Security News
Vulnerabilities discovered by researchers in VPN products primarily used for remote access to operational technology networks can allow hackers to compromise industrial control systems and possibly cause physical damage. Researchers from industrial cybersecurity company Claroty have identified potentially serious vulnerabilities in Secomea GateManager, Moxa EDR-G902 and EDR-G903, and HMS Networks' eWon.
Critical vulnerabilities in several industrial VPN implementations for remotely accessing operational technology networks could allow attackers to overwrite data, execute malicious code or commands, cause a DoS condition, and more. "Exploiting these vulnerabilities can give an attacker direct access to the field devices and cause some physical damage," Claroty researchers noted.
Cisco on Wednesday released security advisories to inform customers of several critical vulnerabilities that can be exploited remotely to hack small business routers and firewalls that are no longer being sold. One of the critical flaws, which is tracked as CVE-2020-3330 and has a CVSS score of 9.8, affects Cisco Small Business RV110W Wireless-N VPN firewalls and it allows a remote and unauthenticated attacker to take full control of a device by connecting to it using a default and static password.
Researchers have discovered several potentially serious vulnerabilities affecting monitoring, cooling and power distribution products made by Germany-based Rittal. According to Austria-based cybersecurity company SEC Consult, Rittal's CMC III industrial and IT monitoring system, LCP CW cooling system, and the entire portfolio of power distribution units are impacted by six types of vulnerabilities.
Adobe has patched over a dozen vulnerabilities in its Creative Cloud, Media Encoder, Genuine Service, ColdFusion and Download Manager products. In the Windows version of Download Manager, Adobe fixed a critical command injection issue that could lead to arbitrary code execution, the company said in an advisory.
A report released Tuesday by security provider Tala Security maintains that most major websites are ill-equipped to combat the flaws in JavaScript, thus putting their customer and user data at risk. For its "2020 Global Data at Risk State of the Web Report," Tala analyzed the security defenses of the top 1,000 websites as ranked by Alexa.
Facebook announced on Friday that it's offering significant rewards through its bug bounty program for vulnerabilities found in Hermes and Spark AR. Hermes is a JavaScript engine that Facebook released as open source one year ago. Hermes is used by the social media giant's React Native apps for Android and other software, including Spark AR, an augmented reality platform that is used to create effects on Facebook, Instagram and even on Facebook's Portal smart displays.
Juniper Networks this week informed customers that it has patched many vulnerabilities in its products, mostly ones that can be exploited for denial-of-service attacks. Over a dozen advisories have been published by the company to describe several vulnerabilities that are specific to Juniper products, as well as tens of flaws impacting third-party components.
Hackers are apparently scanning the web for systems affected by the recently disclosed Citrix vulnerabilities, which the vendor suggested are less likely to be exploited. Citrix informed customers earlier this week that it has patched a total of 11 vulnerabilities affecting its ADC, Gateway, and SD-WAN WANOP networking products.
A dozen vulnerabilities have been found in OpenClinic GA, a popular open source hospital management system, including flaws that can be exploited to access sensitive information or install malware on the hosting server. OpenClinic GA is described as an "Integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data." The product is used worldwide and it has been downloaded nearly 120,000 times from SourceForge.