Well, we made it through the first month of 2021! (Hopefully without any scratches or bruises 😅). As stewards of the lush and vast landscape of security vulnerabilities, we felt obliged to share with you the top trending CVEs of the past month. So, without further ado, The Top Trending CVEs of January 2021:
This CVE is a high severity vulnerability that affects Zyxel firewalls and AP controllers. A hardcoded credential vulnerability was identified in the zyfwp user account in some firewalls and AP controllers.
The account was created to send automatic firmware updates to the connected access points through FTP. Patches for the affected products are available on the vendor's website.
The vulnerability is tracked as CVE-2020-29583. It affects Zyxel firewalls running firmware version V4.60 and AP controllers running firmware versions V6.00 through V6.10.
CVE-2020-29583 stems from an undocumented account (zyfwp) with a fixed password. The password is stored in clear text in the firmware. An attacker who knows it can use the account to log in to the web interface or SSH server with admin privileges.
Visit the Vicarius Research Center for more information on CVEs and how to remediate them. You can also try a 30-day free trial of our TOPIA solution.
Prefer to listen instead? We got you covered 😏
Microsoft released an update to plug more than eighty security holes in its Windows operating system and other software. Microsoft rates ten of the flaws as critical, which means criminals can exploit them to gain control of unpatched systems with little or no interaction from Windows users.
Microsoft's monthly security patches include an essential fix for a vulnerability in Microsoft Defender antivirus that was exploited before the patch was released. Cyber criminals exploit this vulnerability to gain the privileges needed to execute malicious code on vulnerable devices where Defender is installed.
Microsoft has released patches for all of the affected operating systems. Security teams should assess and prioritize patching for critical systems. Although the attack vector is local because the flaw is file-based, Microsoft Exchange and other public-facing services should be patched first, since they have the most exposure to exploitation.
This vulnerability allows a remote attacker to brute-force password hashes.
The vulnerability arises from a comparison error in the OpenBSDBCrypt.checkPassword() function in core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java when matching passwords against stored hashes.
A remote attacker can submit incorrect passwords that the library accepts as valid, bypass the authentication procedure, and gain illicit access to an application that uses a vulnerable version of Bouncy Castle.
In cases where Bcrypt.doCheckPassword() is used to check a password, successful exploitation results in an authentication bypass.
An attacker must brute-force password attempts until the bypass is triggered. Many passwords can be bypassed after multiple attempts; some hashes take more attempts than others, depending on how many bytes of the hash have values between 0 and 60. With enough attempts, every password hash can be bypassed, and in some cases the bypass requires little effort.
Bcrypt hashing-based authentication is used for verification checks in APIs and web applications.
Bcrypt hashing is used to check user passwords. When the authentication bypass is triggered, attackers can perform the same operations as an authorized user, including gaining administrator-level access to a sign-on system.
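An added example (not Bouncy Castle's code and not part of the original post): a Python model of the comparison error described above, placed next to a correct constant-time comparison. The flawed function assumes the publicly documented shape of the defect, in which the loop compared the index of the first occurrence of each code point 0..59 in the two strings instead of comparing the characters at each position, so only '.', '/' and the digits from the bcrypt alphabet were ever examined. The two sample hash strings are constructed for the demonstration and are not real bcrypt output; `inspected_chars` shows which bytes of a stored hash the flawed loop actually looks at, which is why the effort to bypass varies from hash to hash.

```python
"""Flawed vs. correct comparison of bcrypt hash strings.

Added example; a Python model of the comparison-error bug class, not
the library's own code. Assumption: the flawed loop compares the
first-occurrence index of chr(i) for i in 0..len-1, as publicly described.
"""
import hmac
import string

# Constructed sample hash strings (60 characters each, the usual bcrypt
# length). Neither is a real bcrypt hash; they only share the "$2a$10$"
# prefix and otherwise contain letters only.
SAMPLE_STORED = "$2a$10$" + string.ascii_lowercase + string.ascii_uppercase + "a"
SAMPLE_OTHER = "$2a$10$" + string.ascii_uppercase[::-1] + string.ascii_lowercase[::-1] + "Z"
# Same as SAMPLE_OTHER but with one digit, a byte the flawed loop does inspect.
SAMPLE_WITH_DIGIT = SAMPLE_OTHER[:-1] + "7"


def flawed_compare(stored: str, computed: str) -> bool:
    """Model of the broken check (assumed pattern, see lead-in).

    For each i in 0..len-1 it compares where chr(i) FIRST appears in each
    string. Two strings that both lack chr(i) compare as -1 == -1, so any
    character with code point >= len(stored) is never examined at all.
    """
    if len(stored) != len(computed):
        return False
    is_equal = True
    for i in range(len(stored)):
        is_equal &= stored.find(chr(i)) == computed.find(chr(i))
    return is_equal


def correct_compare(stored: str, computed: str) -> bool:
    """Position-by-position, constant-time comparison of the full strings."""
    return hmac.compare_digest(stored.encode("utf-8"), computed.encode("utf-8"))


def inspected_chars(stored: str) -> list:
    """Characters of `stored` whose code point is below len(stored).

    These are the only bytes the flawed loop constrains; a hash with few of
    them is matched by many unrelated strings.
    """
    return sorted({c for c in stored if ord(c) < len(stored)})


def verify(stored: str, computed: str, comparator=correct_compare) -> bool:
    """Authentication decision: True only when the comparator accepts."""
    return comparator(stored, computed)


if __name__ == "__main__":
    print("inspected bytes:", inspected_chars(SAMPLE_STORED))
    print("flawed accepts different hash:", verify(SAMPLE_STORED, SAMPLE_OTHER, flawed_compare))
    print("correct accepts different hash:", verify(SAMPLE_STORED, SAMPLE_OTHER))
```

A useful regression check for any password-verification code path is the `SAMPLE_STORED` vs `SAMPLE_OTHER` case above: two distinct strings that a broken comparator accepts as equal. A correct comparator must reject them, and should compare the whole string in constant time rather than short-circuiting on the first difference.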
Kent Weigle, February 01, 2021