Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Business

Among the presentations at this August's Black Hat 2022 conference, few were of practical use to system administrators and security officers. A welcome exception was the report by Rapid7 researcher Jacob Baines, who spoke in detail about how he'd analyzed Cisco enterprise software and found multiple vulnerabilities therein. Jacob's findings are available as slides, in a detailed report, and as a set of utilities on GitHub.

Jacob found 10 issues affecting Cisco Adaptive Security Software, Adaptive Security Device Manager, and Firepower Services Software for ASA. These software solutions control a variety of Cisco systems for enterprise users, including hardware firewalls and end-to-end enterprise security solutions, among others. Seven of these issues Cisco recognized as vulnerabilities, while the remaining three — according to the vendor — don't affect security. At the time of disclosure, two of the seven vulnerabilities had not been closed — despite the fact that Rapid7 informed Cisco back in February/March 2022 (another was supposedly closed later).

What are the vulnerabilities?

Let's take a look at two of the most noteworthy. The vulnerability CVE-2022-20829 relates to the update delivery method used in Cisco ASA software. The bug is rather trivial: binary update packages are not validated at all during installation; there's no digital signature verification or anything like that. Rapid7 showed how to modify Cisco ASDM binary packages to execute arbitrary code when processed.

The second vulnerability of note is CVE-2021-1585. It was discovered in late 2020 by researcher Malcolm Lashley. As he found out, when updates are delivered, the certificate needed to establish a secure connection via a TLS handshake is processed incorrectly. This, in turn, allows an attacker to carry out a man-in-the-middle attack against Cisco clients — that is, substitute their own resource for a legitimate update source. This makes it possible to deliver and execute malicious code instead of a patch. This vulnerability has an interesting history: Malcolm Lashley reported it to Cisco in December 2020. In July 2021, Cisco released details of the vulnerability without a patch. In July 2022, the vulnerability was marked as closed on the internal portal for company clients. Rapid7 showed this not to be the case: if there was a patch, it didn't work.

Nor can the other vulnerabilities be described as trivial. For example, CVE-2022-20828 can be used to attack a system administrator through remote access. The demonstration gives an example of how a potential attacker can gain full access to the system by entering a single command. What's more, Rapid7 found that FirePOWER boot modules are not scanned at all. This means that if any vulnerabilities are closed in the software, it's always possible to roll back the boot image to an earlier, unpatched version. Despite the potential for using such a downgrade in real attacks, Cisco did not even consider it a security issue.

Update delivery difficulties

These vulnerabilities show that even in enterprise software bundled with high-end corporate solutions, the update delivery system can leave much to be desired. Not so long ago, we wrote about a conceptually similar problem in consumer software, namely the Zoom web client for Apple machines. The update checking process seemed quite secure: access to the server was through a secure connection, and the update file was digitally signed. But the signature verification procedure allowed anything to be run instead of a legitimate executable file — and with the highest privileges at that. There's also an example of malicious updates being used in real attacks: in 2018, Kaspersky researchers detected this method in the Slingshot APT campaign to compromise Mikrotik routers. In Cisco's case, verification of the digital signature of ASDM binary package updates didn't even have to be bypassed: it simply didn't exist (a mechanism supposedly appeared in August 2022, but its reliability has yet to be tested). If truth be told, all the attacks proposed by researchers at Black Hat are quite difficult to carry out. But since we could be talking about a large organization with a lot to lose from file-encrypting ransomware or theft of trade secrets, the risk should be taken seriously.

What to do about it

Given the specifics of these vulnerabilities, the Rapid7 researchers' main recommendation is to limit, to the extent possible, working in administrator mode with full access. And this refers not only to having high privileges while connecting to the infrastructure remotely. There are many examples that show a hack is possible even given maximum offline isolation — through malicious updates or a simple script that exploits a software vulnerability. Careful monitoring of those individuals with full access to the infrastructure, and also limiting actions performed as administrator, will help reduce the risk of a successful attack. But the risk won't be eliminated entirely…

 Trends, Reports, Analysis

Phones of at least three human rights investigators in Mexico were infected with Pegasus during the term of President Andres Manuel Lopez Obrador despite the assertions that it would stop using the controversial spyware, a report on Sunday found.

 Trends, Reports, Analysis

Being proactive by scanning their cloud environment for possible vulnerabilities is the best way to address vulnerabilities before they result in breaches. Having clear visibility across the entire attack surface is key to securing the cloud.

 Trends, Reports, Analysis

A total of 1,043 schools and colleges—part of 62 school districts and the campuses of 26 colleges and universities—were hit by ransomware hackers in 2021, according to cybersecurity company Emsisoft.

 Companies to Watch

The new funding, the company says, will help improve the accuracy of vulnerability assessments and accelerate adoption of Detectify’s surface monitoring and application scanning platform.

 Trends, Reports, Analysis

Okta recently released its annual global snapshot of zero trust implementation across industries and found that 72 percent of government organizations surveyed were already employing zero trust methods.

 Malware and Vulnerabilities

One of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. It also gives attackers the ability to execute shell commands.

 Malware and Vulnerabilities

Digital adversaries behind the SolarMarker malware crippled a global tax consulting firm by camouflaging fake Chrome browser updates as part of watering hole attacks. Threat actors use the Google Dorking technique and conduct source code searches to identify such vulnerable websites before injecting the malicious code into them.

 Threat Intel & Info Sharing

The warning was issued as a Private Industry Notification from the FBI Miami Field Office in coordination with the Internet Crime Complaint Center (IC3) yesterday to raise awareness among cryptocurrency investors who are increasingly being targeted.

 Threat Actors

In an ongoing cyberespionage campaign, hacking group Witchetty has been found targeting two governments in the Middle East and a stock exchange in Africa. Among the new tools used by the group is a backdoor named Stegmap. The malware is distributed via the rarely used steganography technique.

 Malware and Vulnerabilities

Vietnamese cybersecurity company GTSC uncovered a zero-day in fully patched Microsoft Exchange servers. The flaws are being tracked (by Zero Day Initiative) as ZDI-CAN-18333 with a CVSS score of 8.8 and ZDI-CAN-18802 with a CVSS score of 6.3. The bug could be abused by attackers to achieve remote access to affected systems. At least one organization has been the victim of an attack campaign exploiting the zero-days.

 Feed

Ubuntu Security Notice 5614-2 - USN-5614-1 fixed a vulnerability in Wayland. This update provides the corresponding update for Ubuntu 16.04 ESM. It was discovered that Wayland incorrectly handled reference counting certain objects. An attacker could use this issue to cause Wayland to crash, resulting in a denial of service, or possibly execute arbitrary code.

 Feed

WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.

 Feed

Ubuntu Security Notice 5651-2 - USN-5651-1 fixed a vulnerability in strongSwan. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Lahav Schlesinger discovered that strongSwan incorrectly handled certain OCSP URIs and CRL distribution points in certificates. A remote attacker could possibly use this issue to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which can lead to a denial-of-service attack.

 Feed

Red Hat Security Advisory 2022-6763-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a memory leak vulnerability.

 Feed

Ubuntu Security Notice 5651-1 - Lahav Schlesinger discovered that strongSwan incorrectly handled certain OCSP URIs and CRL distribution points in certificates. A remote attacker could possibly use this issue to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which can lead to a denial-of-service attack.

 Feed

Red Hat Security Advisory 2022-6764-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a memory leak vulnerability.

 Feed

Ubuntu Security Notice 5653-1 - Benjamin Balder Bach discovered that Django incorrectly handled certain internationalized URLs. A remote attacker could possibly use this issue to cause Django to crash, resulting in a denial of service.

 Feed

Ubuntu Security Notice 5652-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter subsystem in the Linux kernel did not properly handle rules that truncated packets below the packet header size. When such rules are in place, a remote attacker could possibly use this to cause a denial of service.

 Feed

Red Hat Security Advisory 2022-6765-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a memory leak vulnerability.

 Feed

Red Hat Security Advisory 2022-6766-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include denial of service, information leakage, and open redirection vulnerabilities.

 Feed

This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.

 Feed

Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082, that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverages a chained attack similar to

 Feed

Australian telecom giant Optus on Monday confirmed that nearly 2.1 million of its current and former customers suffered a leak of their personal information and at least one form of identification number as a result of a data breach late last month. The company also said it has engaged the services of Deloitte to conduct an external forensic assessment of the attack to "understand how it

 Feed

A 46-year-old man in the U.S. has been sentenced to 25 years in prison after being found guilty of laundering over $9.5 million accrued by carrying out cyber-enabled financial fraud. Elvis Eghosa Ogiekpolor of Norcross, Georgia, operated a money laundering network that opened at least 50 business bank accounts for illicitly receiving funds from unsuspecting individuals and businesses after

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive (BOD) that directs federal agencies in the country to keep track of assets and vulnerabilities on their networks six months from now. To that end, Federal Civilian Executive Branch (FCEB) enterprises have been tasked with two sets of activities: Asset discovery and vulnerability

 Feed

India's Central Bureau of Investigation (CBI) on Monday disclosed that it has detained a Russian national for allegedly hacking into a software platform used to conduct engineering entrance assessments in the country in 2021. "The said accused was detained by the Bureau of Immigration at Indira Gandhi International Airport, Delhi while arriving in India from Almaty, Kazakhstan," the primary

 Feed

A popular Chinese-language YouTube channel has emerged as a means to distribute a trojanized version of a Windows installer for the Tor Browser. Kaspersky dubbed the campaign OnionPoison, with all of the victims located in China. The scale of the attack remains unclear, but the Russian cybersecurity company said it detected victims appearing in its telemetry in March 2022. The malicious version

 Feed

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. "This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager

 Feed

A big promise with a big appeal. You hear that a lot in the world of cybersecurity, where you're often promised a fast, simple fix that will take care of all your cybersecurity needs, solving your security challenges in one go.  It could be an AI-based tool, a new superior management tool, or something else – and it would probably be quite effective at what it promises to do. But is it a silver

 Feed only

Graham Cluley Security News is sponsored this week by the folks at Kolide. Thanks to the great team there for their support! Do you know the old thought experiment about the AI designed to make paper clips that quickly decides that it will have to eliminate all the humans to maximize paper clips? Many security …

"Kolide can help you nail audits and compliance goals with endpoint security for your entire fleet"

Aggregator history: Tuesday, October 04, 2022-10