IT Security Vulnerability Roundup – September 2018

Many new vulnerabilities come to light every month, and September has been no exception. Below is a look at 12 particularly impactful vulnerabilities that were revealed over the past 30 days.

1. Potential Remote Code Execution Flaw in IBM WebSphere Application Server

CVE identifier: CVE-2018-1567

CVSS Base Score: 9.8

The vulnerability: A vulnerability in the IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. The vulnerability affects versions 7.0, 8.0, 8.5 and 9.0 of the IBM WebSphere Application Server.

The fix: IBM has released interim fixes and fix packs for each affected version.

More info: IBM provides details here.

2. Privilege Escalation Vulnerability in NordVPN

CVE identifier: CVE-2018-3952

CVSS Base Score: 8.8

The vulnerability: An exploitable code execution vulnerability in the connect functionality of NordVPN 6.14.28.0 could allow a specially crafted configuration file to cause a privilege escalation, enabling the execution of arbitrary commands with system privileges.

The fix: NordVPN released a patch for the flaw prior to its public disclosure.

More info: The vulnerability was discovered by Cisco Talos researchers, who have more information here. IBM X-Force also has information on the flaw here.

3. Privilege Escalation Vulnerability in ProtonVPN

CVE identifier: CVE-2018-4010

CVSS Base Score: 8.8

The vulnerability: Like the NordVPN vulnerability described above, an exploitable code execution vulnerability in the connect functionality of ProtonVPN 1.5.1 could allow a specially crafted configuration file to cause a privilege escalation, enabling the execution of arbitrary commands with system privileges.

The fix: ProtonVPN has released a patch for the flaw.

More info: The vulnerability was discovered by Cisco Talos researchers, who have more information here. NIST also has information on the flaw here.

4. Server Side Request Forgery Vulnerability in IBM API Connect

CVE identifier: CVE-2018-1789

CVSS Base Score: 8.4

The vulnerability: Versions 2018.1.0 through 2018.3.4 of IBM API Connect could allow an attacker to send a specially crafted request to conduct a server-side request forgery attack.

The fix: IBM has released fixes for the vulnerability.

More info: IBM has more information here and here.

5. Integer Overflow Flaw in Linux Kernel

CVE identifier: CVE-2018-14634

CVSS Base Score: 7.8

The vulnerability: An integer overflow flaw in the Linux kernel's create_elf_tables() function could allow an unprivileged local user to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.

The fix: Updates are available to mitigate the flaw.

More info: Qualys, which uncovered the flaw, has more information here, and Red Hat has information here.

6. Arbitrary File Deletion Flaw in HongCMS

CVE identifier: CVE-2018-16774

CVSS Base Score: 7.5

The vulnerability: Version 3.0.0 of HongCMS allows arbitrary file deletion.

The fix: No fix was available at time of publication.

More info: The flaw was first disclosed on GitHub. NIST has more information here.

7. SQL Injection Flaw in IBM Security Identity Governance Virtual Appliance

CVE identifier: CVE-2018-1756

CVSS Base Score: 7.5

The vulnerability: Versions 5.2.3.2 and 5.2.4 of IBM Security Identity Governance and Intelligence were vulnerable to SQL injection, which could allow a remote attacker to view information in the back-end database.

The fix: IBM has released fixes for the vulnerability.

More info: IBM has more information on the flaws here and here.

8. Vulnerabilities in Intel CSME, Intel Server Platform Service, Intel TXE

CVE identifier: CVE-2018-3655

CVSS Base Score: 7.3

The vulnerability: A flaw in a subsystem in Intel CSME before version 11.21.55, Intel Server Platform Service before version 4.0, and Intel Trusted Execution Engine (TXE) before version 3.1.55 could allow an unauthenticated user to modify or disclose information.

The fix: All users of Intel CSME, Intel Server Platform Service and Intel TXE are advised to update to the latest version.

More info: The flaw was first discovered by Positive Technologies, which has detailed information here. Intel has published an advisory here, and NIST has more information here.

9. Privilege Escalation Vulnerability in Adobe Flash Player

CVE identifier: CVE-2018-15967

CVSS Base Score: 6.5

The vulnerability: A privilege escalation vulnerability in Adobe Flash Player versions 30.0.0.154 and earlier could lead to information disclosure.

The fix: All users are advised to update to the latest version.

More info: Adobe has more information here, and Red Hat has information here.

10. Arbitrary Code Execution, Cross-Site Scripting Vulnerabilities in Hoosk

CVE identifiers: CVE-2018-16771, CVE-2018-16772

CVSS Base Scores: 9.8, 4.8

The vulnerabilities: Version 1.7.0 of the Hoosk content management system allows cross-site scripting via the Navigation Title of a new page entered at admin/pages/new, and could allow a remote attacker to execute arbitrary code on the affected system via the SiteURL entry in the installation process.

The fix: No fixes were available at time of publication.

More info: The flaws were first disclosed on GitHub. NIST has more information here and here.

11. Cross-Site Scripting, HTML Injection Flaws in IBM Campaign

CVE identifiers: CVE-2018-1114, CVE-2018-1115

CVSS Base Scores: 5.4, 5.4

The vulnerabilities: Versions 9.1, 9.1.2 and 10 of IBM Campaign are vulnerable to HTML injection, allowing malicious HTML code to be executed in a victim's Web browser within the security context of the hosting site; and to cross-site scripting, allowing users to embed arbitrary JavaScript code in the Web UI, potentially leading to credentials disclosure within a trusted session.

The fix: IBM has released updates to patch both vulnerabilities.

More info: IBM has published security bulletins on the two flaws, including links to patches, here and here.

12. Security Feature Bypass Flaw, Remote Execution Flaws in Internet Explorer

CVE identifiers: CVE-2018-8447, CVE-2018-8461, CVE-2018-8470

The vulnerabilities: Two separate remote code execution vulnerabilities were found in Internet Explorer, one that only affects version 11, and one that affects versions 9, 10 and 11. A security feature bypass vulnerability was also found in Internet Explorer 11, which could allow a universal cross-site scripting (UXSS) condition.

The fix: IBM has released updates to address the vulnerabilities.

More info: IBM has more information on the flaws here, here and here.

See our August security vulnerability roundup
