Critical Patches Out For Cisco Small Business VPN Routers; Microsoft to Try Reducing Javascript Just In Time Browser Risks; Western Australia Slow to Remove Access from Dead Accounts

The Cisco VPN Routers in question are from the Cisco Small Business Unit, which has almost nothing to do with Cisco’s enterprise product software. It's a completely separate operating system and hardware line. Unfortunately, it does have the Cisco name on it, so many small business customers will purchase it. This is a tragic scenario because these bugs hit companies that may not have all of the other security controls a large organization will have, and may not even patch these systems. This may go unnoticed for quite a while, and may only get addressed if they replace the product in the future. What we have seen is that for "Remote Management" these systems may have their Web Management right on the internet. Since these are VPN Routers, we would not expect that they are all behind a NAT so they may be internet facing.

Moses Frost

These are pre-authentication vulnerabilities, exploitable via the web-based management interface which cannot be disabled on the local LAN connection. Take three steps now: apply the firmware updates; make sure that the management interface is disabled on the WAN connection and review your configuration to make sure it is unaltered. There are no workarounds.

Lee Neely

This brings the total vulnerability count to 7 over the last couple years, for this particular router's web admin interface. If you believe that they found them all: Please allow worldwide access to the admin interface. If you feel like there may be a couple more vulnerabilities that haven't been found/patched yet: Disable access from anything but a few administrator IPs.

Johannes Ullrich

Browsers are the first point of contact between both users and content and users and attacks. Over the years much more effort has gone into making browsers faster and fancier, vs. more secure. In recent years, Google, Mozilla and now Microsoft are adding much needed focus on “safety-first.” While the market share of the Edge browser is under 10%, Microsoft quotes numbers that say more than half of Chrome exploits take advantage of flaws in the JIT compiler. Microsoft’s first look at performance degradation with JIT disabled also showed minimal performance impact.

John Pescatore

The JIT compiler allows JavaScript to achieve near C++ performance speed and a significant number of CVEs are related to the V8 JIT. (TurboFan/Sparkplug). The idea is to disable the JIT and enable other arbitrary-code-execution mitigation options such as Arbitrary Code Guard (ACG) and Controlflow-Enforcement Technology (CET) while maintaining compatibility and speed. Initial tests show performance hits under 15%, Web Assembly is not supported and only CET is enabled. You can enable and test SDSM at edge://flags in the Edge Canary, Dev and Beta versions.

Lee Neely

The main purpose of the JavaScript JIT compiler is to optimize JavaScript and to make it faster. We will see if a browser without JIT will still be usable given the immense JavaScript code bloat on many sites. I assume Microsoft is working on making JavaScript perform without JIT compiler.

Johannes Ullrich

Access to systems, and resulting damage, by former employees is a legitimate threat and accounts need to be disabled immediately on separation. Resist temptation to “hold accounts open” for employees who will be returning in a new status (e.g. consultant); rather review the needed privileges in the new role, only granting those needed, just as you would a new hire.

Lee Neely

Establishing and monitoring “Time to Remove Access” metrics is easy to do and very valuable. Checking that parameter should be part of every security controls test or audit. The Western Australian report showed an average of 7 days between employee termination and IT access removal, but had outliers of up to 161 days. The usual major problem is reliance on multi-step, undocumented people-driven processes vs. some level of integration between HR databases/systems and access removal.

John Pescatore

We continue to be better at getting separated employees off the payroll than at revoking their IT privileges. Payroll is almost always a single point of control while IT privileges may come from many sources.

William Hugh Murray

The core issue is that the username and passwords are not adequately protected (think cleartext) between the engineering workstation and the PLC. Patches are not available yet. Mitigate the risk by limiting the devices which can access the PLC and protecting that communication link via segmentation or other encapsulation. Once patched, limiting access to only authorized devices remains a good practice.

Lee Neely

Big thanks to this group of researchers for doing the work companies developing this code should have done 20-30 years ago. But I am afraid much of the effort will be in vain as this code is embedded in countless unaccounted for devices that will never be patched until a lightning strike carries them across the IoT rainbow bridge to a land without invalid TCP/IP packets.

Johannes Ullrich

The exploit uses DNS to deliver shell code, which means that attacks are still possible if your segmented network has routes to public DNS servers. Other exploits leverage the HTTP server and malformed packets. The best mitigation will be to apply updates when available. Until then, disable the DNS client or block the traffic if not needed, disable or access to the HTTP server, and monitor/block malformed IP and ICMP packets.

Lee Neely

Android 2.3.7, aka Gingerbread, was released in December 2010. It’s time to replace those devices; there are no security updates, and compatibility with applications is going to be more miss than hit. As an enterprise you should have already set a base version of Android 11, and be assessing when you can move that minimum to Android 12. Be sure to also enforce the minimum for users establishing remote connections.

Lee Neely

It's interesting that Google has taken the step to abandon 2.3.7. It would be interesting to see if they are doing this for "Security Reasons" or more practically maybe they are getting rid of specific API's that those products used. 2.3.0 was released in 2010 and after 11 years, it's probably time to discontinue it. It would be interesting to see if these devices continue to live through 3rd party services that are not Google. Those would be a lower trust offering potentially. Several statistics on the internet show that "Other" category for versions of Android this old (older than 3.0) at under 1%. 1% of 2 Billion Android phones would be 20 million. Hopefully it's a smaller number than this.

Moses Frost

The title pretty much captures it all: “Federal Cybersecurity: America’s Data *Still* at Risk” Not much progress since the 2019 report but the pandemic year had major impacts – IT operations were consumed just keeping remote work running and time to patch and other key security metrics suffered.

John Pescatore

Knowing what you have, what it’s supposed to be running, keeping it patched, and monitoring are core critical controls. Agencies are often faced with the daunting task of consuming the NIST cyber security framework and SP 800-53, which can distract them from which controls should be prioritized, simplification is needed to facilitate understanding and mandates such as CDM, Einstein, FISM reporting and assorted BODs consume available resources. As the report suggests, CISA is well positioned to offer services to agencies to help them improve their security posture; even so that support has to be accompanied with ongoing funding for staff, training and licenses to maintain a sufficient level of protection.

Lee Neely

Many of these findings would be true of many private enterprises.

William Hugh Murray

One of the ways to address the cybersecurity gap at utilities is to hire a larger organization to provide shiny cloud based secure options for them. The danger is they may be buffaloed by fancy talk and promises that they may not have the knowledge or skills to challenge. If you’re an operator, review the ThreatLocker report and use the recommendations on how to focus the EPA’s WSCRMG guidance to drive improvements internally or drill down with your service provider to provide written understandable approaches to address all the suggest controls.

Lee Neely

One of the lessons highlighted in the report was the need for multi-party controls over critical functions. This will offer resistance to both attacks from outsiders and the more likely insider error.

William Hugh Murray

You need to participate in this effort. Connection with resources and information sharing across the public and private sectors will provide access to high-quality recommendations and services which will aid planning of defenses and implementations. It will also connect you to a network of resources and expertise you might not otherwise have access to.

Lee Neely

Aggressive measures for those not yet compromised must include isolating the high-risk applications, e-mail and browsing, from electronic healthcare systems.

William Hugh Murray