Apple fixes four 0-day vulnerabilities in WebKit
Apple yesterday released a security update to fix four 0-day vulnerabilities that, according to Apple itself, could be actively exploited. The four flaws were found in WebKit, the rendering engine used by the Safari browser and also by other components of Apple's systems to display web content without using a browser. While Apple has not shared full details of these vulnerabilities, it states that processing specially crafted malicious web content would allow an attacker to execute arbitrary code remotely. The flaws have been identified as CVE-2021-30663, CVE-2021-30665, CVE-2021-30666 and CVE-2021-30661, all of which are under possible exploitation. The affected products are iOS, macOS, iPadOS, watchOS and tvOS.
More details: https://support.apple.com/en-us/HT212336
Multiple critical vulnerabilities in Exim mail servers
The Qualys research team has discovered 21 critical vulnerabilities in the Exim email server, which is available for most Unix-based operating systems and is pre-installed on several Linux distributions, such as Debian. According to the researchers, an estimated 60 percent of all internet servers run on Exim. Of the vulnerabilities discovered, ten could be exploited remotely and eleven could be exploited locally in default or at least very frequent configurations. Some of them could be chained together to execute remote code without authentication and escalate privileges. Most of these bugs would affect all Exim versions prior to 4.94.2, since its launch in 2004.
TsuNAME: a vulnerability allowing attacks against authoritative DNS servers
Researchers have published a joint paper exposing details of a DNS vulnerability, named TsuNAME, that could be used as an amplification vector in distributed denial of service (DDoS) attacks targeting authoritative DNS servers. The vulnerability affects recursive DNS resolvers, allowing attackers to make them send uninterrupted queries to authoritative servers whose zones contain cyclically dependent records. The combined effect of many vulnerable recursive resolvers could crash an authoritative server, affecting critical DNS infrastructure such as Top Level Domains (TLDs) and, potentially, country-specific services. The researchers have released the CycleHunter tool to detect cyclic dependencies in DNS zones.
All the details: https://tsuname.io/advisory.pdf
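The kind of check a zone operator can run for the cyclic dependencies described above, as an added example (not CycleHunter's code and not from the advisory). It assumes the cyclic records are NS delegations, that in-bailiwick name servers are reachable through glue, and it uses constructed zone names.

```python
# Added example: detect zones whose NS records depend on each other in a loop.
# Constructed sample data: zone -> NS target host names.
SAMPLE_NS = {
    "cat.example.": ["ns1.dog.example."],
    "dog.example.": ["ns1.cat.example."],
    "bird.example.": ["ns1.bird.example.", "ns2.fish.example."],
    "fish.example.": ["ns1.fish.example."],
}

def owning_zone(host, zones):
    """Return the longest known zone that is a suffix of host, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None

def dependency_graph(ns_records):
    """Map each zone to the other zones that must resolve to reach its NS hosts."""
    records = {zone.lower(): targets for zone, targets in ns_records.items()}
    graph = {}
    for zone, targets in records.items():
        deps = {owning_zone(t, records) for t in targets}
        # Assumption: a zone's own in-bailiwick servers resolve via glue.
        graph[zone] = {d for d in deps if d and d != zone}
    return graph

def find_cycles(ns_records):
    """Depth-first search; returns at least one cycle per cyclic group of zones."""
    graph = dependency_graph(ns_records)
    cycles, done = [], set()

    def visit(zone, path):
        if zone in path:  # back edge: the tail of the path is a cycle
            cycle = path[path.index(zone):]
            k = cycle.index(min(cycle))  # rotate so each cycle is listed once
            normalized = cycle[k:] + cycle[:k]
            if normalized not in cycles:
                cycles.append(normalized)
            return
        if zone in done:
            return
        for dep in sorted(graph.get(zone, ())):
            visit(dep, path + [zone])
        done.add(zone)

    for zone in sorted(graph):
        visit(zone, [])
    return cycles

if __name__ == "__main__":
    for cycle in find_cycles(SAMPLE_NS):
        print("cyclic NS dependency:", " -> ".join(cycle + cycle[:1]))
```

A zone that appears in a reported cycle should have at least one of its NS targets moved to a name that resolves without passing through the other zones in the loop.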
Qualcomm vulnerability affects Android devices
Researchers at Check Point have published the results of a study on a new buffer overflow vulnerability tracked as CVE-2020-11292, which could allow a threat actor to access a mobile device’s call and text message (SMS) log, unlock the SIM and eavesdrop on the user’s conversations. The flaw lies in a chip contained in some devices, known as the Mobile Station Modem (MSM) and made by Qualcomm, which is responsible for connecting devices to the network and is managed by the QuRT operating system. The researchers determined that the vulnerability lies in the Qualcomm MSM Interface (QMI) protocol, which, after receiving malformed TLV packets, triggers a memory corruption and allows a threat actor to execute their own code. The vulnerability could be exploited by hiding the malformed TLV packets within radio communications or multimedia content sent by the device. Check Point contacted Qualcomm to notify them of the flaw last year, but there is still no patch, as they say it is up to the mobile suppliers themselves to take action.
Full information: https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/