White House Cyber Summit; Azure Cosmos DB Vulnerability Fixed; SteelSeries Fixes Installation App Bug that Grants Admin Rights

The commitment includes more collaboration between private industry and NIST, which should increase the applicability of NIST standards making it easier to achieve commonality between the two sectors on security standards and practices: reducing the inherent challenges of verification of security across differing baselines. With all the high-tech initiatives on the agenda, it’s critical not to lose focus on the basics. Participants committed money and resources to make that happen. While many pledges are focused on education and training, Microsoft has also committed $150 million in technical services to help federal, state, and local governments upgrade their security practices.

Lee Neely

Meetings like this sometimes involve classified information we may never see. It makes me wonder what any org would spend on security if they had a more complete picture of what goes on.

Christopher Elgee

Microsoft disabled the vulnerable feature on August 14th, and published the issue on August 26th. Microsoft advises users to regenerate their Cosmos DB primary keys, and leverage a vNET or firewall to further protect their Cosmos DB Accounts.

Lee Neely

I have to give some credit to Microsoft about being open about this vulnerability. The advantage of SaaS is that the vendor will patch it for you. But this also implies that the vulnerabilities are never disclosed, and users are not aware that their data may have been exposed to these risks. Thanks, Microsoft, for being transparent.

Johannes Ullrich

Given how pervasive the cloud has become, I am happy to see that Microsoft reacted quickly to solve the issue. This level of commitment and response is exactly what cloud consumers are looking for when they inherit risk and put more trust on cloud providers.

SANS Cloud Security

One advantage of using the cloud is that the provider fixes the vulnerability once instead of every customer having to fix it, often across multiple systems.

William Hugh Murray

As I said last week with respect to the Razer mouse driver vulnerability: Allowing regular users to install drivers that are executed with elevated privileges is a bad idea. But I doubt this architectural issue will be fixable. Expect more of the same in future Newsbites.

Johannes Ullrich

An external emulator can be used to mimic HID device signatures, which will trigger the auto-installation of drivers or trigger the SteelSeries installer without the actual device. This time there is a hyperlink in the EULA which, when clicked opens IE with System privileges. The update from SteelSeries includes a work-around which disables the software auto-launch of their installer upon detection of a new SteelSeries device. Note that software to manage allowed/disallowed USB device connections often doesn’t allow you to block the connection of keyboards and mice. The long term fix for both be a trade-off between automatically installing drivers and the interruption requiring the user to grant explicit admin privilege granting at the time the installation happens.

Lee Neely

This directive, coupled with the promised investment of money and resources from private sector participants Google, Microsoft, and IBM, will be key in producing a result in a timely fashion. Funding and private sector active participation are key to achieving the desired outcomes.

Lee Neely

Read the section describing what you need to do carefully. While the listed versions have fixes, you need to make plans to move to 7.13.0 (or later). If you cannot implement the update, there is a workaround script to provide a temporary fix until you do. Note that as you need to shutdown Confluence to apply that fix, it may be less disruptive to simply apply the update, allowing for a single service outage.

Lee Neely

Atlassian/Confluence is often used to manage software development projects. If you need extra support from management to fix this: Call it a "Supply Chain" vulnerability (which it is). Interesting wording from Atlassian to say it can be exploited by authenticated and “in some instances unauthenticated” users. Nice form of advisory speak to tell you: Patch this quickly.

Johannes Ullrich

Microsoft lists the conditions under which your exchange servers are vulnerable. The recommendation is to apply the one of the latest CU (Cumulative Update) and SU (Security Update). If you’re using Exchange Online – don’t click the done button until you are certain your hybrid Exchange servers are addressed. Verify those hybrid servers are still needed, and if they are needed only to support your migration to Exchange Online, retire them.

Lee Neely

F5 recommends updating your BIG-IP appliances to at least BIG-IP 14.1.0 and your BIG-IP VEs to at least BIG-IP 15.1.0. Take a serious look at moving to BIG-IP 16.1.0 or higher which is repeatedly listed as having the fixes to the identified vulnerabilities. Note that some of the fixes will introduce a loss of functionality: read the supporting bulletins to verify any additional actions needed beyond the update itself. Where possible test these changes in non-production devices first.

Lee Neely

There are no workarounds for this flaw. With the exception of Cisco APIC version 5.2, all other releases have update requirements. Making plans to update to version 5.2 are ideal. Ensure your hardware is sufficient, including memory, to support that version prior to attempting that update.

Lee Neely

Read the IC3 notice to understand the behavior of this ransomware, including how it hides its actions, and IOCs to incorporate in your SIEM. Note that Hive deletes volume shadow copies including disk backup copies and snapshots. This is another case where data is exfiltrated and threats of publishing are used to further extort payment. Review your ransomware preparedness plan, making sure you’ve already established a connection/contact with your local FBI field office, rather than trying to figure that out when responding to an incident.

Lee Neely