SANS NewsBites

FAA to Strengthen File Integrity Management; Zero-Days Mean Expediting Patching Windows Now; Find and Patch Vulnerable ClamAV Instances

February 17, 2023  |  Volume XXV - Issue #14

Top of the News


2023-02-15

FAA Tells Senate Panel About New Procedures to Protect Against NOTAM Outages

In a hearing before the US Senate Commerce Committee, the Federal Aviation Administration’s (FAA’s) acting administrator Billy Nolen said that the agency has taken steps to help prevent a repeat of the January 11 Notice to Air Missions (NOTAM) system outage. Nolen told the panel, “After the incident, we implemented a synchronization delay to ensure that bad data from a database cannot affect a backup database. Additionally, we have implemented a new protocol that requires more than one individual to be present and engaged in oversight when work on the database occurs.”

Editor's Note

Let’s be clear: the issue was not contractors, it was the failure by the FAA to realize that pilots accessing NOTAM information was a go/no-go for flying and that any changes/update to the data files was a potentially disastrous event. File Integrity Management tools and processes have been around for a long, long time but often are not used on the files and executables that need to be the most resilient.

John Pescatore

It still comes down to people, process, and technology. People: were the contractors, and FAA personnel for that matter, sufficiently trained to understand and maintain a critical flight system used by the aviation industry? Process: was the update sufficiently QA’ed/tested prior to implementing on both the active and backup NOTAM systems? Technology: let’s not forget, the NOTAM system is 30 years old; it can be difficult to find qualified engineers to maintain. Which brings us back to people.

Curtis Dukes
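As an added illustration of the file-integrity point raised in the notes above (example code written for this page, not anything the FAA or a vendor ships), the Python script below baselines SHA-256 digests of a directory of critical files, seals the baseline with an HMAC so that whoever can overwrite the data files cannot also silently rewrite the baseline, and reports added, removed and modified files on re-verification. The file names, file contents and the key are constructed; the key is assumed to live somewhere the data-update job cannot reach.

```python
"""File-integrity check for a directory of critical data files.

Added example, not FAA or vendor code. It records a baseline of SHA-256 digests,
seals the baseline with an HMAC-SHA256 tag, and later re-verifies the tree,
reporting added, removed and modified files. The HMAC key is assumed to be kept
on a separate host or in an HSM, outside the write path of the update job.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path -> digest for every regular file under root."""
    return {str(p.relative_to(root)): _digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialize the baseline with an HMAC tag over its canonical JSON form."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "tag": tag}).encode()


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Refuse to use a stored baseline whose tag does not verify."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline integrity check failed: HMAC mismatch")
    return doc["baseline"]


def verify_tree(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the trusted baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline three files, then simulate a bad update."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notam.dat").write_bytes(b"A0001/23 NOTAMN\n")   # constructed content
        (root / "airports.dat").write_bytes(b"KJFK\nKLAX\n")
        (root / "config.ini").write_bytes(b"[sync]\ndelay=300\n")
        key = b"constructed-demo-key"  # in practice fetched from a separate trust store
        blob = seal_baseline(build_baseline(root), key)
        (root / "notam.dat").write_bytes(b"CORRUPTED\n")  # bad data written to a file
        (root / "stray.tmp").write_bytes(b"x")             # unexpected new file
        return verify_tree(root, load_baseline(blob, key))


def tampered_baseline_is_rejected() -> bool:
    """Show that editing the stored baseline without the key is detected."""
    key = b"constructed-demo-key"
    doc = json.loads(seal_baseline({"notam.dat": "0" * 64}, key))
    doc["baseline"]["notam.dat"] = "1" * 64   # someone rewrites the stored digest
    try:
        load_baseline(json.dumps(doc).encode(), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered baseline rejected:", tampered_baseline_is_rejected())
```

A check like verify_tree is the natural gate for the "synchronization delay" described in the item: run it on the primary's files and only let replication to the backup proceed when the report is empty or every change is accounted for by an approved change record. Packaged FIM products add real-time hooks and central reporting, but the trust model is the same: the baseline and its key must sit outside the reach of whatever writes the data.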

2023-02-15

Microsoft’s February Patch Tuesday Includes Three Zero-days

On Tuesday, February 14, Microsoft released updates to address at least 75 vulnerabilities in multiple products, including three flaws that are being actively exploited: a security feature bypass in Microsoft Publisher; a privilege elevation vulnerability in Windows Common Log File System Driver; and a remote code execution vulnerability in Windows Graphics Component.

Editor's Note

This is obviously justification for the continuing need to shorten time to patch, but I’d like to see Microsoft come forward with a “why these vulnerabilities were there and what we are doing to reduce the odds of something like this happening again, and here are Microsoft’s plans for making it easier for our customers to more quickly patch flaws found in our products.”

John Pescatore

While it’s pretty much SOP to push these updates expeditiously, use the zero-day fixes to counter any attempts to delay the rollout. Note that MS is in the NIST KEV with a 3/7/23 due date you can leverage.

Lee Neely

Three actively exploited vulnerabilities will demand immediate attention by IT staff. It does beg the question: What has changed, if anything, with Microsoft’s security development lifecycle (SDL)? Microsoft rightfully changed the software development landscape with the introduction of SDL back in 2004. Is it time for a new security development lifecycle push within the industry?

Curtis Dukes

2023-02-16

Cisco Updates Address ClamAV Vulnerability

Cisco has released updates to address a vulnerability in the ClamAV scanning library; the issue affects several Cisco products. The missing buffer size check issue could result in a heap buffer overflow write.

Editor's Note

Do not overlook this vulnerability. ClamAV is often embedded in other products without explicitly declaring its presence. Watch out for related updates from various vendors. The vulnerability affects HFS+ files. This file type, an older Apple file system, may not be used in your environment, but the target is the antivirus scanner that may scan the file (and expose itself to exploitation) regardless of whether you use the file type.

Johannes Ullrich

The flaw lies in the HFS+ scanning engine and Cisco has updates. There are no workarounds. Cisco categorizes this as a critical flaw: make sure your team has a definitive plan for addressing affected components that fits your policies and risk tolerance.

Lee Neely

The Rest of the Week's News


2023-02-15

Hyundai and Kia Release Software Updates to Prevent Auto Theft

Hyundai and Kia have released software updates to address vulnerabilities that could be exploited to steal vehicles. According to the US National Highway Traffic Safety Administration (NHTSA), “The software updates the theft alarm software logic to extend the length of the alarm sound from 30 seconds to one minute and requires the key to be in the ignition switch to turn the vehicle on.”

Editor's Note

There is a lot of talk about various car related vulnerabilities, but this issue is actually widely exploited and must be patched quickly. It also illustrates the difficulties of rolling out these patches for cars that were never meant to receive regular software updates.

Johannes Ullrich

The software update, which includes a window sticker indicator that the vehicle has anti-theft protection, will replace the efforts to deliver steering wheel locks to owners. The changes will take a bit to deploy, so you may want to check with your local law enforcement for a steering wheel lock to use until the update is deployed to your vehicle.

Lee Neely

A new play on social media platforms… a guide to vehicle theft. Three observations: 1) perhaps a bit more content moderation by TikTok; 2) extending the alarm sound, surely to be a hit in the neighborhood; and 3) of course the software update will be free; it’s about brand protection.

Curtis Dukes

Since car alarms have such high false alarm rates, I doubt doubling the length of the annoying noise will reduce theft rates. But, requiring the keys to be in the ignition before the engine starts is just another example of strong authentication being a “key” requirement…

John Pescatore

2023-02-14

Microsoft Update Removes Internet Explorer 11 from Most Versions of Windows 10

An update for Microsoft’s Edge browser released this week will delete Internet Explorer 11 (IE11) in most versions of Windows. Users will be redirected to Edge. IE11 Bookmarks and browsing data will be ported from IE11 to Edge. IE11 will still be accessible on Windows Server, non-consumer versions of Windows 10, and Windows 7 and 8.

Editor's Note

It is time to retire Internet Explorer (IE). It has secured its place in the history of the world wide web and more modern browsers exist today – Edge being one of them.

Curtis Dukes

Edge still has an IE 11 compatibility mode you can leverage. Better still, provide a sandboxed browser for applications which still require IE 11. (And have a frank talk with your vendor/etc. about getting on current browsers.) IE 11 support was pretty much done last June. While Edge will support IE 11 mode through 2029, you really don’t want to be locked into that with changes to user technology and other browsers you’re going to want to adopt.

Lee Neely

At some point software becomes obsolete. While it takes courage, at that point it should be withdrawn from use by both the vendor and the users. That is particularly true for frequently patched code and for code where newer functionally equivalent code exists.

William Hugh Murray

2023-02-16

CommonSpirit Health Cyberattack Costs Top $150m to Date

A ransomware attack that targeted CommonSpirit Health last October has cost the organization at least $150 million so far, according to a quarterly financial report. The attack caused outages at multiple hospitals and exposed data belonging to more than 600,000 patients.

Editor's Note

The “at least $150M so far” works out to about $250 per patient, which is already high for a breach of this size. The phrase “cybersecurity incident” was listed a dozen times as the major reason for missing financial projections, and CommonSpirit Health stated they haven’t yet received any compensation from their cyberinsurance carrier. Even after any compensation there, this will be another example of cost to avoid being much less than the real financial impact of an incident.

John Pescatore

This attack could be much worse. They serve 20 million patients, so this is about 3 percent. Capturing the full cost of an incident is tricky, as you not only have recovery costs but also costs of incorporating alternates or workarounds and loss of existing and future business. Don’t let cost accounting distract you from building and testing DR plans; the better those are, including your ability to execute them, the more the cost and time to recover will be reduced, mitigating some of the non-IT costs/business impacts.

Lee Neely

Ransomware attacks affect every industry vertical and this journal article presents an excellent case study for board and company executive teams. Leadership teams often debate the cost of cybersecurity tools against profit margins. Let’s be clear: the cost of an effective vulnerability management program is far less than the cost of incident response, recovery, and impact to the company brand.

Curtis Dukes

2023-02-15

Community Health Systems Discloses Breach That Affected Patient Data

In a Form 8-K filing with the US Securities and Exchange Commission (SEC), Community Health Systems said that hackers exploited a vulnerability in Fortra’s GoAnywhere managed file transfer product to compromise patient data. The breach affected the protected health information (PHI) and other personal data of one million individuals.

Editor's Note

Threat actors exploited a vulnerability in their file transfer system which has a patch from February 7, 2023, and needs access to the administrator console to exploit. While we can’t know what vulnerabilities are present or will be discovered, we can secure access to administrative consoles to make it hard for threat actors to exploit as yet unknown weaknesses. You can also monitor those accesses, following up on any anomaly.

Lee Neely

The attack that affected Community Health Systems turned out to be a zero-day exploit. ‘Zero days’ are difficult to defend against until the vendor issues a patch. While that is of little solace to the million or so affected, the company did act responsibly once notified of the attack.

Curtis Dukes
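The notes above recommend restricting and monitoring access to administrative consoles. As an added example (written for this page, not Fortra's or any product's code), the Python below runs two simple anomaly checks over an admin-console audit log: a successful login from outside the management networks, and a success that follows a run of failed attempts from the same user and source. The "admin-console" line format, the management range and the sample addresses (RFC 5737 test space) are all constructed and do not represent the GoAnywhere log format.

```python
"""Anomaly checks over an administrative-console audit log.

Added example, not vendor code. The log format, management network and sample
addresses are constructed for this page. Two checks are implemented:
  (1) a successful console login from an address outside the management networks;
  (2) a successful login preceded by fail_threshold or more failed attempts for
      the same user and source address.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two operators log in from the management range; a
# source outside that range fails three times for "admin", then succeeds.
SAMPLE_LOG = """\
2023-02-10T09:02:11Z admin-console login user=ops1 src=10.50.1.20
2023-02-10T22:41:03Z admin-console failed_login user=admin src=198.51.100.7
2023-02-10T22:41:09Z admin-console failed_login user=admin src=198.51.100.7
2023-02-10T22:41:15Z admin-console failed_login user=admin src=198.51.100.7
2023-02-10T22:41:30Z admin-console login user=admin src=198.51.100.7
2023-02-11T08:15:44Z admin-console login user=ops2 src=10.50.1.31
"""

# Constructed: the bastion/VPN range from which console access is permitted.
MGMT_NETS = [ipaddress.ip_network("10.50.0.0/16")]

LINE = re.compile(
    r"^(?P<ts>\S+) admin-console (?P<event>login|failed_login) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse lines into event dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _in_mgmt(src: str, nets: list) -> bool:
    """True only when src parses as an address inside one of the allowed nets."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source address is never trusted
    return any(addr in n for n in nets)


def findings(events: list, mgmt_nets: list, fail_threshold: int = 3) -> list:
    """Return one finding dict per suspicious successful login."""
    fails = defaultdict(int)  # (user, src) -> failures since the last success
    out = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["event"] == "failed_login":
            fails[key] += 1
            continue
        # successful login: apply both checks
        if not _in_mgmt(ev["src"], mgmt_nets):
            out.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "src": ev["src"],
                        "reason": "login from address outside management networks"})
        if fails[key] >= fail_threshold:
            out.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "src": ev["src"],
                        "reason": f"successful login after {fails[key]} failed attempts"})
        fails[key] = 0
    return out


if __name__ == "__main__":
    for f in findings(parse_log(SAMPLE_LOG), MGMT_NETS):
        print(f)
```

The first check is the one that matters most: if the console is reachable only from a management network, a login from anywhere else is an alert by definition, whatever the vulnerability behind it. The failure-run check is a cheap complement for consoles that must stay exposed; tune fail_threshold to the console's lockout policy so that alerts fire before the lockout masks the activity.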

2023-02-15

US Customs and Border Protection Can Now Read e-Passports

US Customs and Border Protection (CBP) now has the ability to verify cryptographic signatures in passport RFID chips, which have been in use since 2006. CBP recently disclosed that they implemented the necessary software upgrades last spring.

Editor's Note

I’d like to see the DHS Office of Inspector General do an audit to make sure the software upgrades and the cryptographic verification are actually implemented correctly and working. Maybe it took 16 years to do just that, and the initial use on 3 million visitors did find 12 fraudulent actors, but crypto is easy to do badly and performance in production should be verified before trusted.

John Pescatore

This has been operating since June, after a mandate three years ago by two senators for CBP to implement the system as the e-passports had been issued for years. It is intended to catch people traveling with forged documents. It’s also designed to be less intrusive than facial recognition. Thus far, 12 fraudsters have been caught and the only challenge is recognizing e-passports issued by Andorra, a small country of about 80,000 between France and Spain.

Lee Neely

2023-02-16

CISA Adds Five Vulnerabilities to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog. Three are Microsoft issues that were addressed in this week’s Patch Tuesday: a security feature bypass vulnerability in Office and two privilege elevation vulnerabilities in Windows. The fourth is a type confusion vulnerability in Apple WebKit, which affects multiple products. The fifth is a command injection vulnerability in Cacti. The Microsoft and Apple vulnerabilities must be mitigated by March 7; the Cacti vulnerability has a mitigation due date of March 9.

Editor's Note

Even if you’re not bound to the KEV to report on addressing vulnerabilities, it’s a good idea to keep an eye on it, as it highlights vulnerabilities being actively exploited in the wild, along with the needed fixes, so there is no reason you can’t be prepared to resist those attacks. Adversaries are also looking at that catalog, so maybe don’t wait for the due date to implement fixes?

Lee Neely
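As an added example of the "keep an eye on the KEV" advice in this item and in the Patch Tuesday item above (code written for this page, not CISA tooling), the Python below parses a KEV-style JSON catalog, matches entries against an asset inventory, and ranks them by days remaining to the due date, with overdue entries first. The record layout follows the public KEV JSON feed's field names (vendorProject, product, dateAdded, dueDate); the five entries and their due dates are constructed from this item, the cveID values are placeholders rather than the real catalog identifiers, and INVENTORY is a made-up asset list.

```python
"""Triage of a CISA KEV-style catalog against an asset inventory.

Added example, not CISA tooling. The record layout follows the public KEV JSON
feed (vendorProject, product, dateAdded, dueDate, ...). The entries below are
constructed from the newsletter item: the cveID values are PLACEHOLDERS, not the
real catalog identifiers, and INVENTORY is a made-up asset list.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Microsoft", "product": "Office",
         "vulnerabilityName": "Security feature bypass (placeholder)",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Privilege elevation (placeholder)",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-0000-00003", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Privilege elevation (placeholder)",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-0000-00004", "vendorProject": "Apple", "product": "WebKit",
         "vulnerabilityName": "Type confusion (placeholder)",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-0000-00005", "vendorProject": "Cacti", "product": "Cacti",
         "vulnerabilityName": "Command injection (placeholder)",
         "dateAdded": "2023-02-16", "dueDate": "2023-03-09"},
    ],
})

# Constructed inventory: lower-cased (vendorProject, product) pairs we actually run.
INVENTORY = {("microsoft", "windows"), ("cacti", "cacti")}


def parse_catalog(blob: str) -> list:
    """Return the catalog's vulnerability records."""
    return json.loads(blob)["vulnerabilities"]


def _key(entry: dict) -> tuple:
    """Normalized (vendor, product) key; KEV naming varies in case and spacing."""
    return (entry["vendorProject"].strip().lower(), entry["product"].strip().lower())


def triage(entries: list, inventory: set, today_iso: str, horizon_days: int = 30) -> list:
    """Inventoried KEV entries due within horizon_days of today, most urgent first.

    Overdue entries have negative days_left and sort first; ties keep catalog order.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for e in entries:
        if _key(e) not in inventory:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if days_left <= horizon_days:
            rows.append({"cveID": e["cveID"], "product": e["product"],
                         "dueDate": e["dueDate"], "days_left": days_left,
                         "overdue": days_left < 0})
    return sorted(rows, key=lambda r: r["days_left"])


def added_since(entries: list, since_iso: str) -> list:
    """CVE IDs added on or after since_iso: an entry's arrival in the catalog, not
    its due date, is the signal that exploitation is happening now."""
    since = date.fromisoformat(since_iso)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_KEV_JSON)
    for row in triage(catalog, INVENTORY, "2023-02-17"):
        print(row)
    print("added since 2023-02-16:", added_since(catalog, "2023-02-16"))
```

Matching on vendor and product names is the weak point of this approach: the catalog's naming is not fully consistent, so a production version should correlate on CPE or on the CVE IDs reported by the vulnerability scanner rather than on strings. The added_since function is the one to run daily; the due date is a compliance deadline, not the date the risk starts.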

Internet Storm Center Tech Corner

HTML Phishing Attachment with Browser-in-the-Browser Technique

https://isc.sans.edu/diary/HTML+phishing+attachment+with+browserinthebrowser+technique/29556

DNS Recon Redux

https://isc.sans.edu/diary/DNS+Recon+Redux+Zone+Transfers+plus+a+time+machine+for+When+You+Cant+do+a+Zone+Transfer/29552

Microsoft February 2023 Patch Tuesday

https://isc.sans.edu/diary/Microsoft+February+2023+Patch+Tuesday/29548

Windows Server 2022 Might Not Start Up After Updates

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#windows-server-2022-might-not-start-up

New ESXiArgs Encryption Routine Outmaneuvers Recovery Methods

https://www.malwarebytes.com/blog/news/2023/02/new-esxiargs-encryption-routine-outmaneuvers-recovery-methods

PHP Updates

https://www.php.net

ClamAV Patches

https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

GitHub Copilot Update

https://github.blog/2023-02-14-github-copilot-now-has-a-better-ai-model-and-new-capabilities/

Hyundai Software Update

https://www.hyundaiantitheft.com

Citrix Patches CVE-2023-24486, CVE-2023-24484, CVE-2023-24485, and CVE-2023-24483

https://www.cisa.gov/uscert/ncas/current-activity/2023/02/14/citrix-releases-security-updates-workspace-apps-virtual-apps-and

HA Proxy Patch CVE-2023-25725

https://www.mail-archive.com/haproxy@formilux.org/msg43229.html

Firefox Patches

https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/

Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html

Intel OpenBMC Vulnerabilities

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00737.html