Weekly threat roundup: Zyxel, Samsung Galaxy, Windows 10

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Admin-level backdoor in Zyxel’s VPNs

The Zyxel company logo as seen on its website through a magnifying glass

Zyxel customers are being urged to upgrade the firmware of their virtual private network (VPN), firewall, and access point controller products due to a serious hardcoded credential vulnerability.

Assigned CVE-2020-29583, the now-patched vulnerability essentially served as a backdoor account using a username and password that were both visible in plain text within Zyxel system binaries that run firmware version 4.60 Patch0. This ‘zyfwp’ account was included to deliver automatic firmware updates, although an individual could exploit the embedded flaw to gain root access to the Zyxel device, according to researchers with Eye Control.

The flaw affected dozens of individual products, with businesses using the company’s VPNs, firewalls, and access point controllers being urged to install version 4.60 Patch1 as soon as possible.

Samsung Galaxy fingerprint glitches return

A smartphone with a fingerprint scanner displayed on the screen

The latest Samsung Galaxy Note 20 series was embedded with a fingerprint scanning flaw that mirrored the alarming 'fake fingerprint' vulnerability in Samsung Galaxy S10 and Note 10 devices.

A firmware update released this month patched a number of vulnerabilities, including SVE-2020-19216, branded ‘false recognition of fingerprint scanner’. According to the description, the flaw centred on odd behaviour centred on the smartphone’s screen protector resulting in a high false recognition rate.

There’s nothing in the patch notes that suggest the flaw led to a higher ‘false acceptance rate’, which was the problem plaguing the previous generation of Samsung Galaxy devices. These problems were so severe that major banks, such as Nationwide and Natwest, withdrew biometric support for their apps on affected devices until the issues were resolved.

Windows 10 escalation of privilege flaw

The Windows key being pushed on a blue laptop

On Christmas Eve, Google’s Project Zero security team published the details around a severe elevation of privilege flaw in Windows 10 that has been exploited in the wild.

The privilege of escalation vulnerability was first disclosed to Microsoft on 24 September, although it was eventually disclosed publicly after the 90-day window elapsed, even though a patch had yet to be released.

The flaw involves the ‘splwow64’ process and can be exploited if an attacker sends a local procedure call (LCP) message from another low-intensity malicious process. This would allow them to write arbitrary values to an arbitrary address in splwow64’s memory space.

The researcher behind the disclosure, Maddie Stone, said the original issue, assigned CVE-2020-0986, wasn’t properly fixed when Microsoft first attempted to patch it in June 2020, and that attackers only needed to make a few tweaks to continue to exploit the flaw, now identified as CVE-2020-17008. It’s expected that a patch will be available in the next patch Tuesday round of fixes.

TCP/IP flaws expose IoT and OT systems

Dozens of vulnerabilities are embedded in millions of internet of things (IoT) and operation technology (OT) systems, according to a report published in December by Forescout Research Labs.

The findings identified 33 flaws in four TCP/IP stacks, dubbed AMNESIA:33, leaving products belonging to more than 150 vendors compromised. Analysis has found the TCP/IP stacks are vulnerable across the board, with many of these flaws arising from bad software development practices. Feature-rich protocols, such as DNS, are also particularly affected.

Despite its claims that millions of devices are affected, the researchers added that it’s difficult to determine which devices are affected because of the complexity of IoT and OT supply chains.

However, some mitigating actions can be taken, such as disabling or blocking IPv6 traffic when it’s not needed since a handful of the flaws relate to IPv6 components. Devices should also be configured to rely on internal DNS servers as much as possible. Businesses should, finally, monitor network traffic for malformed packets.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Monero miners target cloud-native development environments
cryptocurrencies

Monero miners target cloud-native development environments

5 Mar 2021
IT security awareness and training firm KnowBe4 acquires MediaPRO
Acquisition

IT security awareness and training firm KnowBe4 acquires MediaPRO

3 Mar 2021
High-risk email security threats increased by 32% last year
phishing

High-risk email security threats increased by 32% last year

3 Mar 2021
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

3 Mar 2021

Most Popular

Star Alliance passenger data stolen in SITA data breach
data breaches

Star Alliance passenger data stolen in SITA data breach

5 Mar 2021
I went shopping at Amazon’s till-less supermarket so that you don’t have to
automation

I went shopping at Amazon’s till-less supermarket so that you don’t have to

5 Mar 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021