SANS NewsBites

CISA Adds Multiple Flaws to Their Known Exploited Vulnerabilities Database: Three-Month-Old SharePoint Vulnerability, RCE Flaw in FortiManager, and DoS Vulnerability in Cisco ASA and FTD Software

October 25, 2024  |  Volume XXVI - Issue #82

Top of the News


2024-10-24

CISA Adds Five Flaws to KEV Catalog, Including Three-Month-Old Microsoft SharePoint Deserialization Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to their Known Exploited Vulnerabilities (KEV) database, including a Microsoft SharePoint deserialization flaw (CVE-2024-38094) that was initially disclosed in July. The other flaws added to KEV include an unspecified vulnerability in ScienceLogic SL1; a missing authentication vulnerability in Fortinet FortiManager (see story below); a cross-site scripting (XSS) vulnerability in RoundCube Webmail; and a denial-of-service vulnerability in Cisco ASA and FTD (see story below).

Editor's Note

The fix for SharePoint has been out for three months; it should already be in place. The KEV due date is November 12. Ask why you're still running SharePoint on premises, and, if viable, insist on a plan to move to the hosted version.

Lee Neely

With these additions, CISA is up to 150 KEV entries for 2024. In comparison, VulnCheck had over 390 in the first 6 months. Why the disparity in numbers? Bottom line: defenders are best served by updating their software as patches become available; don't wait for it to be catalogued in a known exploited vulnerability database.

Curtis Dukes
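The KEV tally and due dates discussed above are the kind of thing defenders track from CISA's JSON feed. The helper below is an added example, not SANS's or CISA's code: it reads a feed in the shape of the KEV JSON (cveID, vendorProject, product, dateAdded, dueDate), counts entries per year, and lists what is due soon or overdue. The feed contents are a constructed sample; the Cisco CVE id and the 2023 row are placeholders.

```python
import json
from datetime import date, timedelta

# Date of this NewsBites issue, used as "today" for the due-date checks.
ISSUE_DATE = date(2024, 10, 25)

# Constructed sample mirroring the field names of CISA's KEV JSON feed.
# Dates come from the stories above; "CVE-2024-XXXXX" (the Cisco ASA/FTD
# DoS, id not given in the issue) and the 2023 row are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-38094", "vendorProject": "Microsoft",
     "product": "SharePoint", "dateAdded": "2024-10-22", "dueDate": "2024-11-12"},
    {"cveID": "CVE-2024-47575", "vendorProject": "Fortinet",
     "product": "FortiManager", "dateAdded": "2024-10-23", "dueDate": "2024-11-13"},
    {"cveID": "CVE-2024-XXXXX", "vendorProject": "Cisco",
     "product": "ASA/FTD", "dateAdded": "2024-10-24", "dueDate": "2024-11-14"},
    {"cveID": "CVE-2023-PLACEHOLDER", "vendorProject": "Example",
     "product": "Example", "dateAdded": "2023-06-01", "dueDate": "2023-06-22"},
]})


def load_kev(text: str) -> list[dict]:
    """Parse the feed and convert the ISO date strings to date objects."""
    entries = []
    for v in json.loads(text)["vulnerabilities"]:
        e = dict(v)
        e["dateAdded"] = date.fromisoformat(v["dateAdded"])
        e["dueDate"] = date.fromisoformat(v["dueDate"])
        entries.append(e)
    return entries


def count_by_year(entries: list[dict]) -> dict[int, int]:
    """Number of catalog additions per calendar year (the KEV tally)."""
    counts: dict[int, int] = {}
    for e in entries:
        y = e["dateAdded"].year
        counts[y] = counts.get(y, 0) + 1
    return counts


def due_within(entries: list[dict], today: date, days: int) -> list[tuple[str, date]]:
    """(cveID, dueDate) pairs not yet overdue but due within `days` days, earliest first."""
    horizon = today + timedelta(days=days)
    hits = [(e["cveID"], e["dueDate"]) for e in entries
            if today <= e["dueDate"] <= horizon]
    return sorted(hits, key=lambda t: t[1])


def overdue(entries: list[dict], today: date) -> list[str]:
    """cveIDs whose remediation due date has already passed."""
    return [e["cveID"] for e in entries if e["dueDate"] < today]


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    print(count_by_year(kev), due_within(kev, ISSUE_DATE, 21), overdue(kev, ISSUE_DATE))
```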

2024-10-24

RCE Flaw in FortiManager Actively Exploited Since June 2024

Fortinet privately informed customers about a remote code execution flaw in FortiManager, and is receiving criticism for waiting days to publish a public advisory. CVE-2024-47575 is rated critical (CVSS 9.8), and allows remote code execution due to "missing authentication for critical function ... in FortiManager fgfmd daemon." While some specifics remain unclear, independent researcher Kevin Beaumont posits the issue is "a default FortiManager setting that allows devices with unknown or unauthorized serial numbers to register themselves into an organization's FortiManager dashboard." The US Cybersecurity and Infrastructure Security Agency (CISA) says this vulnerability is actively being exploited in the wild, and has added it to the Known Exploited Vulnerability database. Analysts at Mandiant consider this a "mass exploit situation," which they believe to be ongoing since June 27, 2024, tracked as threat cluster UNC5820. Fortinet urges users of FortiManager 7.6 and below to update, detailing version-specific workarounds.

Editor's Note

Fortinet recently released an analysis of exploitation of zero-day flaws in Ivanti's products but seems to be much more closemouthed on actively exploited vulnerabilities in their own products. This is not good for Fortinet's customers or anyone else. Fortinet management should issue a statement on how they plan to change whatever corporate policies are driving this behavior.

John Pescatore

Fortinet has historically remained opaque about vulnerabilities and their details. Target updating to the latest version of 7.6 rather than remaining on a patched but older version. CVE-2024-47575 has a CVSS score of 9.8, and doesn't look that hard to exploit. The KEV due date is November 13; I suggest you deploy before Halloween.

Lee Neely

An interesting debate: should the vendor privately inform its users of a critical vulnerability first before going public, or simply default to public announcement? Both have advantages and disadvantages. Regardless, Fortinet product users should update their software now.

Curtis Dukes

2024-10-24

Cisco Patches Actively Exploited Flaw in ASA and FTD Software

Cisco has released updates to address an actively exploited denial-of-service vulnerability affecting the Remote Access VPN service in their Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The issue is due to resource exhaustion. While the vulnerability is rated medium severity, it is being actively exploited and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Cisco's advisory includes a list of affected products as well as a list of indicators of compromise.

Editor's Note

This is being categorized as an emergency patch release. That should be an indication to you about the seriousness of the flaw and associated exploit activity. KEV due date is November 14.

Lee Neely

2024-10-25

ISACs: The Virtual Neighborhood Watch for Cybersecurity Threats

In the Microsoft Threat Intelligence Briefing video in the first story of Rest of the News, Health-ISAC CSO Errol Weiss says ISACs are like 'virtual neighborhood watch programs.' ISACs provide a hub for sharing sector-specific threat information. In the words of the National Council of ISACs, the 'ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.'

We encourage you to find out more about ISACs here:

National Council of ISACs: https://www.nationalisacs.org/about-isacs

The Rest of the Week's News


2024-10-24

Microsoft Report on Ransomware and Healthcare

Microsoft's report, "US Healthcare at risk: Strengthening resiliency against ransomware attacks," is packed with facts and data about how cybersecurity incidents in the healthcare sector affect patient care, including the ripple effect at healthcare facilities closest to those affected by breaches. In a video Threat Intelligence Briefing, Sherrod DeGrippo, Director of Threat Intelligence Strategy for Microsoft Threat Intelligence first leads a roundtable discussion with Microsoft senior security researchers and the Health-ISAC's CSO. She then visits the University of California San Diego's (UCSD's) Center for Healthcare Cybersecurity where she speaks with doctors about how ransomware attacks affect patients and healthcare providers and how they envision helping healthcare providers improve outcomes in these dangerous and frustrating situations.

Editor's Note

If you work in healthcare, you can find plenty of numbers in this report to help you fight for budget, but really nothing new or all that impactful in this report. Summary: like all other sectors, healthcare has been slow to move away from reusable passwords, which has resulted in many expensive, damaging ransomware incidents that cost way more to deal with than would have been spent to prevent them.

John Pescatore

Microsoft joins others helping the healthcare industry understand the ransomware landscape and how it targets them. The trick is finding the resources and time to implement security enhancements in a 24x7x365 environment with few downtime windows.

Lee Neely

2024-10-23

Mobile Ad Data Industry Endangers Privacy, Violates Laws

"Anyone can now access [surveillance] capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites," reports Brian Krebs. His article details an ongoing privacy crisis created by an industry of data brokers selling invasively trackable ad data. Investigation by Atlas Data Privacy Corp. led to a lawsuit against Babel Street, a company whose technology "allows customers to draw a digital polygon around nearly any location on a map of the world, and view a slightly dated ... time-lapse history of the mobile devices seen coming in and out of the specified area." Atlas Corp's private investigator was given a trial of Babel Street with no verification that he was authorized to use it as a "contractor of the government." The investigator was able to demonstrate Babel Street's capability to effectively identify visitors to "mosques, synagogues, [and] courtrooms," as well as patients and employees of abortion clinics, and to track those individuals' movements and identify their home addresses and workplaces, even merely by association with family members' devices. The basis for the lawsuit is violation of "Daniel's Law, a New Jersey statute allowing law enforcement, government personnel, judges and their families to have their information completely removed from commercial data brokers." Personally identifiable details including name, email address, social media profile, GPS coordinates, and "consumer category" associated with a device's Mobile Advertising ID (MAID) -- referred to in Google devices as "Android Advertising ID" (AAID), and in Apple devices as "Identifier for Advertisers" (IDFA) -- may be sold to brokers by any number of apps, or widely broadcast unsecured when being served a "realtime bid" online advertisement. 
The article notes that "Android users can delete their ad ID permanently," and Apple users can turn off apps' ability to request tracking, and disable Apple's own "personalized ads" feature. Zach Edwards, senior threat analyst at SilentPush comments: "The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem."

Editor's Note

The Krebs article is worth a read to understand the issues of how your advertising and tracking data are used, as well as the fight between data brokers and privacy advocates like Atlas. While that sorts itself out, disable tracking services on your devices, delete the advertising ID if on Android, disable personalized ads on iOS, and in general deny applications location access except when they truly need it. While many of these settings are default secure, you need to check and make sure they still are set that way, including checking the location service settings for your applications.

Lee Neely

2024-10-22

VMware Releases New Patches for Critical Flaws in vCenter Server

VMware has released patches to address two vulnerabilities in vCenter Server that were inadequately addressed by patches released last month. The issues affect VMware vCenter Server and Cloud Foundation products. One of the vulnerabilities is a critical heap overflow issue (CVE-2024-38812). The flaw lies in the implementation of the DCERPC protocol. The second vulnerability is a high-severity privilege elevation issue (CVE-2024-38813).

Editor's Note

CVE-2024-38812, out-of-bounds write/heap overflow, CVSS score 9.8, has no workarounds. The fix is to update to the patched version of vCenter. If you're on version 4, 5, or 5.1, update to version 8; there is no other patch. Also make sure that you isolate your management interface.

Lee Neely

2024-10-24

Samsung Exploits, One Wild, One Domesticated

On October 7, 2024, Samsung disclosed and patched a high severity use-after-free vulnerability (CVE-2024-44068) affecting "Samsung Exynos mobile processors versions 9820, 9825, 980, 990, 850, and W920." Google Threat Analysis Group (TAG) researchers have since asserted that this vulnerability has already been used as a component of an exploit enabling remote code execution "in a privileged cameraserver process." Another exploit, not "in the wild," but in the Pwn2Own Ireland hacking challenge on October 24, 2024, allowed competitor Ken Gannon to successfully "get a shell and install an app" by chaining five flaws "including path traversal" on the Samsung Galaxy S24 smartphone.

Editor's Note

CVE-2024-44068 has a CVSS score of 8.1. Samsung released security updates to address the flaw; make sure that you're applying them.

Lee Neely

2024-10-24

US Insurance Third-Party Administrator Reports Data Breach

Landmark, a Texas-based third-party insurance administrator, has disclosed a data breach that affects more than 800,000 individuals. The incident was detected in May; the compromised data include names, Social Security numbers, tax ID numbers, drivers' license and state-issued identification card numbers, passport numbers, bank account and routing numbers, medical information, health insurance policy information, dates of birth, and/or life and annuity policy information. A forensic investigation determined that 'data [were] encrypted and exfiltrated from Landmark's system,' according to the Supplemental Notice of Data Breach Involving Landmark Admin, LLC (link available on the Maine AG data breach notification page for Landmark).

Editor's Note

This is another third-party service provider compromise, and should be a motivator to make sure that you're assessing third-party security, not just as part of the contract award, but regularly while you're in business. Dig deep on breach notification and response; make sure you understand roles and responsibilities before the chips are down.

Lee Neely

Five months after the data breach, notification letters are finally sent. The good news is they are offering 12 months of credit monitoring service and an insurance reimbursement policy. The bad news is it does nothing for the past five months when key attributes that make up one's digital identity could have been used for criminal use.

Curtis Dukes

2024-10-22

Companies Agree to Pay Civil Penalties to Settle SEC Charges Related to 'Materially Misleading Disclosures'

Four companies have agreed to monetary penalties to settle charges of 'materially misleading disclosures' brought by the US Securities and Exchange Commission. The charges against the four companies - Unisys, Avaya, Check Point, and Mimecast - arose from an investigation that involved public companies possibly affected by the SolarWinds compromise. In total, the four companies will pay civil penalties of nearly $7 million.

Editor's Note

While Unisys is also paying fines for control violations, all four essentially are paying fines for applying wordsmanship to required disclosures that are supposed to provide investors with meaningful information about events that would impact stock market value. 'Downplaying' breach impact is just lying to investors, never a good business practice. This is a good topic for a tabletop session with the management team and corporate communications.

John Pescatore

The SEC is taking steps to ensure publicly traded companies take cybersecurity seriously, adding penalties to their reporting requirements. While the funds to pay the fines aren't supposed to come from the shareholders, it's not clear they won't. Make sure you're prepared to not only be fully transparent when reporting but also have a robust cybersecurity program which is actively monitored.

Lee Neely

An interesting twist, where SEC is enforcing its interpretation of a cybersecurity material disclosure requirement. What's difficult for companies to determine in whether to provide a disclosure is the definition of material. In other words, did the incident have a significant impact on the company's financial condition, operations, or market valuation? Yes, the SolarWinds incident had a widespread impact on the cybersecurity community, but what was the material effect on these four companies individually? The companies said that it had little impact - is that misleading the investor?

Curtis Dukes

2024-10-24

Irish Data Protection Commission Fines LinkedIn Ireland for User Data Misuse

Ireland's Data Protection Commission (DPC) has fined LinkedIn Ireland €310 million (US $336 million) for using LinkedIn user data for targeted advertising and behavioral analysis without obtaining user consent. DPC found that LinkedIn violated several provisions of the EU's General Data Protection Regulation (GDPR).

Editor's Note

LinkedIn believes they were fully following GDPR requirements, and is preparing a response to DPC accordingly. DPC is actively pursuing tech companies to ensure user privacy is protected. As other privacy acts are passed, one hopes a similar active stance will be taken to ensure they are followed. Make sure you're having conversations with your legal and privacy officers about your adherence to relevant regulations. Don't wait to adjust if you're not.

Lee Neely

Internet Storm Center Tech Corner

Development Features Enabled in Production

https://isc.sans.edu/diary/Development+Features+Enabled+in+Prodcution/31380

Everybody Loves Bash Scripts Including Attackers

https://isc.sans.edu/diary/Everybody+Loves+Bash+Scripts+Including+Attackers/31376

How much HTTP (not HTTPS) Traffic is Traversing Your Perimeter?

https://isc.sans.edu/diary/How+much+HTTP+not+HTTPS+Traffic+is+Traversing+Your+Perimeter/31372

Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/

Cisco Secure Firewall Management Center Software Command Injection Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-v3AWDqN7

Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps

https://www.security.com/threat-intelligence/exposing-danger-within-hardcoded-cloud-credentials-popular-mobile-apps

FortiManager Exploited Vulnerability

https://www.fortiguard.com/psirt/FG-IR-24-423

OpenSSL Vulnerability

https://openssl-library.org/news/secadv/20241016.txt

SharePoint Exploit

https://www.cisa.gov/news-events/alerts/2024/10/22/cisa-adds-one-known-exploited-vulnerability-catalog

https://github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC

Reduced Certificate Lifetime

https://github.com/cabforum/servercert/pull/553

VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968

Unifi Security Advisory Bulletin 043

https://community.ui.com/releases/Security-Advisory-Bulletin-043-043/28e45c75-314e-4f07-a4f3-d17f67bd53f7

Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability.

https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/fake-attachment-roundcube-mail-server-attacks-exploit-cve-2024-37383-vulnerability

Atlassian Security Bulletin - October 15 2024

https://confluence.atlassian.com/security/security-bulletin-october-15-2024-1442910972.html

OneDev Arbitrary file reading for unauthenticated user

https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489