NIST: Defining IoT Cybersecurity Requirements

Defining IoT Cybersecurity Requirements: Draft Guidance for Federal Agencies and IoT Device Manufacturers (SP 800-213, NISTIRs 8259B/C/D)

An incredible variety and volume of Internet of Things (IoT) devices are being produced. IoT devices are ever more frequently becoming integral elements of federal information systems. The NIST Cybersecurity for IoT Team is releasing public drafts of four documents providing guidance for federal agencies and IoT device manufacturers on defining IoT cybersecurity requirements, including supporting non-technical requirements, so that federal organizations can procure and integrate IoT securely and continue to meet their FISMA obligations. These four new documents expand the range of guidance for IoT cybersecurity. The initial foundation documents in this series are:

  • NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers
  • NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline

The new 800-series Special Publication (SP) and the three new documents in the NISTIR 8259 series that are being released as drafts for comment provide guidance to federal agencies and IoT device manufacturers, complementing the guidance in the initial foundational documents:

  • Draft NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. SP 800-213 provides guidance on considering system security from the device perspective. This allows for the identification of IoT device cybersecurity requirements—the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.
  • Draft NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline, complements the NISTIR 8259A device cybersecurity core baseline by detailing additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities like documentation, training, customer feedback, etc.
  • Draft NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop an IoT cybersecurity profile suitable for specific IoT device customers or applications. The process in NISTIR 8259C guides organizations needing to define a more detailed set of capabilities responding to the concerns of a specific sector, based on some authoritative source such as a standard or other guidance, and could be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements.
  • Draft NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government, provides a worked example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the NISTIR 8259A and 8259B core baselines, calibrated against the FISMA low baseline described in NIST SP 800-53B as an example of the criteria for minimal securability for federal use cases.

NIST appreciates all comments, concerns and identification of areas needing clarification. Ongoing discussion with the stakeholder community is welcome as we work to improve the cybersecurity of IoT devices. Community input is specifically sought regarding the mapping of specific reference document content to the items in Table 1 of NISTIR 8259B and Tables 1 and 2 of NISTIR 8259D, to populate the fourth column, “IoT Reference Examples”. Table 1 in NISTIR 8259A can be used as a model for these informative reference mappings.

A public comment period for these documents is open through February 12, 2021. See the publications’ details (linked above) for copies of the drafts and instructions for submitting comments.

Comments, questions, and other concerns should be sent to [email protected].

NOTE: A call for patent claims is included in each document. For additional information, see the Information Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL Publications.

Publication details:

Draft SP 800-213, https://csrc.nist.gov/publications/detail/sp/800-213/draft

Draft NISTIR 8259B, https://csrc.nist.gov/publications/detail/nistir/8259b/draft

Draft NISTIR 8259C, https://csrc.nist.gov/publications/detail/nistir/8259c/draft

Draft NISTIR 8259D, https://csrc.nist.gov/publications/detail/nistir/8259d/draft

NISTIR 8259, https://csrc.nist.gov/publications/detail/nistir/8259/final

NISTIR 8259A, https://csrc.nist.gov/publications/detail/nistir/8259a/final

NIST Cybersecurity for IoT Program: https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program

ITL Patent Policy: https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications

More Microsoft Security Blogs

Title: Microsoft Information Protection and Microsoft Azure Purview: Better Together
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-information-protection-and-microsoft-azure-purview/ba-p/1957481
Overview: Data is growing exponentially. Organizations are under pressure to
turn that data into insights, while also meeting regulatory compliance
requirements. But to truly get the insights you need – while keeping up with
compliance requirements like the General Data Protection Requirement (GDPR) –
you need to know what data you have, where it resides, and how to govern it.
For most organizations, this creates arduous ongoing challenges. 

Title: Deliver productive and seamless users experiences with Azure Active Directory
URL: https://www.microsoft.com/security/blog/2020/12/07/deliver-productive-and-seamless-users-experiences-with-azure-active-directory/
Overview: Learn how identity has become the new security perimeter and how an
identity-based framework reduces risk and improves productivity.

Title: Microsoft Defender for Endpoint on iOS is generally available
URL: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-on-ios-is-generally-available/ba-p/1962420
Overview: Today, we’re excited to announce that Microsoft has reached a new
milestone in our cross-platform security commitment with the general
availability of our iOS offering for Microsoft Defender for Endpoint, which
adds to the already existing Defender offerings on macOS, Linux, and Android.

Title: What’s New: 80 out of the box hunting queries!
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-80-out-of-the-box-hunting-queries/ba-p/1892067
Overview: Threat hunting is a powerful way for the SOC to reduce organizational
risk, but it’s commonly portrayed and seen as a complex and mysterious art form
for deep experts only, which can be counterproductive. Sophisticated
cybercriminals burrow their way into network caverns, avoiding detection for
weeks or even months, as they gather information and escalate privileges. If
you wait until these advanced persistent threats (APT) become visible, it can
be costly and time-consuming to address. In today’s cybersecurity landscape, SOC
analysts need controls and integrated toolsets to search, filter, and pivot
through their telemetry to derive relevant insights faster. 

Title: Digital Defense integrates with Microsoft to detect attacks missed by traditional endpoint security
URL: https://www.microsoft.com/security/blog/2020/12/08/digital-defense-integrates-with-microsoft-to-detect-attacks-missed-by-traditional-endpoint-security/
Overview: Cybercriminals have ramped up their initial compromises through
phishing and pharming attacks using a variety of tools and tactics that, while
numerous, are simple and can often go undetected.

Title: How to setup a Canarytoken and receive incident alerts on Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-setup-a-canarytoken-and-receive-incident-alerts-on-azure/ba-p/1964076
Overview: With Azure Sentinel you can receive all sorts of security telemetry,
events, alerts, and incidents from many different and unique sources. Those
sources can be firewall logs, security events, audit logs from identity and cloud
platforms. In addition, you can create digital trip wires and send that data to
Azure Sentinel. Ross Bevington first explained this concept for Azure Sentinel
in “Creating digital tripwires with custom threat intelligence feeds for Azure Sentinel”.
Today you can walk through and expand your threat detection capabilities in
Azure Sentinel using Honey Tokens or, in this case, Canarytokens.

Title: Bring threat intelligence from Sixgill using TAXII Data Connector
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/bring-threat-intelligence-from-sixgill-using-taxii-data/ba-p/1965440
Overview: As discussed in the blog Bring your threat intelligence to Azure Sentinel, Azure
Sentinel provides various ways to import threat intelligence into the ThreatIntelligenceIndicator
log analytics table from where it can be used in various parts of the product
like hunting, investigation, analytics, workbooks etc.

Microsoft Security Blogs

Microsoft’s latest security blogs, including some with more information
about recent attacks.

Title: Announcing EDR in block mode general availability
URL: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-edr-in-block-mode-general-availability/ba-p/1972064
Overview: We’re very excited to announce today that endpoint detection and
response (EDR) in block mode is generally available.

Title: EDR in block mode stops IcedID cold
URL: https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/
Overview: Endpoint detection and response (EDR) in block mode in Microsoft
Defender for Endpoint turns EDR detections into real-time blocking of threats.
Learn how it stopped an IcedID attack.

Title: Building a Zero Trust business plan
URL: https://www.microsoft.com/security/blog/2020/12/09/building-a-zero-trust-business-plan/
Overview: These past six months have been a remarkable time of transformation
for many IT organizations. With the forced shift to remote work, IT
professionals have had to act quickly to ensure people continue working
productively from home—in some cases bringing entire organizations online over
a weekend. While most started by scaling existing approaches, many
organizations…

Title: Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers
URL: https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
Overview: A persistent malware campaign has been actively distributing Adrozek,
an evolved browser modifier malware at scale since at least May 2020. At its
peak in August, the threat was observed on over 30,000 devices every day. The
malware is designed to inject ads into search engine results pages and affects
multiple browsers.

Title: New cloud-native breadth threat protection capabilities in Azure Defender
URL: https://www.microsoft.com/security/blog/2020/12/10/new-cloud-native-breadth-threat-protection-capabilities-in-azure-defender/
Overview: As the world adapts to working remotely, the threat landscape is
constantly evolving, and security teams struggle to protect workloads with
multiple solutions that are often not well integrated nor comprehensive enough.
This results in serious threats avoiding detection, as well as security teams
suffering from alert fatigue. Azure Defender helps security professionals with
an…

Title: Additional email data in advanced hunting
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/additional-email-data-in-advanced-hunting/ba-p/1985849
Overview: We’re thrilled to share new enhancements to the advanced hunting data
for Office 365 in Microsoft 365 Defender. Following your feedback we’ve added
new columns and optimized existing columns to provide more email attributes you
can hunt across. These additions are now available in public preview.

Title: Siemens USA CISO: 3 essentials to look for in a cloud provider
URL: https://www.microsoft.com/security/blog/2020/12/14/siemens-usa-ciso-3-essentials-to-look-for-in-a-cloud-provider/
Overview: Learn why Kurt John of Siemens USA sees continued migration to the
cloud as inevitable across industries.

Title: Ensuring customers are protected from Solorigate
URL: https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
Overview: Microsoft is monitoring a dynamic threat environment surrounding the
discovery of a sophisticated attack that included compromised binaries from a
legitimate software. These binaries, which are related to the SolarWinds Orion
Platform, could be used by attackers to remotely access devices. On Sunday, December
13, Microsoft released detections that alerted customers to the presence of…


SolarWinds Post-Compromise Hunting with Azure Sentinel

Microsoft recently blogged about the Recent Nation-State Cyber Attacks that have impacted high-value targets across both the government and private sector. This attack is also known as Solorigate or Sunburst. This threat actor is believed to be highly sophisticated and motivated. Relevant security data required for hunting and investigating such a complex attack is produced in multiple locations – cloud, on-premises and across multiple security tools and product logs. Being able to analyze all the data from a single point makes it easier to spot trends and attacks. Azure Sentinel has made it easy to collect data from multiple data sources across different environments, both on-premises and cloud, with the goal of connecting that data together more easily. This blog post contains guidance and generic approaches to hunt for attacker activity (TTPs) in data that is available by default in Azure Sentinel or can be onboarded to Azure Sentinel.

The goal of this article is post-compromise investigation strategies; it is focused on TTPs, not on specific IOCs. Azure Sentinel customers are encouraged to review advisories and IOCs shared by Microsoft MSRC and security partners, and to search for those IOCs in their environment using Azure Sentinel. Links to these IOCs are listed in the reference section at the end.

Link to article:

URL: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095

Hackers Exploiting VMWare

This week, the NSA released an announcement saying, “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.” This vulnerability is tracked as CVE-2020-4006 (CVSS score 7.2), which was issued on 23 November 2020 but updated recently with VMware’s patch release on 3 December 2020.

The issue is tracked in VMware’s advisory VMSA-2020-0027.2. The advisory lists the impacted products as: VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Exploitation is via command injection, which leads to installation of a web shell allowing further malicious activity. The exploitation, however, requires both password knowledge and access. Strong passwords and keeping the web-based management interface inaccessible from the internet mitigate the issue. Although patching is the recommended solution, workarounds such as disabling the configurator service can put a temporary fix in place until patching can be accomplished.

The release notes that detection methods are unlikely to identify this exploit, since the compromise activity occurs exclusively inside a TLS tunnel to the web interface. Indicators in system logs can suggest a compromise may have occurred; such an indicator can look like an exit statement followed by a 3-digit number, like “exit 123”.
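As an added example (not code from the NSA release or from VMware), a small scanner that runs the “exit followed by a three-digit number” indicator above over log lines. The log format, the case-insensitive match and the sample lines are assumptions constructed for the demonstration.

```python
"""Flag log lines containing an 'exit' statement followed by exactly three
digits, the post-exploitation indicator cited for CVE-2020-4006."""
import re
from typing import List, Tuple

# \bexit  : the word "exit" (not "reexit", "exited")
# \s+     : whitespace
# (\d{3}) : exactly three digits, captured
# (?!\d)  : and no fourth digit after them (assumed: "exit 4567" is not a hit)
EXIT_INDICATOR = re.compile(r"\bexit\s+(\d{3})(?!\d)", re.IGNORECASE)


def find_exit_indicators(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, three-digit code, stripped line) for each hit.

    Line numbers are 1-based so they map directly onto the source file.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        match = EXIT_INDICATOR.search(line)
        if match:
            hits.append((number, match.group(1), line.rstrip()))
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Convenience wrapper for a log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_exit_indicators(handle.readlines())


# Constructed sample lines, not taken from any real appliance.
SAMPLE_LOG = [
    "2020-12-03T10:15:02Z configurator INFO session opened for user admin",
    "2020-12-03T10:15:40Z configurator INFO command completed, exit 0",
    "2020-12-03T10:16:05Z configurator INFO exit 123",
    "2020-12-03T10:16:07Z configurator WARN process exited 200",
    "2020-12-03T10:17:31Z configurator INFO exit 4567",
    "2020-12-03T10:18:12Z configurator INFO EXIT 404",
]

if __name__ == "__main__":
    for number, code, text in find_exit_indicators(SAMPLE_LOG):
        print(f"line {number}: exit {code}: {text}")
```

A hit is only a lead; the advisory's own guidance (patch, restrict the management interface, rotate credentials) still applies regardless of what the scan finds.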

The VMware advisory also provides a direct reference to their knowledge base, with a matrix addressing all the impacted products, patches, versions, workarounds, etc.

This article has highlighted two things that will likely never change. First, you need to stay patched and current; it’s the best way to be proactive and prevent a compromise in any system. Second, the human factor will always be vulnerable – be it spear-phishing or brute force attacks on weak user passwords. Do everything you can to educate, and when that fails, clean and disable bad links and enforce policy that deters users from making bad choices. You’ve read these countless times before here… but we can’t tell you any more. Go do it.

Sources:

CSA_VMWARE ACCESS_U_OO_195076_20.PDF (defense.gov) 

VMSA-2020-0027.2 (vmware.com)

NSA Warns Russian Hacker Exploiting VMware Bug to Breach Corporate Networks (thehackernews.com)

Turla Backdoor, and Dropbox

ESET researchers have recently released information on the discovery of a new backdoor, dubbed Crutch, that uses Dropbox to exfiltrate stolen files. Crutch has been seen as early as 2015 and is believed to be a second-stage backdoor that is deployed after a victim has already been compromised. Researchers have seen the Skipper implant and the PowerShell Empire post-exploitation agent used as initial infection vectors. Until July 2019, Crutch v3 used an architecture based on manual input of commands through Dropbox that were then run on the victim’s machine. It included a monitor for removable drives that looked for files with certain extensions, such as .pdf, .rtf, .doc, and .docx, then compressed and staged the files for exfiltration. These files were then uploaded to a hard-coded Dropbox account controlled by the attackers. Persistence was maintained by using hijacked browser processes in Chrome, Firefox, or OneDrive. In one instance, the Crutch operator even left a little taunt for the victim, running the command “mkdir %temp%Illbeback”.

In July of 2019, researchers discovered a newer version of Crutch that was automated rather than having the operator run commands manually. The persistence mechanism changed to using a Microsoft Outlook component, Finder, rather than the browser processes. The drive monitor also got a makeover and could now monitor local drives as well as removable drives. Interesting files are still compressed, encrypted, and staged for exfiltration. Instead of the operator manually uploading them to Dropbox, however, Crutch v4 now uploads the files automatically using the Windows version of the wget utility.

ESET researchers have attributed Crutch to the Russian-speaking APT group Turla. They discovered several strong links between a 2016 version of the Crutch dropper and a Turla tool called Gazer. For instance, both samples were found on the same machine within a 5-day period, PDB paths were almost identical, and they both used the exact same RC4 key to decrypt their payloads.

“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” says the ESET release. Crutch was also discovered on the network of the Ministry of Foreign Affairs in an undisclosed European Union country, which also aligns with Turla’s previous strategy of targeting governments, embassies, and military organizations.

Sources:

Turla’s ‘Crutch’ Backdoor Leverages Dropbox in Espionage Attacks | Threatpost

Turla Crutch: Keeping the “back door” open | WeLiveSecurity

Experts Uncover ‘Crutch’ Russian Malware Used in APT Attacks for 5 Years (thehackernews.com)

OpenClinic Application Health Care Security ISSUE

It’s been a while since credit card and social security numbers were enough to supply the criminal market with stolen data. In the last few years there has been a marked increase in the amount of healthcare data up for sale, thanks to some major data breaches and the notoriously poor security of smaller healthcare providers.

While it may be improving, there are still plenty of unpatched systems out there. Even worse, there are some providers using applications that are largely unsupported. A recent announcement from researchers at Bishop Fox is proof of that.

An open source application called OpenClinic, used for health records management, was found to have four major 0-day vulnerabilities. The most critical is a missing authentication check: a patient does not have to sign in to view test results. This would allow an attacker to directly access patient data with only the path to the file.

The other three bugs require authentication. A cross-site scripting vulnerability allows an attacker to “embed a malicious payload within a medical record’s address field.” With administrator privileges an attacker could upload malicious files to an endpoint on the server, allowing them to execute arbitrary code.

There is also a path traversal vulnerability that allows files to be stored outside of designated directories. All versions of OpenClinic are vulnerable to all four bugs. The last update to the application was in 2016.

The Bishop Fox team attempted to contact the developers of OpenClinic three times but received no response. After 90 days (per their disclosure policy), they published their findings. OpenClinic appears to no longer be supported, and the changelog suggests that releases were few and far between to begin with.

Unfortunately, a quick Google search suggests that there are a few providers out there still using the software in some capacity. The exposed records are old, but exposed nonetheless. The best option for anyone still using the application is to find an alternative as soon as possible.


Sources:

Electronic Medical Records Cracked Open by Unpatched OpenClinic Bugs | Threatpost

Zero-day vulnerabilities in healthcare records application OpenClinic could expose patients’ test results | The Daily Swig (portswigger.net)

What is OpenClinic? (sourceforge.net)

Man in the Middle of Your Email

Cybercriminals stole $15 million from a U.S. company by inserting themselves into email correspondence relating to legitimate business fund transfers. The tactic is called Business Email Compromise (BEC) and is one of the most financially damaging online crimes according to the FBI. BEC is a lucrative scam because we rely on email to conduct financial business transactions, such as wire transfers. The traditional BEC scam process contains four steps: identifying a target, grooming that target, exchanging information with the victim, and then completing the wire transfer of funds. This scenario requires attackers to convince the victim that they are conducting a legitimate business transaction when they are in fact dealing with a fraud.

Although the traditional BEC scam can be successful, most businesses have implemented training to spot these types of efforts. These scams can be thwarted easily by diligent targets, which is why this BEC campaign let the business transactions be negotiated by the senior executives themselves. Mitiga, the incident response company investigating the occurrence, said the threat actors spent weeks trying to compromise the chosen email accounts. They collected information from the victim’s inbox before setting up email forwarding rules to ensure that if they lost access to the account, they would still receive messages from the compromised account. The attackers also created Microsoft Office 365 email domains, with slight alterations to the domain names, to impersonate both parties of the transaction when needed, and registered these domains with GoDaddy as businesses. They monitored the inboxes for a month, gathering information from senior executives about planned financial business transactions, then took over the conversation at the opportune moment to provide altered wire transfer information using the fake domains.

The attackers still needed to make sure that the executives and financial officers at the company did not see the transaction as suspicious and flag it for investigation as the bank could still block the transfer of funds going to the wrong account. To hide transaction emails from the concerned parties, the attacker set up email filtering rules from the inbox to move emails from specific addresses to a hidden folder. The filtering of communications concerning the money transfer from the legitimate inbox owner lasted for two weeks, which was sufficient time for the attackers to successfully move the funds to a foreign bank account.
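The two mailbox-side artifacts described above (forwarding rules that keep a copy flowing to the attacker, and filter rules that park mail from specific senders in a folder the owner never looks at) plus the lookalike domains can be audited from an export of inbox rules. This is an added example, not Mitiga's or Microsoft's tooling; the rule fields, the trusted-domain list, the "obscure folder" list and the sample rules are all constructed assumptions.

```python
"""Audit mailbox inbox rules for BEC tradecraft: external or lookalike
forwarding targets, and rules that divert mail from chosen senders into an
obscure folder so the mailbox owner does not see it."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: the organisation's own domain and its trusted counterparties.
TRUSTED_DOMAINS = {"acme-corp.example", "partnerbank.example"}

# Folders a mailbox owner rarely opens; diverting mail there hides it without
# deleting it (assumed list, tune per tenant).
OBSCURE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                   "junk email", "archive", "deleted items"}


@dataclass
class InboxRule:
    mailbox: str                                   # mailbox the rule lives in
    name: str
    forward_to: List[str] = field(default_factory=list)
    from_addresses: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; cheap enough for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates (1 or 2 edits away), if any.
    Works equally on the domain of a From: header to spot impersonation."""
    domain = domain.lower()
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def audit_rule(rule: InboxRule) -> List[str]:
    """Findings for one rule; an empty list means nothing suspicious."""
    findings = []
    for addr in rule.forward_to:
        dom = domain_of(addr)
        imitated = lookalike_of(dom)
        if imitated:
            findings.append(f"forwards to lookalike domain {dom} (imitates {imitated})")
        elif dom not in TRUSTED_DOMAINS:
            findings.append(f"forwards to external address {addr}")
    folder = (rule.move_to_folder or "").lower()
    if folder in OBSCURE_FOLDERS and rule.from_addresses:
        senders = ", ".join(rule.from_addresses)
        findings.append(f"hides mail from {senders} in '{rule.move_to_folder}'")
    return findings


def audit_rules(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map rule name -> findings, keeping only rules that raised something."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample rules, as they might be exported from one mailbox.
SAMPLE_RULES = [
    InboxRule("cfo@acme-corp.example", "File newsletters",
              from_addresses=["news@partnerbank.example"],
              move_to_folder="Newsletters"),                    # benign
    InboxRule("cfo@acme-corp.example", "Sync",
              forward_to=["mail-sync@acme-c0rp.example"]),     # o -> 0
    InboxRule("cfo@acme-corp.example", "Backup",
              forward_to=["archive@webmail-host.example"]),    # external copy
    InboxRule("cfo@acme-corp.example", "Cleanup",
              from_addresses=["treasury@partnerbank.example",
                              "ceo@acme-corp.example"],
              move_to_folder="RSS Subscriptions"),             # hides replies
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"{name}: " + "; ".join(findings))
```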

Microsoft and law enforcement agencies are investigating the incidents. Still, there is little hope of reclaiming the lost funds once transferred outside US jurisdiction. Mitiga said they have seen a dramatic increase in BEC attacks this year. The Mitiga CEO, Tal Mozes, said that BEC attacks are up 63%, mostly originating from African countries and targeting U.S. businesses.

Sources:

https://www.zdnet.com/article/15-million-business-email-scam-exposed-in-the-us/

https://www.bleepingcomputer.com/news/security/the-anatomy-of-a-15-million-cyber-heist-on-a-us-company/

https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise

Windows Zero-day Issue

If you Google “Win10 zero-day”, you’ll likely find a number of results. Today’s zero-day is one that involves both Google Chrome and Microsoft Windows and is actively exploited. It has been disclosed with a proof of concept but is still not patched by Microsoft!

The Windows security issue, tracked as CVE-2020-17087, is reported to impact every version of the Windows OS from Windows 7 to the current Windows 10. Google’s Project Zero security team discovered the flaw, notified Microsoft, and provided seven days to patch before Google would disclose the details. Some argue this is a short time before disclosure, but Project Zero researchers Ben Hawkes and Tavis Ormandy defended their timeline saying: “We think there’s defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonable [sic] unlikely”. That’s probably true, as the researchers knew the chained exploit required another vulnerability: CVE-2020-15999, a Chrome browser-based bug which was patched 20 October 2020. These are likely the same reasons why Microsoft can be so calm regarding the vulnerability, as the fix is pushed off until next Patch Tuesday on 10 November 2020.

The previously patched Chrome browser bug, CVE-2020-15999, is a heap buffer overflow vulnerability in the “Load_SBit_Png” function of the FreeType 2 library. This is used for font rendering in multiple applications, one of which is Google Chrome. Google’s own security researcher on the Project Zero team, Sergei Glazunov, is credited with the discovery. The attack would be accomplished using social engineering to lure a user to browse a website hosting a specially crafted malicious font file. Glazunov has published a proof-of-concept font file. The Microsoft Windows unpatched bug, CVE-2020-17087, is a buffer overflow vulnerability in the Windows Kernel Cryptography Driver, cng.sys, and the way it processes input/output control. Mateusz Jurczyk, another Project Zero security researcher who discovered the issue, says the bug is the result of a 16-bit integer truncation. A proof of concept was included as an attachment to the Google Project Zero issue tracker entry and has been tested on Windows 10 1903 (64-bit).

As far as the observations in the wild, this chained attack is being used for targeted attacks according to Shane Huntley, Director of Google’s Threat Analysis Group. Microsoft also acknowledged their bug has only been spotted in conjunction with the Chrome vulnerability, which has been patched in Chrome and other Chromium-based browsers.

Sources

https://bugs.chromium.org/p/project-zero/issues/detail?id=2104

https://threatpost.com/unpatched-windows-zero-day-exploited-sandbox-escape/160828/

Cisco Devices Vulnerable

Cisco is warning of attacks actively exploiting the CVE-2020-3118 vulnerability found to affect carrier-grade routers running the Cisco IOS XR Software. The issue resides in the implementation of the Cisco Discovery Protocol for Cisco IOS XR Software and could allow an unauthenticated attacker to execute arbitrary code on the device. While Cisco released a patch for this vulnerability back in February of 2020, new research has shown that the use of this vulnerability is prevalent among nation-state actors in gaining access to an organization.

This vulnerability is due to improper validation of string input from select fields in Cisco Discovery Protocol messages. The Cisco Discovery Protocol is a Layer 2 protocol that is used to share information about Cisco equipment, including the operating system and IP address. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could enable the attacker to execute arbitrary code with administrative privileges on an affected device. The affected Cisco routing platforms include the Network Convergence System (NCS) 540, NCS 560, NCS 5500, 8000, and ASR 9000 series routers. The vulnerability also affects third-party white box routers and Cisco products with the Cisco Discovery Protocol enabled both on at least one interface and globally. Those devices include ASR 9000 Series Aggregation Services Routers, Carrier Routing System (CRS), IOS XRv 9000 Router, as well as the NCS 1000 Series, 5000 Series, and 6000 Series routers.

In October 2020, the Cisco Product Security Incident Response Team (PSIRT) released an updated advisory that detailed reports of attempted exploitation of this vulnerability in the wild. In addition, the U.S. National Security Agency (NSA) included the CVE-2020-3118 vulnerability among 25 security vulnerabilities currently targeted or exploited by Chinese state-sponsored threat actors. “The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation,” said Ben Seri, VP of Research at Armis.

As stated, Cisco fixed the CVE-2020-3118 vulnerability back in February of 2020. System administrators should look to see if any of their devices are susceptible to this vulnerability and update them immediately. Cisco also provides administrators with workarounds if they are not able to immediately patch these devices.

Sources

https://www.bleepingcomputer.com/news/security/cisco-warns-of-attacks-targeting-high-severity-router-vulnerability/

https://securityaffairs.co/wordpress/109816/hacking/cisco-cve-2020-3118-flaw-attacks.html