Eleven Critical Flaws in Microsoft Software Must Be Patched, Including One Under Active Exploit; Known Control Web Panel Flaw Now Under Active Exploit; If You Haven’t Patched Fortinet SSL VPN, You May Have Already Been Compromised

As part of patch Tuesday, I wanted to highlight some embargoed research that ties into this update. The Unit42 group from Palo Alto created an interesting kit that produced a wide-ranging number of vulnerabilities, some of which were fixed in this update. If you're interested in finding vulnerabilities in software, I highly recommend you take a look at a talk called “Select Bugs From Binary Where Pattern like CVE-1337-Days”. We may see more easily found, exploited, and patched bugs, which could have short-term consequences and long-term benefits.

Moses Frost

I’d like to see Microsoft consistently report on when Windows and Windows app (like Exchange, SharePoint, etc.) vulnerabilities are patched in their cloud-based, app as a service offerings. 2021 data said 2/3 of Exchange customers were using cloud-based Exchange service. If you are in the 1/3 still doing on prem and not able to patch rapidly, buy your CIO a cup of coffee and show her or him the numbers.

John Pescatore

Today, Jan 13, is National Blame Somebody Else Day, and while blaming Microsoft may seem appropriate, it's not going to help if it felt like these came late. It was probably the holiday messing with our internal clocks. So, yeah, 93 flaws, 11 critical, 1 actively exploited. Icing on the cake - CVE-2023-21674, the one being exploited, is also a zero-day privilege escalation flaw, so you're likely on the hook for immediate remediation. There is also another printer subsystem update as well as a SharePoint Server bug allowing unauthenticated remote connections. Note the SharePoint fix also needs you to deploy an update to the SharePoint server. If you didn't get the update lined up for your regular patch window, get on it. Yes, this is a three-day weekend in the US, you should be able to blow this update out to your commodity systems, allowing you to focus on more specialized systems. Aside from isolated/air-gapped use cases, ask why you are still running your own SharePoint servers. The time has come to make sure you're leveraging standardized services which are hosted so you can focus on systems needed for your mission objectives.

Lee Neely

This is an attack on “CentOS Web Panel,” which is a very analogous project to the classic “Webmin” interfaces. None of these interfaces should be directly exposed to the Internet, but just like other internal management stations are, you can imagine these are as well. This one is tragically bad, as it’s an unauthenticated attack. Hopefully, these systems are not connected to internal networks. I would state that a VPN, SSH, or other secured connectivity method should be used. However, I suspect most of our readers are aware of this. Instead, what I will say is a cursory look on the internet does not suggest an extremely wide-scale deployment of this software exposed to the internet. We have yet to encounter this system on the Enterprise penetration tests we’ve been on.

Moses Frost

If you're using the Centos Web Panel 7, apply the update from October. This flaw has a CVSS score of 9.8. Seriously, you can run OS level commands because of how the input is handled, making it pretty easy to exploit.

Lee Neely

Hard to find actual data, but successful exploits against VPNs seem to happen disproportionately at US government agencies. Some is likely that they are targeted more, but OIG reports often point out poor patching performance on obvious targets like VPNs with published vulnerabilities.

John Pescatore

Make sure you're incorporating all the IOCs in your threat hunting, and verify you've updated your Fortinet SSL-VPN's to the fixed FortiOS. The threat actor is working very hard to avoid detection, manipulating log files, shutting down logging and IPS services. The only workaround is disabling the SSL-VPN, which is likely unrealistic, even with all-hands on-deck. (no telecommuting.)

Lee Neely

Every so often you need an incident to get attention (and funding) to fix broken systems. Let’s hope that this was all it took to get this system moved out of the 20th century. Some news suggests that the outage was due to not following procedures. But often there are reasons people do not follow procedures, for example if they are unpractical or if they just do not have the time/staffing required to follow procedures.

Johannes Ullrich

Ah, self-inflicted wounds: Squirrels chewing through wires, untrimmed tree branches shorting out electricity distribution lines have been the cause of some of the largest power outages. Bad router or switch updates have been the cause of the biggest telecommunications outages. But, I can’t remember once any large outage being blamed on a security patch pushed out too quickly.

John Pescatore

One hopes this incident will similar regulatory review to the SouthWest issue earlier this year. Both underscore the need to have adequate staffing and updated applications/services, with automated failover. Ideally environments for regression testing and dynamic scaling. We've all been there when a "simple" change causes an unexpected outage. This would be a good time to check to make sure that critical systems are not only properly resourced but also have appropriate lifecycle plans which factor in the current workloads and demands.

Lee Neely

While attention will be on the aging infrastructure used by the FAA, one has to ask how the file(s) got corrupted in the first place and found their way to both the primary and backup NOTAMS. A review and changes to the procedures for updating, testing, and pushing these system files to the operational network is warranted.

Curtis Dukes

It was disappointing to see the number of people, many of them in the cybersecurity field, that jumped to the conclusion this outage was the result of a cyberattack. This type of overhyping of issues only leads to the undermining of the credibility of the cybersecurity industry. We need to do better in providing commentary on issues, not all IT incidents are cyber attacks.

Brian Honan

One would like to know whether the decision to ground the fleet in the event of the failure of this application was planned or (more likely) ad hoc. In the presence of a plan there was surely a cheaper, both economically and politically, remedy.

William Hugh Murray

There are really only two options here - either limit physical access, or purchase replacement units which have the improved secure boot (with an immutable root of trust) which resolve this flaw. As exploiting the flaw requires physical tampering, you could consider tamper indicators, but make sure you are checking them. Consider the costs of physical restrictions, with monitoring, versus replacements.

Lee Neely

These bugs are probably the worst-case scenarios for everyone involved. Very few organizations will be replacing their PLCs universally. Given this, organizations must accept that it's a risk whenever someone touches those PLCs. It will be curious if we ever read about an insider attack with these controllers.

Moses Frost

This vulnerability serves as a reminder that organizations regularly review all aspects of their information security program. In this case both physical and personnel security processes are a primary focus for defensive actions based on this vulnerability.

Curtis Dukes

Cisco last sold these devices in 2016. Maybe they built them too well given how many of them still appear to be in use. Every device you buy comes with an expiration date and you need to plan and budget for timely replacements. I just wish the expiration date would be clearly visible on the device.

Johannes Ullrich

These are end-of-life products. Disablement of remote management and blocking access to ports 443 and 60443 are the only partial workarounds, the real fix is to replace these. With a CVSS score of 9.0, maybe do it quickly? I know, they are on your list, and you bought replacements which arrived, excellent! Deploy them, in the off chance you missed lining up replacements, leverage this information to justify rapid action.

Lee Neely

These devices should be called “Cisco in name only.” The Small Business routers that are the constant front-page news here are part of the Small Business Unit for Cisco. Cisco IOS is not running on any of these units, and these units probably keep their internal Product Security Team (PSIRT) busy. The problem I see is that they carry the Cisco brand but have obvious security issues. Why we keep seeing C Memory Corruption bugs on web Interfaces is beyond me. As these units are sold to small companies, the worst part is that they will probably not be patched. Whenever I talk to a small business owner, I urge them into a cloud-managed system that auto updates. Pick one in that Prosumer / Small business space and have the manufacturer keep it up to date with a cloud-controlled system. It’s not the most ideal, but in the long run probably cheaper than paying for ransomware.

Moses Frost

Both Packet Capture (PCAP) and event logs are important data sources for forensic teams investigating a cyber breach. While some cybersecurity professionals might question maintaining PCAP data for a minimum 72 hours, it’s a reasonable balance between storage requirements and equipping the cyber defender.

Curtis Dukes

This only applies to the logs, not the data or content on systems that generated those logs. This means keep logs on centralized logging infrastructure, so you don't miss retention requirements with lifecycle activities of the systems generating logs. This ties back to directives contained in the May 2021 Cyber Security Executive Order (EO 14028).

Lee Neely

Enterprises should consider similar retention rules to facilitate both routine management and necessary forensics.

William Hugh Murray

CVE-2022-41080 - an Exchange privilege escalation flaw from last year, can be combined with CVE-2022-41082 to achieve arbitrary code execution. CVE-2023-211674 is the same Windows ALPC privilege escalation flaw addressed in the Jan 10 Windows update we discussed previously. Good news, the patches for these are out, go deploy them. Bad news - you're still hanging onto those on-premises Exchange servers.

Lee Neely

To prevent massive backlogs, Royal Mail is asking customers to not post international items until further notice. They also subscription to service update emails so users can remain informed. The Royal Mail Label/Marking system used for international items was taken out by LockBit ransomware. It is not clear if this was the genuine LockBit, or another actor using the leaked LockBit 3.0 ransomware builder, which could mean the data is not decryptable. To add to the impact, Royal Mail is also involved in a dispute with the Communication Workers Union, over pay and conditions, and is threatening another strike; I bring this up as a scenario to consider in your BCP efforts. Understand where your fallback plan can fail and decide what you're going to do if it happens now, rather than later, to include management buy-in.

Lee Neely

Yay, DMPS is effectively back online. One expects the teacher workdays planned for next week will also be IT heads-down finish the cleanup days as well. DMPS also changed the dates of the semester to compensate for the days they cancelled classes. Make sure that if you're impacted by cancelled classes at your school, you check for any changes in schedule, including semester and holiday schedule.

Lee Neely

More than a decade ago, school systems nationally migrated to online information sharing and reporting for both parents and students. Couple that with a limited IT and cybersecurity budget and they are an easy target for cybercriminals—principally ransomware gangs. The FY2022 State and Local Cybersecurity Grant Program provides an opportunity for funding to implement a cybersecurity plan within school districts.

Curtis Dukes