Security Intelligence FeedWe’ve got your back, even when you don’t know it.

On 25 March 2021, OpenSSL released its  version 1.1.1k to fix two security issues. The flaws, tracked as CVE-2021-3450 and CVE 2021-3449, affect a variety of recent OpenSSL versions and apply to specific configurations.

Details

• The first vulnerability, CVE-2021-3450, only affects niche non-standard configurations (with X509_V_FLAG_X509_STRICT mode) in versions of OpenSSL 1.1.1h and newer.
• The second, CVE-2021-3449, affects all OpenSSL 1.1.1 versions when OpenSSL TLS servers are running default configurations (with TLSv1.2 and renegotiation enabled). OpenSSL TLS clients are not impacted by this issue.
• At the time of writing, Ubuntu, WindRiver, Launchpad.net, Debian, and AlpineLinux announced that they are applying the patches for these issues.

Why it’s important

• There is a high risk associated with OpenSSL vulnerabilities as threat actors often exploit them for malicious purposes.
• OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet.
• Malicious actors could abuse the flaw detailed in the CVE-2021-3449 to cause a denial-of-service (DOS) by sending maliciously-crafted data to the server.
• The issue is likely to affect servers using OpenSSL on the Internet, including web and mail servers. If network appliances use OpenSSL and are exposed to the Internet, they too would be vulnerable.
• All end-user facing software running any version of 1.1.1 with renegotiation enabled may be vulnerable.

Mitigation

• We recommend monitoring for updates and guidance from operating system, distribution, appliance, software vendors and service providers, and applying updates as they become available.
• In order to determine if OpenSSL is running and the version, we recommend administrators run “openssl version” command on their appliances (terminal).
• Follow OpenSSL guidance on updating and configuring the implementations.
• TLS1.3 is supported in up-to-date major web browsers. Consider disabling TLS1.2, where possible.
• Update OpenSSL libraries to version 1.1.1k along with operating system patches to keep the server secure.
  Note: A reboot is required as patching without a reboot leaves vulnerable code in memory, and the patched version on disk and the server remains vulnerable.

References: OpenSSL

CISCO published a firmware release 1.0.01.02 fixing multiple vulnerabilities in its Small Business VPN routers.

Details

• CISCO fixed multiple vulnerabilities in its Small Business RV-series routers, as well as some in its  Internetworking Operating System (IOS) XR software.
• The most critical of these flaws affect the Cisco RV160, RV160W, RV260, RV260P, and RV260W VPN routers with firmware release earlier than 1.0.01.02. They could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.
• Note, some of the older CISCO VPN routers won’t have an update available, as they are no longer supported.

Why it’s important

• CISCO is not aware of any attempts to abuse these flaws for malicious purposes, but as the details are now public, exploitation by malicious actors may be on a way.
• We recommend reviewing the list of products affected and applying updates using guidance in the References section below.

References:

CISCO, ThreatPost, ZDNet

Security researchers report on a malicious campaign spreading via 6-year old remote command execution (RCE) vulnerabilities in ElasticSearch and Jenkins.
 

Details

• The first flaw, tracked as CVE-2015-1427, is an RCE in Groovy scripting engine affecting ElasticSearch before 1.3.8 and 1.4.x before 1.4.3.
• The second flaw is a Jenkins script console RCE vulnerability. The CVE was misidentified in the campaign report, but is likely a CVE-2015-8103 in Jenkins before 1.638 and LTS before 1.625.2.
• Groovy, a scripting language used by default in Elasticsearch versions prior to 2.x and multiple Jenkins versions, enables dynamic scripting which makes default installations in older versions unsecure.

 
Why it’s important

• Threat actors often take advantage of open-source installation used in victim environment as these tools often get overlooked by IT teams and often stay unpatched.
• Use the latest version of ElasticSearch and Jenkins and follow vendor best practices for securely configuring your installations.
• Ensure your ElasticSearch and Jenkins are not default installations and do not allow users to access the data over the internet.

References ElasticSearch, Jenkins, NetLab360

On 2 March 2021, Microsoft released emergency security updates for Microsoft Exchange servers to fix four vulnerabilities  actively exploited by a state-sponsored threat actor.

 
Details

• The same week, Microsoft and several government organizations published reports on a widespread exploitation of the  flaws in an attack chain now dubbed ProxyLogon.
• On 8 March, Microsoft released additional updates for some older (and unsupported) Cumulative Updates (CUs) as a temporary measure to help protect more vulnerable machines.
• At the time of reporting, several examples of working proof-of-concept (POC) code have been released publicly, as well as reports on the exploitation of these flaws by multiple threat actors.

 
Why it’s important

• We recommend reviewing the list of products affected to determine if you are running a vulnerable Microsoft Exchange server.
• Any organization running an instance of vulnerable Microsoft Exchange that is exposed to the internet would likely have had attempts to breach their system.
• ·If you running a vulnerable version, disable remote access to the Exchange server and review product logs for evidence of exploitation.
• If any evidence of compromise is uncovered, additional analysis should be performed, and the system should be rebuilt from a clean back-up.
• Otherwise, apply the patches and ensure your Microsoft Exchange Server is securely configured.

 
References: Microsoft, CISA

On 24 February 2021, Cisco fixed a critical vulnerability in their Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO).  This vulnerability ranked ranked 10 out of 10 on the Common Vulnerability Scoring System (CVSS) scale.

Details

• The flaw, tracked as CVE-2021-1388, is in the Cisco ACI Multi-Site Orchestrator (MSO) – Cisco Systems’ inter-site policy manager software.
• The flaw impacts only Cisco ACI MSO 3.0 versions installed on the Application Services Engine and could allow a remote attacker to bypass authentication on an affected device.
• According to Cisco, a malicious actor could use the flaw to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

Why it’s important

• Although Cisco is not aware of any attempts to abuse the flaw for malicious purposes, its maximum severity signifies the ease of exploitation and may attract malicious actors to take advantage of the flaw in the near future.
• We recommend reviewing the list of products affected and applying updates using guidance in the References section below.
• In order to leverage this flaw, a threat actor needs to access the API.  Restricting API access to known systems is a great defense-in-depth strategy that can limit exposure to these types of vulnerabilities.

References:

Cisco Security Advisory