SANS Institute

SANS NewsBites Vol. 26 Num. 76: Critical Flaws in Ivanti Endpoint Manager and Zimbra postjournal Added to CISA’s Known Exploited Vulnerabilities Catalog; Akamai: CUPS Vulnerabilities Can be Chained for DDoS Attacks

SANS Institute sent this email to their subscribers on October 4, 2024.

Annotated News Update from the Leader in Information Security Training, Certification and Research


SANS Institute
11200 Rockville Pike, Suite 200, North Bethesda, MD, 20852

This mailbox is not monitored. Please email [email protected] or call 301-654-7267 for assistance.


October 4, 2024                                                            Vol. 26, Num. 76

Top of The News
* Ivanti: Known Endpoint Manager Vulnerability is Being Actively Exploited
* Patch Now: Critical Zimbra Flaw in postjournal is Being Actively Exploited
* Akamai Researchers Find that CUPS Vulnerabilities Can be Exploited to Launch DDoS Attacks

The Rest of the Week's News
* Multiple Flaws Found in DrayTek Vigor Routers
* Fixes Available for Multiple Jenkins Vulnerabilities
* Aqua Nautilus Dissects Parasitic “perfctl” Cryptomining Malware
* Update Available to Address Flaw in Avast Antivirus for Windows
* T-Mobile to Pay $15.75 Million Fine and Spend the Same on Security
* UK Nuclear Safety Regulator Fines Nuclear Facility Overseer for Cybersecurity Failings
* Stronger OT Security: International Guidance and MITRE EMB3D
* NVD Enrichment Backlog Update
* Taking Down State-Sponsored Threat Actor Domains

Internet Storm Center Tech Corner

Cybersecurity Training Update
SANS Rocky Mountain Fall 2024 | October 21-26 | Denver, CO or Live Online (MT) | 10 courses
SANS HackFest Summit: Oct 28-29 | Training: Oct 29 - Nov 4 | Hollywood, CA & Live Online
SANS Cyber Defense Initiative(R) 2024 | December 13-18 | Washington, DC or Live Online (ET) | 40+ courses | 1 Cyber Range
Special offers on OnDemand training available now through October 13

Popular, New & Updated Courses
FOR518: Mac and iOS Forensic Analysis and Incident Response (GIME)
SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis
SEC510: Cloud Security Controls and Mitigations (GPCS)
View all Courses

Cybersecurity Awareness Month – Claim Your Free AI Toolkit
Embrace AI’s potential while staying secure. The SANS AI Toolkit helps your workforce capitalize on AI while defending against its risks.

Free technical content sponsored by SANS
Webcast: SANS 2024 ICS/OT Survey: The State of ICS/OT Cybersecurity | Wednesday, October 9, 10:30 AM ET | SANS Certified Instructor Jason Christopher explores the growing trends in cyber threats, vulnerabilities, and risks across industrial environments, including actionable recommendations for how organizations can improve their security posture.

Top of the News

Ivanti: Known Endpoint Manager Vulnerability is Being Actively Exploited
(October 2 & 3, 2024)
Earlier this week, Ivanti updated a May advisory to note that one of the vulnerabilities it addresses (CVE-2024-29824) is being actively exploited. CVE-2024-29824 is a critical SQL-injection vulnerability affecting Ivanti Endpoint Manager. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog; Federal Civilian Executive Branch (FCEB) agencies are expected to address the issue by October 23.

Editor's Note
[Ullrich] Of course it is exploited. Ivanti vulnerabilities have become common enough that attackers have playbooks as to how to effectively exploit them. If attackers have playbooks to exploit a product, you had better have a playbook to keep it up to date and to deal with the resulting incidents if you are not up to date.
[Dukes] One’s strategy shouldn’t be to manage updates depending on whether the vulnerability is being actively exploited. It should be based on the criticality of the vulnerability (Arbitrary Code Execution). The hot patch should have been applied back in May. For those that haven’t yet patched, now you may be in a race with a determined adversary – don’t lose.
[Neely] CVE-2024-29824, SQL Injection vulnerability, has a CVSS score of 9.6 and is due to improper input sanitization of special elements in a SQL command. The flaw affects Ivanti Endpoint Manager (EPM) up to 2022 SU5. Address the issue by updating your Ivanti EPM to the latest version.

Read more in:
- forums.ivanti.com: Security Advisory May 2024 (Updated October 2, 2024)
- www.helpnetsecurity.com: Critical Ivanti Endpoint Manager flaw exploited (CVE-2024-29824)
- www.securityweek.com: Ivanti EPM Vulnerability Exploited in the Wild
- thehackernews.com: Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Agencies to Patch
- www.cisa.gov: Known Exploited Vulnerabilities Catalog
- nvd.nist.gov: CVE-2024-29824 Detail

Patch Now: Critical Zimbra Flaw in postjournal is Being Actively Exploited
(September 27 & October 2, 2024)
Zimbra has released an update to address a critical vulnerability, stemming from inadequate user-input sanitization, in its postjournal service. The flaw could be exploited by unauthenticated attackers to execute arbitrary commands on vulnerable installations. The flaw is being actively exploited and has prompted warnings from Computer Emergency Response Teams (CERTs) in Italy and Latvia, as well as from multiple threat researchers. Users are urged to install the latest Zimbra update or disable postjournal.

Editor's Note
[Neely] CVE-2024-45519, RCE flaw, has a CVSS 3 score of 10.0, and has been added to the NIST KEV catalog with a due date of 10/24/24. The fix is to either disable if not used, or to update postjournal to the latest version, ensure mynetworks is properly configured to prevent unauthorized access, and apply all Zimbra updates.

Read more in:
- blog.projectdiscovery.io: Zimbra - Remote Command Execution (CVE-2024-45519)
- x.com: Threat Insight
- wiki.zimbra.com: Zimbra Security Advisories
- www.theregister.com: 'Patch yesterday': Zimbra mail servers under siege through RCE vuln
- therecord.media: Zimbra bug causes alarm among researchers, CERTs after exploitation attempts
- www.scworld.com: Zimbra email platform under active attack, RCE possible
- arstechnica.com: Attackers exploit critical Zimbra vulnerability using cc’d email addresses
- www.helpnetsecurity.com: Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519)
- nvd.nist.gov: CVE-2024-45519 Detail

Akamai Researchers Find that CUPS Vulnerabilities Can be Exploited to Launch DDoS Attacks
(October 1, 2, & 3, 2024)
Researchers at Akamai have determined that several of the recently disclosed vulnerabilities in the Common UNIX Printing System (CUPS) could be chained to launch distributed denial-of-service (DDoS) attacks. According to Akamai, “Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity, [and] …it would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.”

Editor's Note
[Ullrich] This is an interesting exploit vector and, longer term, it may have a larger impact than the remote code execution issues.
[Neely] If you're not using CUPS, don't just disable it, uninstall it so the vulnerable code is removed. If you are using it, apply the updated fixes to cups-lib. Consider carefully how you're exposing TCP and UDP Port 631 (Internet Printing Protocol).
[Murray] Simone Margaritelli has been trying for months to get the CUPS developers to acknowledge this vulnerability. Block port 631.
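The editors' advice above is to find out how port 631 is exposed on each host. The script below is an added example (not code from Akamai, the CUPS project, or SANS) that answers that question on a Linux box: it parses the output of `ss -H -lntu` (iproute2) and reports any IPP socket bound to something other than a loopback address. In a stock install the wildcard UDP 631 listener belongs to cups-browsed, which is the service Akamai's single-packet trigger reaches. The `ss` output embedded in the script is constructed for the example.

```python
"""Added example: report IPP (port 631) listeners reachable from beyond the
local host, using `ss -H -lntu` output (Linux iproute2)."""
import shutil
import subprocess

IPP_PORT = 631
LOOPBACK_EXACT = {"::1", "localhost"}
LOOPBACK_PREFIXES = ("127.",)
WILDCARD = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -H -lntu` output (not captured from a real host):
# a UDP 631 listener on all interfaces, TCP 631 bound to loopback only, and an
# unrelated sshd socket.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:631        0.0.0.0:*
udp   UNCONN 0      0               [::]:631           [::]:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128            [::1]:631           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
"""


def split_local_address(field):
    """Split an ss local-address field such as '[::]:631' into (addr, port).
    Returns None when there is no numeric port (e.g. a header row)."""
    addr, sep, port = field.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return addr.strip("[]"), int(port)


def is_loopback(addr):
    return addr in LOOPBACK_EXACT or addr.startswith(LOOPBACK_PREFIXES)


def parse_ss(output):
    """Yield (proto, addr, port) for each socket line of `ss -H -lntu`.
    Columns: Netid State Recv-Q Send-Q Local Peer [Process]."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        parsed = split_local_address(fields[4])
        if parsed is None:
            continue
        addr, port = parsed
        yield fields[0], addr, port


def exposed_ipp_listeners(output):
    """Return IPP sockets bound to anything other than a loopback address."""
    findings = []
    for proto, addr, port in parse_ss(output):
        if port != IPP_PORT or is_loopback(addr):
            continue
        scope = "all interfaces" if addr in WILDCARD else f"address {addr}"
        findings.append({"proto": proto, "addr": addr, "scope": scope})
    return findings


def scan_live_host():
    """Run ss on this host; returns None when ss is unavailable (non-Linux)."""
    if shutil.which("ss") is None:
        return None
    result = subprocess.run(["ss", "-H", "-lntu"], capture_output=True,
                            text=True, check=False)
    return exposed_ipp_listeners(result.stdout)


if __name__ == "__main__":
    print("Sample data:")
    for f in exposed_ipp_listeners(SAMPLE_SS_OUTPUT):
        print(f"  {f['proto'].upper()} 631 reachable on {f['scope']}")
    live = scan_live_host()
    if live is None:
        print("ss not found; skipping live scan")
    elif not live:
        print("Live host: no IPP listener reachable beyond loopback")
    else:
        for f in live:
            print(f"Live host: {f['proto'].upper()} 631 reachable on {f['scope']}")
```

On the constructed sample only the two UDP sockets are reported; the TCP listeners are loopback-bound and are ignored. Run it with no arguments on a host to get the same report for the live socket table; anything reported on "all interfaces" is what a perimeter or host firewall rule for port 631 needs to cover.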
Read more in:
- www.akamai.com: When CUPS Runneth Over: The Threat of DDoS
- therecord.media: Experts warn of DDoS attacks using linux printing vulnerability
- www.helpnetsecurity.com: CUPS vulnerabilities could be abused for DDoS attacks

Sponsored Links
Webcast: General Quarters! The Impact of Cybersecurity on the Maritime Industry | Thursday, October 17, 11:30 ET | In this webcast, SANS experts will explore the critical role of cybersecurity in safeguarding maritime operations. Save your seat today!
Virtual Event: AI Summit Solutions Track on October 29th | Join us for our upcoming free virtual event to learn how industry-leading technologies and techniques can enhance your ability to examine and analyze incidents like never before using AI. Save your seat today!
Virtual Event: Fall Cyber Solutions Fest 2024 | Wednesday, November 6 – Friday, November 8 | This free virtual event features 5 tracks ranging from emerging technologies available today to zero trust and threat hunting. Whether you're just starting out in the world of cyber or are a seasoned pro, these tracks will take your cybersecurity skills to the next level. Save your seat today!

The Rest of the Week's News

Multiple Flaws Found in DrayTek Vigor Routers
(October 2, 2024)
Researchers at Forescout’s Vedere Labs identified 14 security issues affecting DrayTek Vigor routers. One of the flaws is rated maximum severity (CVSS 10.0) and a second is rated critical (CVSS 9.1). Nine are rated high severity (between CVSS 7.0 and 8.9), and three are rated medium severity. The flaws can be exploited to take control of vulnerable routers and from there steal data, deploy malware, and launch denial-of-service attacks. Most of the vulnerabilities affect the routers’ web-based user interface. While DrayTek warns that the routers’ control panels should be accessible only from local networks, the researchers at Forescout found more than 700,000 devices had their web interfaces exposed to the public Internet. The flaws affect 24 models of DrayTek Vigor routers, some of which are no longer supported. DrayTek has made patches available for all affected models, end-of-life included.

Editor's Note
[Ullrich] Never ever expose these admin interfaces to the internet. They are all vulnerable. For some of them, the vulnerability just hasn't been published yet.
[Dukes] Two things that should drive patch prioritization: 1) the large number of vulnerabilities; and 2) the criticality of the vulnerabilities. For the first, it gives the evildoer a lot to work with in developing an exploit. For the second, a criticality of 10.0 effectively means that the router is remotely vulnerable with low complexity. Although we can chastise DrayTek for having so many vulnerabilities, they at least did the right thing by including patches for end-of-life products.
[Neely] The DrayTek routers are primarily used for commercial customers; it's important to get these patched to protect their business, providing VPN, firewall, content filtering, VoIP and bandwidth management. Of the 24 impacted models, 11 are EOL. Aside from updating the firmware, protect the management interface from unauthorized devices, and replace EOL devices (the update for EOL devices only addresses CVE-2024-41592, the GetCGI() function buffer overflow, CVSS score 10).

Read more in:
- www.forescout.com: DRAY:BREAK | Breaking Into DrayTek Routers before Threat Actors Do It Again (PDF)
- www.draytek.com: Firmware / Software
- www.theregister.com: 700K+ DrayTek routers are sitting ducks on the internet, open to remote hijacking
- www.scworld.com: 14 DrayTek vulnerabilities patched, including max-severity RCE flaw
- www.securityweek.com: New Vulnerabilities Expose Hundreds of Thousands of DrayTek Routers to Hacking

Fixes Available for Multiple Jenkins Vulnerabilities
(October 2 & 3, 2024)
Jenkins has released updates to address five vulnerabilities in multiple products. A pair of vulnerabilities (CVE-2024-47806 and CVE-2024-47807) in the OpenID Connect Authentication Plugin are considered high severity; they involve audience and issuer claim validation and could be exploited to gain elevated privileges. The other three vulnerabilities are considered medium severity.

Editor's Note
[Neely] The three medium-severity flaws could be used to access and decode encrypted credential values, API keys, certificates and secret files. Check your component product versions; update Jenkins Weekly to 2.479, Jenkins LTS to 2.462.3, Credentials plugin to 1381.v2c3a_12074da_b_ and OpenID Connect Authentication Plugin to 4.355.v3a_fb_fca_b_96d4. Jenkins advises to update immediately.

Read more in:
- www.securityweek.com: Jenkins Patches High-Impact Vulnerabilities in Server and Plugins
- securityonline.info: Security Vulnerabilities Uncovered in Jenkins: Immediate Updates Recommended
- www.jenkins.io: Jenkins Security Advisory 2024-10-02
- nvd.nist.gov: CVE-2024-47806 Detail
- nvd.nist.gov: CVE-2024-47807 Detail

Aqua Nautilus Dissects Parasitic “perfctl” Cryptomining Malware
(October 2 & 3, 2024)
On October 3, 2024, Aqua Nautilus published analysis of the "perfctl" malware, which researchers discovered on a honeypot server, and whose effects have been observed on Linux servers worldwide for three years. The malware breaches systems through "misconfigurations or exposed secrets," often exploiting two known, patched vulnerabilities: CVE-2023-33246, affecting Apache RocketMQ 5.1.0 and older, and CVE-2021-4034, a flaw in Polkit. The attack is "elusive and persistent," waiting for a server to be idle: an obfuscated payload is downloaded, executed, copied into a directory for temporary files, then the original process is terminated and the original file deleted.
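Two of the traits just described leave traces that a process-integrity check can pick up on Linux: a process whose binary was deleted after it started (procfs appends " (deleted)" to the `/proc/<pid>/exe` link), and a process executing from a temporary directory. The script below is an added example, not code from Aqua Nautilus or SANS, of such a sweep; it also flags a mismatch between argv[0] and the real binary name, which is how camouflaged process names show up. The sample process list, including its paths and names, is constructed for the example and is not an indicator from the report.

```python
"""Added example: a process-integrity sweep for binaries deleted while still
running, binaries executing from scratch directories, and argv[0] masquerading."""
import os

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
TRUSTED_BIN_DIRS = ("/bin/", "/sbin/", "/usr/", "/opt/", "/snap/")
DELETED_SUFFIX = " (deleted)"

# Constructed sample modelled on /proc/<pid>/exe and /proc/<pid>/cmdline.
# Paths and names are invented for the example, not indicators from the report.
SAMPLE_PROCESSES = [
    {"pid": 412, "exe": "/usr/sbin/cron", "cmdline": "/usr/sbin/cron -f"},
    {"pid": 900, "exe": "/usr/bin/bash", "cmdline": "-bash"},
    {"pid": 2031, "exe": "/tmp/.x/perfctl (deleted)", "cmdline": "/usr/bin/perfctl"},
    {"pid": 2077, "exe": "/dev/shm/.x/kworker", "cmdline": "[kworker/0:1]"},
]


def assess_process(exe_target, cmdline):
    """Return the reasons a process looks suspicious (empty list = nothing found).

    exe_target: what /proc/<pid>/exe links to; the kernel appends ' (deleted)'
                when the file was unlinked after exec.
    cmdline:    argv joined by spaces (NUL separators already replaced).
    """
    reasons = []
    if exe_target.endswith(DELETED_SUFFIX):
        reasons.append("executable was deleted while the process kept running")
        exe_target = exe_target[: -len(DELETED_SUFFIX)]
    if exe_target.startswith(SCRATCH_DIRS):
        reasons.append("executable runs from a temporary/scratch directory")
    elif not exe_target.startswith(TRUSTED_BIN_DIRS):
        reasons.append("executable outside the usual binary directories")
    # Masquerading heuristic: argv[0] (for example a kernel-thread-style name)
    # that does not match the real binary. Login shells prefix argv[0] with
    # '-', so that is stripped; tune for daemons that rewrite their argv.
    argv0 = cmdline.split(" ", 1)[0].lstrip("-") if cmdline else ""
    real_name = os.path.basename(exe_target)
    if argv0 and os.path.basename(argv0) != real_name:
        reasons.append(f"argv[0] {argv0!r} does not match binary {real_name!r}")
    return reasons


def triage(processes):
    """Run assess_process over {pid, exe, cmdline} dicts; return flagged ones."""
    flagged = []
    for p in processes:
        reasons = assess_process(p["exe"], p["cmdline"])
        if reasons:
            flagged.append((p["pid"], reasons))
    return flagged


def collect_from_proc():
    """Read live processes from /proc (Linux only); unreadable ones are skipped."""
    processes = []
    if not os.path.isdir("/proc"):
        return processes
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                raw = fh.read()
            cmdline = raw.replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            continue  # kernel threads, already-exited, or not ours to read
        processes.append({"pid": int(entry), "exe": exe, "cmdline": cmdline})
    return processes


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES + collect_from_proc()):
        print(f"pid {pid}: " + "; ".join(reasons))
```

On the sample, cron and the login shell pass, the deleted-binary process under /tmp is flagged twice, and the kworker look-alike under /dev/shm is flagged for both its location and its argv[0]. Run as root the live sweep covers every process; unprivileged it silently skips processes whose `exe` link it cannot read, so treat an empty result from a non-root run as incomplete rather than clean.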
Copies of the malware and its elements are named to camouflage as legitimate Linux files and processes, embedding themselves in the target server with rootkits and "trojanized versions" of normal utilities. Once established, the malware begins cryptomining and in some cases proxyjacking to sell unused bandwidth. Aqua Nautilus recommends "system monitoring, network traffic analysis, file and process integrity monitoring, and proactive mitigation" via patching, restricting file execution, disabling unused services, implementing strict privilege management, and segmenting networks.

Read more in:
- www.aquasec.com: perfctl: A Stealthy Malware Targeting Millions of Linux Servers
- thehackernews.com: New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking
- www.bleepingcomputer.com: Linux malware “perfctl” behind years-long cryptomining campaign
- www.darkreading.com: Near-'perfctl' Fileless Malware Targets Millions of Linux Servers

Update Available to Address Flaw in Avast Antivirus for Windows
(October 3, 2024)
A vulnerability in Avast Antivirus for Windows could be exploited to gain elevated privileges on unpatched systems. The high-severity race-condition flaw (CVE-2024-5102) exists in the “Repair” feature of Avast Antivirus for Windows versions older than 24.2. Users are urged to ensure they are running the most recent version of the product.

Editor's Note
[Neely] Flaws in your endpoint protection solution should be rapidly addressed regardless of score. The flaw stems from how the repair function handles symbolic links; an attacker can manipulate those links to have it delete or recreate arbitrary files as well as execute code with system privileges. The root cause is improper link resolution before file access and improper validation of input.

Read more in:
- securityonline.info: CVE-2024-5102: Avast Antivirus Flaw Could Allow Hackers to Delete Files and Run Code as SYSTEM
- support.norton.com: Norton Security Advisories
- nvd.nist.gov: CVE-2024-5102 Detail

T-Mobile to Pay $15.75 Million Fine and Spend the Same on Security
(October 2 & 3, 2024)
A court order released on September 30, 2024, approves a Consent Decree settling legal action against T-Mobile by the Federal Communications Commission (FCC). The FCC had been investigating T-Mobile after four major data breaches between 2021 and 2023, aiming to determine the company's culpability under the Communications Act of 1934; the act "expects telecommunications carriers to take 'every reasonable precaution' to protect their customers' proprietary or personal information." The breaches resulted in the theft and release of millions of customers’ "names, addresses, dates of birth, Social Security numbers, driver's license numbers," and service plan details. Half of the $31.5 million settlement will be paid as a civil penalty to the US Treasury, and the other half must be spent to "address foundational security flaws" within two years: applying secure authentication practices, building zero-trust architecture, improving data hygiene, and arranging for third-party assessments, among other measures.

Editor's Note
[Neely] While T-Mobile has had as many as 7 breaches over the last five years, this settlement covers the last four (since 2021). You may recall in 2021 things kicked off with an attacker stealing personal and device-related information, including PINs, for 76.6 million current, former, and prospective T-Mobile customers. The good news is that the FCC is actively raising the bar, requiring breach notifications, stating "Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences." The hard part, if you're a T-Mobile customer, is deciding if you can survive until the changes are made or if you should switch to AT&T, Sprint or Verizon, who have had other issues of late.
[Dukes] The FCC is increasingly holding organizations accountable for not exhibiting a standard of reasonableness when it comes to protecting consumer information. This is the latest installment. For companies wishing to stay out of the FCC, or judicial branch, crosshairs, the Center for Internet Security recently published a ‘Guide to Defining Reasonable Cybersecurity’ that specifies what must be done to meet the standard of reasonable cybersecurity.

Read more in:
- www.theregister.com: T-Mobile US to cough up $31.5M after that long string of security SNAFUs
- docs.fcc.gov: DA 24-860 (PDF)
- docs.fcc.gov: FCC Reaches Multi-Million Dollar Settlement of Investigations Into T-Mobile Data Breaches With Significant Improvements to Company’s Cybersecurity (PDF)
- [source not captured]: T-Mobile pays $16 million fine for three years’ worth of data breaches

UK Nuclear Safety Regulator Fines Nuclear Facility Overseer for Cybersecurity Failings
(October 3, 2024)
The UK’s Office for Nuclear Regulation (ONR) has fined nuclear waste processing firm Sellafield Ltd £332,500 (436,439 USD) for issues with “management of the security around its information technology systems between 2019 to 2023 and its breaches of the Nuclear Industries Security Regulations 2003.” An investigation determined that Sellafield’s IT systems could have allowed unauthorized access and data loss. The Chief Magistrate presiding in court earlier this week also fined Sellafield £53,253 (69,900 USD) to cover costs associated with the prosecution.

Editor's Note
[Dukes] Another example of the standard ‘duty of care’ being applied by the judicial system to an organization. Besides the monetary fine, the settlement typically requires the organization to apply additional security controls and submit annual risk management reports on the state of its cybersecurity program. You can get ahead of this by implementing and measuring yourself against one of several well-known cybersecurity frameworks: NIST CSF, ISO 27001, and the CIS Critical Security Controls.

Read more in:
- onr.org.uk: Sellafield Ltd fined £332,500 for cyber security shortfalls
- [source not captured]: Sellafield Fines by Regulator of Cybersecurity Policy Failings
- www.theguardian.com: Sellafield ordered to pay nearly £400,000 over cybersecurity failings
- www.bbc.com: Sellafield fined for cyber security breaches
- therecord.media: Sellafield, UK’s largest nuclear site, fined £330,000 for cybersecurity failings
- www.reuters.com: UK's nuclear waste unit Sellafield fined for cybersecurity failings

Stronger OT Security: International Guidance and MITRE EMB3D
(October 2, 2024)
A new publication of joint guidance from security organizations in Australia, Canada, Germany, Japan, Korea, New Zealand, the US, and the UK outlines core principles for maintaining security in Operational Technology (OT). OT systems are “vital services;” they are also complex, diverse, and difficult to change, making security difficult to assess. The document emphasizes checking decisions against six principles:
1. “Safety is paramount,” specifically physical safety of human beings;
2. “Knowledge of the business is crucial ... Top-down thinking has historically led many organisations to seek to separate OT from IT;"
3. “OT data is extremely valuable and needs to be protected;”
4. “Segment and segregate OT from all other networks;”
5. “The supply chain must be secure;” and
6. “People are essential for OT cyber security.”
Within days of this guidance, MITRE fully published EMB3D: a “living framework” for linking device properties to threats and mitigations in OT as well as IoT, automotive, healthcare, and other applications. The framework is informed by major vulnerability enumerations, and the mitigations are "mapped to the security controls" from the International Society of Automation and International Electrotechnical Commission's ISA/IEC 62443 series of standards.

Editor's Note
[Murray] Flat networks continue to be problematic everywhere, but exposing OT to the public networks is reckless.

Read more in:
- www.securityweek.com: US, Allies Release Guidance on Securing OT Environments
- www.cyber.gov.au: Principles of operational technology cyber security
- www.securityweek.com: MITRE Adds Mitigations to EMB3D Threat Model
- emb3d.mitre.org: The MITRE EMB3D Threat Model
- emb3d.mitre.org: Whitepaper: The EMB3D Threat Model for Embedded Devices (PDF)

NVD Enrichment Backlog Update
(September 30 & October 2, 2024)
The US National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD) is still showing a significant enrichment backlog. What this means is that while new CVEs appear in the NVD, some currently offer only minimal information instead of an organized aggregation of publicly available data about the vulnerability. The backlog issue began in February 2024. In May, NIST hired a third-party consultant to help with the backlog.

Editor's Note
[Neely] The trend is moving in the right direction: as of September 21, 72.4% of CVEs were not analyzed compared to 93.4% in May. NIST missed their self-imposed deadline of September 30th to clear the backlog; it's not clear what it'll take to clear it, as well as to thwart efforts to create alternates to the NIST vulnerability repositories.
[Murray] One can only love the characterization of "significant enrichment backlog." They have had a broken system for months.

Read more in:
- nvd.nist.gov: NVD Dashboard
- vulncheck.com: Danger is Still Lurking in the NVD Backlog
- nvd.nist.gov: CVEs and the NVD Process
- www.theregister.com: NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great

Taking Down State-Sponsored Threat Actor Domains
(October 3, 2024)
The US Justice Department (DoJ) has unsealed a warrant that authorized the seizure of more than 100 domains associated with cyberthreat actors with ties to Russia’s government. The domains have been used to conduct computer fraud and other abuses in the US. A civil lawsuit filed by Microsoft and the NGO Information Sharing and Analysis Center (NGO-ISAC) sought the seizure of 66 domains; the DoJ seized an additional 41 domains.

Editor's Note
[Dukes] While the work of government and the private sector is applauded, two areas need additional focus: 1) the speed in moving from detection of criminal domains to their seizure; and 2) detection of new criminal domains. For the first, it appears it took upwards of a year to seize the domains identified as supporting criminal activity. For the second, global collaboration and information sharing is needed. Let’s celebrate the win and continue the fight against cyber criminals.

Read more in:
- blogs.microsoft.com: Protecting Democratic Institutions from Cyber Threats
- www.justice.gov: Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts
- www.nextgov.com: DOJ, Microsoft disrupt Russian hackers targeting civil society orgs
- cyberscoop.com: DOJ, Microsoft seize more than 100 domains used by the FSB
- www.securityweek.com: Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Internet Storm Center Tech Corner
- Hurricane Helene Aftermath - Cyber Security Awareness Month
- Security Related Docker Containers
- Kickstart Your DShield Honeypot
- SANS Munich (free Community Night Tuesday October 15th)
- CeranaKeeper Use of Cloud Services
- Optigo Spectra Vulnerabilities
- Pixel Addressing Vulnerabilities in Cellular Modems
- CUPS DDoS Attack
- Draytek Vulnerabilities
- Zimbra - Remote Command Execution (CVE-2024-45519)
- Enhancing the security of Microsoft Edge extensions with the new Publish API
- CVE-2024-36435 Deep-Dive: The Year’s Most Critical BMC Security Flaw

The Editorial Board of SANS NewsBites
Brian Honan, Curt Dukes, Chris Elgee, David Hoelzer, Ed Skoudis, Gal Shpantzer, Jake Williams, Dr. Johannes Ullrich, John Pescatore, Josh Wright, Kathy Bradford, Lance Spitzner, Lee Neely, Mark Weatherford, Moses Frost, Suzanne Vautrinot, William Hugh Murray