Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild. 

SYSTEMS AFFECTED:

  • Android OS patch levels prior to 2024-10-05 

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution in the context of the logged on user. Following the MITRE ATT&CK framework, exploitation of the most severe of these vulnerabilities can be classified as follows:

Tactic: Execution (TA0002)

Technique: Exploitation for Client Execution (T1203):

  • A vulnerability in System that could allow for remote code execution. (CVE-2024-40673)
  • Multiple vulnerabilities in Framework that could allow for elevation of privilege. (CVE-2024-0044, CVE-2024-40676)
  • Multiple vulnerabilities in System that could allow for elevation of privilege. (CVE-2024-40672, CVE-2024-40677)

Details of lower-severity vulnerabilities are as follows:

  • A vulnerability in Framework that could allow for denial of service. (CVE-2024-40675)
  • A vulnerability in System that could allow for denial of service. (CVE-2024-40674)
  • Multiple vulnerabilities in Imagination Technologies. (CVE-2024-34732, CVE-2024-34733, CVE-2024-34748, CVE-2024-40649, CVE-2024-40651, CVE-2024-40669, CVE-2024-40670)
  • Multiple vulnerabilities in MediaTek components. (CVE-2024-20100, CVE-2024-20101, CVE-2024-20103, CVE-2024-20090, CVE-2024-20092, CVE-2024-20091, CVE-2024-20093, CVE-2024-20094)
  • Multiple vulnerabilities in Qualcomm components. (CVE-2024-33049, CVE-2024-33069, CVE-2024-38399)
  • A vulnerability in Qualcomm closed-source components. (CVE-2024-23369) 

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights. 

RECOMMENDATIONS:
We recommend the following actions be taken: 

  • Apply appropriate patches provided by Google to vulnerable systems, immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
       
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources. (M1017: User Training)
     
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.
    • Safeguard 13.10 : Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway. 

REFERENCES:

Google:
https://source.android.com/docs/security/bulletin/2024-10-01

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20101
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23369
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38399
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40669
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40670
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40676
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40677 

Submit Comments | Draft Report: Attribute Validation Services for Identity Management

In this digital age, the accurate identification of individuals is paramount to ensuring security, privacy, and trust in online interactions. Whether it’s for accessing medical records, applying for benefits, or engaging in other high-stakes transactions, the need to confirm the identity and attributes of individuals is crucial. The draft NIST report Attribute Validation Services for Identity Management delves into the architecture, security, privacy, and operational considerations surrounding Attribute Validation Services (AVS), offering considerations for government agencies seeking to implement these critical services.

At its core, an attribute is a “quality or characteristic ascribed to someone or something,” such as a person’s date of birth, residential address, or Social Security Number. Attributes are essential in confirming an individual’s identity or their eligibility to access certain services or information. An AVS validates these attributes against reliable data sources to confirm their accuracy; this validation process plays a pivotal role in secure identity proofing, access control, and fraud prevention.

The draft NIST report Attribute Validation Services for Identity Management positions AVS as a cornerstone of secure, privacy-preserving digital identity management. Whether through traditional query-based models or emerging technology such as cryptographically verifiable attributes, AVSs can offer a reliable way to validate user attributes, reduce fraud, and improve access control. For government agencies, the report provides a foundation for building AVS solutions that enhance security while ensuring equity and privacy.

The public comment period is open through 11:59 pm Eastern Time on Friday, November 8, 2024. Comments may be submitted to [email protected].

Learn More

Trinity Ransomware

The United States Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) released this Threat Actor Profile regarding a relatively new threat actor identified as Trinity Ransomware. Even though the analysis is focused on the Healthcare and Public Health (HPH) Sector, all agencies and organizations are encouraged to review the information contained in the Threat Actor Profile.
Trinity ransomware is a relatively new threat actor, known for employing a double extortion strategy. This method involves exfiltrating sensitive data before encrypting files, thereby increasing pressure on victims to pay the ransom. This ransomware uses the ChaCha20 encryption algorithm, and encrypted files are tagged with the .trinitylock file extension. Trinity operates a victim support site for decryption assistance and a leak site that displays their victims. It also shares similarities with two other ransomware groups—2023Lock and Venus—suggesting possible connections or collaborations among these threat actors. The group’s tactics and techniques are sophisticated, making them a significant threat to the US HPH. HC3 is aware of at least one healthcare entity in the United States that has fallen victim to Trinity ransomware recently.
This HC3 Threat Actor Profile provides an overview, likely tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. This advisory is being provided to assist all agencies and organizations in guarding against the persistent malicious actions of cyber criminals.

New Chinese APT, Salt Typhoon, Targets ISPs

A suspected Chinese (PRC) state-sponsored cyber threat group known as Salt Typhoon was recently identified accessing multiple United States internet service providers (ISPs) to conduct cyber espionage. This cyberattack is just the latest in a series of campaigns sponsored by the Chinese government. Salt Typhoon’s actions are part of a larger Chinese strategy to conduct cyber operations to gain access to other countries’ infrastructure for espionage and potential disruption. These attacks on ISPs are particularly concerning as they can be used to compromise sensitive communications, establish a foothold for future cyberattacks, and impact national security.
Previously, PRC state-sponsored cyber threat group Volt Typhoon was observed exploiting a zero-day vulnerability in Versa Director, a software platform used by ISPs and managed service providers (MSPs) to manage SD-WAN infrastructure. The Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory listing the group’s tactics, techniques, and procedures (TTPs). The advisory confirmed that Volt Typhoon compromised the IT environments of multiple critical infrastructure organizations, including those in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors.
The FBI recently disrupted a portion of botnet infrastructure used by another PRC state-sponsored cyber threat group, Flax Typhoon. The botnet infrastructure contained hundreds of US-based small-office or home-office (SOHO) routers. The group commonly exploits vulnerabilities in networking appliances from companies such as Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco to gain initial access. Salt Typhoon and Flax Typhoon likely use similar techniques for initial infections. One source indicated that Salt Typhoon may also be recognized as GhostEmperor and FamousSparrow, which historically targets government entities and telecommunications in Southeast Asia using a rootkit named Demodex.
APT40 TTP Activity Flowchart. Image Source: CISA
Current and former US intelligence officials have expressed serious concern regarding the bold nature and persistent use of cyber operations to infiltrate critical infrastructure networks. FBI Director Christopher Wray stated that the cyber threat posed by the Chinese government is immense. Analysts assess that there are strong indicators that recent Salt Typhoon activity may be linked to China’s Ministry of State Security, particularly APT40 (also known as Gingham Typhoon), a group known for its expertise in intelligence collection. Based on recent federal agency alerts regarding PRC state-sponsored cyber campaigns, China has escalated from surveillance-only goals toward installing offensive capabilities to disrupt critical US civilian and military infrastructure.
Recommendations
Critical infrastructure administrators are encouraged to review analyses of recent state-sponsored cyber threat activity and apply recommendations to prevent victimization.
Keep systems up to date and apply patches after appropriate testing. Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from information technology (IT) environments.

Report cyber incidents to the FBI’s IC3

Threat Actors Use Session Hijacking to Hunt for Cookies

As the implementation of multi-factor authentication (MFA) becomes prevalent, there is a growing surge in attempts to bypass, breach, and hijack its security measures. Threat actors have increasingly utilized session hijacking in attempts to bypass MFA checkpoints. In this attack, threat actors steal session cookies to take over a live user session. Threat actors can import these harvested session cookies into their browser to resume an active session without entering credentials or passing through MFA checkpoints.
Adversary-in-the-Middle (AitM), Browser-in-the-Middle (BitM) attacks and infostealing malware  are prevalent session hijacking methods. During AitM attacks, threat actors set up a reverse proxy that captures HTTP requests sent from the victim’s browser to a genuine website after a victim visits a malicious domain. BitM’s technique involves tricking users into remotely controlling the threat actor’s browser, which allows threat actors to steal the user’s credentials and access confidential information saved on their device. Infostealers, commonly distributed through phishing attacks, are popular for harvesting session cookies. Unlike AitM and BitM attacks that typically target one account, infostealers can gather multiple credentials and session information and are not limited to active sessions.
Session hijacking attacks have become more prevalent, especially in ransomware operations, where threat actors utilize infostealers to compromise accounts. Threat actors have also previously compromised Google’s MultiLogin, allowing them to revive expired session tokens. While some browsers, such as Google Chrome, have taken steps to protect session cookies, threat actors have already claimed to have found methods to bypass these new security features.
Recommendations
Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats. Facilitate user awareness training to include these types of phishing-based techniques. Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools.

Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)—in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), United States government, and international partners—released the Principles of Operational Technology Cybersecurity guide. This guidance provides critical information on how to create and maintain a safe, secure operational technology (OT) environment.
The six principles outlined in this guide are intended to aid organizations in identifying how business decisions may adversely impact the cybersecurity of OT and the specific risks associated with those decisions. Filtering decisions that impact the security of OT will enhance the comprehensive decision-making that promotes security and business continuity.
CISA encourages critical infrastructure organizations review the best practices and implement recommended actions which can help ensure the proper cybersecurity controls are in place to reduce residual risk in OT decisions.
For more information on OT cybersecurity, review CISA’s Industrial Control Systems page and the Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems  Joint Cybersecurity Advisory to help critical infrastructure organizations manage and enhance their OT cybersecurity.

Register now for the Microsoft Data and Analytics Forum

Is your data estate ready for the latest innovations in AI? Register for the free Microsoft Data and Analytics Forum to better support your organization and grow professionally with the latest features across data, analytics, governance, and AI. Join us on October 30, 2024, at 8:00 AM Pacific Time to learn how to unify data and analytics and streamline data transformation using Microsoft solutions. At the event you will: Dive deep into real-world customer success stories and learn industry best practices from other organizations using Microsoft analytics tools to drive business growth and efficiency. Gain insight to the latest advancements and innovations across the Microsoft Intelligent Data Platform. Learn about product updates, best practices, and cost-saving programs straight from Microsoft leaders and experts. See the products in action and better understand how to apply these tools to your own business scenarios. Don’t miss out. Register now for the Microsoft Data and Analytics Forum and unify your data and analytics for quick adaptation of new AI capabilities.
 
Microsoft Data and Analytics Forum
Wednesday, October 30, 2024
8:00 AM-10:00 AM Pacific Time (UTC-7)

Please register here

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

  • Mozilla Firefox is a web browser used to access the Internet.
  • Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
  • Mozilla Thunderbird is an email client.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Firefox ESR versions prior to 115.16
  • Firefox ESR versions prior to 128.3
  • Thunderbird versions prior to 131
  • Thunderbird versions prior to 128.3
  • Firefox versions prior to 131

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium 

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):
Technique: Drive-by Compromise (T1189)

  • Prevent users from exiting full-screen mode in Firefox Focus for Android. A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. This may allow spoofing of other sites as the address bar is no longer visible. This bug only affects Firefox Focus for Android. Other versions of Firefox are unaffected. (CVE-2024-9391)
  • A compromised content process could have allowed for the arbitrary loading of cross-origin pages. (CVE-2024-9392)
  • Cross-origin access to PDF contents through multipart responses. An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access is limited to “same site” documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. (CVE-2024-9393)
  • Cross-origin access to JSON contents through multipart responses. An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://devtools origin. This could allow them to access cross-origin JSON content. This access is limited to “same site” documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. (CVE-2024-9394)
  • Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2024-9401)
  • Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2024-9402)
  • Memory safety bugs fixed in Firefox 131 and Thunderbird 131. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2024-9403)

Additional lower severity vulnerabilities include: 

  • Specially crafted filename could be used to obscure download type. A specially crafted filename containing a large number of spaces could obscure the file’s extension when displayed in the download dialog. This bug only affects Firefox for Android. Other versions of Firefox are unaffected. (CVE-2024-9395)
  • Potential memory corruption may occur when cloning certain objects. It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption. (CVE-2024-9396)
  • A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. (CVE-2024-9397)
  • External protocol handlers could be enumerated via popups. (CVE-2024-9398)
  • Specially crafted WebTransport requests could lead to denial of service. (CVE-2024-9399)
  • Potential memory corruption during JIT compilation. (CVE-2024-9400)
  • Clipboard write permission bypass. An attacker could write data to the user’s clipboard, bypassing the user prompt, during a certain sequence of navigational events. (CVE-2024-8900)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
       
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
       
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
       
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
       
  • Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
    • Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
       
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
       
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Mozilla:
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-50/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-49/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-47/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-46/
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9391
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9394
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9395
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9396
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9397
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9398
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9399
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9401
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9402
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9403

A Vulnerability in Zimbra Collaboration Could Allow for Remote Code Execution – PATCH NOW

A vulnerability has been discovered in Zimbra Collaboration which could allow for remote code execution. Zimbra is a collaborative software suite that includes an email server and a web client. Successful exploitation of this vulnerability could allow for remote code execution in the context of the Zimbra user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data.

THREAT INTELLIGENCE:
Proof of concept code has been released for CVE-2024-45519.

SYSTEMS AFFECTED:

  • Zimbra Collaboration versions prior to 9.0.0 Patch 41
  • Zimbra Collaboration versions prior to 10.0.9
  • Zimbra Collaboration versions prior to 10.1.1
  • Zimbra Collaboration versions prior to 8.8.15 Patch 46

RISK:
Government:

  • Large and medium government entities: Medium
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: Medium
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in Zimbra Collaboration which could allow for remote code execution.  Details of the vulnerability are as follows:

TacticInitial Access (TA0001):

TechniqueExploit Public-Facing Application (T1190):

  • A SMTP-based vulnerability in the PostJournal service of Zimbra Collaboration Suite could allow an unauthenticated attacker to inject arbitrary commands. This vulnerability arises due to improper sanitization of SMTP input, enabling attackers to craft malicious SMTP messages that execute commands under the Zimbra user context. Successful exploitation can lead to unauthorized access, privilege escalation, RCE, and potential compromise of the affected system’s integrity and confidentiality. (CVE-2024-45519)

Successful exploitation of this vulnerability could allow for remote code execution in the context of the Zimbra user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Zimbra to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Zimbra:
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Project Discovery:
https://blog.projectdiscovery.io/zimbra-remote-code-execution/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45519 Multi-State Information Sharing and Analysis Center (MS-ISAC)

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Chrome prior to 129.0.6668.89/.90 for Windows and Mac
  • Chrome prior to 129.0.6668.89 for Linux

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

TacticInitial Access (TA0001):

TechniqueDrive-By Compromise (T1189):

  • Integer overflow in Layout (CVE-2024-7025)
  • Insufficient data validation in Mojo (CVE-2024-9369)
  • Inappropriate implementation in V8 (CVE-2024-9370)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Google:
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9369
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9370