allow remote attackers to carry out unauthenticated code execution.

Why the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [1, 2] for a recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets. Just before the last Christmas and year-end holidays, Citrix announced that its Citrix Application Delivery Controller and Citrix Gateway are vulnerable to a critical path traversal flaw that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers.