Ivanti has released fixes to address a critical authentication bypass vulnerability that affects all supported versions of its endpoint management platform. Ivanti has acknowledged that the flaw is being actively exploited and urges users to update to the most recent versions of Ivanti Endpoint Manager Mobile. The flaw was exploited in a cyberattack that affected networks at a dozen Norwegian government ministries. The US Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti flaw to its Known Exploited Vulnerabilities catalog on July 25.
CVE-2023-35078, remote authentication bypass, gets a (perfect) CVSS score of 10. This flaw affects all the supported as well as older unsupported versions of Ivanti EPMM (formerly MobileIron Core). The reason you may not have heard the connection to the attack on the Norwegian government sites is that information was being held back until the patch had been released from Ivanti. Ivanti is also actively engaging with customers to get the patch applied as well as help investigate compromises where needed. If you're an Ivanti site, make sure that not only are you running a supported patched version but also that you're following their latest security guidance.
Ivanti’s Endpoint Manager Mobile (formerly MobileIron) has a 37% market share in the mobile device management market. That’s a sizeable target market for evil-doers. Heed the vendor advice, download and install the patch now.
The Register
SC Magazine
Gov Infosecurity
Dark Reading
Bleeping Computer
Ivanti
The US Securities and Exchange Commission (SEC) has issued a final rule that requires publicly traded companies to report material cyber incidents within four days. Exceptions can be made if the US Attorney General determines that disclosure of the incident would pose a threat to national security. In addition, in 2022, the SEC proposed requiring companies to have a cybersecurity expert on their board of directors. The SEC has now backed off from that requirement, instead “requir[ing] registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.”
The four day reporting requirement is in line with long-standing SEC requirements for material financial event disclosures – not unreasonable. A sidenote: as part of this rule making, the SEC decided to NOT require Boards of Directors to disclose cybersecurity expertise on the board, which may cut into demand for CISOs as directors.
There’s been a lot of debate in this country on when a cyber incident should be reported. Some have advocated for as little as 24 hours; others, only report once an incident has been contained. Four days, or 96 hours, seems about right. Additionally, the SEC change on requiring a cybersecurity expert on the board reflects not only their oversight responsibility but equally important, the role of company leadership to manage risk to include cyber incidents. A reasonable rule change by the SEC.
Make sure that you've got all your required reporting intervals tracked. I remember having notification windows as short as 24 hours for PII breaches, so make sure you're tracking them; missing the windows can be awkward. As the SEC is backing down on required cyber expertise in the boardroom, CISOs will need to actively work to maintain the relationship with the CEO/board so they have a seat at the table when needed. If you're uncertain how to talk to the board effectively, work with the CEO to resolve that.
Material to investors, not other constituents, e.g., customers, employees. The four day clock begins to tick when it is determined that the incident is material, not when the breach or compromise is first detected; counsel may want to engage with the SEC earlier. Note that there may be other reporting requirements to other agencies, e.g., CISA. Note that under this rule Microsoft would not have to report the compromise of its signing key to the SEC, even though it has an impact on infrastructure.
SEC
SEC
Dark Reading
The Register
SC Magazine
Gov Infosecurity
Researchers at Wiz have detected two privilege elevation vulnerabilities in the OverlayFS module in Ubuntu. One of the vulnerabilities involved inadequate permission checks; the second involves a race condition in the Linux kernel management subsystem. The issues affect 40 percent of Ubuntu cloud workloads.
This is an interesting vulnerability and shows some of the risks of modifying software components. Ubuntu modified a critical feature of the OverlayFS driver, which later resulted in Ubuntu not correctly incorporating a security fix released for the Linux kernel.
The issue is that Ubuntu uses the OverlayFS, a union mount file system, with specific modifications from 2018, which were safe, but when the Linux kernel project made changes to the OverlayFS in 2019 & 2022, they conflicted with Ubuntu's changes resulting in the two flaws. (CVE-2023-2640, CVSS score 7.8 and CVE-2023-32629, CVSS score 5.4.) This means those flaws have been out there for a while, and weaponized exploits are publicly available. The fix is to apply the listed package updates in the Ubuntu security bulletin USN-6250-1: Linux kernel vulnerabilities (https://ubuntu.com/security/notices/USN-6250-1) and reboot. Linux distributions with the non-customized OverlayFS are not impacted.
Wiz
Dark Reading
SC Magazine
Bleeping Computer
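A check to go with the patch-and-reboot advice in the comment above, added here and not part of the Wiz write-up or Ubuntu's advisory: the USN-6250-1 packages only take effect once the host is running the new kernel, and a patched-but-not-rebooted machine is easy to miss in a fleet. The script assumes Ubuntu's usual kernel release naming (`<upstream>-<ABI>-<flavor>`, e.g. `5.15.0-78-generic`) and that installed kernels can be listed from the `/boot/vmlinuz-*` images; the version strings in the usage are constructed. A newer installed kernel only tells you the reboot is pending; whether that kernel is the USN-6250-1 build still has to be compared against the advisory itself.

```python
"""Added example (not from Wiz or Ubuntu): decide whether a host that has
received new kernel packages is still running the old kernel, i.e.
whether the reboot the fix needs is outstanding.

Assumptions: Ubuntu kernel release strings look like "5.15.0-78-generic"
(<upstream>-<ABI>-<flavor>); installed kernels can be listed from the
/boot/vmlinuz-* images.
"""
import glob
import os
import re
from typing import Iterable, List, Optional, Tuple

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-(.+)$")


def parse_release(release: str) -> Tuple[Tuple[int, int, int, int], str]:
    """Split "5.15.0-78-generic" into ((5, 15, 0, 78), "generic").

    The ABI number (78 here) is the part a security update bumps, so a
    plain tuple comparison orders releases correctly within a series.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi, flavor = m.groups()
    return (int(major), int(minor), int(patch), int(abi)), flavor


def newest_installed(releases: Iterable[str], flavor: str) -> Optional[str]:
    """Newest release among `releases` with the same flavor as the running
    kernel; other flavors (lowlatency, aws, ...) are ignored because the
    boot loader will not switch flavor on its own."""
    best: Optional[Tuple[Tuple[int, int, int, int], str]] = None
    for rel in releases:
        try:
            key, fl = parse_release(rel)
        except ValueError:
            continue  # e.g. a custom kernel name; not comparable
        if fl == flavor and (best is None or key > best[0]):
            best = (key, rel)
    return best[1] if best else None


def reboot_needed(running: str, installed: Iterable[str]) -> bool:
    """True when an installed kernel is newer than the running one."""
    run_key, flavor = parse_release(running)
    newest = newest_installed(installed, flavor)
    return newest is not None and parse_release(newest)[0] > run_key


def installed_releases_from_boot(boot_dir: str = "/boot") -> List[str]:
    """Release strings of the kernel images present in /boot."""
    prefix = os.path.join(boot_dir, "vmlinuz-")
    return [p[len(prefix):] for p in glob.glob(prefix + "*")]


if __name__ == "__main__":
    # Constructed demo values; on a real host use os.uname().release and
    # installed_releases_from_boot() instead.
    running_demo = "5.15.0-76-generic"
    installed_demo = ["5.15.0-76-generic", "5.15.0-78-generic"]
    print(running_demo, installed_demo, "->",
          "reboot needed" if reboot_needed(running_demo, installed_demo)
          else "running the newest installed kernel")
    print("this host:", os.uname().release, installed_releases_from_boot())
```

Run it on the host itself and the last line reports the live state; a `True` from `reboot_needed` on a machine that already received the update is exactly the "patched on paper, still vulnerable" case the comment warns about.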
According to a paper authored by researchers from George Mason University and Dougherty Valley High School, Python security commits are often “silent,” meaning they lack CVE identifiers, which hinders the ability of developers who are not security experts to update to fixed versions of commits. In the paper, the researchers “construct the first security commit dataset in Python, namely PySecDB … and propose a new graph representation named CommitCPG and a multi-attributed graph learning model named SCOPY to identify the security commit candidates through both sequential and structural code semantics.”
It never helps to hide security flaws. I think this is a great effort to bring to light some of the flaws being patched silently, and looking forward how PySecDB will evolve.
Great to see a high school researcher involved in bringing this forward!
Having a structure and framework for consistently identifying security fixes will help downstream users of your code understand what's being addressed as part of ongoing supply chain risk management activities. While PySecDB is only available for non-commercial research or personal use, it moves the bar in the right direction.
A critical privilege elevation vulnerability in RouterOS affects as many as 900,000 MikroTik routers. The flaw could be exploited to gain complete control of the devices and from there, gain entry to organizations’ networks. MikroTik has released updates to address the vulnerable versions of RouterOS. Users are urged to upgrade to RouterOS stable version 6.49.7 or newer, or RouterOS long-term version 6.49.8 or newer.
This vulnerability is a privilege escalation issue that can be used if the attacker already has access to the specific router. Overall, this isn't a huge deal, but may allow attackers to evade detection and prevent attempts to evict the attacker from the router.
This started as a vulnerability without a CVE, presented at REcon in June 2023 by Margin Research employees, along with an exploit called FOISted which could get a root shell. The 500,000-900,000 vulnerable routers are indexed by Shodan, making them easy to find. While you need credentials to exploit the flaw, odds are many of those routers still have default or weak credentials, as the router doesn't enforce any sort of password strength. You need to do three things: update the firmware, make sure that you've got strong credentials, and disable WAN-based administration.
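Two of the three steps in the comment above can be checked from a configuration export; the following audit is an added example, not MikroTik tooling. It assumes the dump comes from `/export verbose` (so every service is listed), starts with the usual `# <date> by RouterOS <version>` header, and has an `/ip service` section of `set <service> key=value ...` lines; the `SAMPLE_EXPORT` is constructed. The fixed releases are the ones quoted in the item (6.49.7 stable, 6.49.8 long-term); an export does not say which branch is installed, so 6.49.7 is flagged for manual confirmation, and RouterOS 7 is outside what the check assesses. Passwords are never written to an export, so the credential-strength step stays manual.

```python
"""Added example, not MikroTik tooling: audit a RouterOS `/export verbose`
dump for the firmware version and for management services reachable
from any source address.

Assumptions: header line "# <date> by RouterOS <ver>", an "/ip service"
section of "set <service> key=value ..." lines, and the fixed releases
quoted in the news item (6.49.7 stable, 6.49.8 long-term).
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_STABLE = (6, 49, 7)
FIXED_LONGTERM = (6, 49, 8)
MGMT_SERVICES = {"telnet", "ftp", "www", "www-ssl", "ssh", "api", "api-ssl", "winbox"}
PLAINTEXT_SERVICES = {"telnet", "ftp", "www", "api"}

_KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

# Constructed sample: web UI, API and WinBox enabled with no source
# address restriction, SSH restricted to the LAN, firmware below 6.49.7.
SAMPLE_EXPORT = """\
# jul/28/2023 09:12:01 by RouterOS 6.48.6
# software id = ABCD-1234
#
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=no
set ssh address=192.168.88.0/24 disabled=no
set www-ssl certificate=none disabled=yes
set api disabled=no
set winbox disabled=no
set api-ssl certificate=none disabled=yes
"""


def parse_version(export_text: str) -> Optional[Tuple[int, ...]]:
    """Version tuple from the "# ... by RouterOS 6.48.6" header, if present."""
    m = re.search(r"^#.*by RouterOS (\d+)\.(\d+)(?:\.(\d+))?", export_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(x) for x in m.groups() if x is not None)


def parse_services(export_text: str) -> List[Dict[str, str]]:
    """`set <name> k=v ...` entries of the /ip service section as dicts."""
    services: List[Dict[str, str]] = []
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            in_section = line == "/ip service"
            continue
        parts = line.split(None, 2)
        if not in_section or parts[0] != "set" or len(parts) < 2 or "=" in parts[1]:
            continue
        entry = {"name": parts[1]}
        for key, value in _KV_RE.findall(parts[2] if len(parts) > 2 else ""):
            entry[key] = value.strip('"')
        services.append(entry)
    return services


def version_finding(version: Optional[Tuple[int, ...]]) -> Optional[str]:
    """None when the version is at or above the fixed release."""
    if version is None:
        return "could not read the RouterOS version from the export header"
    text = ".".join(map(str, version))
    if version[0] != 6:
        return f"RouterOS {text}: the 6.49.x fixed releases quoted do not apply; check vendor guidance for this branch"
    if version < FIXED_STABLE:
        return f"RouterOS {text} is below 6.49.7 (stable) / 6.49.8 (long-term): upgrade"
    if version < FIXED_LONGTERM:
        return f"RouterOS {text} is fixed on the stable branch only; confirm the branch (long-term needs 6.49.8)"
    return None


def audit(export_text: str) -> List[Tuple[str, str]]:
    """(subject, finding) pairs; an empty list means nothing to report."""
    findings: List[Tuple[str, str]] = []
    vf = version_finding(parse_version(export_text))
    if vf:
        findings.append(("version", vf))
    seen = set()
    for svc in parse_services(export_text):
        name = svc["name"]
        if name not in MGMT_SERVICES:
            continue
        seen.add(name)
        if svc.get("disabled") == "yes":
            continue
        if name in PLAINTEXT_SERVICES:
            findings.append((name, "plaintext management service enabled; disable it or use the SSH/TLS equivalent"))
        if not svc.get("address"):
            findings.append((name, "enabled with no address= restriction, so reachable from any source the firewall lets through; restrict to management subnets or disable"))
    for name in sorted(MGMT_SERVICES - seen):
        findings.append((name, "not present in the export; rerun with /export verbose to confirm its state"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_EXPORT):
        print(f"[{subject}] {finding}")
```

An empty result from `audit` means the version is at a fixed release and every management service is either disabled or bound to an `address=` list; the remaining step, a strong `admin` password, has to be set and verified on the device itself since it never appears in an export.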
More than 500 organizations are now believed to have been affected by the MOVEit file transfer software vulnerability. One of the more recently disclosed victims is Maximus, a US government services contractor. Maximus disclosed the incident in a July 26 form 8-K filing with the US Securities and Exchange Commission (SEC), noting that the breach affected personal data belonging to between eight and 11 million individuals. Accounting company Deloitte has also confirmed that it is a victim of a MOVEit-enabled attack.
Just as prior lists of file transfer service victims continued to grow, expect the same with MOVEit. The latest members of the club include Chuck E. Cheese (the pizza and birthday party chain), Deloitte, the Hallmark Channel and Maximus. While patches are now regularly provided for MOVEit, it's still an active target, effectively blood in the water when detected, patched or not. It's time to MOVEon to another solution.
The steady increase in victims exploited by MOVEit is to be expected. The vulnerability was first announced o/a 31 May. A series of patches were then made available starting on 15 June. That gap provided plenty of time for evil-doers to find targets and exploit. This incident should serve as a case study as organizations revisit their patch management and incident response plans.
Maximus
Security Week
Bleeping Computer
Gov Infosecurity
The Register
The US Transportation Security Administration (TSA) has published updated cybersecurity requirements for owners and operators of oil and natural gas pipelines. The original security directive was issued in 2021 and was updated a year ago.
The updated guidance from TSA is a mixed bag, some good, some frankly odd rule changes. Two that stand out: 1) the requirement for Owner/Operators to include TSA specified Critical Cyber Systems; and, 2) a Cybersecurity Assessment Plan where only a third of the controls need to be audited per year. To me, it isn’t clear that TSA knows what controls (err critical cyber systems) are effective in mitigating attacks, yet they are the decider for a privately owned company. What’s completely odd is that the critical infrastructure provider is only required to assess a third of their critical security controls per year. Seems that you would define a common set of critical security controls that are implementable and then measure on a frequent basis. One example of that approach is the CIS Critical Security Controls, implementation group 1.
A few changes here. These are good enhancements intended to ensure the cybersecurity measures are implemented, functioning and incidents can be responded to reliably. Required cybersecurity implementation plans must now be tested and evaluated, according to an operator provided schedule, as well as provide an annual report. Additionally, the required incident response plan must also be tested on at least two objectives of that plan. The requirements, while reasonable, will need appropriate resources and priority, or we'll only have more plans and reports filling our digital shelves.
TSA
Security Week
The Record
Energy Portal
CardioComm Solutions, a provider of heart-monitoring technologies, has disclosed “a cybersecurity incident on the Company’s servers.” Earlier this week, CardioComm said its services were experiencing downtime, which has affected several products, including HeartCheck CardiBeat, a handheld electrocardiogram monitor, and the company’s Global Cardio 3 and Home Flex software.
While early reporting does not indicate loss of user data, it is having a catastrophic effect on business operations. As this incident and CardioComm Solutions' response to it plays out, it will make a great use case for boards to discuss from a risk management perspective (e.g., what cyber related business risks were CardioComm managing).
The incident is confined to company servers, not client server environments. As such they don't believe any customer health information has been compromised as that is not collected by their servers. Even so, they are proactively taking actions commensurate with identity theft protections in case they are needed. If you have their client server, make sure that you've properly secured and isolated it, keeping an eye out for added guidance or patches from CardioComm.
Zimbra has released an update to address a vulnerability in Zimbra Collaboration Suite Version 8.8.15 that can be exploited to conduct reflected cross-site scripting attacks. When the flaw was first disclosed earlier this month, Zimbra advised users to implement a manual fix until the patch became available.
CISA added CVE-2023-37580, a reflected XSS flaw, to the KEV catalog with a due date of August 17th. This is another case of unsanitized input being leveraged. The good news is the fix is an easy one, albeit manual. You need to edit the momoveto script, adding the escapeXml filter on the input. No downtime, just verify things work.
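The general shape of the bug and of the one-line fix described above, as an added example rather than Zimbra's own code: a request parameter reflected into an HTML attribute verbatim, next to the same line with the value encoded for the attribute context. Python's `html.escape(quote=True)` stands in for JSP's `fn:escapeXml()`; the `momoveto` line itself is not reproduced, and the payload and markup below are constructed.

```python
"""Added example, not Zimbra's code: a reflected request parameter inside
an HTML attribute, unescaped (vulnerable) and escaped (hardened), with a
parser-based check that shows what a browser would see in each case.

html.escape(quote=True) plays the role of fn:escapeXml(); the payload and
markup are constructed.
"""
import html
from html.parser import HTMLParser
from typing import List


def render_hidden_input_unsafe(st: str) -> str:
    """Vulnerable pattern: the value lands in the attribute verbatim."""
    return f'<input name="st" type="hidden" value="{st}"/>'


def render_hidden_input_safe(st: str) -> str:
    """Hardened: encode for the attribute context.  quote=True is the part
    that matters here; escaping only < and > would leave the closing "
    in place and the break-out would still work."""
    return f'<input name="st" type="hidden" value="{html.escape(st, quote=True)}"/>'


class _TagCollector(HTMLParser):
    """Records every element the parser sees, self-closing ones included."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tag_names(markup: str) -> List[str]:
    """Element names in `markup`; a reflected value that injects markup
    shows up as extra elements beyond the single <input>."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


PAYLOAD = '"><script>alert(1)</script>'  # constructed break-out test value

if __name__ == "__main__":
    for render in (render_hidden_input_unsafe, render_hidden_input_safe):
        markup = render(PAYLOAD)
        print(render.__name__, tag_names(markup))
        print("   ", markup)
```

The unescaped render yields two elements, `input` and an attacker-supplied `script`, while the escaped render yields only the `input` with the payload preserved inside its `value` attribute; that is the "verify things work" step in miniature, since the parameter still round-trips, it just can no longer close the attribute.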
Suspicious IP Addresses Avoided By Malware Samples
https://isc.sans.edu/diary/Suspicious+IP+Addresses+Avoided+by+Malware+Samples/30068
Ubuntu OverlayFS Vulnerability
https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability
PySecDB: Security Commit Dataset in Python
https://github.com/SunLab-GMU/PySecDB
Sophos UTM Patch
https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=utm&versionID=9.7
Aruba Patches
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt
Messaging Layer Security (MLS) Protocol
https://datatracker.ietf.org/doc/html/rfc9420
CISA Warns of Insecure Direct Object Reference Vulnerabilities
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-208a
MacOS Infostealer
Ivanti Patches Endpoint Manager Mobile
Atlassian Patches
https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html
AMD Zen-2 Vulnerability
https://lock.cmpxchg8b.com/zenbleed.html
VMWare CVE-2023-20891