Weekly threat roundup: IBM, VMware and Python

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

IBM fixes Integration Designer bug

Hackers were, until recently, able to exploit multiple vulnerabilities in IBM systems including a remote code execution flaw found in Integration Designer, a key software development tool. These bugs have been patched alongside several others affecting IBM’s Planning Analytics Workspace.

Tracked as CVE-2020-27221 and CVE-2020-14782, these flaws were embedded in the IBM Runtime Environment Java 7 and 8 used by this service, as well as IBM’s Business Automation Workflow and Business Process Manager packages.

The first is deemed a critical vulnerability and is rated 9.8 on the CVSS threat severity scale. It relates to the Eclipse OpenJ9 component, which is vulnerable to stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending a long string, hackers could overflow a buffer and execute arbitrary code remotely on the system. 

Hackers actively scanning for vulnerable VMware systems

Although VMware has recently patched a handful of flaws in its ESXi and vSphere Client services, hackers are scanning for exposed VMware vCenter servers that haven’t yet been patched, according to Bad Packets.

The company this week fixed three flaws present across VMware ESXi bare-metal hypervisor and vSphere Client virtual infrastructure management platform. The bugs included a severe flaw rated 9.8 on the CVSS scale, and tracked as CVE-2021-21972.

Attackers with access to port 443 could exploit this flaw to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server, according to VMware. 

Also patched was CVE-2021-21974, a heap buffer overflow vulnerability in the OpenSLP component of ESXi. Rated 8.8, hackers lying dormant within the same network segment as ESXi with access to port 427 may trigger the issue in OpenSLP which could also result in remote code execution. 

Virtual event platforms exposed MSPs to attack

Vulnerabilities found in two of the top five most widely-used virtual event management platforms had exposed conference-goers and managed service providers (MSPs) to potential cyber attacks.

Webcasts.com and VFairs are embedded with vulnerabilities ranging from information disclosure bugs to remote code execution flaws. The security firm Huntress discovered these vulnerabilities after attending events hosted on these platforms and opting to do “some poking and prodding”.

The companies running these events platforms were notified of the vulnerabilities in September and October 2020 and have since issued fixes. Huntress couldn’t confirm if any successful attacks exploited these flaws, but warned it could well be possible that many other virtual event management platforms are also embedded with similar vulnerabilities.

RCE concern in Python

The Python Software Foundation (PSF) is urging developers to upgrade to Python 3.9.2 and 3.8.8 to mitigate the threat posed by two vulnerabilities, including one categorised as a ‘remote code execution’ bug.

Although this flaw, tagged CVE-202103177, is listed as a potential remote-code execution risk, the foundation claims that practical exploits of this flaw are very unlikely due to several testing conditions that need to be met. 

Researchers with Red Hat, who’ve analysed the flaw, have only rated it 5.9 on the CVSS scale because the highest threat is to system availability, i.e. hackers exploiting this to shut down a system. It’s described as a stack-based buffer overflow in Python’s ctypes module. Apps using ctypes without carefully validating the input passed to it may be exposed to this flaw, which could allow hackers to overflow a buffer on the stack and crash the application.