HP releases MDS patches, Siemens medical devices get bug fixes and more: Patch Tuesday - Week 4, May 2019

Apple

Apple has released security updates for three of its software products: iTunes for Windows, iCloud for Windows and iOS. These updates patch major vulnerabilities in software components in these products. Vulnerabilities include memory corruption issues, input validation flaws, and out-of-bounds reads that could lead to remote code execution (RCE), privilege escalation or information disclosure (ID).

The latest version of both iTunes for Windows (12.9.5) and iCloud for Windows (7.12) is now available for Windows 7 and subsequent versions. Likewise, iOS 12.3.1 is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. Apple users are advised to update to these new versions.

Cisco

Cisco has published security advisories to address multiple vulnerabilities in NX-OS, FXOS and Cisco’s Secure Boot implementation. Among them, two flaws were rated as high-impact. CVE-2019-1649, found in Secure Boot, was the result of an incorrect code present in the implementation, that could lead to attackers write modified firmware images in Secure Boot. Similarly, CVE-2019-1858, found in Simple Network Management Protocol (SNMP) of FXOS and NXOS could enable attackers to put devices in a denial-of-service (DoS) condition.

Software updates have been released by Cisco to resolve all these vulnerabilities. Users are advised to apply these updates soon.

HP

For this week, HP releases security updates for MDS flaws that impacted millions of Intel-powered devices around the world. The updates patch specific PC series and point-of-sale systems made by HP. Furthermore, the company has also announced firmware updates to fix five flaws existing in various HP LaserJet Pro and MFP Printers. The flaws could be exploited to carry out Cross-site scripting (XSS), Cross-site request forgery (CSRF) or buffer overflow attacks.

RedHat

RedHat fixes numerous critical vulnerabilities found in applications for Enterprise Linux distributions and other products this week. The 11 advisories published by the company address vulnerabilities in certain applications such as Mozilla Firefox and Pacemaker, which affected RedHat’s distros. In addition, Kernel-based Virtual Machines(KVM) for these distros also had a major flaw (CVE-2019-10132) that was resolved.

Other applications that were patched include libvirt, .NET Core, MariaDB, RedHat Quay, and functional issues in Python language. Users are suggested to go through the advisories carefully and patch them at the earliest. The advisories detailing the affected distros can be read here.

Siemens

Siemens has published advisories that address a serious flaw in Microsoft’s Remote Desktop Services (RDS). This software is used by several products made by the company’s healthcare affiliate Siemens Healthineers. Designated as CVE-2019-0708, the RCE flaw has a CVSS score of 9.8. It affected certain product lines meant for Advanced Therapy, Radiation Oncology, Laboratory Diagnostics, Radiography, Mobile X-ray and Point of Care Diagnostics.

Updates for affected products can be found here.

Ubuntu

A host of vulnerabilities affecting certain Ubuntu-related software applications has been addressed with updates. Vulnerabilities in the products could allow attackers to perform RCE or cause DoS and crash the applications. Following are the updated Ubuntu applications:

• LibRaw
• urllib3
• Firefox
• PHP
• WebKitGTK+
• curl
• MariaDB
• Samba
• Keepalived
• FreeRDP
• Thunderbird
• GNOME

The advisories provide details on software updates to fix these flaws. Users are suggested to follow the steps indicated in the advisories to apply these updates.