Please see Security Advisories for the week ending July 16, 2021
- Microsoft Releases July 2021 Security Updates
- Cisco Releases Security Updates
- Google Releases Security Updates for Chrome
- Juniper Networks Releases Security Updates for Multiple Products
- Kaseya Ransomware Attack: Guidance and Resources
- Ransomware Risk in Unpatched, EOL SonicWall SRA and SMA 8.x Products
- VMware Releases Security Update
- Critical ForgeRock Access Management Vulnerability
- Apache Releases Security Advisory for Tomcat
- CISA Issues Emergency Directive on Microsoft Windows Print Spooler
- SolarWinds Releases Advisory for Serv-U Vulnerability
- Citrix Releases Security Updates for Virtual Apps and Desktops
_______________________________
Microsoft Releases July 2021 Security Updates
Situation
Microsoft has released updates to address multiple vulnerabilities in multiple Microsoft software products and platforms.
Problem
The catalogue of products addressed in these newly released vulnerability updates from Microsoft is extensive, ranging from applications such as the Microsoft Office product suite to system services, drivers, APIs, operating system components, and more. The vulnerabilities are wide ranging as well – remote code execution, privilege escalation, authentication bypass, denial of service, memory spoofing, and more. Because they are too numerous to summarize effectively, we recommend that readers of this advisory follow CISA's recommendation to review the Update Summary and Deployment Information summary to determine which updates are applicable to their respective environments.
Implication
A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review Microsoft’s July 2021 Security Update Summary and Deployment Information and apply the necessary updates.
For a more technical overview:
https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul
&
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33782
________________________________
Cisco Releases Security Updates
Situation
Cisco has released security updates to address a vulnerability in Adaptive Security Appliance Software Release 9.16.1 and Firepower Threat Defense Software Release 7.0.0.
Problem
A vulnerability in the software cryptography module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker or an unauthenticated attacker in a man-in-the-middle position to cause an unexpected reload of the device that results in a denial of service (DoS) condition. The vulnerability is due to a logic error in how the software cryptography module handles specific types of decryption errors. An attacker could exploit this vulnerability by sending malicious packets over an established IPsec connection. A successful exploit could cause the device to crash, forcing it to reload. This would not cause a compromise of encrypted data.
Implication
A remote attacker could exploit this vulnerability to cause a denial-of-service condition.
Need
CISA encourages users and administrators to review Cisco Advisory cisco-sa-asa-ftd-ipsec-dos-TFKQbgWC and apply the necessary updates.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/07/16/cisco-releases-security-updates
________________________________
Google Releases Security Updates for Chrome
Situation
Google has discovered and patched several vulnerabilities for its Chrome web browser software.
Problem
Google has identified several security vulnerabilities for its Chrome web browser software that an attacker can exploit to take control of affected systems.
Implication
Failure to patch could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
Google has released Chrome version 91.0.4472.164 for Windows, Mac, and Linux. Upgrade to the latest version to ensure that you are protected.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/07/16/google-releases-security-updates-chrome
For a more technical overview:
https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html
________________________________
Juniper Networks Releases Security Updates for Multiple Products
Situation
Juniper Networks has released security updates to address vulnerabilities affecting multiple products. This issue affects all versions of Junos OS Evolved, and the following platforms: EX9200 Series, MX Series, and SRX4600.
Problem
In Junos OS, an out-of-bounds read vulnerability in the processing of specially crafted LLDP frames by the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved may allow an attacker to cause a denial of service (DoS) or may lead to remote code execution (RCE). On the EX, MX, and SRX platforms, improper handling of exceptional conditions in Ethernet interface frame processing in Juniper Networks Junos OS allows an attacker to send specially crafted frames over the local Ethernet segment, causing the interface to go into a down state and resulting in a denial of service (DoS) condition.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.
To review Juniper's Security Advisories:
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES
________________________________
Kaseya Ransomware Attack: Guidance and Resources
Situation
CISA has created a webpage to provide information and guidance for the recent ransomware attack against Kaseya customers that include managed service providers (MSPs) and customers of those MSPs.
Problem
Since July 2, 2021, CISA, along with the Federal Bureau of Investigation (FBI), has been responding to a global cybersecurity incident in which cyber threat actors executed ransomware attacks—leveraging a vulnerability in the software of Kaseya VSA on-premises products—against managed service providers (MSPs) and their downstream customers. On July 2, 2021, Kaseya shut down its SaaS servers and recommended that Kaseya VSA customers shut down their on-premises VSA servers. According to Kaseya, there is no evidence that any Kaseya SaaS customers were compromised; the servers were taken offline as a precautionary measure. On July 11, 2021, Kaseya began the restoration of its SaaS servers and released a patch for on-premises VSA servers.
Implication
Organizations that use Kaseya products in their network environments and have not applied the relevant updates for those products could be vulnerable to a Kaseya ransomware attack.
Need
CISA encourages affected organizations to review Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers for more information and to apply the relevant updates for Kaseya products in their environments.
For a more technical overview:
https://us-cert.cisa.gov/kaseya-ransomware-attack
________________________________
Ransomware Risk in Unpatched, EOL SonicWall SRA and SMA 8.x Products
Situation
CISA is aware of threat actors actively targeting a known, previously patched, vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware.
Problem
Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of firmware.
Implication
Threat actors can exploit this vulnerability to initiate a targeted ransomware attack.
Need
CISA encourages users and administrators to review the SonicWall security advisory and upgrade to the newest firmware or disconnect EOL appliances as soon as possible.
________________________________
VMware Releases Security Update
Situation
VMware has released a security update to address two vulnerabilities in VMware ESXi and VMware Cloud Foundation.
Problem
SFCB (Small Footprint CIM Broker), as used in ESXi, has an authentication bypass vulnerability with a severity score of 7.0 (important). A malicious actor with network access to port 5989 on ESXi can exploit this vulnerability to bypass SFCB authentication by sending a specially crafted request.
OpenSLP, as used in ESXi, has a denial-of-service vulnerability due to a heap out-of-bounds read issue. A malicious actor with network access to port 427 on ESXi may be able to trigger a heap out-of-bounds read in the OpenSLP service, resulting in a denial-of-service condition.
Implication
If an attacker exploits these vulnerabilities, they could take control of, or disrupt the service of, an affected system.
Need
VMware recommends updating all affected products to protect against these vulnerabilities. Additional information and patch notes can be found in the link below.
For a more technical overview:
https://www.vmware.com/security/advisories/VMSA-2021-0014.html
________________________________
Critical ForgeRock Access Management Vulnerability
Situation
Malicious cyber actors have been seen actively exploiting a pre-authorization remote code execution vulnerability (CVE-2021-35464) found in ForgeRock Access Management (AM) software. ForgeRock Access Management is a commercial access management product based on the open-source OpenAM. This vulnerability affects versions 6.0.0.x and all versions of 6.5, up to and including 6.5.3; it also affects older unsupported versions.
Problem
The pre-authorization remote code execution vulnerability exists due to unsafe Java deserialization found in the Jato framework which is used by ForgeRock Access Management. This vulnerability requires only a single GET/POST request for code execution. ForgeRock versions that are below 7.0 running on Java 8 are susceptible to this vulnerability. This vulnerability has been seen actively being exploited in the wild.
Implication
An attacker who is successfully able to exploit this vulnerability can perform a remote code execution by sending a specially crafted request to an exposed remote endpoint, taking over the affected system.
Need
The Cybersecurity and Infrastructure Security Agency (CISA) recommends Access Management users:
- Review the ForgeRock Security Advisory
- Check for vulnerable instances of the Access Management software (see ForgeRock’s Technical Impact Assessment); and
- Prioritize deploying an update to Access Management version 7 or apply the workaround urgently.
For a more technical overview:
https://backstage.forgerock.com/knowledge/kb/article/a47894244
ForgeRock’s Technical Impact Assessment (PDF):
https://backstage.forgerock.com/cloud-storage-ws/api/v1/cloudstorage/getfile/oEQfKvz8SWSCaq8F2bfwhw
________________________________
Apache Releases Security Advisory for Tomcat
Situation
Apache has released security updates for Tomcat. Affected versions are:
- Apache Tomcat 10.0.0-M1 to 10.0.6
- Apache Tomcat 9.0.0.M1 to 9.0.46
- Apache Tomcat 8.5.0 to 8.5.66
Problem
Incorrect parsing of the HTTP Transfer-Encoding request header can lead to HTTP request smuggling.
Implication
An attacker can exploit this vulnerability to obtain sensitive information.
Need
If you run one of the affected Tomcat versions above, upgrade as follows:
- Upgrade to Apache Tomcat 10.0.7 or later
- Upgrade to Apache Tomcat 9.0.48 or later
- Upgrade to Apache Tomcat 8.5.68 or later
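To check an inventory of Tomcat installations against the three affected ranges and fix versions listed above, here is an added helper (not from the Apache advisory). The version ranges are copied from the text; the parser and its handling of milestone builds such as 10.0.0-M1 and 9.0.0.M1, which sort before the corresponding final release, are ours.

```python
"""Check a Tomcat version string against the affected ranges in the advisory above.

Added example, not part of the Apache advisory: the ranges and fix versions are
taken from the advisory text; the parsing and comparison logic is our own.
"""
import re

# (first affected, last affected, first fixed) per branch, as stated in the advisory
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.6", "10.0.7"),
    ("9.0.0.M1", "9.0.46", "9.0.48"),
    ("8.5.0", "8.5.66", "8.5.68"),
]

# major.minor.patch with an optional milestone suffix written as "-M<n>" or ".M<n>"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, is_final, milestone).

    A milestone build (M<n>) sorts before the final release with the same
    major.minor.patch, so 10.0.0-M1 < 10.0.0-M2 < 10.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def check_tomcat_version(text):
    """Return (affected, fix_version); fix_version is None when not affected.

    Versions outside the three listed branches (for example 8.0.x) are not
    covered by this advisory's text, so they are reported as not affected by
    this advisory; that says nothing about their overall support status.
    """
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= version <= parse_version(high):
            return True, fixed
    return False, None
```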
________________________________
CISA Issues Emergency Directive on Microsoft Windows Print Spooler
Situation
CISA has issued Emergency Directive 21-04: Mitigate Windows Print Spooler Service Vulnerability, detailed in CVE-2021-34527. Attackers can exploit this vulnerability to execute code and quickly compromise the identity infrastructure of an organization.
Problem
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Implication
If a system is not up to date, an attacker can remotely execute code and compromise an entire organization's infrastructure. This could result in loss of control of affected systems.
Need
Microsoft has published fixes in its July 2021 update. CISA strongly recommends that government and private sector organizations ensure that the Microsoft July 2021 updates have been successfully distributed and installed.
For a more technical overview:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
________________________________
SolarWinds Releases Advisory for Serv-U Vulnerability
Situation
SolarWinds has released an advisory addressing a vulnerability—CVE-2021-35211—affecting Serv-U Managed File Transfer and Serv-U Secure FTP. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products.
Problem
SolarWinds was recently notified by Microsoft of a security vulnerability related to Serv-U Managed File Transfer Server and Serv-U Secure FTP and has developed a hotfix to resolve this vulnerability. The vulnerability exists in the latest Serv-U version 15.2.3 HF1, released May 5, 2021, and all prior versions. A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system.
Implication
Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.
Need
CISA encourages users and administrators to review the SolarWinds advisory and install the necessary updates.
For a more technical overview:
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
________________________________
Citrix Releases Security Updates for Virtual Apps and Desktops
Situation
Citrix has released security updates to address a vulnerability in multiple versions of Virtual Apps and Desktops.
Problem
A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or the Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM. The vulnerability affects the following supported versions of Citrix Virtual Apps and Desktops and XenApp / XenDesktop: Citrix Virtual Apps and Desktops 2106 and earlier versions, Citrix Virtual Apps and Desktops 1912 LTSR CU3 and earlier versions of 1912 LTSR, and XenApp / XenDesktop 7.15 LTSR CU7 and earlier versions of 7.15 LTSR.
Note: Citrix Virtual Apps and Desktops 2106 is only affected when Citrix Profile Management is installed on a Windows VDA, because the Citrix Profile Management WMI Plugin is not affected in this version.
Implication
An attacker could exploit this vulnerability to take control of an affected system.
Need
CISA encourages users and administrators to review Citrix Security Update CTX319750 and apply the necessary updates.