SANS NewsBites

Patch Ivanti Endpoint Manager ASAP: SEC Requires Publicly Traded Companies to Report Incidents in 4 Days; Carefully Check and Update Ubuntu for Needed Fixes to OverlayFS Driver

July 28, 2023  |  Volume XXV - Issue #59

Top of the News


2023-07-26

Ivanti Releases Fixes for Vulnerability Exploited in Attack on Norwegian Government Systems

Ivanti has released fixes to address a critical authentication bypass vulnerability that affects all supported versions of its endpoint management platform. Ivanti has acknowledged that the flaw is being actively exploited and urges users to update to the most recent versions of Ivanti Endpoint Manager Mobile. The flaw was exploited in a cyberattack that affected networks at a dozen Norwegian government ministries. The US Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti flaw to its Known Exploited Vulnerabilities catalog on July 25.

Editor's Note

CVE-2023-35078, remote authentication bypass, gets a (perfect) CVSS score of 10. This flaw affects all the supported as well as older unsupported versions of Ivanti EPMM (formerly MobileIron Core). The reason you may not have heard the connection to the attack on the Norwegian government sites is that information was being held back until the patch had been released from Ivanti. Ivanti is also actively engaging with customers to get the patch applied as well as help investigate compromises where needed. If you're an Ivanti site, make sure that not only are you running a supported patched version but also that you're following their latest security guidance.

Lee Neely

Ivanti’s Endpoint Manager Mobile (formerly MobileIron) has a 37% market share in the mobile device management market. That’s a sizeable target market for evil-doers. Heed the vendor advice, download and install the patch now.

Curtis Dukes

2023-07-26

SEC: Publicly Traded Companies Have Four Days to Report Material Cyber Incidents

The US Securities and Exchange Commission (SEC) has issued a final rule that requires publicly traded companies to report material cyber incidents within four days. Exceptions can be made if the US Attorney General determines that disclosure of the incident would pose a threat to national security. In addition, in 2022, the SEC proposed requiring companies to have a cybersecurity expert on their board of directors. The SEC has now backed off from that requirement, instead “requir[ing] registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.”


2023-07-27

Ubuntu Privilege Elevation Vulnerabilities Affect 40 Percent of Users

Researchers at Wiz have detected two privilege elevation vulnerabilities in the OverlayFS module in Ubuntu. One of the vulnerabilities involved inadequate permission checks; the second involves a race condition in the Linux kernel management subsystem. The issues affect 40 percent of Ubuntu cloud workloads.

The Rest of the Week's News


2023-07-26

Python Security Commits

According to a paper authored by researchers from George Mason University and Dougherty Valley High School, Python security commits are often “silent,” meaning they lack CVE identifiers, which hinders the ability of developers who are not security experts from updating to fixed versions of commits. In the paper, the researchers “construct the first security commit dataset in Python, namely PySecDB … and propose a new graph representation named CommitCPG and a multi-attributed graph learning model named SCOPY to identify the security commit candidates through both sequential and structural code semantics.”

Editor's Note

It never helps to hide security flaws. I think this is a great effort to bring to light some of the flaws being patched silently, and I look forward to seeing how PySecDB will evolve.

Johannes Ullrich

Great to see a high school researcher involved in bringing this forward!

John Pescatore

Having a structure and framework for consistently identifying security fixes will help downstream users of your code understand what's being addressed as part of ongoing supply chain risk management activities. While PySecDB is only available for non-commercial research or personal use, it moves the bar in the right direction.

Lee Neely

2023-07-26

Critical Privilege Elevation Vulnerability Affects MikroTik Routers

A critical privilege elevation vulnerability in RouterOS affects as many as 900,000 MikroTik routers. The flaw could be exploited to gain complete control of the devices and from there, gain entry to organizations’ networks. MikroTik has released updates to address the vulnerable versions of RouterOS. Users are urged to upgrade to RouterOS stable version 6.49.7 or newer and MikroTik RouterOS long-term version 6.49.8 or newer.


2023-07-27

MOVEit Victim Organizations Now Total More Than 500

More than 500 organizations are now believed to have been affected by the MOVEit file transfer software vulnerability. One of the more recently disclosed victims is Maximus, a US government services contractor. Maximus disclosed the incident in a July 26 form 8-K filing with the US Securities and Exchange Commission (SEC), noting that the breach affected personal data belonging to between eight and 11 million individuals. Accounting company Deloitte has also confirmed that it is a victim of a MOVEit-enabled attack.


2023-07-27

TSA Updates Pipeline Cybersecurity Rules

The US Transportation Security Administration (TSA) has published updated cybersecurity requirements for owners and operators of oil and natural gas pipelines. The original security directive was issued in 2021 and was updated a year ago.


2023-07-26

Cardiac Monitoring Products and Software Affected by Cybersecurity Incident

CardioComm Solutions, a provider of heart-monitoring technologies, has disclosed “a cybersecurity incident on the Company’s servers.” Earlier this week, CardioComm said its services were experiencing downtime, which has affected several products, including HeartCheck CardiBeat, a handheld electrocardiogram monitor, and the company’s Global Cardio 3 and Home Flex software.


2023-07-27

Update Now Available for Zimbra Vulnerability

Zimbra has released an update to address a vulnerability in Zimbra Collaboration Suite Version 8.8.15 that can be exploited to conduct reflected cross-site scripting attacks. When the flaw was first disclosed earlier this month, Zimbra advised users to implement a manual fix until the patch became available.

Internet Storm Center Tech Corner

Suspicious IP Addresses Avoided By Malware Samples

https://isc.sans.edu/diary/Suspicious+IP+Addresses+Avoided+by+Malware+Samples/30068

Ubuntu OverlayFS Vulnerability

https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability

PySecDB: Security Commit Dataset in Python

https://github.com/SunLab-GMU/PySecDB

Sophos UTM Patch

https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=utm&versionID=9.7

Aruba Patches

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt

Messaging Layer Security (MLS) Protocol

https://datatracker.ietf.org/doc/html/rfc9420

CISA Warns of Insecure Direct Object Reference Vulnerabilities

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-208a

MacOS Infostealer

https://www.sentinelone.com/blog/apple-crimeware-massive-rust-infostealer-campaign-aiming-for-macos-sonoma-ahead-of-public-release/

Ivanti Patches Endpoint Manager Mobile

https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US

Atlassian Patches

https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html

AMD Zen-2 Vulnerability

https://lock.cmpxchg8b.com/zenbleed.html

VMWare CVE-2023-20891

https://socradar.io/vmwares-response-to-the-critical-cve-2023-20891-vulnerability-exposing-cf-api-admin-credentials/