The US Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) database, including a Microsoft SharePoint deserialization flaw (CVE-2024-38094) that was initially disclosed in July. The other flaws added to KEV are an unspecified vulnerability in ScienceLogic SL1; a missing authentication vulnerability in Fortinet FortiManager (see story below); a cross-site scripting (XSS) vulnerability in RoundCube Webmail; and a denial-of-service vulnerability in Cisco ASA and FTD (see story below).
The fix for SharePoint has been out for three months; it should already be in place. The KEV due date is November 12. Ask why you're still running SharePoint on premises, and, if viable, insist on a plan to move to the hosted version.
With these additions, CISA is up to 150 KEV entries for 2024. In comparison, VulnCheck had over 390 in the first 6 months. Why the disparity in numbers? Bottom line: defenders are best served by updating their software as patches become available; don't wait for it to be catalogued in a known exploited vulnerability database.
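A small triage helper, added here as an example and not part of the newsletter, that reads a document in the shape of CISA's KEV JSON feed and reports the days remaining to each KEV due date for CVEs you have not yet patched. The feed excerpt is constructed from the two CVEs and due dates quoted above (not the real feed), and the vCenter CVE in the hypothetical unpatched list is there to show that a CVE absent from KEV is still reported rather than dropped, which is the point of the note above.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (not the real feed).
# The CVE IDs and due dates are the ones quoted in the newsletter; the
# "requiredAction" text is a placeholder.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-38094", "vendorProject": "Microsoft",
         "product": "SharePoint", "dueDate": "2024-11-12",
         "requiredAction": "placeholder: apply vendor updates"},
        {"cveID": "CVE-2024-47575", "vendorProject": "Fortinet",
         "product": "FortiManager", "dueDate": "2024-11-13",
         "requiredAction": "placeholder: apply vendor updates"},
    ],
})


def kev_due_dates(kev_json: str) -> dict:
    """Map cveID -> due date (datetime.date) for every entry in a KEV document."""
    feed = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in feed["vulnerabilities"]}


def triage(kev_json: str, unpatched: list, today: date) -> list:
    """Return (cve, due_date_iso, days_left) for each unpatched CVE.
    days_left is negative once the KEV due date has passed. A CVE that is
    not in KEV is kept with (None, None) rather than dropped: absence from
    the catalog is not a reason to postpone a patch.
    """
    due = kev_due_dates(kev_json)
    rows = []
    for cve in unpatched:
        if cve in due:
            rows.append((cve, due[cve].isoformat(), (due[cve] - today).days))
        else:
            rows.append((cve, None, None))
    # KEV entries first, most urgent (smallest days_left) at the top.
    rows.sort(key=lambda r: (r[2] is None, r[2] if r[2] is not None else 0))
    return rows


if __name__ == "__main__":
    # Hypothetical unpatched set: the two KEV CVEs above plus the vCenter CVE.
    for row in triage(SAMPLE_KEV_JSON,
                      ["CVE-2024-38812", "CVE-2024-47575", "CVE-2024-38094"],
                      date(2024, 10, 25)):
        print(row)
```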
Fortinet privately informed customers about a remote code execution flaw in FortiManager, and is receiving criticism for waiting days to publish a public advisory. CVE-2024-47575 is rated critical (CVSS 9.8), and allows remote code execution due to "missing authentication for critical function ... in FortiManager fgfmd daemon." While some specifics remain unclear, independent researcher Kevin Beaumont posits the issue is "a default FortiManager setting that allows devices with unknown or unauthorized serial numbers to register themselves into an organization's FortiManager dashboard." The US Cybersecurity and Infrastructure Security Agency (CISA) says this vulnerability is actively being exploited in the wild, and has added it to the Known Exploited Vulnerability database. Analysts at Mandiant consider this a "mass exploit situation," which they believe to be ongoing since June 27, 2024, tracked as threat cluster UNC5820. Fortinet urges users of FortiManager 7.6 and below to update, detailing version-specific workarounds.
Fortinet recently released an analysis of exploitation of zero-day flaws in Ivanti's products but seems to be much more closemouthed on actively exploited vulnerabilities in their own products. This is not good for Fortinet's customers or anyone else. Fortinet management should issue a statement on how they plan to change whatever corporate policies are driving this behavior.
Fortinet has historically remained opaque about vulnerabilities and their details. Target updating to the latest version of 7.6 rather than remaining on a patched but older version. CVE-2024-47575 has a CVSS score of 9.8, and doesn't look that hard to exploit. The KEV due date is November 13; I suggest you deploy before Halloween.
An interesting debate: should the vendor privately inform its users of a critical vulnerability first before going public, or simply default to public announcement? Both have advantages and disadvantages. Regardless, Fortinet product users should update their software now.
Fortiguard
Mandiant
Ars Technica
The Register
Security Week
NIST
Cisco has released updates to address an actively exploited denial-of-service vulnerability affecting the Remote Access VPN service in their Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The issue is due to resource exhaustion. While the vulnerability is rated medium severity, it is being actively exploited and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Cisco's advisory includes a list of affected products as well as a list of indicators of compromise.
This is being categorized as an emergency patch release. That should be an indication to you about the seriousness of the flaw and associated exploit activity. KEV due date is November 14.
Cisco
Security Week
The Hacker News
The Register
NVD
In the Microsoft Threat Intelligence Briefing video in the first story of Rest of the News, Health-ISAC CSO Errol Weiss says ISACs are like 'virtual neighborhood watch programs.' ISACs provide a hub for sharing sector-specific threat information. In the words of the National Council of ISACs, the 'ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.'
We encourage you to find out more about ISACs here:
National Council of ISACs: https://www.nationalisacs.org/about-isacs
Microsoft's report, "US Healthcare at risk: Strengthening resiliency against ransomware attacks," is packed with facts and data about how cybersecurity incidents in the healthcare sector affect patient care, including the ripple effect at healthcare facilities closest to those affected by breaches. In a video Threat Intelligence Briefing, Sherrod DeGrippo, Director of Threat Intelligence Strategy for Microsoft Threat Intelligence first leads a roundtable discussion with Microsoft senior security researchers and the Health-ISAC's CSO. She then visits the University of California San Diego's (UCSD's) Center for Healthcare Cybersecurity where she speaks with doctors about how ransomware attacks affect patients and healthcare providers and how they envision helping healthcare providers improve outcomes in these dangerous and frustrating situations.
If you work in healthcare, you can find plenty of numbers in this report to help you fight for budget, but really nothing new or all that impactful. Summary: like all other sectors, healthcare has been slow to move away from reusable passwords, which has resulted in many expensive, damaging ransomware incidents that cost far more to deal with than would have been spent to prevent them.
Microsoft joins others helping the healthcare industry understand the ransomware landscape and how it targets them. The trick is finding the resources and time to implement security enhancements in a 24x7x365 environment with few downtime windows.
"Anyone can now access [surveillance] capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites," reports Brian Krebs. His article details an ongoing privacy crisis created by an industry of data brokers selling invasively trackable ad data. Investigation by Atlas Data Privacy Corp. led to a lawsuit against Babel Street, a company whose technology "allows customers to draw a digital polygon around nearly any location on a map of the world, and view a slightly dated ... time-lapse history of the mobile devices seen coming in and out of the specified area." Atlas Corp's private investigator was given a trial of Babel Street with no verification that he was authorized to use it as a "contractor of the government." The investigator was able to demonstrate Babel Street's capability to effectively identify visitors to "mosques, synagogues, [and] courtrooms," as well as patients and employees of abortion clinics, and to track those individuals' movements and identify their home addresses and workplaces, even merely by association with family members' devices. The basis for the lawsuit is violation of "Daniel's Law, a New Jersey statute allowing law enforcement, government personnel, judges and their families to have their information completely removed from commercial data brokers." Personally identifiable details including name, email address, social media profile, GPS coordinates, and "consumer category" associated with a device's Mobile Advertising ID (MAID) -- referred to in Google devices as "Android Advertising ID" (AAID), and in Apple devices as "Identifier for Advertisers" (IDFA) -- may be sold to brokers by any number of apps, or widely broadcast unsecured when being served a "realtime bid" online advertisement. 
The article notes that "Android users can delete their ad ID permanently," and Apple users can turn off apps' ability to request tracking, and disable Apple's own "personalized ads" feature. Zach Edwards, senior threat analyst at SilentPush comments: "The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem."
VMware has released patches to address two vulnerabilities in vCenter Server that were inadequately addressed by patches released last month. The issues affect VMware vCenter Server and Cloud Foundation products. One of the vulnerabilities is a critical heap overflow issue (CVE-2024-38812); the flaw lies in the implementation of the DCERPC protocol. The second vulnerability is a high-severity privilege elevation issue (CVE-2024-38813).
CVE-2024-38812, an out-of-bounds write/heap overflow with a CVSS score of 9.8, has no workarounds. The fix is to update to the patched version of vCenter. If you're on version 4, 5, or 5.1, update to version 8; there is no other patch. Also make sure that you isolate your management interface.
On October 7, 2024, Samsung disclosed and patched a high severity use-after-free vulnerability (CVE-2024-44068) affecting "Samsung Exynos mobile processors versions 9820, 9825, 980, 990, 850, and W920." Google Threat Analysis Group (TAG) researchers have since asserted that this vulnerability has already been used as a component of an exploit enabling remote code execution "in a privileged cameraserver process." Another exploit, not "in the wild," but in the Pwn2Own Ireland hacking challenge on October 24, 2024, allowed competitor Ken Gannon to successfully "get a shell and install an app" by chaining five flaws "including path traversal" on the Samsung Galaxy S24 smartphone.
CVE-2024-44068 has a CVSS score of 8.1. Samsung released security updates to address the flaw; make sure that you're applying them.
Landmark, a Texas-based third-party insurance administrator, has disclosed a data breach that affects more than 800,000 individuals. The incident was detected in May; the compromised data include names, Social Security numbers, tax ID numbers, drivers' license and state-issued identification card numbers, passport numbers, bank account and routing numbers, medical information, health insurance policy information, dates of birth, and/or life and annuity policy information. A forensic investigation determined that 'data [were] encrypted and exfiltrated from Landmark's system,' according to the Supplemental Notice of Data Breach Involving Landmark Admin, LLC (link available on the Maine AG data breach notification page for Landmark).
This is another third-party service provider compromise, and should be a motivator to make sure that you're assessing third-party security, not just as part of the contract award, but regularly while you're in business. Dig deep on breach notification and response; make sure you understand roles and responsibilities before the chips are down.
Five months after the data breach, notification letters are finally sent. The good news is they are offering 12 months of credit monitoring service and an insurance reimbursement policy. The bad news is it does nothing for the past five months when key attributes that make up one's digital identity could have been used for criminal use.
Four companies have agreed to monetary penalties to settle charges of 'materially misleading disclosures' brought by the US Securities and Exchange Commission. The charges against the four companies - Unisys, Avaya, Check Point, and Mimecast - arose from an investigation that involved public companies possibly affected by the SolarWinds compromise. In total, the four companies will pay civil penalties of nearly $7 million.
While Unisys is also paying fines for control violations, all four essentially are paying fines for applying wordsmithing to required disclosures that are supposed to provide investors with meaningful information about events that would impact stock market value. 'Downplaying' breach impact is just lying to investors, never a good business practice. This is a good topic for a tabletop session with the management team and corporate communications.
The SEC is taking steps to ensure publicly traded companies take cybersecurity seriously, adding penalties to their reporting requirements. While the funds to pay the fines aren't supposed to come from the shareholders, it's not clear they won't. Make sure you're prepared to not only be fully transparent when reporting but also have a robust cybersecurity program which is actively monitored.
Ireland's Data Protection Commission (DPC) has fined LinkedIn Ireland €310 million (US $336 million) for using LinkedIn user data for targeted advertising and behavioral analysis without obtaining user consent. DPC found that LinkedIn violated several provisions of the EU's General Data Protection Regulation (GDPR).
Development Features Enabled in Production
https://isc.sans.edu/diary/Development+Features+Enabled+in+Prodcution/31380
Everybody Loves Bash Scripts Including Attackers
https://isc.sans.edu/diary/Everybody+Loves+Bash+Scripts+Including+Attackers/31376
How much HTTP (not HTTPS) Traffic is Traversing Your Perimeter?
https://isc.sans.edu/diary/How+much+HTTP+not+HTTPS+Traffic+is+Traversing+Your+Perimeter/31372
Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials
Cisco Secure Firewall Management Center Software Command Injection Vulnerability
Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps
FortiManager Exploited Vulnerability
https://www.fortiguard.com/psirt/FG-IR-24-423
OpenSSL Vulnerability
https://openssl-library.org/news/secadv/20241016.txt
SharePoint Exploit
https://github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC
Reduced Certificate Lifetime
https://github.com/cabforum/servercert/pull/553
VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)
Unifi Security Advisory Bulletin 043
Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability.
Atlassian Security Bulletin - October 15 2024
https://confluence.atlassian.com/security/security-bulletin-october-15-2024-1442910972.html
OneDev Arbitrary file reading for unauthenticated user
https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489
Virtual Event: AI Summit Solutions Track on October 29th | Join us for our upcoming free virtual event to learn how industry leading technologies and techniques can enhance your ability to examine and analyze incidents like never before using AI.
Virtual Event: SANS 2024 Detection & Response Survey: Transforming Cybersecurity Operations: AI, Automation, and Integration in Detection and Response | November 20, 10:30 AM ET | Join SANS Certified Instructor Josh Lemon and guest speakers as they provide insights into the prevalence of organizations maintaining separate detection and response teams, shedding light on the reasons behind such decisions and their implications for overall security posture.
Survey: 2025 SANS Threat Hunting Survey: Chasing Shadows - Advancements in Threat Hunting Amid AI and Cloud Challenges In this SANS survey, we are asking organizations about how they approach threat hunting, the barriers to success, and how they measure their efforts.
Survey: 2025 SANS Detection Engineering Survey This survey aims to understand the current landscape of Detection Engineering, capturing the experiences, challenges, and aspirations of professionals in the field.