Qualys Discovers Critical Flaw in OpenBSD Mail Server OpenSMTPD; Multiple Platforms Affected
This week Qualys Research Labs, the research arm of vulnerability management vendor Qualys, disclosed a vulnerability in OpenSMTPD, the mail server developed by the OpenBSD project. The flaw, identified as CVE-2020-7247, allows an attacker to execute arbitrary shell commands as root: locally in OpenSMTPD's default configuration, which only accepts mail from the local machine, and remotely on servers configured to accept mail from the network. OpenSMTPD is not confined to OpenBSD; it is also packaged for FreeBSD and for Linux distributions such as Debian, Fedora, and Alpine. Although it was discovered only recently, the vulnerability has been present since a code change made in May 2018. Exploitation does face one limit: the local part of the sender address (the text before the @) may be at most 64 characters, which is not much room for a command. Qualys found an easy way around this limit by reviving a technique used by the Morris worm.
The Morris worm of 1988 abused a debug feature of Sendmail to have the body of a mail message executed as a shell script, and Qualys applied the same idea to OpenSMTPD: the short sender address only has to tell the shell to skip past the message headers and pipe the rest of the message, the body, into sh, and the body has no meaningful length limit. The key finding from Qualys Research Labs was that the technical expertise required for a successful attack is low. Once the flaw was discovered, Qualys worked quickly with the OpenBSD and OpenSMTPD developers so that the vulnerability was disclosed in tandem with the patch that fixes it. It is not known whether any attacks using the exploit were carried out before disclosure.
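The check at the root of the flaw, as an added example that is not from this page or from OpenSMTPD's source: a simplified C model of the sender-address validation described in the Qualys advisory. A local part containing shell metacharacters fails the syntax check, but when the client supplies no domain, the pre-fix logic accepts the address anyway as a local user; the fixed path re-applies the check. The function names, the `with_fix` switch, the `example.org` domain and the probe strings are constructed for this example, and the Morris-style sender is included only to show that it fits inside the 64-character limit the article mentions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSMTPD's source: a simplified model of the sender
 * address check whose fall-through caused CVE-2020-7247.  MAILADDR_ALLOWED is
 * the punctuation a local part may contain; 64 is the limit the article cites. */
#define MAILADDR_ALLOWED "!#$%&'*/?^`{|}~+-=_"
#define MAXLOCALPART 64

/* Constructed probe shaped like the Morris-worm trick the article describes:
 * swallow the header lines with read, then hand the body to sh.  63 chars. */
#define MORRIS_STYLE_LOCALPART \
    ";for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;"

static int is_atext(char c)
{
    if (c == '\0')
        return 0;
    return isalnum((unsigned char)c) || strchr(MAILADDR_ALLOWED, c) != NULL;
}

/* RFC 5321 dot-atom: atoms of atext separated by single dots.  ';' and ' '
 * are not atext, so a shell snippet can never pass this check. */
int valid_localpart(const char *s)
{
    for (;;) {
        if (!is_atext(*s))          /* empty atom, leading dot, ';', ' ' ... */
            return 0;
        while (*++s != '\0' && *s != '.')
            if (!is_atext(*s))
                return 0;
        if (*s == '\0')
            return 1;
        s++;                        /* past the dot; another atom must follow */
    }
}

/* Simplified hostname: dot-separated labels of letters, digits and '-'. */
int valid_domainpart(const char *s)
{
    for (;;) {
        if (!isalnum((unsigned char)*s))
            return 0;
        while (*++s != '\0' && *s != '.')
            if (!isalnum((unsigned char)*s) && *s != '-')
                return 0;
        if (*s == '\0')
            return 1;
        s++;
    }
}

/* Models the fixed-size buffer the parser copies the local part into. */
int local_part_fits(const char *s)
{
    return strlen(s) <= MAXLOCALPART;
}

/* Accept (1) or reject (0) a parsed "user@domain".  local_domain is the
 * server's own name, used when the client gave none; mailfrom is 1 for MAIL
 * FROM, where an empty path is legal for bounces.  with_fix selects the
 * pre-fix (0) or fixed (1) decision.  out may be NULL. */
int smtp_mailaddr(const char *user, const char *domain, const char *local_domain,
                  int mailfrom, int with_fix, char *out, size_t outlen)
{
    if (!local_part_fits(user))
        return 0;
    if (valid_localpart(user) && valid_domainpart(domain)) {
        if (out) snprintf(out, outlen, "%s@%s", user, domain);
        return 1;
    }
    if (mailfrom && user[0] == '\0' && domain[0] == '\0')
        return 1;                   /* empty return-path, needed for bounces */
    if (user[0] == '\0' || domain[0] != '\0')
        return 0;
    /* No domain: treat as a local user.  Pre-fix, the local part that just
     * failed validation is accepted unchanged, so ';' and spaces travel on into
     * the delivery command.  The fix re-applies the check on this path. */
    if (with_fix && !valid_localpart(user))
        return 0;
    if (out) snprintf(out, outlen, "%s@%s", user, local_domain);
    return 1;
}

int main(void)
{
    const char *probes[] = { "alice", ";id;", MORRIS_STYLE_LOCALPART };
    char addr[256];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int pre = smtp_mailaddr(probes[i], "", "example.org", 1, 0, addr, sizeof addr);
        int fix = smtp_mailaddr(probes[i], "", "example.org", 1, 1, NULL, 0);
        printf("len=%2zu pre-fix=%d fixed=%d  %s\n", strlen(probes[i]), pre, fix,
               pre ? addr : "(rejected)");
    }
    return 0;
}
```

Compile with any C99 compiler and run: `alice` is accepted on both paths, while `;id;` and the 63-character Morris-style sender are accepted only by the pre-fix decision. On a real server the accepted string travels on to local delivery, which the Qualys advisory describes as being run through the shell, and that is where the metacharacters become a command; the test for a practitioner is therefore not the length of the address but whether the daemon accepts one that fails `valid_localpart` when no domain is given.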
Anyone running OpenSMTPD, whether on OpenBSD or on a Linux or BSD distribution, should patch immediately. The OpenSMTPD development team released the fix as OpenSMTPD 6.6.2p1, available both on GitHub and at opensmtpd.org, and OpenBSD shipped it as an errata patch. The flaw is in the OpenSMTPD daemon, not in OpenBSD or Linux as such: a system is exposed only if it runs OpenSMTPD built from code that includes the May 2018 change and has not yet been patched. Because that covers roughly two years of releases and it is not always obvious which distributions ship which version, treat any OpenSMTPD installation whose version is not known to be patched as vulnerable, and check whether the daemon accepts mail from the network, which turns a local issue into a remote one. While OpenBSD and Linux together hold a smaller share of the market than Windows, both are commonly used in business operations today; companies like IBM, Google, and Amazon, among others, run certain systems and servers on Linux distributions.