Patching Exchange Server Flaw Worth Effort of Authenticating; Microsoft Vulnerability Tuesday Includes Patches for Two Flaws Under Active Exploit; Patch Citrix ADCs and Gateways to Prevent Showstopper Denial of Service Attacks

It is with deep sadness that we announce that SANS founder and the originator of NewsBites Alan Paller passed away on November 9. The SANS press release on his passing is at https://www.sans.org/press/announcements/alan-paller-cyber-security-industry-titan-and-sans-institute-founder-passes-away/

For those of us who worked with Alan, his driving force was a vision that never wavered: security could only be improved by raising the quality of security operations by increasing and professionalizing the skill levels of security teams and managers. We often say security success is a mixture of people, process, and technology – Alan reminded us that those people need to have deep, hands-on skills to create and run impactful security processes as well as to select and develop effective security technologies, tools, and products.

Alan’s commitment to that vision over the years helped keep SANS focused on having the best security instructors developing the most effective courses and always measuring success of every SANS course or conference by making sure it met his number one criterion: the student or attendee must be able to go back to work afterward and do something new and better – not just be able to talk about new and better security. Equally important, Alan instilled in SANS the idea that if SANS stayed focused on helping the security community “fight the good fight,” success would always follow. Alan championed and dedicated SANS resources to increasing essential security hygiene, security team diversity, and growing the number of people joining the cybersecurity profession long before any profit was possible from those efforts.

On a personal level, if you were part of an effort with Alan that was fighting the good security fight and were lucky enough to have Alan introduce you at a conference or meeting, his lavish praise was legendary and inspiring. The security community is a better place for Alan’s tireless efforts over the past 30+ years. At SANS we already miss him intensely and we will work hard to continue to live up to his guiding vision.

Microsoft has fixed vulnerabilities in on-premises Exchange Server 2013, 2016, and 2019. One of the flaws, a post-authentication vulnerability, has been exploited in “limited targeted attacks.” Microsoft is urging users to apply the updates immediately. The fixes were released as part of Microsoft’s Patch Tuesday.

Read more in

Microsoft’s Patch Tuesday for November 2021 includes fixes for at least 55 security issues in its products. Two of the flaws are being actively exploited and four vulnerabilities were disclosed before Tuesday. Microsoft has acknowledged that the updates may cause authentication issues on Domain Controller running Windows Server.

Read more in

Citrix has fixed two vulnerabilities. The first is a critical uncontrolled resource consumption issue affecting its Application Delivery Controller (ADC) and Gateway products; the vulnerability could be exploited to crash networks without authentication. The second is a low-severity uncontrolled resource consumption issue affecting ADC, Gateway, and the Citrix SD-WAN WANOP Edition appliance; the flaw could be exploited to cause temporary disruption of the Management GUI, Nitro API and RPC communication.

Read more in

US President Joe Biden has signed The Secure Equipment Act into law, closing what one FCC Commissioner has called “the Huawei loophole.” According to a White House statement, the law “requires the Federal Communications Commission to adopt rules clarifying that it will no longer review or approve any authorization application for equipment that poses an unacceptable risk to national security.” Small and medium-sized companies wanting to replace Huawei and ZTE equipment can request reimbursement from the FCC.

Read more in

US legislators have introduced a bill that would establish ransomware response rules for financial institutions. If the Ransomware and Financial Stability Act passes, financial institutions suffering ransomware attacks would be required to inform the Director of the Treasury Department's Financial Crimes Enforcement Network (FinCEN) about the details of the attack, including demanded ransom. The bill would also require financial institutions to obtain a Ransomware Payment Authorization prior to paying any ransomware demand over $100,000.

Read more in

According to a recent annual financial audit report, hackers had access to a server belonging to a Queensland (Australia) water supplier for nine months, from August 2020 through May 2021. SunWater operates dams, pumping stations, and pipelines. The audit report includes information from the examination of six Queensland water sector entities.

Read more in

Google’s Threat Analysis Group (TAG) detected watering hole attacks targeting visitors to several Hong Kong websites. “The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.” Apple released a fix for the issue in September.

Read more in

Palo Alto Networks has patched a critical buffer overflow vulnerability in its firewalls that use the GlobalProtect Portal VPN. The flaw affects PAN-OS versions 8.1.17 and older. Researchers detected the vulnerability in November 2020 but did not notify Palo Alto Networks in September.

Read more in

A US federal grand jury has indicted former Broadcom engineer Peter Kisang Kim on multiple charges of theft of trade secrets. Kim worked at Broadcom for more than 20 years. He allegedly stole trade secrets; the purloined information was stored in non-public document repositories that were restricted to employees working on specific projects or within specific suborganizations. Kim allegedly took the data with him when he started working for a Chinese company.

Read more in