Weekly threat summary: Ethereum, Razer mice, Cisco

Patch management is easier said than done, and security teams are often forced to prioritize among fixes for multiple business-critical systems that are all released at the same time. For example, it has become common to expect dozens of patches from Microsoft on Patch Tuesday, with other vendors routinely releasing fixes on the same day.

Below, IT Pro has compiled the most urgent revelations of the past seven days, including a summary of the exploit mechanism where known and whether the vulnerability is being exploited in the wild. This is intended to give teams a sense of which bugs and flaws could represent the most dangerous immediate security risks.

Chain split bug found in Ethereum project

The maintainers of the Ethereum blockchain project are urging developers who run go-ethereum, also known as Geth, to patch a serious vulnerability that could disrupt the service.

Geth is the official Go implementation of the Ethereum protocol. It currently contains a bug, tracked as CVE-2021-39137, that could undermine the integrity of the blockchain and potentially lead to a large-scale outage.

The exact attack mechanism has not yet been disclosed, in order to give node operators and downstream projects enough time to apply the update, according to Ethereum team lead Péter Szilágyi. Broadly, however, the bug can cause a chain split, meaning that vulnerable Geth instances would reject the canonical chain.

Razer bug allows a mouse to take over Windows

A security researcher has discovered a bug that allows anyone who can plug in a Razer peripheral, such as a USB mouse, to gain administrative privileges on a Windows machine.

The researcher, known as Jonhat, outlined on Twitter how connecting a Razer USB peripheral gives users administrative privileges. This is due to a quirk in Windows Update, which by default installs and runs the Razer Synapse software as a system-level user.

During installation, the installer prompts the user to choose a directory in which to install Synapse. Because the installer runs as a system-level user, anyone can Shift+right-click an empty area of that dialog to open PowerShell with full administrative privileges. Razer later contacted the researcher and said its security team was working on a fix as quickly as possible.
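Seen from process-creation telemetry (Windows event 4688 or an EDR equivalent), the behaviour described above shows up as an interactive shell running as SYSTEM whose parent is an installer rather than a service host. The following triage routine is an added example for this article, not code from IT Pro, Razer or Microsoft; every event, account name, file path and field name in it is constructed for illustration.

```python
"""Added example (not from the IT Pro article, Razer or Microsoft).

Triage process-creation events for an interactive shell running under the
SYSTEM account whose parent process is an installer. That is the shape of
the issue described in the article: an installer launched by Windows as a
system-level user, from whose dialog a user reaches PowerShell.
All events, paths and field names below are constructed for this example.
"""
import ntpath

INTERACTIVE_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
# Parents that routinely start SYSTEM processes; a SYSTEM shell under them is low priority.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe"}
# Substrings commonly found in installer image names (heuristic, not a Razer file name).
INSTALLER_HINTS = ("install", "setup")

# Constructed process-creation events; the installer path is hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2021-08-23T10:01:02", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\Temp\ExampleDeviceSetup.exe"},
    {"ts": "2021-08-23T10:01:40", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\Temp\ExampleDeviceSetup.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2021-08-23T10:02:10", "user": "CORP\\alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2021-08-23T10:03:00", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def triage(event):
    """Return 'high', 'medium' or 'low' for a SYSTEM shell, or None if not notable."""
    if event["user"] not in SYSTEM_ACCOUNTS:
        return None
    if basename(event["image"]) not in INTERACTIVE_SHELLS:
        return None
    parent = basename(event["parent"])
    if any(hint in parent for hint in INSTALLER_HINTS):
        return "high"    # shell spawned by an installer running as SYSTEM
    if parent not in EXPECTED_SYSTEM_PARENTS:
        return "medium"  # SYSTEM shell from an unusual parent: worth a look
    return "low"         # SYSTEM shell from a service host: likely a task or service


def find_suspicious_shells(events, minimum="medium"):
    """List (timestamp, severity, parent) for events at or above the given severity."""
    order = {"low": 0, "medium": 1, "high": 2}
    results = []
    for event in events:
        severity = triage(event)
        if severity is not None and order[severity] >= order[minimum]:
            results.append((event["ts"], severity, event["parent"]))
    return results


if __name__ == "__main__":
    for ts, severity, parent in find_suspicious_shells(SAMPLE_EVENTS):
        print(f"{ts} {severity.upper():6} SYSTEM shell spawned by {parent}")
```

The heuristic is deliberately coarse: any interactive shell running as SYSTEM deserves a glance, and one whose parent is an installer is the pattern worth alerting on. In a real deployment the parent and user fields come from the telemetry source's own schema, and the installer-name hints should be tuned to the vendor software actually present in the estate.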

Cisco fixes a critical bug in the APIC interface for switches


Cisco has released a patch for a critical vulnerability in the Application Policy Infrastructure Controller (APIC) interface of its Nexus 9000 series switches.

APIC is a centralized controller that automates network provisioning and control based on application requirements and policies.

The bug, tracked as CVE-2021-1577 and rated 9.1 out of 10 on the CVSS severity scale, stems from improper access control that could allow a remote attacker to upload files. It could potentially be abused to read or write any file on a vulnerable system.

Atlassian warns of a critical Confluence bug

Atlassian has disclosed a vulnerability in its Confluence Server and Confluence Data Center products that could allow an unauthenticated attacker to execute arbitrary code on an affected instance.

Confluence is a workplace collaboration platform that lets teams work on projects or ideas remotely. Confluence Cloud, Atlassian's hosted offering, is not affected by the bug; only the self-hosted versions of the product are susceptible to exploitation.

The bug is tracked as CVE-2021-26084 and is rated 9.8 out of 10 on the CVSS severity scale. Atlassian has not disclosed exact exploitation details beyond describing the vulnerability as an OGNL injection in the Confluence Server Webwork layer.
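Since OGNL expressions are delimited by `${...}`, `%{...}` or `#{...}`, one coarse hunting check for an OGNL injection of this kind is to URL-decode each request's query string and look for those delimiters in parameters that should never legitimately carry them. The script below is an added example for this article, not code from IT Pro or Atlassian; the log lines, hostnames and paths are constructed, and it assumes the common "combined" web-server log format.

```python
"""Added example (not from the IT Pro article or Atlassian).

Scan web-server access logs for OGNL expression delimiters in query strings.
Attackers often URL-encode payloads more than once, so decoding is repeated
until the string stops changing. Log lines and paths below are constructed
placeholders; the format is assumed to be the 'combined' log format.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines (placeholder hosts, paths and parameters).
SAMPLE_LOG = r"""
10.0.0.5 - - [26/Aug/2021:12:00:01 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Aug/2021:12:00:07 +0000] "POST /example.action?q=%24%7B1%2B1%7D HTTP/1.1" 200 61 "-" "curl/7.64"
10.0.0.9 - - [26/Aug/2021:12:00:09 +0000] "GET /example.action?q=%2524%257B7*7%257D HTTP/1.1" 200 102 "-" "curl/7.64"
10.0.0.7 - - [26/Aug/2021:12:00:12 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
""".strip().splitlines()

# Combined log format: client, ident, user, [timestamp], "METHOD path PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
OGNL_MARKERS = ("${", "%{", "#{")


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (double encoding is common) until the value is stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return one record per request whose decoded query string contains an OGNL delimiter."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match or "?" not in match.group("path"):
            continue
        path, query = match.group("path").split("?", 1)
        decoded = decode_fully(query)
        markers = [marker for marker in OGNL_MARKERS if marker in decoded]
        if markers:
            hits.append({"ip": match.group("ip"), "ts": match.group("ts"),
                         "path": path, "markers": markers, "query": decoded})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]} markers={hit["markers"]}')
```

Two caveats apply when running this against real logs: parameters sent in a POST body do not appear in access logs at all, so this check only covers the query string, and applications that legitimately accept template syntax will produce false positives that need an allow-list per endpoint.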
