Please see Security Advisories for the week ending April 23, 2021
- Trend Micro Antivirus Products Exploited in the Wild
- CISA Incident Response to SUPERNOVA Malware
- Drupal Releases Security Updates for Several Versions
- Juniper Networks Releases Security Updates
- SonicWall Releases Patches for Email Security Products
- CISA Issues Emergency Directive on Pulse Connect Secure
- VMware Releases Security Update
- Oracle Releases April 2021 Critical Patch Update for Several Products
- Mozilla Releases Security Update for Firefox, Firefox ESR, and Thunderbird
________________________________
Trend Micro Antivirus Products Exploited in the Wild
Situation:
A threat actor is actively exploiting a vulnerability in Trend Micro's Apex One and OfficeScan endpoint security products on Windows.
Problem:
An attacker who can already run low-privileged code on the host could manipulate a specific product folder (a hard-link abuse) to temporarily disable the product's OS-level security services, and use that window to escalate privileges.
Implication:
This is a local privilege escalation, not a remote exploit: the attacker needs an initial foothold as an ordinary user, but can then gain elevated privileges on the affected Windows system.
Need:
Trend Micro has released patches and recommends updating as soon as possible. Trend Micro also pointed out that the hard-link mitigation in Windows 10 version 1909 blocks this technique, so hosts running older versions of Windows are the most exposed; the product patch should still be applied everywhere.
For a more technical overview:
________________________________
CISA Incident Response to SUPERNOVA Malware
Situation:
CISA has released an analysis report, AR21-112A, on an incident involving SUPERNOVA, a webshell attributed to an advanced persistent threat (APT) actor.
Problem:
CISA responded to a long-term compromise, which began in approximately March 2020, of an unnamed entity's enterprise network. The APT actor connected to the network through a Pulse Secure VPN appliance using several user accounts, none of which had multi-factor authentication enabled. The actor then installed SUPERNOVA on the entity's SolarWinds Orion server; with the webshell in place as a persistence mechanism, the actor carried out reconnaissance, domain mapping, and credential theft. SUPERNOVA was placed directly on the Orion server and is designed to pass as a legitimate component of the product.
Implication:
Although the actor leveraged vulnerabilities in the Orion product suite to install the webshell, the intrusion was made possible by weaknesses in the entity's own environment, above all the lack of multi-factor authentication on the VPN appliance's user accounts. Gaps in security posture like these, including unapplied product updates and patches, leave the door open to compromise.
Need:
In light of this incident, CISA encourages users and administrators to review AR21-112A for recommendations on strengthening the security posture of enterprise networks, and to review ED 21-01 and AA20-352A for help addressing vulnerabilities in their SolarWinds Orion deployments.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/04/22/cisa-incident-response-supernova-malware
________________________________
Drupal Releases Security Updates for Several Versions
Situation:
Drupal has released security updates to address a vulnerability affecting Drupal 7, 8.9, 9.0, and 9.1.
Problem:
The sanitization API in Drupal 7, 8.9, 9.0, and 9.1 fails to properly filter cross-site scripting (XSS) payloads under certain circumstances that the advisory does not specify.
Implication:
An attacker could exploit this vulnerability to run script in the browser of a site user; when the victim is an administrator, that can lead to takeover of the affected site.
Need:
CISA encourages administrators and users to review Drupal advisory SA-CORE-2021-002 and apply the necessary updates.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/04/22/drupal-releases-security-updates
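The Drupal advisory does not say which inputs get past the filter. As an added illustration that is not Drupal's code and does not reproduce the SA-CORE-2021-002 bypass, the Python sanitizer below shows the general class of failure: a filter that decides only on tag names (the tag_only=True mode) passes attribute-based and URL-scheme-based XSS payloads untouched, while an allow-list that also covers attributes and URL schemes, and escapes all remaining text, removes them. The allow-lists and payloads are constructed for the example.

```python
"""Allow-list HTML sanitizer: the general failure class behind "improper XSS filtering".

Added, stand-alone illustration.  This is not Drupal's sanitization API and it
does not reproduce the (unpublished) SA-CORE-2021-002 bypass.  It contrasts a
naive filter that decides on tag names only (tag_only=True) with one that also
allow-lists attributes, checks URL schemes and escapes all text.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allow-lists for the example; a real policy is per site.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}                     # never emit an end tag for these
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")


def safe_url(value):
    """Accept scheme-less (relative) URLs and absolute URLs with a known scheme.

    Control characters are removed first because browsers ignore them when
    parsing the scheme, so "java\\tscript:" would otherwise slip through.
    """
    v = "".join(ch for ch in value.strip().lower() if ch not in "\t\n\r\x00 ")
    if ":" not in v:
        return True
    return v.startswith(SAFE_URL_SCHEMES)


class _Sanitizer(HTMLParser):
    def __init__(self, tag_only):
        super().__init__(convert_charrefs=True)
        self.tag_only = tag_only
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                          # drop the tag; its text is still emitted, escaped
        kept = []
        for name, value in attrs:
            value = value or ""
            if self.tag_only:
                kept.append((name, value))  # naive filter: every attribute survives
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                    # removes on* handlers, style, srcdoc, ...
            if name == "href" and not safe_url(value):
                continue                    # removes javascript:, data:, vbscript: links
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is always entity-escaped.
        self.out.append(escape(data))

    # Comments, declarations and processing instructions are silently dropped:
    # the base-class handlers for them are no-ops and are not overridden here.


def sanitize(html, tag_only=False):
    """Return html reduced to the allow-list.  tag_only=True is the flawed variant."""
    parser = _Sanitizer(tag_only)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed payloads: the tag-only filter passes the first two unchanged.
PAYLOADS = [
    '<b onmouseover="alert(1)">hi</b>',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="java&#09;script:alert(1)">x</a>',   # entity-encoded tab inside the scheme
    '<script>alert(1)</script>',
    '<a href="https://example.org/" title="t">x</a>',
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r}\n  tag-only : {sanitize(p, tag_only=True)!r}\n  hardened : {sanitize(p)!r}")
```

The third payload is the one worth studying: the parser decodes the `&#09;` entity before the filter sees the attribute, so a scheme check that does not strip control characters would still compare against `java<TAB>script:` and miss it. Filtering on the decoded value, with control characters removed, is what makes the allow-list hold.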
________________________________
Juniper Networks Releases Security Updates
Situation:
Juniper Networks has released multiple security updates to address vulnerabilities affecting multiple products.
Problem:
The vulnerabilities span several Juniper products and differ in severity; an attacker could exploit some of them to take control of an affected system.
Implication:
Unpatched systems could be taken over by an attacker, compromising the integrity of both the device and the network it serves.
Need:
CISA and Juniper Networks encourage users and administrators to review the Juniper Networks security advisories page linked below and apply the necessary updates.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/juniper-networks-releases-security-updates
For a more technical overview:
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES
________________________________
SonicWall Releases Patches for Email Security Products
Situation:
SonicWall has verified, tested, and published patches for three zero-day vulnerabilities in its hosted and on-premises Email Security products.
Problem:
The three zero-day vulnerabilities are:
- CVE-2021-20021: allows an unauthenticated attacker to create an administrative account by sending a crafted HTTP request to the remote host.
- CVE-2021-20022: allows an authenticated attacker to upload an arbitrary file to the remote host.
- CVE-2021-20023: allows an authenticated attacker to read an arbitrary file from the remote host.
Chained together, these give an attacker with only network access to the appliance an administrative account, then arbitrary file write and file read on the host. SonicWall is aware of at least one case of these vulnerabilities being exploited in the wild.
Implication:
A remote attacker who successfully exploits these vulnerabilities could take control of the affected system and/or read sensitive information from it.
Need:
SonicWall strongly recommends that organizations running Email Security hardware appliances, virtual appliances, or the software installation on Microsoft Windows Server upgrade to the patched versions immediately.
For a more technical overview:
________________________________
CISA Issues Emergency Directive on Pulse Connect Secure
Situation:
CISA has issued Emergency Directive ED 21-03 and Alert AA21-110A to address vulnerabilities in Pulse Connect Secure (PCS).
Problem:
CISA has observed active exploitation of Pulse Connect Secure vulnerabilities. Threat actors have been leveraging several of them (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893) to gain initial access, then placing webshells on the PCS appliance. The webshells let the actors bypass authentication, log passwords, and keep persistent access through appliance maintenance and patching.
Implication:
Threat actors could exploit these vulnerabilities to gain unauthorized access to the VPN appliance and, from there, potentially compromise the critical information systems behind it.
Need:
Because Pulse Connect Secure is widely used by Federal agencies as well as the private sector, CISA, under authority delegated by the Department of Homeland Security, requires Federal agencies to run the Pulse Connect Secure Integrity Tool to verify the integrity of the entire file system of every PCS deployment, and to update to the latest version of the software.
For a more technical overview:
https://cyber.dhs.gov/ed/21-03/
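The directive's requirement to verify the integrity of the entire file system comes down to comparing every file on the appliance against a trusted hash set. The Python script below is an added illustration of that technique, not the Pulse Connect Secure Integrity Tool: it snapshots a constructed directory tree into a sha256sum-style manifest (an assumed format), tampers with the tree the way a webshell drop would (one file modified, one added, one removed), and reports the differences.

```python
"""Directory-tree integrity check against a known-good SHA-256 manifest.

Added illustration of the technique behind the ED 21-03 requirement to verify
the integrity of a PCS appliance's file system.  It is not the Pulse Connect
Secure Integrity Tool: the manifest format (sha256sum-style lines) and the
sample tree are assumptions, and the vendor tool ships its own signed hash set
for each release.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every entry under root (relative POSIX path) to its SHA-256.

    Symlinks are recorded by their target instead of being followed, so a
    link redirected at a planted file shows up as a modification.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                result[rel] = "symlink:" + os.readlink(full)
            else:
                result[rel] = sha256_file(full)
    return result


def parse_manifest(text):
    """Parse 'digest  path' lines; blank lines and '#' comments are ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        manifest[path] = digest.lower()
    return manifest


def format_manifest(hashes):
    return "\n".join(f"{digest}  {path}" for path, digest in sorted(hashes.items()))


def compare(baseline, current):
    """Return added, modified and missing paths relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "missing": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Constructed sample tree: snapshot it, tamper with it, then diff."""
    files = {
        "htdocs/login.cgi": b"original login handler\n",
        "bin/service": b"binary build 1\n",
        "etc/release": b"9.1R11\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Known-good manifest: taken before exposure, or vendor-published.
        manifest = parse_manifest(format_manifest(hash_tree(root)))

        # Three kinds of tampering: modify a handler, drop a new file, delete one.
        with open(os.path.join(root, "htdocs", "login.cgi"), "ab") as f:
            f.write(b"# injected credential logger\n")
        with open(os.path.join(root, "htdocs", "dropped.cgi"), "wb") as f:
            f.write(b"webshell\n")
        os.remove(os.path.join(root, "etc", "release"))

        return compare(manifest, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

Two caveats the tool-based check in ED 21-03 is designed around: the baseline must come from a trusted source (a vendor-published hash set or a snapshot taken before the appliance was exposed), since a manifest generated on an already-compromised box simply blesses the webshell; and the comparison should be run from outside the suspect operating system, because a compromised appliance can misreport its own files.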
________________________________
VMware Releases Security Update
Situation:
VMware has released security updates to address a vulnerability in VMware NSX-T.
Problem:
A privilege escalation vulnerability was found in VMware NSX-T, caused by an issue in how role-based access control (RBAC) handles role assignment.
Implication:
An attacker holding only a local guest user account could assign privileges higher than their own permission level, escalating from the least privileged role to a more powerful one.
Need:
Apply the NSX-T security updates listed in the VMware advisory linked below.
For a more technical overview:
https://www.vmware.com/security/advisories/VMSA-2021-0006.html
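The advisory describes an RBAC role-assignment check that a guest account can get around. As an added illustration of that class of bug, not NSX-T's code or role model, the Python below puts a role-assignment function that validates only the request beside one that also validates the requester; the roles, levels and permissions are assumptions made for the example.

```python
"""RBAC role assignment: the missing authorization check behind a guest-to-admin escalation.

Added illustration of the vulnerability class described in VMSA-2021-0006.  The
role names, levels, permissions and functions below are assumptions made for the
example; they are not NSX-T's RBAC model or code.
"""
from dataclasses import dataclass, field

# Assumed role model: higher level = more privilege.
ROLES = {
    "guest":            {"level": 0, "perms": {"read"}},
    "auditor":          {"level": 1, "perms": {"read", "read_logs"}},
    "network_operator": {"level": 2, "perms": {"read", "configure", "manage_roles"}},
    "enterprise_admin": {"level": 3, "perms": {"read", "configure", "manage_roles", "manage_system"}},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized to perform the assignment."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    @property
    def level(self):
        return max((ROLES[r]["level"] for r in self.roles), default=-1)

    def has(self, perm):
        return any(perm in ROLES[r]["perms"] for r in self.roles)


def assign_role_vulnerable(actor, target, role):
    """Validates the request but never the requester.

    Only checks that the caller is an authenticated user and that the role
    exists.  Any user, including a guest, can hand out enterprise_admin.
    """
    if role not in ROLES:
        raise ValueError(f"unknown role {role}")
    if not actor.roles:
        raise Forbidden("unauthenticated")
    target.roles.add(role)


def assign_role_fixed(actor, target, role):
    """Two checks the vulnerable version lacks, enforced server-side."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role}")
    # 1. Only holders of a role-management permission may change assignments.
    if not actor.has("manage_roles"):
        raise Forbidden(f"{actor.name} may not manage role assignments")
    # 2. Nobody may grant a role above their own level, so a delegated
    #    administrator cannot mint a superior (for themselves or anyone else).
    if ROLES[role]["level"] > actor.level:
        raise Forbidden(f"{actor.name} (level {actor.level}) cannot grant {role}")
    target.roles.add(role)


def attempt(assign, actor, target, role):
    """Run one assignment and report whether it was allowed."""
    try:
        assign(actor, target, role)
        return True
    except Forbidden:
        return False


def demo():
    """Replay the same requests against both implementations."""
    outcomes = {}
    for label, assign in (("vulnerable", assign_role_vulnerable), ("fixed", assign_role_fixed)):
        guest = User("guest-user", {"guest"})
        operator = User("net-op", {"network_operator"})
        admin = User("root-admin", {"enterprise_admin"})
        results = {
            # The case in the advisory: a guest grants itself a higher role.
            "guest_self_escalates": attempt(assign, guest, guest, "enterprise_admin"),
            # Legitimate delegated administration stays possible.
            "operator_grants_auditor": attempt(assign, operator, User("new", set()), "auditor"),
            # A delegated admin must not be able to create a superior.
            "operator_grants_admin": attempt(assign, operator, User("new", set()), "enterprise_admin"),
            "admin_grants_admin": attempt(assign, admin, User("new", set()), "enterprise_admin"),
        }
        results["guest_level_after"] = guest.level
        outcomes[label] = results
    return outcomes


if __name__ == "__main__":
    for label, results in demo().items():
        print(label, results)
```

The two checks on the fixed side are independent: the first answers "may this caller change assignments at all", the second "may this caller grant this particular role". Dropping either reopens an escalation path, and both must live in the API handler rather than only in the management UI, because a local account can call the API directly.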
________________________________
Oracle Releases April 2021 Critical Patch Update for Several Products
Situation:
Oracle has released its April 2021 Critical Patch Update. Affected products include Agile Product Lifecycle Management, Enterprise Manager, JD Edwards, MySQL, PeopleSoft, and VirtualBox, among many others.
Problem:
The update fixes a large number of vulnerabilities across Oracle's product lines, many of them rated critical. The flaws vary, but many are remotely exploitable, in a number of cases without authentication, and require little skill to exploit.
Implication:
A remote attacker could exploit these vulnerabilities to take control of the affected systems.
Need:
Oracle ships Critical Patch Updates on a fixed quarterly schedule, so each one bundles a full quarter's worth of fixes and the name does not mean every fix is critical. Organizations should apply the relevant patches as soon as possible, prioritizing internet-facing products and those reachable without authentication.
For a more technical overview:
https://www.oracle.com/security-alerts/cpuapr2021.html
________________________________
Mozilla Releases Security Update for Firefox, Firefox ESR, and Thunderbird
Situation:
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird.
Problem:
Versions prior to Firefox 88, Firefox ESR (Extended Support Release) 78.10, and Thunderbird 78.10 contain vulnerabilities including integer overflow, spoofing, and privilege escalation issues; the versions named are the fixed releases.
Implication:
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need:
CISA recommends that users and administrators of these products review the Mozilla advisories linked below and apply the relevant updates.
For a more technical overview:
Firefox: https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/
Firefox ESR: https://www.mozilla.org/en-US/security/advisories/mfsa2021-15/
Thunderbird: https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/