New year, new threats - review of fresh vulnerabilities

The beginning of the year will probably be associated with the threat of coronavirus. This topic has dominated media reports in recent weeks. It is also an excellent example of how new threats that have not yet been included in the risk analysis can always appear in business.

However, there is just as much going on in the world of cyber threats. On January 14, support for the Windows 7 and Windows Server 2008 family of operating systems ended, as Microsoft had long announced. This means that one of the most popular systems, unfortunately still in use on company computers as well, will no longer receive security patches for newly discovered vulnerabilities.
Proof that this problem should not be underestimated is the vulnerability found in the Remote Desktop Gateway service at the beginning of the year. It is true that it does not affect the no-longer-supported Windows 7 and Windows Server 2008 systems but the slightly newer Windows Server 2012-2019 editions; still, it makes us realize that even in mature operating systems serious vulnerabilities will continue to be found. The vulnerability, identified as CVE-2020-0609, is, importantly, critical because it allows remote code execution (RCE).

The vulnerability in Microsoft SQL Server Reporting Services (CVE-2020-0618) identified in February is of exactly the same nature. Unfortunately, that is not all for Microsoft. Another remote code execution is possible in the Exchange server, more precisely in the Exchange Control Panel component. This vulnerability also dates from the beginning of this year (CVE-2020-0688).

As you can see, users of Microsoft's systems must be vigilant when it comes to security. But is it only them?

Another noteworthy vulnerability found at the beginning of this year carries the identifier CVE-2020-0022 and allows remote code execution via the Bluetooth protocol in Android. It applies to devices with Android 8 and 9 and partially 10 (in this case it is only possible to stop the service).
Let us remember that today various versions of the Android system, or its alternatives, can be found on devices such as TV sets, smartwatches, cameras, VoIP phones, household appliances, web cameras, toys and many, many others. Their manufacturers usually do little when it comes to user security. It is therefore difficult to expect updates patching the above vulnerability on all of these systems.

Speaking of Android, it is also worth mentioning another product from Google: the Chrome browser. In version 80.0.3987.122, three security-critical vulnerabilities were patched. As can easily be deduced from the CVE ID, they too were identified early this year (CVE-2020-6418).

So we have bugs in Microsoft's systems, bugs in Android mobile devices and bugs in the popular browser. Anyone who was not within range of any of these vulnerabilities could still fall victim to a vulnerability in NAS, firewall or UTM devices produced by Zyxel. A command injection vulnerability has been identified in them that allows running system commands with root rights from the login form.

As you can see, the beginning of the year has brought a series of serious threats which, importantly, are very actively used by intruders. Exploits for most of the vulnerabilities described above are already available. The vulnerability in Zyxel devices was available as a 0-day before its official announcement and the publication of the update.