Latest cyber threats, vulnerabilities, data breaches and security updates
Thursday August 16, 2018:
Cisco security advisories

Cisco has released security updates for several products, including Web Security Appliance (WSA), Unified Communications Manager IM & Presence Service and Adaptive Security Appliance (ASA).

The High-severity vulnerabilities fixed include (with Cisco's summary of each):
  • Web Security Appliance Web Proxy Memory Exhaustion Denial-of-Service Vulnerability (CVE-2018-0410): "The vulnerability exists because the affected software improperly manages memory resources for TCP connections to a targeted device. An attacker could exploit this vulnerability by establishing a high number of TCP connections to the data interface of an affected device via IPv4 or IPv6. A successful exploit could allow the attacker to exhaust system memory, which could cause the system to stop processing new connections and result in a DoS condition."
  • Unified Communications Manager IM & Presence Service Denial-of-Service Vulnerability (CVE-2018-0409): "The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious IPv4 or IPv6 packet to an affected device on TCP port 7400. An exploit could allow the attacker to overread a buffer, resulting in a crash and restart of the XCP Router service."
  • Adaptive Security Appliance Web Services Denial-of-Service Vulnerability (CVE-2018-0296): "The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic."
A number of other Medium severity vulnerabilities were also addressed in Cisco's Security Advisories and Alerts.

One of those released Thursday impacts Cisco's IP Phone and Wireless IP Phone products (DoS vulnerability CVE-2018-0325).

A previously disclosed Linux kernel vulnerability (CVE-2016-5195, "Dirty COW", disclosed in October 2016) also impacts multiple Cisco products.

Wednesday August 15, 2018:
Microsoft August patch updates

Microsoft issued the August 2018 Security Updates, which include more than 60 unique vulnerability fixes, 19 of them rated Critical and two of them zero-days under active exploitation.

The updates cover multiple Microsoft products, including Windows, Internet Explorer, Edge, Office, Office Services and Web Apps, ChakraCore, Visual Studio, Exchange, SQL Server, .NET Framework and Adobe Flash Player.

One of the zero-day vulnerabilities is a Windows Shell remote code execution vulnerability (CVE-2018-8414):

"An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges."

The second zero-day is a Windows Kernel information disclosure vulnerability (CVE-2018-8341):

"An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system."

Admins should also take note of a buffer overflow vulnerability in the SQL Server engine affecting SQL Server 2016 and 2017 (CVE-2018-8273) and a memory corruption vulnerability in Exchange Server (CVE-2018-8302); both are rated Critical and should be patched promptly.

See the Security Update Guide and the August release notes for details on all patches.

Adobe fixes vulnerabilities in multiple products 

Adobe issued security updates to address vulnerabilities in multiple products. 

The Flash Player update (APSB18-25) addresses multiple vulnerabilities that impact Adobe Flash Player for Windows, macOS, Linux and Chrome OS.

Adobe Flash Player and earlier versions are affected and should be upgraded.  

Also, an update for the Creative Cloud Desktop Application (APSB18-20) resolves an insecure library loading vulnerability in the installer that could lead to privilege escalation (CVE-2018-5003).

Additional updates include those for Adobe Experience Manager (APSB18-26) and Adobe Acrobat and Reader (APSB18-29).

The Acrobat and Reader update fixes two critical vulnerabilities (CVE-2018-12808 and CVE-2018-12799).

Adobe says that successful exploitation could lead to arbitrary code execution in the context of the current user. 

Samba security updates

Samba released security updates that address five vulnerabilities: CVE-2018-10858, CVE-2018-10918, CVE-2018-10919, CVE-2018-1139 and CVE-2018-1140.

Tuesday August 14, 2018:
TLS 1.3 is officially standard

TLS 1.3 officially became a standard last week, bringing improved privacy, security and performance to the protocol that secures most traffic on the internet.

The Internet Engineering Task Force (IETF) made version 1.3 of the Transport Layer Security (TLS) protocol official August 10th, more than four years after the protocol was first drafted in April of 2014. 

Securely sending information over the internet is foundational and critical for online commerce, healthcare and other sensitive transactions. 

The primary goal of TLS is to provide a secure channel between communicating applications or peers over the internet; it is designed to prevent eavesdropping, tampering and message forgery.

The IETF describes some of the improvements in TLS 1.3:

"In contrast to TLS 1.2, TLS 1.3 provides additional privacy for data exchanges by encrypting more of the negotiation handshake to protect it from eavesdroppers. This enhancement helps protect the identities of the participants and impede traffic analysis. TLS 1.3 also enables forward secrecy by default which means that the compromise of long term secrets used in the protocol does not allow the decryption of data communicated while those long term secrets were in use. As a result, current communications will remain secure even if future communications are compromised."

See RFC 8446 for the full specification and the details of the protocol changes.
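One practical consequence of the new version is how it is negotiated on the wire: a TLS 1.3 client still sends legacy_version 0x0303 (TLS 1.2) in its ClientHello and advertises 1.3 only through the supported_versions extension (RFC 8446, section 4.2.1), so tooling that keys off the version field alone will misclassify it. The following Python script is an added example, not part of the original page or of any IETF code: it builds a ClientHello from constructed sample values and parses one back to report the versions actually offered. The function and constant names are my own. It also illustrates a caveat to the "encrypted handshake" improvement: the ClientHello, including the server_name (SNI) extension, is still sent in the clear, since encryption in TLS 1.3 begins after the ServerHello.

```python
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SERVER_NAME = 0x0000          # RFC 6066 server_name
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions


def build_client_hello(versions, cipher_suites, server_name=None, random_bytes=b"\x00" * 32):
    """Build a minimal TLS ClientHello record (constructed sample, not a real capture).
    A real client uses 32 random bytes; a fixed value is used here for reproducibility."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry                # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if versions:                                                   # TLS 1.3 style offer
        body = b"".join(struct.pack("!H", v) for v in versions)
        sv = struct.pack("!B", len(body)) + body
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = (struct.pack("!H", 0x0303) + random_bytes              # legacy_version is always 1.2
             + b"\x00"                                             # empty legacy_session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                                         # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def parse_client_hello(record):
    """Parse a ClientHello record into legacy_version, cipher_suites, supported_versions, server_name."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                                  # skip random
    pos += 1 + body[pos]                                           # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                           # skip compression methods
    result = {"legacy_version": legacy_version, "cipher_suites": suites,
              "supported_versions": [], "server_name": None}
    if pos >= len(body):
        return result                                              # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns ClientHello")
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_VERSIONS:
            n = data[0] if data else 0
            result["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                            for i in range(1, 1 + n, 2)]
        elif etype == EXT_SERVER_NAME:
            # list length (2), name_type (1), host length (2), host: readable on the wire
            name_len = struct.unpack("!H", data[3:5])[0]
            result["server_name"] = data[5:5 + name_len].decode("ascii")
    return result


def offered_versions(record):
    """Versions the client really offers, highest first. Per RFC 8446 4.2.1 the
    supported_versions extension is authoritative when present; only without it
    does legacy_version mean anything."""
    info = parse_client_hello(record)
    versions = info["supported_versions"] or [info["legacy_version"]]
    return sorted(set(versions), reverse=True)


def offers_tls13(record):
    return 0x0304 in offered_versions(record)


if __name__ == "__main__":
    modern = build_client_hello([0x0304, 0x0303], [0x1301, 0x1302, 0xC02F], server_name="example.com")
    legacy = build_client_hello([], [0xC02F])
    for name, rec in (("modern", modern), ("legacy", legacy)):
        info = parse_client_hello(rec)
        print(name, [TLS_VERSIONS[v] for v in offered_versions(rec)], "SNI:", info["server_name"])
```

Running the script shows that both hellos carry legacy_version 0x0303, yet only the first offers TLS 1.3, and that the SNI of the first is recoverable by anyone on the path. Detection or inventory logic that wants to know whether clients on a network have moved to 1.3 should therefore read supported_versions, not the record or legacy version fields.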

Oracle Database security alert

Oracle has released a Security Alert Advisory for an Oracle Database vulnerability (CVE-2018-3110) in versions and on Windows.

The vulnerability carries a very high CVSS v3 base score of 9.9 (10 being the highest).

According to Oracle, an exploit of this vulnerability "can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU." 

Oracle recommends that system admins apply the patch without delay.

Monday August 13, 2018:
Researcher discovers macOS 0-day vulnerability

A security researcher demonstrated at last week's Defcon conference how a vulnerability (CVE-2017-7150) in recent versions of macOS could be exploited to mount a "synthetic" mouse-click attack.

According to Patrick Wardle, Chief Research Officer of Digita Security, the vulnerability allows unprivileged code to interact with any UI component, including "protected" security dialogs.

Wardle stumbled upon the Apple zero-day by "tweaking just two lines of code," according to Threatpost.

In other words, malware could programmatically "click" a security prompt, such as the one that gates kernel access, on systems running Apple's latest High Sierra release. Apple had previously blocked such methods, which could be abused by hackers and malware to synthetically approve security prompts.

An excerpt from Wardle's description of the issue:

"Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise) we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box!"

Wardle also mentioned that Apple's next version of macOS, Mojave, will block all synthetic events, although this could affect legitimate applications that rely on such events.

Saturday August 11, 2018:
Many organizations lacking adoption of key CIS controls

A recent survey conducted by Tripwire revealed that organizations are not fully adopting security controls from key benchmarks, such as those of the Center for Internet Security (CIS).

CIS established the "top 20" set of critical security controls to help organizations prioritize and protect their organization and data from known cyber attack vectors.

The survey was sent to 306 IT security pros in July 2018 and showed some surprising results, including:
  • Two-thirds of organizations do not use hardening standards/benchmarks (e.g., CIS or Defense Information Systems Agency (DISA)) for secure baselines of systems.
  • More than half of respondents said it takes weeks, months or longer to detect new devices on their network.
  • Forty percent of organizations are not scanning for vulnerabilities on a weekly or more frequent schedule.
  • Half of organizations aren't running authenticated scans.
  • Over half of organizations said they aren't collecting and centrally storing security logs from critical systems.
  • Forty-one percent of organizations don't use multi-factor authentication for privileged access.

Some security experts even say that adopting just the first five controls (listed below) could have prevented or reduced the risk of 85% of cyber attacks.

The first five CIS controls:
  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Also see the SANS CIS Controls download and its mappings to other security frameworks and regulatory obligations.

IT organizations should look for solutions and processes that automate checking against the CIS controls.