blogmirnet – Page 12 – My information Resource (blog.mir.net)

Register now for the Microsoft Data and Analytics Forum

Is your data estate ready for the latest innovations in AI? Register for the free Microsoft Data and Analytics Forum to better support your organization and grow professionally with the latest features across data, analytics, governance, and AI. Join us on October 30, 2024, at 8:00 AM Pacific Time to learn how to unify data and analytics and streamline data transformation using Microsoft solutions. At the event you will: Dive deep into real-world customer success stories and learn industry best practices from other organizations using Microsoft analytics tools to drive business growth and efficiency. Gain insight to the latest advancements and innovations across the Microsoft Intelligent Data Platform. Learn about product updates, best practices, and cost-saving programs straight from Microsoft leaders and experts. See the products in action and better understand how to apply these tools to your own business scenarios. Don’t miss out. Register now for the Microsoft Data and Analytics Forum and unify your data and analytics for quick adaptation of new AI capabilities.

Microsoft Data and Analytics Forum
Wednesday, October 30, 2024
8:00 AM-10:00 AM Pacific Time (UTC-7)

Please register here

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Firefox ESR versions prior to 115.16
Firefox ESR versions prior to 128.3
Thunderbird versions prior to 131
Thunderbird versions prior to 128.3
Firefox versions prior to 131

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):
Technique: Drive-by Compromise (T1189)

Prevent users from exiting full-screen mode in Firefox Focus for Android. A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. This may allow spoofing of other sites as the address bar is no longer visible. This bug only affects Firefox Focus for Android. Other versions of Firefox are unaffected. (CVE-2024-9391)
A compromised content process could have allowed for the arbitrary loading of cross-origin pages. (CVE-2024-9392)
Cross-origin access to PDF contents through multipart responses. An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access is limited to “same site” documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. (CVE-2024-9393)
Cross-origin access to JSON contents through multipart responses. An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://devtools origin. This could allow them to access cross-origin JSON content. This access is limited to “same site” documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. (CVE-2024-9394)
Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2024-9401)
Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2024-9402)
Memory safety bugs fixed in Firefox 131 and Thunderbird 131. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2024-9403)

Additional lower severity vulnerabilities include:

Specially crafted filename could be used to obscure download type. A specially crafted filename containing a large number of spaces could obscure the file’s extension when displayed in the download dialog. This bug only affects Firefox for Android. Other versions of Firefox are unaffected. (CVE-2024-9395)
Potential memory corruption may occur when cloning certain objects. It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption. (CVE-2024-9396)
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. (CVE-2024-9397)
External protocol handlers could be enumerated via popups. (CVE-2024-9398)
Specially crafted WebTransport requests could lead to denial of service. (CVE-2024-9399)
Potential memory corruption during JIT compilation. (CVE-2024-9400)
Clipboard write permission bypass. An attacker could write data to the user’s clipboard, bypassing the user prompt, during a certain sequence of navigational events. (CVE-2024-8900)

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

A Vulnerability in Zimbra Collaboration Could Allow for Remote Code Execution – PATCH NOW

A vulnerability has been discovered in Zimbra Collaboration which could allow for remote code execution. Zimbra is a collaborative software suite that includes an email server and a web client. Successful exploitation of this vulnerability could allow for remote code execution in the context of the Zimbra user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data.

THREAT INTELLIGENCE:
Proof of concept code has been released for CVE-2024-45519.

SYSTEMS AFFECTED:

Zimbra Collaboration versions prior to 9.0.0 Patch 41
Zimbra Collaboration versions prior to 10.0.9
Zimbra Collaboration versions prior to 10.1.1
Zimbra Collaboration versions prior to 8.8.15 Patch 46

RISK:
Government:

Large and medium government entities: Medium
Small government entities: Medium

Businesses:

Large and medium business entities: Medium
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in Zimbra Collaboration which could allow for remote code execution. Details of the vulnerability are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

A SMTP-based vulnerability in the PostJournal service of Zimbra Collaboration Suite could allow an unauthenticated attacker to inject arbitrary commands. This vulnerability arises due to improper sanitization of SMTP input, enabling attackers to craft malicious SMTP messages that execute commands under the Zimbra user context. Successful exploitation can lead to unauthorized access, privilege escalation, RCE, and potential compromise of the affected system’s integrity and confidentiality. (CVE-2024-45519)

Successful exploitation of this vulnerability could allow for remote code execution in the context of the Zimbra user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Zimbra to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
- Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
- Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
- Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Zimbra:
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Project Discovery:
https://blog.projectdiscovery.io/zimbra-remote-code-execution/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45519 Multi-State Information Sharing and Analysis Center (MS-ISAC)

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Chrome prior to 129.0.6668.89/.90 for Windows and Mac
Chrome prior to 129.0.6668.89 for Linux

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

Integer overflow in Layout (CVE-2024-7025)
Insufficient data validation in Mojo (CVE-2024-9369)
Inappropriate implementation in V8 (CVE-2024-9370)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Google:
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9369
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9370

Microsoft 365 Copilot Training for IT Professionals

Join us at Microsoft Copilot for Microsoft 365 Training for IT Professionals to learn how to use Microsoft Copilot to simplify your everyday tasks. During this 60-minute free event, discover how Microsoft Copilot can help you enhance efficiency, simplify complex tasks, and optimize technical workflows. You’ll be able to: Use Microsoft Copilot to summarize the information in a product spec document for a network security product and create a project plan to implement the product. Use Copilot in PowerPoint to create and customize a business presentation based on the product plan that you created for the new network security product. Use Copilot in Word to modify a technical implementation report for a customer who is planning to install your new network security product. Use Copilot in Outlook to draft an email that provides highlights from the technical implementation report that you created for the customer who is installing your new network security product. Join us at an upcoming event: Tuesday, October 15, 2024, 4:00 – 5:00 PM (GMT-05:00)

Delivery Language: English
Closed Captioning Language: English
Event Delivery: Digital

Register now >

Space is limited. Register for free today.

NICE Publishes Proposed Updates for Three NICE Framework Work Roles and One NICE Framework Competency Area

The NICE Program Office of the National Institute of Standards and Technology (NIST) is pleased to publish proposed changes to three Work Roles and one Competency Area in the NICE Workforce Framework for Cybersecurity (NICE Framework). We welcome and encourage comments from all interested stakeholders. The proposed updates apply to:
Digital Evidence Analysis (Work Role IN-WRL-002 / OPM Code 211)
A thorough review of this existing Work Role in the Investigation Work Role Category was conducted with subject matter experts from the Federal Bureau of Investigation and the Department of Justice. This draft adjusts the Task, Knowledge, and Skill (TKS) statements in this Work Role and further adds an alignment of Knowledge and Skill statements to each of the Tasks.
Insider Threat Analysis (Work Role PD-WRL-005)
This Work Role was initially released with Version 1.0.0 (v.1.0.0) of the NICE Framework Components in March 2024. This update includes minor changes to some TKS statements and, significantly, aligns the Knowledge and Skill statements to each Task statement in this role.
Operational Technology (OT) Cybersecurity Engineering (New WR DD-WRL-009)
This new Work Role in the Design & Development Work Role Category is the first role in the NICE Framework to focus on operational technology (OT).
Cyber Resiliency (Competency Area NF-COM-007)
NICE released 11 new Competency Areas with v.1.0.0 of the components in March 2024. At that time, only the names and descriptions were included. NICE has been working to identify and develop Knowledge and Skill statements for each of the areas. Cyber Resiliency is the first of these to be developed. These proposed updates reflect the NICE Program Office’s commitment to maintaining the NICE Framework’s relevance to current cybersecurity practices through the active input of subject matter experts as well as the broader community of cybersecurity practitioners and educators.

WE WANT TO HEAR FROM YOU!

NICE welcomes comments on the three proposed Work Roles and one Competency Area from all interested parties. Comments received by the November 14 deadline will be acknowledged by email. Comments will be reviewed and adjudicated, and feedback received during this comment period will be used to inform any necessary updates to the relevant proposed Work Roles or Competency Areas. Final updates will be incorporated in the next release of the NICE Framework Components. Take the following steps to share your feedback:

Visit the NICE Framework Resource Center Public Comments page to access and review the proposed update spreadsheets

Submit comments to [email protected] by 11:59 pm ET on November 14, 2024

Join the NICE Framework Users Group to participate in community discussions

Open for Public Comment: Using Hardware-Enabled Security to Ensure 5G System Platform Integrity Now Available

Comment On Our Latest 5G Cybersecurity White Paper

5G technology for broadband cellular networks will significantly improve how humans and machines communicate, operate, and interact in the physical and virtual world. 5G provides increased bandwidth and capacity, and low latency. However, professionals in fields like technology, cybersecurity, and privacy are faced with safeguarding this technology while its development, deployment, and usage are still evolving.

To help, the NIST National Cybersecurity Center of Excellence (NCCoE) has launched the Applying 5G Cybersecurity and Privacy Capabilities white paper series. The series targets technology, cybersecurity, and privacy program managers within commercial mobile network operators, potential private 5G network operators, and organizations using and managing 5G-enabled technology who are concerned with how to identify, understand, assess, and mitigate risk for 5G networks. In the series, we provide recommended practices and illustrate how to implement them. All of the capabilities featured in the white papers have been demonstrated on the NCCoE testbed on commercial-grade 5G equipment.

We are pleased to announce the availability of the third white paper in the series:

Using Hardware-Enabled Security to Ensure 5G System Platform Integrity—This publication provides an overview of employing hardware-enabled security capabilities to provision, measure, attest to, and enforce the integrity of the compute platform to foster trust in a 5G system’s server infrastructure.

Feedback Wanted

We welcome your input and look forward to your comments by October 30, 2024. We invite you to join the 5G Community of Interest (COI) and we’ll notify you when a paper in the series is being released.

Coming Soon: Reallocation of Temporary Identities White Paper

Download and Comment Now

Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

PHP 8.1 versions prior to 8.1.30
PHP 8.2 versions prior to 8.2.24
PHP 8.3 versions prior to 8.3.12

RISK:

Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

Tactic: Execution (TA0041):

Technique: Command and Scripting Interpreter (T1059)

OS Command Injection: The vulnerability allows a remote attacker to send specially crafted HTTP request to the application and execute arbitrary OS commands on the system due to improper input validation in PHP-CGI implementation. (CVE-2024-8926)
Security features bypass: The vulnerability allows a remote attacker to bypass implemented security restriction and gain unauthorized access to the application due to environment variable collision, which can lead to cgi.force_redirect bypass. (CVE-2024-8927)
Insufficient Logging: The vulnerability allows an attacker to alter logs from child processes due to an unspecified error. (CVE-2024-9026)
Input validation error: The vulnerability allows a remote attacker to pass specially crafted input to the application and bypass implemented security restrictions due to insufficient validation of user-supplied input when parsing multipart form data. (CVE-2024-8925)

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches provided by PHP to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassessbi-annually, or more frequently.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.

Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. (Mitigation M1042: Disable or Remove Feature or Program)
- Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
- Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassessbi-annually, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassessbi-annually, or more frequently.
- Safeguard 4.1: Establish and Maintain a Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 4.8: Uninstall or Disable Unnecessary Services on Enterprise Assets and Software: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
- Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
- Safeguard 18.5: Perform Periodic Internal Penetration Tests: Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.

REFERENCES:

PHP:
https://www.php.net/ChangeLog-8.php

CyberSecurity Help:
https://www.cybersecurity-help.cz/vdb/SB2024092724

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8926
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8927
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8925

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH NOW

OVERVIEW:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Chrome prior to 129.0.6668.70/.71 for Windows and Mac
Chrome prior to 129.0.6668.70 for Linux

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

Use after free in Dawn (CVE-2024-9120)
Inappropriate implementation in V8 (CVE-2024-9121)
Type Confusion in V8 (CVE-2024-9122)
Integer overflow in Skia (CVE-2024-9123)

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.