Critical Zero-day Flaw Identified In Hillrom Cardiology Devices

A high-severity flaw in multiple cardiac healthcare devices could allow malicious third parties to access privileged accounts without a password and seize control of the devices. The authentication bypass vulnerability in certain Hillrom products exists when the devices have been configured to use single sign-on (SSO). It allows the manual entry of any Active Directory (AD) account provisioned within the application, meaning access is granted without the associated password having to be provided.
Binaré’s platform will check your medical IoT device for a wide range of vulnerabilities and security issues and give you a detailed report on them. Take a step towards securing your business today: try our FREE Demo at https://binare.io/!
More information about the incident:
https://portswigger.net/daily-swig/zero-day-vulnerability-in-hillrom-cardiology-devices-could-allow-attackers-full-control?&web_view=true
Vulnerabilities In Metal Detector Peripheral Identified – An Open Door For Attackers To Manipulate Security Devices

Cisco Talos identified several security flaws in a device from Garrett Metal Detectors that could allow remote malicious third parties to bypass authentication requirements, manipulate metal detector configurations, and even execute arbitrary code on the device. The vulnerabilities are located in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i and Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. The security flaws discovered can be divided into the following groups:
- Stack-based buffer overflow security flaws that an attacker could trigger by sending a specially crafted packet to the device (CVE-2021-21901, CVE-2021-21903, CVE-2021-21905 & CVE-2021-21906)
- Directory traversal vulnerabilities that allow an authenticated attacker to conditionally read, write and delete files on the device (CVE-2021-21904, CVE-2021-21907, CVE-2021-21908 & CVE-2021-21909)
- A race condition in the authentication phase of a command-line utility exposed over the network (CVE-2021-21902)
Binaré provides you not only with the platform but also with professional services that help your business avoid cyberattacks. Improve your cybersecurity posture with Binaré’s expert and advisory services! Sign up at https://try.binare.io/get_in_touch and we will reach out to you as soon as possible.
More information about the incident:
https://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-detector.html?&web_view=true
Western Digital Customers Warned To Update Their My Cloud Devices To Latest Firmware Version

Western Digital has informed its customers to update their WD My Cloud devices to the latest firmware version in order to keep receiving security updates, as the older My Cloud OS firmware is reaching end of support. Devices running outdated firmware will not receive security updates in the future and will therefore be more exposed to cyber-attacks. That is why it is important to disconnect such devices from the internet, disable remote access, and use a strong, unique password.
Binaré offers a solution that helps protect businesses from cyber-attacks, because Binaré cares about the security of the IoT devices your business uses. Visit our web page and check your device with our FREE Demo at https://binare.io/.
More information about the incident:
https://securityaffairs.co/wordpress/125767/hacking/my-cloud-devices-firmaware-update.html?web_view=true
Lenovo Laptops Found Vulnerable To Privilege Escalation Exploit

A privilege elevation vulnerability affecting the ImControllerService service in Lenovo laptops, including ThinkPad and Yoga models, allows cybercriminals to execute commands with administrator rights. The security flaws are tracked as CVE-2021-3922 and CVE-2021-3969 and affect the ImControllerService component of all Lenovo System Interface Foundation versions below 1.1.20.3. The vulnerabilities were discovered by NCC Group cybersecurity researchers, who reported their findings to Lenovo on October 29, 2021.
Binaré’s platform will check your IoT device for a wide range of vulnerabilities and security issues and give you a detailed report on them. Take a step towards securing your business today: try our FREE Demo at https://binare.io/!
More information about the incident:
https://heimdalsecurity.com/blog/lenovo-laptops-vulnerable-to-privilege-escalation-exploit/?web_view=true
Billions of Devices At the Risk of Coexistence Attacks

Cybersecurity researchers have published a paper proving that it is possible to manipulate traffic and extract passwords on a WiFi chip. The researchers showed privilege escalation from a Bluetooth chip to code execution on a WiFi chip. In addition, they demonstrated coexistence attacks on Cypress, Silicon Labs, and Broadcom chips. Since the research paper was shared with chip vendors, only some have released security updates against the flaw. “As many devices still remain exposed to the attack, chip vendors are requested to take proactive measures for better protection”.
Binaré recommends that smart device manufacturers, as well as businesses that use smart devices, check them for vulnerabilities with Binaré’s automated IoT vulnerability management and firmware analysis platform to make the use of these devices safe. Assess the security risk your IoT device poses for FREE with our Demo here: https://binare.io/.
More information about the incident:
https://cyware.com/news/billions-of-devices-are-at-the-risk-of-coexistence-attacks-98aef691
Free icons courtesy of flaticon.com by authors: kerismaker, Freepik, vectorsmarket15, kendis lasman, Backwoods