Check for Use of OpenSSL 3.0.7 and Prepare to Patch Critical Flaw; FTC Punishes Drizly CEO; Patch Cisco AnyConnect to Protect Against Active Exploits

While people are working on performing the diffing of patches to try and understand the impact, OpenSSL 3.0 may not be as widely deployed as the version with Heartbleed. It’s a wait-to-see scenario. A core library like this may still impact many systems. Hopefully, with the advent of SBOM (software bill of material) products, companies can quickly find and attempt to patch these libraries quickly.

Moses Frost

The notice from OpenSSL doesn’t disclose the exact vulnerability, only categorizing it as critical, which means it affects common configurations and is likely to be exploitable. OpenSSL policy is to keep the specific issues private and trigger a new release. Given the prevalence of OpenSSL it makes sense to be careful disclosing the exact issue as there could be an enormous attack surface. What you can do is make sure that you update your OpenSSL installs, and applications with embedded OpenSSL, judiciously after the update is released. Review your software inventory and make a prioritized list, much like you did for Log4J.

Lee Neely

While on the surface this seems like a good one to show your CEO, I doubt this action against Drizly’s CEO will stand up to any formal appeal or legal challenge. As Commissioner Wilson’s dissent points out, this is saying that if any business decision made to take a security or privacy risk turns out to be the wrong decision, a CEO could be sanctioned. That seems unrealistic.

John Pescatore

With this sanction, the FTC is shining a light on the CEO and indirectly, the company executive team. While unlikely that the order will survive on appeal, it serves notice to every CEO that they are fully accountable for implementing and actively managing the company cyber security program.

Curtis Dukes

As Drizly is now part of Uber, the proposed order applies to the company as well as the former CEO, not only requiring increased security and training but also deletion of unnecessary data. The FTC intends the message to be: protecting American’s data is not discretionary and is to be prioritized. Keep an eye out for new FTC orders raising the bar on cyber security expectations. The proposed order, when finalized, will be in effect for twenty years.

Lee Neely

Interesting move by the FTC. This is a perfect case to set precedence over corporate maleficence and oversight. We will have to watch this one more closely, as if this does follow the CEO from company to company, we may see changes in the boardroom based on this.

Moses Frost

The good news is this only impacts your Windows client. The bad news is probably most of your clients are Windows-based. There are no workarounds: you need to get your clients to at least 4.9.00086. Use the firewall’s capability to update the client to push an update when users next connect. Consider using your endpoint management to also distribute the updated client. POC exploit code was available 8/13, and Cisco became aware of active exploitation attempts 10/25. CISA is giving agencies until 11/14 to fix this. I’d advise not waiting.

Lee Neely

It’s rather odd that these two LPEs are being actively exploited years after they are released. It is also probably not surprising as many customers are reluctant to upgrade their versions of AnyConnect unless there is a specific feature needed, such as “Windows 11” support. As of the time of the publishing of this, it’s important to note that the DarkReading article mentions a Cisco Gigabyte Driver, which I believe is a mistake. Cisco doesn’t own Gigabyte. I believe they are referring to the motherboard manufacturer being added to the CISA KEV.

Moses Frost

The driver blocklist was introduced as an optional feature in Windows 10, version 1809 and is enabled on systems which enable HVCI or run in S mode. As of Windows 11, version 22H2, it is enabled by default. This can be managed with the Windows Security app, but the version which manages this setting hasn’t been released yet. Part of the fix was that Microsoft was supposed to be providing updates to the on-device database of flawed drivers; these updates are now working. While not every flawed driver will be detected, it adds one more layer to our defenses at the endpoint. That said, use caution enabling the blocklist as it can result in a blue screen (aka hard stop) or inability to (re)install needed drivers.

Lee Neely

The updates include the anticipated iPadOS 16. iOS 16.1 and iPadOS 16 address 36 CVEs. Apple also just released iOS/iPadOS 15.7.1 which addresses 20 CVEs. All of the iOS/iPadOS updates address a recent zero-day, CVE-2022-42827 which is being actively exploited. Note apple has released updated security bulletins for their recent updates (macOS, tvOS, iOS/iPadOS, watchOS, etc.) which include additional CVEs addressed. Note that when deploying iPadOS 16, the on-device version is listed as 16.1. The iOS/iPadOS zero-day has been added to the CISA KVE with a fix date of 11/15/22.

Lee Neely

Seems like only yesterday that Apple marketed itself as highly attack resistant when compared to other edge devices. We know several things changed over that time: the CPU, an increase in attack surface with the seamless integration of mobile devices, commoditization of vulnerabilities. Expect this to be the new normal for Apple and its high in demand products.

Curtis Dukes

Essentially the full disk access privilege gets revoked for security tools. The fix was intended to prevent attackers from gaining the access they needed to operate. If affected, you need to unlock the preferences, revoke the privilege explicitly, lock the preferences, then repeat granting the privilege this time. This doesn’t impact enterprise systems pushing Ventura updates via their MDM.

Lee Neely

PayPal was one of the founding members of FIDO Alliance, will be good to see them urge their 200M+ users to move away from reusable passwords.

John Pescatore

At a bare minimum enable 2FA on your PayPal account. Better still, setup a PassKey, particularly if you're using SMS for 2FA. If you’re wondering what FIDO authentication looks like to an end-user – here’s your opportunity.

Lee Neely

Keep in mind that webauthn is primarily a convenience feature, not a security measure. It aids security by making it easier to do the safe thing. Its widespread adoption by websites and their users may reduce use and leakage of passwords and their fraudulent reuse. From a security perspective, it substitutes beneficial use of a device, something one has and can use, for entry of a password. It resists the leaky browser problem as relates to credentials but use of browsers leaves users vulnerable to leakage of other data.

William Hugh Murray

Improving cybersecurity of critical infrastructure is a national priority. Current fragmented efforts by each industry sector point to the need for a common and prioritized set of safeguards to achieve a baseline cybersecurity posture. The CIS Critical Security Controls, starting with implementation group 1 are measurably effective against the top five attack types being used against every industry sector.

Curtis Dukes

The Cybersecurity Performance Goals (CPGs) are intended to be a fast-start guide to implementing the larger NIST CSF and are intended to be broadly applicable. CISA and NIST would like to see all organizations leverage the CSF, which is intended to not only be cross-sector and cross-industry relevant, but also maps to multiple security frameworks (NIST, ISO, etc.) NIST is setting up a discussions website, leveraging GitHub discussions, for feedback on the CPGs. See the NIST cross-sector CPG site: https://www.cisa.gov/cpg for the goals as well as links to the discussion site.

Lee Neely

Whether or not an enterprise is “critical infrastructure organization,” if it attaches to the public networks, it becomes a part of our collective infrastructure and should behave accordingly.

William Hugh Murray

This is a great example of what cyber insurance can do for an organisation. Cyber insurance won’t prevent an attack, nor will it by itself reduce the technical risks you may face, however it does help you cover the financial risk from a cybersecurity breach.

Brian Honan

Before casting doubts on being self-insured, check with your insurance providers to make sure you understand what sorts of incidents are _NOT_ covered. You may find you’ve got a gap you didn’t anticipate. In addition to the fines above, Medibank is also expected to have large regulatory fines. Take note of the support Medibank is providing to customers, statements about impact as well as operational status to include financial impact and investor briefings. Are you prepared to be this transparent in a breach as well as provide your customers with this level of support? Double check that at the highest levels.

Lee Neely

Make sure that you’re referencing the most current repository name for your GitHub requests. Monitor for redirected repositories and update your configuration to use the updated location as well as verify the intended packages are at that location. The vulnerability existed when a user renamed their repository, which caused redirects to be setup from the old name to the new, and someone else registered on GitHub with the vacated username, which removed the redirects, and that person now can deliver their package to systems expecting the moved one. GitHub now has a process whereby popular usernames, when changed, are retired so that you cannot activate a vacated username.

Lee Neely