Cyber Security

BillQuick says patch coming after Huntress report identifies vulnerabilities used in ransomware attack


BillQuick has said a short-term patch will be released to address some of the vulnerabilities identified this weekend by Huntress.

In a blog post on Friday, Huntress security researcher Caleb Stewart said the company's ThreatOps team "discovered a critical vulnerability in multiple versions of BillQuick Web Suite, a time and billing system from BQE Software."

"Hackers were able to successfully exploit CVE-2021-42258 — using it to gain initial access to a US engineering company — and deploy ransomware across the victim's network. Considering BQE's self-proclaimed user base of 400,000 users worldwide, a malicious campaign targeting their customer base is concerning," Stewart said.

"This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed."

Huntress also found eight other vulnerabilities: CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, CVE-2021-42742.

In a statement to ZDNet, BQE Software said its engineering team is aware of the issues with BillQuick Web Suite, which customers use to host BillQuick, and said that vulnerability had been patched.

"Huntress also identified additional vulnerabilities, which we have been actively investigating. We expect a short-term patch to the BQE Web Suite vulnerabilities to be in place by the end of the day on 10/26/2021 along with a firm timeline on when a full fix will be implemented," the spokesperson added.

"The issue with BQE Web Suite affects fewer than 10% of our customers; we will be proactively communicating to each of them the existence of these issues, when they can expect the issues to be resolved, and what steps they can take in the interim to minimize their exposure."

Huntress explained how they were able to recreate the SQL injection-based attack, which they confirmed can be used to access customers' BillQuick data and run malicious commands on their on-premises Windows servers.

Huntress said it worked with BQE Software on the issue and commended the company for being responsive while also taking the issues seriously.

But the blog post notes that the bug could easily be triggered by "simply navigating to the login page and entering a single quote (`'`)."

"Further, the error handlers for this page display a full traceback, which could contain sensitive information about the server-side code," Stewart wrote.
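The two observations above, that a lone single quote on the login page breaks the query and that the error handler then returns a full traceback, come down to two defects: user input concatenated into SQL text, and verbose error handling. The following is an added example written for this page, not Huntress's or BQE's code. It builds a constructed in-memory SQLite table and shows the concatenated query failing on a single quote while the parameterized query treats the same input as plain data. The names `login_concat`, `login_param` and `probe` are the example's own.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the example short; real systems store a hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: input is spliced into the SQL text, so a quote changes the syntax."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Hardened pattern: placeholders keep the input as data regardless of its content."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def probe(login_fn, username, password):
    """Run one login attempt and report ('ok', result) or ('error', database message)."""
    conn = make_db()
    try:
        return ("ok", login_fn(conn, username, password))
    except sqlite3.Error as exc:
        # This is the point where the page's server showed a full traceback to the browser.
        # A safe handler logs exc server-side and sends the client a generic failure message.
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (login_concat, login_param):
        print(fn.__name__, "valid credentials:", probe(fn, "alice", "correct-horse"))
        print(fn.__name__, "single quote as username:", probe(fn, "'", "anything"))
```

`probe` hands the database error message back to its caller so the two behaviours can be compared side by side; in a web application the same handler should record the exception in a server-side log and return only a generic message, which is the fix for the traceback disclosure Stewart describes.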

CVE-2021-42258 was patched by BQE Software on October 7 in WebSuite 2021 version, but the eight other issues still need patches.

Stewart told BleepingComputer that unnamed hackers used CVE-2021-42258 as an entry point into the US engineering company as part of a ransomware attack that took place over the Columbus Day weekend. The news outlet reported that the ransomware group did not leave a ransom note and did not have a readily identifiable name.


Intel, VMware Join Patch Tuesday Parade

Technology giants Intel Corp. and VMware joined the Patch Tuesday parade this week, rolling out fixes for security defects that expose users to malicious hacker attacks.

Intel released two advisories to fix privilege escalation and information disclosure vulnerabilities in the SGX software development kit and Hardware Accelerated Execution Manager (HAXM) software products.

The more serious of the two flaws — CVE-2021-0186 — affects Software Guard Extensions (SGX) Software Development Kit (SDK) applications compiled for SGX2-enabled processors and may allow escalation of privilege in certain circumstances.

Intel has tagged the bug with a "high risk" rating and a CVSS Base Score of 8.2 and credited several academic institutions with reporting the issue.


The second Intel advisory covers a pair of security vulnerabilities in the Intel Hardware Accelerated Execution Manager (HAXM) software that may allow escalation of privilege or information disclosure. The HAXM updates are available on GitHub.

Separately, VMware released a trio of advisories to warn about security defects in the VMware vRealize IT operations management platform.

VMware released patches for an open-redirect flaw in the vRealize Orchestrator product (moderate severity), a CSV injection vulnerability in vRealize Log (medium severity) and a low-risk SSRF flaw in the vRealize Operations product.

The Intel and VMware updates follow a major Patch Tuesday freight train for October with zero-day fixes from Microsoft and Apple (iOS 15.0.2), and critical updates from Adobe and SAP.

So far in 2021, there have been 73 documented in-the-wild zero-day attacks, the majority hitting vulnerable code in products sold by Microsoft, Apple and Google.


ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Vulnerabilities

Industrial giants Siemens and Schneider Electric on Tuesday released nearly a dozen security advisories describing a total of more than 50 vulnerabilities affecting their products.

The companies have released patches and mitigations to address these vulnerabilities.

Siemens has released 5 new advisories covering 33 vulnerabilities. The company informed customers that an update for its SINEC network management system patches 15 flaws, including ones that can be exploited for arbitrary code execution. While some of them have been assigned a high severity rating, exploitation requires authentication.

For its SCALANCE W1750D controller-based direct access points, Siemens released patches and mitigations covering 15 vulnerabilities, including critical weaknesses that can allow a remote, unauthenticated attacker to cause a DoS condition or execute arbitrary code on the underlying operating system. The W1750D is a brand-labeled device from Aruba, and a majority of the flaws exist in the ArubaOS operating system.

The company has also informed customers about a critical authentication vulnerability in the SIMATIC Process Historian. An attacker can exploit the flaw to insert, modify or delete data.

The two remaining advisories address high-severity denial of service (DoS) vulnerabilities in SINUMERIK controllers and RUGGEDCOM ROX devices. In the case of the RUGGEDCOM devices, an unauthenticated attacker could cause a permanent DoS condition in certain circumstances.

Schneider Electric

Schneider Electric has released 6 new advisories covering 20 vulnerabilities. One advisory describes the impact of 11 Windows flaws on the company's Conext solar power plant products. The security holes were patched by Microsoft in 2019 and 2020 and many of them have critical or high severity ratings.

Another advisory describes two critical, one high-severity and one medium-severity vulnerabilities affecting Schneider's IGSS SCADA system. The company says the worst case exploitation scenario "could result in an attacker gaining access to the Windows Operating System on the machine running IGSS in production."

The company also informed users about a high-severity information disclosure vulnerability affecting spaceLYnk, Wiser For KNX, and fellerLYnk products, and a high-severity command execution issue in the ConneXium network manager software.

The last advisory describes the impact of two AMNESIA:33 vulnerabilities on Modicon TM5 modules. AMNESIA:33 is the name assigned to 33 flaws identified last year across four open source TCP/IP stacks.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia's security news reporter. Eduard holds a bachelor's degree in industrial informatics and a master's degree in computer techniques applied in electrical engineering.


Android October patch fixes three critical bugs, 41 flaws in total

Google has released the Android October security updates, addressing 41 vulnerabilities, all ranging between high and critical severity.

On the fifth of every month, Google releases the complete security patch for the Android OS, which contains both the framework and the vendor fixes for that month. As such, this update also includes fixes for the ten vulnerabilities that were addressed in the Security patch level 2021-10-01, released a few days back.

The high-severity flaws fixed this month concern denial of service, elevation of privilege, remote code execution, and information disclosure issues.

The three critical severity flaws in the set are tracked as:

  • CVE-2021-0870: Remote code execution flaw in Android System, enabling a remote attacker to execute arbitrary code within the context of a privileged process.
  • CVE-2020-11264: Critical flaw affecting Qualcomm's WLAN component, concerning the acceptance of non-EAPOL/WAPI frames from unauthorized peers received in the IPA exception path.
  • CVE-2020-11301: Critical flaw affecting Qualcomm's WLAN component, concerning the acceptance of unencrypted (plaintext) frames on secure networks.

Critical but unexploited

None of the 41 flaws addressed this month were reported to be under active exploitation in the wild, so there should be no working exploits for them circulating out there.

Older devices that are no longer supported with security updates now have an increased attack surface, as some of the vulnerabilities fixed this month are excellent candidates for threat actors to create working exploits in the future.

Remember, Android security patches aren't bound to Android versions, and the above fixes concern all versions from Android 8.1 to Android 11. As such, the OS version isn't a determining factor in whether or not your device is still supported.

If you have confirmed that your device has reached its EOL date, you should either install a third-party Android distribution that still delivers monthly security patches for your model, or replace it with a new one.

Android fans have been eagerly waiting for the release of version 12, which was rumored for October 4, 2021, but what they got instead was the source of Android 12 pushed to the Android Open Source Project.

This step signifies that the actual release is just around the corner, and OTA upgrade alerts could hit eligible devices, like the Pixel, very soon.


Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!

Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild.

"A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root," the open-source project maintainers noted in an advisory published Tuesday.

"If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts."


The flaw, tracked as CVE-2021-41773, affects only Apache HTTP Server version 2.4.49. Ash Daulton and the cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021.
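The advisory's two sentences describe one check: after the request path is normalized, the file it maps to must still lie under the document root, and 'require all denied' on the filesystem root is the configuration backstop for when that check is wrong. The following added example (written for this page; it is not Apache's code and does not reproduce httpd's actual normalization routine) shows the containment check in simplified form: percent-decode the request path, collapse `.` and `..` segments, and refuse any result that resolves outside the configured root. The function names `map_url_to_file` and `check_requests`, the document root `/var/www/html` and the sample request paths are all constructed for the example.

```python
import posixpath
from urllib.parse import unquote


def map_url_to_file(docroot, request_path):
    """Map a request path to a file under docroot, or return None if it escapes the root.

    Simplified model of the containment a web server must enforce; not Apache's code.
    """
    root = posixpath.normpath(docroot)
    # Decode %XX escapes first, so an encoded dot or slash is judged by what it decodes to.
    decoded = unquote(request_path)
    # Collapse '.' and '..' segments relative to the root, then compare the result.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # commonpath handles root == "/" as well as roots with or without a trailing slash.
    if posixpath.commonpath([root, candidate]) != root:
        return None  # resolved outside the document root: refuse the request
    return candidate


def check_requests(docroot, paths):
    """Return a dict of request path -> mapped file (or None when refused)."""
    return {p: map_url_to_file(docroot, p) for p in paths}


# Constructed sample requests: two ordinary ones, two that try to walk out of the root.
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/../index.html",
    "/../../etc/passwd",
    "/icons/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
]

if __name__ == "__main__":
    for path, mapped in check_requests("/var/www/html", SAMPLE_REQUESTS).items():
        print(f"{path!r:45} -> {'DENIED' if mapped is None else mapped}")
```

The order of operations is the point: decoding before normalization means an encoded dot segment is treated as what it decodes to, and comparing against the root after normalization means a request that wanders through `..` but lands back inside the root (the second sample) is still served. A server that normalizes before it finishes decoding, or compares before it normalizes, can be talked out of the root, which is why the advisory also recommends denying access to the filesystem root in configuration.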

Source: PT SWARM

Also resolved by Apache is a null pointer dereference vulnerability observed while processing HTTP/2 requests (CVE-2021-41524), which allows an adversary to perform a denial-of-service (DoS) attack on the server. The non-profit corporation said the weakness was introduced in version 2.4.49.


Apache users are highly recommended to patch as soon as possible to contain the path traversal vulnerability and mitigate any risk associated with active exploitation of the flaw.
