Critical remote code execution flaw in thousands of VMWare vCenter servers remains unpatched

Researchers have warned that thousands of internet-facing VMWare vCenter servers still harbor critical vulnerabilities weeks after patches were released. 

The vulnerabilities impact VMWare vCenter Server, a centralized management utility. 

VMWare issued patches for two critical bugs, CVE-2021-21985 and CVE-2021-21986, on May 25. 

The first security flaw, CVE-2021-21985, impacts VMware vCenter Server and VMware Cloud Foundation and has been issued a CVSS score of 9.8. The bug was found in a vSAN plugin, enabled by default in the application, and allows remote code execution (RCE) by attackers who have network access to port 443.

VMWare said in a security advisory that this severe bug can be exploited so threat actors can access “the underlying operating system that hosts vCenter Server” with “unrestricted privileges.”

The bug impacts vCenter Server 6.5, 6.7, and v.7.0, alongside Cloud Foundation vCenter Server 3.x and 4.x.

The second vulnerability, CVE-2021-21986, is present in the vSphere Client (HTML5) and the vSphere authentication mechanism for a variety of plugins: Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability. 

Considered less critical with a CVSS score of 6.5, this flaw still permits attackers with access to port 443 to “perform actions allowed by the impacted plug-ins without authentication.”

It appears that thousands of internet-facing servers are still exposed and vulnerable to both CVE-2021-21985 and CVE-2021-21986. 

On Tuesday, researchers from Trustwave SpiderLabs said an analysis of VMWare vCenter servers revealed 5,271 instances of VMWare vCenter servers that are available online, the majority of which are running versions 6.7, 6.5, and 7.0, with port 443 the most commonly employed.
 
After using the Shodan search engine for further examination, the team was able to pull data from 4,969 instances, and they found that a total of 4,019 instances — or 80.88% — remain unpatched.

The remaining 19.12% are likely to be vulnerable, as they are old versions of the software, including versions 2.5x and 4.0x, that are end-of-life and unsupported. 

At the time the vendor issued the security fixes, VMWare said the vulnerabilities demanded the “immediate attention” of users. As previously reported by ZDNet, the patches may break some third-party plugins, and if applying the fixes isn’t possible, server owners are asked to disable the affected VMWare plugins to mitigate the threat of exploitation.

It is recommended that these types of critical bugs are tackled, or mitigated, as quickly as possible. 

Proof-of-Concept (PoC) code has been released for CVE-2021-21985. The issue is severe enough that the US Cybersecurity and Infrastructure Security Agency (CISA) has alerted vendors to patch their builds. 
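The Trustwave analysis above sorts exposed vCenter instances into patched, unpatched and end-of-life buckets. The following triage script is an added illustration of that sorting from the defender's side, not code from the article or from Trustwave: it takes a constructed inventory, parses a made-up version-string format, compares build numbers against placeholder fixed builds (to be replaced with the values in the vendor advisory), and records whether port 443 is reachable and whether the vendor's interim workaround of disabling the plugins has been applied.

```python
import re
from collections import Counter

# Constructed placeholders, NOT real fixed builds: replace with the build
# numbers from the VMware advisory. Lines absent here (2.5x, 4.0x ...) are EOL.
FIXED_BUILDS = {"6.5": 1500, "6.7": 2500, "7.0": 3500}

# Constructed version-string format, e.g. "6.7.0 build-2400".
VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\.\d+)*\s+build-(\d+)$")


def parse_version(text):
    """Return (release line, build number), or None if the string is unparseable."""
    m = VERSION_RE.match(text.strip())
    return (m.group(1), int(m.group(2))) if m else None


def classify(host, fixed_builds=FIXED_BUILDS):
    """Classify one record: {'version': str, 'ports': set[int], 'plugins_disabled': bool}."""
    parsed = parse_version(host["version"])
    if parsed is None:
        return "unknown"
    line, build = parsed
    if line not in fixed_builds:
        return "end-of-life"            # unsupported line, no fix available
    if build >= fixed_builds[line]:
        return "patched"
    if 443 not in host["ports"]:
        return "unpatched-not-exposed"  # flaw present, but 443 is not reachable
    if host["plugins_disabled"]:
        return "unpatched-mitigated"    # vendor workaround applied, still needs the patch
    return "unpatched-exposed"          # needs immediate attention


def summarize(inventory, fixed_builds=FIXED_BUILDS):
    """Count each state and return the share of hosts still lacking the patch."""
    counts = Counter(classify(h, fixed_builds) for h in inventory)
    lacking = sum(n for state, n in counts.items() if state.startswith("unpatched"))
    pct = round(100 * lacking / len(inventory), 2) if inventory else 0.0
    return dict(counts), pct


# Constructed sample inventory; none of these are real hosts.
SAMPLE = [
    {"version": "7.0.2 build-3600", "ports": {443}, "plugins_disabled": False},
    {"version": "6.7.0 build-2400", "ports": {443}, "plugins_disabled": False},
    {"version": "6.5.0 build-1400", "ports": {443}, "plugins_disabled": True},
    {"version": "6.7.0 build-2400", "ports": {22}, "plugins_disabled": False},
    {"version": "4.0.0 build-300", "ports": {443}, "plugins_disabled": False},
]
```

Running `summarize(SAMPLE)` on the constructed inventory reports three of five hosts still lacking the patch, one of them both reachable on 443 and without the plugin workaround.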

Source: https://www.zdnet.com/article/critical-remote-code-execution-flaw-in-thousands-of-vmware-vcenter-servers-remains-unpatched/#ftag=RSSbaffb68

Microsoft: Zero Trust security just hit the mainstream

Zero Trust, the borderless security strategy being pushed by vendors, has fully caught on in the enterprise, according to Microsoft’s latest survey of cybersecurity defenders. 

Microsoft, IBM, Google, AWS, Cisco and others in the cybersecurity industry have been banging the ‘zero trust’ drum for the past few years. 

The case for zero trust was made clearer after this year’s software supply chain attacks on US tech firms, which came amid a mass shift to remote work that demonstrated the need to protect information inside and beyond a trusted environment in a world that spans BYOD, home networks, VPNs, cloud services and more.

As Microsoft has argued, part of zero trust is assuming the corporate network has already been breached, either by hackers targeting that network through phishing or malware, or via an employee’s compromised home device connecting to the network.

The message has gotten through to organizations. Microsoft’s survey of 1,200 security decision makers over the past year found that 96% consider Zero Trust to be critical to their organization.

Zero trust will also soon be compulsory for federal agencies, helping standardize the concept in the broader market. US president Joe Biden’s cybersecurity executive order in May mandated agencies move to zero-trust as-a-service architectures and enable two-factor authentication (2FA) within 180 days. 

The Commerce Department’s NIST followed up last week by calling on 18 of the US’s biggest cybersecurity vendors to demonstrate how they would implement a zero trust architecture.    

Microsoft found that 76 percent of organizations are in the process of implementing a Zero Trust architecture — up six percent from last year.

“The shift to hybrid work, accelerated by COVID-19, is also driving the move towards broader adoption of Zero Trust with 81 percent of organizations having already begun the move toward a hybrid workplace,” writes Vasu Jakkal, Microsoft corporate vice president of security, compliance and identity.

“Zero Trust will be critical to help maintain security amid the IT complexity that comes with hybrid work.”

The top reasons for adopting Zero Trust included increased security and compliance agility, speed of threat detection and remediation, and simplicity and availability of security analytics, according to Jakkal. 

It’s all about confirming everything is secure, across identity, endpoints, the network, and other resources using signals and data.

Biden this week highlighted the real-world stakes at play with recent ransomware and supply chain attacks on critical infrastructure, telling the US intelligence community that a major hack would likely be the reason the US enters “a real shooting war with a major power”. The US president yesterday signed a memorandum addressing cybersecurity for critical infrastructure, ordering CISA and NIST to create benchmarks for organizations managing critical infrastructure.

Source: https://www.zdnet.com/article/microsoft-zero-trust-security-just-hit-the-mainstream/#ftag=RSSbaffb68

Apple broke bad news to iPhone fans

We’ve known this was a problem.

I expected that if there was any time when Apple top brass would mention it, it would be during the earnings call.

And that’s when it happened.

Apple, like most other tech firms, is feeling the pinch due to component shortages.

A word that came up a lot during the call was “constraints.” It was up to Apple CFO Luca Maestri to break the bad news.

“… we expect supply constraints during the September quarter to be greater than what we experienced during the June quarter. The constraints will primarily impact iPhone and iPad.”

Must read: Don’t buy these Apple products: July 2021 edition

Normally, I’d put this down to scarcity marketing — “get in there quick with your iPhone orders, because otherwise you’ll miss out and the cool kids will laugh at you” sort of thing — but these supply constraints are real and are affecting almost every company that is involved in making things.

CEO Tim Cook went on to fill in some more details about the constraints.

“The majority of constraints we’re seeing are of the variety that I think others are saying that are I would classify as industry shortage. We do have some shortages, in addition to that, that are where the demand has been so great and so beyond our own expectation that it’s difficult to get the entire set of parts within the lead times that we try to get those. So it’s a little bit of that as well.”

A little bit of this, a little bit of that.

On the whole, Apple does like to underpromise and overdeliver, especially where Wall Street is concerned, so it doesn’t surprise me that there’s this air of caution.

It makes sense.

The landscape is changing rapidly.

But I think that it’s interesting and somewhat telling that Apple was willing to make such a statement, a statement that caused stocks to fall as a result.

This statement was not made lightly.

If you’re someone who likes getting a new iPhone as soon as they’re out, you might have to work a little harder this year.

Source: https://www.zdnet.com/article/apple-broke-bad-news-to-iphone-fans/#ftag=RSSbaffb68
