Vulnerability summary for the week: July 17, 2020

Here’s a brief overview of the most interesting security vulnerabilities that made headlines this week.

As part of its July 2020 Patch Tuesday release, Microsoft addressed a total of 123 vulnerabilities affecting its various products, including CVE-2020-1350 (SIGRed). It is a remote code execution flaw that has been present in Microsoft’s Windows DNS Server for over 17 years. The flaw impacts Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response, which could lead to a heap-based buffer overflow.

July’s Patch Tuesday release also contains fixes for RCE bugs in Microsoft Word, Microsoft Excel, Microsoft Office, Microsoft Outlook, Microsoft SharePoint, Windows LNK shortcut files, and various Windows graphics components.

Another bug which caused a commotion among cyber security professionals this week is CVE-2020-6287 (aka RECON), which affects the SAP NetWeaver Application Server (AS) Java component and is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5).

By exploiting this flaw, a remote, unauthenticated attacker could create a new SAP user with the highest privileges and thus fully compromise vulnerable SAP installations. This would allow the attacker to steal or modify highly sensitive information, or disrupt critical business processes. CVE-2020-6287 can be exploited via an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet.

Of note, proof-of-concept code for this flaw has recently been released, although it does not achieve remote code execution.

Oracle released a mammoth quarterly patch update which addresses a record 433 new security vulnerabilities, many of which affect multiple products, including Oracle Insurance Policy Administration, Java SE, Oracle iLearning, Oracle WebLogic Server, Oracle Banking Platform, Oracle Applications Framework, and others. Hundreds of these vulnerabilities are remotely exploitable without authentication.

Adobe issued security updates to fix a total of 13 new security vulnerabilities affecting 5 of its widely used applications: Adobe Creative Cloud Desktop Application, Adobe Media Encoder, Adobe Genuine Service, Adobe ColdFusion, and Adobe Download Manager. The flaws could result in remote code execution, privilege escalation, and information disclosure.

Moxa EDR-G902 and EDR-G903 Series routers (versions prior to 5.4) contain an RCE vulnerability (CVE-2020-14511), which could be exploited to compromise a target system. A remote unauthenticated attacker can perform a malicious operation with a crafted web browser cookie, trigger a stack-based buffer overflow, and execute arbitrary code on the target system.

A high-risk vulnerability has been found in Siemens LOGO! Web Server (CVE-2020-7593), which could allow remote code execution. A buffer overflow vulnerability in the Web Server functionality of the device allows an unauthenticated attacker to send specially crafted HTTP requests, which may cause memory corruption and result in remote code execution.
