Security News
Cybersecurity firm Trustwave on Wednesday disclosed the details of several vulnerabilities found by its researchers in SAP Adaptive Server Enterprise. SAP ASE is a relational database management system that is used by many major organizations, particularly in the financial sector.
Several vulnerabilities affecting the Exim mail transfer agent have been exploited by Russia-linked hackers, and administrators have been urged to patch immediately, but hundreds of thousands of servers remain unpatched. The U.S. National Security Agency issued an alert last week to urge users to update their Exim servers to version 4.93 or newer, as earlier versions are impacted by vulnerabilities that have been exploited by a hacker group with ties to the Russian military.
Google has started rolling out the June 2020 security patches for the Android operating system, which address a total of 43 vulnerabilities, including several rated critical. Among them are two critical remote code execution issues in the System component, both affecting Android releases 8.0 through 10.
Earlier this month, when F-Secure publicly revealed the existence of two vulnerabilities affecting SaltStack Salt and attackers started actively exploiting them, Cisco was among the victims. The revelation was made on Thursday, when Cisco published an advisory saying that, on May 7, 2020, it had discovered the compromise of six of its salt-master servers, which are part of the Cisco VIRL-PE service infrastructure.
Cisco says the salt-master servers used with Cisco Virtual Internet Routing Lab Personal Edition were upgraded on May 7, and that, on the same day, they were found to have been compromised through the aforementioned vulnerabilities. "Cisco identified that the Cisco-maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised. The servers were remediated on May 7, 2020," the company announced in an advisory.
Apple this week released security updates to address over fifty vulnerabilities impacting macOS and Safari. Eighteen of these vulnerabilities are specific to macOS Catalina, but many also impact macOS High Sierra and macOS Mojave, and patches were released for those releases too.
A researcher from Kaspersky has identified several vulnerabilities in Emerson OpenEnterprise, a supervisory control and data acquisition solution designed for the oil and gas industry. Roman Lozko, a researcher at Kaspersky's ICS CERT unit, discovered four vulnerabilities in Emerson OpenEnterprise.
The latest Drupal updates patch cross-site scripting and open redirect vulnerabilities, but they have only been assigned "Moderately critical" severity ratings. Drupal 7.70 fixes an open redirect vulnerability related to "Insufficient validation of the destination query parameter in the drupal_goto() function." An attacker can exploit the flaw to redirect users to an arbitrary URL by getting them to click on a specially crafted link, Drupal said in its advisory.
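The Drupal flaw above is a classic open redirect: a `destination` parameter taken from the query string is passed to a redirect without checking that it stays on the same site. The following is an added example written for this page, not Drupal's own code or its fix; it shows the kind of validation a redirect target needs, assuming an application that only ever redirects to root-relative paths (a single leading slash). The function and parameter names are the example's own.

```python
from urllib.parse import parse_qs, urlsplit


def is_safe_destination(dest: str) -> bool:
    """Accept only root-relative, same-site paths such as '/node/1?x=y#top'.

    Everything that a browser could interpret as leaving the site is rejected:
    absolute URLs, protocol-relative '//host' forms, backslash variants, and
    control characters that some parsers silently drop.
    """
    if not dest:
        return False
    # Tabs, newlines and other control characters can hide a scheme or host
    # from a naive check ('java\tscript:'), so reject them before parsing.
    if any(ord(ch) < 0x21 for ch in dest):
        return False
    # Browsers treat '/\\host' like '//host', so backslashes are not allowed at all.
    if "\\" in dest:
        return False
    # Must start with exactly one slash: '//host' and '///host' are network paths.
    if not dest.startswith("/") or dest.startswith("//"):
        return False
    # Belt and braces: the parsed form must have neither a scheme nor a host.
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_redirect_target(dest: str, default: str = "/") -> str:
    """Return dest if it is a safe local path, otherwise the fallback."""
    return dest if is_safe_destination(dest) else default


def resolve_destination(query_string: str, default: str = "/") -> str:
    """Read a 'destination' query parameter the way a login handler would and
    return the location that it is safe to redirect to."""
    params = parse_qs(query_string)
    dest = params.get("destination", [""])[0]  # parse_qs percent-decodes values
    return safe_redirect_target(dest, default)


if __name__ == "__main__":
    # Constructed sample query strings: a legitimate one and several hostile ones.
    for qs in (
        "destination=%2Fnode%2F1",
        "destination=//evil.example/",
        "destination=%2F%5Cevil.example",
        "destination=http://evil.example/",
    ):
        print(f"{qs!r:45} -> {resolve_destination(qs)}")
```

The check is deliberately an allow-list (what a local path must look like) rather than a block-list of known tricks, which is what makes it robust to encodings the page does not mention; the fallback to `/` means a tampered link degrades to a harmless landing page instead of an error.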
Three vulnerabilities identified in QNAP Photo Station last year could be chained to achieve pre-authentication remote code execution on affected QNAP network-attached storage devices. QNAP Photo Station is a photo album application that is present on the majority of QNAP NAS systems, allowing users to easily organize photos and videos on those devices, as well as to share them with others over the Internet.
Adobe informed customers on Tuesday that it has patched memory corruption vulnerabilities, including one that allows arbitrary code execution, in several of its products. All of the security flaws were reported to Adobe by researcher Mat Powell of Trend Micro's Zero Day Initiative.