Please see Security Advisories for the week ending April 1, 2022
- Apple Releases Security Updates
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog
- CISA Releases Security Advisories for Rockwell Automation Products
- Spring Releases Security Updates Addressing “Spring4Shell” and Spring Cloud Function Vulnerabilities
- Palo Alto Networks Security Advisory – March 30, 2022
- FBI Releases PIN on Phishing Campaign against U.S. Election Officials
- Google Releases Security Updates for Chrome
_______________________________
Apple Releases Security Updates
Situation
Apple has released security updates (macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1) to address vulnerabilities found in macOS, iOS and iPadOS.
Problem
The patched vulnerabilities are CVE-2022-22674, an out-of-bounds read in the Intel Graphics Driver that can disclose kernel memory, and CVE-2022-22675, an out-of-bounds write in AppleAVD that can lead to arbitrary code execution with kernel privileges. Apple reports that both may have been actively exploited in the wild.
Implication
An attacker could exploit one of these vulnerabilities to take control of an affected device.
Need
CISA encourages users and administrators to review the Apple security updates page and apply the necessary updates.
Link to CISA Bulletin:
https://www.cisa.gov/uscert/ncas/current-activity/2022/04/01/apple-releases-security-updates-0
For a more technical overview:
https://support.apple.com/en-us/HT201222
________________________________
CISA Adds Eight Known Exploited Vulnerabilities to Catalog
Situation
CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Problem
These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
Implication
Attackers are already exploiting these vulnerabilities to compromise systems and exfiltrate information.
Need
CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.
Federal Civilian Executive Branch (FCEB) agencies are required to remediate vulnerabilities listed in the Known Exploited Vulnerabilities Catalog by the due date assigned to each entry.
Note: required under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
For more technical details:
Known Exploited Vulnerabilities Catalogue:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Note: to view the newly added vulnerabilities in the catalog, click the arrow at the top of the “Date Added to Catalog” column, which sorts the entries by descending date.
Binding Operational Directive (BOD) 22-01:
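The sort-by-date step above is the manual version of a check most teams script. Below is an added example (not CISA tooling) that reads the catalog in the JSON form CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, lists what was added in the last week, and lists entries whose BOD 22-01 due date has arrived. The feed is not fetched; the sample records are constructed in the feed's schema using the CVE IDs named in this digest, and their dateAdded/dueDate values are placeholders, not the catalog's real entries.

```python
"""Weekly triage against the CISA Known Exploited Vulnerabilities (KEV) feed."""
import json
from datetime import date, timedelta

# CISA publishes the catalog as JSON here; this example does not fetch it.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")


def _rec(cve, vendor, product, added, due):
    """One record in the feed's schema (constructed sample, placeholder text)."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": "placeholder", "dateAdded": added,
            "shortDescription": "placeholder",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": due, "notes": ""}


# Constructed sample feed. CVE IDs are the ones named in this digest; the
# dates are placeholders, not the catalog's actual dateAdded/dueDate values.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.04.04",
    "dateReleased": "2022-04-04T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        _rec("CVE-2022-1096", "Google", "Chromium V8", "2022-03-28", "2022-04-18"),
        _rec("CVE-2022-22674", "Apple", "macOS", "2022-04-04", "2022-04-25"),
        _rec("CVE-2022-22675", "Apple", "Multiple Products", "2022-04-04", "2022-04-25"),
        _rec("CVE-2022-22965", "VMware", "Spring Framework", "2022-04-04", "2022-04-25"),
    ],
})


def load_catalog(feed_text):
    """Parse the feed; convert the two date fields to date objects."""
    vulns = []
    for v in json.loads(feed_text)["vulnerabilities"]:
        rec = dict(v)
        rec["dateAdded"] = date.fromisoformat(v["dateAdded"])
        rec["dueDate"] = date.fromisoformat(v["dueDate"])
        vulns.append(rec)
    return vulns


def added_since(vulns, since):
    """Entries added on or after `since`, newest first (the descending
    'Date Added to Catalog' sort the note above describes)."""
    hits = [v for v in vulns if v["dateAdded"] >= since]
    return sorted(hits, key=lambda v: (v["dateAdded"], v["cveID"]), reverse=True)


def due_by(vulns, today):
    """Entries whose BOD 22-01 due date has arrived. FCEB agencies must have
    remediated these already; everyone else should treat them as urgent."""
    hits = [v for v in vulns if v["dueDate"] <= today]
    return sorted(hits, key=lambda v: v["dueDate"])


def triage(feed_text, today_iso, lookback_days=7):
    """Weekly view: what was added in the last `lookback_days`, what is due now."""
    vulns = load_catalog(feed_text)
    today = date.fromisoformat(today_iso)
    since = today - timedelta(days=lookback_days)
    return {
        "added_this_week": [v["cveID"] for v in added_since(vulns, since)],
        "due_now": [v["cveID"] for v in due_by(vulns, today)],
    }


if __name__ == "__main__":
    for key, ids in triage(SAMPLE_FEED, "2022-04-08").items():
        print(f"{key}: {', '.join(ids) or 'none'}")
```

To run it against the live catalog, download the feed URL to a file and pass its contents to `triage()` in place of `SAMPLE_FEED`; the field names above are the ones the published feed uses.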
________________________________
CISA Releases Security Advisories for Rockwell Automation Products
Situation
CISA has released two Industrial Control Systems Advisories (ICSAs) for Rockwell Automation products.
Problem
Vulnerabilities have been discovered in Rockwell Automation Logix Controllers and Studio 5000 Logix Designer.
Implication
An attacker could exploit these vulnerabilities to inject code on an affected system.
Need
CISA encourages users and administrators to review ICSA-22-090-05: Rockwell Automation Logix Controllers and ICSA-22-090-07: Rockwell Automation Studio 5000 Logix Designer for more information, and to apply the necessary mitigations and detection methods.
Link to CISA Bulletin:
https://content.govdelivery.com/accounts/USDHSCISA/bulletins/3115790
ICSA-22-090-05: Rockwell Automation Logix Controllers:
https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-05
ICSA-22-090-07: Rockwell Automation Studio 5000 Logix Designer:
https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07
________________________________
Spring Releases Security Updates Addressing “Spring4Shell” and Spring Cloud Function Vulnerabilities
Situation
Spring by VMware has released Spring Cloud Function versions 3.1.7 and 3.2.3 to address remote code execution (RCE) vulnerability CVE-2022-22963, and Spring Framework versions 5.3.18 and 5.2.20 (picked up by Spring Boot 2.6.6 and 2.5.12) to address RCE vulnerability CVE-2022-22965, dubbed “Spring4Shell”. These are two distinct issues: CVE-2022-22963 is a SpEL expression injection in Spring Cloud Function's routing functionality; CVE-2022-22965 is the Spring Framework data-binding flaw described below.
Problem
Spring4Shell (CVE-2022-22965) bypasses the fix for CVE-2010-1622. In that 2010 flaw, Spring's data binder mapped request parameter names such as class.classLoader.* onto a bound object's Class and then its ClassLoader; the fix blocked that property path. Java Development Kit (JDK) 9 introduced java.lang.Module, reachable from Class via getModule(), and Module exposes getClassLoader(), so on JDK 9 and later the path class.module.classLoader reaches the same ClassLoader through a route the old check did not cover. In the exploitation scenario reported so far, the application runs on JDK 9+, uses Spring MVC or Spring WebFlux, is deployed as a WAR on Apache Tomcat, and binds request parameters to a plain Java object; Spring notes the underlying problem is more general and other configurations may also be exploitable.
Implication
A remote attacker could exploit these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to immediately apply the updates described in the Spring blog posts covering the Spring Cloud Function fix for CVE-2022-22963 and the Spring Framework fix for CVE-2022-22965. Where upgrading is not immediately possible, the Spring Framework post also documents a workaround: a @ControllerAdvice with an @InitBinder method that calls setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*"). CISA also recommends reviewing the VMware Tanzu vulnerability report CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+.
For a brief overview:
https://www.cisa.gov/uscert/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and
Spring Blog posts:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
VMware Tanzu post:
https://tanzu.vmware.com/security/cve-2022-22965
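Whether a request is trying the class.module.classLoader route is something a web proxy, WAF or log pipeline can check directly. Below is an added example (not Spring's code, and not the workaround quoted above, though it applies the same rule) that screens parameter names from a query string or urlencoded body: it decodes the name, splits it into property-path segments the way Spring's binder would, and flags any path that descends through a `class` segment, which covers the 2010 path, the JDK 9+ path, capitalised and nested variants, and percent-encoded dots. The sample requests are constructed for this example, not captured traffic; the property names after classLoader are illustrative only.

```python
"""Screen request parameters for Spring data-binder property paths that reach
the ClassLoader (CVE-2010-1622 via class.classLoader, CVE-2022-22965 via
class.module.classLoader on JDK 9+)."""
import re
from urllib.parse import parse_qsl, unquote

# Property-path separators Spring's BeanWrapper understands: dots for nested
# properties, brackets (optionally quoted) for indexed/map access.
_SEGMENT_SPLIT = re.compile(r"""[.\[\]'"]+""")


def normalize(name):
    """Undo up to two rounds of percent-encoding, so `class%2Emodule` and
    `class%252Emodule` both become `class.module`."""
    for _ in range(2):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name


def property_segments(name):
    """Split a (decoded) parameter name into its property-path segments."""
    return [s for s in _SEGMENT_SPLIT.split(normalize(name)) if s]


def is_class_traversal(name):
    """True when the path descends through a `class` property, i.e. the binder
    would call getClass() and keep navigating. This is the rule behind Spring's
    workaround patterns "class.*", "Class.*", "*.class.*", "*.Class.*": a
    segment named `class` (any case) followed by at least one more segment."""
    segs = property_segments(name)
    return any(s.lower() == "class" for s in segs[:-1])


def suspicious_params(query_string):
    """Offending parameter names in a raw query string or urlencoded body."""
    return [k for k, _ in parse_qsl(query_string, keep_blank_values=True)
            if is_class_traversal(k)]


# Constructed sample requests (not captured traffic). The segments after
# classLoader are illustrative; the rule keys only on the `class` segment.
SAMPLE_REQUESTS = [
    "name=alice&age=31&className=Student",                  # benign: className is not class
    "class.module.classLoader.DefaultAssertionStatus=true", # JDK 9+ path (CVE-2022-22965)
    "class.classLoader.URLs%5B0%5D=http%3A%2F%2Fx",         # 2010 path, bracket index
    "Class.module.classLoader.x=1",                         # capitalised first segment
    "student.class.module.classLoader.x=1",                 # nested bean: *.class.*
    "class%252Emodule%252EclassLoader.x=1",                 # double-encoded dots
    "payload.classroom.size=30",                            # benign: classroom is not class
]


def scan(requests):
    """Map each flagged request to the parameter names that triggered it."""
    report = {}
    for r in requests:
        hits = suspicious_params(r)
        if hits:
            report[r] = hits
    return report


if __name__ == "__main__":
    for req, hits in scan(SAMPLE_REQUESTS).items():
        print(f"FLAG {req!r}: {hits}")
```

The check deliberately matches the segment `class` exactly rather than the substring, so ordinary field names such as `className` or `classroom` are not flagged, while a parameter named just `class` with nothing after it is ignored because the binder has nothing to navigate into.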
________________________________
Palo Alto Networks Security Advisory – March 30, 2022
Situation
Palo Alto Networks has published one new security advisory addressing the impact of OpenSSL vulnerability CVE-2022-0778 on PAN-OS, the GlobalProtect app and the Cortex XDR agent.
Problem
CVE-2022-0778 is a vulnerability in the OpenSSL library, not one specific to Palo Alto Networks: the BN_mod_sqrt() function, which computes a modular square root, loops forever when it is given a non-prime modulus. Certificate parsing reaches that function when it decompresses an elliptic-curve public key point, using the field modulus from explicit curve parameters carried in the certificate, so a crafted certificate with invalid explicit curve parameters hangs the parser. The certificate does not need to be valid or chain to a trusted CA: parsing happens before signature verification, so the loop is triggered before verification completes.
Implication
An attacker who can get such a certificate parsed (for example a TLS client presenting it to a server that requests client certificates, or a server presenting it to a connecting client) can cause a denial of service on an affected Palo Alto Networks product: the process handling the certificate spins in the loop and stops responding.
Need
Palo Alto Networks encourages users and administrators to review the advisory and follow the recommended guidelines.
Palo Alto Networks advisory, CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability:
https://security.paloaltonetworks.com/CVE-2022-0778
Full list of Palo Alto Networks security advisories:
https://security.paloaltonetworks.com/
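The "infinite loop on an invalid certificate" above comes down to one loop bound in a square-root routine, and it is easier to see with small numbers than in OpenSSL's BIGNUM code. Below is an added illustration (not OpenSSL's code) of the Tonelli-Shanks algorithm that BN_mod_sqrt() implements, with the inner search for the smallest i such that b^(2^i) = 1 written two ways: modelled on the pre-fix logic, whose only exit test is the equality i == e, and on the bounded test the fixed releases (OpenSSL 1.1.1n and 3.0.2) use. The pre-fix path is capped at a step count so the demonstration reports the hang instead of hanging. The moduli and inputs are chosen for this example: 41 is prime, 65 = 5 x 13 is the kind of composite a crafted certificate can supply as its field prime.

```python
"""CVE-2022-0778 illustrated: Tonelli-Shanks square root with a composite modulus.
Added example, not OpenSSL's code. Structure follows BN_mod_sqrt(): write
p - 1 = q * 2^e, pick a non-residue y, then loop; the inner search is written
once with the pre-fix exit test (i == e) and once with the fixed bound (i < e)."""


class NotASquare(ValueError):
    """a is not a square mod p (or p is not prime)."""


class NotPrime(ValueError):
    """p was caught not being prime during the non-residue search."""


class WouldLoopForever(RuntimeError):
    """Raised by the capped pre-fix path in place of spinning forever."""


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def find_non_residue(p, max_tries=82):
    """Smallest y >= 2 with (y/p) == -1. Like OpenSSL, give up after a bounded
    number of tries and treat a shared factor as proof that p is not prime."""
    for y in range(2, 2 + max_tries):
        r = jacobi(y, p)
        if r == 0:
            raise NotPrime(f"{y} divides {p}")
        if r == -1:
            return y
    raise NotPrime("too many iterations searching for a non-residue")


def smallest_i_fixed(b, e, p):
    """Bounded search: if no i < e works, a is not a square or p is not prime."""
    t = b
    for i in range(1, e):
        t = t * t % p
        if t == 1:
            return i
    raise NotASquare("no i < e with b^(2^i) == 1")


def smallest_i_prefix(b, e, p, step_cap):
    """Pre-fix search: the only exit is `i == e`. Once e has shrunk to 1, i
    starts at 1 and steps past e on the first iteration, never to match."""
    i, t, steps = 1, b * b % p, 0
    while t != 1:
        i += 1
        if i == e:
            raise NotASquare("no i < e with b^(2^i) == 1")
        t = t * t % p
        steps += 1
        if steps > step_cap:
            raise WouldLoopForever(f"i={i} already past e={e} after {steps} steps")
    return i


def mod_sqrt(a, p, fixed=True, step_cap=1000):
    """Square root of a modulo p for odd p (assumed, not checked, to be prime)."""
    if p < 3 or p % 2 == 0:
        raise ValueError("p must be an odd integer >= 3")
    a %= p
    if a == 0:
        return 0
    e, q = 0, p - 1
    while q % 2 == 0:                    # p - 1 = q * 2^e with q odd
        q //= 2
        e += 1
    y = pow(find_non_residue(p), q, p)   # has order 2^e when p is prime
    x = pow(a, (q - 1) // 2, p)
    b = a * x * x % p                    # a^q
    x = a * x % p                        # a^((q+1)/2)
    while b != 1:
        i = smallest_i_fixed(b, e, p) if fixed else smallest_i_prefix(b, e, p, step_cap)
        t = y
        for _ in range(e - i - 1):
            t = t * t % p                # t = y^(2^(e-i-1))
        x = x * t % p
        y = t * t % p
        b = b * y % p
        e = i
    if x * x % p != a:                   # OpenSSL's final verification step
        raise NotASquare("result does not square back to a")
    return x


def outcome(a, p, fixed):
    """Run one variant and summarise the result as a short tag for comparison."""
    try:
        return f"root={mod_sqrt(a, p, fixed=fixed)}"
    except (NotASquare, NotPrime, WouldLoopForever) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # 41 is prime: both variants agree. 65 = 5 * 13 is composite: 64 (= -1) is
    # even a genuine square mod 65 (8^2), yet the pre-fix search never ends.
    for a, p in ((2, 41), (3, 41), (64, 65)):
        print(f"a={a} p={p}: fixed -> {outcome(a, p, True):<12} pre-fix -> {outcome(a, p, False)}")
```

With modulus 65 the non-residue search succeeds (3 is a non-residue before any factor is tried), the first round reduces e to 1 while b is a non-trivial square root of 1, and the pre-fix inner search then increments i past e with no way back; the fixed variant rejects the same state immediately. A correct square root for composite moduli is not the goal of the fix, only guaranteed termination, which is why the fixed path also reports NotASquare for 64 mod 65 even though 8^2 = 64.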
________________________________
FBI Releases PIN on Phishing Campaign against U.S. Election Officials
Situation
The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) to warn U.S. election and other state and local government officials about invoice-themed phishing emails that could be used to harvest officials’ login credentials.
Problem
The FBI has observed this invoice-themed phishing activity against U.S. election officials since October 2021.
Implication
Harvested credentials could give threat actors access to victims' systems, potentially without being detected.
Need
The FBI recommends training employees to recognize phishing attempts and deploying spam filters to keep phishing emails from reaching users.
For a brief overview:
https://www.ic3.gov/Media/News/2022/220329.pdf
________________________________
Google Releases Security Updates for Chrome
Situation
Google has released Chrome version 99.0.4844.84 for Windows, Mac, and Linux.
Problem
Google is aware that an exploit for CVE-2022-1096, a type confusion vulnerability in the V8 JavaScript engine, exists in the wild.
Implication
An attacker could exploit the vulnerability to take control of an affected system.
Need
CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.
Google Releases Security Updates for Chrome:
https://www.cisa.gov/uscert/ncas/current-activity/2022/03/28/google-releases-security-updates-chrome
For a more technical overview:
https://chromereleases.googleblog.com/search/label/Stable%20updates