Cyber Security

Intel, VMware Be part of Patch Tuesday Parade

Know-how giants Intel Corp. and VMware joined the Patch Tuesday parade this week, rolling out fixes for safety defects that expose customers to malicious hacker assaults.

Intel launched two advisories to repair privilege escalation and knowledge disclosure vulnerabilities within the SGX software program growth equipment and {Hardware} Accelerated Execution Supervisor (HAXM) software program merchandise.

The extra critical of the 2 flaws — CVE-2021-0186 — impacts the Software program Guard Extensions (SGX) Software program Improvement Package (SDK) purposes compiled for SGX2-enabled processors and will enable escalation of privilege in sure circumstances.

Intel has tagged the bug with a “excessive danger” ranking and a CVSS Base Rating of 8.2 and credited a number of tutorial establishments with reporting the problem.

[ READ: MS Patch Tuesday: 71 Vulns, One Exploited as Zero-Day ]

The second Intel advisory covers a pair of safety vulnerabilities within the Intel {Hardware} Accelerated Execution Supervisor (HAXM) software program which will enable escalation of privilege or info disclosure.   The HAXM updates are available on Github.

Individually, VMware launched a trio of advisories to warn about safety defects within the VMware vRealize IT operations administration platform.

VMware launched patches for an open-redirect flaw in the vRealize Orchestrator product (reasonable severity), a CSV injection vulnerability in vRealize Log (medium-severity) and a low-risk SSRF flaw in vRealize Operations product.

The Intel and VMware updates comply with a significant Patch Tuesday freight prepare for October with zero-day fixes from Microsoft and Apple (iOS 15.0.2), and important updates from Adobe and SAP.

Thus far in 2021, there have been 73 documented in-the-wild zero day assaults, the bulk hitting susceptible code in merchandise bought by Microsoft, Apple and Google.

Associated: MS Patch Tuesday: 71 Vulns, One Exploited as Zero-Day

Associated: Adobe Patches Critical Code Execution Vulnerabilities

Associated: Microsoft Office Zero-Day Hit in Targeted Attacks 

Associated: SAP Patches Critical Vulnerabilities in Environmental Compliance

view counter

Source link

Cyber Security

ICS Patch Tuesday: Siemens and Schneider Electrical Tackle Over 50 Vulnerabilities

Industrial giants Siemens and Schneider Electrical on Tuesday launched practically a dozen safety advisories describing a complete of greater than 50 vulnerabilities affecting their merchandise.

The businesses have launched patches and mitigations to handle these vulnerabilities.


Siemens has launched 5 new advisories protecting 33 vulnerabilities. The corporate knowledgeable prospects that an replace for its SINEC community administration system patches 15 flaws, together with ones that may be exploited for arbitrary code execution. Whereas a few of them have been assigned a excessive severity ranking, exploitation requires authentication.

For its ​​SCALANCE W1750D controller-based direct entry factors, Siemens launched patches and mitigations protecting 15 vulnerabilities, together with important weaknesses that may permit a distant, unauthenticated attacker to trigger a DoS situation or execute arbitrary code on the underlying working system. The W1750D is a brand-labeled machine from Aruba, and a majority of the failings exist within the ArubaOS working system.

The corporate has additionally knowledgeable prospects a couple of important authentication vulnerability within the SIMATIC Course of Historian. An attacker can exploit the flaw to insert, modify or delete knowledge.

The 2 remaining advisories tackle high-severity denial of service (DoS) vulnerabilities in SINUMERIK controllers and RUGGEDCOM ROX gadgets. Within the case of the RUGGEDCOM gadgets, an unauthenticated attacker may trigger a everlasting DoS situation in sure circumstances.

Schneider Electrical

Schneider Electrical has launched 6 new advisories protecting 20 vulnerabilities. One advisory describes the influence of 11 Home windows flaws on the corporate’s Conext solar energy plant merchandise. The safety holes had been patched by Microsoft in 2019 and 2020 and plenty of of them have important or excessive severity rankings.

One other advisory describes two important, one high-severity and one medium-severity vulnerabilities affecting Schneider’s IGSS SCADA system. The corporate says the worst case exploitation state of affairs “may lead to an attacker having access to the Home windows Working System on the machine working IGSS in manufacturing.”

The corporate additionally knowledgeable customers a couple of high-severity data disclosure vulnerability affecting spaceLYnk, Wiser For KNX, and fellerLYnk merchandise, and a high-severity command execution concern within the ConneXium community supervisor software program.

The final advisory describes the influence of two AMNESIA:33 vulnerabilities on Modicon TM5 modules. AMNESIA:33 is the title assigned to 33 flaws recognized final 12 months throughout 4 open supply TCP/IP stacks.

Associated: ICS Patch Tuesday: Siemens and Schneider Electric Address 100 Vulnerabilities

Associated: ICS Patch Tuesday: Siemens, Schneider Electric Address Over 40 Vulnerabilities

view counter

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He labored as a highschool IT trainer for 2 years earlier than beginning a profession in journalism as Softpedia’s safety information reporter. Eduard holds a bachelor’s diploma in industrial informatics and a grasp’s diploma in laptop methods utilized in electrical engineering.

Earlier Columns by Eduard Kovacs:

Source link