Please see Security Advisories for the week ending August 6, 2021
- VMware Releases Security Updates for Multiple Products
- Cisco Releases Security Updates for Multiple Products
- Google Releases Security Updates for Chrome Browser
- NSA Releases Guidance on Securing Wireless Devices While in Public
_______________________________
VMware Releases Security Updates for Multiple Products
Situation
VMware has released security updates to address vulnerabilities in multiple products.
Problem
In VMware Workspace ONE Access and Identity Manager, the /cfg web app and its diagnostic endpoints, which are meant to be reached only on port 8443, can be accessed through port 443 by supplying a custom Host header. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 8.6. A malicious actor with network access to port 443 could tamper with the Host header to reach the /cfg web app, and could reach the /cfg diagnostic endpoints without authentication.
Implication
An attacker could exploit these vulnerabilities to gain access to confidential information.
Need
CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0016 and apply the necessary updates or workaround.
For a brief overview:
For a more technical overview:
https://www.vmware.com/security/advisories/VMSA-2021-0016.html
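Because the Problem above hinges on a Host header that names the 8443 virtual host while the TCP connection arrives on the 443 listener, the same pattern can be hunted for after the fact in web-server or reverse-proxy access logs. The following Python script is an added example, not code from VMware or CISA: it runs a Host-header mismatch check over constructed sample log lines. It assumes an Apache-style combined log with the Host request header appended as a final quoted field, a hypothetical appliance name access.example.internal, and constructed request paths under /cfg.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

# Hypothetical appliance name used throughout this example.
EXPECTED_FQDN = "access.example.internal"

# Constructed sample lines (not real appliance logs): Apache "combined"
# layout with the Host request header (%{Host}i) logged as a final quoted
# field.  10.0.0.9 is the constructed "attacker" that sends a Host header
# naming the 8443 virtual host over the 443 listener.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2021:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5120 "access.example.internal"
10.0.0.9 - - [05/Aug/2021:10:01:07 +0000] "GET /cfg/login HTTP/1.1" 200 3301 "access.example.internal:8443"
10.0.0.9 - - [05/Aug/2021:10:01:09 +0000] "GET /cfg/system/diagnostics HTTP/1.1" 200 912 "localhost:8443"
10.0.0.7 - - [05/Aug/2021:10:02:00 +0000] "GET /SAAS/jersey/manager/api HTTP/1.1" 401 0 "access.example.internal"
10.0.0.9 - - [05/Aug/2021:10:02:30 +0000] "GET /cfg/login HTTP/1.1" 404 0 "access.example.internal"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<host>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    client: str
    path: str
    host: str      # raw Host header value as logged
    status: int
    served: bool   # True when the sensitive path got a 2xx/3xx answer
    reason: str


def split_host(host: str) -> Tuple[str, Optional[str]]:
    """Split a Host header into (lower-cased hostname, port or None).

    Handles bracketed IPv6 literals such as [::1]:8443."""
    host = host.strip().lower()
    if host.startswith("["):
        name, _, rest = host[1:].partition("]")
        return name, (rest[1:] if rest.startswith(":") else None)
    name, sep, port = host.partition(":")
    return name, (port if sep else None)


def find_host_mismatches(
    lines: Iterable[str],
    expected_fqdn: str = EXPECTED_FQDN,
    listen_port: int = 443,
    sensitive_prefixes: Sequence[str] = ("/cfg",),
) -> List[Finding]:
    """Flag requests on the public listener whose Host header does not name
    the appliance FQDN, names a different port, or targets a sensitive app."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        name, port = split_host(m["host"])
        status = int(m["status"])
        path = m["path"]
        reasons = []
        if name != expected_fqdn:
            reasons.append(f"Host names {name!r}, not the expected appliance FQDN")
        if port is not None and port != str(listen_port):
            reasons.append(f"Host carries port {port} on the {listen_port} listener")
        sensitive = any(path.startswith(p) for p in sensitive_prefixes)
        if sensitive:
            reasons.append(f"{path} requested, HTTP {status}")
        if reasons:
            findings.append(Finding(m["client"], path, m["host"], status,
                                    sensitive and 200 <= status < 400,
                                    "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_host_mismatches(SAMPLE_LOG.splitlines()):
        flag = "SERVED" if f.served else "rejected"
        print(f"{f.client} {f.path} Host={f.host!r} [{flag}] -> {f.reason}")
```

Run against the constructed sample, only the 10.0.0.9 lines are reported: two /cfg requests answered with 200 behind a Host header naming port 8443 (one of them using localhost rather than the appliance FQDN), and a later /cfg request with the correct Host header that was rejected with 404, which is the expected result once the update or workaround is in place. Log the Host header on the 443 listener if you do not already; without it this class of tampering is invisible in the access log.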
________________________________
Cisco Releases Security Updates for Multiple Products
Situation
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
Problem
The following products contain vulnerabilities: Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers, Cisco Small Business RV160 and RV260 Series VPN Routers, Cisco Packet Tracer for Windows, Cisco Network Services Orchestrator, and ConfD.
Implication
An attacker could exploit these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the Cisco advisories and apply the necessary updates.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/08/05/cisco-releases-security-updates
For a more technical overview:
https://tools.cisco.com/security/center/publicationListing.x
_______________________________
Google Releases Security Updates for Chrome Browser
Situation
Google has released Chrome version 92.0.4515.131 for Windows, Mac, and Linux operating systems.
Problem
The release patches five high-severity and two medium-severity vulnerabilities. The high-severity ones are a heap buffer overflow in Bookmarks, a use-after-free in the File System API, an out-of-bounds write in Tab Groups, an out-of-bounds read in Tab Strip, and a use-after-free in Page Info UI.
Implication
An attacker who exploits one of these vulnerabilities could take control of the affected device.
Need
Google recommends users and administrators update their desktop Chrome browser to version 92.0.4515.131 or newer. For additional information please visit the link below.
Google security advisory:
https://chromereleases.googleblog.com/2021/08/the-stable-channel-has-been-updated-to.html
_______________________________
NSA Releases Guidance on Securing Wireless Devices While in Public
Situation
The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the public. The information sheet describes the malicious techniques cyber actors use to target wireless devices and ways to protect against them.
Problem
Wireless infrastructure that is not properly secured leaves a large attack surface in any network environment that relies on it. With that in mind, the NSA information sheet covers the various aspects of wireless use in public settings and how to secure them. CISA has also published a Security Tip on the risks of information collection by mobile apps, how to avoid malicious apps, and how to limit the amount of information those apps collect.
Implication
Failing to follow this guidance could leave wireless devices and the networks they join open to compromise. Likewise, failing to understand the risks associated with mobile apps could result in more personal information being shared with third parties than the user intends.
Need
CISA encourages organization leaders, administrators, and users to review NSA’s guidance on Securing Wireless Devices in Public Settings and CISA’s Security Tip on Privacy and Mobile Device Apps for information on protecting devices and data.
For a brief overview:
For a more technical overview: