Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of Sept. 20-26. Learn more by clicking on the links below.
WEEK OF SEPTEMBER 20 - SEPTEMBER 26, 2021
IBM – September 23, 2021
Cisco – September 23, 2021
Cisco released security updates for multiple Cisco products with vulnerabilities that could lead to an attacker taking control of an affected system.
CISA, FBI and NSA – September 22, 2021
CISA, the FBI and the NSA released a joint cybersecurity advisory (CSA) reporting an increase in Conti ransomware attacks. The advisory recommends mitigations such as updating operating systems and software, using multi-factor authentication and implementing network segmentation.
VMware – September 21, 2021
VMware released security updates for vCenter and Cloud Foundation to address vulnerabilities that could allow an attacker to take control of an affected system.
NETGEAR – September 21, 2021
NETGEAR routers had a remote code execution vulnerability, CVE-2021-40847, that would allow a remote attacker to take control of an affected system. NETGEAR has released security updates.
Linux kernel – September 20, 2021
arch/mips/net/bpf_jit.c in the Linux kernel through 5.14.6 can produce bad machine code when transforming unprivileged cBPF programs, which could allow an attacker to execute arbitrary code.
MaianAffiliate – September 20, 2021
MaianAffiliate v.1.0 is affected by a code injection vulnerability: when a new product is added through the admin panel, the injected payload is then rendered on the affiliate main page.
WEEK OF SEPTEMBER 13-19, 2021
Zoho – September 16, 2021
The Federal Bureau of Investigation (FBI), U.S. Coast Guard Cyber Command (CGCYBER) and CISA released a joint advisory on the CVE-2021-40539 vulnerability in ManageEngine ADSelfService Plus. Critical infrastructure companies that do not apply the update are at serious risk.
Drupal – September 16, 2021
Drupal has released multiple security updates for vulnerabilities that could allow an attacker to take control of affected systems.
U.N. – September 15, 2021
The U.N. human rights chief is calling for a pause on the use of AI technology that poses a risk to human rights, citing the vulnerabilities that still exist.
Apple – September 14, 2021
Due to a major software flaw that allows Pegasus spyware to be installed on phones automatically, Apple users are urged to update their phones. Pegasus allows the attacker to read messages, access photos, turn on the phone's camera and track the person's movements.
Microsoft – September 14, 2021
Microsoft released multiple updates for vulnerabilities in Microsoft software that could allow attackers to take control of affected systems.
Adobe – September 14, 2021
Adobe released security updates for multiple Adobe products to address vulnerabilities that could allow an attacker to take control of an affected system.
Citrix – September 14, 2021
Citrix released a security update for ShareFile storage zones controller that addresses a vulnerability that could allow an attacker to take control of an affected system.
SAP – September 14, 2021
SAP released updates for multiple products that address vulnerabilities an attacker could use to take control of affected systems.
WEEK OF SEPTEMBER 6-12, 2021
ParlAI – September 10, 2021
Affected versions of ParlAI are vulnerable to YAML deserialization due to unsafe loading, which leads to arbitrary code execution.
Cisco – September 9, 2021
Cisco released security updates for IOS XR Software for ASR 9000 Series Routers, IOS XR Software IP Service Level Agreements and Two-Way Active Measurement Protocol, and IOS XR Software to address denial-of-service, arbitrary file read and write, and user privilege escalation vulnerabilities.
Citrix – September 9, 2021
Citrix released security updates for Hypervisor to address a vulnerability that could allow an attacker to take control of an affected system.
NCCoE – September 8, 2021
The National Cybersecurity Center of Excellence (NCCoE) released a revised draft report on ransomware risk management, which is open for public comment.
Mozilla – September 8, 2021
Mozilla released security updates for Firefox, Firefox ESR and Thunderbird addressing vulnerabilities that could allow an attacker to take control of an affected system.
Microsoft – September 7, 2021
Microsoft released mitigations and workarounds for the remote code execution threat, CVE-2021-40444, which would allow a remote attacker to take control of an affected system.
Zoho – September 7, 2021
Zoho released a security update for ManageEngine ADSelfService Plus builds 6113 and below, which are affected by the CVE-2021-40539 vulnerability that could allow an attacker to take control of the system. CISA strongly recommends that ADSelfService Plus not be accessible from the internet.
WEEK OF AUGUST 30 - SEPTEMBER 5, 2021
Atlassian – September 3, 2021
Atlassian released security updates for the Confluence server and data center to address a remote code execution vulnerability. Without the updates, a remote attacker could take control of an affected system.
Cisco – September 2, 2021
Cisco released security updates for Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) to address a vulnerability that could lead to an attacker taking control of an affected system.
Microsoft Edge – September 2, 2021
Microsoft Edge is affected by an elevation of privilege vulnerability.
Adobe Acrobat Reader – September 2, 2021
Some Acrobat Reader DC versions are affected by an out-of-bounds read vulnerability that could let an attacker achieve arbitrary code execution.
Adobe After Effects – September 2, 2021
Versions 18.2.1 and earlier of Adobe After Effects are affected by an out-of-bounds read vulnerability when parsing a specially crafted file, which could let an attacker disclose arbitrary memory information.
Modicon PLC controller – September 2, 2021
A CWE-476: NULL Pointer Dereference vulnerability could cause a denial-of-service condition on the Modicon PLC controller and simulator when the controller application is updated.
Google Chrome – September 1, 2021
Google released security updates for Chrome for Windows, Mac and Linux to address a vulnerability that could allow an attacker to take control of an affected system.
Bluetooth devices – September 1, 2021
Researchers have disclosed 16 security vulnerabilities that would allow an attacker to remotely shut down a headset or speaker, or to execute arbitrary code in a controller.
WEEK OF AUGUST 23-29, 2021
Microsoft – August 27, 2021
Microsoft released guidance for Azure Cosmos DB after fixing a misconfiguration in the Azure cloud. The guidance explains how to roll and regenerate certificate keys and how to secure access to data in Azure Cosmos DB.
Cacti – August 27, 2021
There are multiple cross-site scripting vulnerabilities in Cacti 1.2.12. The affected files are reports_admin.php, data_queries.php, datat.ph_inpup, graph_templates.php, graphs.php, reports_admin.php and data_input.php.
IBM – August 27, 2021
IBM Maximo Asset Management 7.6.0 and 7.6.1 are affected by a cross-site scripting vulnerability that could lead to disclosure of private credentials.
Cisco – August 26, 2021
Cisco released security updates for multiple products to address vulnerabilities that could allow a threat actor to take control of an affected system. The advisories cover Cisco Application Policy Infrastructure Controller Arbitrary File, BlackBerry QNX-2021-001, Cisco NX-OS Software VXLAN OAM (NGOAM), Cisco NX-OS Software MPLS OAM, Cisco Nexus 9000 Series Fabric Switches ACI Mode Multi-Pod and Multi-Site TCP, Cisco Nexus 9000 Series Fabric Switches ACI Mode Queue Wedge, Cisco Application Policy Infrastructure Controller and Cisco Application Policy Infrastructure Controller App.
OpenZeppelin – August 26, 2021
OpenZeppelin has vulnerabilities affecting certain versions of TimelockController that could allow an attacker to escalate privileges.
VMware – August 25, 2021
VMware released security updates for multiple products to address vulnerabilities that could allow an attacker to take control of an affected system.
OpenSSL – August 25, 2021
OpenSSL released a security update for version 1.1.1k to address vulnerabilities that could lead to a denial-of-service condition.
F5 – August 25, 2021
F5 released a security advisory for multiple versions of BIG-IP and BIG-IQ.
CISA – August 24, 2021
CISA released five Pulse Secure-related malware analysis reports (MARs).
Week of August 16-22, 2021
ProxyShell – August 21, 2021
CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 are vulnerabilities that an attacker could use to run arbitrary code on an affected machine. Microsoft's May list of updates should protect against these vulnerabilities.
Cisco – August 19, 2021
Cisco has released seven security updates to address vulnerabilities that could allow an attacker to take control of affected systems.
BIND – August 19, 2021
The Internet Systems Consortium (ISC) has released a security advisory for a vulnerability affecting multiple versions of ISC Berkeley Internet Name Domain (BIND) that could cause a denial-of-service condition.
Kalay – August 18, 2021
CISA has released an Industrial Control Systems (ICS) advisory for a vulnerability affecting several versions of the ThroughTek Kalay P2P Software Development Kit (SDK). Some Internet of Things (IoT) devices are at risk of having their users' privacy compromised, and through the vulnerability an attacker could take control of an affected system.
CISA – August 18, 2021
CISA has released a document on protecting against ransomware-related data breaches so organizations can reduce their risk of attack and better protect their information.
Adobe – August 18, 2021
Adobe has released security updates for APSB21-60 Captivate, APSB21-65 XMP Toolkit SDK, APSB21-68 Photoshop, APSB21-69 Bridge and APSB21-70 Media Encoder. These products have multiple vulnerabilities that could allow an attacker to take control of affected systems.
WebAccess/NMS Hole – August 17, 2021
Advantech has released a security update for an improper authentication vulnerability in its WebAccess/NMS. The vulnerability could allow an attacker access to resources monitored and controlled by WebAccess/NMS.
BlackBerry – August 17, 2021
BlackBerry announced that its QNX real-time operating system (RTOS) is affected by a BadAlloc vulnerability, CVE-2021-22156. This vulnerability could allow an attacker to cause a denial-of-service condition, execute arbitrary code on affected devices or take control of sensitive systems.
Mozilla – August 16, 2021
Mozilla has released a security update for Firefox and Thunderbird to address a vulnerability that could allow an attacker to take control of an affected system.
Apple – August 16, 2021
Apple has released a security update for iCloud for Windows 12.5 to address a vulnerability that could allow an attacker to take control of an affected system.
Week of August 9-15, 2021
Mozilla – August 12, 2021
Mozilla released security updates for Thunderbird 91 to address vulnerabilities that could allow an attacker to take control of an affected system.
WebAssembly – August 11, 2021
Swivel, a new compiler framework, was developed to protect WebAssembly against Spectre attacks.
SAP – August 10, 2021
SAP released 14 security updates to address vulnerabilities that could allow an attacker to take control of an affected system.
Intel – August 10, 2021
Intel released multiple security updates on six different products: NUC 9 Extreme Laptop Kits, NUC Pro Chassis Element Driver, Ethernet Linux Driver, Optane PMem, Graphics Drivers and Ethernet Adapters 800 Series.
Citrix – August 10, 2021
Citrix released a security update for ShareFile storage zones controller to address a vulnerability that could expose private information on an affected system.
Microsoft – August 10, 2021
Microsoft released 27 security updates to address vulnerabilities that could allow an attacker to take control of an affected system.
Google – August 10, 2021
Google updated its Titan security keys, offering USB-A and USB-C versions.
Adobe – August 10, 2021
Adobe released security updates for APSB21-66 Connect and APSB21-64 Magento.
Mozilla – August 10, 2021
Mozilla released security updates for Firefox 91, Firefox ESR 78.13 and Thunderbird 78.13 to address vulnerabilities that could allow an attacker to take control of an affected device.
Week of August 2-8, 2021
Pulse Connect Secure – August 6, 2021
Ivanti released a security update for Pulse Connect Secure to address a vulnerability that could allow an attacker to take control of an affected system.
Cisco – August 5, 2021
Cisco released security updates for multiple products to address vulnerabilities that could allow an attacker to take control of an affected system. RV340, RV340W, RV345 and RV345P Dual WAN Gigabit VPN Routers, Small Business RV160 and RV260 Series VPN Routers, Packet Tracer for Windows DLL, Network Services Orchestrator CLI Secure Shell Server and ConfD should all be updated.
InterNiche products – August 5, 2021
CISA released an Industrial Control Systems advisory for vulnerabilities in InterNiche products, including versions of the InterNiche stack before v4.3 and versions of NicheLite before v4.3, that could allow an attacker to take control of affected systems.
DNS vulnerability – August 5, 2021
Security researchers found DNS-as-a-service vulnerabilities that could give attackers access to sensitive corporate network information.
VMware – August 5, 2021
VMware released security updates for multiple products to address vulnerabilities that could allow attackers to access confidential information.
CODESYS EtherNetIP – August 4, 2021
Versions of CODESYS EtherNetIP before 126.96.36.199 are vulnerable to certain requests that result in a null pointer dereference.
Google – August 4, 2021
Google released an updated version of Chrome for Windows, Mac and Linux to address vulnerabilities that could allow attackers to take control of an affected system.
Swisslog Healthcare – August 3, 2021
Multiple vulnerabilities were found in Swisslog Healthcare Translogic Pneumatic Tube Systems that could allow an attacker to take over an affected system.
Kubernetes Hardening Guidance – August 2, 2021
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released a report on the challenges of securely managing a Kubernetes cluster and the hardening strategies that address them.
Week of July 26-August 1, 2021
Trend Micro Apex One – July 30, 2021
Trend Micro Apex One, Apex One as a Service, OfficeScan XG and Worry-Free Business Security 10.0 SP1 are vulnerable to an attacker escalating privileges on affected installations.
Wireless Devices – July 29, 2021
The NSA released a cybersecurity information sheet on using wireless devices in public settings. It explains how to identify the risks of public connections and how to better protect devices and data.
IBM – July 29, 2021
Due to an unsafe deserialization flaw, IBM Partner Engagement Manager 2.0 is vulnerable to an attacker executing arbitrary code on the system.
Dell EMC NetWorker – July 29, 2021
Versions 18.x and 19.x prior to 188.8.131.52 and 184.108.40.206 contain an Information Disclosure in Log Files vulnerability, meaning an attacker could read sensitive information from log files.
Visual Studio Code – July 29, 2021
The PHP Mess Detector extension before 1.3.0 for Visual Studio Code is vulnerable to attackers placing arbitrary code in a workspace folder.
PowerVM Logical Partition Mobility (LPM) – July 29, 2021
The encryption key exchange for PowerVM Hypervisor FW920, FW930, FW940 and FW950 could be compromised, allowing an attacker to decrypt captured migration traffic.
Geutebrück G-Cam E2 and G-Code – July 27, 2021
CISA released an Industrial Control Systems (ICS) advisory for Geutebrück G-Cam E2 devices and Encoder G-Code versions. The vulnerabilities include missing authentication for critical function, command injection and stack-based buffer overflow, which could allow an attacker to remotely take control of an affected system.
Apple – July 27, 2021
Updates are available for products including macOS Big Sur, iOS 14.7.1 and iPadOS 14.7.1 to address memory corruption that could allow execution of arbitrary code with kernel privileges.
Microsoft – July 27, 2021
In response to the PetitPotam threat, Microsoft has released guidance on preventing NTLM relay attacks. Environments using Certificate Authority Web Enrollment or the Certificate Enrollment Web Service remain vulnerable without the recommended settings.
Week of July 19-25, 2021
Drupal Core – July 21, 2021
Drupal Core released an update to fix a security risk in the extraction of tar archives by critical third-party libraries. The update disallows symlinks, which should mitigate the risk.
Cisco Intersight Virtual Appliance – July 21, 2021
Cisco released security updates to address a vulnerability that could allow an unauthenticated, adjacent attacker to access sensitive internal services. Without this update, an attacker could make configuration changes on the affected system.
Pulse Secure Devices – July 21, 2021
The Cybersecurity and Infrastructure Security Agency (CISA) has an ongoing response to Pulse Secure compromises and has analyzed 13 malware samples.
Oracle – July 20, 2021
Oracle launched a critical patch update to address more than 300 vulnerabilities, which could have allowed a remote attacker to take control of an affected system.
Adobe – July 20, 2021
Adobe released security updates for multiple Adobe products, including Photoshop, Audition and Media Encoder, to address vulnerabilities that could allow an attacker to take control of an affected system.
Microsoft Windows 10/11 – July 20, 2021
Microsoft Windows 10/11 has been found to allow local users access to admin passwords, which could give them total system access because the Windows Security Account Manager (SAM) database is too permissive. With these stolen privileges, someone could install programs, create new accounts and access private data.
Citrix – July 19, 2021
Citrix released security updates to address multiple vulnerabilities in Application Delivery Controller (ADC), Gateway and SD-WAN WANOP Edition. A successful attack could result in limited disk space consumption on the appliance, theft of a valid user session or session fixation by an authorized user.