Tehtris, a cybersecurity firm, has recently conducted research shedding light on some of the crucial Common Vulnerabilities and Exposures (CVEs). Let’s delve into these vulnerabilities.
CVE-2017-9841: A Security Gap in PHPUnit
This CVE, with a high CVSS 3.1 score of 9.8, lies within PHPUnit, a widely-used testing framework. It permits remote attackers to execute arbitrary PHP code, constituting a serious threat due to the popularity of PHP. According to Tehtris research, this vulnerability accounts for a significant 28% of the threats they identified.
CVE-2019-9670 and CVE-2019-9621: The Dual Threat in Synacor Zimbra Collaboration Suite
Synacor Zimbra Collaboration Suite, a prevalent email and collaboration software, was found to harbor two notable vulnerabilities.
CVE-2019-9670 is an XML External Entity injection (XXE) vulnerability. With a CVSS 3.0 score of 9.8, it allows an attacker to interact with any reachable back-end components or potentially open remote file shares that the software can access. This vulnerability represents 18% of the threats identified by Tehtris.
CVE-2019-9621, another vulnerability in Synacor Zimbra Collaboration Suite, is not yet mentioned in CISA’s known vulnerabilities catalog. Despite having a lower CVSS 3.0 score of 7.5, this vulnerability is still of high concern. It too contributes to 18% of the threats observed in Tehtris’s study.
CVE-2021-41173: Crashing the Go Ethereum Protocol
A more recent vulnerability is CVE-2021-41173, found in the Go Ethereum protocol. Despite a lower CVSS 3.1 score of 5.7, it still presents a significant threat as it leads to crashes, potentially disrupting important blockchain operations. This vulnerability also constitutes 18% of the threats highlighted in the Tehtris research.
CVE-2018-10561: An Omitted Threat
CVE-2018-10561 is not explicitly described in the Tehtris research but is worth noting. This security gap lies in DASAN H660RM devices with firmware 1.03-0022, which could allow remote attackers to execute arbitrary commands via a crafted HTTP request.