Please see Security Advisories for the week ending September 17, 2021
- Microsoft Releases Security Update for Azure Linux Open Management Infrastructure
- Drupal Releases Multiple Security Updates
- FBI-CISA-CGCYBER Advisory on APT Exploitation of ManageEngine ADSelfService Plus Vulnerability
- Citrix Releases Security Update for ShareFile Storage Zones Controller
- Adobe Releases Security Updates for Multiple Products
- Microsoft Releases September 2021 Security Updates
- Google Releases Security Updates for Chrome Browser
- SAP Releases September 2021 Security Updates
_______________________________
Microsoft Releases Security Update for Azure Linux Open Management Infrastructure
Situation
Microsoft has released an update to address a remote code execution vulnerability in Azure Linux Open Management Infrastructure (OMI).
Problem
Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.
Implication
An attacker could use this vulnerability to take control of an affected system.
Need
CISA encourages users and administrators to review the Microsoft Security Advisory to apply the necessary update.
For a brief overview:
For a more technical overview:
________________________________
Drupal Releases Multiple Security Updates
Situation
Drupal has released security updates to address multiple vulnerabilities affecting Drupal 8.9, 9.1, and 9.2.
Problem
The vulnerabilities addressed in the update include:
- cross-site request forgery, because QuickEdit fails to properly validate access to routes;
- cross-site scripting in the core Media module, because internal and external media can be embedded in content fields;
- a possible file validation bypass, because the Drupal JSON:API and REST/File modules allow file uploads through their HTTP APIs;
- potential unintended disclosure of field data, because the QuickEdit module does not properly check access to fields in some circumstances; and
- unintended access bypass, because under some circumstances the Drupal core JSON:API module does not properly restrict access to certain content.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the following Drupal security advisories and apply the necessary updates.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/09/16/drupal-releases-multiple-security-updates
For a more technical overview:
________________________________
FBI-CISA-CGCYBER Advisory on APT Exploitation of ManageEngine ADSelfService Plus Vulnerability
Situation
The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have released a Joint Cybersecurity Advisory (CSA) detailing the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution.
Problem
CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
Implication
An attacker could use this vulnerability to take control of an affected system.
Need
CISA strongly encourages users and administrators to review Joint FBI-CISA-CGCYBER CSA: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus and immediately implement the recommended mitigations, which include updating to ManageEngine ADSelfService Plus build 6114.
For a brief overview:
For a more technical overview:
https://us-cert.cisa.gov/ncas/alerts/aa21-259a
________________________________
Citrix Releases Security Update for ShareFile Storage Zones Controller
Situation
Citrix has released a security patch for the Citrix ShareFile storage zones controller.
Problem
A vulnerability was found that allows an unauthenticated attacker to remotely compromise storage zones controllers.
Implication
An attacker can exploit this vulnerability to take over the affected system.
Need
Citrix ShareFile storage zones controllers should be updated to version 5.11.20.
For more information: https://support.citrix.com/article/CTX328123
________________________________
Adobe Releases Security Updates for Multiple Products
Situation
Adobe has released security updates for multiple Adobe products including Photoshop, ColdFusion, Framemaker, Premiere Pro, Acrobat and Reader, and more.
Problem
Vulnerabilities fixed include out-of-bounds read, buffer overflow, cross-site scripting (XSS), improper input validation, incorrect permissions, and more.
Implication
An attacker can exploit these to take over the affected system.
Need
Please apply the latest updates to all Adobe products in use.
For more information: https://helpx.adobe.com/security.html
________________________________
Microsoft Releases September 2021 Security Updates
Situation
Microsoft has released updates for September 2021. These updates address a wide variety of Microsoft products including Windows, Office, BitLocker, and much more.
Problem
Microsoft has addressed a wide range of vulnerabilities, including memory corruption, use-after-free, heap buffer overflow, privilege escalation, and more.
Implication
If an attacker is able to successfully exploit some of these vulnerabilities, it could allow them to take control of an affected device.
Need
Apply the latest updates to Microsoft products.
For more information: https://msrc.microsoft.com/update-guide/releaseNote/2021Sep
________________________________
Google Releases Security Updates for Chrome Browser
Situation
Google has released Chrome version 93.0.4577.82 for Windows, Mac, and Linux operating systems.
Problem
Google has patched 11 vulnerabilities, nine of which are rated high severity. The high-severity vulnerabilities include use-after-free, out-of-bounds write and memory access, buffer overflow, inappropriate implementation, and type confusion bugs. Google is also aware that exploits for two of these vulnerabilities, CVE-2021-30632 and CVE-2021-30633, currently exist in the wild.
Implication
If an attacker is able to exploit some of these vulnerabilities, it could allow them to take control of the affected device and/or access private data.
Need
Google recommends that users and administrators update their desktop Chrome browser to version 93.0.4577.82 or newer. For additional information, please visit the link below.
Google security advisory:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
________________________________
SAP Releases September 2021 Security Updates
Situation
SAP has released September 2021 security updates for SAP NetWeaver, SAP Business One, SAP ERP Financial Accounting, SAP 3D Visual Enterprise Viewer, SAP Web Dispatcher, SAP Contact Center, and more.
Problem
SAP has addressed vulnerabilities ranging from medium to high severity, such as remote code execution, cross-site scripting (XSS), missing authorization checks, OS command injection, SQL injection, unrestricted file upload, and others.
Implication
If an attacker is able to successfully exploit some of these vulnerabilities, it could allow them to take control of an affected device.
Need
SAP strongly recommends that customers apply the security updates. Additional information can be found below.
SAP Security Notes for September 2021:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405