IT security is all about staying on top of vulnerabilities. Many of those could be fixed through a simple patch management program, and yet many noteworthy data breaches happen because known vulnerabilities were never patched. Each month we list some of those biggest flaws — along with their fixes — to keep you on top of vulnerabilities.
1. Authentication Bypass Vulnerability in Cisco Elastic Services Controller
CVE identifier: CVE-2019-1867
CVSS Base Score: 10.0
The vulnerability: A vulnerability in the REST API of Cisco Elastic Services Controller (ESC), caused by improper validation of API requests, could allow an unauthenticated remote attacker to bypass authentication and execute arbitrary actions through the REST API with administrative privileges on an affected system.
The fix: Cisco has released software updates to address the issue.
More info: Cisco has details here.
2. Arbitrary Code Execution Flaw in Microsoft Windows Remote Desktop Services
CVE identifier: CVE-2019-0708 (a.k.a. BlueKeep)
CVSS Base Score: 9.8
The vulnerability: A flaw in the Remote Desktop Services component of Microsoft Windows, caused by the fact that the software improperly handles Remote Desktop Protocol (RDP) requests, could enable an unauthenticated remote attacker to execute arbitrary code on a targeted system.
The fix: Microsoft has released software updates to address the issue.
More info: Cisco has details here, and Microsoft has more information here.
3. Arbitrary Code Execution Vulnerability in IBM WebSphere Application Server
CVE identifier: CVE-2019-4279
CVSS Base Score: 9.8
The vulnerability: A flaw in IBM WebSphere Application Server 8.5 and 9.0 could enable a remote attacker to execute arbitrary code on a targeted system.
The fix: IBM has released software updates to address the issue.
More info: NIST has details here, and IBM has more information here.
4. Stack-Based Buffer Overflow Vulnerability in atftp atftpd
CVE identifier: CVE-2019-11365
CVSS Base Score: 9.8
The vulnerability: A vulnerability in the atftpd daemon of atftp, caused by an insecurely implemented strncpy call, could enable an unauthenticated remote attacker to trigger a stack-based buffer overflow condition, which could be leveraged to execute arbitrary code or cause a denial of service condition on a targeted system. Proof-of-concept code demonstrating an exploit of the vulnerability is publicly available.
The fix: atftp has released software updates to address the issue.
More info: Cisco has details here, and Pulse Security has more information here.
5. Code Execution Flaw in Atlassian Crowd and Crowd Data Center
CVE identifier: CVE-2019-11580
CVSS Base Score: 9.8
The vulnerability: A flaw in Atlassian Crowd and Crowd Data Center, caused by the fact that the pdkinstall development plugin was incorrectly enabled in release builds, could allow a remote attacker to install arbitrary plugins and execute arbitrary code on a targeted system.
The fix: Atlassian has released software updates and a workaround to address the issue.
More info: IBM X-Force Exchange has details here, and Atlassian has more information here.
6. Two Out-of-Bounds Access Vulnerabilities in cJSON
CVE identifiers: CVE-2019-11834, CVE-2019-11835
CVSS Base Scores: 9.8, 9.8
The vulnerability: Two flaws in cJSON, caused by an out-of-bounds access condition in the software, could enable an unauthenticated remote attacker to cause a buffer overflow condition and compromise the targeted system completely. Proof-of-concept code demonstrating an exploit of the flaws is publicly available.
The fix: Software updates have been released to address the issue.
More info: Cisco has details here and here, and more information is available here and here.
7. Heap Buffer Overflow Vulnerability in GNU Wget
CVE identifier: CVE-2019-5953
CVSS Base Score: 9.8
The vulnerability: A vulnerability in GNU Wget 1.20.1 and earlier could allow a remote attacker to cause a denial of service condition or execute arbitrary code on a targeted system.
The fix: Software updates have been released to address the issue.
More info: NIST has details here, and more information is available here.
8. Default SSH Key Vulnerability in Cisco Nexus 9000 Series Fabric Switches
CVE identifier: CVE-2019-1804
CVSS Base Score: 9.8
The vulnerability: A flaw in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software, caused by a default SSH key pair shared by all devices, could enable an unauthenticated remote attacker to connect to a targeted system with the privileges of the root user.
The fix: Cisco has released software updates to address the issue.
More info: Cisco has details here.
9. Two SQL Injection Vulnerabilities in OpenEMR
CVE identifiers: CVE-2018-17179, CVE-2018-17181
CVSS Base Scores: 9.8, 9.8
The vulnerability: Two vulnerabilities in OpenEMR could enable unauthenticated remote attackers to conduct SQL injection attacks on a targeted system. The first flaw exists in the make_task function defined in the /interface/forms/eye_mag/php/taskman_functions.php source code file; the second exists in the SaveAudit function in the /portal/lib/paylib.php source code file and the portalAudit function in the /portal/lib/appsql.class.php source code file.
The fix: OpenEMR has released software updates to address the issue.
More info: Cisco has details here and here, and more information on the update is available here.
10. XML External Entity Vulnerability in Apache PDFBox
CVE identifier: CVE-2019-0228
CVSS Base Score: 9.8
The vulnerability: A vulnerability in Apache PDFBox 2.0.14, caused by the software’s failure to properly initialize the XML parser, could enable a remote attacker to conduct an XML External Entity (XXE) attack on a targeted system. The flaw was uncovered by Kurt Boberg of DocuSign.
The fix: Apache has released software updates to address the issue.
More info: NIST has details here, and Apache has more information here.
11. Three Remote Code Execution Flaws in Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager
CVE identifiers: CVE-2019-1821, CVE-2019-1822, CVE-2019-1823
CVSS Base Scores: 9.8, 9.8, 9.8
The vulnerability: Three vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager, caused by the fact that the software improperly validates user-supplied input, could enable a remote attacker to execute arbitrary code with elevated privileges on the underlying OS. One of the issues can be exploited by an unauthenticated attacker who has network access to the affected admin interface, while the second and third require that the attacker have valid credentials to log into the affected interface.
The fix: Cisco has released software updates to address the issue.
More info: Cisco has details here.
12. Buffer Over-Read Vulnerability in dhcpcd
CVE identifier: CVE-2019-11766
CVSS Base Score: 9.8
The vulnerability: A flaw in the D6_OPTION_PD_EXCLUDE feature of dhcpcd could enable an attacker to cause an out-of-bounds read error and execute arbitrary code or cause a denial of service condition on a targeted system.
The fix: Software updates have been released to address the issue.
More info: Cisco has details here, and more information is available here.
Looking for more? Last month’s vulnerability roundup can be found here.