Cisco has fixed three bugs in its Cisco Webex video conferencing offering that may allow attackers to:
- Join Webex meetings without appearing in the participant list (CVE-2020-3419)
- Covertly maintain an audio connection to a Webex meeting after being expelled from it (CVE-2020-3471)
- Gain access to information (name, email, IP address, device info) on meeting attendees without being admitted to the meeting (CVE-2020-3441)
About the Cisco Webex vulnerabilities
The three flaws were discovered by IBM researchers, after the company’s research department and the Office of the CISO decided to analyze their primary tool for remote meetings (i.e., Cisco Webex).
“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants,” the researchers shared.
“These flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name. These technical vulnerabilities could be further exploited with a combination of social engineering, open source intelligence (OSINT) and cognitive overloading techniques.”
The vulnerabilities can all be exploited by unauthenticated, remote attackers, either by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site or by browsing the Webex roster.
More details about the possible attacks are available in this blog post, though details about the flaws will be limited until more users are able to implement the provided updates/patches.
Patches and security updates
The bugs affect both Cisco Webex Meetings sites (cloud-based) and Cisco Webex Meetings Server (on-premises).
Cisco addressed them in Cisco Webex Meetings sites a few days ago and no user action is required.
Users of Cisco Webex Meetings Server are advised to upgrade to 3.0MR3 Security Patch 5 or 4.0MR3 Security Patch 4, which contain the needed fixes.
CVE-2020-3419 also affects all Cisco Webex Meetings app releases 40.10.9 and earlier for iOS and Android, so users are urged to install the provided updates.
Cisco has patched two vulnerabilities in its Cisco Security Manager solution, both of which could allow unauthenticated, remote attackers to gain access to sensitive information on an affected system.
Those are part of a batch of twelve vulnerabilities flagged in July 2020 by Florian Hauser, a security researcher and red teamer at Code White.
About the Cisco Security Manager vulnerabilities
Cisco Security Manager is a security management application that provides insight into and control of Cisco security and network devices deployed by enterprises – security appliances, intrusion prevention systems, firewalls, routers, switches, etc.
Cisco has fixed two vulnerabilities affecting Cisco Security Manager v4.21 and earlier, by pushing out v4.22:
- CVE-2020-27130, a critical path traversal vulnerability that could be exploited by sending a crafted request to the affected device and could result in the attacker downloading arbitrary files from it
- CVE-2020-27125, which could allow an attacker to view static credentials in the solution’s source code
Cisco has also simultaneously announced that it will fix multiple Java deserialization vulnerabilities (collectively designated as CVE-2020-27131) in the upcoming v4.23 of the Cisco Security Manager solution. Those could allow unauthenticated, remote attackers to execute arbitrary commands on an affected instance and could be triggered by sending a malicious serialized Java object to a specific listener on an affected system.
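The path traversal class described for CVE-2020-27130, where a crafted request makes a file-download handler hand back files from outside the directory it is meant to serve, is easiest to see as a vulnerable resolver next to a hardened one. The following is an added illustration written for this article; it is not Cisco's code and makes no claim about how Security Manager is implemented. The directory layout, file names and requested paths are constructed for the demonstration.

```python
import os
import tempfile


def unsafe_resolve(base_dir, requested):
    """Vulnerable pattern: join the request onto the base directory and trust the result.

    A request such as '../secret.txt' is joined verbatim, so the returned path can
    point anywhere on the filesystem the process can read.
    """
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir, requested):
    """Hardened pattern: canonicalise, then require the result to stay inside base_dir.

    realpath() resolves '..' segments and symlinks, so a link planted inside the
    served directory cannot be used to reach outside it either. An absolute request
    is deliberately treated as relative to base_dir rather than replacing it.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # commonpath() is the containment check: the only acceptable common prefix is base itself
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return candidate


def is_escape_attempt(base_dir, requested):
    """True when the hardened resolver rejects the request."""
    try:
        safe_resolve(base_dir, requested)
    except PermissionError:
        return True
    return False


def demo():
    """Constructed scenario: a served 'public' directory beside a file that must stay private."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "public")
    os.mkdir(base)
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("quarterly report\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("do not serve\n")
    # A symlink inside the served directory that points outside it
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))

    return {
        "normal": is_escape_attempt(base, "report.txt"),      # served
        "dotdot": is_escape_attempt(base, "../secret.txt"),   # rejected
        "symlink": is_escape_attempt(base, "link"),           # rejected
        # The vulnerable resolver happily yields the private file for the same request
        "unsafe_leaks": os.path.normpath(unsafe_resolve(base, "../secret.txt"))
        == os.path.join(root, "secret.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

The check worth remembering is the last line of `safe_resolve`: string prefix tests or stripping `../` from the request are not enough, because canonicalisation and the containment check must happen on the resolved path, after symlinks and `..` have been processed.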
The company’s Product Security Incident Response Team (PSIRT) has noted that public announcements about all these vulnerabilities are available, but that they are “not aware” of instances of actual malicious use in the wild.
The public announcement they are referring to is a post on Gist, a pastebin service operated by GitHub, through which Hauser shared PoCs for the flaws he discovered and flagged.
Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.
The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.
The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.
As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19 pandemic, with more than half implementing MFA.
Cloud adoption also accelerated
Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.
As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.
“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”
Additional report findings
So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.
Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.
Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.
Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.
iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.
Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.
Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.
Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).
On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.
UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.
Earlier this year, businesses across the globe transitioned to a remote work environment almost overnight at unprecedented scale and speed. Security teams worked around the clock to empower and protect their newly distributed teams.
Protect and support a remote workforce
Cisco’s report found the majority of organizations around the world were at best only somewhat prepared to support their remote workforce. But the shift to remote work has accelerated the adoption of technologies that enable employees to work securely from anywhere and on any device – preparing businesses to be flexible for whatever comes next. The survey found that:
- 85% of organizations said that cybersecurity is extremely important or more important than before COVID-19
- Secure access is the top cybersecurity challenge faced by the largest proportion of organizations (62%) when supporting remote workers
- One in two respondents said endpoints, including corporate laptops and personal devices, are a challenge to protect in a remote environment
- 66% of respondents indicated that the COVID-19 situation will result in an increase in cybersecurity investments
“Security and privacy are among the most significant social and economic issues of our lifetime,” said Jeetu Patel, SVP and GM of Cisco’s Security & Applications business.
“Cybersecurity historically has been overly complex. With this new way of working here to stay and organizations looking to increase their investment in cybersecurity, there’s a unique opportunity to transform the way we approach security as an industry to better meet the needs of our customers and end-users.”
People worried about the privacy of their tools
People are worried about the privacy of remote work tools and are skeptical whether companies are doing what is needed to keep their data safe. Despite the pandemic, they want little or no change to privacy requirements, and they want to see companies be more transparent regarding how they use their customers’ data.
Organizations have the opportunity to build confidence and trust by embedding privacy into their products and communicating their practices clearly and simply to their customers. The survey found that:
- 60% of respondents were concerned about the privacy of remote collaboration tools
- 53% want little or no change to existing privacy laws
- 48% feel they are unable to effectively protect their data today, and the main reason is that they can’t figure out what companies are doing with their data
- 56% believe governments should play a primary role in protecting consumer data, and consumers are highly supportive of the privacy laws enacted in their country
“Privacy is much more than just a compliance obligation. It is a fundamental human right and business imperative that is critical to building and maintaining customer trust,” said Harvey Jang, VP, Chief Privacy Officer, Cisco. “The core privacy and ethical principles of transparency, fairness, and accountability will guide us in this new, digital-first world.”
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.
“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.
The list of vulnerabilities exploited by Chinese hackers
The list is as follows:
The vulnerability list they shared is likely not complete, as Chinese-sponsored actors may use other known and unknown vulnerabilities. All network defenders – but especially those working on securing critical systems in organizations on which US national security and defense depend – should consider patching these as a priority.
Mitigations are also available
If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:
- Disabling external management capabilities and setting up an out-of-band management network
- Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
- Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
- Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise
The agency also noted that the problem of data stolen or modified before a device has been patched cannot be solved only by patching, and that password changes and reviews of accounts are a good practice.
Additional “most exploited vulnerabilities” lists
Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals, the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware, and Recorded Future published a list of ten software vulnerabilities most exploited by cybercriminals in 2019.
Admins and network defenders are encouraged to peruse them and patch those flaws as well.
We are beginning to shift away from what has long been our first and last line of defense: the password. It’s an exciting time. Since the beginning, passwords have aggravated people. Meanwhile, passwords have become the de facto first step in most attacks. Yet I can’t help but think, what will the consequences of our actions be?
Intended and unintended consequences
Back when overhead cameras came to the express toll routes in Ontario, Canada, it wasn’t long before the SQL injection to drop tables made its way onto bumper stickers. More recently in California, researcher Joe Tartaro purchased a license plate that said NULL. With the bumper stickers, the story goes, everyone sharing the road would get a few hours of toll-free driving. But with the NULL license plate? Tartaro ended up on the hook for every traffic ticket with no plate specified, to the tune of thousands of dollars.
One organization I advised recently completed an initiative to reduce the number of agents on the endpoint. In a year when many are extending the lifespan and performance of endpoints while eliminating location-dependent security controls, this shift makes strategic sense.
Another CISO I spoke with recently consolidated multi-factor authenticators onto a single platform. Standardizing the user experience and reducing costs is always a pragmatic move. Yet these moves limited future moves. In both cases, any initiative by the security team which changed authenticators or added agents ended up stuck in park, waiting for a greenlight.
Be careful not to limit future moves
To make moves that open up possibilities, security teams think along two lines: usability and defensibility. That is, how will the change impact the workforce, near term and long term? On the opposite angle, how will the change affect criminal behavior, near term and long term?
Whether decreasing the number of passwords required through single sign-on (SSO) or eliminating the password altogether in favor of a strong authentication factor (passwordless), the priority is on the workforce experience. The number one reason for tackling the password problem given by security leaders is improving the user experience. It is a rare security control that makes people’s lives easier and leadership wants to take full advantage.
There are two considerations when planning for usability. The first is ensuring the tactic addresses the common friction points. For example, with passwordless, does the approach provide access to the devices and applications people work with? Is it more convenient and faster than what they do today? The second consideration is evaluating what the tactic allows the security team to do next. Does the approach to passwordless or SSO block a future initiative due to lock-in? Or will the change enable us to take future steps to secure authentication?
The one thing we know for certain is, whatever steps we take, criminals will take steps to get around us. In the sixty years since the first password leak, we’ve done everything we can, using both machine and man. We’ve encrypted passwords. We’ve hashed them. We increased key length and algorithm strength. At the same time, we’ve asked users to create longer passwords, more complex passwords, unique passwords. We’ve provided security awareness training. None of these steps were taken in a vacuum. Criminals cracked files, created rainbow tables, brute-forced and phished credentials. Sixty years of experience suggests the advancement we make will be met with an advanced attack.
We must increase the trust in authentication while increasing usability, and we must take steps that open up future options. Security teams can increase trust by pairing user authentication with device authentication. Now the adversary must both compromise the authentication and gain access to the device.
To reduce the likelihood of device compromise, set policies to prevent unpatched, insecure, infected, or compromised devices from authenticating. The likelihood can be even further reduced by capturing telemetry, modeling activity, and comparing activity to the user’s baseline. Now the adversary must compromise authentication, gain access to the endpoint device, avoid endpoint detection, and avoid behavior analytics.
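The layering described in the last two paragraphs (a strong user factor, a device that is enrolled and healthy, and a comparison against the user's own baseline) can be expressed as a small access-policy evaluator. The following is an added example for this article, not code from the author or from any Duo or Cisco product; the posture attributes, baseline fields and decision tiers (`allow`, `step_up`, `deny`) are assumptions chosen to illustrate the idea, and the sign-in attempts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class DevicePosture:
    """Attributes a device-trust agent would report (assumed field set)."""
    managed: bool               # enrolled in the organization's device management
    os_patched: bool            # OS and browser within the patch policy window
    edr_healthy: bool           # endpoint agent running and reporting
    compromise_indicators: int  # detections raised on this device recently


@dataclass
class UserBaseline:
    """Per-user behavioural baseline derived from prior telemetry (assumed shape)."""
    usual_hours: range          # local hours in which this user normally signs in
    usual_countries: frozenset  # countries seen for this user
    usual_device_ids: frozenset # devices this user has authenticated from before


@dataclass
class AuthAttempt:
    user_authenticated: bool    # the strong user factor (e.g. passwordless) succeeded
    device_id: str
    posture: DevicePosture
    country: str
    when: datetime


def evaluate(attempt, baseline):
    """Return (decision, reasons). Each layer must pass before the next is consulted."""
    # Layer 1: user authentication
    if not attempt.user_authenticated:
        return "deny", ["user authentication failed"]

    # Layer 2: device authentication and posture. Unpatched, unmanaged or infected
    # devices are refused outright, which is the policy the article recommends.
    p = attempt.posture
    blockers = []
    if not p.managed:
        blockers.append("device not enrolled")
    if not p.os_patched:
        blockers.append("device out of date")
    if not p.edr_healthy:
        blockers.append("endpoint agent unhealthy")
    if p.compromise_indicators:
        blockers.append(f"{p.compromise_indicators} compromise indicator(s) on device")
    if blockers:
        return "deny", blockers

    # Layer 3: behaviour analytics against the user's own baseline. A single anomaly
    # is logged but allowed; two or more trigger step-up verification for review.
    anomalies = []
    if attempt.when.hour not in baseline.usual_hours:
        anomalies.append("sign-in outside usual hours")
    if attempt.country not in baseline.usual_countries:
        anomalies.append("sign-in from unusual country")
    if attempt.device_id not in baseline.usual_device_ids:
        anomalies.append("first sign-in from this device")
    if len(anomalies) >= 2:
        return "step_up", anomalies
    return "allow", anomalies


# Constructed baseline and attempts for demonstration
BASELINE = UserBaseline(range(7, 20), frozenset({"CA"}), frozenset({"lt-1234"}))
HEALTHY = DevicePosture(managed=True, os_patched=True, edr_healthy=True, compromise_indicators=0)
STALE = DevicePosture(managed=True, os_patched=False, edr_healthy=True, compromise_indicators=0)

NORMAL = AuthAttempt(True, "lt-1234", HEALTHY, "CA", datetime(2020, 10, 21, 9, 15))
UNPATCHED = AuthAttempt(True, "lt-1234", STALE, "CA", datetime(2020, 10, 21, 9, 15))
ODD = AuthAttempt(True, "unknown-77", HEALTHY, "RO", datetime(2020, 10, 21, 3, 40))


def demo():
    return {name: evaluate(a, BASELINE)[0] for name, a in
            [("normal", NORMAL), ("unpatched", UNPATCHED), ("odd", ODD)]}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The ordering matters for the argument the article makes: an attacker who phishes or replays the user factor still has to present an enrolled, healthy device, and one who manages that still has to look like the user to the baseline comparison. The thresholds (two anomalies for step-up, any posture failure for deny) are illustrative and would be tuned per organization.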
Technology is full of unintended consequences. Some lead to toll-free drives and others lead to unexpected fees. Some open new opportunities, others new vulnerabilities. Today, many are moving to improve user experience by reducing or removing passwords. The consequences won’t be known immediately. We must ensure our approach meets the use cases the workforce cares about while positioning us to address longer-term goals and challenges.
Additionally, we must get ahead of adversaries and criminals. With device trust and behavior analytics, we must increase trust in passwordless authentication. We can’t predict what is to come, but these are steps security teams can take today to better position and protect our organizations.
CBTS announces its CBTS Microsoft Direct Route Services, which unify user communications and collaboration by connecting CBTS Cisco hosted voice solutions and legacy on-premises phone infrastructures to Microsoft Teams.
The solution integrates Teams with a hardened voice core built on the Cisco Broadworks platform, giving enterprises the ability to integrate their voice and collaboration solutions into one communications stream, while giving users access to advanced voice applications like integrated omni-channel contact centers, AI-powered IVR, advanced reporting and analytics, call recording, e911, and mass notification solutions.
Deployments are tailored to specific requirements, delivering quick access to the Office 365 apps, files, and services team members need while maintaining security, compliance, and manageability across all locations.
“The ways organizations conduct business have changed with the steady rise of remote working, and that’s only accelerated in 2020. Employees not only seek greater work-life balance, but it’s a necessity during the pandemic, and technology needs to keep up,” said Tony King, CBTS Chief Communications Architect.
“Enterprises need to keep their employees successful and connected, and by integrating reliable, stable, and secure enterprise phone systems with Microsoft Teams, we can help clients do that. Giving enterprises a reliable integrated communications and collaborations solution, along with all the integrated advanced voice applications we offer, is required – especially for larger organizations.”
By combining these Microsoft and Cisco best of breed technologies, organizations unlock numerous benefits:
- Multiple call flow combinations to take advantage of existing communications infrastructure and minimize reliance on personal devices to conduct business.
- Multiple delivery models allow for organizations to utilize OTT, SD-WAN, NaaS, MPLS, VPLS, or NNI depending on their needs.
- Overlay advanced PBX features like call reporting, call recording, AI-enabled Interactive Voice Response (IVR), and AI-powered analytics.
- Integrated Omnichannel contact center.
- Common dial plan allowing extension dialing between legacy systems and Microsoft Teams users, with local calling and pooled long distance usage included.
- Automated disaster recovery and business continuity planning.
- Emergency mass notification and paging is a fully integrated solution.
- Dynamically routed 911 services with full caller detail.
- 24x7x365 U.S. based support.
With guidance and hands-on implementation from CBTS engineers, clients can consolidate licensing, decommission unused hardware, and convert unknown capital expenditures into a fixed monthly expense, with CBTS dedicated project managers, account executives, and support staff available to help along the way.
“We’re thrilled to deliver CBTS Microsoft Direct Route Services for clients who need next-generation communications and collaboration tools for their remote workers,” added Greg Wheeler, Senior Vice President of U.S. Sales & Global Programs for CBTS.
“As a Microsoft Gold Partner and a Cisco Gold Partner, we’re uniquely positioned to design, deliver, implement, and provide 24x7x365 support for the secure communications and collaboration infrastructure businesses need to thrive today and into the post-pandemic era.”
NVIDIA has released security updates for the NVIDIA GPU Display Driver and the NVIDIA Virtual GPU Manager that fix a variety of serious vulnerabilities.
The driver security update should be implemented by users of the company’s desktop, workstation and data center GPUs, while the vGPU software update is available for the Virtual GPU Manager component on Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, and Nutanix AHV enterprise virtualization solutions.
NVIDIA GPU Display Driver security updates
Four security holes have been plugged in the Display Driver:
- CVE‑2020‑5979 affects the Control Panel component and may lead to privilege escalation
- CVE‑2020‑5980 affects multiple components and may lead to code execution or DoS
- CVE‑2020‑5981 affects the DirectX11 user mode driver and can, according to NVIDIA, lead to DoS
- CVE‑2020‑5982 affects the kernel mode layer and can lead to DoS.
CVE‑2020‑5980 was unearthed by Andy Gill of Pen Test Partners and the discovery detailed in a blog post published on Thursday.
The vulnerability allows for DLL hijacking, i.e., subverting an application’s execution flow through the external DLLs it loads.
“If a vulnerable application is configured to run at a higher privilege level, then the malicious DLL that is loaded will also be executed at a higher level, thus achieving escalation of privilege. Often the application will behave no differently because malicious DLLs may also be configured to load the legitimate DLLs they were meant to replace or where a DLL doesn’t exist,” Gill explained.
CVE‑2020‑5981 was discovered by Piotr Bania of Cisco Talos. The CVE number covers multiple vulnerabilities and, Cisco claims, they could be exploited to achieve remote code execution (and not just DoS).
“An adversary could exploit these vulnerabilities by supplying the user with a malformed shader, eventually allowing them to execute code on the victim machine. These bugs could also allow the attacker to perform a guest-to-host escape through Hyper-V RemoteFX on Windows machines,” they say.
Users are advised to check which NVIDIA display driver version is currently installed on their system(s) and update it if necessary (updates are available from here).
NVIDIA vGPU Software security updates
Vulnerabilities CVE‑2020‑5983 to CVE‑2020‑5989 are found in the vGPU plugin and could lead to DoS, information disclosure, code execution, tampering, and privilege escalation.
Users are advised to upgrade to vGPU Software versions 11.1, 10.4, or 8.5 – updates are available through the NVIDIA Licensing Portal.
Phunware announced that Cisco Meraki will now feature the Company’s Smart Workplace solution for employers in its Meraki Marketplace. Developed on Phunware’s patented Multiscreen-as-a-Service (MaaS) platform, this mobile-first solution has been designed to effectively address critical challenges brought on by managing a workplace not only in a post-pandemic world, but also one that has now become mobile-first.
Cisco Systems acquired Meraki in 2012, and today, Cisco Meraki is a leader in cloud controlled WiFi, routing and security, all managed from a centralized dashboard.
The Meraki Marketplace is an exclusive catalog of Technology Partners like Phunware that showcases applications developed on top of the Meraki platform, allowing customers and partners to view, demo and deploy commercial solutions.
“We developed MaaS to enable large corporations like Cisco to efficiently distribute our software globally for digital transformation initiatives in mobile environments,” said Alan S. Knitowski, President, CEO and Co-Founder of Phunware.
“Our Smart Workplace solution can help enable thousands of Cisco Meraki customers to not only increase employee productivity and satisfaction, but also to provide their visitors and guests with enhanced brand experiences while onsite, including automated arrival and reception check-ins, health surveys, location tracing, broadcast, geofence and beacon-based messaging and personnel and staff engagement by name, position and department.”
Phunware’s MaaS Smart Workplace solution is optimized to help employers manage room bookings, enable positioning, wayfinding and navigation throughout its facilities, enable location sharing amongst its employees, partners and customers and extend its other building services via mobile integration and activation.
Platform integrations with existing third-party solutions also support additional services, including parking management, food ordering, asset tracking, interactive directories, fitness access, security and user feedback, all of which can help drive utilization of onsite services by making them more easily accessible and consumable on mobile.
These new listings are in addition to Phunware’s COVID-19 pandemic response listings, as well as its previous listing for its patented MaaS Location Based Services (LBS) software that offers customers native, mobile-first capabilities that deliver proximity, sub one-second, real-time blue dot indoor positioning, navigation and wayfinding functionality across any campus or facility while simplifying and streamlining the underlying integration and management of hardware and software.
Through this expanded integration, MSPs will be able to more easily discover and monitor Cisco Meraki devices from within their N-central dashboards. The announcement further underscores the SolarWinds commitment to fuel partner success and help MSPs create a more connected and efficient ecosystem.
The integration will include routers, switches, and access points as part of the portfolio of Cisco Meraki cloud-managed solutions. By integrating these devices with the N-central platform, SolarWinds MSP partners can see the status of Cisco Meraki customers’ devices right in their monitoring and management dashboard, enable notifications and alerts, and monitor connectivity and traffic—as well as conduct license warranty reporting.
This streamlines the efficiencies for MSPs by allowing them to keep tabs on the health of their Cisco Meraki devices (as part of the continuing buildout of a fully integrated ecosystem), while leveraging the power of N-central to control, customize, and help secure complex environments.
“Cisco Meraki offers a comprehensive set of cloud solutions that give IT providers the opportunity to streamline and simplify the digital workplace, a goal that has never been more paramount as the definition of the workplace is in flux. Daily shifts from work from home and returning to the office require an elastic office space and IT infrastructure,” said Mav Turner, group vice president of products for SolarWinds MSP.
“This goal is fully aligned with SolarWinds MSP, as we work to empower MSPs to more easily fulfill a market need that has spiked almost overnight. As MSP customers seek their help more than ever, we believe the integration with Cisco Meraki and N-central will play another important role in supporting them.”
“SolarWinds N-central is known for its power as a remote monitoring and management solution that centralizes the ability for an MSP to see and manage everything from one easy-to-use dashboard,” said Marc Inderhees, Cisco-as-a-Service Sales Acceleration Leader, Cisco Systems.
“We are excited about the new integration of Cisco Meraki with N-central to give SolarWinds MSP partners a direct path for discovering and monitoring Cisco Meraki devices in their SolarWinds dashboard, so they can focus more of their time and energy on taking care of the businesses they support. Working with SolarWinds and its MSP partners will provide our mutual customers with even more opportunities to thrive and succeed.”
“Like most IT service providers, we’re more hyper-focused than ever right now, making sure the businesses we serve are up and running and secure,” stated Jeffrey Bowles, IT Lead/Partner, Act360 Web & IT Inc.
“To do that effectively, we have to be able to work as efficiently as possible. Having more visibility and direct monitoring of our Cisco Meraki devices from within our SolarWinds N-central dashboard is a key piece of the efficiency puzzle, and we’re excited to have this new capability.”
The Cisco Meraki integration expands on the growing list of industry-leading technology providers seeking an alliance with SolarWinds MSP to streamline and improve customer access to centralized monitoring, management, and security capabilities.
The U.S. Justice Department this week indicted seven Chinese nationals for a decade-long hacking spree that targeted more than 100 high-tech and online gaming companies. The government alleges the men used malware-laced phishing emails and “supply chain” attacks to steal data from companies and their customers. One of the alleged hackers was first profiled here in 2012 as the owner of a Chinese antivirus firm.
Charging documents say the seven men are part of a hacking group known variously as “APT41,” “Barium,” “Winnti,” “Wicked Panda,” and “Wicked Spider.” Once inside of a target organization, the hackers stole source code, software code signing certificates, customer account data and other information they could use or resell.
APT41’s activities span from the mid-2000s to the present day. Earlier this year, for example, the group was tied to a particularly aggressive malware campaign that exploited recent vulnerabilities in widely-used networking products, including flaws in Cisco and D-Link routers, as well as Citrix and Pulse VPN appliances. Security firm FireEye dubbed that hacking blitz “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”
The government alleges the group monetized its illicit access by deploying ransomware and “cryptojacking” tools (using compromised systems to mine cryptocurrencies like Bitcoin). In addition, the gang targeted video game companies and their customers in a bid to steal digital items of value that could be resold, such as points, powers and other items that could be used to enhance the game-playing experience.
APT41 was known to hide its malware inside fake resumes that were sent to targets. It also deployed more complex supply chain attacks, in which they would hack a software company and modify the code with malware.
“The victim software firm — unaware of the changes to its product, would subsequently distribute the modified software to its third-party customers, who were thereby defrauded into installing malicious software code on their own computers,” the indictments explain.
While the various charging documents released in this case do not mention it per se, it is clear that members of this group also favored another form of supply chain attacks — hiding their malware inside commercial tools they created and advertised as legitimate security software and PC utilities.
One of the men indicted as part of APT41 — now 35-year-old Tan DaiLin — was the subject of a 2012 KrebsOnSecurity story that sought to shed light on a Chinese antivirus product marketed as Anvisoft. At the time, the product had been “whitelisted” or marked as safe by competing, more established antivirus vendors, although the company seemed unresponsive to user complaints and to questions about its leadership and origins.
Anvisoft claimed to be based in California and Canada, but a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu in the Sichuan Province of China.
A review of Anvisoft’s website registration records showed the company’s domain originally was created by Tan DaiLin, an infamous Chinese hacker who went by the aliases “Wicked Rose” and “Withered Rose.” At the time of the story, DaiLin was 28 years old.
That story cited a 2007 report (PDF) from iDefense, which detailed DaiLin’s role as the leader of a state-sponsored, four-man hacking team called NCPH (short for Network Crack Program Hacker). According to iDefense, in 2006 the group was responsible for crafting a rootkit that took advantage of a zero-day vulnerability in Microsoft Word, and was used in attacks on “a large DoD entity” within the USA.
“Wicked Rose and the NCPH hacking group are implicated in multiple Office based attacks over a two year period,” the iDefense report stated.
When I first scanned Anvisoft at Virustotal.com back in 2012, none of the antivirus products detected it as suspicious or malicious. But in the days that followed, several antivirus products began flagging it for bundling at least two trojan horse programs designed to steal passwords from various online gaming platforms.
Security analysts and U.S. prosecutors say APT41 operated out of a Chinese enterprise called Chengdu 404 that purported to be a network technology company but which served as a legal front for the hacking group’s illegal activities, and that Chengdu 404 used its global network of compromised systems as a kind of dragnet for information that might be useful to the Chinese Communist Party.
“CHENGDU 404 developed a ‘big data’ product named ‘SonarX,’ which was described…as an ‘Information Risk Assessment System,’” the government’s indictment reads. “SonarX served as an easily searchable repository for social media data that previously had been obtained by CHENGDU 404.”
The group allegedly used SonarX to search for individuals linked to various Hong Kong democracy and independence movements, and snoop on a U.S.-backed media outlet that ran stories examining the Chinese government’s treatment of Uyghur people living in its Xinjiang region.
As noted by TechCrunch, after the indictments were filed prosecutors said they obtained warrants to seize websites, domains and servers associated with the group’s operations, effectively shutting them down and hindering their operations.
“The alleged hackers are still believed to be in China, but the allegations serve as a ‘name and shame’ effort employed by the Justice Department in recent years against state-backed cyber attackers,” wrote TechCrunch’s Zack Whittaker.
A technical support intervention has revealed two zero-day vulnerabilities in the OS running on Cisco enterprise-grade routers that attackers are trying to actively exploit.
Cisco plans to release software updates to plug these security holes, but in the meantime administrators are advised to implement one or all of the provided mitigations.
About the vulnerabilities
The two zero-day flaws – CVE-2020-3566 and CVE-2020-3569 – affect the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software, running on Cisco enterprise-grade routers for service providers, data centers, enterprises, and critical infrastructure.
They can be exploited by an unauthenticated, remote attacker by sending crafted IGMP (Internet Group Management Protocol) traffic to an affected device.
“A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols,” Cisco explained.
Proposed mitigations include:
- Implementing a rate limiter for IGMP traffic
- Adding an access control entry (ACE) to an existing interface access control list (ACL). “Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface,” the company noted.
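The two mitigations written out as an IOS XR configuration fragment, added here as an example rather than taken from the Cisco advisory; the ACL name, interface and rate value are placeholders, and the command syntax is from memory of IOS XR and should be checked against the advisory before it is applied.

```cisco
! Mitigation: deny DVMRP (an IGMP message type) inbound on the exposed interface.
! DENY-DVMRP and GigabitEthernet0/0/0/0 are placeholders. The final permit keeps
! other traffic flowing; merge these entries into any ACL already on the interface
! instead of replacing it.
ipv4 access-list DENY-DVMRP
 10 deny igmp any any dvmrp
 20 permit ipv4 any any
!
interface GigabitEthernet0/0/0/0
 ipv4 access-group DENY-DVMRP ingress
!
! Mitigation: police IGMP traffic punted to the route processor so a flood cannot
! exhaust memory. Syntax assumed; 1000 is a placeholder rate to tune for the platform.
lpts pifib hardware police flow igmp rate 1000
```

Apply the ACL to every interface configured under multicast routing, since the advisory scopes the exposure to active interfaces with multicast routing enabled.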
The company has also provided indicators of compromise, i.e., messages that can be seen in the system logs if a device is experiencing memory exhaustion based on exploitation of these vulnerabilities.
“These vulnerabilities affect any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing,” they added.
BT Security has announced the key partners that it will work with going forward to provide industry-leading managed security services to customers. The decision follows BT’s largest-ever appraisal of its security suppliers, and a comprehensive review of the security vendor ecosystem as a whole.
BT’s decision to refine its security partner base was driven by the recognition that many of its customers find it difficult to navigate today’s complex security landscape.
The huge range of suppliers and products in the market can be bewildering, and lead to the adoption of multiple overlapping systems. This in turn can render security estates difficult to manage, burdened with unnecessary costs and, ultimately, with lower overall levels of protection.
BT Security is reflecting its customers’ desire to reduce complexity by having a leaner set of partners and clearly laying out its view of the best providers for specific security requirements.
The confirmed partners were agreed following a detailed evaluation of their respective capabilities across all security control and threat management technologies. The final selection provides BT’s view of the security market’s leading providers, who will support a harmonized portfolio of solutions to its customers going forward.
Kevin Brown, Managing Director of BT Security, said: “Our new security partner ecosystem showcases the benefits of BT Security as a Managed Security Services Provider. We’re able to use our deep experience and insight of the security ecosystem to help our customers navigate what can be an incredibly confusing market.
“We’re also ensuring that BT Security customers will benefit from working with the best suppliers from across the security industry.”
McAfee, Palo Alto Networks and Fortinet were selected as BT Security’s ‘Critical Partners’. Each of those companies will provide a range of services and products that will be incorporated into BT Security’s global portfolio, as well as providing holistic support to its commercial and operational activities.
BT Security will also work with these partners to develop a roadmap of security solutions which continue to reflect evolving customer demands and integrate the latest developments in security automation.
Lynn Doherty, Executive Vice President of Global Sales and Marketing at McAfee, said: “We’re proud to partner with BT to fight against cybercrime and accelerate new business environments for our customers as they look for more solution integrations, deeper engagement and faster modernization efforts.
“Together through our strategic service provider partners, like BT, McAfee is able to deliver world class security services that enable organizations to evolve their defenses into areas like Secure Access Service Edge (SASE) and Extended Detection and Response (XDR).”
Alex Zinin, VP, Global Service Provider Business at Palo Alto Networks, said: “We’ve been working closely with BT Security for several years to bring innovative cybersecurity solutions to our joint customers.
“We are honored to be selected as one of their critical partners to continue this close collaboration, in recognition of the breadth of our security capabilities across multiple market segments. This comes at a time when it’s never been more essential for communications and security to be closely aligned to help all organisations with staff working remotely.
“We look forward to working together as we strive to make each day safer and more secure than the one before.”
John Maddison, Executive Vice President of Products and Chief Marketing Officer at Fortinet, said: “Digital Innovation is disrupting all industries, markets, and segments, leading to increased risk as cyber threats take advantage of this disruption.
“To protect against known advanced threats as well as unknown sophisticated attacks, Fortinet enables organizations to apply security anywhere and protect all edges – including WAN, cloud, data center, endpoint, identity, and home – while reducing the number of required products to save costs and remove complexity.
“We’re proud to partner with BT Security to help customers address the most critical security challenges and protect data across the entire digital infrastructure.”
Microsoft, IBM and Cisco were all confirmed as ‘Strategic Partners’ for BT Security. This categorization reflects not only their relationship with BT Security, but also their broader activities and remit across the whole of BT.
BT Security also confirmed a further nine ‘Ecosystem Partners’, who will be incorporated into its global portfolio of solutions for customers due to their complementary technology capabilities. These partners are Skybox, Forescout, Zscaler, Check Point, CrowdStrike, Okta, Qualys, Netscout and F5.
Through deeper strategic relationships, BT Security and its partners will work together to provide better customer experience and protection, while those selected partners will also be BT Security’s main collaborators as they look to develop future customer solutions.
BT Security will regularly review the partnerships to monitor the latest vendor developments, while continuing to assess the wider industry for new and emergent security companies and technologies.
Cisco has released another batch of critical security updates for flaws in Cisco Data Center Network Manager (DCNM) and the Cisco SD-WAN Solution software.
Cisco Data Center Network Manager flaws
Cisco Data Center Network Manager is the network management platform for all NX-OS-enabled deployments, spanning new fabric architectures, IP Fabric for Media, and storage networking deployments for the Cisco Nexus-powered data center.
These latest updates fix:
- One critical authentication bypass vulnerability (CVE-2020-3382) in the solution’s REST API that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device
- Five high-risk flaws that could allow an authenticated, remote attacker to inject arbitrary commands on the affected device, write arbitrary files in the system with the privileges of the logged-in user, perform arbitrary actions through the REST API with administrative privileges, and interact with and use certain functions within the Cisco DCNM
- Three medium-risk bugs (XSS, SQL injection, information disclosure)
The vulnerabilities affect various versions of the Cisco Data Center Network Manager software and their exploitability occasionally depends on how the Cisco DCNM appliances were installed. But the fixes are all included in the latest Cisco DCNM software releases: 11.4(1) and later.
The flaws were either reported by security researchers or found by Cisco during internal security testing, and there is no indication that any of them are actively exploited.
The Cisco SD-WAN Solution software flaws
Cisco SD-WAN gives users the ability to manage connectivity across their WAN from a single dashboard: the Cisco vManage console.
The company has found:
- A critical buffer overflow vulnerability (CVE-2020-3375) affecting Cisco SD-WAN Solution software that could be exploited by sending crafted traffic to an affected device and could allow the attacker to gain access to information that they are not authorized to access, make changes to the system that they are not authorized to make, and execute commands on an affected system with privileges of the root user
- A critical vulnerability (CVE-2020-3374) in the web-based management interface of Cisco SD-WAN vManage Software that could be exploited by sending crafted HTTP requests to it and could allow the attacker to access sensitive information, modify the system configuration, or impact the availability of the affected system.
Again, there is no indication that these flaws are being exploited, but Cisco urges admins to implement the security updates as soon as possible, as there are no workarounds for addressing these flaws.
Security advisories for all of the fixed flaws can be found here.
An unauthenticated file read vulnerability (CVE-2020-3452) affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software is being exploited by attackers in the wild.
For the moment, it seems that it is being used just to read Lua source files, but it can be used to view files that may contain information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs.
There’s a proof of concept doing the rounds for directory path traversal (yes, it’s 1998 again) in Cisco AnyConnect SSL VPN.
It’s already being mass spammed across internet.
As far as I can see people can only read LUA source files so far, so not terribly problematic as is. https://t.co/kSIFQdz1go
— Kevin Beaumont (@GossiTheDog) July 24, 2020
About the vulnerability (CVE-2020-3452)
CVE-2020-3452 affects the web services interface of Cisco ASA and Cisco FTD software and can be exploited by remote unauthenticated attackers to read sensitive files within the web services file system on the targeted device (but not to obtain access to ASA or FTD system files or underlying operating system files).
“The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,” Cisco explained.
Devices are vulnerable only if they are running a vulnerable release of the software AND are configured with either WebVPN or AnyConnect features.
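A log check for the request pattern Cisco describes (directory traversal sequences in URLs sent to the web services interface), added here as an example and not code from Cisco, Rapid7 or the researchers. It assumes combined-log-format lines from a proxy or WAF in front of the device; the log lines are constructed, and the `/+CSCOE+/` path prefix is the one quoted on this page.

```python
import re
from urllib.parse import unquote

# Combined-log-format line from a proxy or WAF in front of the ASA/FTD web
# services interface (the field layout is an assumption of this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_target(target):
    """Percent-decode the request target repeatedly (double encoding such as
    %252e%252e is a common way past a single-pass filter) and map backslashes
    to forward slashes so both separator styles are compared the same way."""
    decoded = target
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return decoded.replace('\\', '/')


def has_traversal(target):
    """True if any path segment or query value of the decoded target is '..'.
    Splitting on '/', '?', '&' and '=' catches traversal in the path as well
    as in parameter values, which both fall under Cisco's description of
    missing URL validation."""
    parts = re.split(r'[/?&=]', decode_target(target))
    return '..' in parts


def scan_log(lines):
    """Return (client_ip, raw_target, status) for every request carrying a
    traversal sequence; a 200 on such a request deserves the closest look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m.group('target')):
            hits.append((m.group('ip'), m.group('target'), int(m.group('status'))))
    return hits


def summarize(hits):
    """Count flagged requests per source address to spot mass scanning."""
    counts = {}
    for ip, _target, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Jul/2020:10:00:01 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Jul/2020:10:00:05 +0000] "GET /+CSCOE+/..%2f..%2fportal_inc.lua HTTP/1.1" 200 812',
    '198.51.100.7 - - [24/Jul/2020:10:00:06 +0000] "GET /+CSCOE+/%252e%252e/%252e%252e/portal_inc.lua HTTP/1.1" 200 812',
    '203.0.113.10 - - [24/Jul/2020:10:00:09 +0000] "POST /+CSCOE+/index.html HTTP/1.1" 302 0',
    '192.0.2.44 - - [24/Jul/2020:10:00:12 +0000] "GET /+CSCOE+/..\\..\\portal_inc.lua HTTP/1.1" 404 0',
]

if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for ip, target, status in hits:
        print(f'{ip} {status} {target}')
    print(summarize(hits))
```

Requests flagged with a 200 response on an unpatched device are the ones to treat as probable reads; after patching, the same check shows whether the scanning has stopped.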
The vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies and Abdulrahman Nour and Ahmed Aboul-Ela of RedForce. Cisco patched it last week by releasing security updates and hotfixes. Shortly after, Aboul-Ela published a PoC for it:
Here is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.
For example to read “/+CSCOE+/portal_inc.lua” file.
Happy Hacking! pic.twitter.com/aBA3R7akkC
— Ahmed Aboul-Ela (@aboul3la) July 22, 2020
Cisco confirmed that exploitation attempts started the day after. Rapid7 scanned for internet-accessible ASA/FTD devices and found 85,000.
“Since it is difficult (if not impossible) to legally fingerprint Cisco ASA/FTD versions remotely, Rapid7 Labs revisited the ‘uptime’ technique described in a 2016 blog post for another Cisco ASA vulnerability, which shows that only about 10% of Cisco ASA/FTD devices have been rebooted since the release of the patch. This is a likely indicator they’ve been patched,” noted Bob Rudis, Chief Data Scientist at Rapid7.
While much has been written about the immediate pandemic-related challenges, it’s important to apply the lessons learned as many prepare for the future of work.
With this in mind, the Cisco report covers specific lessons that have emerged from the data gathered from COVID-19 experiences. The lessons highlight particular changes in mindset, attitude, direction, and behavior that will be particularly important.
74% of IT and business leaders said their business will in some ways emerge stronger from the crisis. While the first half of 2020 was among the most tumultuous times in modern history, nearly three-quarters of respondents agreed or strongly agreed with the statement: despite the challenges, our business will emerge stronger in some areas from the current crisis.
This optimism is indicative of the ingenuity and innovation organizations have shown. It has been incredible to see how many initiatives around digital transformation and other forms of modernization scheduled for the medium to long-term, or deferred because of other competing priorities, have been accelerated.
Flexibility is here to stay
Respondents say flexibility is here to stay, and it will benefit organizations as well as employees. 49% of respondents indicated that flexible working hours are here to stay. And when it comes to hiring, 50% of our survey respondents said increased remote work would lead to a more inclusive and extended talent pool.
Businesses are realizing that work can happen anywhere, productivity isn’t lost, and an expanded talent pool will enable stronger and more capable work teams.
Employee wellbeing and work-life balance
The vast majority of managers said they have increased their emphasis on employee wellbeing and work-life balance. 87% of managers who responded to the survey said that as a result of the pandemic they increased emphasis on employee wellbeing and work-life balance.
Of those managers reporting the increased emphasis, 47% said they see this being maintained over the long term.
The pandemic as a catalyst for major change
Study participants said they viewed the pandemic as a catalyst for major change. This newfound focus and priority on health and wellbeing is a silver-lining during what is otherwise a sobering period of time.
The obvious question remains as to whether this mindset shift can withstand the test of time, but participants were optimistic that workplace culture is transforming in the right direction.
“From a business agility and resiliency perspective, it’s important that we learn and adapt quickly from this experience,” said Aruna Ravichandran, VP of Marketing, Cisco‘s Collaboration Group. “You never know when you’ll need to pivot, and we’ve seen that technology like Webex is playing a key role.”
Cisco has fixed 33 CVE-numbered flaws in a variety of its devices, including five critical ones affecting RV-series VPN routers and firewalls and Cisco Prime License Manager, which is used by enterprises to manage user-based licensing.
About the vulnerabilities
With the recent onslaught of critical vulnerabilities affecting networking and security devices, it’s been a tough month for enterprise admins.
The pressure continues with this latest batch of Cisco security updates – the only good news is that none of the patched security holes is being exploited in the wild.
Cisco Small Business RV110W Wireless-N VPN Firewalls with firmware releases prior to v126.96.36.199 can be taken over by attackers via a system account that has a default and static password (CVE-2020-3330).
Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers are plagued by a vulnerable web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device (CVE-2020-3323). The same interface on those same devices also sports an authentication bypass flaw that could be triggered via a crafted HTTP request sent to the affected device and could allow the attacker to gain administrative access on the affected device (CVE-2020-3144).
The RV110W Wireless-N VPN Firewalls and RV215W Wireless-N VPN Routers also have a hole that could be exploited by sending crafted requests to a targeted device and could allow the attacker to execute arbitrary code with the privileges of the root user (CVE-2020-3331).
Finally, the flaw affecting Cisco Prime License Manager is “just” a privilege escalation vulnerability, but it’s still deemed to be critical (CVE-2020-3140). Admins in charge of keeping Cisco Unified Communications Manager (Unified CM) Software, Cisco Unified CM Session Management Edition (SME) Software, and Cisco Unity Connection Software up-to-date should also see whether they need to implement this update, since Cisco PLM can be installed as part of that software.
Other, less critical vulnerabilities that have been fixed are found in a variety of Cisco SD-WAN solutions, Cisco WebEx, Cisco Vision Dynamic Signage Director, Cisco Data Center Network Manager, Cisco Meetings App, and Cisco Content Security Management Appliance.
All the relevant security advisories can be found here.
Cisco has released security updates for Cisco Webex Meetings and Cisco Webex Meetings Server that fix several remotely exploitable vulnerabilities, as well as one less severe one that could allow hackers to gain access to a target’s Webex account.
The patched Cisco Webex vulnerabilities
CVE-2020-3361 affects Cisco Webex Meetings sites and Cisco Webex Meetings Server and could allow an unauthenticated, remote attacker to gain unauthorized access to a vulnerable Webex site.
Customers on Cisco-hosted Webex Meetings sites do not need to take any actions to receive this update, but those running Cisco Webex Meetings Server on-premises should apply the updated version.
CVE-2020-3263 is an improper input validation flaw that could allow an unauthenticated, remote attacker to execute programs on an affected end-user system after they’ve persuaded a user to follow a malicious URL.
It affects Cisco Webex Meetings Desktop App releases earlier than release 39.5.12.
CVE-2020-3342 is due to improper validation of cryptographic protections on files that are downloaded by the application as part of a software update.
“An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user,” Cisco explained.
The flaw affects lockdown versions of Cisco Webex Meetings Desktop App for Mac earlier than release 39.5.11.
Finally, CVE-2020-3347 affects only Cisco Webex Meetings Desktop App for Windows releases earlier than 40.6.0, but may be used by a local, authenticated attacker to retrieve sensitive information and authentication tokens that could help them access the target’s Webex account.
“In an attack scenario any malicious local user or malicious process running on a computer where Webex Client for Windows is installed can monitor the memory mapped file for a login token. Once found the token, like any leaked credentials, can be transmitted somewhere so that it can be used to login to the Webex account in question, download Recordings, view/edit Meetings and so on,” says Trustwave researcher Martin Rakhmanov, who discovered the flaw.
Cisco has announced the global general availability of Cisco SecureX on June 30, 2020. SecureX, the broadest and most integrated cloud-native security platform, is included with all Cisco Security products to simplify and enhance the way customers manage security.
SecureX arrives as organizations struggle to manage business and security challenges at unprecedented scale, driven by the acceleration of digital transformation and the rise in remote workers.
Cisco has a long-standing commitment to connect and protect its customers working from anywhere, on any device, and furthers its mission to unify and optimize its security portfolio.
Managing an organization’s security is complex – from keeping up with new business processes, tracking evolving threats and navigating a sprawling vendor landscape. Data from the C-suite backs this up.
According to Cisco’s CIO Perspectives 2020 survey of 1,300 global CIOs, the top two challenges facing CIOs are security, followed by complexity. More than two-thirds of CIOs feel they are being stretched too thin.
One way security leaders are battling this complexity is with vendor consolidation. Newly released data from Cisco’s 2020 CISO Benchmark Report revealed that when dealing with a cyberattack, organizations with more security vendors experienced longer downtime, higher costs and more breached records.
To address current and future security challenges, SecureX connects the breadth of Cisco’s integrated security portfolio with customers’ entire security infrastructure for a consistent and simplified experience.
It unifies visibility, enables automation, and strengthens security across network, endpoints, cloud, and applications. With SecureX all new and existing customers will benefit from these capabilities and more without incurring additional cost:
- Unified visibility – SecureX provides key operational and threat metrics across network, endpoint, cloud, and applications. With the SecureX ribbon feature, the platform is integrated in every single Cisco Security technology so customers can access platform capabilities seamlessly across all products.
- Automation to increase operational efficiency – Customers can automate workflows across products from Cisco Security and third parties so they can focus on more impactful tasks. SecureX can save customers hours of manual work by automating threat hunting based on Cisco Talos threat intelligence and other intelligence sources.
- Strengthened security – SecureX threat response enables security experts to quickly identify impacted targets and remediate within minutes by correlating intelligence data from multiple intelligence sources and telemetry from network, endpoint, email, cloud, and third-party products.
Exceptional customer and partner feedback
“A platform approach like SecureX is the future of security at Mohawk Industries,” said Michael Degroote, Infrastructure Consultant at Mohawk Industries.
“It will make things easier, faster, and we will see much more going on in our environment than ever before. The automation and custom playbooks we have seen in SecureX will make a difference in a zero-trust environment and will improve security for our company even further. We are looking forward to what SecureX brings to us.”
“One of the most important aspects as a CISO is to make sure I feed intelligence into other agencies,” said Mick Jenkins, Chief Information Security Officer at Brunel University. “The platform approach gives us excellent, superb stitching-together of forensic investigations.”
“The harmonized network security and collaborative platform is key when all teams can work together to solve a problem. You’re most vulnerable when you have silos,” said Collin John, Global Security Manager at Alvarez and Marsal. “This platform unifies visibility and taps into DevOps, SecOps, and even infrastructure.”
“We are seeing our customers consolidating the number of security vendors they work with and want solutions that are simple to manage and integrate with their existing security investments.
“Cisco has built a broad and strong portfolio of security solutions and with Cisco SecureX, this now makes it easier for us to show the value of multiple products working together,” said Bob Cagnazzi, CEO at Presidio.
“We’re also excited about the opportunity this creates for Presidio to add services on top of the SecureX platform and further enhance our customers’ experience.”
“With SecureX we wanted to reimagine the way our customers experienced security by making it simple and automated,” said Gee Rittenhouse, SVP and GM of Cisco’s Security Business Group.
“We knew this would be transformative for the industry, but we could never have predicted just how important this would be to security and IT professionals at this very moment. In this new and dynamic world, customers need a security platform that can protect employees wherever they work and meet the challenges of today and the future.”
In addition to the simplified experience SecureX brings, Cisco Security is also unveiling new enhancements and integrations to further secure the remote workforce including:
- Greater unified user and device protection through an integration between endpoint security and MFA.
- Customers can use cloud email with greater confidence. Cloud Mailbox Defense for Office365 provides complete email visibility (inbound, outbound, and internal messages) with context to strengthen protection against advanced email threats such as phishing, ransomware, spoofing and spam.
Cisco has fixed more than two dozen critical and high-severity security vulnerabilities affecting operating systems running on the company’s carrier-grade and industrial routers and switches.
About the vulnerabilities
OSes affected by various combinations of the now-fixed flaws include:
- Cisco IOS – a family of network operating systems used on many Cisco Systems routers and network switches
- IOS XE – installed on a variety of Cisco controllers, switches, edge, branch and virtual routers
- IOS XR – used on Cisco’s high-end Network Convergence System (NCS), carrier-grade routers
- NX-OS – installed on Cisco’s Nexus-series hardware-based network switches, fabric extenders, storage switches and fabric interconnects
The four fixed critical vulnerabilities are:
- CVE-2020-3227, a privilege escalation vulnerability – affects Cisco IOS XE Software releases 16.3.1 and later if they are configured with the IOx application hosting infrastructure.
- CVE-2020-3205, a command injection vulnerability, and CVE-2020-3198 and CVE-2020-3258, multiple arbitrary code execution flaws – affect Cisco 809 and 829 Industrial Integrated Services Routers and Cisco 1000 Series Connected Grid Routers (CGR1000)
The high-severity issues include a wide variety of security flaws, which could allow: command injection, DoS, verification bypass, RCE, arbitrary file creation/read/overwrite, information disclosure, and so on.
Users of Cisco networking equipment should check whether they should upgrade the software and, if that’s the case, do so as soon as they can – though most of the vulnerabilities were discovered during internal testing and none are under active exploitation.
The revelation was made on Thursday, when Cisco published an advisory saying that, on May 7, 2020, it discovered the compromise of six of its salt-master servers, which are part of the Cisco VIRL-PE (Virtual Internet Routing Lab Personal Edition) service infrastructure.
About SaltStack Salt, the vulnerabilities, and the problem with patching
SaltStack Salt is open source software that is used for managing and monitoring servers in datacenters and cloud environments. It is installed on a “master” server and it manages “minion” servers via an API agent.
The two recently revealed vulnerabilities – CVE-2020-11651 (an authentication bypass flaw) and CVE-2020-11652 (a directory traversal flaw) – can be exploited by unauthenticated, remote attackers to achieve RCE as root on both masters and minions.
The flaws were fixed in late April, but not all exposed Salt servers have been patched. A few weeks ago, Censys put the number of potentially vulnerable, internet-exposed Salt servers at 2,928.
One of the things that likely prolonged the deployment of patches is the fact that Salt is integrated in other solutions, and developers of those solutions took some time to push out security updates.
VMware vRealize Operations Manager is one of those solutions, and so are two network architecture modeling and testing solutions by Cisco.
“Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version of SaltStack that is running the salt-master service that is affected by these vulnerabilities,” Cisco shared.
“Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.”
The company remediated the affected servers the same day and has provided software updates that address these vulnerabilities, so that enterprise admins who installed these solutions on-premises can fix them.
For more information about which software releases are affected and under what conditions, admins should peruse the advisory, which also offers some workarounds.
Cisco did not say what the attackers’ ultimate goal was, but in previously disclosed attacks, their intent was to install cryptocoin miners.