Weekly threat roundup: Zyxel, Samsung Galaxy, Windows 10

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Admin-level backdoor in Zyxel’s VPNs

Zyxel customers are being urged to upgrade the firmware of their virtual private network (VPN), firewall, and access point controller products due to a serious hardcoded credential vulnerability.

Assigned CVE-2020-29583, the now-patched vulnerability essentially served as a backdoor account using a username and password that were both visible in plain text within Zyxel system binaries that run firmware version 4.60 Patch0. This ‘zyfwp’ account was included to deliver automatic firmware updates, although an individual could exploit the embedded flaw to gain root access to the Zyxel device, according to researchers with Eye Control.

The flaw affected dozens of individual products, with businesses using the company’s VPNs, firewalls, and access point controllers being urged to install version 4.60 Patch1 as soon as possible.

Samsung Galaxy fingerprint glitches return

The latest Samsung Galaxy Note 20 series was embedded with a fingerprint scanning flaw that mirrored the alarming ‘fake fingerprint’ vulnerability in Samsung Galaxy S10 and Note 10 devices.

A firmware update released this month patched a number of vulnerabilities, including SVE-2020-19216, branded ‘false recognition of fingerprint scanner’. According to the description, the flaw centred on odd behaviour centred on the smartphone’s screen protector resulting in a high false recognition rate.

There’s nothing in the patch notes that suggest the flaw led to a higher ‘false acceptance rate’, which was the problem plaguing the previous generation of Samsung Galaxy devices. These problems were so severe that major banks, such as Nationwide and Natwest, withdrew biometric support for their apps on affected devices until the issues were resolved.

Windows 10 escalation of privilege flaw

On Christmas Eve, Google’s Project Zero security team published the details around a severe elevation of privilege flaw in Windows 10 that has been exploited in the wild.

The privilege of escalation vulnerability was first disclosed to Microsoft on 24 September, although it was eventually disclosed publicly after the 90-day window elapsed, even though a patch had yet to be released.

The flaw involves the ‘splwow64’ process and can be exploited if an attacker sends a local procedure call (LCP) message from another low-intensity malicious process. This would allow them to write arbitrary values to an arbitrary address in splwow64’s memory space.

The researcher behind the disclosure, Maddie Stone, said the original issue, assigned CVE-2020-0986, wasn’t properly fixed when Microsoft first attempted to patch it in June 2020, and that attackers only needed to make a few tweaks to continue to exploit the flaw, now identified as CVE-2020-17008. It’s expected that a patch will be available in the next patch Tuesday round of fixes.

TCP/IP flaws expose IoT and OT systems

Dozens of vulnerabilities are embedded in millions of internet of things (IoT) and operation technology (OT) systems, according to a report published in December by Forescout Research Labs.

The findings identified 33 flaws in four TCP/IP stacks, dubbed AMNESIA:33, leaving products belonging to more than 150 vendors compromised. Analysis has found the TCP/IP stacks are vulnerable across the board, with many of these flaws arising from bad software development practices. Feature-rich protocols, such as DNS, are also particularly affected.

Despite its claims that millions of devices are affected, the researchers added that it’s difficult to determine which devices are affected because of the complexity of IoT and OT supply chains.

However, some mitigating actions can be taken, such as disabling or blocking IPv6 traffic when it’s not needed since a handful of the flaws relate to IPv6 components. Devices should also be configured to rely on internal DNS servers as much as possible. Businesses should, finally, monitor network traffic for malformed packets.