Weekly Security News – 10th June 2024

NHS under attack, Zyxel emergency patch and Android vulnerabilities patched... welcome to this week's Security News!

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Zyxel issues emergency RCE patch for end-of-life NAS devices

Zyxel Networks has released an emergency security update to address three critical vulnerabilities impacting older NAS devices that have reached end-of-life. The flaws impact NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older. The networking solutions vendor addressed three critical flaws, which enable attackers to perform command injection and remote code execution. However, two of the flaws allowing privilege escalation and information disclosure were not fixed in the end-of-life products.
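For administrators who need to work out which of their NAS326 and NAS542 units fall inside the affected range quoted above, the following is an added example (not Zyxel's code and not from the original article) of a small inventory check. It assumes Zyxel's firmware version strings follow the `major.minor(BRANCH.build)Cn` shape seen in the advisory, with the model-specific branch code (AAZF for NAS326, ABAG for NAS542) and the trailing `Cn` revision compared numerically; the inventory rows are constructed sample data.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Last affected firmware versions as quoted in the advisory summary above.
# Any firmware at or below these values, for the matching model, is in scope.
LAST_AFFECTED = {
    "NAS326": "5.21(AAZF.16)C0",
    "NAS542": "5.21(ABAG.13)C0",
}

# Assumed layout of a Zyxel NAS firmware version string: 5.21(AAZF.16)C0
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    branch: str   # model-specific release code, e.g. AAZF for NAS326
    build: int    # the number after the branch code
    patch: int    # the trailing Cn revision

    def ordinal(self) -> Tuple[int, int, int, int]:
        # Comparison key; the branch is checked separately because it is
        # a model identifier, not a sortable component.
        return (self.major, self.minor, self.build, self.patch)


def parse_version(text: str) -> ZyxelVersion:
    """Parse a firmware string, rejecting anything that does not fit the assumed shape."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, branch, build, patch = m.groups()
    return ZyxelVersion(int(major), int(minor), branch, int(build), int(patch))


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if the device runs firmware at or below the last affected version.

    Returns None for models the advisory does not name, so callers can tell
    "out of scope" apart from "patched".
    """
    model = model.strip().upper()
    if model not in LAST_AFFECTED:
        return None
    have = parse_version(version)
    last_bad = parse_version(LAST_AFFECTED[model])
    if have.branch != last_bad.branch:
        # A firmware branch from a different model on this hardware is
        # suspicious in its own right; refuse to guess rather than mis-classify.
        raise ValueError(
            f"{model}: firmware branch {have.branch} does not match expected {last_bad.branch}"
        )
    return have.ordinal() <= last_bad.ordinal()


def affected_devices(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames of inventory rows (hostname, model, firmware) still in the affected range."""
    return [host for host, model, fw in inventory if is_affected(model, fw)]


# Constructed sample inventory; hostnames and firmware values are illustrative only.
SAMPLE_INVENTORY = [
    ("nas-finance-01", "NAS326", "5.21(AAZF.16)C0"),   # last affected build
    ("nas-finance-02", "NAS326", "5.21(AAZF.17)C0"),   # above the affected range
    ("nas-lab-01",     "NAS542", "5.20(ABAG.12)C0"),   # older, affected
    ("nas-lab-02",     "NAS540", "5.21(AATB.11)C0"),   # model not named in the advisory
]

if __name__ == "__main__":
    for host in affected_devices(SAMPLE_INVENTORY):
        print(f"{host}: firmware within the affected range, apply the emergency update")
```

Running the script prints the two constructed hosts that sit at or below the quoted versions; the NAS540 row is skipped rather than reported because the advisory summary above does not cover it, which is the distinction a defender wants when triaging an asset list.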

Linux Kernel Use-after-free Vulnerability

The Linux kernel contains a use-after-free vulnerability, tracked as CVE-2024-1086, that could allow an attacker to achieve local privilege escalation. The vulnerability has a CVSSv3 score of 7.8. Based on evidence of exploitation in the wild, the US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1086 to its Known Exploited Vulnerabilities catalog. Affected organisations are encouraged to contact their relevant Linux IT suppliers and apply the relevant updates.

Cyber Attacks

Critical incident over London hospitals' cyber-attack

Major hospitals in London have declared a critical incident after a cyber-attack led to operations being cancelled and emergency patients being diverted elsewhere. The incident affects hospitals partnered with Synnovis, a provider of pathology services. King’s College Hospital, Guy’s, and St Thomas’ – including the Royal Brompton and the Evelina London Children’s Hospital – and primary care services are among those affected. The incident has had a “major impact” on the delivery of services, especially blood transfusions and test results. Some procedures have been cancelled or redirected to other NHS providers as the hospitals try to establish what work can be carried out safely. The NHS said emergency care continued to be available.

Oracle WebLogic Server OS Command Injection Flaw Under Active Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to obtain unauthorized access to susceptible servers and take complete control. “Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document,” CISA said.

In Other News...

37 Vulnerabilities Patched in Android

Google this week started rolling out the June 2024 set of monthly security updates for Android, with patches for 37 vulnerabilities, including multiple high-severity elevation of privilege bugs. The first part of this month’s security update, which arrives on devices as the 2024-06-01 security patch level, resolves 19 flaws in the Framework and System components. “The most severe of these issues is a high security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in its advisory.

Cisco Patches Webex Bugs Following Exposure of German Government Meetings

Cisco on Tuesday released a security advisory after the media reported that the German government’s Webex meetings were exposed, potentially allowing adversaries to obtain highly sensitive information. German publication Zeit Online [paywalled content] reported on May 4 that vulnerabilities in the German government’s implementation of the Cisco Webex video conferencing software could have been exploited to obtain links to internal meetings and the meeting rooms of high-ranking officials. The German government has been using the on-premises version of Webex to store data on local servers and ensure that it would not leave the country.