Bear Security – Security News for Week of May 8th, 2021
These are the stories that relate to our careers, clients, and businesses in the cybersecurity world for the Week of May 8th, 2021. Watch this in video form over on YouTube, or you can listen on the go with the Bear Security podcast.
Biden Administration to Order New Cybersecurity Standards
NPR is reporting that the Biden administration is putting the final touches on an executive order intended to help the U.S. defend itself against cybersecurity attacks such as the one leveled against SolarWinds. The executive order is intended to help modernize cybersecurity, reduce risk, and require notification of breaches and attacks. The order also seeks to create something similar to the National Transportation Safety Board, also known as the NTSB, but for cybersecurity incidents, which would piece together and investigate attacks so that we can learn from them and build our defenses.
The executive order is still in the works, so things may still be added or removed. One thing is for sure: we collectively have a lot of work to do to improve security at all levels of society. If you manage or oversee a security program, encourage your engineers and analysts not only to share threat information but also to be part of the greater information security community.
Read the full story at NPR (Also, support NPR!)
Dell Vulnerability Goes Back 12 Years
Dell has announced a vulnerability in their client platform software that affects millions of computers and has gone undetected since 2009. An advisory published by Dell on Tuesday states that the dbutil_2_3.sys driver, which often comes pre-installed or can remain on the system after a firmware update, contains an insufficient access control vulnerability that can lead to escalation of privilege, denial of service, or even information disclosure. Dell reports the driver file was used by firmware update tools including Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, and Dell Platform Tags.
Dell has provided a patched version that can be installed. Unless you actually need these tools on your system, though, it may be best to uninstall them. With the rise of supply chain attacks in recent years, it was only a matter of time before something like this came along; tools like this should be used for their intended purpose and then uninstalled. A good practice for businesses is to clean-wipe any system received from an OEM and install only what is necessary, to lessen your attack surface.
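As an added example (not Dell's tooling or part of the original story), here is a PowerShell check a Windows admin can run to see whether the dbutil_2_3.sys driver named in the advisory is registered as a system driver or left behind on disk, so it can be updated or removed. The search roots are an assumption about where update tools leave files; adjust them for your environment.

```powershell
# Added example: report whether dbutil_2_3.sys is present on this Windows host.
# Search roots below are an assumption, not locations taken from Dell's advisory.
$DriverName  = 'dbutil_2_3.sys'
$SearchRoots = @("$env:SystemRoot\Temp", "$env:SystemDrive\Users")

# 1. Is a system driver whose binary path references this file registered or loaded?
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -match [regex]::Escape($DriverName)) } |
    Select-Object Name, State, StartMode, PathName

# 2. Are copies of the file lying around on disk (e.g. left behind by update tools)?
$files = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
                # Hash lets you compare the copy against the hashes Dell publishes.
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($loaded) {
    Write-Output "Registered system driver(s) referencing ${DriverName}:"
    $loaded | Format-Table -AutoSize
}
if ($files) {
    Write-Output 'On-disk copies found (verify against Dell''s advisory, then update or remove):'
    $files | Format-Table -AutoSize
}
if (-not $loaded -and -not $files) {
    Write-Output "No $DriverName found in the searched locations."
}
```

Run it from an elevated prompt so that other users' profile directories are readable; a result of "not found" only covers the roots you searched.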
Pulse Secure Zero-Days Finally Patched
SC Magazine reported on Monday that Pulse Secure released a patch for several vulnerabilities, including a critical zero-day that hackers have used to access the networks of U.S. defense contractors and at least 5 government agencies. The vulnerability was disclosed last week but was already being actively exploited at the time of disclosure. Pulse Secure has been working closely with the Cybersecurity and Infrastructure Security Agency (CISA), FireEye, and Stroz Friedberg to investigate and respond quickly to the identified malicious activity. Because the vulnerability was exploited before it was disclosed, assume compromise and investigate to confirm that your network has not been breached. Customers are also encouraged to run the Pulse Connect Secure Integrity Tool to check for evidence of malicious activity on the device.
Cisco SD-WAN vManage, HyperFlex HX, Cisco Small Business 100, 300, and 500 Series WAPs, and SD-WAN vEdge Vulnerabilities
Bleeping Computer is reporting that Cisco has fixed critical vulnerabilities in SD-WAN vManage and HyperFlex HX software. These vulnerabilities allow an attacker to create rogue admin accounts and execute commands with root privileges. In addition to these critical vulnerabilities, Cisco has also released updates to address high- and medium-severity vulnerabilities in Cisco Small Business 100, 300, and 500 series wireless access points and SD-WAN vEdge software that allow remote arbitrary code execution and privilege escalation, trigger denial-of-service conditions, and more.
Cisco’s Product Security Incident Response Team said they are not currently aware of any active exploitation of these vulnerabilities in the wild.
In addition to these vulnerabilities, Cisco also reported two vulnerabilities that allow command injection and denial of service against its Adaptive Security Appliance software and Firepower Threat Defense software. Patches are available; there are no workarounds.
Apple Releases Patches for More WebKit Vulnerabilities
If you were hoping you could take a break from updating your Apple devices, you’ll have to hold off another week. The Verge is reporting that Apple has released a series of updates for iOS, iPadOS, macOS, and watchOS that address critical vulnerabilities that allow a malicious actor to gain full control of your device. These fixes extend the first round back in February, which also addressed the same component, WebKit. WebKit is Apple’s framework that renders most of the web content you see on your device.
Even if you use a third-party browser, it’s still a good idea to get these updates installed: since WebKit is a standard framework available to all applications, any app may use it to access web content.
Google Android Addresses Over 40 Vulnerabilities in May Security Update
Android users also have an important security update of their own. Google’s latest security bulletin outlines fixes for over 40 vulnerabilities in the May 2021 security patch, which was released on Wednesday. The most severe of these vulnerabilities could allow remote code execution on your device, though exploiting it requires the context of an already-installed application that has been given full rights to your device. The fixes cover the media framework and kernel as well as AMLogic, ARM, MediaTek, Unisoc, and Qualcomm components.
Android users are often at the mercy of their mobile carriers to receive patches, so it may be a few days or even weeks before you see the security patch available for your device. In the meantime, only download applications from trusted vendors in the Google Play Store or an app store you trust, avoid visiting untrusted websites or links from untrusted sources, and limit the privileges you grant any application.
DigitalOcean Experiences a Data Breach of Customer Billing Data
TechCrunch is reporting that DigitalOcean customers received an email on April 26th saying the company had confirmed an unauthorized exposure of details associated with the billing profile on some customers’ accounts. The company said the access happened during a two-week window between April 9th and 22nd and that it has since fixed the flaw. Information accessed included customer names, addresses, the last four digits of their payment card, its expiry date, and the name of the card-issuing bank. DigitalOcean has so far not disclosed what the flaw was, how it was discovered, or which authorities have been informed, but it claims only 1% of accounts were affected.
NIST Taking Comments on HIPAA Security Rule Guidance
If you deal with the Health Insurance Portability and Accountability Act, known as HIPAA, the National Institute of Standards and Technology wants to hear from you. HealthITSecurity.com is reporting that NIST recently announced plans to update its guidance for implementing the HIPAA Security Rule, and it is looking for comment from industry stakeholders on the proposed changes, including insight into real-world application. The guidance was last updated back in 2008. Comments are being accepted through June 15, 2021.