OpenSSH regreSSHion Vulnerability; Juniper Releases Patches for Critical Session Smart Router Flaw; Threat Actor are Targeting EoL D-Link Routers

This is a signal handler race condition. When a user doesn't login in the LoginGraceTime interval (600 seconds default) and sshd is sent a SIGALRM asynchronously, attackers can take advantage of functions, such as syslog(), which are not async-signal safe. The tricky part is identifying the vulnerable versions of OpenSSH. OpenSSH versions before 4.4p1 are vulnerable, 4.4p1 up to, but not including 8.5p1 are not vulnerable due to a patch for CVE-2006-5051), while versions 8.5p1 up to, but not including 9.8p1 are vulnerable due to removal a critical component which blocks the exploit. OpenBSD systems are unaffected due to security mechanisms included in that OS since 2001. The optimal fix is to apply the patches when released for your distribution. In the meantime, limit access to SSH services, using network-based controls, not through controls in your OpenSSH service as well as monitor SSH connections for abuse, particularly Internet facing ones.

Lee Neely

Race condition vulnerabilities can be finicky to exploit and require a different skill set to master. That said, given upwards of 700K potential victims, evil doers are paying attention. Prudence dictates downloading and patching as updates become available.

Curtis Dukes

CVE-2024-2973, API authentication bypass flaw, CVSS 3.1 or 4.0 score of 10.0 should get your attention. Juniper has updated SS$-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts and subsequent versions. Make sure you're on one of those versions. Juniper claims the fix is applied automatically on managed routers by a Conductor or on WAN assurance routers. The fix can be applied without downtime to the router, it may impact the web-based and API management for up to 30 seconds. That should make this far easier to deploy than updates which disrupt user traffic.

Lee Neely

CVE-2024-0769, path traversal flaw in a HTTP POST, CVSS score of 9.8, had POC exploit code published in January. Regardless of whether the D-Link DIR-859 routers were supported in January, at this point, these are EOL devices you need to replace them, like now, then excess the old ones, don't leave them where someone could redeploy them, and the vulnerability.

Lee Neely

Individuals/organizations should always plan for HW/SW obsolescence, especially when the vendor announces that a product is no longer be supported. That's a no-brainer and widely recognized security best practice. Otherwise, you become a target and the question the court will be asking is harm caused by this lapse in security judgment.

Curtis Dukes

Cisco has assigned CVE-2024-20399 a CVSS score of 6.0. While the exploit requires existing administrative credentials, the exploit allows execution of commands as root in the underlying OS. Devices running the Cisco NX-OS without the bash-shell feature, you're likely vulnerable. There are no workarounds, so you'll need to apply the update as well as verify that your device has sufficient memory as well as meet hardware and software requirements for continued support.

Lee Neely

On the surface, these draft cybersecurity rules seem reasonable and easily implementable. The only one that is questionable is the 24-hour notification of equipment defect. Equipment defects should already be accounted for in the contingency plan for delivering alerts to the public.

Curtis Dukes

With luck, this will reduce or eliminate abuses of emergency alert and warning systems. If you are using such a system in your shop, make sure that you've not opened yourself up to abuse in the name of making things easier in a disaster. Keep an eye on these rules as they finalize for suggestions to keep the bar sufficiently high.

Lee Neely

Not backing up one's data in today's hyper-connected, hyper-informed world is mystifying, especially for government. Revisit CIS Critical Security Control 11, Data Recovery, and its five safeguards. Yes, there is a cost in time and resources but there comes a day.

Curtis Dukes

Beware of services which are offered as optional. It makes the acceptance much easier, but you can wind up with gaps in your defenses. Decide whether you want to accept alternate solutions, which you want to verify meet the same requirements as your standard offering or set a deadline by which your standard services are required. Make sure that you can monitor for use, as well as having some tangible consequences for non-compliance. During an incident is not the time to discover services are not backed up.

Lee Neely

The Evil Twin attack leverages preferred networks in your device, so it's a good idea to prune that list. In addition, make sure devices are not configured to AutoConnect to discovered hotspots, and that users are trained on proper protocols for using non-corporate WiFi - such as VPNs. Don't assume that since most services operate over TLS, they are then immune from MITM or SSL downgrade scenarios. Reduce the odds of success by leveraging HSTS and SSL preload configurations on services you control.

Lee Neely

Credential harvesting is a leading attack technique used by cybercriminals. Mimicking public WiFi via a rogue hotspot, only increases the likelihood of success as they are difficult to identify, and users need to remain online. Protect your accounts with multi-factor authentication.

Curtis Dukes

The Arc browser is being touted as the Chrome replacement (calmer and more personal user experience) you're looking for. Users who download the fake DMG file are prompted to install Arc by right-clicking and opening rather than the traditional double click or drag to Applications folder. The right-click mechanism bypasses the restriction that prevents installation of apps not signed by an Apple vetted developer. Make sure your user training includes caution around not just installing applications from known good sources, but also standard mechanisms.

Lee Neely

In essence, if you were communicating with Microsoft Corporate accounts, which were compromised during the Midnight Blizzard campaign, back in April, you'll be notified. Microsoft has created a portal for you to view the affected emails, which could be mistaken for a phishing attack, so read carefully.

Lee Neely

While it's distressing that the affected user counts have increased so much, it's good to see the institutions discovering and disclosing the full scope of the incident. Having been, as many of you have as well, a member of at least one group with exfiltrated information, I can attest it's important to know sooner than later when you're affected, which is why I advocate having ID theft and credit monitoring/restoration services regardless of your information being compromised.

Lee Neely