Please see Security Advisories for the week ending March 26, 2021
- OpenSSL Releases Security Update
- Samba Releases Security Updates
- Cisco Releases Security Updates for Cisco Small Business Routers
- Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
- Adobe Releases Security Updates for ColdFusion
________________________________
OpenSSL Releases Security Update
Situation
OpenSSL has released version 1.1.1k to fix two vulnerabilities (CVE-2021-3449 and CVE-2021-3450) affecting OpenSSL 1.1.1 releases up to and including 1.1.1j. OpenSSL 1.0.2 is not affected by either issue.
Problem
CVE-2021-3449: an OpenSSL TLS server may crash if it receives a maliciously crafted renegotiation ClientHello. If a TLS 1.2 renegotiation ClientHello omits the signature_algorithms extension (which was present in the initial ClientHello) but includes a signature_algorithms_cert extension, the server dereferences a NULL pointer and crashes, causing a denial of service. A server is exposed only if both TLS 1.2 and renegotiation are enabled, which is the default configuration; OpenSSL clients are not affected. The same advisory also fixes CVE-2021-3450, a CA certificate check bypass that applies only when the non-default X509_V_FLAG_X509_STRICT flag is set on 1.1.1h and later.
Implication
An unauthenticated remote client can crash any TLS server linked against OpenSSL 1.1.1 through 1.1.1j that accepts TLS 1.2 with renegotiation enabled, resulting in denial of service.
Need
All customers running OpenSSL 1.1.1 should upgrade to 1.1.1k. OpenSSL 1.0.2 is not affected by these two issues, but it is out of public support and receives security fixes only for premium support customers, so it should be migrated to 1.1.1 in any case.
For a more technical overview:
https://www.openssl.org/news/secadv/20210325.txt
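The version ranges above are easy to get wrong when checked by hand or by naive string comparison, because OpenSSL 1.1.1 uses a letter suffix and the bare "1.1.1" release sorts below "1.1.1a". The following triage helper is an added example for this digest, not code from OpenSSL or from the advisory; the affected and fixed ranges it encodes are the ones stated above, and the sample inventory strings are constructed in the shape that `openssl version` prints.

```python
"""Triage helper for the 25 March 2021 OpenSSL advisory.

Added example for this digest; not code from OpenSSL or from the advisory.
Ranges encoded here come from the advisory text: CVE-2021-3449 and
CVE-2021-3450 are fixed in 1.1.1k, every earlier 1.1.1 release (1.1.1
through 1.1.1j) is affected, and 1.0.2 is not affected.
"""
import re
import ssl
from typing import Dict, Iterable, Optional, Tuple

# Pre-3.0 OpenSSL versions look like MAJOR.MINOR.PATCH plus an optional
# lowercase letter suffix, ordered 1.1.1 < 1.1.1a < ... < 1.1.1k.
# Anything after the version (a "-fips" tag, the build date printed by
# `openssl version`) is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# 1.1.1k: 'k' is the 11th letter, so the suffix value is 11.
FIXED_1_1_1 = (1, 1, 1, 11)


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a string such as 'OpenSSL 1.1.1j  16 Feb 2021' into a tuple that
    compares correctly. The letter suffix becomes an integer: no letter is 0
    (the bare release), 'a' is 1, ..., 'k' is 11. A two-letter suffix such as
    'zb' (OpenSSL used these in the 0.9.8 series) is treated as bijective
    base-26 so that it sorts after 'z'.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(part) for part in m.group(1, 2, 3))
    suffix = 0
    for ch in m.group(4):
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, patch, suffix)


def advisory_status(version_text: str) -> str:
    """Classify one version string against the 20210325 advisory.

    Returns one of:
      'affected'            - 1.1.1 through 1.1.1j; upgrade to 1.1.1k
      'fixed'               - 1.1.1k or later in the 1.1.1 series
      'not in 1.1.1 series' - e.g. 1.0.2, which the advisory says is not impacted
      'unknown'             - no version number found in the string
    """
    version = parse_openssl_version(version_text)
    if version is None:
        return "unknown"
    if version[:3] != (1, 1, 1):
        return "not in 1.1.1 series"
    return "fixed" if version >= FIXED_1_1_1 else "affected"


def triage(version_texts: Iterable[str]) -> Dict[str, str]:
    """Map each version string of an inventory to its advisory status."""
    return {text: advisory_status(text) for text in version_texts}


if __name__ == "__main__":
    # Constructed sample inventory, in the shape `openssl version` prints.
    samples = [
        "OpenSSL 1.1.1  11 Sep 2018",
        "OpenSSL 1.1.1j  16 Feb 2021",
        "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.1.1k-fips",
        "OpenSSL 1.0.2u  20 Dec 2019",
    ]
    for text, status in triage(samples).items():
        print(f"{text:32s} -> {status}")
    # The interpreter's own OpenSSL, as reported by the ssl module.
    print(f"{ssl.OPENSSL_VERSION:32s} -> {advisory_status(ssl.OPENSSL_VERSION)}")
```

The version string alone does not tell you whether a given server is exposed to CVE-2021-3449: a server that has disabled renegotiation (for example with SSL_OP_NO_RENEGOTIATION) or disabled TLS 1.2 is not reachable by that bug, but it should still be upgraded because the same release also fixes CVE-2021-3450.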
________________________________
Samba Releases Security Updates
Situation
The Samba Team has released updates for two vulnerabilities in the LDAP server of the Samba Active Directory Domain Controller (AD DC).
Problem
CVE-2020-27840: an anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs (Distinguished Names) as part of a bind request; more serious heap corruption is likely also possible. CVE-2021-20277: user-controlled LDAP filter strings sent to the AD DC LDAP server may crash the LDAP server. Both issues are reachable without authentication. Only installations running the AD DC role expose the affected LDAP server; because the first issue involves heap corruption, an attacker could potentially do more than crash the service and take control of an affected domain controller.
Implication
Failure to patch leaves the AD DC LDAP service open to unauthenticated denial of service and, through the heap corruption, to possible compromise of the domain controller and of the integrity of the domain it serves.
Need
CISA encourages users and administrators to review the Samba Security Announcements below for CVE-2020-27840 and CVE-2021-20277 and apply the necessary updates and workarounds. The fixes are included in Samba 4.14.2, 4.13.7 and 4.12.14.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/03/25/samba-releases-security-updates
For a more technical overview:
https://www.samba.org/samba/security/CVE-2020-27840.html
https://www.samba.org/samba/security/CVE-2021-20277.html
________________________________
Cisco Releases Security Updates for Cisco Small Business Routers
Situation
Cisco has released firmware updates for vulnerabilities in the web-based management interface of the Cisco Small Business RV132W ADSL2+ Wireless-N VPN Router and RV134W VDSL2 Wireless-AC VPN Router that could allow a remote attacker to take control of the device.
Problem
The web-based management interface of the RV132W and RV134W routers is vulnerable to remote code execution and denial of service. An authenticated, remote attacker with valid administrative credentials could send crafted requests to the interface to execute arbitrary code on the underlying operating system or cause the device to reload.
Implication
If exploited, the vulnerabilities would allow the attacker to fully compromise the router and possibly use it as a pivot into the network behind it.
Need
Cisco recommends installing the fixed firmware for each affected model. Because exploitation requires administrative credentials, also confirm that the management interface is not reachable from untrusted networks and that default or shared administrator passwords are not in use.
For a more technical overview:
________________________________
Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
Situation
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird.
Problem
The updates for Firefox 87, Firefox ESR 78.9 and Thunderbird 78.9 address multiple vulnerabilities, some of which an attacker could exploit to take control of an affected system, for example by luring a user to a malicious web page or message.
Implication
Failure to patch leaves these clients vulnerable to remote attack and possible remote compromise of the affected systems.
Need
Mozilla advises updating to the current releases: Firefox 87, Firefox ESR 78.9 and Thunderbird 78.9.
For a brief overview:
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/
________________________________
Adobe Releases Security Updates for ColdFusion
Situation
Adobe has released security updates to address a vulnerability (CVE-2021-21087) affecting ColdFusion 2016, 2018 and 2021. Adobe rates the vulnerability critical; it could lead to arbitrary code execution.
Problem
The updates patch an improper input validation flaw in ColdFusion that allows arbitrary code execution on the server.
Implication
If an attacker successfully exploits this vulnerability, it could allow them to take control of the affected system.
Need
Adobe recommends that administrators install the security updates for affected ColdFusion installations as soon as possible. Additional information and patch notes can be found in the link below.
For a more technical overview:
https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html