PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 24 By PatchDay Alert

Drupal SQLi exploited in the wild, plus a perfect-10 DNS poisoning bug in Unbound

CVE-2026-9082 is an unauth SQLi in Drupal Core already being exploited. CVE-2026-42960 scores CVSS 10.0 for DNS cache poisoning in Unbound on Azure Linux. Also: rsync memory disclosure (8.1), Memcached SASL timing side channel (8.1), and a Windows DWM privesc (7.8).

Patch now: 1 · Within 24h: 1 · This week: 3 · Exploited: 1
Drupal Core · Linux · Windows · Unbound · Azure Linux · Cloud · Rsync · Memcached · Windows 10 · Windows DWM

Drop what you're doing if you run Drupal. CVE-2026-9082 is a SQL injection in Drupal Core's database abstraction layer, no auth required, and attackers are already exploiting it in the wild. Behind that, a CVSS 10.0 DNS cache poisoning bug in Unbound on Azure Linux and an rsync memory-disclosure bug round out a busy Memorial Day queue.


Today's CVEs

Sorted by urgency

02 · CVE-2026-42960

MSRC · CVSS 10.0 · EPSS 0.03% · Patch within 24h · CRITICAL
Unbound · Azure Linux · Linux · Cloud

Unbound on Azure Linux 3.0 is vulnerable to DNS cache poisoning through promiscuous authority-section records. An attacker can inject forged DNS answers into the resolver cache, redirecting traffic for arbitrary domains. CVSS 10.0, though EPSS is very low (0.0003) and there's no known exploitation yet.

Included because
CVSS 10.0; network-facing service; cache poisoning can affect entire environments downstream
Affected estate
Azure Linux 3.0 systems running Unbound 1.19.1-5 as a caching or recursive DNS resolver.
How to check
Run `rpm -q unbound` or `tdnf list installed unbound` and confirm the version is 1.19.1-5 or earlier.
Action
Update Unbound via `tdnf update unbound`, then restart the service with `systemctl restart unbound`.
Urgency
Patch within 24 hours
Why it matters
Cache poisoning on a DNS resolver lets an attacker redirect all downstream clients to malicious servers without touching the clients themselves.
Source
NVD

03 · CVE-2026-43618

MSRC · CVSS 8.1 · EPSS 0.06% · Patch this week · HIGH
Rsync · Azure Linux · Linux · Cloud

An integer overflow in rsync before 3.4.3 can leak sensitive data during file transfers. An attacker who controls or compromises an rsync endpoint could trigger the overflow to read memory contents they shouldn't have access to. CVSS 8.1, no known exploitation yet.

Included because
CVSS 8.1; common utility on Linux systems; information disclosure risk
Affected estate
Azure Linux 3.0 hosts running rsync 3.4.1-2. Also applies to any Linux system running rsync below 3.4.3.
How to check
Run `rsync --version` or `rpm -q rsync` to confirm the installed version.
Action
Update rsync to 3.4.3+ and verify with `rsync --version`.
Urgency
Patch this week
Why it matters
Information disclosure through a tool commonly used for backups and replication could expose file contents or credentials in transit.
Source
NVD

04 · CVE-2026-47783

MSRC · CVSS 8.1 · EPSS 0.08% · Patch this week · HIGH
Memcached · Azure Linux · Linux · Cloud

Memcached before 1.6.42 has a timing side channel in SASL authentication. The server exits its username-check loop early when it finds a valid user, which lets an attacker figure out valid usernames by measuring response times. This is a prerequisite for credential-stuffing or brute-force attacks, not direct code execution.
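As an added illustration of the lookup pattern the advisory describes (this is not memcached's code and not part of the digest), here is an early-exit username search beside a fixed-work, constant-time version. The user list is a constructed sample and the function names are this example's own; the comparison counter stands in for the response time an observer would measure.

```python
"""Early-exit vs fixed-work username lookup.

Added example, not memcached's implementation. Shows why a search that
stops at the first valid user leaks username validity through timing,
and how a lookup that always does the same work avoids that.
"""
import hashlib
import hmac

# Constructed sample of configured SASL user names (no passwords involved).
CONFIGURED_USERS = ["alice", "bob", "carol", "dave"]


def lookup_early_exit(users, candidate):
    """Vulnerable pattern: return on the first match.

    The number of comparisons depends on whether, and where, the candidate
    appears in the list, so the time taken reveals whether a name is valid.
    Returns (found, comparisons_performed).
    """
    comparisons = 0
    for user in users:
        comparisons += 1
        if user == candidate:          # data-dependent early return
            return True, comparisons
    return False, comparisons


def _fixed_len(name):
    # Hash to a fixed-length digest so that the comparison below never has
    # to deal with inputs of different lengths (compare_digest only hides
    # *where* strings differ, not their lengths).
    return hashlib.sha256(name.encode("utf-8")).digest()


def lookup_fixed_work(users, candidate):
    """Hardened pattern: always walk the whole list.

    Each entry is compared with hmac.compare_digest, whose running time does
    not depend on which bytes differ, and the result is accumulated with a
    bitwise OR instead of a branch, so the work done is identical for a
    valid, an invalid, and an unknown name. Returns (found, comparisons).
    """
    target = _fixed_len(candidate)
    found = 0
    comparisons = 0
    for user in users:
        comparisons += 1
        found |= int(hmac.compare_digest(_fixed_len(user), target))
    return bool(found), comparisons


def work_profile(lookup, users, candidates):
    """Map each candidate name to the comparisons a lookup spends on it."""
    return {c: lookup(users, c)[1] for c in candidates}


if __name__ == "__main__":
    probes = ["alice", "dave", "mallory"]   # first entry, last entry, unknown
    print("early exit :", work_profile(lookup_early_exit, CONFIGURED_USERS, probes))
    print("fixed work :", work_profile(lookup_fixed_work, CONFIGURED_USERS, probes))
```

Run it and the early-exit profile differs per name (1, 4, 4) while the fixed-work profile is flat (4, 4, 4); that flat profile is what the 1.6.42 fix is meant to restore, and it is the property to look for when reviewing any authentication lookup of your own.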

Included because
CVSS 8.1; timing side channel enables credential attacks; common caching service
Affected estate
Azure Linux 3.0 systems running memcached 1.6.27-4 or older with SASL password authentication configured.
How to check
Run `memcached -h 2>&1 | head -1` or `rpm -q memcached` to check the version. Confirm SASL is enabled by looking for `-S` in the service arguments.
Action
Update memcached to 1.6.42+ and restart the service. If SASL isn't needed, consider disabling it and relying on network-level access controls instead.
Urgency
Patch this week
Why it matters
Username enumeration via timing makes brute-force attacks much more efficient, especially if memcached is reachable from untrusted networks.
Source
NVD
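A small audit script, added here and not part of the digest or of Azure Linux's own tooling, that applies the version checks from the Unbound, rsync and memcached entries above in one pass instead of three separate `rpm -q` calls. It asks rpm for the installed VERSION-RELEASE label and orders labels with a simplified port of rpm's rpmvercmp (tilde and caret ordering omitted). The thresholds are the ones stated above; the `ADVISORIES` table, the function names and the status strings are this example's own.

```python
"""Azure Linux package audit for the three advisories above.

Added example (not the digest's or Azure Linux's code). Compares the
installed version-release label of unbound, rsync and memcached against
the thresholds the advisories give, using rpm-style label ordering.
"""
import re
import subprocess

# (CVE, operator, threshold) per package, taken from the entries above.
# "<=" means the listed label itself is affected; "<" means "before".
ADVISORIES = {
    "unbound":   ("CVE-2026-42960", "<=", "1.19.1-5"),
    "rsync":     ("CVE-2026-43618", "<",  "3.4.3"),
    "memcached": ("CVE-2026-47783", "<",  "1.6.42"),
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Order two labels the way rpm's rpmvercmp does (simplified port).

    Labels are split into numeric and alphabetic segments; numeric segments
    compare as integers and beat alphabetic ones; a label with segments left
    over after the other is exhausted is newer. Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def is_vulnerable(package, installed):
    """True if the installed label falls inside the advisory's affected range."""
    _cve, op, threshold = ADVISORIES[package]
    c = rpmvercmp(installed, threshold)
    return c <= 0 if op == "<=" else c < 0


def installed_label(package):
    """VERSION-RELEASE from the rpm database, or None if rpm is absent or the
    package is not installed (rpm exits non-zero in that case)."""
    try:
        result = subprocess.run(
            ["rpm", "-q", "--queryformat", "%{VERSION}-%{RELEASE}\n", package],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout.strip() if result.returncode == 0 else None


def audit(labels):
    """labels: {package: installed label or None} -> {package: status text}."""
    report = {}
    for package, (cve, op, threshold) in ADVISORIES.items():
        installed = labels.get(package)
        if installed is None:
            report[package] = "not installed / rpm unavailable"
        elif is_vulnerable(package, installed):
            report[package] = f"VULNERABLE to {cve}: {installed} {op} {threshold}"
        else:
            report[package] = f"ok: {installed} (threshold {threshold})"
    return report


if __name__ == "__main__":
    live = {pkg: installed_label(pkg) for pkg in ADVISORIES}
    for package, status in audit(live).items():
        print(f"{package:10} {status}")
```

Run it as root or as any user that can read the rpm database; hosts without rpm report every package as unavailable rather than failing. A release-less threshold such as `3.4.3` is ordered below any `3.4.3-N` build, so a rebuilt 3.4.3 package counts as fixed, which matches the "3.4.3+" wording in the rsync action; for Unbound the advisory names the `1.19.1-5` build itself, so the check is inclusive there.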

05 · CVE-2026-34336

MSRC · CVSS 7.8 · EPSS 0.05% · Patch this week · HIGH
Windows 10 · Windows DWM · Windows

A buffer over-read in the Windows DWM (Desktop Window Manager) Core Library lets a logged-in attacker escalate privileges locally. This requires an attacker to already have code execution on the box, so it's a post-compromise escalation path, not a remote entry point. CVSS 7.8, no exploitation reported yet.

Included because
CVSS 7.8; local privilege escalation; widespread Windows desktop deployment
Affected estate
Windows 10 Version 1607 (32-bit and x64), Version 1809 (32-bit and x64), and Version 21H2 (32-bit). Other builds may also be affected; check the Microsoft advisory.
How to check
Run `winver` or query `(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion` to confirm the OS build. Check installed KBs with `Get-HotFix`.
Action
Deploy the latest cumulative update for the affected Windows 10 versions via WSUS, Intune, or Windows Update.
Urgency
Patch this week
Why it matters
Local privilege escalation lets an attacker who already has a foothold go from standard user to SYSTEM, which is the typical next step in a compromise chain.
Source
Microsoft Security Response Center
