'Perfect 10' Critical Security Vulnerabilities Revealed: Are You Affected?
New critical security vulnerabilities affecting Adobe, Belkin, Bosch, D-Link, Dell, Qualcomm, WordPress plugins and other products have been recorded in just this last week. When a security vulnerability gets a perfect 10 rating, you know it’s time to take notice and act. That there are two Common Vulnerability Scoring System (CVSS) standards in use, CVSS v2.0 and v3.x, might appear confusing at first, but it’s not really. A perfect 10 ‘high’ v3.x rating usually translates to a 9.8 ‘critical’ for the v2.0 standard. Whichever way you look at it, these are vulnerabilities that demand to be taken seriously, especially when a bunch impacting no less than ten vendors appear in a single week. That’s what has just happened, and the U.S. government wants to bring it to your attention.
The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) acts as a risk advisor to the U.S. By sharing security knowledge, it aims to both further the cause of better risk management as well as protect essential national resources. One way in which this knowledge is shared is by using the National Cyber Awareness System (NCAS) to inform and alert regarding high-impact security vulnerabilities and exploits. The NCAS bulletin for the week commencing February 10 has just been published, with hundreds of vulnerabilities listed. Amongst them are no less than 12 that have achieved this perfect 10 rating. One, upon further investigation, was found to be a duplicate, leaving 11 vulnerabilities that impact a total of ten different vendors.
If you thought that was bad enough, the really bad news could still be yet to come: there are more than 200 vulnerabilities in the weekly NCAS bulletin that have yet to have their severity rating calculated. Given the number of exploitable remote code execution vulnerabilities amongst them, I wouldn’t be surprised if the true perfect 10 headcount was much, much higher. And, of course, I have not mentioned those vulnerabilities (and there are plenty on the list) that might not reach a critical rating but still require your urgent attention nonetheless. However, for now, let’s look at what we do know. Here are the 11 vulnerabilities from the National Vulnerability Database that have been rated a perfect 10.
CVE-2020-3740 is a memory corruption vulnerability in versions of Adobe Framemaker, from 2019.0.4 and earlier, that could lead to arbitrary code execution. A patch can be downloaded from Adobe to fix this flaw.
CVE-2020-6770 is another remote code execution issue, this time with various versions of the Bosch Mobile Video Service as used alongside some network video recording and security systems. A Bosch security advisory has been posted regarding this vulnerability, which was discovered during internal product testing.
CVE-2013-5945 is a different kind of flaw, covering multiple SQL injection vulnerabilities in a range of D-Link routers.
CVE-2013-1360 and CVE-2013-1359 both concern Dell products. Both are authentication bypass vulnerabilities affecting some versions of the SonicWALL Global Management System and some Universal Management Appliance versions.
CVE-2019-14514 impacts versions of the Microvirt MEmu Android emulator before 7.0.2 and enables the execution of arbitrary commands via supplied shell metacharacters.
CVE-2014-5091, a vulnerability in Status2K 2.5 server monitoring software, could enable an attacker to execute arbitrary PHP code.
And finally, CVE-2013-3684 is a cross-site scripting vulnerability in the NextGEN Gallery WordPress plugin for versions prior to 1.9.13.
Users of any of these products are advised to visit the vendor and update to a fixed version or download a patch, where available. If no solutions are yet available, keep an eye on both the vendor site and the ‘references to advisories, solutions, and tools’ section of the National Vulnerability Database CVE entry as linked to above.