This week we’ll talk about a critical vulnerability in Mozilla’s Network Security Services, the latest Netgear security advisory, a vulnerability in the Vim text editor, and a fairly new tool that you can use to audit your Python packages.
Mozilla NSS RCE (CVE-2021-43527)
Mozilla’s NSS (Network Security Services) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. It provides a comprehensive open source implementation of many internet security standards and is used in several Mozilla products.
On December 1st, Red Hat released a statement warning users of this package that it is affected by a remote code execution vulnerability. According to the statement, the vulnerability has a critical impact (CVSS: 8.8) on affected systems, and there are currently no practical mitigations. Red Hat recommends updating the affected packages as soon as possible.
Threat Surface That Extends From Home To Office
Netgear recently released a security advisory stating that they were aware of two security vulnerabilities affecting several of their products, including routers, modems, WiFi mesh systems, and WiFi extenders. One of the vulnerabilities allows post-authentication command injection, resulting in sensitive information disclosure. Netgear strongly recommends their customers update the firmware for the affected devices as soon as possible.
With many employees working remotely and connecting to their employer’s infrastructure, it’s crucial to ensure that components that facilitate communication between the employees’ devices and companies’ networks are reliable and secure. Compromising a weak link in this chain may allow attackers to negate companies’ efforts to secure their systems. Attackers could leverage vulnerabilities in employee-owned networking equipment and ultimately cause service disruptions, loss of data, and even security breaches.
Vim Editor Buffer Overflow (CVE-2021-4019)
As described by the update from Fedora, Vim (VIsual editor iMproved) is an updated and improved version of the Vi editor. Vim is a frequently used tool, and it is bundled with most Linux distributions. Versions of Vim prior to 8.2.3669 were recently discovered to be vulnerable to a buffer overflow. When exploited, this vulnerability could cause software crashes, memory modification, or arbitrary code execution.
pip (pip installs packages) is the package installer for the Python programming language. You can use pip to install packages from the Python Package Index (PyPI) and other indexes. pip-audit, on the other hand, is a newly developed tool for scanning Python environments for packages with known vulnerabilities. We feel pip-audit is a great tool that our customers can use to keep track of the packages used in their development environments and to continually audit those packages as new vulnerabilities are discovered.
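To make the continual audit actionable, the added example below (not code from pip-audit or from this post) turns a pip-audit JSON report into a CI gate. The sample report is constructed, with placeholder package names and advisory IDs, and its shape is an assumption based on the output of `pip-audit --format json`; `summarize` and `gate` are hypothetical helper names.

```python
import json

# Constructed sample in the shape of `pip-audit --format json` output
# (package names and advisory IDs are placeholders, not real advisories).
SAMPLE_REPORT = """
{"dependencies": [
  {"name": "examplepkg", "version": "1.0.0", "vulns": [
    {"id": "PYSEC-0000-0001", "fix_versions": ["1.0.3", "1.1.0"], "description": "constructed"},
    {"id": "PYSEC-0000-0002", "fix_versions": [], "description": "constructed"}]},
  {"name": "safepkg", "version": "2.4.1", "vulns": []},
  {"name": "localpkg", "skip_reason": "not found on PyPI"}
], "fixes": []}
"""

def summarize(report_text):
    """Return (findings, skipped) from a pip-audit JSON report."""
    data = json.loads(report_text)
    # Assumption: older releases emit a bare list, newer ones wrap it in "dependencies".
    deps = data["dependencies"] if isinstance(data, dict) else data
    findings, skipped = [], []
    for dep in deps:
        if "skip_reason" in dep:
            # A package that could not be audited is not a clean package; report it separately.
            skipped.append((dep["name"], dep["skip_reason"]))
            continue
        for vuln in dep.get("vulns", []):
            fixes = vuln.get("fix_versions", [])
            findings.append({
                "package": dep["name"],
                "installed": dep["version"],
                "id": vuln["id"],
                "fix": fixes[0] if fixes else None,  # first listed fix version, if any
            })
    return findings, skipped

def gate(report_text, allow_unfixed=False):
    """Exit code for CI: 1 if any finding blocks the build, else 0."""
    findings, _ = summarize(report_text)
    blocking = [f for f in findings if f["fix"] is not None or not allow_unfixed]
    return 1 if blocking else 0

if __name__ == "__main__":
    findings, skipped = summarize(SAMPLE_REPORT)
    for f in findings:
        print(f"{f['package']} {f['installed']}: {f['id']} -> fix: {f['fix'] or 'none published'}")
    for name, reason in skipped:
        print(f"not audited: {name} ({reason})")
    raise SystemExit(gate(SAMPLE_REPORT))
```

In a pipeline, the report text would come from the tool's output instead of `SAMPLE_REPORT`; skipped packages deserve a manual look because they were never checked.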
We always look forward to sharing our knowledge with our customers and Linux lovers. Feel free to leave a comment down below if you have any suggestions, feedback, or knowledge you want to share with the community.