SANS NewsBites

Ivanti Vulnerabilities Exploited; Easy Patch Tuesday; Nine More Exploited Vulnerabilities

January 12, 2024  |  Volume XXVI - Issue #03

Top of the News


2024-01-10

Critical Ivanti Zero-days are Being Actively Exploited

A pair of vulnerabilities in Ivanti Connect Secure and Policy Secure are being actively exploited. There are currently no fixes available for the authentication bypass and command injection vulnerabilities. Ivanti expects to have fixes for the vulnerabilities available by January 22 and February 19, respectively. Users are advised to take steps to mitigate the issues until patches are available.

Editor's Note

Ivanti users should consult the excellent write-up by Volexity for details. Connect Secure used to be known as Pulse Secure before being acquired by Ivanti in 2020. The product has a rich vulnerability history and has frequently been used to breach corporate networks. Connect Secure has likely become expensive to maintain for Ivanti with its legacy Perl codebase and complex software architecture typical of a legacy product. This will make it difficult for Ivanti to invest in proactively identifying security vulnerabilities, relying on non-cooperating third parties to assist in identifying product flaws.

Johannes Ullrich

I had to look this up to make sure because Ivanti has been on an acquisition spree. This is affecting the old Juniper SSL VPN customers. There is still a pretty sizable set of companies running this tech.

Moses Frost

Ivanti has both published a mitigation you can download and install and provided IOCs you can incorporate into your threat hunting. They are providing guidance for upgrading to newer releases which have more expedited patch release cycles. The patch will be released the weeks of the 22nd of January to the 19th of February, depending on the product version you’re running.

Lee Neely

Given the ease with which the pair of vulnerabilities can be exploited, download and apply the mitigation procedures that Ivanti provides with great haste. You can expect that evildoers are now circling and targeting the VPN appliance.

Curtis Dukes

2024-01-10

Patch Tuesday January 2024

The first Patch Tuesday of 2024 includes nearly 50 fixes for Microsoft products as well as patches for vulnerabilities in Adobe, SAP, Cisco, and Android. Microsoft’s batch of fixes addresses two critical flaws; none of the Microsoft vulnerabilities are being actively exploited. Adobe released one update to fix 6 vulnerabilities in its Substance 3D Stager 3-D rendering software.

Editor's Note

While the Microsoft vulnerabilities are not actively exploited, CVE-2024-20674, a Kerberos security feature bypass flaw, has a CVSS score of 9.0 and exploit code is expected in under 30 days. As such, you’re going to want to get this update deployed quickly.

Lee Neely

2024-01-09

CISA Added Nine Vulnerabilities to KEV This Week

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added nine vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. They include command injection and authentication bypass vulnerabilities in Ivanti Connect Secure and Policy Secure, a privilege elevation vulnerability in Microsoft SharePoint Server, and two deserialization of untrusted data vulnerabilities in Adobe ColdFusion.

Editor's Note

No huge surprises here. Are you tracking the KEV catalog? It’s a good source of information on what’s being targeted to aid your decision-making processes. While you’re addressing these flaws, make sure you’re on track for lifecycle replacements - hint: ColdFusion.

Lee Neely

The Rest of the Week's News


2024-01-09

Nozomi Researchers Find Vulnerabilities in Network-Connected Pneumatic Torque Wrench

Researchers from Nozomi found 23 vulnerabilities in the Bosch Rexroth NXA015S-36V-B pneumatic torque wrench. The tool, which connects to local networks, is used on automotive production lines. The vulnerabilities could be exploited to infect the device with malware and disrupt production lines, or to alter tightening settings. No patches are currently available.

Editor's Note

The significance of this analysis does not rest in how these specific vulnerabilities might be maliciously exploited but in what it says about the development of appliances and the Internet of Things. One need not read very far into these reports to conclude that the source of the vulnerabilities is in gratuitous function (starting with an operating system) not essential to the operation, measurement, and reporting function of this tool. Avoiding vulnerabilities in single-use, purpose-built tools and appliances is not difficult. The problem arises from glitz, bells and whistles, features, and complexity that are not essential to the purpose. Starting with a general-purpose OS may make the developer's job a little easier but may not lead to a safe product.

William Hugh Murray

2024-01-11

Forescout Report on Danish and Ukrainian Energy Sector Attacks

Forescout has published a report, Clearing the Fog of War: A Critical Analysis of Recent Energy Sector Attacks in Denmark and Ukraine, which analyzes recent energy sector cyberattacks in Denmark and Ukraine. While the attacks have been tentatively attributed to a group of threat actors with ties to Russia, Forescout cautions that “dismissing these events as targeted to a specific country or organization(s) can put other vulnerable organizations at risk.”

Editor's Note

Ukraine being under an active cyber-attack is unsurprising. Denmark being included is as surprising as any other NATO country. In today’s world, you can imagine the amount of caution a vendor’s research team is taking in judging attribution when the stakes are high.

Moses Frost

2024-01-11

Fidelity National Financial Breach Affects 1.3 Million People

In an amended Form 8-K filed with the US Securities and Exchange Commission (SEC), Fidelity National Financial has disclosed that the cybersecurity incident it experienced last fall affects 1.3 million individuals. Fidelity National Financial, a title insurance and transaction company, first disclosed the incident in November 2023.

Editor's Note

The law of large numbers at work: FNF says they “…do not believe that the incident will have a material impact on the Company.” An incident this large is likely to have a hard cost in the $100M range, but since that is less than 2% of FNF’s reported 12-month profit of $6B, it is not “material” as far as regulators are concerned. But, if management had been convinced that spending $10M would have prevented the loss of $100M, they may have made that investment.

John Pescatore

Although most attention on ransomware events is focused on small- to medium-sized enterprises (K-12, healthcare), FNF proves that even Fortune 500 companies also fall victim. What’s even more interesting is that the company doesn’t believe it to be a ‘material’ event, thereby skirting some of the new SEC rules.

Curtis Dukes

2024-01-09

FTC Order Bars Outlogic from Sharing Location Data

The US Federal Trade Commission (FTC) has reached a settlement with data broker Outlogic, previously known as X-Mode Social, over its sale of people’s location data. The settlement requires Outlogic/X-Mode to cease sharing precise sensitive location data, destroy any such data that it currently holds, and take steps to prevent similar data abuse in the future.

Editor's Note

This is a signal to other data brokers to watch what they are sharing. Among other concerns, the FTC wants to ensure opt-out requests are honored. Not a wise move to be on the punitive side of the FTC, but they can’t police this entire subject area; congressional privacy legislation is also needed to support enforcement.

Lee Neely

2024-01-11

Microsoft: EU Cloud Users May Store Personal Data in Europe

Microsoft is making changes to its cloud computing structure to allow European Union (EU) cloud customers to store all their personal data within the EU. Over the past year, Microsoft started processing and storing some EU data within the region’s borders. The new arrangement will keep all personal data, including automatically generated information from system logs, within EU borders.

Editor's Note

This raises a point that is important to get across to your management: using cloud services does *not* mean having to allow your sensitive data to be stored in countries that don’t meet your regulatory requirements for protecting privacy. Similarly, if you are in the business of providing cloud services, your customers will increasingly have requirements for meeting higher national data privacy standards than the US has.

John Pescatore

This is a continuation of Microsoft’s efforts to abide by strict privacy laws within the EU. There was hope that the US and EU would reach agreement on data sharing, but in the end, this is the most effective way for CSPs to abide by national privacy laws. Expect other CSPs to follow Microsoft’s lead.

Curtis Dukes

Microsoft has a vast EU presence, unsurprisingly, so it makes perfect sense for them to focus on EU-based privacy and data sovereignty.

Moses Frost

2024-01-11

Vulnerabilities in Two WordPress Plugins

In separate stories, researchers have found vulnerabilities in two WordPress plugins: POST SMTP Mailer and AI Engine. There are two vulnerabilities in POST SMTP Mailer: a critical authorization bypass flaw and a cross-site scripting issue. The plugin has more than 300,000 downloads. The AI Engine plugin for WordPress contains an unauthenticated arbitrary file upload vulnerability; the plugin has 50,000+ active installations.

Editor's Note

Wordfence provided a firewall rule for the POST SMTP Mailer paid and free customers on January 3rd and February 2nd, respectively. Most importantly, make sure that you have the updated plugins: 2.8.8 for POST SMTP and 1.9.99 for AI Engine. Assume attackers are actively looking for known vulnerable plugins on WordPress sites.

Lee Neely

WordPress’s market share is 43% of all websites. For content management systems, its global market share is even higher. Unfortunately, plugins are its Achilles heel. The best protection is to maintain patch diligence and include a firewall to monitor and filter web traffic.

Curtis Dukes

It should no longer be necessary to point out that WordPress plugins are a source of vulnerability for websites, that most come with no representations of quality, that they should not be used by default but only by design and intent, and that when used they must be diligently managed. The issue is plugins in general rather than these two.

William Hugh Murray

Internet Storm Center Tech Corner

Microsoft January 2024 Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+January+2024+Patch+Tuesday/30548/

Adobe Vulnerabilities

https://helpx.adobe.com/security/products/substance3d_stager/apsb24-06.html

Jenkins Brute Force Scans

https://isc.sans.edu/diary/Jenkins+Brute+Force+Scans/30546

Timeline to Remove DSA Support in OpenSSH

https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-January/000156.html

Juniper Patches

https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=%40sfcec_community_publish_date_formula__c%20descending&numberOfResults=50&f:ctype=[Security%20Advisories]

ManageEngine ADSelfService Plus Patch CVE-2024-0252

https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html

Atomic Stealer for Mac Update

https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version

Ivanti Connect Secure VPN Vulnerability Exploited

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

Zoom Privilege Escalation Vulnerability

https://www.zoom.com/en/trust/security-bulletin/ZSB-24001/

Apache Applications Targeted by Stealthy Attacker

https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker

Infosec Toolshed

https://youtu.be/qDK1PQ1OZjk?si=_vTpHqlovD2Hjd4M

CVE-2023-50916: Authentication Coercion Vulnerability in Kyocera Device Manager

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-50916-authentication-coercion-vulnerability-in-kyocera-device-manager/

Network Connected Wrenches Used in Factories can be hacked

https://arstechnica.com/security/2024/01/network-connected-wrenches-used-in-factories-can-be-hacked-for-sabotage-or-ransomware/