Patch Tuesday, November 2020 Edition

Adobe and Microsoft each issued a bevy of updates today to plug critical security holes in their software. Microsoft’s release includes fixes for 112 separate flaws, including one zero-day vulnerability that is already being exploited to attack Windows users. Microsoft also is taking flak for changing its security advisories and limiting the amount of information disclosed about each bug.

Some 17 of the 112 issues fixed in today’s patch batch involve “critical” problems in Windows, or those that can be exploited by malware or malcontents to seize complete, remote control over a vulnerable Windows computer without any help from users.

Most of the rest were assigned the rating “important,” which in Redmond parlance refers to a vulnerability whose exploitation could “compromise the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

A chief concern among all these updates this month is CVE-2020-17087, which is an “important” bug in the Windows kernel that is already seeing active exploitation. CVE-2020-17087 is not listed as critical because it’s what’s known as a privilege escalation flaw that would allow an attacker who has already compromised a less powerful user account on a system to gain administrative control. In essence, it would have to be chained with another exploit.

Unfortunately, this is exactly what Google researchers described witnessing recently. On Oct. 20, Google released an update for its Chrome browser which fixed a bug (CVE-2020-15999) that was seen being used in conjunction with CVE-2020-17087 to compromise Windows users.

If you take a look at the advisory Microsoft released today for CVE-2020-17087 (or any others from today’s batch), you might notice they look a bit more sparse. That’s because Microsoft has opted to restructure those advisories around the Common Vulnerability Scoring System (CVSS) format to more closely align the format of the advisories with that of other major software vendors.

But in so doing, Microsoft has also removed some useful information, such as the description explaining in broad terms the scope of the vulnerability, how it can be exploited, and what the result of the exploitation might be. Microsoft explained its reasoning behind this shift in a blog post.

Not everyone is happy with the new format. Bob Huber, chief security officer at Tenable, praised Microsoft for adopting an industry standard, but said the company should consider that folks who review Patch Tuesday releases aren’t security practitioners but rather IT counterparts responsible for actually applying the updates who often aren’t able (and shouldn’t have to) decipher raw CVSS data.

“With this new format, end users are completely blind to how a particular CVE impacts them,” Huber said. “What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users. However, it’s not too difficult to see how this new format benefits bad actors. They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritize their remediation efforts.”

Dustin Childs with Trend Micro‘s Zero Day Initiative also puzzled over the lack of details included in Microsoft advisories tied to two other flaws fixed today — including one in Microsoft Exchange Server (CVE-2020-16875) and CVE-2020-17051, which is a scary-looking weakness in the Windows Network File System (NFS).

The Exchange problem, Childs said, was reported by the winner of the Pwn2Own Miami bug finding contest.

“With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned,” Childs said. “It is very likely he will publish the details of these bugs soon. Microsoft rates this as important, but I would treat it as critical, especially since people seem to find it hard to patch Exchange at all.”

Likewise, with CVE-2020-17051, there was a noticeable lack of detail for a bug that earned a CVSS score of 9.8 (10 is the most dangerous).

“With no description to work from, we need to rely on the CVSS to provide clues about the real risk from the bug,” Childs said. “Consider this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.”

Separately, Adobe today released updates to plug at least 14 security holes in Adobe Acrobat and Reader. Details about those fixes are available here. There are no security updates for Adobe’s Flash Player, which Adobe has said will be retired at the end of the year. Microsoft, which has bundled versions of Flash with its Web browsers, says it plans to ship an update in December that will remove Flash from Windows PCs, and last month it made the removal tool available for download.

Windows 10 users should be aware that the operating system will download updates and install them on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system, see this guide.

But please do back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Critical flaw in SonicWall’s firewalls patched, update quickly! (CVE-2020-5135)

Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance (NSA). Among those is CVE-2020-5135, a critical stack-based buffer overflow vulnerability in the appliances’ VPN Portal that could be exploited to cause denial of service and possibly remote code execution.


About CVE-2020-5135

The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities.

CVE-2020-5135 was discovered by Nikita Abramov of Positive Technologies and Craig Young of Tripwire’s Vulnerability and Exposures Research Team (VERT), and has been confirmed to affect:

  • SonicOS 6.5.4.7-79n and earlier
  • SonicOS 6.5.1.11-4n and earlier
  • SonicOS 6.0.5.3-93o and earlier
  • SonicOSv 6.5.4.4-44v-21-794 and earlier
  • SonicOS 7.0.0.0-1

“The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access,” Tripwire VERT explained.

“This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”

By using Shodan, both Tripwire and Tenable researchers discovered nearly 800,000 SonicWall NSA devices with the affected HTTP server banner exposed on the internet. Though, as the latter noted, it is impossible to determine the actual number of vulnerable devices because their respective versions could not be determined (i.e., some may already have been patched).

A persistent DoS condition is apparently easy for attackers to achieve, as it requires no prior authentication and can be triggered by sending a specially crafted request to the vulnerable service/SSL VPN portal.

VERT says that a code execution exploit is “likely feasible,” though it’s a bit more difficult to pull off.

Mitigation and remediation

There is currently no evidence that the flaw is being actively exploited nor is there public PoC exploitation code available, so admins have a window of opportunity to upgrade affected devices.

Aside from implementing the offered update, they can alternatively disconnect the SSL VPN portal from the internet, though this action does not mitigate the risk of exploitation of some of the other flaws fixed by the latest updates.

Implementing the security updates is, therefore, the preferred step, especially because vulnerabilities in SSL VPN solutions are often targeted by cybercriminals and threat actors.

Tenable Lumin updates enable orgs to predict which vulnerabilities pose the greatest business risk

Tenable announced new Tenable Lumin innovations that empower customers to align business objectives with cybersecurity initiatives.

The latest enhancements to the Cyber Exposure Management Platform enable organizations to predict which vulnerabilities pose the greatest business risk and act with confidence to effectively reduce risk across their modern, distributed environments.

As the performance of our global economy increasingly depends on the uptime and security of digital infrastructure, cyber risk has become inherent to business risk.

But the modern attack surface has expanded with new assets — from cloud to IoT to operational technology — and CISOs struggle to understand their true level of exposure and address risk based on business priorities.

The following capabilities announced today will help CISOs and their security teams address the challenges of managing, measuring and reducing cyber risk in modern environments:

  • Remediation maturity helps security teams measure their speed and efficiency of remediating vulnerabilities and compares them against external peers and Tenable best practices. Remediation maturity is now generally available in Tenable Lumin.
  • Mitigations evaluates the security team’s response to critical risks when timely remediation isn’t possible. It provides an inventory of end-point security controls for a more complete and accurate picture of an organization’s cyber exposure. This capability will be available in Tenable Lumin later in the fourth quarter of 2020.
  • Predictive scoring delivers more accurate and comprehensive insight into an organization’s overall cyber exposure. Predictive scoring infers the exposure scores of groups of assets before they have been assessed in detail. This capability leverages the data lake of similar assets and the criticality of vulnerabilities found on these devices, helping guide security teams to identify and improve visibility to areas of potential high risk. Predictive scoring will be available in Tenable Lumin later in the fourth quarter of 2020.

Tenable’s predictive technologies are powered by Exposure.ai, which continuously analyzes 20 trillion aspects of threat, vulnerability and asset information with machine learning algorithms to predict critical exposure points before they can be leveraged in an attack.

“Technology investments are now powering our economy and have become central to our very way of life. Modern organizations require an innovative approach to cybersecurity — one that is holistic and predictive, not piecemeal and reactive, and most of all, aligned to the strategic priorities of the business,” said Renaud Deraison, chief technology officer, Tenable.

“Lumin now allows our customers to properly assess and track their Cyber Exposure and the maturity of their processes. For the first time, they can evaluate the ROI of their investments towards remediation and mitigation and understand how they stack up against their peers.”

Microsoft: Attackers Exploiting ‘ZeroLogon’ Windows Flaw

Microsoft warned on Wednesday that malicious hackers are exploiting a particularly dangerous flaw in Windows Server systems that could be used to give attackers the keys to the kingdom inside a vulnerable corporate network. Microsoft’s warning comes just days after the U.S. Department of Homeland Security issued an emergency directive instructing all federal agencies to patch the vulnerability by Sept. 21 at the latest.

DHS’s Cybersecurity and Infrastructure Agency (CISA) said in the directive that it expected imminent exploitation of the flaw — CVE-2020-1472 and dubbed “ZeroLogon” — because exploit code which can be used to take advantage of it was circulating online.

Last night, Microsoft’s Security Intelligence unit tweeted that the company is “tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon vulnerability.”

“We have observed attacks where public exploits have been incorporated into attacker playbooks,” Microsoft said. “We strongly recommend customers to immediately apply security updates.”

Microsoft released a patch for the vulnerability in August, but it is not uncommon for businesses to delay deploying updates for days or weeks while testing to ensure the fixes do not interfere with or disrupt specific applications and software.

CVE-2020-1472 earned Microsoft’s most-dire “critical” severity rating, meaning attackers can exploit it with little or no help from users. The flaw is present in most supported versions of Windows Server, from Server 2008 through Server 2019.

The vulnerability could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

Scott Caveza, research engineering manager at security firm Tenable, said several samples of malicious .NET executables with the filename ‘SharpZeroLogon.exe’ have been uploaded to VirusTotal, a service owned by Google that scans suspicious files against dozens of antivirus products.

“Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we’re seeing attacks in the wild,” Caveza said. “Administrators should prioritize patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns.”

Microsoft Patch Tuesday, Sept. 2020 Edition

Microsoft today released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software. None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users.

The majority of the most dangerous or “critical” bugs deal with issues in Microsoft’s various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server.

“That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” said Dustin Childs, of Trend Micro’s Zero Day Initiative. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon. This should be your top priority.”

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that’s been exploited for cybercriminal gains since April 2019.

Microsoft fixed at least five other serious bugs in Sharepoint versions 2010 through 2019 that also could be used to compromise systems running this software. And because ransomware purveyors have a history of seizing upon Sharepoint flaws to wreak havoc inside enterprises, companies should definitely prioritize deployment of these fixes, says Alan Liska, senior security architect at Recorded Future.

Todd Schell at Ivanti reminds us that Patch Tuesday isn’t just about Windows updates: Google has shipped a critical update for its Chrome browser that resolves at least five security flaws that are rated high severity. If you use Chrome and notice an icon featuring a small upward-facing arrow inside of a circle to the right of the address bar, it’s time to update. Completely closing out Chrome and restarting it should apply the pending updates.

Once again, there are no security updates available today for Adobe’s Flash Player, although the company did ship a non-security software update for the browser plugin. The last time Flash got a security update was June 2020, which may suggest researchers and/or attackers have stopped looking for flaws in it. Adobe says it will retire the plugin at the end of this year, and Microsoft has said it plans to completely remove the program from all Microsoft browsers via Windows Update by then.

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

September 2020 Patch Tuesday: Microsoft fixes over 110 CVEs again

On this September 2020 Patch Tuesday:

  • Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
  • Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
  • Intel has released four security advisories
  • SAP has released 10 security notes and updates to six previously released notes


Microsoft’s updates

Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.

Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.

“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”

Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.

“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.

“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”

Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.

Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.

CVE-2020-0922, an RCE in Microsoft COM (Common Object Model), should also be patched quickly on all Windows and Windows Server systems.

“As COM is the base framework of Microsoft services like ActiveX, OLE, DirectX, and Windows Shell, if left unpatched it would give a malicious player a large target to focus on when seeking out vulnerabilities in a network. Given that the exploit can be taken advantage of through a simple malicious JavaScript or website, potentially delivered through a phishing email, it is necessary to address to minimize a network’s attack surface,” noted Richard Melick, Senior Technical Product Manager, Automox.

He also advised organizations in the financial industry who use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.

“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.

Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.

Adobe’s updates

Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.

The AEM and AEM Forms updates are more important than the rest.

The former fix eight critical and important flaws, most of which allow arbitrary JavaScript execution or HTML injection in the browser. The latter plug three critical security holes that carry the same risk (i.e., that of an attacker running malicious code on a victim’s machine).

The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two offerings are not often targeted by attackers, admins are advised to implement them after more critical updates are secured.

None of the fixed vulnerabilities are being currently exploited in the wild.

Intel’s updates

Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).

The latter fixes are the most important, as they fix a privilege escalation flaw that has been deemed to be “critical” for provisioned systems.

SAP’s updates

SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).

Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.

Potential Apache Struts 2 RCE flaw fixed, PoCs released

Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability (CVE-2019-0230) and PoC exploits for it have been published.


About the vulnerability (CVE-2019-0230)

“CVE-2019-0230 is a forced double Object-Graph Navigation Language (OGNL) evaluation vulnerability that occurs when Struts tries to perform an evaluation of raw user input inside of tag attributes. An attacker could exploit this vulnerability by injecting malicious OGNL expressions into an attribute used within an OGNL expression,” Tenable researchers explained.

It’s rated as important (i.e., not critical) by the Apache Struts Security Team, but could allow attackers to achieve remote code execution.

“There is still not enough information about the potential impact of this vulnerability under real world conditions, but caution is certainly warranted regarding this flaw,” the researchers noted, especially because PoCs for it have been popping up on GitHub.

Whether they will be useful or not remains to be seen, though.

“It’s important to note that because each Struts application is unique, the actual payload needed to exploit it will differ from application to application. Additionally, the application would need to be developed in such a way that it allows an attacker to supply unvalidated input into an attribute used inside of an OGNL expression,” the researchers explained.

CVE-2019-0230 and CVE-2019-0233 (a DoS bug) affect Apache Struts versions 2.0.0 to 2.5.20. They’ve both been fixed in version 2.5.22, to which admins are urged to upgrade (if they haven’t already).

“We continue to urge developers building upon Struts 2 to not use %{…} syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities,” René Gielen, Struts Project Management Committee chair, added.
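A source-level check for the anti-pattern the researchers and Gielen describe (a `%{…}` expression inside a Struts tag attribute, worst when it references request-controlled OGNL context such as `#parameters`), as an added example that is not part of the original article or the Struts project. It assumes the conventional `s` taglib prefix for Struts tags in JSP files; the sample JSP is constructed.

```python
"""Audit JSP sources for %{...} in Struts 2 tag attributes.

Added example, not Struts project code. Findings referencing request-controlled
OGNL context objects are flagged 'high'; any other %{...} in a tag attribute is
flagged 'review', since whether its input is validated depends on the action.
"""
import os
import re

# A Struts tag (conventional 's' prefix, assumed) that may span several lines.
TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.DOTALL)
# attribute="value" or attribute='value' inside the tag body.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.DOTALL)
# OGNL context objects that expose raw request data to an expression.
REQUEST_SOURCES = ("#parameters", "#request", "#session", "#application", "#attr")


def scan(source, filename="<string>"):
    """Return a list of findings for one JSP source string."""
    findings = []
    for tag in TAG_RE.finditer(source):
        line = source.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group(2)):
            name = attr.group(1)
            value = attr.group(2) if attr.group(2) is not None else attr.group(3)
            if "%{" not in value:
                continue
            risk = "high" if any(s in value for s in REQUEST_SOURCES) else "review"
            findings.append({
                "file": filename, "line": line, "tag": "s:" + tag.group(1),
                "attribute": name, "value": value, "risk": risk,
            })
    return findings


def scan_tree(root):
    """Walk a source tree and scan every .jsp file under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".jsp"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan(fh.read(), path))
    return findings


# Constructed sample JSP: two request-driven expressions and one action property.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:textfield name="%{#parameters.username}"
             label="User" />
<s:url id="home" value="/index.action" />
<s:a href="%{#request.next}">Next</s:a>
<s:property value="%{user.name}" />
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_JSP, "sample.jsp"):
        print("%(file)s:%(line)d %(risk)s %(tag)s %(attribute)s=%(value)s" % f)
```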

About Apache Struts 2

Apache Struts 2 is a widely-used open source web application framework for developing Java EE web applications.

A few years ago, analyst Fintan Ryan at RedMonk estimated that nearly 65% of Fortune 100 firms actively use web applications built with the Apache Struts framework.

A security hole (CVE-2017-5638) in Apache Struts 2 is how hackers managed to get in to execute the infamous 2017 Equifax data breach, after the company’s site administrators failed to quickly implement the security update that fixed it.

Other critical vulnerabilities affecting the solution have since been unearthed and PoC exploits released for them (e.g., CVE-2018-11776).

CVE-2017-5638 has recently been listed by the US Cybersecurity and Infrastructure Security Agency as one of the ten most often exploited flaws between 2016 and 2019.

RiskSense also recently pointed out that WordPress and Apache Struts had the most weaponized vulnerabilities.

“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications,” RiskSense CEO Srinivas Mukkamala noted.

“As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”

Microsoft Patch Tuesday, August 2020 Edition

Microsoft today released updates to plug at least 120 security holes in its Windows operating systems and supported software, including two newly discovered vulnerabilities that are actively being exploited. Yes, good people of the Windows world, it’s time once again to back up and patch up!

At least 17 of the bugs squashed in August’s patch batch address vulnerabilities Microsoft rates as “critical,” meaning they can be exploited by miscreants or malware to gain complete, remote control over an affected system with little or no help from users. This is the sixth month in a row Microsoft has shipped fixes for more than 100 flaws in its products.

The most concerning of these appears to be CVE-2020-1380, which is a weakness in Internet Explorer that could result in system compromise just by browsing with IE to a hacked or malicious website. Microsoft’s advisory says this flaw is currently being exploited in active attacks.

The other flaw enjoying active exploitation is CVE-2020-1464, which is a “spoofing” bug in virtually every supported version of Windows that allows an attacker to bypass Windows security features and load improperly signed files.

Trend Micro’s Zero Day Initiative points to another fix — CVE-2020-1472 — which involves a critical issue in Windows Server versions that could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

“It’s rare to see a Critical-rated elevation of privilege bug, but this one deserves it,” said ZDI’S Dustin Childs. “What’s worse is that there is not a full fix available.”

Perhaps the most “elite” vulnerability addressed this month earned the distinction of being named CVE-2020-1337, and refers to a security hole in the Windows Print Spooler service that could allow an attacker or malware to escalate their privileges on a system if they were already logged on as a regular (non-administrator) user.

Satnam Narang at Tenable notes that CVE-2020-1337 is a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020. Narang said researchers found that the patch for CVE-2020-1048 was incomplete and presented their findings for CVE-2020-1337 at the Black Hat security conference earlier this month. More information on CVE-2020-1337, including a video demonstration of a proof-of-concept exploit, is available here.

Adobe has graciously given us another month’s respite from patching Flash Player flaws, but it did release critical security updates for its Acrobat and PDF Reader products. More information on those updates is available here.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re less likely to pull your hair out when the odd buggy patch causes problems booting the system.

So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And as ever, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Exploits for vBulletin zero-day released, attacks are ongoing

The fix for CVE-2019-16759, a remote code execution vulnerability in vBulletin that was patched in September 2019, is incomplete, security researcher Amir Etemadieh has discovered.

The discovery and his publishing of PoC and full exploits spurred attackers to launch attacks.

Several other admins confirmed that they’ve been hit.

Risk mitigation and prevention

Etemadieh explained how he discovered that the patch for CVE-2019-16759 was flawed in a blog post published on Sunday.

It’s a quality write-up and contains a one-line PoC exploit and full exploits written in Bash, Python and Ruby, as well as instructions on how to implement a fix until a more complete patch is released (in short, forum admins were advised to temporarily disable PHP widgets).

“Tenable Research has tested the proof of concept from Etemadieh and confirmed successful exploitation using the latest version of vBulletin,” Tenable research engineer Satnam Narang confirmed.

Internet Brands, the makers of vBulletin, were not notified of this discovery prior to publication, so they have had to scramble to fix the flaw again.

New patches were made available on Monday for versions 5.6.2, 5.6.1 and 5.6.0 of vBulletin Connect, and they disable the PHP Module widget. The upcoming v5.6.3 will contain the patch.

“All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible,” they advised, and noted that vBulletin Cloud sites are not affected by this issue.

vBulletin is the most popular internet forum software in use today and also powers many dark web forums. vBulletin flaws, especially when they allow remote code execution without authentication, are usually speedily leveraged by attackers, so admins are advised to implement the patches ASAP.

Critical flaw opens Palo Alto Networks firewalls and VPN appliances to attack, patch ASAP!

Palo Alto Networks has patched a critical and easily exploitable vulnerability (CVE-2020-2021) affecting PAN-OS, the custom operating system running on its next generation firewalls and enterprise VPN appliances, and is urging users to update to a fixed version as soon as possible.

The US Cyber Command has echoed the call for immediate action, saying that nation-state-backed attackers are likely to try to exploit it soon.

About the vulnerability (CVE-2020-2021)

CVE-2020-2021 is an authentication bypass vulnerability that could allow unauthenticated, remote attackers to gain access to and control of the vulnerable devices, change their settings, change access control policies, turn them off, etc.

Affected PAN-OS versions include versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). Version 7.1 is not affected.

Also, the vulnerability is exploitable only if:

  • The device is configured to use SAML authentication with single sign-on (SSO) for access management, and
  • The “Validate Identity Provider Certificate” option is disabled (unchecked) in the SAML Identity Provider Server Profile


“Resources that can be protected by SAML-based single sign-on (SSO) authentication are GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access,” Palo Alto Networks shared.

While the aforementioned configuration settings are not part of default configurations, it seems that finding vulnerable devices should not be much of a problem for attackers.

“It appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this [vulnerable] configuration or may only work using this configuration,” noted Tenable researcher Satnam Narang.

“These providers include Okta, SecureAuth, SafeNet Trusted Access, Duo, Trusona via Azure AD, Azure AD and Centrify.”

Even the PAN-OS 9.1 user guide instructs admins to disable the “Validate Identity Provider Certificate” option when setting up Duo integration.

Palo Alto Networks says that there is currently no indication of the vulnerability being under active attack.

But given that SSL VPN flaws in various enterprise solutions have been heavily exploited in the last year or so – both by cybercriminals and nation-state attackers – it is expected that this one will be as soon as a working exploit is developed.

What to do?

As mentioned before, implementing the security updates is the best solution.

Enterprise admins are advised to upgrade to PAN-OS versions 9.1.3, 9.0.9 or 8.1.15 if possible. Palo Alto Networks has provided instructions for doing that in a way that doesn’t break the authentication capability for users.

If updating is not possible, the risk can be temporarily mitigated by using a different authentication method and disabling SAML authentication.

Admins can check for indicators of compromise in a variety of logs (authentication logs, User-ID logs, GlobalProtect logs, etc.).

Microsoft Patch Tuesday, June 2020 Edition

Microsoft today released software patches to plug at least 129 security holes in its Windows operating systems and supported software, by some accounts a record number of fixes in one go for the software giant. None of the bugs addressed this month are known to have been exploited or detailed prior to today, but there are a few vulnerabilities that deserve special attention — particularly for enterprises and employees working remotely.

June marks the fourth month in a row that Microsoft has issued fixes to address more than 100 security flaws in its products. Eleven of the updates address problems Microsoft deems “critical,” meaning they could be exploited by malware or malcontents to seize complete, remote control over vulnerable systems without any help from users.

A chief concern among the panoply of patches is a trio of vulnerabilities in the Windows file-sharing technology (a.k.a. Microsoft Server Message Block or “SMB” service). Perhaps most troubling of these (CVE-2020-1301) is a remote code execution bug in SMB capabilities built into Windows 7 and Windows 2008 systems — both operating systems that Microsoft stopped supporting with security updates in January 2020. One mitigating factor with this flaw is that an attacker would need to be already authenticated on the network to exploit it, according to security experts at Tenable.

The SMB fixes follow closely on news that proof-of-concept code was published this week that would allow anyone to exploit a critical SMB flaw Microsoft patched for Windows 10 systems in March (CVE-2020-0796). Unlike this month’s critical SMB bugs, CVE-2020-0796 does not require the attacker to be authenticated to the target’s network. And with countless company employees now working remotely, Windows 10 users who have not yet applied updates from March or later could be dangerously exposed right now.

Microsoft Office and Excel get several updates this month. Two different flaws in Excel (CVE-2020-1225 and CVE-2020-1226) could be used to remotely commandeer a computer running Office just by getting a user to open a booby-trapped document. Another weakness (CVE-2020-1229) in most versions of Office may be exploited to bypass security features in Office simply by previewing a malicious document in the preview pane. This flaw also impacts Office for Mac, although updates are not yet available for that platform.

After months of giving us a welcome break from patching, Adobe has issued an update for its Flash Player program that fixes a single, albeit critical security problem. Adobe says it is not aware of any active exploits against the Flash flaw. Mercifully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year. Adobe also released security updates for its Experience Manager and Framemaker products.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for a wonky Windows update to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files. So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Further reading:

AskWoody and Martin Brinkmann on Patch Tuesday fixes and potential pitfalls

Trend Micro’s Zero Day Initiative June 2020 patch lowdown

U.S-CERT on Active Exploitation of CVE-2020-0796

The importance of effective vulnerability remediation prioritization

Too many organizations have yet to find a good formula for prioritizing which vulnerabilities should be remediated immediately and which can wait.

According to the results of recent Tenable research aimed at discovering why some flaws go unpatched for months and years, vulnerabilities with exploits show roughly the same persistence as those with no available exploit.

“Defenders are still operating as though all vulnerabilities have the same likelihood of exploitation,” says Lamine Aouad, Staff Research Engineer at Tenable.


Other findings

The research has also revealed that:

  • In organizations that have remediated at least one instance of a vulnerability, nearly one-third of all detected vulnerabilities remain open after a year, and over one-quarter are never remediated – and the percentages are similar for vulnerabilities with exploits
  • It takes organizations a median of 29 days to assess the existence of a vulnerability in their environment and a median of 40 days to remediate all instances of it
  • The most persistent vulnerabilities are:
    • Client-side vulnerabilities
    • Vulnerabilities in difficult-to-update/upgrade software
    • Vulnerabilities with larger affected software lists


“The more operating systems and product versions a vulnerability affects, the harder it is to fix, leading to persistence. A larger list of CPEs would also reflect a bigger volume of assets in many cases and consequently a higher difficulty to remediate comprehensively by just sheer volume,” Aouad told Help Net Security.

“CVE-2018-8353, CVE-2018-8355 and CVE-2018-8373 are remote memory-corruption vulnerabilities, affecting multiple versions of Internet Explorer, which could allow remote attackers to execute arbitrary code. Their persistence is most likely related to the list of CPEs or affected software configurations.”

Only 5.5 percent of organizations remediate more vulnerabilities than they discover during a given timeframe, Tenable found.

Whether for the lack of resources, effective remediation processes, or simply the staggering amount of newly disclosed vulnerabilities, most organizations cannot keep up with the flow of vulnerabilities they assess in their environment.

Finding the right approach to vulnerability remediation prioritization

Effective vulnerability remediation prioritization is important, but using vulnerabilities’ CVSS scores as the basis for making decisions is not a good choice, as it does not reflect the risk a vulnerability poses to the organization.

CVSS scores can be one element of an effective prioritization formula, but organizations must also take into consideration factors such as whether a vulnerability:

  • Is actively exploited
  • Is prevalent in their environment and widely present in other organizations’ environments
  • Affects critical assets within their environment
  • Is targeted via existing attacker toolkits, etc.
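The difference between ordering by CVSS alone and ordering by the factors listed above is easiest to see on a small set of records. The following is an added example, not code from the article or from Tenable's research: it scores constructed vulnerability records two ways, once by CVSS base score and once by a risk score that also counts active exploitation, internal and external prevalence, presence on critical assets and inclusion in attacker toolkits. The field names, weights and the `VULN-A` to `VULN-D` records are this example's own assumptions.

```python
"""Added example (not from the article or Tenable): CVSS-only ordering
versus a risk-based ordering using the factors the article lists.
Weights and sample records are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str                    # placeholder identifier, not a real CVE
    cvss: float                 # CVSS base score, 0-10
    actively_exploited: bool    # exploitation observed in the wild
    internal_prevalence: float  # fraction of our own assets affected, 0-1
    external_prevalence: float  # fraction of other orgs affected, 0-1 (assumed feed)
    on_critical_assets: bool    # present on assets tagged business-critical
    in_attacker_toolkits: bool  # exploit shipped in known attacker tooling


def cvss_only_rank(vulns):
    """Ordering most organisations default to: highest CVSS first."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def risk_score(v):
    """Assumed weights: CVSS is one input among several, not the decider.

    Active exploitation and toolkit availability dominate because they
    describe what attackers actually do rather than what is possible."""
    score = v.cvss
    if v.actively_exploited:
        score += 6.0
    if v.in_attacker_toolkits:
        score += 4.0
    if v.on_critical_assets:
        score += 3.0
    score += 3.0 * v.internal_prevalence + 1.0 * v.external_prevalence
    return round(score, 2)


def risk_rank(vulns):
    """Ordering by the combined risk score, highest first."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]


# Constructed sample: a "perfect 9.8" that nobody exploits sits beside a
# 7.0 that is exploited, widespread and on critical systems.
SAMPLE = [
    Vuln("VULN-A", 9.8, False, 0.02, 0.1, False, False),
    Vuln("VULN-B", 7.0, True, 0.60, 0.5, True, True),
    Vuln("VULN-C", 8.1, False, 0.30, 0.2, False, True),
    Vuln("VULN-D", 5.3, True, 0.10, 0.4, False, False),
]

if __name__ == "__main__":
    print("CVSS only :", cvss_only_rank(SAMPLE))
    print("Risk based:", risk_rank(SAMPLE))
    for v in SAMPLE:
        print(f"  {v.cve}: cvss={v.cvss:<4} risk={risk_score(v)}")
```

With these constructed records the CVSS-only list puts `VULN-A` first and `VULN-B` third, while the risk-based list puts `VULN-B` first and drops `VULN-A` to last; the weights are arbitrary, but any formula that gives exploitation and prevalence real weight will reorder a CVSS-sorted backlog in this way.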

Microsoft Patch Tuesday, May 2020 Edition

Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always if you’re running Windows on any of your machines it’s time once again to prepare to get your patches on.

May marks the third month in a row that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software. At least 16 of the bugs are labeled “Critical,” meaning ne’er-do-wells can exploit them to install malware or seize remote control over vulnerable systems with little or no help from users.

But focusing solely on Microsoft’s severity ratings may obscure the seriousness of the flaws being addressed this month. Todd Schell, senior product manager at security vendor Ivanti, notes that if one looks at the “exploitability assessment” tied to each patch — i.e., how likely Microsoft considers each can and will be exploited for nefarious purposes — it makes sense to pay just as much attention to the vulnerabilities Microsoft has labeled with the lesser severity rating of “Important.”

Virtually all of the non-critical flaws in this month’s batch earned Microsoft’s “Important” rating.

“What is interesting and often overlooked is seven of the ten [fixes] at higher risk of exploit are only rated as Important,” Schell said. “It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs Critical.”

For example, Satnam Narang from Tenable notes that two remote code execution flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126) could be exploited by tricking a user into opening a malicious email attachment or visiting a website that contains code designed to exploit the vulnerabilities. However, Microsoft rates these vulnerabilities as “Exploitation Less Likely,” according to their Exploitability Index.

In contrast, three elevation of privilege vulnerabilities that received a rating of “Exploitation More Likely” were also patched, Narang notes. These include a pair of “Important” flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135). Elevation of Privilege vulnerabilities are used by attackers once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. There are at least 56 of these types of fixes in the May release.

Schell says if your organization’s plan for prioritizing the deployment of this month’s patches stops at vendor severity or even CVSS scores above a certain level you may want to reassess your metrics.

“Look to other risk metrics like Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process,” he advised.

As it usually does each month on Patch Tuesday, Adobe also has issued updates for some of its products. An update for Adobe Acrobat and Reader covers two dozen critical and important vulnerabilities. There are no security fixes for Adobe’s Flash Player in this month’s release.

Just a friendly reminder that while many of the vulnerabilities fixed in today’s Microsoft patch batch affect Windows 7 operating systems — including all three of the zero-day flaws — this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s time to think about upgrading to something newer. That something might be a PC with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a reliable lookout for buggy Microsoft updates each month.

Further reading:

SANS Internet Storm Center breakdown by vulnerability and severity

Microsoft’s Security Update catalog

BleepingComputer on May 2020 Patch Tuesday

Using Cisco IP phones? Fix these critical vulnerabilities

Cisco has released another batch of fixes for a number of its products. Among the vulnerabilities fixed are critical flaws affecting a variety of Cisco IP phones and Cisco UCS Director and Cisco UCS Director Express for Big Data, its unified infrastructure management solutions for data center operations.

Cisco IP phones vulnerabilities

The critical vulnerabilities

Jacob Baines, a research engineer with Tenable, unearthed two critical flaws affecting the Cisco Wireless IP Phone 8821. Cisco then tested other IP phones and found several series that were affected, as well.

CVE-2020-3161 affects the web server and CVE-2016-1421 the web application for Cisco IP Phones. Both may allow an unauthenticated remote attacker to trigger a stack-based buffer overflow by sending a crafted HTTP request, which could ultimately lead to a DoS condition or may allow the attacker to execute code with root privileges.

If you’re wondering why the CVE of the latter vulnerability indicates that it was reported in 2016, it’s because it (partly) was.

“During Tenable’s original analysis, they noted the similarity of this vulnerability to [a previously discovered bug]. However, Cisco’s advisory described the vulnerability as requiring authentication, DoS only, and the Wireless IP Phone 8821 wasn’t listed on the affected list. After disclosing to Cisco, they informed Tenable that the described bug was CVE-2016-1421 and subsequently updated their disclosure,” Tenable explained.

Admins are advised to check whether the IP phones in use in their enterprise are affected and to upgrade the firmware if they are. There are no workarounds for the flaws, but exploitation risk can be mitigated by disabling web access. Web access is disabled by default on Cisco IP phones, but some enterprises might have enabled it.

Baines has published Denial of Service PoCs for both flaws on Tenable’s GitHub repository.

Cisco has also provided fixes for nine authentication bypass vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data.

Only one of these is deemed to be critical. Exploiting one or several of these can allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device.

Admins are advised to upgrade to UCS Director Release 6.7.4.0 and UCS Director Express for Big Data Release 3.7.4.0 to plug the security holes.

The flaws were discovered by infosec specialist Steven Seeley of Source Incite, who promised to provide more details about the vulnerabilities soon.

The high-risk vulnerabilities

Two DoS flaws have been plugged in Cisco Wireless LAN Controllers, one in Cisco Aironet Series Access Points, and one in the Cisco IoT Field Network Director.

A code execution flaw in Cisco Webex Network Recording Player and Cisco Webex Player requires victim action to be exploited, and so does a CSRF flaw in Cisco Mobility Express Software.

Finally, a path traversal vulnerability in Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to read arbitrary files in the system.

Microsoft Patch Tuesday, April 2020 Edition

Microsoft today released updates to fix 113 security vulnerabilities in its various Windows operating systems and related software. Those include at least three flaws that are actively being exploited, as well as two others which were publicly detailed prior to today, potentially giving attackers a head start in figuring out how to exploit the bugs.

Nineteen of the weaknesses fixed on this Patch Tuesday were assigned Microsoft’s most-dire “critical” rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.

Near the top of the heap is CVE-2020-1020, a remotely exploitable bug in the Adobe Font Manager library that was first detailed in late March when Microsoft said it had seen the flaw being used in active attacks.

The Adobe Font Manager library is the source of yet another zero-day flaw — CVE-2020-0938 — although experts at security vendor Tenable say there is currently no confirmation that the two are related to the same set of in-the-wild attacks. Both flaws could be exploited by getting a Windows user to open a booby-trapped document or to view one in the Windows Preview Pane.

The other zero-day flaw (CVE-2020-1027) affects Windows 7 and Windows 10 systems, and earned a slightly less dire “important” rating from Microsoft because it’s an “elevation of privilege” bug that requires the attacker to be locally authenticated.

Many security news sites are reporting that Microsoft addressed a total of four zero-day flaws this month, but it appears the advisory for a critical Internet Explorer flaw (CVE-2020-0968) has been revised to indicate Microsoft has not yet received reports of it being used in active attacks. However, the advisory says this IE bug is likely to be exploited soon.

Researchers at security firm Recorded Future zeroed in on CVE-2020-0796, a critical vulnerability dubbed “SMBGhost” that was rumored to exist in last month’s Patch Tuesday but for which an out-of-band patch wasn’t released until March 12. The problem resides in a file-sharing component of Windows, and could be exploited merely by sending the victim machine specially-crafted data packets. Proof-of-concept code showing how to exploit the bug was released April 1, but so far there are no indications this method has been incorporated into malware or active attacks.

Recorded Future’s Allan Liska notes that one reason these past few months have seen so many patches from Microsoft is the company recently hired “SandboxEscaper,” a nickname used by the security researcher responsible for releasing more than a half-dozen zero-day flaws against Microsoft products last year.

“SandboxEscaper has made several contributions to this month’s Patch Tuesday,” Liska said. “This is great news for Microsoft and the security community at large.”

Once again, Adobe has blessed us with a respite from updating its Flash Player program with security fixes. I look forward to the end of this year, when the company has promised to sunset this buggy and insecure program once and for all. Adobe did release security updates for its ColdFusion, After Effects and Digital Editions software.

Speaking of buggy software platforms, Oracle has released a quarterly patch update to fix more than 400 security flaws across multiple products, including its Java SE program. If you’ve got Java installed and you need/want to keep it installed, please make sure it’s up-to-date.

Now for my obligatory disclaimers. Just a friendly reminder that while many of the vulnerabilities fixed in today’s Microsoft patch batch affect Windows 7 operating systems — including all three of the zero-day flaws — this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s time to think about upgrading to something newer. That something might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

Further reading:

Qualys breakdown on April 2020 Patch Tuesday

SANS Internet Storm Center on Patch Tuesday

PPP Daemon flaw opens Linux distros, networking devices to takeover attacks

A vulnerability (CVE-2020-8597) in the Point-to-Point Protocol Daemon (pppd) software, which comes installed on many Linux-based and Unix-like operating systems and networking devices, can be exploited by unauthenticated attackers to achieve code execution on – and takeover of – a targeted system.


The vulnerability affects Debian GNU/Linux, NetBSD, Red Hat, Ubuntu, OpenWRT, TP-LINK and Cisco offerings, and other software/products.

About the vulnerability (CVE-2020-8597)

Pppd is a daemon that is used to manage PPP session establishment and session termination between two nodes on Unix-like operating systems.

CVE-2020-8597 is a buffer overflow vulnerability that arose due to a flaw in Extensible Authentication Protocol (EAP) packet processing in eap_request and eap_response subroutines.

It can be exploited remotely, without authentication, by simply sending an unsolicited, specially crafted EAP packet to a vulnerable ppp client or server.

The flaw was discovered and responsibly disclosed by Ilja Van Sprundel, Director of Penetration Testing at IOActive.

It affects pppd versions 2.4.2 through 2.4.8 and was patched in early February.

“PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links including Virtual Private Networks (VPN) such as Point to Point Tunneling Protocol (PPTP). The pppd software can also authenticate a network connected peer and/or supply authentication information to the peer using multiple authentication protocols including EAP,” IOActive explained in a security advisory.

“Due to a flaw in the Extensible Authentication Protocol (EAP) packet processing in the Point-to-Point Protocol Daemon (pppd), an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system. This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption possibly leading to execution of unwanted code.”
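The advisory's description boils down to one bookkeeping step: before the variable-length tail of an EAP packet is copied into a fixed-size buffer, its length has to be derived from the packet's own length field and compared against that buffer's size. The parser below is an added example, not pppd's code or IOActive's: it parses an EAP MD5-Challenge packet (RFC 3748 header, then a one-byte Value-Size, the value, and the peer name as the remainder) and rejects packets whose Value-Size overruns the packet or whose name would not fit the destination. `MAX_PEER_NAME` stands in for a fixed C buffer and is this example's assumption, as are the constructed packets.

```python
"""Added example (not pppd or IOActive code): strict EAP MD5-Challenge
parsing with the length checks the advisory describes. MAX_PEER_NAME
models a fixed-size destination buffer and is an assumed value."""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4
HEADER_LEN = 5          # Code(1) Identifier(1) Length(2) Type(1)
MAX_PEER_NAME = 255     # assumed size of the fixed buffer the name is copied into


class EapError(ValueError):
    """Raised for any packet that fails structural or bounds validation."""


def parse_eap_md5(packet: bytes, max_name: int = MAX_PEER_NAME) -> dict:
    """Parse an EAP Request/Response carrying an MD5-Challenge.

    Every slice below is bounded by the packet's own Length field, which
    is itself checked against the bytes actually received."""
    if len(packet) < HEADER_LEN + 1:
        raise EapError("short header")
    code, ident, length, eap_type = struct.unpack("!BBHB", packet[:HEADER_LEN])
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise EapError(f"unexpected EAP code {code}")
    # The Length field must describe exactly what we hold; never trust it alone.
    if length != len(packet):
        raise EapError("length field does not match received bytes")
    if eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise EapError(f"unexpected EAP type {eap_type}")
    value_size = packet[HEADER_LEN]
    type_data_len = length - HEADER_LEN - 1      # bytes after Value-Size
    # Check 1: the challenge value must lie inside the packet.
    if value_size == 0 or value_size > type_data_len:
        raise EapError("value-size exceeds packet")
    value = packet[HEADER_LEN + 1:HEADER_LEN + 1 + value_size]
    name = packet[HEADER_LEN + 1 + value_size:length]
    # Check 2: the remainder is what gets copied into a fixed buffer, so its
    # length (derived from Length and Value-Size) is compared to that buffer.
    if len(name) > max_name:
        raise EapError("peer name longer than destination buffer")
    return {"code": code, "id": ident, "value": value,
            "name": name.decode("ascii", "replace")}


def classify(packet: bytes) -> str:
    """Return 'ok' for a well-formed packet, otherwise the rejection reason."""
    try:
        parse_eap_md5(packet)
        return "ok"
    except EapError as exc:
        return str(exc)


def build_eap_md5(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Construct a test packet with a consistent Length field."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed inputs: a normal request, one whose name would overrun the
# destination buffer, and one whose Value-Size points past the packet end.
VALID = build_eap_md5(EAP_REQUEST, 7, bytes(16), b"server")
OVERSIZED_NAME = build_eap_md5(EAP_REQUEST, 8, b"\x01" * 16, b"A" * 300)
BAD_VALUE_SIZE = struct.pack("!BBHB", EAP_REQUEST, 9, 8, EAP_TYPE_MD5_CHALLENGE) + bytes([200]) + b"xx"

if __name__ == "__main__":
    for label, pkt in [("valid", VALID), ("oversized name", OVERSIZED_NAME),
                       ("bad value-size", BAD_VALUE_SIZE)]:
        print(f"{label:15}: {classify(pkt)}")
```

The two rejections are the ones that matter for the class of bug described: Check 1 keeps the value slice inside the data actually received, and Check 2 compares the derived remainder against the destination's capacity rather than against the packet length. Python slicing cannot overrun memory, so the exceptions stand in for the corruption a C implementation without these checks would suffer.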

What now?

“Update your software with the latest available patches provided by your software vendor,” IOActive advises. “It is incorrect to assume that pppd is not vulnerable if EAP is not enabled or EAP has not been negotiated by a remote peer using a secret or passphrase. This is due to the fact that an authenticated attacker may still be able to send unsolicited EAP packet to trigger the buffer overflow.”

CERT/CC’s advisory provides up-to-date information about affected products by various vendors and links to those vendors’ advisories, which then link to fixes (when they are made available).

Tenable says that there are still no working PoCs for this vulnerability, but that they soon might be.

“One appears to be a work-in-progress, while another claims that a PoC will be released for this vulnerability ‘in a week or two when things die down.’”

Photos: RSA Conference 2020, part 2

RSA Conference 2020 is underway at the Moscone Center in San Francisco. Check out our microsite for the conference for all the most important news. Part one of the photos is available here.

Here are a few photos from the event, featured vendors include: Tenable, Ping Identity, PKWARE, eSentire, Deloitte, Securonix, and Futurex.
