A weekly recap of pertinent security events you need to be aware of and can read in 7 seconds (or so...)
Using Thrive Themes on your WordPress site?
Do this: Apply the latest WordPress Thrive Themes security updates.
Why: Attackers are actively exploiting two (2) recently patched vulnerabilities in the popular WordPress marketing platform Thrive Themes. The vulnerabilities allow attackers to compromise websites via an arbitrary file upload.
The following Thrive Themes themes and plugins are known to be vulnerable:
- All Legacy Themes, including Rise, Ignition, and others | Version < 2.0.0
- Thrive Optimize | Version < 188.8.131.52
- Thrive Comments | Version < 184.108.40.206
- Thrive Headline Optimizer | Version < 220.127.116.11
- Thrive Themes Builder | Version < 2.2.4
- Thrive Leads | Version < 18.104.22.168
- Thrive Ultimatum | Version < 22.214.171.124
- Thrive Quiz Builder | Version < 126.96.36.199
- Thrive Apprentice | Version < 188.8.131.52
- Thrive Architect | Version < 184.108.40.206
- Thrive Dashboard | Version < 220.127.116.11
Still Using SolarWinds Orion?
Do this: Upgrade to Orion Platform >= 2020.2.5
Why: Attackers are exploiting four vulnerabilities, two of which result in RCE (a JSON deserialization vulnerability and an Orion Job Scheduler RCE). The other two are less severe but are patched in 2020.2.5 as well. Here are the CVEs:
- CVE 2021-3109 (Medium)
- CVE 2021-35856 (High)
- CVE 2021-PENDING RCE in JSON Deserialization (Critical)
- CVE 2021-PENDING Orion Job Scheduler RCE (High)
Using Linux (kernel < 5.11.8)?
Do this: Upgrade your Debian and Red Hat-based distros; additional distros should be patched soon.
Why: Remember Spectre and Meltdown back in 2018? Like a bad penny, they are back in the news with CVEs that can allow access to kernel memory, though the practical implementation of these attacks limits their effectiveness to users of the same system. Here are the CVEs:
- CVE 2020-27170 (Medium)
- CVE 2020-27171 (Medium)
Using an Apple Device with iOS, iPadOS, watchOS?
Do this: Update as soon as convenient.
Why: Like most Apple security updates, this one is sparse on details, but the risk is that of "universal cross site scripting" due to a flaw in the way the OSes process WebKit instructions.
Additional Info: https://support.apple.com/en-us/HT212257
Running a System/Service that Uses OpenSSL?
Do this: Update to OpenSSL v1.1.1k as soon as possible.
Why: Nokia and Akamai discovered two vulnerabilities in the open source software: a DoS vulnerability and a certificate bypass vulnerability, respectively. Here are the CVEs:
- CVE 2021-3449 (High)
- CVE 2021-3450 (High)
About the Author
Matt Barnett, CISSP, GFCA
Chief Strategist & Cofounder
After years in IT, performing network and system administration, software development, and architecting cloud migrations, Matt began to focus his efforts in cybersecurity. Matt draws on his technical competency and law enforcement background to assist clients, in both proactive and incident response capacities. In addition, Matt has developed an arsenal of applications, strategies, policies, and procedures to assist clients in achieving better cybersecurity.