Security Intelligence Feed

We’ve got your back, even when you don’t know it.

Our analysts are on top of the latest developments in cyber security. This feed is our way to share our findings and research to help you better understand the ever-changing security landscape while continuing to give you the peace of mind that Covalence is always protecting you.


Multiple Vulnerabilities in IoT and OT Devices Require Patching

On 29 April 2021, Microsoft released a report on 25 critical memory allocation flaws in internet-of-things (IoT) and operational technology (OT) devices that are commonly connected to industrial, medical, and enterprise networks. 

Details

  • Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory with a list of affected devices and recommendations on applying the security patches.
  • The flaws, collectively dubbed “BadAlloc”, exist in standard functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
  • The memory allocation implementations in the affected devices lack proper input validation. This could allow threat actors to trigger a heap overflow, execute malicious code, or cause a denial-of-service (DoS) condition.
  • The most severe of the flaws has been assigned a CVSS v3 score of 9.8.

Why it’s important

  • If left unpatched or poorly deployed, the listed devices offer an easy entry point into a network.
  • We recommend applying the vendor patches and reviewing the CISA mitigations.
  • Fixes are in progress at the affected vendors, including Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent.
  • Check the CISA advisory for a complete list of vulnerable products and the patches currently available.

References: CISA

Apple Updates Include Actively-exploited Flaw

On 26 April 2021, Apple released security updates for macOS Big Sur, Catalina, and Mojave. The Big Sur update fixes 60 security vulnerabilities, including one with reports of active exploitation prior to being patched. We recommend updating the affected devices as soon as possible.


Details

  • A logic flaw in macOS’ policy subsystems, tracked as CVE-2021-30657, causes misclassification of quarantined items, such as malicious applications. As a result, these apps, even if unsigned (and unnotarized), could be allowed to run with no warnings from macOS.
  • The flaw allows a bypass of macOS’ core security mechanisms – file quarantine, Gatekeeper, and notarization requirements.
  • The researchers who discovered the vulnerability suggest that it was likely introduced in macOS 10.15.
  • One known malware family, Shlayer, has been exploiting this flaw since January 2021, distributing its exploit via compromised websites or poisoned search engine results.

Why it’s important

  • We recommend updating your devices as soon as possible, since actively exploited flaws present a high risk to unpatched devices.
  • If you don’t have automatic updates enabled, go to Settings -> General -> Software Update.
  • Exploiting the flaw requires user interaction, which is a good reminder for users not to click on links from unknown sources.

References: Apple

Apple Fixes Actively Exploited Flaw In Multiple Products

On 26 March 2021, Apple released security updates in multiple products to address a vulnerability that may have been “actively exploited” prior to being patched.


Details

  • The flaw, tracked as CVE-2021-1879, is a cross-site scripting vulnerability in the WebKit browser engine used by the Safari browser on Apple devices.
  • Updates are available for iPhone, iPad, iPod, and Apple Watch devices.
  • Malicious actors could launch universal cross-site scripting attacks after tricking targets into opening maliciously-crafted web content on their devices.
  • An attacker could then either serve malware or steal a victim’s credentials using a malicious page.

Why it’s important

  • Update your device as soon as possible, since actively exploited flaws present a high risk to unpatched devices.
  • If you don’t have automatic updates enabled, on iOS and iPadOS go to Settings -> General -> Software Update.

References: Apple

Google Fixes Multiple Vulnerabilities in Chrome

On 30 March 2021, Google released Chrome version 89.0.4389.114 for Windows, Mac and Linux. The update addresses several high-severity vulnerabilities and will be rolling out over the coming days and weeks.


Details

  • The flaws are tracked as CVE-2021-21194, CVE-2021-21195, CVE-2021-21196, CVE-2021-21197, CVE-2021-21198, and CVE-2021-21199.
  • The most severe of the flaws could allow for arbitrary code execution in the context of the browser.
  • Malicious actors could exploit the flaws by tricking a user to visit a specially-crafted web page.
  • Depending on the privileges associated with the application, an attacker could view, change, or delete data.
  • If the application has been configured with fewer user rights on the system, exploiting the most severe of these vulnerabilities would have less impact than if it ran with administrative rights.

Why it’s important

  • There is a high risk associated with browser vulnerabilities as threat actors often exploit them for malicious purposes.
  • If you are using a vulnerable version of Chrome, update to the latest version as soon as it becomes available.
  • Windows, Mac and Linux desktop users can upgrade by going to Settings -> Help -> About Google Chrome.
  • Ensure that your organization has the least privilege access control implemented to restrict access rights to only those resources that are appropriate for a user.

References: Google Chrome Release

OpenSSL Fixes a Security Issue Affecting Several Vendors and Services

On 25 March 2021, OpenSSL released version 1.1.1k to fix two security issues. The flaws, tracked as CVE-2021-3450 and CVE-2021-3449, affect a range of recent OpenSSL versions and apply only to specific configurations.


Details

  • The first vulnerability, CVE-2021-3450, only affects niche non-standard configurations (with the X509_V_FLAG_X509_STRICT flag set) in OpenSSL 1.1.1h and newer, up to the fixed 1.1.1k release.
  • The second, CVE-2021-3449, affects all OpenSSL 1.1.1 versions when OpenSSL TLS servers are running default configurations (with TLSv1.2 and renegotiation enabled). OpenSSL TLS clients are not impacted by this issue.
  • At the time of writing, Ubuntu, WindRiver, Debian, and AlpineLinux announced that they are applying the patches for these issues.

Why it’s important

  • There is a high risk associated with OpenSSL vulnerabilities as threat actors often exploit them for malicious purposes.
  • OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet.
  • Malicious actors could abuse the flaw tracked as CVE-2021-3449 to cause a denial-of-service (DoS) condition by sending maliciously crafted data to the server.
  • The issue is likely to affect Internet-facing servers that use OpenSSL, including web and mail servers. Network appliances that use OpenSSL and are exposed to the Internet would be vulnerable too.
  • Any end-user-facing software built on OpenSSL 1.1.1 with renegotiation enabled may be vulnerable.

Mitigation

  • We recommend monitoring for updates and guidance from operating system, distribution, appliance and software vendors and from service providers, and applying updates as they become available.
  • To determine whether OpenSSL is present and which version is installed, we recommend administrators run the “openssl version” command in a terminal on their appliances.
  • Follow OpenSSL guidance on updating and configuring the implementations.
  • TLS 1.3 is supported in up-to-date major web browsers. Consider disabling TLS 1.2 where possible.
  • Update OpenSSL libraries to version 1.1.1k along with operating system patches to keep the server secure.
    Note: A reboot is required. Patching without a reboot leaves the vulnerable code in memory even though the patched version is on disk, so the server remains vulnerable.
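The version check above, as an added example (not part of the original advisory or of OpenSSL itself): it maps an OpenSSL 1.1.1 release letter to the two CVEs fixed in 1.1.1k. It assumes only the 1.1.1 series is of interest, that the version is the second field of the “openssl version” banner, and the sample banner below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: classify an OpenSSL 1.1.1 version against CVE-2021-3449 and
# CVE-2021-3450 (both fixed in 1.1.1k). Assumptions not taken from the advisory:
# only the 1.1.1 series is classified; distro suffixes such as "-fips" are ignored.
LC_ALL=C; export LC_ALL   # make [a-j]-style ranges collate predictably

# Print the CVE IDs that apply to a version string such as "1.1.1j".
# CVE-2021-3449: every 1.1.1 release before k (server side, only when TLSv1.2
# renegotiation is enabled). CVE-2021-3450: 1.1.1h through 1.1.1j, only when
# X509_V_FLAG_X509_STRICT is set. Prints nothing for 1.1.1k+ or other series.
openssl_111_exposure() {
    case "$1" in
        1.1.1|1.1.1[a-z]*) ;;
        *) echo "$1: not in the 1.1.1 series, outside this advisory" >&2; return 0 ;;
    esac
    letter=${1#1.1.1}              # "" for the initial 1.1.1 release
    letter=${letter%%[!a-z]*}      # drop anything after the release letter
    exposure=""
    case "$letter" in
        ""|[a-j]) exposure="CVE-2021-3449" ;;
    esac
    case "$letter" in
        [h-j]) exposure="$exposure CVE-2021-3450" ;;
    esac
    printf '%s\n' "${exposure# }"
}

# Extract the version field from an `openssl version` banner line.
openssl_version_from_banner() {
    set -- $1                      # split on whitespace: "OpenSSL" "1.1.1j" ...
    printf '%s\n' "$2"
}

# Run the check against the OpenSSL binary on this host (needs openssl in PATH).
check_local_openssl() {
    banner=$(openssl version 2>/dev/null) || { echo "openssl not found in PATH" >&2; return 1; }
    found=$(openssl_111_exposure "$(openssl_version_from_banner "$banner")")
    if [ -n "$found" ]; then
        echo "$banner: update to 1.1.1k or later and reboot; exposed to: $found"
    else
        echo "$banner: not affected by CVE-2021-3449/CVE-2021-3450"
    fi
}

# Offline demonstration on a constructed banner (not captured from a real host).
sample_banner="OpenSSL 1.1.1j  16 Feb 2021"
echo "$sample_banner -> $(openssl_111_exposure "$(openssl_version_from_banner "$sample_banner")")"
```

Distributions such as Ubuntu and Debian backport fixes without changing the version letter, so treat a match as a prompt to check the package changelog, not as proof of exposure.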

References: OpenSSL