Security Advisories for the week ending September 10, 2021
- Microsoft Releases Mitigations and Workarounds for Ongoing Office 365 Zero-Day Attacks
- Apple Releases Security Updates for iOS and iPadOS
- WordPress Releases Security Update
- Cisco Releases Security Updates for Multiple Products
- Citrix Releases Security Updates for Hypervisor
- Zoho Releases Security Update for ADSelfService Plus
- Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
_______________________________
Microsoft Releases Mitigations and Workarounds for Ongoing Office 365 Zero-Day Attacks
Situation
Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in MSHTML (Trident), the browser rendering engine of Internet Explorer.
Problem
The vulnerability lies in MSHTML, the browser rendering engine that Microsoft Office documents also use. An attacker can exploit it with a specially crafted Microsoft Office document that loads a malicious ActiveX control. Microsoft is aware of targeted attacks that exploit this vulnerability in the wild.
This security issue affects Windows Server 2008 through 2019 and Windows 8.1 through 10, and has a CVSS base score of 8.8 out of a maximum of 10.
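Added example (not from Microsoft's advisory or from the page above): a PowerShell triage check for the document pattern public analyses of the in-the-wild CVE-2021-40444 samples described, an OLE object relationship in the document's .rels part with TargetMode="External" whose Target uses the mhtml: scheme to pull remote content that in turn loads the ActiveX control. The sample .docx is constructed inline (relationship part only, no payload) so the check runs offline. A hit is an indicator for further analysis, not proof of exploitation.

```powershell
# Added example, not Microsoft's tooling. Flags Office Open XML files whose relationship
# parts reference an external OLE object or any mhtml: target.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-SuspiciousOleRelationships {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Relationship parts live under */_rels/*.rels inside the package
            if ($entry.FullName -notlike '*_rels/*.rels') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$doc = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $doc.Relationships.Relationship) {
                $isOle      = $rel.Type -like '*/relationships/oleObject'
                $isExternal = $rel.TargetMode -eq 'External'
                $isMhtml    = $rel.Target -match '^\s*mhtml:'
                if (($isOle -and $isExternal) -or $isMhtml) {
                    $reason = if ($isMhtml) { 'mhtml: target' } else { 'external OLE object' }
                    $hits += [pscustomobject]@{
                        Part   = $entry.FullName
                        Id     = $rel.Id
                        Target = $rel.Target
                        Reason = $reason
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $hits
}

# Constructed sample (not a real exploit document): a minimal .docx that contains only a
# relationship part with one benign styles relationship and one external mhtml: OLE target.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'oleobject-pattern-sample.docx'
$rels = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html" TargetMode="External"/>
</Relationships>
'@
$stream  = [System.IO.File]::Open($sample, [System.IO.FileMode]::Create)
$archive = New-Object System.IO.Compression.ZipArchive($stream, [System.IO.Compression.ZipArchiveMode]::Create)
$writer  = New-Object System.IO.StreamWriter($archive.CreateEntry('word/_rels/document.xml.rels').Open())
$writer.Write($rels)
$writer.Dispose()
$archive.Dispose()
$stream.Dispose()

# Expected: one hit for rId2 (styles.xml is a normal internal relationship and is not flagged)
Get-SuspiciousOleRelationships -Path $sample | Format-Table -AutoSize
Remove-Item -Path $sample
```

To sweep a mail quarantine or file share, pipe `Get-ChildItem -Recurse -Include *.docx,*.docm,*.dotm,*.rtf` into the function; RTF is worth including because Office still resolves the same package for embedded OOXML objects, but note that a non-zip RTF will make `OpenRead` throw, so wrap the call in a try/catch when scanning mixed folders.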
Implication
Successful exploitation of this vulnerability can allow a remote attacker to take control of an affected device.
Need
No patch is available yet, so Office users should treat Office documents from sources they do not fully trust with extreme caution and not open them; users and administrators should also keep their antimalware products up to date. By default, Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack, so do not disable those protections. CISA encourages users and administrators to review Microsoft's advisory and implement the mitigations and workarounds. Microsoft's security advisory can be found at the link below.
Microsoft’s Security Advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
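Added example (not Microsoft's own script): Microsoft's advisory publishes the workaround as a .reg file that disables installation of all ActiveX controls in Internet Explorer by policy. The PowerShell below writes the same values, verifies them, and can roll them back. The key path, URL action codes 1001 and 1004, and the Disable value 3 are taken from that advisory; the function names are this example's own. Run from an elevated session and reboot afterwards so the policy takes effect.

```powershell
# Added example, not from Microsoft's advisory. Applies, verifies and reverts the
# CVE-2021-40444 ActiveX workaround. Caveat: this disables ALL ActiveX controls in
# Internet Explorer (and so in Office), including legitimate ones; test before rollout.

$ZonesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# URL actions: 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls
# Value 3 = Disable. Zones 0..3 = Local Machine, Local Intranet, Trusted Sites, Internet.
$UrlActions = @('1001', '1004')
$Zones      = 0..3

function Set-ActiveXWorkaround {
    foreach ($zone in $Zones) {
        $key = Join-Path -Path $ZonesKey -ChildPath $zone
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        foreach ($action in $UrlActions) {
            New-ItemProperty -Path $key -Name $action -PropertyType DWord -Value 3 -Force | Out-Null
        }
    }
}

function Test-ActiveXWorkaround {
    # Returns $true only when every zone has both URL actions set to 3 (Disable).
    foreach ($zone in $Zones) {
        $key = Join-Path -Path $ZonesKey -ChildPath $zone
        if (-not (Test-Path -Path $key)) { return $false }
        $props = Get-ItemProperty -Path $key
        foreach ($action in $UrlActions) {
            if ($props.$action -ne 3) { return $false }
        }
    }
    return $true
}

function Remove-ActiveXWorkaround {
    # Rollback: removes only the two values this script sets, leaving other policy values alone.
    foreach ($zone in $Zones) {
        $key = Join-Path -Path $ZonesKey -ChildPath $zone
        if (Test-Path -Path $key) {
            foreach ($action in $UrlActions) {
                Remove-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            }
        }
    }
}

Set-ActiveXWorkaround
if (Test-ActiveXWorkaround) {
    Write-Output 'ActiveX download policy set to Disable for zones 0-3; reboot to apply.'
} else {
    Write-Warning 'Workaround not fully applied; confirm the session is elevated and re-run.'
}
```

Test-ActiveXWorkaround is also usable on its own as a compliance check across a fleet (for example via a remoting session or a configuration-management run), and Remove-ActiveXWorkaround is the clean path back once the vendor patch has been deployed.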
________________________________
Apple Releases Security Updates for iOS and iPadOS
Situation
Apple has released security updates to address two vulnerabilities (CVE-2021-30860 and CVE-2021-30858) found in iOS and iPadOS. CISA is aware of public reporting that these vulnerabilities may have been exploited in the wild.
Problem
The two patched vulnerabilities are an integer overflow (CVE-2021-30860) in the CoreGraphics framework and a use-after-free (CVE-2021-30858) in WebKit. Apple fixed the CoreGraphics issue with improved input validation and the WebKit issue with improved memory management. Both have been reported as exploited in the wild.
Implication
An attacker can exploit the CoreGraphics vulnerability with a maliciously crafted PDF and the WebKit vulnerability with maliciously crafted web content. Both can lead to arbitrary code execution, allowing an attacker to take control of an affected device.
Need
Apple and CISA recommend that users and administrators update iOS and iPadOS to 14.8 or newer. Additional information can be found at the link below.
Apple security patch notes:
https://support.apple.com/en-us/HT212807
________________________________
WordPress Releases Security Update
Situation
WordPress versions 5.4 through 5.8 are affected by multiple vulnerabilities, which are fixed in WordPress 5.8.1.
Problem
The update addresses a data exposure vulnerability in the REST API and a cross-site scripting (XSS) vulnerability in the block editor, and it updates the bundled Lodash library to version 4.17.21 in each affected branch to incorporate upstream security fixes.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the WordPress Security and Maintenance Release and upgrade to WordPress 5.8.1.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/09/10/wordpress-releases-security-update
For a more technical overview:
https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
________________________________
Cisco Releases Security Updates for Multiple Products
Situation
Cisco has released security updates to address vulnerabilities in multiple Cisco products.
Problem
The updates address the following vulnerabilities:
- Cisco IOS XR Software for ASR 9000 Series Routers: a vulnerability in the Layer 2 punt code of Cisco IOS XR Software running on Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to cause the affected line card to reboot.
- Cisco IOS XR Software IP Service Level Agreements and Two-Way Active Measurement Protocol: a vulnerability in the IP Service Level Agreements (IP SLA) responder and Two-Way Active Measurement Protocol (TWAMP) features could allow an unauthenticated, remote attacker to exhaust device packet memory or crash the IP SLA process, resulting in a denial of service (DoS) condition.
- Cisco IOS XR Software Arbitrary File Read and Write Vulnerability: a vulnerability in the SSH Server process of Cisco IOS XR Software could allow an authenticated, remote attacker to read and overwrite arbitrary files on the local device.
- Cisco IOS XR Software Authenticated User Privilege Escalation Vulnerabilities: vulnerabilities in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker with a low-privileged account to elevate privileges on an affected device.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates.
For a brief overview:
For a more technical overview:
https://tools.cisco.com/security/center/publicationListing.x
________________________________
Citrix Releases Security Updates for Hypervisor
Situation
Citrix has released security updates to address vulnerabilities in Hypervisor.
Problem
Several security issues have been discovered in Citrix Hypervisor that, collectively, may allow privileged code in a guest VM to compromise or crash the host. All currently supported versions of Citrix Hypervisor are affected by all of these issues, with the exception of CVE-2021-28699, which affects only Citrix Hypervisor 8.2 LTSR. Citrix is notifying customers and channel partners about this potential security issue.
Implication
An attacker could exploit these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review Citrix Security Update CTX325319 and apply the necessary updates.
For a brief overview:
For a more technical overview:
https://support.citrix.com/article/CTX325319
________________________________
Zoho Releases Security Update for ADSelfService Plus
Situation
Zoho has released a security update for a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below.
Problem
ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud applications. An authentication bypass vulnerability affecting its REST API URLs has been detected; an unauthenticated attacker who sends a specially crafted request can achieve remote code execution.
Implication
A remote attacker could exploit this vulnerability to take control of an affected system.
Need
CISA encourages users and administrators to review the Zoho advisory for more information and to update to ADSelfService Plus build 6114. Additionally, CISA strongly urges organizations to ensure that ADSelfService Plus is not directly accessible from the internet.
For a brief overview:
For a more technical overview:
________________________________
Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
Situation
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird.
Problem
Among the issues fixed: Firefox for Android allowed navigations through the intent:// protocol, which could be used to cause crashes and UI spoofs; Firefox on Windows, when delegating navigations to the operating system, accepted the mk: scheme, which could be used to launch pages and execute scripts in Internet Explorer in unprivileged mode; and several memory-safety bugs showed evidence of memory corruption, which Mozilla presumes could, with enough effort, have been exploited to run arbitrary code.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the Mozilla security advisories for Firefox 92, Firefox ESR 78.14, and Thunderbird 78.14.
For a brief overview:
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-38/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-39/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-42/