Please see Security Advisories for the week ending October 15, 2021
- Apache Releases Security Advisory for Tomcat
- Juniper Networks Releases Security Updates for Multiple Products
- Adobe Releases Security Updates for Multiple Products
- Microsoft Releases October 2021 Security Updates
- Apple Releases Security Update to Address CVE-2021-30883
- NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques
- CISA Has Released Two Industrial Control Systems Advisories
- CISA, FBI, and NSA Issue Advisory on Blackmatter Ransomware
________________________________
Apache Releases Security Advisory for Tomcat
Situation
The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat.
Problem
The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
Implication
An attacker could exploit this vulnerability to cause a denial of service condition.
Need
CISA encourages users and administrators to review Apache’s security advisory for CVE-2021-42340 and apply the necessary updates.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/10/15/apache-releases-security-advisory-tomcat
________________________________
Juniper Networks Releases Security Updates for Multiple Products
Situation
Juniper Networks has released security updates to address vulnerabilities affecting multiple products.
Problem
Many products are affected, so it is recommended to view the Juniper Security Advisories page and review the vulnerabilities specific to the products used in one’s environment.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.
For a brief overview:
For a more technical overview:
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES
________________________________
Adobe Releases Security Updates for Multiple Products
Situation
Adobe has released security updates for multiple products including Acrobat and Reader, Connect, Reader Mobile, ops-cli, Commerce, and Campaign Standard.
Problem
Vulnerabilities found include arbitrary code execution, privilege escalation, deserialization of untrusted data, XSS, XSRF, and more.
Implication
If an attacker is able to successfully exploit some of these vulnerabilities, it could allow them to take control of an affected device.
Need
Adobe recommends applying the latest updates to the affected products as soon as possible.
Acrobat: https://helpx.adobe.com/security/products/acrobat/apsb21-104.html
Connect: https://helpx.adobe.com/security/products/connect/apsb21-91.html
Reader Mobile: https://helpx.adobe.com/security/products/reader-mobile/apsb21-89.html
Ops-CLI: https://helpx.adobe.com/security/products/ops_cli/apsb21-88.html
Commerce: https://helpx.adobe.com/security/products/magento/apsb21-86.html
Campaign Standard: https://helpx.adobe.com/security/products/campaign/apsb21-52.html
________________________________
Microsoft Releases October 2021 Security Updates
Situation
Microsoft has released updates for October 2021. These updates address a wide variety of Microsoft products including Windows, Office, Exchange, Visual Studio, and much more.
Problem
Microsoft has released patches for 74 vulnerabilities; of these, three are listed as Critical, 70 as Important, and one as Low severity. Microsoft has addressed a wide range of vulnerabilities including elevation of privilege, remote code execution, information disclosure, and more. The most severe of these is a Win32k elevation of privilege vulnerability (CVE-2021-40449), which is currently being exploited in the wild.
Implication
If an attacker is able to successfully exploit some of these vulnerabilities, it could allow them to take control of an affected device.
Need
Microsoft recommends updating all affected Microsoft software as soon as possible to protect against these vulnerabilities. Additional information and patch notes can be found in the link below.
Microsoft October 2021 release notes:
https://msrc.microsoft.com/update-guide/releaseNote/2021-Oct
________________________________
Apple Releases Security Update to Address CVE-2021-30883
Situation
Apple has released a security update for CVE-2021-30883. This affects iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Problem
A memory corruption vulnerability was found. This would allow an attacker to execute arbitrary code with kernel privileges.
Implication
If an attacker is able to successfully exploit this vulnerability, they could take over the affected system.
Need
Apply the latest update for the affected iOS devices.
For more information: https://support.apple.com/en-us/HT212846
________________________________
NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques
Situation
The National Security Agency (NSA) has released a Cybersecurity Information Sheet warning network administrators about the risks of using poorly scoped wildcard Transport Layer Security (TLS) certificates.
Problem
This guidance also outlines the risks of poorly implemented wildcard Transport Layer Security (TLS) certificates that could allow for the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA).
Implication
If an attacker is able to successfully exploit these weaknesses, it could allow them to gain access to sensitive information.
Need
CISA recommends that administrators and users review the NSA’s CSI sheet on “Avoiding Dangers of Wildcard TLS Certificates and the ALPACA Technique” for additional information.
The CSI sheet also lists the following mitigating techniques for wildcard certificate risks:
- Understanding the scope of each wildcard certificate used in your organization
- Using an application gateway or web application firewall in front of servers, including non-HTTP servers
- Using encrypted DNS and validating DNS security extensions to prevent DNS redirection
- Enabling Application-Layer Protocol Negotiation (ALPN), a TLS extension that allows the server/application to specify permitted protocols, where possible
- Maintaining web browsers at the latest version with current updates
NSA’s CSI full information sheet:
ALPACA attacks technical overview:
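As an added example (not code from the NSA sheet or the CISA page), a Python audit along the lines of the first mitigation above, understanding the scope of each wildcard certificate: given a certificate's SAN list and a constructed inventory of what each hostname serves, it applies RFC 6125 wildcard matching and flags any wildcard whose scope spans an HTTPS host and a non-HTTP TLS service (the precondition ALPACA relies on), together with covered hosts that do not restrict protocols via ALPN. All hostnames, protocols and SAN values are constructed.

```python
"""Wildcard TLS certificate scope audit (constructed example, not NSA/CISA code).
A wildcard cert valid for an HTTPS host and a non-HTTP TLS service (IMAP, FTP,
SMTP...) is the ALPACA precondition: a browser connection can be redirected to
the other service and still see a certificate it accepts."""

def cert_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' must be the whole leftmost label and matches
    exactly one label ('*.example.com' covers 'mail.example.com' but not
    'example.com' or 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or "*" in p_labels[1:]:  # reject '*.com' and inner '*'
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def audit_wildcard_scope(cert_sans, inventory):
    """inventory: {hostname: {"protocol": str, "alpn": bool}}.
    One finding per wildcard SAN: covered hosts, their distinct protocols,
    whether the scope crosses HTTPS/non-HTTP, and covered hosts that do not
    restrict protocols via ALPN (the mitigation the CSI recommends)."""
    findings = []
    for san in cert_sans:
        if not san.startswith("*."):
            continue
        covered = sorted(h for h in inventory if cert_name_matches(san, h))
        protocols = sorted({inventory[h]["protocol"] for h in covered})
        findings.append({
            "san": san,
            "hosts": covered,
            "protocols": protocols,
            "cross_protocol": "https" in protocols and len(protocols) > 1,
            "no_alpn": [h for h in covered if not inventory[h]["alpn"]],
        })
    return findings

# Constructed inventory: what each name serves and whether it enforces ALPN.
INVENTORY = {
    "www.example.com": {"protocol": "https", "alpn": True},
    "mail.example.com": {"protocol": "imaps", "alpn": False},
    "ftp.example.com": {"protocol": "ftps", "alpn": False},
    "app.corp.example.net": {"protocol": "https", "alpn": True},
}

if __name__ == "__main__":
    for f in audit_wildcard_scope(["*.example.com", "*.corp.example.net"], INVENTORY):
        print(f["san"], "ALPACA risk" if f["cross_protocol"] else "ok", f["no_alpn"])
```

A wildcard flagged as cross-protocol is the case the CSI warns about; the fix is either a narrower certificate per service or ALPN enforcement on every host the wildcard covers.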
________________________________
CISA Has Released Two Industrial Control Systems Advisories
Situation
CISA has released two industrial control systems advisories for vulnerabilities found in AUVESY Versiondog and Trane HVAC Systems Controls.
Problem
A number of vulnerabilities have been found and patched in AUVESY Versiondog. Vulnerabilities found include remote code execution, privilege escalation, improper access control, hard-coded cryptographic key, use after free, and more. These vulnerabilities affect all versions prior to v8.0.
A cross-site scripting (XSS) vulnerability has been found and patched on Trane Building Automation Controllers (Tracer SC). This vulnerability affects firmware versions 3.8 and prior.
Implication
If an attacker is able to successfully exploit some of these vulnerabilities, it could allow them to take control of an affected system.
Need
The CISA recommends users and administrators apply the most recent update to all affected devices, as well as apply the recommended mitigations to minimize the risk of exploitation of these vulnerabilities. Additional information can be found in the links below.
AUVESY Versiondog Advisory:
https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01
Trane HVAC Systems Controls Advisory:
https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02
________________________________
CISA, FBI, and NSA Issue Advisory on Blackmatter Ransomware
Situation
CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) to provide information on BlackMatter ransomware. BlackMatter has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.
Problem
First seen in July 2021, BlackMatter is ransomware-as-a-service (RaaS), which allows the ransomware’s developers to profit from cybercriminal affiliates. The BlackMatter variant uses embedded, previously compromised admin and/or user credentials, and calls NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services. BlackMatter then uses the embedded credentials with the LDAP and SMB protocols to discover all hosts in the AD. This variant of BlackMatter also uses the embedded credentials and the SMB protocol to remotely encrypt, from the original compromised host. BlackMatter actors have also been seen using a separate encryption binary for Linux-based machines, which they use to encrypt ESXi virtual machines, as well as wiping or reformatting backup data.
Implication
If the BlackMatter ransomware is successfully run on a device, it can allow the attacker to exfiltrate data, remotely encrypt shares via the SMB protocol, and wipe backup systems.
Need
CISA, FBI, and NSA encourage organizations to implement the recommended mitigations found in the joint CSA and visit StopRansomware.gov for more information on protecting against and responding to ransomware attacks.
Joint Cybersecurity Advisory: