Veeam releases critical security updates, TfL is hit by an ongoing "cyber security incident" and a council declares a major incident after an attack, all in this week's security news...
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all in one place. If you have any queries or concerns about anything in this week’s news, please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues
Veeam has issued a security bulletin that addresses 18 vulnerabilities across multiple Veeam products. The following platforms are known to be affected:
1. Veeam Backup & Replication has six vulnerabilities: one rated critical and five rated high. Plug-ins for Veeam Backup & Replication that are also affected:
- Veeam Backup for Nutanix AHV Plug-In | 12.5.1.8 and earlier
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In | 12.4.1.45 and earlier
2. Veeam ONE has six vulnerabilities: two rated critical and four rated high.
3. Veeam Service Provider Console (VSPC) has four vulnerabilities: two rated critical and two rated high.
4. Veeam Agent for Linux has one privilege escalation vulnerability, rated high.
Affected organisations should review the Veeam Security Bulletin (September 2024), KB4649, and apply the relevant updates. Veeam states that unsupported product versions are not tested but are likely affected and should be considered vulnerable; since no fix is published for those versions, the remedy is to move to a supported release rather than wait for a patch.
Zyxel Releases Multiple Security Advisories
Zyxel has released three security advisories addressing vulnerabilities in Zyxel firewalls, access points (APs), extenders and security router devices. In the first advisory, Zyxel describes seven vulnerabilities in its ATP and USG FLEX firewall product lines: two could allow an attacker to create a denial-of-service (DoS) condition, four could allow an attacker to execute operating system (OS) commands on an affected device, and one could allow an attacker to obtain browser-based information. The second advisory covers a single vulnerability, CVE-2024-7261, which affects APs and security router devices. CVE-2024-7261 is an OS command injection vulnerability that could allow an unauthenticated attacker to execute OS commands on an affected device. The third advisory addresses a buffer overflow, CVE-2024-5412, affecting 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender and security router devices; an unauthenticated attacker could exploit it to cause a DoS condition. Because both CVE-2024-7261 and CVE-2024-5412 require no authentication, devices with management or affected services reachable from untrusted networks should be prioritised for the firmware updates.
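To make concrete what an OS command injection in a web-facing parameter looks like, here is an added illustration in Python. It is our own example, not Zyxel firmware code and not the actual vulnerable code path: the "ping this host" handler, its host parameter and the use of echo as a stand-in for the ping binary are assumptions made so that it runs harmlessly and offline. It shows the vulnerable string-into-shell pattern, the partial fix of avoiding the shell, and the hardened handler that also allow-lists the input.

```python
import ipaddress
import re
import subprocess
from typing import Tuple

# Constructed example: a CGI-style "ping this host" handler. We run `echo`
# instead of the real ping binary so the demonstration is harmless and
# works offline; the injection mechanics are identical.

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_host(host: str) -> bool:
    """Allow-list check: an IP literal or an RFC 1123 hostname, nothing else.
    Anything containing shell metacharacters, spaces or a leading '-' fails."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(host) is not None


def run_vulnerable(host: str) -> str:
    """Vulnerable pattern: the parameter is interpolated into a shell command
    line, so ';', '|', '`' or '$(...)' in the input start new commands that
    run with the privileges of the CGI process."""
    cmd = f"echo pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=False).stdout


def run_no_shell(host: str) -> str:
    """Safer: argv list, no shell. The whole parameter becomes one argument,
    so metacharacters are passed literally. On its own this still permits
    option injection against a real binary (a host of "-f" would be parsed
    by ping as a flag), which is why validation is needed as well."""
    return subprocess.run(["echo", "pinging", host], capture_output=True,
                          text=True, check=False).stdout


def handle_ping_request(host: str) -> Tuple[int, str]:
    """Hardened handler: allow-list validation first, then no-shell execution."""
    if not is_valid_host(host):
        return 400, "invalid host parameter"
    return 200, run_no_shell(host)


if __name__ == "__main__":
    payload = "192.0.2.1; echo INJECTED"
    print("vulnerable :", repr(run_vulnerable(payload)))
    print("no shell   :", repr(run_no_shell(payload)))
    print("hardened   :", handle_ping_request(payload))
```

Run with the payload above and the vulnerable variant prints a second line, INJECTED, produced by the attacker's appended command; the no-shell variant prints the whole payload as literal text; the hardened handler rejects it with a 400 before anything executes. The same two-layer rule (never hand user input to a shell, and validate against a positive pattern rather than trying to strip "bad" characters) is what a code review of a CGI handler should be looking for.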
Cyber Attacks
TfL faces 'ongoing cyber security incident'
Transport for London’s (TfL) computer systems have been targeted in an ongoing cyber-attack. TfL said there was no evidence that customer data had been compromised and that there was currently no impact on TfL services. Insiders have told BBC London they have been asked to work from home if possible, and that it is the transport provider’s back-office systems at the corporate headquarters that are mainly affected. TfL’s chief technology officer Shashi Verma said: “We have introduced a number of measures to our internal systems to deal with an ongoing cyber security incident.” He added: “The security of our systems and customer data is very important to us and we will continue to assess the situation throughout and after the incident. There is currently no impact to TfL services, and we are working closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident.”
Tewkesbury Borough council cyber-attack sparks major incident
A council has asked local people to “bear with them” as it faces a major incident and recovers from a cyber-attack. Tewkesbury Borough Council took “necessary cyber response steps” and began shutting down its systems following the incident on Wednesday afternoon. Council chief executive Alistair Cunningham said there was “no evidence of data removal/exfiltration” from the organisation. An investigation into the attack is under way, and council leaders are working closely with the National Cyber Security Centre and the counter-fraud agency. Speaking to BBC Radio Gloucestershire, Mr Cunningham said the council “became aware on Wednesday of unknown user accounts in their system. As a result of that, we immediately effected a shutdown of all our systems and have been investigating what’s happening. There’s no evidence of data removal/exfiltration from the organisation. We do not know the extent of the infiltration of our system.” He added that it would be “negligent” to reopen all services before the extent of the attack could be established, and that waste and recycling services are still operational.
In Other News...
Android’s September 2024 Update Patches Exploited Vulnerability
Google on Tuesday announced a fresh set of Android security updates that address 35 vulnerabilities, including a local privilege escalation bug exploited in attacks. The exploited flaw, tracked as CVE-2024-32896 (CVSS score of 7.8), is a high-severity issue in Android’s Framework component: a logic error in the code could lead to a protection bypass, allowing a local attacker to elevate privileges. “The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in the September 2024 Android security bulletin. The bug was first disclosed in June, when Google warned that it had been exploited as a zero-day against Pixel devices; the June 2024 Pixel security update resolved it for Pixel. The September bulletin now brings the fix to the wider Android ecosystem, and Google repeats its warning that “there are indications that CVE-2024-32896 may be under limited, targeted exploitation.”
Apache fixes critical OFBiz remote code execution vulnerability
Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software that could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. OFBiz is a suite of customer relationship management (CRM) and enterprise resource planning (ERP) business applications that can also be used as a Java-based web framework for developing web applications. Tracked as CVE-2024-45195 and discovered by Rapid7 security researchers, this remote code execution flaw is caused by a forced browsing weakness that exposes restricted paths to unauthenticated direct-request attacks. “An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” security researcher Ryan Emmons explained on Thursday in a report that also contains proof-of-concept exploit code. The Apache security team patched the vulnerability in version 18.12.16 by adding authorization checks. With public exploit code available and no credentials required, OFBiz users are advised to upgrade their installations as soon as possible to block potential attacks.
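The failure Rapid7 describes, a restricted view that can be requested directly and is served without the authorization check its normal navigation path would apply, is easy to see in a miniature controller. The following is an added illustration in Python, not OFBiz code and not its real controller or view-map format; the view names, the NAV_LINKS set and the two dispatch functions are constructed for the example. It contrasts a dispatcher that ties the check to how a view is usually reached with one that enforces a per-view, deny-by-default check, and includes the regression probe a practitioner would run against their own view list.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed, generic model of a view-based web controller: a view name maps
# to a handler plus a flag saying whether a logged-in user is required.


@dataclass
class View:
    handler: Callable[[], str]
    requires_auth: Optional[bool] = None  # None: the developer never declared it


VIEWS: Dict[str, View] = {
    "login": View(lambda: "login form", requires_auth=False),
    "main": View(lambda: "dashboard", requires_auth=True),
    "admin/runReport": View(lambda: "report runner", requires_auth=True),
    "admin/export": View(lambda: "data export"),  # auth flag forgotten
}

# The "intended" navigation: links the UI renders. A forced-browsing attacker
# ignores these and requests restricted view names directly by URL.
NAV_LINKS = {"login", "main"}

Response = Tuple[int, str]


def dispatch_vulnerable(view_name: str, logged_in: bool) -> Response:
    """Bug: the authorization check is tied to how the view is normally
    reached, not to the view itself, so anything not on the menu is served
    to an unauthenticated caller."""
    view = VIEWS.get(view_name)
    if view is None:
        return 404, "not found"
    if view_name in NAV_LINKS and view.requires_auth and not logged_in:
        return 401, "login required"
    return 200, view.handler()


def dispatch_hardened(view_name: str, logged_in: bool) -> Response:
    """Fix: one central, per-view check on every request, and a view whose
    auth requirement was never declared is treated as protected."""
    view = VIEWS.get(view_name)
    if view is None:
        return 404, "not found"
    needs_auth = True if view.requires_auth is None else view.requires_auth
    if needs_auth and not logged_in:
        return 401, "login required"
    return 200, view.handler()


def find_unauthenticated_exposure(dispatch) -> List[str]:
    """Regression probe: request every non-public view with no session and
    report the ones that come back 200. Run this against your own view
    inventory after deploying an authorization fix."""
    exposed = []
    for name, view in VIEWS.items():
        if view.requires_auth is False:
            continue  # intentionally public
        status, _ = dispatch(name, logged_in=False)
        if status == 200:
            exposed.append(name)
    return sorted(exposed)


if __name__ == "__main__":
    print("vulnerable exposes:", find_unauthenticated_exposure(dispatch_vulnerable))
    print("hardened exposes:  ", find_unauthenticated_exposure(dispatch_hardened))
```

The probe reports both admin views under the vulnerable dispatcher and nothing under the hardened one. Two points carry over to any framework: the check must live in the central dispatch path rather than in the menu or template that links to the view, and the default for a view with no declared policy must be deny, because the view someone forgot to annotate is exactly the one an attacker will find by guessing paths.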