Contact

DataEndure | Managed Cybersecurity. It's about time.

Under Attack?
Home > Security Advisories > Security Advisory for the week ending September 15, 2023

Security Advisory for the week ending September 15, 2023

• Mozilla Releases Security Updates for Multiple Products
• Palo Alto Networks Security Advisories – September 2023
• Microsoft Releases September 2023 Updates
• Apple Releases Security Updates for iOS and macOS
• NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats
• Cisco warns of VPN Zero-Day Exploited by Ransomware Gangs

Mozilla Releases Security Updates for Multiple Products

Situation:
Mozilla has released security updates to address a vulnerability affecting Firefox, Firefox ESR, and Thunderbird

Problem:
A cyber threat actor can exploit this vulnerability to take control of an affected system

Implication:
Opening a malicious WebP image could lead to a heap buffer overflow in the content process, allowing data to overflow into adjacent memory locations.

Need:
We recommend updating Firefox, Firefox ESR, Thunderbird to the following versions where the vulnerability was fixed.

  • Firefox 117.0.1
  • Firefox ESR 102.15.1
  • Firefox ESR 115.2.1
  • Thunderbird 102.15.1
  • Thunderbird 115.2.2

Additional Resources:

Mozilla Releases Security Updates for Multiple Products:
https://www.cisa.gov/news-events/alerts/2023/09/13/mozilla-releases-security-updates-multiple-products

Mozilla Foundation Security Advisory 2023-40:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Palo Alto Networks Security Advisories – September 2023

Situation:
Palo Alto Networks has published two new Security Advisories and one Informational Bulletin on September 13, 2023

Problem:
Vulnerabilities have been discovered in PAN-OS BGP software, Cortex XDR Agent, as well as a combination of attacks targeting PAN-OS/Prisma Access with GlobalProtect.

Implication:
PAN-OS BGP software – BGP software such as FRRouting FRR included as part of the PAN-OS virtual routing feature enable a remote attacker to incorrectly reset network sessions though an invalid BGP update. This issue is applicable only to firewalls configured with virtual routers that have BGP enabled.

Cortex XDR Agent – A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to disable the agent.

PAN-OS/Prisma Access with GlobalProtect –  a combination of attacks referred to as  “TunnelCrack” has been discovered. These attacks leak VPN client traffic outside of the protected VPN tunnel when clients connect to untrusted networks,

Need:
PAN-OS BGP software – Until the PAN-OS hotfix is released, You can prevent exploitation of this issue by inserting an unimpacted BGP router—configured to drop the invalid BGP update instead of propagating it—between the attacker-originated BGP update and the PAN-OS virtual router. This stops the invalid BGP update from reaching the PAN-OS virtual router.

Cortex XDR Agent – We recommend updating Cortex XDR Agents to  the following versions; Cortex XDR agent 7.9.101-CE, Cortex XDR agent 7.9.3, Cortex XDR agent 8.0.2, and all later Cortex XDR agent versions.

PAN-OS/Prisma Access with GlobalProtect – LocalNet attacks are completely mitigated by enabling the “No direct access to local network” feature in the Split Tunnel tab on the firewall. ServerIP attacks are completely mitigated by navigating to Network > GlobalProtect > Portal > Agent > External Gateway and setting an IP address instead of an FQDN for the gateway configuration. Gateway certificates will need to be updated to include the IP address as a SAN or as a common name.

Additional Resources:

Palo Alto Networks Security Advisories:
https://security.paloaltonetworks.com/

CVE-2023-38802 PAN-OS: Denial-of-Service (DoS) Vulnerability in BGP Software:
https://security.paloaltonetworks.com/CVE-2023-38802

CVE-2023-3280 Cortex XDR Agent: Local Windows User Can Disable the Agent:
https://security.paloaltonetworks.com/CVE-2023-3280

PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671, CVE-2023-36672, CVE-2023-35838, and CVE-2023-36673):
https://security.paloaltonetworks.com/PAN-SA-2023-0004
Microsoft Releases September 2023 Updates

Situation:
Microsoft has found a vulnerability in their software that could allow threat actors to take control over your computer.

Problem:
There are vulnerabilities in Microsoft software that could be exploited by cybercriminals.

Implication:
If these problems aren’t fixed with updates, hackers can gain control of your computer, potentially causing data loss or other security issues.

Need:
We recommend reviewing Microsoft Security Update Guide, apply the necessary updates and regularly make it a practice to check for and install software updates and security patches from Microsoft. This helps keep your system protected against potential threats.

Additional Resources:

September 2023 Security Update Guide
https://msrc.microsoft.com/update-guide/releaseNote/2023-Sep

Microsoft Releases September 2023 Updates
https://www.cisa.gov/news-events/alerts/2023/09/12/microsoft-releases-september-2023-updates
Apple Releases Security Updates for iOS and macOS

Situation:
Apple has identified a security vulnerability CVE-2023-41064 in their products that could allow threat actors to take control of a device. To address this issue they have released updates for iOS, iPadOS, macOS Monterey, and macOS Big Sur. Users and administrators are encouraged to review these advisories and install the necessary updates to protect their devices from potential attacks.

Problem:
There is a security vulnerability present in multiple Apple products, including iOS, iPadOS, macOS Monterey, and macOS Big Sur. This vulnerability could potentially be exploited by a cyber threat actor, allowing them to gain control of affected devices. The issue is that this security flaw poses a risk to the security and privacy of users, and it needs to be addressed promptly by installing the provided updates to fix the vulnerability.

Implication:
If the security vulnerability is not addressed there could be several potential risks. One risk is a security breach hackers could exploit the vulnerability to gain unauthorized access to your device. This could lead to identity theft, surveillance, or unauthorized control of your device. This could also lead to data exposure meaning your personal and sensitive information could be compromised. Attackers can also use this vulnerability to inject malware and ransomware onto your device causing major financial loss, data loss, or disruption of normal device functionality.

Need:
We encourage users and administrators to review the following advisories and apply the necessary updates.

Additional Resources:

iOS 15.7.9 and iPadOS 15.7.9
https://support.apple.com/en-us/HT213913

macOS Monterey 12.6.9
https://support.apple.com/en-us/HT213914

macOS Big Sur 11.7.10
https://support.apple.com/en-us/HT213915
NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats

Situation:
NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats

Problem:
Threats from synthetic media, such as deepfakes, have exponentially increased—presenting a growing challenge for users of modern technology and communications

Implication:
Public concern around synthetic media includes disinformation operations, designed to influence the public and spread false information about political, social, military, or economic issues to cause confusion, unrest, and uncertainty. This also includes executive impersonation for brand manipulation, impersonation for financial gain and impersonation to gain access.

Need:
Select and implement technologies to detect deepfakes and demonstrate media provenance such as real-time verification capabilities and procedures. Also, protect public data of high-priority individuals. This would include the use of active authentication techniques such as watermarks and/or CAI standards.

Additional Resources:

NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats:
https://www.cisa.gov/news-events/alerts/2023/09/12/nsa-fbi-and-cisa-release-cybersecurity-information-sheet-deepfake-threats

Contextualizing Deepfake Threats to Organizations:
https://media.defense.gov/2023/Sep/12/2003298925/-1/-1/0/CSI-DEEPFAKE-THREATS.PDF
Cisco warns of VPN Zero-Day Exploited by Ransomware Gangs

Situation:
Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) that is actively exploited by ransomware operations to gain initial access to corporate networks. This allows attackers to use brute force techniques against existing accounts. By accessing those accounts, the attackers can establish a clientless SSL VPN session in the breached organization’s network, which can have varying repercussions depending on the victim’s network configuration.

Problem:
The problem is that some Cisco network devices have a vulnerability that allows hackers to use brute force techniques with no limitations, meaning the attacker can use countless username and password combinations without being rate-limited or blocked for abuse.

Implication:
If the problem isn’t addressed, the hackers can continue to exploit this vulnerability which could lead to; unauthorized access, data theft and ransomware attacks.

Need:
Cisco will release a security update to address CVE-2023-20269, but until fixes are made available, system administrators are recommended to take the following actions:

Use DAP (Dynamic Access Policies) to stop VPN tunnels with DefaultADMINGroup or DefaultL2LGroup.
Deny access with Default Group Policy by adjusting vpn-simultaneous-logins for DfltGrpPolicy to zero, and ensuring that all VPN session profiles point to a custom policy.
Implement LOCAL user database restrictions by locking specific users to a single profile with the ‘group-lock’ option, and prevent VPN setups by setting ‘vpn-simultaneous-logins’ to zero.
Cisco also recommends securing Default Remote Access VPN profiles by pointing all non-default profiles to a sinkhole AAA server (dummy LDAP server) and enabling logging to catch potential attack incidents early.

Finally, it is crucial to note that multi-factor authentication (MFA) mitigates the risk, as even successfully brute-forcing account credentials wouldn’t be enough to hijack MFA-secured accounts and use them to establish VPN connections.

Additional Resources:

Interim Security Bulletin
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC#fs

Hacking campaign bruteforces Cisco VPNs to breach networks
https://www.bleepingcomputer.com/news/security/hacking-campaign-bruteforces-cisco-vpns-to-breach-networks/

CVE-2023-20269
https://nvd.nist.gov/vuln/detail/CVE-2023-20269

 

Get started today!

We're here to help. Talk to us to learn more about how we can help your organization achieve digital resilience with solutions custom-built to meet the needs of your business.

DataEndure
590 Laurelwood Drive
Santa Clara, CA 95054
800.969.4268

DataEndure © 2023. All Rights Reserved.  Privacy Policy