SANS NewsBites

Dedicate Resources to Patching for Microsoft Vulnerability Tuesday, Especially Sysmon; After Microsoft Flaws, Patch VMware Workspace ONE Assist; If You Use ABB Flow Controls, Patch Those, Too

November 11, 2022  |  Volume XXIV - Issue #88

Top of the News


2022-11-09

Microsoft November 2022 Patch Tuesday

As part of its November 2022 Patch Tuesday, Microsoft released fixes for six zero-day vulnerabilities, including two in Exchange Server that are known collectively as ProxyNotShell. In all, Microsoft released fixes for nearly 70 security issues.

Editor's Note

Lots of interesting patches this time. One not to overlook is the patch for the sysmon issue. It could be devastating to a network that has sysmon deployed throughout the network. You essentially instrumented the network with a tool to assist attackers. Patch quickly and monitor what sysmon is doing (with sysmon?).

Johannes Ullrich

Don't you wish we just had to watch the election returns this Tuesday? Fixing six zero-days is awesome, particularly as these are being actively exploited in the wild. And the most severe four (CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 and CVE-2022-41128) are in the CISA KEV catalog with remediation dates of 11/29. CVE-2022-41128 is a fix to Microsoft scripting languages, which can be leveraged to infect users who browse to a malicious site; CVE-2022-41073 is another Windows Print Spooler fix; CVE-2022-41125 addresses a privilege escalation flaw in the Windows Cryptographic API; CVE-2022-41091 addresses a security bypass of "Windows Mark of the Web" - the flag that marks files as being from an untrusted source. The last two are Exchange flaws (CVE-2022-41040 and CVE-2022-41082) addressing remote code execution when PowerShell is accessible to the attacker. Check out the SANS ISC link below for a rundown on the rest of the story.

Lee Neely

Given the large number of critical vulnerabilities (11), several of which have been actively exploited, priority has to be given to this patch update.

Curtis Dukes
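To turn the KEV remediation dates mentioned above into a triage order, the following added example (not SANS or CISA code) cross-references a Patch Tuesday CVE list against a CISA KEV extract. It uses the real field names of the KEV JSON feed (cveID, product, dueDate), but the records are constructed here from the CVEs and the 11/29 due date in the note; the product strings are labels taken from the note, not the catalog's own.

```python
"""Prioritize a patch list by CISA KEV due dates (added example)."""
import json
from datetime import date

# Constructed stand-in for the "vulnerabilities" array of CISA's
# known_exploited_vulnerabilities.json; product labels come from the note above.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-41091", "product": "Windows Mark of the Web", "dueDate": "2022-11-29"},
    {"cveID": "CVE-2022-41073", "product": "Windows Print Spooler", "dueDate": "2022-11-29"},
    {"cveID": "CVE-2022-41125", "product": "Windows Cryptographic API", "dueDate": "2022-11-29"},
    {"cveID": "CVE-2022-41128", "product": "Windows scripting languages", "dueDate": "2022-11-29"},
]})

# The six zero-day CVEs named in the note (four Windows, two Exchange).
PATCH_TUESDAY_CVES = ["CVE-2022-41091", "CVE-2022-41073", "CVE-2022-41125",
                      "CVE-2022-41128", "CVE-2022-41040", "CVE-2022-41082"]


def load_kev(raw_json):
    """Index a KEV feed by cveID so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(cves, kev, today_iso):
    """Split CVEs into KEV hits (sorted by days left, then CVE) and non-KEV.

    Each hit carries days_left relative to today_iso; negative means the
    BOD 22-01 due date has already passed and the item is overdue.
    """
    today = date.fromisoformat(today_iso)
    hits, not_in_kev = [], []
    for cve in cves:
        rec = kev.get(cve)
        if rec is None:
            not_in_kev.append(cve)
            continue
        days_left = (date.fromisoformat(rec["dueDate"]) - today).days
        hits.append({"cve": cve, "product": rec["product"],
                     "due": rec["dueDate"], "days_left": days_left,
                     "overdue": days_left < 0})
    hits.sort(key=lambda h: (h["days_left"], h["cve"]))
    return hits, not_in_kev


if __name__ == "__main__":
    kev_hits, others = prioritize(PATCH_TUESDAY_CVES, load_kev(KEV_SAMPLE), "2022-11-11")
    for h in kev_hits:
        print(f'{h["cve"]}  due {h["due"]}  ({h["days_left"]} days)  {h["product"]}')
    print("not in KEV (still patch, but not BOD-driven):", ", ".join(others))
```

Point the loader at the live feed from cisa.gov for real use; CVEs absent from KEV are not less important, they just lack a federally mandated deadline.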


2022-11-09

VMware Workspace ONE Assist Updates Fix Critical Flaws

VMware has released updates to address three critical vulnerabilities in its Workspace ONE Assist remote access tool. The flaws (an authentication bypass, a broken authentication method, and broken authentication control) each received a CVSSv3 score of 9.8. The updates also address two moderate-severity vulnerabilities. Users are urged to update to Workspace ONE Assist 22.10.

Editor's Note

Older VMware flaws are already heavily targeted by attackers. This will provide them with yet another avenue. And remember: this isn't just a "Patch Now" issue, because there will likely be more issues like that. This is a "Figure out how to build a moat" issue.

Johannes Ullrich

There are no workarounds here; this is a patch-it-to-fix-it scenario. An attacker can exploit the flaws if they can reach your network with Workspace ONE Assist without authentication to obtain administrative access. The update addresses five CVEs in total, including XSS and an authentication token exploit; seems like a good idea to just apply the update.

Lee Neely

2022-11-10

Fixes Available for High-Severity Flaw in ABB Flow Computers and Controllers

Researchers from Claroty have detected a path-traversal vulnerability that affects flow computers and remote controllers used in the oil and gas industries. The issue affects ABB TotalFlow flow computers and controllers. ABB released firmware patches to address the issue in July.

Editor's Note

I like the first bullet item in the Claroty executive summary on their findings: “Flow computers calculate oil and gas volume and flow rates; these measurements are critical not only to process safety, but are also used as inputs in other areas, *including billing*.” Note that many news reports picked up on the “including billing” and the connection to the Colonial Gas pipeline ransomware attack that caused gas shortages because billing apps went down. If you are using ABB controllers, use that same focus on the business/billing disruption to get patching prioritized.

John Pescatore

These are driven by an ARM v8 processor running Linux. The flaw can be leveraged to get root on those devices and read/write files; these computers calculate volume and flow rates used by alarms, safety and billing systems. An attack could impact a company's ability to bill and/or disrupt the flow altogether. If you have some of these, apply the update and make sure that they are properly isolated/segmented. Read the report from Claroty if you've wondered what these can do.

Lee Neely

The Rest of the Week's News


2022-11-10

Apple Releases Unscheduled Updates for iOS and macOS

Apple has released updates for iOS, iPadOS, and macOS to address a pair of critical vulnerabilities. The arbitrary code execution flaws in the libxml2 library were detected by researchers from Google Project Zero. Users are urged to update to iOS 16.1.1, iPadOS 16.1.1, and macOS Ventura 13.0.1.

Editor's Note

This update fixes two specific XML parser issues. Details about these issues, with proof of concept code, were released the same day the update was released. I don't care if you wait patching this. If you don't, it may make for a neat future NewsBites story about how your organization was compromised.

Johannes Ullrich

I know, you are still finishing rolling out iOS/iPadOS 16.1, and you noticed 16.2 is only a few weeks away, so you were hoping for breathing room. The good news is users who haven't updated will get 16.1.1 when they do, and that these updates are only for iOS/iPadOS 16, as well as macOS Ventura. Exploiting the flaws allows an attacker to terminate a running application or execute arbitrary commands on the device. There are also unspecified bug fixes in these updates which help with some petty annoyances your users may be facing.

Lee Neely

2022-11-10

IoT Purchasing Rules for Federal Agencies Take Effect in December

Starting next month, US federal agencies will be required to implement Internet of Things (IoT) cybersecurity guidelines developed by the National Institute of Standards and Technology (NIST). The IoT Cybersecurity Act of 2020 directed NIST to create a series of documents to address the needs of federal agencies seeking to deploy IoT devices within their systems.

Editor's Note

Back in 1994, NIST put out FIPS 140-1, Security Requirements for Cryptographic Modules. In 1995, Netscape came out with SSL 2.0 for transport security in their Navigator browser. When the US Federal government started requiring that government agencies require FIPS 140-1 compliance, it drove testing of SSL 2.0, and vulnerabilities were quickly found and fixed – and anyone (OK, back then mostly Microsoft) wanting to provide a browser for government use had to get their crypto tested and validated. SSL didn’t solve all security problems, but it did raise the bar, and it is good to see the US government using its buying power to do the same thing for device security.

John Pescatore

One of the challenges is that traditional IT security follows frameworks like NIST SP 800-53, while our OT operators are following the Purdue model. Having guidance to help crosswalk the two universes is critical to success. Keep an eye on SP 800-82, SP 800-181 and SP 800-313. NIST publications often include guidance and insight that is applicable beyond the federal government; consider leveraging these to raise the bar on your IoT acquisitions.

Lee Neely

While mandated for federal agencies, every industry sector will benefit by following the cybersecurity guidance in NIST Special Publication 800-213. Now is the time to build IoT cybersecurity requirements into your IT risk management process for the entire connected enterprise.

Curtis Dukes

2022-11-10

CISA Provides Resources to Help Agencies Manage Known Exploited Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has released resources to help federal agencies comply with a binding operational directive (BOD) that requires them to reduce the significant risk of known exploited vulnerabilities. In a blog post, CISA Executive Assistant Director for Cybersecurity Eric Goldstein introduces the tools through a three-step process for improving vulnerability management: introducing greater automation; using the Vulnerability Exploitability eXchange (VEX) to determine whether a product is affected by a known vulnerability; and prioritizing vulnerability management resources through Stakeholder-Specific Vulnerability Categorization (SSVC).

Editor's Note

A tool like the SSVC can help prioritize remediation efforts, but before you run out and grab something new, check your inventory for products which may already have this (or similar) capability and look at leveraging that first. We all have "shelfware" or narrowly implemented products, and as tempting as best-of-breed is, it's still generally easier to use all the features in existing products than trying to integrate several disparate products which are "supposed" to be able to talk to each other.

Lee Neely

In this case, I have to treat CISA like I would any vendor. The Security Content Automation Protocol (SCAP) standards first came out of the US government in 2009 – announcing more such standards really does not equate to CISA “transforming the vulnerability management landscape.” They need to focus on helping government agencies overcome the obstacles they faced trying to make automation work, which had more to do with overhyping what would and would not make sense to automate than it did with needing new ways to find out and rank vulnerability severity. I’d like to see a focus on a simple use case: reduce average time to patch servers from months to days to hours. Then start thinking about automation overall.

John Pescatore

2022-11-10

GitHub Introduces New Vulnerability Reporting Feature

GitHub has created a communication channel that will allow researchers to disclose vulnerabilities to project maintainers more easily. Previously, it was often difficult to find contact information, and vulnerabilities were reported over social media. The private vulnerability reporting feature is free and is currently in beta.

Editor's Note

The idea is this is private notification of flaws, and package maintainers can elect to ignore or seek more information. I know it's upsetting to have someone tell you your code is broken when you worked really hard on it, but it's better to have a direct approach than learning it's being spread over social media. Learn to embrace and respond to the feedback; the goal is to raise the bar, not denigrate the developer. Make sure that your company has a security link on its web site which leads to clear flaw-reporting instructions, for the same reasons.

Lee Neely

Microsoft acquired GitHub a bit over 4 years ago and GitHub just announced it had passed $1B in revenue – good to see more (needed) investment by GitHub in security. If your company’s product is software, this is also a good reminder to check if you have the processes and contact points in place to rapidly learn of and deal with vulnerabilities in your product. All too often, for example, www.yourcompany.com/security is hyping up product security features vs. making it easy for someone to report a bug and get an acknowledgement.

John Pescatore

2022-11-09

Lenovo Fixes Two of Three Notebook BIOS Vulnerabilities

Lenovo has released updates to fix vulnerabilities in the Unified Extensible Firmware Interface (UEFI) that affect several of the company’s notebook models. The flaws could be exploited to modify Secure Boot settings. While three vulnerabilities have been identified, Lenovo is releasing fixes for just two, as the third affects a device that is no longer supported.

Editor's Note

The flaws allow the secure boot database (DBX) to be reset. That resets what is allowed and denied by the secure boot process, allowing a hacker's code to be loaded at boot time. If you're not managing the firmware on your fleet of laptops, you need to start figuring that out before your attackers do. Even so, test your process; BIOS updates can brick devices or otherwise be disruptive to users, the timing of which is never convenient, in fact, quite the opposite. At a bare minimum, track the versions and watch for unexpected updates.

Lee Neely

2022-11-09

Google Updates Chrome for Desktop

Google has updated the Stable channel for Chrome for desktop to version 107.0.5304.110 for Mac and Linux and 107.0.5304.106/.107 for Windows. The updated versions of the browser address 10 vulnerabilities, including six high severity issues.

Editor's Note

Your Chrome and Chromium browsers are affected here. Odds are, by now, the user's browsers have already downloaded the update and the browser needs a relaunch. This update includes more updates to the V8 JavaScript engine (the last Chrome KEV update was also a V8 fix), speech recognition, WebWorkers and WebCodecs. These new updates are not yet in the CISA KEV catalog.

Lee Neely

Internet Storm Center Tech Corner

Do you collect "Observables" or "IOCs"

https://isc.sans.edu/diary/Do+you+collect+Observables+or+IOCs/29238


Another Script-Based Ransomware

https://isc.sans.edu/diary/Another+ScriptBased+Ransomware/29234/


Microsoft Patches

https://isc.sans.edu/diary/Microsoft+November+2022+Patch+Tuesday/29230/


Microsoft Exchange Updates

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045


Android Update Fixes Lock Screen Bypass

https://source.android.com/docs/security/bulletin/2022-11-01

https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/


Apple Security Updates

https://support.apple.com/en-us/HT201222


libxml Vulnerability Details

https://gitlab.gnome.org/GNOME/libxml2/-/issues/381


CVE-2022-45063: xterm remote code execution vulnerability

https://www.openwall.com/lists/oss-security/2022/11/10/1


Lenovo UEFI Patch

https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/


FoxIT Update

https://www.foxit.com/support/security-bulletins.html


SAP Update

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10


VMWare Workspace One Updates CVE-2022-31686, CVE-2022-31687, CVE-2022-31688

https://www.vmware.com/security/advisories/VMSA-2022-0028.html


Citrix Gateway / Citrix ADC Vulnerabilities CVE-2022-27510

https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516