Before we dive into the details of this vulnerability, we want to make it clear that there’s no need for panic. Many systems permit the use of various types of code in configuration files, and there are legitimate use cases to include string and variable interpolation in the configuration of applications and systems. This is not Log4Shell all over again. This is simple configuration manipulation.
Read also: Google fixed a zero-day vulnerability in Chrome browser, Marriott fell a victim of cyber extortionists, and more.
The world of healthcare has gone digital. Records can now be transferred anywhere they are needed, from hospital to hospital, or even directly to the patient’s email inbox. While the digitalization of healthcare records is extremely convenient but it is now equally dangerous. These sensitive PHI data are exposed to various forms of cyber threats and vulnerabilities.
Webhooks are one of the best ways to transfer information about occasional events from one system to another. In contrast to methods like HTTP polling — which involves the client repeatedly asking for information from the server — webhooks are triggered by events. This makes them simple and effective. A client can subscribe to a webhook to send a message to an endpoint whenever a specific event happens.
In the OT space it is increasingly common to see devices that are used to bridge the gap between the world of PLCs and IP based networks. These types of devices are commonly referred to as ‘smart-devices’. While smart-devices offer the convenience of remote management, this functionality also may create potential weaknesses exploitable by threat actors as well, and practical exploitation of such flaws is being witnessed in the wild.
Typically, when a web app needs something from an external server, the client sends a request to that server, the server responds, and the connection is subsequently closed. Consider a web app that shows stock prices. The client must repeatedly request updated prices from the server to provide the latest prices.
As your development and security teams grow, it becomes critical that each of your team members using Snyk has only the required permissions to do their job. You need to ensure everyone can perform their jobs with ease, while also avoiding security and compliance issues. A developer, for example, needs the ability to find and fix vulnerabilities in his code but should not be able to change Snyk billing details.
Headline grabbing vulnerabilities, like SolarWinds and Log4Shell, target management software and end hosts, but if you search for “most exploited vulnerabilities” on Google, you will quickly learn that some of them directly target network and security devices as well as server load balancers. These are the 3 most exploited CVEs in the last couple of years: Would you be surprised to learn that network device operating systems can be vulnerable to security flaws like any other software?
