SANS NewsBites

Solar Winds Hotfix for Hardcoded Credentials Issue; New Log4Shell Campaign; Chrome Fixes Ninth Zero-Day of 2024

August 23, 2024  |  Volume XXVI - Issue #65

Top of the News


2024-08-22

Hardcoded Credentials in Solar Winds Web Help Desk

Hardcoded credentials in Solar Winds Web Help Desk (WHD) could be exploited to allow a 'remote unauthenticated user to access internal functionality and modify data.' The issue affects WHD versions 12.8.3 HF1 and earlier. Solar Winds has released a hotfix (WHD 12.8.3 HF2) to address the vulnerability. This is the second hotfix for WHD that Solar Winds has released this month. The previous fix addressed a Java Deserialization Remote Code Execution vulnerability.

Editor's Note

Should be obvious that this must be patched quickly. Hardcoded credentials tend to leak shortly after the patch is released (if not before).

Johannes Ullrich
Johannes Ullrich

It's 2024, hardcoded credentials need to be ancient history. Make sure your SQA processes screen for them. The update, WHD 12.8.3 HF2, addresses two issues: CVE-2024-28987, the WHD hard-coded credential vulnerability (CVSS score 9.1), and CVE-2024-28986, the WHD Java deserialization RCE vulnerability (CVSS score 9.8), previously fixed in WHD 12.8.3 HF1. The hard-coded credential flaw can be exploited by unauthenticated users; the Java deserialization flaw requires an authenticated user. Some good news: HF2 includes the fixes from HF1. The hotfix requires installation of three jar files and manually editing the tomcat_server_template.xml file.

Lee Neely
Lee Neely

Hardcoded credentials are like catnip to cybercriminals; they are on the prowl and looking to exploit. Given the recent uptick in examples of this sort of exploit and its own recent software security issues, it's a bit surprising that the company didn't fix this before it became a problem. Bottom line: apply the hotfix now.

Curtis Dukes
Curtis Dukes

One more example, as if any were needed, of why a safety-first culture, secure by design, is so important to the modern enterprise.

William Hugh Murray
William Hugh Murray
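Lee Neely's note above says SQA processes should screen for hard-coded credentials. Below is an added example of what such a screen looks like; it was written for this page, is not SolarWinds code, and says nothing about the WHD hotfix internals. It walks a set of source and configuration files, flags quoted literals assigned to secret-looking names, skips property and environment placeholders such as `${KEYSTORE_PASS}`, and separately flags long high-entropy string literals that carry no telling name. The Java and XML snippets it scans are constructed samples.

```python
"""Screen source and config files for hard-coded credentials.

Added example for this NewsBites item. Not SolarWinds code; the sample files
below are constructed for illustration only.
"""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    reason: str   # "named secret" or "high-entropy literal"
    name: str     # the variable/attribute name, if any
    value: str    # redacted literal


# An identifier containing a secret-ish word, followed by = or : and a quoted
# literal. Matches Java fields (DB_PASSWORD = "..."), properties (api_key: "...")
# and XML attributes (connectionPassword="...").
NAMED_SECRET = re.compile(
    r'\b([A-Za-z_.]*(?:pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|token|credential)[A-Za-z_.]*)'
    r'\s*[:=]\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
# Any quoted literal, for the entropy check on lines with no telling name.
QUOTED = re.compile(r'["\']([^"\']+)["\']')
# Indirection rather than a literal secret: ${PROP}, {{ var }}, %ENV%, <placeholder>.
PLACEHOLDER = re.compile(r'^(\$\{.*\}|\{\{.*\}\}|%.*%|<.*>)$')

MIN_ENTROPY_LEN = 20   # shorter literals are too often ordinary words
ENTROPY_BITS = 3.5     # bits per character; random hex is ~4.0, English words lower


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal (higher means more random-looking)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a 2-character prefix so the report does not re-leak the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = NAMED_SECRET.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if PLACEHOLDER.match(value):
                continue  # resolved at deploy time from env/properties: not hard-coded
            findings.append(Finding(path, lineno, "named secret", name, redact(value)))
            continue
        for literal in QUOTED.findall(line):
            # Long, space-free, high-entropy literals look like keys even without a name.
            if (len(literal) >= MIN_ENTROPY_LEN and " " not in literal
                    and shannon_entropy(literal) >= ENTROPY_BITS):
                findings.append(Finding(path, lineno, "high-entropy literal", "", redact(literal)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (e.g. read from a checkout)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed samples (not from any real product).
SAMPLES = {
    "src/com/example/Db.java": (
        "class Db {\n"
        '  private static final String DB_USER = "whd";\n'
        '  private static final String DB_PASSWORD = "Wint3r2024!";\n'
        '  private static final String OAUTH_TOKEN = "a8F3kL9qZ2xP7mN4bV6cR1tY0uW5eS";\n'
        '  private static final String HMAC_SEED = "9f2b7c1e4a8d6b3f0e5c2a7d1b9e4f6c";\n'
        "}\n"
    ),
    "conf/server.xml": (
        '<Connector port="8443" keystorePass="${KEYSTORE_PASS}" />\n'
        '<Realm connectionPassword="changeme" />\n'
    ),
    "README.md": "Set PASSWORD=<your password> before starting.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLES):
        print(f"{f.path}:{f.line}: {f.reason} {f.name} {f.value}")
```

Against the samples this reports the Java password and token fields, the unnamed 32-character hex literal, and the `changeme` realm password, while the `${KEYSTORE_PASS}` placeholder and the unquoted README text produce nothing. In a real pipeline the thresholds want tuning per codebase, and a hit should fail the build until the literal is moved to a vault or environment lookup.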

2024-08-22

New Campaign Exploits Log4Shell Vulnerability

Researchers from Datadog Security Labs have detected a new campaign exploiting the Log4Shell vulnerability. The critical flaw (CVE-2021-44228) was first reported in November 2021, and exploits surfaced less than two weeks later. Exploits for the vulnerability have become part of hacking toolkits. While fixes have been available since December 2021, the issue is proving difficult to eliminate 'because of software dependencies and so-called "transitive dependencies" that make patching very difficult.'

Editor's Note

We are observing very consistent scans for Log4j/Log4Shell issues in our honeypots.

Johannes Ullrich
Johannes Ullrich

We all acknowledged that it would take a long time to patch Log4J/Log4Shell, but were we thinking it'd still be in play almost three years later? There is a cliche about the old tricks still working. Anyway, beyond passing the IOCs from Security Labs to your team, make sure that you're still scanning for vulnerable Log4J, and applying updates when they are released. Make sure mitigations are still in place for those high-impact systems and applications which are difficult to get updated as well as having conversations about both fixed versions and deployment schedules.

Lee Neely
Lee Neely

The lesson here is that, not only is patching an inefficient way to achieve quality, for some widely used software, it is futile.

William Hugh Murray
William Hugh Murray
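Transitive dependencies are the reason the summary gives for Log4Shell's persistence: log4j-core usually arrives inside someone else's JAR, so a scan that only looks at top-level file names misses it. The added example below was written for this page (it is not Datadog's or the ISC's code). It walks a JAR recursively, opening nested JAR/WAR entries in memory, reads the log4j-core version from its Maven pom.properties, notes whether JndiLookup.class is still present, and classifies the version against the CVE-2021-44228 fix lines. The fat JAR it scans is constructed in memory; the nested class file is a four-byte stand-in, not real bytecode.

```python
"""Find log4j-core copies inside a JAR, including JARs nested in JARs.

Added example for the Log4Shell item above; not Datadog's code. The fat JAR
scanned at the bottom is constructed in memory for illustration.
"""
import io
import re
import zipfile
from typing import List, NamedTuple, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")


class Finding(NamedTuple):
    location: str              # outer.jar!nested.jar!... chain
    version: str
    jndi_lookup_present: bool  # deleting this class was the 2021 stop-gap mitigation
    status: str


def parse_version(v: str) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?$", v.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def log4shell_status(version: str) -> str:
    """Classify a log4j-core version against the CVE-2021-44228 fix lines.

    Pre-2.0-beta9 builds (before the JNDI lookup existed) are flagged too; they
    are ancient enough that replacing them is the right answer anyway.
    """
    v = parse_version(version)
    if v is None:
        return "unknown version"
    if v[0] != 2:
        return "not log4j 2.x (CVE-2021-44228 does not apply)"
    # Java 7 (2.12.x) and Java 6 (2.3.x) maintenance branches received backported fixes.
    if (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        return "CVE-2021-44228 fixed in maintenance branch; verify later backports"
    if v < (2, 15, 0):
        return "VULNERABLE to CVE-2021-44228"
    if v < (2, 17, 1):
        return "CVE-2021-44228 fixed, but missing later log4j 2 fixes (update to 2.17.1+)"
    return "fixed"


def scan_jar(data: bytes, location: str,
             findings: Optional[List[Finding]] = None) -> List[Finding]:
    """Recursively scan one archive (as bytes) and every archive embedded in it."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # an entry named *.jar that is not actually a ZIP; skip it
    with zf:
        names = sorted(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else "unknown"
            findings.append(Finding(location, version, JNDI_LOOKUP in names,
                                    log4shell_status(version)))
        elif JNDI_LOOKUP in names:
            # Repackaged copies that kept the package path but dropped Maven metadata.
            findings.append(Finding(location, "unknown (no pom.properties)", True,
                                    "JndiLookup.class present; determine version manually"))
        for name in names:
            if name.lower().endswith(NESTED_EXT):
                scan_jar(zf.read(name), f"{location}!{name}", findings)
    return findings


def make_jar(entries: dict) -> bytes:
    """Build a ZIP/JAR in memory from {entry_name: str_or_bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_fat_jar() -> bytes:
    """Constructed sample: a Spring-Boot-style fat JAR carrying two log4j-core copies."""
    class_stub = b"\xca\xfe\xba\xbe"  # class-file magic only; stands in for real bytecode
    log4j_2_14_1 = make_jar({
        POM_PROPS: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        JNDI_LOOKUP: class_stub,
    })
    log4j_2_17_1 = make_jar({
        POM_PROPS: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.17.1\n",
        JNDI_LOOKUP: class_stub,  # the class still ships in fixed releases; its code changed
    })
    return make_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        "BOOT-INF/lib/log4j-core-2.14.1.jar": log4j_2_14_1,
        # A vendor bundle that itself embeds log4j: two levels deep, no version in its name.
        "BOOT-INF/lib/vendor-bundle.jar": make_jar({"lib/log4j-core.jar": log4j_2_17_1}),
    })


if __name__ == "__main__":
    for f in scan_jar(build_sample_fat_jar(), "app.jar"):
        print(f"{f.location}: {f.version} jndi={f.jndi_lookup_present} -> {f.status}")
```

The second copy is the point: nothing in `vendor-bundle.jar`'s name says log4j, and only the recursive walk finds the 2.17.1 inside it. Reading real artifacts means replacing `build_sample_fat_jar()` with the file bytes; the classification is by version string only, so a copy whose pom.properties has been stripped or whose package was relocated still needs a manual look.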

2024-08-22

Google Updates Chrome to Address Another Zero-Day

Google has updated their Chrome browser to address a high-severity type confusion vulnerability in V8 that could be exploited to execute code on unpatched machines. Microsoft notified Google of the vulnerability on August 19; Chrome 128 was released two days later. This is the ninth zero-day Chrome vulnerability that Google has patched this year. In all, Chrome 128 addresses 38 security issues, seven of which are high-severity.

Editor's Note

Since Microsoft has committed again to 'Security is Job 1,' it is time for Windows patching to happen as frequently and as transparently as browser and mobile OS patching. I think what is needed to make that happen largely overlaps with OS restrictions that are needed to force app developers to 'Secure By Design' anyway.

John Pescatore
John Pescatore

With this vulnerability Google exceeds its 2023 total of eight zero-days. The update is easy: quit your browser and restart. As a reminder, as a good security practice, reboot your system on a weekly basis.

Curtis Dukes
Curtis Dukes

Seems like we just updated Chrome yesterday. The what's-new page for Chrome 128 highlights Google Lens and Gemini chat. Google Lens was introduced in 2017 but has been enhanced to search videos, livestreams, or images you're watching. Gemini, also available at gemini.google.com, should fall under your current GenAI usage. Consider the activity setting under Gemini Apps (myactivity.google.com) which governs the use or review of your data by Google.

Lee Neely
Lee Neely

The Rest of the Week's News


2024-08-22

Equiniti Trust Company Fined Over Inadequate Protection of Client Funds and Securities

The US Securities and Exchange Commission (SEC) has fined financial service firm Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC, $850,000 for failing to protect clients' funds and securities. In 2022, Equiniti Trust lost roughly $4.8 million to a business email compromise scheme; the company managed to recover about $1 million of the stolen funds. In 2023, thieves conducted account fraud using stolen Social Security numbers to steal nearly $2 million from Equiniti Trust customers. The company managed to recover all but $300,000 of those stolen funds. The SEC imposed the civil fine because the company 'failed to provide the safeguards necessary to protect its clients' funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets.'

Editor's Note

The size of the fine is pretty low compared to what this incident has already cost the company - changing their name probably cost more! But, the settlement should drive them to change the lax processes that led to both incidents - stronger authentication to prevent email chain hijacking and better app/penetration testing to discover in pre-production that any legitimate SSN can be used to create fraudulent accounts.

John Pescatore
John Pescatore

Of the two attacks, the first (BEC) is relatable; the second is more concerning, as they automatically linked accounts based on stolen SSNs to legitimate ones. FIs often link your accounts based on your SSN, which provides a single access point to all your accounts, but also includes some of the same risk. Ask your FI what controls are in place when linking accounts, determine if the linking uses an implied or direct permission, and if more than just the SSN is used to associate the accounts.

Lee Neely
Lee Neely

2024-08-21

FAA Proposed Cybersecurity Rules for Aircraft

The US Federal Aviation Administration (FAA) has published proposed cybersecurity rules for airplanes, engines, and propellers. If approved, the rule 'would introduce type certification and continued airworthiness requirements to protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI).' The FAA is accepting public comment on the proposed rule through October 21, 2024.

Editor's Note

These rules are about the operations of the aircraft, not the security of passenger facing systems. With increased connectivity, and an increase in the number of reported cyber-attacks in the airline industry, the FAA is proposing changes to the manufacture of aircraft, engine and propeller systems to mitigate these threats, which include field loadable software, maintenance laptops, airport/airline/public networks, wireless and cellular communication, USB, Satellite and GPS navigation systems. Proposed designs would need to provide isolation or protection from unauthorized access, prevent unauthorized changes, and include mechanisms/processes to ensure cyber protections are maintained.

Lee Neely
Lee Neely

The FAA has been very successful in its safety mission. After elevators, it has made aviation the second safest form of transportation. These rules simply extend to software the procedures that have been so successful for hardware.

William Hugh Murray
William Hugh Murray

2024-08-22

MIFARE Classic RFID Card Backdoor

Researchers from French security firm Quarkslab have discovered a backdoor affecting certain models of MIFARE Classic smart cards. The vulnerability allows the RFID cards to be instantaneously cloned, allowing access to hotel rooms and offices worldwide.

Editor's Note

Some excellent research by Quarkslab. What's strange is that the same hardware backdoor key exists in other vendor products. It feels a bit like a well-placed supply chain attack.

Curtis Dukes
Curtis Dukes

Many MIFARE Classic cards are FM11RF08S or FM11RF08 cards, which have this backdoor, which dates back to 2007, as do the FM11RF32 and FM1208-10 cards available from the same manufacturer. Double check the version of MIFARE Classic cards you're using; they may be the affected product. If you're using these cards (they are prevalent in hotels in the US, Europe and India), you're going to want to assess your risks.

Lee Neely
Lee Neely

Whether or not RFID applications are secure by design, cloning is harder than it looks. Attacks are extremely local and do not scale. This is one of those issues where intuition does not serve us well.

William Hugh Murray
William Hugh Murray

2024-08-22

Critical Vulnerability in LiteSpeed Cache Plugin for WordPress

A critical unauthenticated privilege elevation vulnerability in the LiteSpeed Cache plugin for WordPress could be exploited to gain admin privileges on unpatched websites. The issue has been fixed in LiteSpeed Cache version 6.4, which was released on August 13. The plugin has more than five million active installations.

Editor's Note

CVE-2024-28000, CVSS score of 9.8, allows an unauthenticated user to spoof the username and get admin access. This is due to a user simulation module which had an easily guessable, unsalted hash. This doesn't impact Windows-based WordPress installations, as the function relied on a PHP method not implemented on Windows. Make sure you're on LiteSpeed 6.4 or higher. Also make sure that you don't already have a cache service from your provider, which could negate the need for this plugin. Wordfence has rules to block this attack and reports blocking nearly 59,000 attacks in the last 24 hours.

Lee Neely
Lee Neely

Yep, another WordPress plug-in vulnerability. For once, Windows-based WordPress installations are not at risk from this vulnerability. For everyone else that uses this plug-in, prioritize this download and install the patch.

Curtis Dukes
Curtis Dukes

2024-08-22

Cisco Security Updates Address Two High-Severity Vulnerabilities

Cisco has released security updates to address half a dozen vulnerabilities in a range of their products, including high-severity flaws affecting Cisco Unified Communications Manager and the OpenSSH server component shipped in several Cisco products. An out-of-bounds write vulnerability in the SIP call processing function of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could be exploited to create denial-of-service conditions. The OpenSSH issue is the unauthenticated remote code execution vulnerability disclosed in July (CVE-2024-6387, dubbed 'regreSSHion' because it is the regression of a previously fixed signal-handler race condition); Cisco's advisory lists the Cisco products affected by this vulnerability.

Editor's Note

The OpenSSH flaw is the same unauthenticated RCE flaw Qualys disclosed on July 1st. Cisco has been releasing updates across their product line for any which use the vulnerable OpenSSH; you should already have a cadence of deploying these. There are no workarounds for the out-of-bounds write vulnerability (CVE-2024-20375); you need to deploy the update. (Unified CM and CM SME version 12.5(1)SU9, 14SU4 or 15SU1.) There are no reports of exploitation or published POCs. Make sure you're leveraging the capabilities of a VoIP-aware firewall in-line with your SIP traffic.

Lee Neely
Lee Neely

2024-08-22

Atlassian August 2024 Security Bulletin

Atlassian's August 2024 Security Bulletin addresses vulnerabilities in Bamboo Data Center and Server, Confluence Data Center and Server, Crowd Data Center and Server, Jira Data Center and Server, and Jira Service Management Data Center and Server. In all, the updates address nine CVEs, all of which are rated high-severity.

Editor's Note

These CVEs' CVSS scores range from 7.1 to 8.1, and given that both your Confluence and Jira servers are impacted, not to mention Crowd and Bamboo, spend more time getting the update scheduled rather than arguing over severity, particularly if any of those are Internet facing. This is a good time to revisit using hosted (cloud) versus on-premises Atlassian services.

Lee Neely
Lee Neely

Internet Storm Center Tech Corner

Where are we with CVE-2024-38063: Microsoft IPv6 Vulnerability

https://isc.sans.edu/diary/Where+are+we+with+CVE202438063+Microsoft+IPv6+Vulnerability/31186

Mapping Threats with DNSTwist and the Internet Storm Center

https://isc.sans.edu/diary/Mapping+Threats+with+DNSTwist+and+the+Internet+Storm+Center+Guest+Diary/31188

OpenAI Scans Honeypots

https://isc.sans.edu/diary/OpenAI+Scans+for+Honeypots+Artificially+Malicious+Action+Abuse/31196

Securing the Future: How Memory-Safe Programming Languages Impact Industry Safety (Christopher Ross)

https://www.sans.edu/cyber-research/securing-future-how-memory-safe-programming-languages-impact-industry-safety/

Broken Linux Boot Partitions after August Microsoft Update

https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3377msgdesc

Google Fixes Chrome 0-day

https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

Cisco Zero Day Exploited (now Patched)

https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/

Solar Winds Helpdesk Backdoor

https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2

Slack AI Prompt Injection

https://www.scmagazine.com/news/slack-patches-slack-ai-issue-that-could-have-allowed-insider-phishing

Phishing in PWA Applications

https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/

QNAP Ransomware Security Center

https://www.qnap.com/en/news/2024/qnap-officially-releases-qts-5-2-introducing-security-center-for-active-file-activity-monitoring-elevated-security-and-data-protection

Microsoft August Update Prevents Linux from Booting

https://community.frame.work/t/sbat-verification-error-booting-linux-after-windows-update/56354

PHP CGI Vulnerability Exploited CVE-2024-4577

https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns

F5 Updates

https://my.f5.com/manage/s/article/K000140111

https://my.f5.com/manage/s/article/K000140108