Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Manage Microsoft Teams Collaboration Communications Systems to learn how to plan, design, configure, and manage a Teams Collaboration Communications System. You’ll explore the many Teams services, features, and capabilities that simplify collaboration and boost productivity. Note: Participants should have a prior understanding of the basics of Teams as well as networking, telecommunications, audio-visual and meeting-room technologies, and identity and access management. You will have the opportunity to: Learn how to plan, design, and manage Teams Collaboration Communications Systems. Find out how to configure and manage Microsoft Teams Phone, Microsoft Teams Rooms, and Microsoft Teams meetings. Understand how to manage and monitor services through the Teams admin center, Teams Rooms Pro portal, Microsoft Call Quality Dashboard, and Microsoft Teams PowerShell. Learn more about Teams-certified devices and calling plans. Join us at an upcoming two-part Manage Microsoft Teams Collaboration Communications Systems event: Delivery Language: English Closed Captioning Language(s): English
This Technical Note describes the product agnostic remote access reference architectures and presents three remote access example solutions the NCCoE plans to demonstrate as part of the Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems project. The Technical Note presents a traditional on-premises remote access reference architecture and two example solutions: one for medium to large water and wastewater systems (WWS) and one for very small to small WWS. A cloud-based remote access reference architecture and example solution are also described.
The NCCoE first plans to address the remote access scenario and describing architectures and example solutions which allow authorized access to a water or wastewater utility’s Operational Technology (OT) assets. Subsequent publications will address the other identified risk scenarios and solutions.
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLEGENCE: There are no reports that these vulnerabilities are being exploited in the wild
SYSTEMS AFFECTED:
Firefox versions prior to 128
Firefox ESR versions prior to 115.13
RISK: Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY: Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Details of the most critical vulnerabilities are as follows:
Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on mac OS. (CVE-2024-6600)
A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. (CVE-2024-6601)
A mismatch between allocator and deallocator could have lead to memory corruption. (CVE-2024-6602)
In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. (CVE-2024-6603)
Clipboard code failed to check the index on an array access. This could have lead to an out-of-bounds read. (CVE-2024-6606)
It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a <select> element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. (CVE-2024-6607)
It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. (CVE-2024-6608)
When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. (CVE-2024-6609)
Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. (CVE-2024-6610)
A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. (CVE-2024-6611)
CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened. (CVE-2024-6612)
The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. (CVE-2024-6613)
The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. (CVE-2024-6614)
Memory safety bugs present in Firefox 127. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2024-6615)
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
Apply the stable channel update provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5:Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Prepare Your Organization for Microsoft Copilot for Microsoft 365 to learn how to implement AI to help ignite creativity, enhance productivity, and strengthen computing and collaboration skills. You’ll learn about the capabilities of Copilot, including how it works, how to configure it, and how to set it up for more powerful searches. You’ll also explore how Copilot works with Microsoft Graph—and your existing Microsoft 365 apps—to provide intelligent, real-time assistance. You will have the opportunity to: Understand the key components of Copilot for Microsoft 365 and how it works. Learn how to extend Copilot with plugins. Get guidance on completing the necessary Copilot technical and business requirements to prepare for implementation. Learn how to assign Copilot licenses, prepare your organization’s Microsoft 365 data for Copilot searches, and create a Copilot Center of Excellence. Join us at an upcoming Prepare Your Organization for Microsoft Copilot for Microsoft 365 event:
Delivery Language: English Closed Captioning Language(s): English
The Cybersecurity and Infrastructure Security Agency (CISA) has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) to release an advisory outlining a People’s Republic of China (PRC) state-sponsored cyber threat group’s activity. The following organizations also collaborated with ASD’s ACSC on the guidance:
The National Security Agency (NSA) The Federal Bureau of Investigation (FBI) The United Kingdom’s National Cyber Security Centre (NCSC-UK) The Canadian Centre for Cyber Security (CCCS) The New Zealand National Cyber Security Centre (NCSC-NZ) The German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV) The Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC) Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA)
The advisory is based on current ACSC-led incident response investigations and shared understanding of a PRC state-sponsored cyber threat group, APT40—also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk in industry reporting.
APT 40 has previously targeted organizations in various countries, including Australia and the United States. Notably, APT 40 possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations. APT 40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence, and Microsoft Exchange to target the infrastructure of the associated vulnerability.
CISA urges all organizations and software manufacturers to review the advisory to help identify, prevent, and remediate APT 40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers.
For more information on PRC state-sponsored threat actor activity, see CISA’s People’s Republic of China Cyber Threat. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage.
A vulnerability has been discovered in OpenSSH that could allow for remote code execution. OpenSSH is a suite of secure networking utilities based on the SSH protocol and is crucial for secure communication over unsecured networks. It is widely used in enterprise environments for remote server management, secure file transfers, and various DevOps practices. Successful exploitation of this vulnerability could allow for remote code execution in the context of the unprivileged user running the sshd server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
THREAT INTELLIGENCE: There are no reports of this vulnerability being exploited in the wild.
SYSTEMS AFFECTED:
OpenSSH versions 8.7 and 8.8 and corresponding portable versions
RISK: Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY: A vulnerability has been discovered in OpenSSH, which could allow for remote code execution. Details of the vulnerability include:
CVE-2024-6409: A signal handler race condition vulnerability was found in OpenSSH’s server (sshd) where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function.
Successful exploitation of this vulnerability could allow for remote code execution in the context of the unprivileged user running the sshd server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
RECOMMENDATIONS: We recommend the following actions be taken:
Apply appropriate mitigations provided by OpenSSH or affected Linux vendor to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 13.10: Performing Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
Date/Time: Wednesday, July 10, 2024 | 10:00–11:30 AM ET
Description
Join the NIST NCCoE for a webinar to discuss guidance and considerations for trusted IoT onboarding to help organizations safeguard both their IoT devices and their networks.
The NCCoE, in collaboration with 11 product and service providers, has produced five builds demonstrating network-layer onboarding and two builds demonstrating the factory provisioning process. The configurations offer secure ways to provision devices to a network using their network credentials.
Meet the NCCoE IoT Onboarding team and their industry collaborators
Learn about the latest updates to Draft NIST SP 1800-36, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management, and how it can be used to help organizations protect both their IoT devices and their networks
Hear from the project’s collaborators about example technology solutions using Wi-Fi Easy Connect, BRSKI, and Thread
Engage in a Q&A period with the project team and industry experts
Gain resources and additional information for implementation
Speakers
Tim McBride, Deputy Director, NIST NCCoE
Paul Watrobski, Principal Investigator, NIST NCCoE
Brecht Wyseur, Senior Product Manager and Product Strategy, Kudelski IoT
Nick Allott, CEO, NquiringMinds
Steve Clark, Security Technologist, WISeKey
Dan Harkins, Fellow, HPE Aruba
Andy Dolan, Senior Security Engineer, CableLabs
Craig Pratt, Lead Software Engineer, CableLabs
Darshak Thakore, Principal Architect, CableLabs
Contact Us
If you have any questions about this event, please reach out to the team at iot-onboarding@nist.gov.
To receive the latest project news and updates, consider joining the NCCoE IoT Onboarding Community of Interest (COI). You can sign up by completing the COI form or by emailing the team declaring your interest.