Cisco CSLU Critical Flaw Added to KEV; Oracle Faces Class Action Suit; Ivanti Buffer Overflow Exploited for RCE

Last week, we detected the use of the exploit against some of our honeypots. The exploit is trivial, and the password used has been known for several months. The exploit had likely been used in more limited attacks well before we detected the use against our honeypots.

Johannes Ullrich

CVE-2024-20439 has a CVSS score of 9.8, and allows an attacker to login using a static administrative credential. Johannes discovered this flaw is being chained with an exploit of CVE-2024-20440, CSLU information disclosure vulnerability, to access log files and API credentials. The fix (there are no workarounds) is to deploy the fixed version of CSLU you're licensed for. This is a free update.

Lee Neely

Six months is long enough for any organization to patch for a known hardcoded credential flaw. So, if adding the vulnerability to the KEV spurs organizations to action, so be it. If I were on the company risk committee, I would be asking what took you so long.

Curtis Dukes

Are these Cisco Licensing Systems exposed to the internet? I've never seen one exposed, so I'm curious to know who runs this on the internet as if it's a router. Nothing should surprise me anymore, however.

Moses Frost

Oracle's legal team had to expect and advise that a lawsuit would be forthcoming. For them not to be transparent about the breach and offer assurances is baffling to most security professionals. The court will decide if Oracle Cloud exhibited a standard of reasonableness in its implementation of security controls. It's likely its cloud users will decide well before then.

Curtis Dukes

One would expect that cloud providers rely on customer trust to support their business. We will see if the delayed and incomplete disclosure will adversely affect Oracle's cloud business. On the other hand, cloud customers are unlikely to face compliance scrutiny and may just shrug it off as something they accept for the convenience of outsourcing the breach to a cloud provider.

Johannes Ullrich

I am sure Oracle is struggling with transparency versus reputation damage. I attended a talk Wednesday where we came to the conclusion that reputation damage is no longer a factor. For example, remember the Target breach right before the holiday shopping season? It was followed by their best season to date. It's going to take time, and we all need to learn that full transparency about what happened coupled with strong forensic, remediation, and support for affected parties, is essential.

Lee Neely

Over 100 years ago, Supreme Court Justice Louis Brandeis said 'Sunlight is the best disinfectant.' Whether Oracle is culpable of any wrongdoing or not, this lack of communication alone should be weighted in decisions to use Oracle Cloud services.

John Pescatore

Not getting involved in this one. I'll wait for the lawsuit to see what shakes out. All I can say is that you want to enshrine confidence in your platform if you're trying to attract customers.

Moses Frost

I am a great believer in the adversarial process for getting at the truth. Even if Oracle were more forthcoming, I would still not be satisfied that I really knew what happened absent a trial.

William Hugh Murray

Never underestimate the creativity of an attacker. The flaw was considered unexploitable just because the company was initially unable to detect the flaw and couldn't imagine it being exploited.

Johannes Ullrich

CVE-2024-22457, stack-based buffer overflow, has a CVSS score of 9.0. Ivanti released an update for Ivanti Connect Secure in February, and updates to Policy Secure and ZTA Gateways are planned for April 21st and 19th respectively. The ZTA Gateway fix will be automatically applied. Pulse Secure 9.1 is no longer being fixed and was end-of-support on 12/31/24. You will need to migrate to a different VPN solution.

Lee Neely

While the altruistic goals of openSNP to support research are laudable, in today's threat climate where genetic data is not always used as envisioned, this sharing model is insufficient to protect this data.

Lee Neely

Bravo!

William Hugh Murray

If you're still storing secrets in your repositories and you're an enterprise customer, look at GitHub's Secret Protection and Code Security products. Secret Protection is free for public repositories. Even so, minimize the secrets you're storing, so they aren't there to protect or discover in the first place.

Lee Neely

The attacks are coming from legitimate Cloud Service Providers, resulting in this traffic being blended with legitimate traffic, making it nearly impossible to detect. This is a place Protective DNS (PDNS) will shine. Make sure that you're leveraging your threat feeds to identify and block flux domains, look for DNS records with really low TTL values, and implement alerts for network or DNS activity related to fast flux patterns.

Lee Neely

It feels like this advisory comes about 15 to 20 years late. I always consider fast-flux the first 'cloud' as it preceded most cloud providers but established many ideas around what later became a large industry.

Johannes Ullrich

Fast Flux IP Addressing is nothing new or novel. It is important to note that many parts of IT have been using it for web scraping for years.

Moses Frost

"There is no more corrupting lie than a problem poorly named." If one cannot use threat, attack, technique, vulnerability, consequence, and risk in a consistent and mutually exclusive way, one is not sufficiently fluent in their native tongue to be of use in this complicated field.

William Hugh Murray

The key quote from Peter John Kyle, UK Secretary of State for Science, Innovation and Technology is "Resilience is not improving at the rate necessary to keep pace with the threat and this can have serious real-world impacts." When lives are at risk, regulatory and criminal sanctions have to be part of the mix. One key issue: I'd like to see more focus on forcing faster adoption of phishing-resistant Multi-Factor Authentication; it is long past time for reusable passwords to be treated like lead in gasoline or red dye #2 in foods.

John Pescatore

Further to John Pescatore's point, one asserts that there is no more essential or efficient cyber security measure than strong authentication. It seems clear that voluntary adoption is not working. It is time for strong sanctions.

William Hugh Murray

The plan is to not only update the NIS 2018 regulations but also future-proof critical services from cyber threats. To give it some teeth, this legislation allows the government to levy fines of £100,000 ($129,000) or 10 percent of turnover for each day a breach continues. With the recent UK attack rate, increasing the posture of critical systems is needed, and leveraging the CSR should help support proposals for improvements you wish to implement.

Lee Neely

The EU's European Commission (EC) has announced their presentation of a new European Internal Security Strategy dubbed "ProtectEU," including an increased focus on cyber and hybrid threats. Among many listed objectives are a number of cybersecurity goals including: "[Creating] a Roadmap on lawful and effective access to data for law enforcement ... [creating] a Technology Roadmap on encryption, and an impact assessment with a view to updating the EU's data retention rules ... implement[ing] the CER and NIS2 Directives ... [and introducing] a new Cybersecurity Act, and new measures to secure cloud and telecom services and developing technological sovereignty," as well as prioritizing intelligence and information exchange within the EU and with trusted countries. The EC's goals echo recent efforts by the UK and Sweden to legislate government access to encrypted data.

Curtis Dukes

This comprehensive approach seeks to raise the bar across the board, both for law enforcement and users. PQC/E2EE are important to safeguard user information and should be baked into service delivery plans. Hopefully, law makers will learn that there is no such thing as an encryption back door with controllable use.

Lee Neely

Nation states are finally realizing that strong encryption is essential. On the other hand, they have always resisted it because it increases the cost of both intelligence and law enforcement. Try as they may, they cannot have it both ways. Any mechanism designed to reduce their cost will inevitably be exploited by others.

William Hugh Murray

While you're checking for endpoints running the current drivers, also check your Canon printers for updated firmware. In February Canon announced firmware updates for their imageCLASS MF and LBP series printerss to address CVE-2024-12647, CVE-2024-12648 and CVE-2024-12649 flaws which could be leveraged to execute arbitrary code or create DoS attacks.

Lee Neely

Organizations in general are slow to update their printer drivers, especially small office/home offices. It remains to be seen if this RCE vulnerability gets weaponized and causes mischief.

Curtis Dukes

Printers are appliances. While they have many features and capabilities, they are essentially single purpose devices. They should be easier to secure than general purpose computers except that so many implementations begin with a general purpose operating system. They are so vulnerable to mischief that nice people do not expose them to the Internet.

William Hugh Murray