In 2017, VSEC provided services to a large number of domestic and global clients, helping to secure many systems. Most of these clients are well-known enterprises, so their combined user base is also huge, reaching tens of millions. This means VSEC has helped protect, directly and indirectly, a large mass of users from attacks.
During these engagements, VSEC repeatedly found the same bugs and vulnerabilities across clients' systems, all of them high risk. VSEC has therefore compiled these common vulnerabilities so that everyone is aware of them in advance and can take reasonable steps to defend their own systems. These vulnerabilities appear mainly on servers and in web applications.
How to fix the vulnerabilities:
- ETERNALBLUE (MS17-010)
Apply the patch from Microsoft: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
- HTTP.sys Remote Code Execution Vulnerability (MS15-034)
Apply the patch: https://technet.microsoft.com/library/security/ms15-034
- WebLogic Server RCE (CVE-2015-4852), IBM WebSphere RCE (CVE-2015-7450)
Apply the patch from the vendor.
- SQL injection and XSS:
To fix these two vulnerabilities, developers should follow these rules when validating input data:
- For SQL injection, all user-supplied data should be passed as bound parameters, or checked against a white-list, before it is processed any further.
- For XSS, user-supplied data must be HTML-encoded when it is returned to the client side.
- Broken Access Control:
Check every request to decide which rights or resources the application grants it (e.g. validating the user's session…).
- Apache Struts Remote Code Execution (CVE-2017-5638)
This is a very serious flaw; developers are advised to update to the latest version of the Apache Struts 2 framework.
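The three application-level rules above (parameterize or white-list input before it reaches SQL, HTML-encode output, and check every request against the session and the requested object) are shown together in the following added example. It is not VSEC's or any client's code; it uses an in-memory SQLite database with constructed sample rows and a constructed session table as stand-ins for a real application's database and session backend.

```python
import html
import sqlite3
from typing import Optional


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite database standing in for the
    application's own users/documents tables (an assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                     [(10, 1, "alice-report"), (20, 2, "bob-notes")])
    conn.commit()
    return conn


# --- SQL injection: the vulnerable query beside its parameterized replacement ---

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: user input is concatenated straight into the statement, so a
    # quote in the input changes the query structure.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized: the driver binds the value; it is never parsed as SQL.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers such as column names cannot be bound as parameters, so they are
# checked against a white-list before being placed in the query text.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: %r" % sort_by)
    return conn.execute("SELECT id, name FROM users ORDER BY " + sort_by).fetchall()


# --- XSS: HTML-encode user data before it goes back into a page ---

def render_greeting(name: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the browser renders
    # the text instead of interpreting it as markup.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# --- Broken access control: check every request against the session ---

# Constructed session store mapping session token -> user id (assumption: the
# real application keeps this server-side in its session backend).
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


def get_document(conn: sqlite3.Connection, session_token: Optional[str], doc_id: int):
    """Return the document row, or None if the request is not authorized."""
    # 1. Authentication: the request must carry a valid server-side session.
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return None
    # 2. Authorization: the object must belong to the session's user. Fetching
    #    by id AND owner means an id belonging to another user yields nothing.
    return conn.execute(
        "SELECT id, owner_id, title FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id, user_id),
    ).fetchone()


if __name__ == "__main__":
    db = build_sample_db()
    hostile = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, hostile))  # every user row
    print("safe:      ", find_user_safe(db, hostile))        # []
    print(render_greeting("<script>alert(1)</script>"))
    print(get_document(db, "tok-alice", 10), get_document(db, "tok-alice", 20))
```

The object-level check in `get_document` is the part most often missing in the "Broken Access Control" findings: a valid session alone is not enough, the record requested must also be one the session's user is allowed to see, and that decision is made on the server for each request rather than trusted from an id supplied by the client.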
As technology develops, vulnerabilities become harder to recognize, and patching is only a temporary remedy rather than a fundamental one; the same applies to the warnings issued by VSEC and other network security companies. Therefore, to maximize the security of your system, if you do not have your own technical team, look for professional security service providers: security experts and specialized technical systems will protect your system in the most comprehensive way!