Security Flaws & Fixes - W/E - 2/14/20

Adobe Squashes Flash Bug in Monthly Security Update (02/11/2020)
Adobe issued a number of advisories to mitigate security issues in its products. The vendor posted an update for Flash Player to fix a critical flaw and patched 17 vulnerabilities in Acrobat/Reader. FrameMaker, Experience Manager, and Digital Editions were among the products that received updates.

Cybersecurity Weaknesses in OCWR's System Need Addressing (02/12/2020)
The Government Accountability Office (GAO) delivered recommendations to the Office of Congressional Workplace Rights due to problematic cybersecurity management practices related to its Secure Online Claims Reporting and Tracking E-filing System (SOCRATES). According to a report, important security controls needed to ensure the confidentiality, integrity, and availability of SOCRATES were not fully tested before the system was deployed and penetration testing had not been fully completed before deployment. The GAO's suggestions are intended to help address these weaknesses.

DHS Needs to Address Cybersecurity Shortcomings Ahead of 2020 Elections (02/10/2020)
A report from the Government Accountability Office (GAO) has found that the Cybersecurity and Infrastructure Security Agency (CISA) has not yet completed its strategic and operations plans to help state and local officials safeguard the 2020 elections or documented how it will address prior challenges. The report discusses the Department of Homeland Security's (DHS) election security efforts and selected election officials' perspectives on them, and makes three recommendations, including that the CISA Director urgently finalize the strategic plan and the supporting operations plan for securing election infrastructure.

Digi Recommends Update to Secure ConnectPort LTS 32 MEI (02/12/2020)
Digi's ConnectPort LTS 32 MEI is affected by multiple vulnerabilities, including a cross-site scripting issue. Successful exploitation of these vulnerabilities could limit system availability. Digi recommends users upgrade to the mandatory release of ConnectPort LTS Version 1.4.5. The ICS-CERT has issued its own advisory with further information.

DoS, Account Takeover Possible Thanks to Vulnerabilities in SoundCloud Music Platform (02/13/2020)
Checkmarx identified multiple vulnerabilities in the online music platform SoundCloud which could lead to account takeover, denial-of-service, and service exploitation. The issues were all found in SoundCloud's API endpoints and have been disclosed privately. SoundCloud confirmed the vulnerabilities and issued patches in December and January.

Firefox 73 Is Released by Mozilla (02/11/2020)
Mozilla released multiple updates, including Firefox 73 and new versions of Firefox ESR and Thunderbird. Among the issues fixed in Firefox 73 is a missing bounds check on shared memory that could have led to memory corruption and an exploitable crash.

IBM ServeRAID Manager Exposes Unauthenticated Java Remote Method Invocation (02/12/2020)
The CERT Coordination Center issued an advisory for IBM ServeRAID Manager, which exposes a Java RMI that allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. ServeRAID Manager uses a Java remote method invocation (RMI) interface on a TCP port that listens on all interfaces by default. An unauthenticated attacker with network access can exploit the vulnerable RMI interface to launch a remote class loader attack. ServeRAID Manager is no longer supported and it is unlikely that IBM will release fixes.

Intel's Products Receive Security Updates (02/11/2020)
Intel released multiple advisories to address flaws in RWC3, MPSS, RWC2, SGX SDK, CSME, and Renesas Electronics' USB 3.0 Driver. Users should immediately implement the patches to mitigate security risks, which include information disclosure, denial-of-service, and privilege escalation conditions.

Microsoft Mitigates Close to 100 Vulnerabilities Across Its Product Lines (02/11/2020)
Nearly 100 vulnerabilities have been resolved in Microsoft's products thanks to its Patch Tuesday batch of security fixes. A zero-day bug in Internet Explorer has been plugged and at least a dozen of the vulnerabilities addressed in its bulletins have been deemed "critical" by Microsoft.

SAP Corrects Security Vulnerabilities Across Its Product Suites (02/12/2020)
SAP released 13 security notes for its February Patch Day and included updates for two previously issued advisories. One of the earlier security notes is considered a "hot news" item and includes an update for the supported Chromium version in SAP Business Client.

Siemens Advises on Security Issues within Multiple Products (02/11/2020)
In an effort to mitigate vulnerabilities in its products, Siemens released nearly 80 advisories. Among the products affected by security bugs are the SIMATIC portfolio, the vendor's industrial products, the SINAMICS and SIMOTION families, and more.

Updates Mitigate Issues in HUSKY RTU from Synergy (02/11/2020)
Improper authentication and improper input validation bugs have been discovered in Synergy Systems & Solutions' HUSKY RTU, a remote terminal unit. Versions 5.0 and prior are affected. According to an ICS-CERT advisory, users should immediately upgrade their firmware.

WSJ: US Claims Huawei has "Covert" Backdoors in Telecom Equipment (02/12/2020)
US officials speaking to The Wall Street Journal claim to have evidence that controversial Chinese telecommunications equipment maker Huawei can "covertly" access carriers' networks via backdoors it builds into its equipment. The company has been under ceaseless scrutiny in recent years, after the federal government began discouraging and banning the use of its products by US telecom providers over concerns that it illegally accessed user and network data, which it would then share with Chinese intelligence officials. While many equipment makers include some form of backdoor access for law enforcement officials, the Journal's sources claim that Huawei didn't share the existence of its backdoor with any level of US law enforcement. Huawei has, of course, rejected these claims, as it has with nearly all claims of wrongdoing levied against it by the US government. It should be noted that the Journal's sources provided no evidence of Huawei ever having actually used this supposed covert capability, and that Huawei claims any attempt to do so on its part could be easily detected by US carriers. However, this remains the first specific reference to wrongdoing that any US official has shared relating to Huawei's ongoing status as a blackballed provider of telecom hardware.