Qualys Discovers Critical Flaw With OpenBSD Mail Server, Multiple Programs Vulnerable
This week Qualys Research Labs, a vulnerability management provider, disclosed a vulnerability in the OpenSMTPD mail server that ships with the OpenBSD operating system. The flaw, identified as CVE-2020-7247, allows an attacker to execute arbitrary code with command privileges. OpenSMTPD is also packaged for many Linux distributions such as FreeBSD, Debian, Fedora, and Alpine. Although it was discovered only recently, it is possible the vulnerability has been present since May 2018. The exploit is limited by the length of the local part of the address, which may be at most 64 characters, but Qualys found a simple workaround for this limit in its research by borrowing a technique from the Morris Worm.
Using that Morris Worm technique, Qualys was able to bypass the length limit by having Sendmail execute the body of the mail as a shell script. The key finding from Qualys Research Labs was that the technical expertise required to carry out a successful attack with this vulnerability is low. Once it was discovered, Qualys worked quickly with OpenBSD so that the vulnerability was disclosed at the same time as the patch that fixes it. As of now it is unknown whether any successful attacks have already been carried out using the exploit.
Users who operate OpenBSD or a Linux distribution should patch their systems immediately. The OpenSMTPD development team has prepared a patch that is available both on GitHub and at opensmtpd.org. While OpenBSD and Linux distributions hold a smaller share of the market, both are commonly used in business operations today. Furthermore, it is unknown exactly which OpenBSD or Linux distributions are vulnerable to the flaw, so potentially any Linux-based OS or OpenBSD system is exposed. If you operate either a Linux distribution or OpenBSD, you should remediate your systems immediately. Companies such as IBM, Google, and Amazon, among others, still operate certain systems and servers on Linux distributions.