Please see Security Advisories for the week ending December 11, 2020
- Active Exploitation of SolarWinds Software Observed in the Wild
- Cisco Releases Security Updates for Jabber Desktop and Mobile Client Software
- Adobe Releases Security Updates for Multiple Products
- Palo Alto Networks has published 3 new Security Advisories
- CERT/CC Releases Information on Vulnerabilities Affecting Open-Source TCP/IP Stacks
- OpenSSL Releases Security Update
- Microsoft Releases December 2020 Security Updates
- SAP Releases December 2020 Security Updates
- Cisco Releases Security Advisory for Vulnerability in AnyConnect Software
- NSA Releases Security Advisory on Russian State-Sponsored Actors Actively Exploiting VMware's Vulnerability
________________________________
Active Exploitation of SolarWinds Software Observed in the Wild
Situation
SolarWinds has found highly sophisticated, manually executed exploitation of versions 2019.4 through 2020.2.1. The attack is extremely targeted, is carried out by hand, and is likely the work of a nation state.
Problem
Attackers are performing a supply chain attack, distributing malware called SUNBURST through updates to SolarWinds software.
Implication
The malware is highly sophisticated and can transfer and execute files, profile systems, reboot machines, and disable security services. It can also obfuscate itself to avoid detection.
Need
SolarWinds recommends updating to the latest version:
https://www.solarwinds.com/securityadvisory
For a more technical overview from FireEye: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
________________________________
Cisco Releases Security Updates for Jabber Desktop and Mobile Client Software
Situation
Cisco has discovered several vulnerabilities in Jabber for Windows, Jabber for macOS, and Jabber for mobile platforms.
Problem
The vulnerabilities in Cisco Jabber for Windows, Jabber for macOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, gain access to sensitive information, and take control of an affected system.
Implication
Failure to patch could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
Cisco advises patching the software to the most recent security update.
For a brief overview:
For a more technical overview:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ZktzjpgO
________________________________
Adobe Releases Security Updates for Multiple Products
Situation
Adobe has released security updates for Adobe Acrobat, Reader, Lightroom, Experience Manager (AEM), and Prelude to address multiple important and critical vulnerabilities.
Problem
The vulnerabilities could allow an attacker to execute arbitrary code, obtain sensitive information, or execute arbitrary JavaScript in the browser.
Implication
If an attacker is able to successfully exploit some of these vulnerabilities, it could allow them to take control of the affected system or obtain sensitive information.
Need
Adobe recommends updating all affected products to the latest version. Additional information for each respective product can be found in the links below.
Adobe Acrobat and Reader:
https://helpx.adobe.com/security/products/acrobat/apsb20-75.html
Adobe Lightroom:
https://helpx.adobe.com/security/products/lightroom/apsb20-74.html
Adobe Experience Manager (AEM):
https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html
Adobe Prelude:
https://helpx.adobe.com/security/products/prelude/apsb20-70.html
________________________________
Palo Alto Networks has published 3 new Security Advisories
Situation
Palo Alto Networks has published 3 new advisories that address 3 different CVEs in the Cortex XDR Agent.
Problem
The vulnerabilities range from local privilege escalation in the Cortex XDR Agent to improper handling of exceptional conditions in the Cortex XDR Agent.
Implication
With CVE-2020-2049, a local attacker can execute programs with system-level privileges on the affected host; with CVE-2020-2020, a local attacker can prevent the Cortex XDR Agent from starting.
Need
If you are running the Cortex XDR Agent, please update to the latest available version. For more information on affected versions, see the advisories below:
CVE-2020-2049: https://security.paloaltonetworks.com/CVE-2020-2049
CVE-2020-2020: https://security.paloaltonetworks.com/CVE-2020-2020
PAN-SA-2020-0011: https://security.paloaltonetworks.com/PAN-SA-2020-0011
________________________________
CERT/CC Releases Information on Vulnerabilities Affecting Open-Source TCP/IP Stacks
Situation
CERT/CC has released information on 33 vulnerabilities (AMNESIA:33) that affect multiple open-source TCP/IP stacks commonly used in IoT devices.
Problem
Issues with memory management have been found in multiple embedded TCP/IP stacks.
Implication
A remote, unauthenticated attacker can craft malicious packets to cause denial of service, information disclosure, or arbitrary code execution.
Need
If you are using IoT devices, update to the latest version of the affected embedded TCP/IP software.
For a more technical overview:
https://www.kb.cert.org/vuls/id/815128
________________________________
OpenSSL Releases Security Update
Situation
OpenSSL has released a security update for a vulnerability that affects all versions of 1.0.2 and all versions of 1.1.1 released before 1.1.1i.
Problem
A vulnerability was found in the function that compares different instances of X.509 GeneralName. An attacker who controls both items being compared (for example a malicious certificate and a malicious CRL) can trigger a crash.
Implication
Attackers exploiting this vulnerability can trigger a crash.
Need
OpenSSL 1.1.1 users should upgrade to 1.1.1i.
OpenSSL 1.0.2 is out of support and receives no updates unless you are a premium support customer.
For a more technical overview:
https://www.openssl.org/news/secadv/20201208.txt
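To turn the affected-version statement above into a fleet triage check, here is an added example (not code from OpenSSL or from the original advisory). It parses the banner printed by `openssl version` into a comparable tuple and classifies each host against the page's rule: every 1.0.2 build is affected, and 1.1.1 builds before 1.1.1i are affected. The host names and banners are constructed sample data.

```python
import re
from typing import Optional

# Matches the leading token of `openssl version` output, e.g. "OpenSSL 1.1.1h  22 Sep 2020".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# First 1.1.1 release carrying the fix, per the advisory.
FIXED_111 = (1, 1, 1, "i")

# Constructed sample output of `openssl version` from three hypothetical hosts.
SAMPLE_BANNERS = [
    ("web-01", "OpenSSL 1.1.1h  22 Sep 2020"),
    ("db-01", "OpenSSL 1.0.2u  20 Dec 2019"),
    ("bastion", "OpenSSL 1.1.1i  8 Dec 2020"),
]


def parse_openssl_version(banner: str) -> Optional[tuple]:
    """Turn a version banner into (major, minor, patch, letter) so tuples compare in release order.

    The letter suffix compares as a plain string, so "" (the base release) sorts before "a",
    and "h" sorts before "i", which is exactly the order OpenSSL 1.x point releases use.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def assess(banner: str) -> dict:
    """Classify one host's OpenSSL build against the advisory's affected-version rule."""
    v = parse_openssl_version(banner)
    if v is None:
        return {"version": None, "affected": None, "action": "could not parse banner"}
    major, minor, patch, letter = v
    label = f"{major}.{minor}.{patch}{letter}"
    if (major, minor, patch) == (1, 1, 1):
        if v < FIXED_111:
            return {"version": label, "affected": True, "action": "upgrade to 1.1.1i"}
        return {"version": label, "affected": False, "action": "none"}
    if (major, minor, patch) == (1, 0, 2):
        return {"version": label, "affected": True,
                "action": "1.0.2 is out of public support: premium support fix or migrate to 1.1.1i"}
    # Anything else is outside the scope of this advisory; do not guess.
    return {"version": label, "affected": None, "action": "not covered by this advisory"}


def triage(hosts) -> dict:
    """Run assess() over (hostname, banner) pairs and return a per-host report."""
    return {host: assess(banner) for host, banner in hosts}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_BANNERS).items():
        print(f"{host:10} {result['version']!s:10} affected={result['affected']} -> {result['action']}")
```

In practice the banners come from your inventory tool or from running `openssl version` over SSH; the classifier deliberately returns `affected=None` rather than a verdict for builds the advisory does not mention, so unexpected versions surface for manual review instead of being silently marked safe.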
________________________________
Microsoft Releases December 2020 Security Updates
Situation
Microsoft has released its monthly security updates for December 2020. These updates address vulnerabilities in the following Microsoft software:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge for Android
- ChakraCore
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Exchange Server
- Azure DevOps
- Microsoft Dynamics
- Visual Studio
- Azure SDK
- Azure Sphere
Problem
Microsoft has released patches for 58 vulnerabilities; nine are rated Critical, 48 Important, and two Moderate in severity, and 22 of them are remote code execution vulnerabilities.
Implication
If an attacker is able to successfully exploit some of these vulnerabilities it could allow them to take control of the affected system.
Need
Microsoft recommends updating all affected Microsoft software as soon as possible to protect against these vulnerabilities. Additional information can be found in the link below.
Microsoft December 2020 release notes:
https://msrc.microsoft.com/update-guide/releaseNote/2020-Dec
________________________________
SAP Releases December 2020 Security Updates
Situation
SAP has released security updates to address various vulnerabilities affecting multiple products.
Problem
SAP has patched multiple vulnerabilities with CVSS scores ranging from 3.4 to 10. These vulnerabilities include code injection, cross-site scripting (XSS), missing authentication checks, and more.
Implication
If an attacker is able to successfully exploit these vulnerabilities it could allow them to take control of the affected system.
Need
It is recommended to patch all SAP products as soon as possible. For additional information visit the SAP security patch notes in the link below.
For a more technical overview:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
________________________________
Cisco Releases Security Advisory for Vulnerability in AnyConnect Software
Situation
Cisco has released a security advisory for Cisco AnyConnect Secure Mobility Client (Windows, macOS, Linux). This vulnerability affects all versions and there is no current update to address it.
Problem
Cisco AnyConnect Secure Mobility Client contains a vulnerability (CVE-2020-3556) that allows a local attacker to perform arbitrary code execution.
Implication
Exploitation requires valid credentials on a system where the AnyConnect client is running, the ability to log in to that system and establish a connection, and the ability to execute code on it. An attacker who meets these prerequisites can run malicious scripts.
Need
Cisco recommends upgrading to the latest release and editing the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and to ensure that BypassDownloader is set to false.
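As an added example (not Cisco's code or part of the original advisory), the following script audits an AnyConnectLocalPolicy.xml file for the two settings named above and emits a hardened copy. The element names RestrictScriptWebDeploy and BypassDownloader come from the advisory; the sample document's overall layout and namespace are assumptions for this example, and the namespace handling is generic so the functions work whether or not the real file declares one.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified AnyConnectLocalPolicy.xml with the weak settings in place.
# The root element, namespace and attribute are assumptions for this example; the two
# child element names are the ones the advisory says to set.
SAMPLE_POLICY = """<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.9">
  <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
  <BypassDownloader>true</BypassDownloader>
</AnyConnectLocalPolicy>
"""

# Values the advisory asks for: block web-deployed scripts, never bypass the downloader checks.
REQUIRED = {"RestrictScriptWebDeploy": "true", "BypassDownloader": "false"}


def _local_name(tag: str) -> str:
    """Strip an ElementTree '{uri}' prefix so element names compare by local name only."""
    return tag.rsplit("}", 1)[-1]


def _namespace(root: ET.Element) -> str:
    """Return the '{uri}' prefix of the root element, or '' when no namespace is declared."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def audit_policy(xml_text: str) -> dict:
    """Report, per required setting, the expected value, the value found, and whether it passes.

    A missing element reports actual=None and fails, because the client's default for an
    absent setting is not something this check should assume.
    """
    root = ET.fromstring(xml_text)
    actual = {_local_name(child.tag): (child.text or "").strip().lower() for child in root}
    return {
        name: {"expected": want, "actual": actual.get(name), "ok": actual.get(name) == want}
        for name, want in REQUIRED.items()
    }


def harden_policy(xml_text: str) -> str:
    """Return a copy of the policy with each required setting forced to its expected value.

    Existing elements are edited in place; missing ones are appended under the root so the
    resulting file passes audit_policy() regardless of the starting state.
    """
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    if ns:
        # Keep the default namespace unprefixed in the output instead of an ns0: prefix.
        ET.register_namespace("", ns[1:-1])
    present = {_local_name(child.tag): child for child in root}
    for name, want in REQUIRED.items():
        element = present.get(name)
        if element is None:
            element = ET.SubElement(root, ns + name)
        element.text = want
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, finding in audit_policy(SAMPLE_POLICY).items():
        print(f"{name}: expected={finding['expected']} actual={finding['actual']} ok={finding['ok']}")
    print(harden_policy(SAMPLE_POLICY))
```

Run the audit across exported policy files from endpoints to find machines still permitting web-deployed scripts; only write the hardened output back through whatever mechanism you already use to manage that file, since the client reads it from its installation directory on each platform.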
For a more technical overview:
________________________________
NSA Releases Security Advisory on Russian State-Sponsored Actors Actively Exploiting VMware's Vulnerability
Situation
The National Security Agency (NSA) has released a Cybersecurity Advisory on Russian state-sponsored actors actively exploiting the recently patched VMware CVE-2020-4006 vulnerability.
Problem
Malicious Russian state-sponsored actors are exploiting the command-injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. Exploiting the vulnerability requires authenticated password-based access to the web-based management interface of the device; Russian state-sponsored actors have been observed gaining that access through the use of compromised credentials.
Implication
If an attacker is able to successfully exploit this vulnerability it can allow them to access protected data on the affected systems.
Need
Update affected VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector to the latest version as soon as possible.
VMware update instruction:
https://kb.vmware.com/s/article/81754
For a more technical overview:
https://media.defense.gov/2020/Dec/07/2002547071/-1/-1/0/CSA_VMWARE%20ACCESS_U_OO_195076_20.PDF