Cyble Urges ICS Vulnerability Fixes for TEM, Mitsubishi, and Delta Electronics

Key Takeaways


Cyble researchers investigated vulnerabilities in five ICS/OT products this week and identified Mitsubishi Electric, TEM, and Delta Electronics products as top priorities for security teams.

TEM has been unresponsive to reports of vulnerabilities in Opera Plus FM Family Transmitters, version 35.45, so users are urged to take mitigation steps.

Mitsubishi Electric has no plans to fix vulnerabilities in MELSEC iQ-F FX5-OPC communication units and instead recommended mitigation steps.

Overview

Cyble researchers have identified vulnerabilities in three products used in critical infrastructure environments that merit high-priority attention from security teams.

Cyble’s weekly industrial control system/operational technology (ICS/OT) vulnerability report for Oct. 1-7 investigated 10 vulnerabilities in five ICS/OT products and identified products from Mitsubishi Electric, TEM, and Delta Electronics as top priorities for patching and mitigation.

TEM Opera Plus FM Family Transmitter Vulnerabilities

Opera Plus FM Family Transmitters are affected by a missing authentication for critical function vulnerability and a cross-site request forgery (CSRF) vulnerability (CVE-2024-41987 and CVE-2024-41988). Because a proof of concept (PoC) is publicly available, the bar for an attacker to target these devices is low.

CISA issued an advisory on the vulnerabilities on Oct. 3, 2024, and CVE records were created the same day. CISA notes that TEM has been unresponsive to requests to work with the agency on the vulnerability; the PoC developer, Gjoko Krstic, also reported a lack of response from the company.

The transmitters are used globally in the communications sector; version 35.45 is affected.

CISA recommends the following mitigations:


Minimize network exposure for all control system devices and systems, ensuring they are not internet-accessible.

Place control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods such as VPNs, recognizing that VPNs may have vulnerabilities of their own and should be kept updated to the most current version, and that a VPN is only as secure as the devices connected to it.

Mitsubishi Electric MELSEC iQ-F FX5-OPC

Mitsubishi Electric’s MELSEC iQ-F FX5-OPC communication units are affected by a NULL pointer dereference vulnerability (CVE-2024-0727) that malicious actors could exploit to create denial-of-service (DoS) conditions by getting a legitimate user to import a specially crafted PKCS#12 file. The underlying flaw is in the OpenSSL library the unit uses (CVE-2024-0727 is the OpenSSL identifier), as Mitsubishi Electric detailed in an Oct. 1 advisory.

Mitsubishi Electric has no plans to fix the vulnerability and instead recommends the following mitigations:


Use within a LAN and block access from untrusted networks and hosts through firewalls.

Restrict physical access to the product and computers and network devices located within the same network.

Use a firewall or VPN to prevent unauthorized access when Internet access is required.

Use the IP filter function to block access from untrusted hosts. For details on the IP filter function, refer to the following manual: MELSEC iQ-F FX5 OPC UA Module User’s Manual “4.4 IP Filter”

Do not import untrusted certificates.
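As an added illustration of the failure mode described above (this is example code, not part of the Cyble post and not anything Mitsubishi Electric or OpenSSL ship), the following Python screens a PKCS#12 file before it is handed to an OpenSSL-based importer. It assumes, from the OpenSSL advisory for CVE-2024-0727, that the crash condition is a ContentInfo whose optional [0] content field is absent, and it inspects only the outer authSafe layer. The PFX blobs are constructed inline, and the function names are the example's own.

```python
# Added example (not from the Cyble post, Mitsubishi Electric, or OpenSSL):
# a fail-closed structural check for PKCS#12 files.  Assumption: the
# CVE-2024-0727 crash condition is an authSafe ContentInfo whose optional
# [0] content field is absent, which OpenSSL then dereferences as NULL.
#
# PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData OPTIONAL }
# ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY OPTIONAL }

PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1


def read_tlv(buf: bytes, off: int):
    """Decode one DER TLV at buf[off]; return (tag, value, offset_after)."""
    if off >= len(buf):
        raise ValueError("truncated DER: no tag byte")
    tag = buf[off]
    off += 1
    if off >= len(buf):
        raise ValueError("truncated DER: no length byte")
    length = buf[off]
    off += 1
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER: value runs past end of buffer")
    return tag, buf[off:off + length], off + length


def pkcs12_has_authsafe_content(pfx: bytes) -> bool:
    """True only if the outer PFX's authSafe carries a non-empty [0] content.

    Raises ValueError on malformed input so callers can fail closed."""
    tag, pfx_body, _ = read_tlv(pfx, 0)
    if tag != 0x30:
        raise ValueError("PFX is not a SEQUENCE")
    tag, version, off = read_tlv(pfx_body, 0)
    if tag != 0x02 or version != b"\x03":
        raise ValueError("unexpected PFX version")
    tag, ci_body, _ = read_tlv(pfx_body, off)
    if tag != 0x30:
        raise ValueError("authSafe is not a ContentInfo SEQUENCE")
    tag, oid, off = read_tlv(ci_body, 0)
    if tag != 0x06 or oid != PKCS7_DATA_OID:
        raise ValueError("authSafe contentType is not pkcs7-data")
    if off >= len(ci_body):
        return False                       # [0] content absent: the NULL case
    tag, content, _ = read_tlv(ci_body, off)
    return tag == 0xA0 and len(content) > 0


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed samples below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


# Constructed samples: a well-formed outer PFX and one with the content omitted.
_authsafe_ok = der(0x30, der(0x06, PKCS7_DATA_OID) + der(0xA0, der(0x04, b"\x30\x00")))
_authsafe_bad = der(0x30, der(0x06, PKCS7_DATA_OID))
GOOD_PFX = der(0x30, der(0x02, b"\x03") + _authsafe_ok)
BAD_PFX = der(0x30, der(0x02, b"\x03") + _authsafe_bad)


def safe_to_import(pfx: bytes) -> bool:
    """Fail-closed gate to run before handing a .p12/.pfx to an OpenSSL importer."""
    try:
        return pkcs12_has_authsafe_content(pfx)
    except ValueError:
        return False


if __name__ == "__main__":
    print("well-formed PFX:", safe_to_import(GOOD_PFX))     # True
    print("content absent:", safe_to_import(BAD_PFX))       # False
```

The check is a screen, not a replacement for the vendor mitigation: nested ContentInfo structures inside the authSafe can carry the same absent-content pattern, so the robust fix remains refusing untrusted certificates and running a patched OpenSSL.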

Delta Electronics DIAEnergie

SQL injection vulnerabilities (CVE-2024-43699 and CVE-2024-42417) in Delta Electronics’ DIAEnergie industrial energy management system could allow an unauthenticated attacker to retrieve records stored in the targeted product.

Versions v1.10.01.008 and prior are affected, and Delta Electronics recommends that users upgrade to v1.10.01.009.

Optigo Networks and Subnet Solutions

Optigo Networks (CVE-2024-41925 and CVE-2024-45367) and Subnet Solutions PowerSYSTEM Center (CVE-2020-28168, CVE-2021-3749, and CVE-2023-45857) products were also the focus of recent security advisories. Cyble recommended patching the Optigo ONS-S8 Spectra Aggregation Switch vulnerabilities last week.

Recommendations and Mitigations

Cyble also offered general security guidelines for ICS and OT environments:


Keep track of security, patch advisories, and alerts issued by vendors and state authorities.

Follow a risk-based vulnerability management approach to reduce the risk of exploitation of assets and implement a Zero-Trust Policy.

Threat intelligence analysts should support the organizational patch management process by continuously monitoring for, and notifying stakeholders of, critical vulnerabilities listed in CISA’s KEV catalog, actively exploited in the wild, or seen in mass exploitation attempts on the internet.

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

Implement proper network segmentation to prevent attackers from performing discovery and lateral movement and minimize exposure of critical assets.

Regular audits, vulnerability assessments, and pen-testing exercises are vital in finding security loopholes that attackers may exploit.

Continuous monitoring and logging can help in detecting network anomalies early.

Utilize Software Bill of Materials (SBOM) to gain more visibility into individual components, libraries, and their associated vulnerabilities.

Install physical controls to prevent unauthorized personnel from accessing your devices, components, peripheral equipment, and networks.

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

The post Cyble Urges ICS Vulnerability Fixes for TEM, Mitsubishi, and Delta Electronics appeared first on Cyble.

Blog – Cyble – Read More

Ghidra data type archive for Windows driver functions

While reverse-engineering Windows drivers with Ghidra, it is common to encounter a function or data type that is not recognized during disassembly.

This is because Ghidra does not natively include the majority of the definitions for data types and functions used by Windows drivers.

Thankfully, these problems can usually be solved by importing Ghidra data type archive files (.gdt) that contain the relevant definitions.

However, it is not uncommon that the definitions in question aren’t available in a preexisting .gdt file, meaning a new definition must be created manually. Additionally, in some cases, the function or data type may be undocumented by Microsoft, making the process of creating a new definition a more tedious process.

To aid analysts in reverse engineering Windows drivers, Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types that have been created as needed during our analysis of malicious drivers, as they were not present in the commonly used data type archives.

It is important to note that this archive is not intended to contain all undocumented Windows functions or serve as a replacement for other available data type archives, but as a supplement to them. This is a long-term project that will continue to grow when new definitions are created by our analysts and added to the public release.

The archive can be found here on our GitHub repository.

Cisco Talos Blog – Read More

CISA Issues Urgent Advisory on Critical Vulnerabilities in Ivanti Products

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on vulnerabilities disclosed in multiple Ivanti products, including Ivanti Endpoint Manager Mobile (EPMM), Ivanti Cloud Service Application (CSA), Ivanti Velocity License Server, Ivanti Connect Secure, Policy Secure, and Ivanti Avalanche.

Ivanti’s own advisory focuses on the Ivanti Cloud Service Application (CSA). It states that a limited number of customers running CSA 4.6 patch 518 and earlier have been exploited when one of CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 is chained with CVE-2024-8963.

The Ivanti advisory covers a range of vulnerabilities across its product lines, all of which require urgent attention.

Details of Ivanti Vulnerabilities

CVE-2024-7612, classified as high severity with a score of 8.8, affects Ivanti EPMM (Core) versions 12.1.0.3 and earlier. This vulnerability involves incorrect permission assignment, allowing local authenticated attackers to access or modify sensitive configuration files without proper authorization. If exploited, this could lead to severe security breaches.

Another vulnerability, CVE-2024-9379, has been categorized as medium severity with a CVSS score of 6.5. This SQL injection vulnerability affects Ivanti CSA (Cloud Services Appliance) versions 5.0.1 and earlier, allowing remote authenticated attackers with admin privileges to execute arbitrary SQL statements through the admin web console.

Furthermore, CVE-2024-9380, an OS command injection vulnerability also affecting Ivanti CSA, is rated high with a score of 7.2. This flaw enables remote authenticated attackers to gain unauthorized access and execute commands on the operating system via the admin web console.

Additionally, CVE-2024-37404 is a critical vulnerability with a CVSS score of 9.1, impacting both Ivanti Connect Secure and Policy Secure. This flaw allows a remote authenticated attacker to achieve remote code execution due to improper input validation in the admin portal of vulnerable versions.

Where these vulnerabilities appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog, immediate action is required: a KEV listing means there is evidence that threat actors are already exploiting the flaw in the wild, not merely that they could. Attackers can use such vulnerabilities for data breaches, ransomware attacks, and privilege escalation.

Recommendations and Mitigations

To mitigate these risks effectively, organizations must take proactive measures. Some of the mitigation strategies include: 


Regularly update all software and hardware systems with the latest vendor patches to significantly reduce the risk of exploitation.

Create a routine patch schedule that prioritizes critical patches.

Develop a patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification, and automate the process wherever possible to enhance efficiency and consistency.

Divide networks into distinct segments to isolate critical assets from less secure areas and reduce the attack surface.

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, and regularly test and update it to keep it effective against current threats.

Implement comprehensive monitoring to detect and analyze suspicious activity, using a Security Information and Event Management (SIEM) system to aggregate and correlate logs for real-time threat detection and response.

Conclusion

By adopting these strategies, organizations can reduce their vulnerability to exploitation and enhance their overall security posture. The proactive measures highlighted in this advisory are essential for protecting sensitive information and maintaining system integrity in an increasingly hostile internet. Immediate action is required to mitigate the risks posed by these vulnerabilities and ensure that organizational assets are safeguarded against potential threats.

The post CISA Issues Urgent Advisory on Critical Vulnerabilities in Ivanti Products appeared first on Cyble.

Blog – Cyble – Read More

Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project

Cisco Talos’ Vulnerability Research team recently disclosed six new security vulnerabilities across a range of software, including one in a popular PDF reader that could lead to arbitrary code execution. 

Foxit PDF Reader, one of the most popular alternatives to Adobe Acrobat, contains a memory corruption vulnerability that could allow an adversary to execute code on the targeted machine. 

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Use-after-free vulnerability in Foxit PDF Reader

Discovered by KPC.

A use-after-free vulnerability in Foxit PDF Reader could lead to memory corruption and eventually arbitrary code execution on the targeted machine.

TALOS-2024-1967 (CVE-2024-28888) can be triggered if an adversary tricks a user into opening a specially crafted PDF that contains malicious JavaScript. Exploitation could also occur if the targeted user visits an attacker-controlled website with the Foxit PDF Reader browser extension enabled.

Multiple vulnerabilities in GNOME project library could lead to code execution

Two vulnerabilities in the G Structured File Library (libgsf) could lead to arbitrary code execution. 

This GNOME project provides an abstraction layer over different structured file formats such as .tar and .zip.

TALOS-2024-2068 (CVE-2024-36474) is an integer overflow vulnerability that could allow an out-of-bounds index to be used when reading and writing to an array. This could lead to arbitrary code execution if an adversary exploited it appropriately. 

TALOS-2024-2069 (CVE-2024-42415) works similarly, but in this case, it arises when the software processes the sector allocation table.

An adversary could exploit both these vulnerabilities by tricking the targeted user into opening a malicious, specially crafted file. 

Three vulnerabilities in Veertu Anka Build

Discovered by KPC.

Veertu’s Anka Build software contains three vulnerabilities, two of which are directory traversal issues. 

Anka Build is a suite of software designed to test macOS and iOS applications in CI/CD environments. The suite is a centralized dashboard for managing nodes, VM instances, templates, tags and logs. 

This software contains two directory traversal vulnerabilities — TALOS-2024-2059 (CVE-2024-41163) and TALOS-2024-2061 (CVE-2024-41922) — that could lead to the disclosure of arbitrary files. An adversary could exploit these vulnerabilities by sending the target a specially crafted HTTP request. 

Another vulnerability, TALOS-2024-2060 (CVE-2024-39755), is a privilege escalation issue that could allow a low-privileged user to force the software to update, potentially raising their access to that of a root user. 

Cisco Talos Blog – Read More

OEMs Are Urged to Address Vulnerabilities in Device Communication

Overview

Qualcomm has published its October 2024 Security Bulletin, covering multiple vulnerabilities. Google’s Threat Analysis Group has also reported that one of them, CVE-2024-43047, has been exploited in targeted attacks. The vulnerability lies in the FASTRPC driver, which handles remote procedure calls between the application processor and the DSP. Exploitation could allow unauthorized access to sensitive data.

Considering this, original equipment manufacturers (OEMs) have received patches designed to rectify this flaw, and they are strongly encouraged to implement these updates without delay. Users concerned about the implications of this vulnerability should contact their device manufacturers for specific patch details and guidance.

Google has publicly acknowledged the contributions of various researchers who have been instrumental in identifying and reporting several critical security flaws. Among these notable contributions is CVE-2024-33066, identified by Claroty Research in partnership with Trend Micro. This collaboration highlights the importance of teamwork in discovering and mitigating potential threats.

Another key vulnerability, CVE-2024-21455, was reported by Seth Jenkins from Google Project Zero, demonstrating the ongoing commitment of researchers to enhance security measures across various platforms. Additionally, Xiling Gong identified CVE-2024-38399, further contributing to the collective knowledge needed to protect users against cybersecurity threats.

Most prominently, CVE-2024-43047 was brought to light by a team that included Seth Jenkins, Conghui Wang, and the Amnesty International Security Lab.

Overview of Vulnerabilities and Patches

Recent vulnerability assessments have revealed a concerning mix of high- and moderate-impact vulnerabilities across proprietary and open-source software. Understanding the nature and severity of these vulnerabilities is critical for grasping their potential impact on device security.

Among the high-impact vulnerabilities, CVE-2024-33066, in the WLAN Resource Manager, stands out: reported on September 6, 2023, it has been assigned a CVSS score of 9.8 (critical). Another, CVE-2024-21455, affects the DSP Service; reported on June 11, 2024, it is rated high with a CVSS score of 8.0.

Moderate impact vulnerabilities have also been identified, including CVE-2024-23375, which relates to the Radio Interface Layer. This issue was flagged on November 27, 2023, and is rated medium with a CVSS score of 5.5. Another moderate vulnerability, CVE-2024-38425, related to performance, was reported on January 23, 2024.

A detailed analysis of critical vulnerabilities reveals specific challenges that need to be addressed. For instance, CVE-2024-33064 involves a buffer over-read in WLAN host communication, which could allow for information disclosure during data transmission. Another vulnerability, CVE-2024-33069, is characterized as a “Use After Free” issue that can lead to a transient denial of service, disrupting communication between devices. Additionally, CVE-2024-38399 highlights a similar “Use After Free” vulnerability in graphics processing, which can result in memory corruption and negatively impact device functionality.

Moreover, vulnerabilities related to multimedia and power management integrated circuits (ICs) require attention, as they pose risks to device integrity and user privacy.

Conclusion

The ongoing battle against cybersecurity threats requires a collective effort from researchers, manufacturers, and users alike. As the vulnerabilities in Qualcomm’s latest bulletin and the exploitation reported by Google’s Threat Analysis Group demonstrate, proactive measures and timely patch deployment are key to maintaining secure systems.

Recommendations and Mitigations


Users should stay informed about vulnerabilities affecting their devices.

Regular updates and patch installations are crucial for mitigating risks associated with known vulnerabilities.

Engaging with device manufacturers for patch information is essential.

Timely updates can significantly reduce the potential for exploitation.

Manufacturers must prioritize the deployment of patches.

Quick implementation of security measures protects end-users.

Prompt action also upholds manufacturers’ reputations in a security-conscious market.

The post OEMs Are Urged to Address Vulnerabilities in Device Communication appeared first on Cyble.

Blog – Cyble – Read More

Security Updates for Adobe FrameMaker: Addressing Critical Vulnerabilities

Overview

Adobe has released new updates across several of its products, including Adobe FrameMaker, Adobe Substance 3D Printer, Adobe Commerce and Magento Open Source, Adobe Dimension, Adobe Animate, Adobe Lightroom, Adobe InCopy, Adobe InDesign, and Adobe Substance 3D Stager. The updates, which the Cybersecurity and Infrastructure Security Agency (CISA) has also flagged, address critical vulnerabilities that could allow malicious actors to execute arbitrary code on affected systems. Although Adobe has stated that it is not aware of any in-the-wild exploitation of these vulnerabilities, the potential impact warrants prompt action from users to secure their installations.

The vulnerabilities identified impact various versions of Adobe products, specifically those running on Windows platforms. For Adobe FrameMaker, the affected versions include FrameMaker 2020 Release: Update 6 and earlier, as well as FrameMaker 2022 Release: Update 4 and earlier. Adobe Substance 3D Printer is also affected, with versions 1.0.3 and earlier being vulnerable.

Additionally, Adobe Commerce and Magento Open Source have vulnerabilities in Magento Open Source 2.4.6-p1 and earlier, as well as Magento Open Source 2.4.5-p2 and earlier. For Adobe Dimension, versions 3.4.2 and earlier are impacted. Adobe Animate has vulnerabilities in version 23.0.0 and earlier, while Adobe Lightroom users should be aware that Lightroom Classic 12.3 and earlier are also affected. Furthermore, Adobe InCopy and Adobe InDesign have vulnerabilities in their 2023 Release: Update 4 and earlier versions. Finally, Adobe Substance 3D Stager users should note that version 2.2 and earlier are at risk.

Adobe has assigned these updates a priority rating of 3, its lowest-urgency tier (install at administrators’ discretion); users are nonetheless encouraged to update to the latest versions to close the code execution paths. For Adobe FrameMaker, users should upgrade to FrameMaker 2020 Update 7 or FrameMaker 2022 Update 5. The recommended version for Adobe Substance 3D Printer is 1.0.4 or later. Users of Adobe Commerce and Magento Open Source should update to Magento Open Source 2.4.6-p2 or later.

For those using Adobe Dimension, the update to version 3.4.3 or later is recommended. Adobe Animate users should upgrade to version 23.0.1 or later. Adobe Lightroom Classic users need to move to version 12.4 or later. InCopy users should update to the 2023 Release: Update 5, and InDesign users are advised to upgrade to the 2023 Release: Update 5 as well. Finally, for Adobe Substance 3D Stager, users should update to version 2.3 or later.

Vulnerability Details and Acknowledgments

In Adobe FrameMaker, the first vulnerability is an Out-of-Bounds Read (CWE-125) that could lead to arbitrary code execution; it is rated critical with a CVSS base score of 7.8 and tracked as CVE-2024-47421. The second is an Untrusted Search Path vulnerability (CWE-426), CVE-2024-47422, which also allows arbitrary code execution and carries the same severity and CVSS base score.

The third vulnerability involves the Unrestricted Upload of Files with Dangerous Type (CWE-434), which again could allow for arbitrary code execution, rated as critical with a CVSS base score of 7.8 (CVE-2024-47423). Another critical risk is associated with Integer Overflow or Wraparound (CWE-190), which can also lead to arbitrary code execution, rated with the same CVSS score (CVE-2024-47424). Lastly, Integer Underflow (Wrap or Wraparound) (CWE-191) is another critical vulnerability allowing arbitrary code execution, also carrying a CVSS base score of 7.8 (CVE-2024-47425).

The presence of these vulnerabilities across widely used Adobe products poses risks for users. Arbitrary code execution could allow attackers to gain control of affected systems, leading to unauthorized access to sensitive data, data breaches, or other forms of exploitation. Prompt updates to the latest software versions are essential in protecting user systems from such threats.

Adobe has expressed gratitude to the security researchers and organizations that have collaborated to identify and analyze these vulnerabilities. The individuals who have been instrumental in reporting the relevant issues include yjdfy, who reported CVE-2024-47424 and CVE-2024-47425; Sidhu (someonealt-86), who reported CVE-2024-47423; jony_juice, who reported CVE-2024-47422; and Francis Provencher (prl), who reported CVE-2024-47421. 

Conclusion

The vulnerabilities addressed in the recent updates highlight the collective effort required to create a more secure environment. By remaining vigilant and proactive in applying updates and adhering to best practices, users can contribute to protecting their systems and data from online threats.

Recommendations and Mitigations

To mitigate these vulnerabilities, Cyble recommends the following strategies:


Regularly monitor security bulletins and subscribe to newsletters for timely information on vulnerabilities and updates.

Promptly applying patches can mitigate risks associated with known vulnerabilities.

Users are encouraged to engage with manufacturers for clarification on updates and security measures.

Organizations utilizing Adobe products should educate employees about cybersecurity best practices.

Continuously monitor systems for unusual activity to identify potential exploits before they escalate.

Implement additional security measures, such as firewalls and antivirus software, to further safeguard sensitive information.

The post Security Updates for Adobe FrameMaker: Addressing Critical Vulnerabilities appeared first on Cyble.

Blog – Cyble – Read More

Authentication codes from a service you don’t have an account with | Kaspersky official blog

We’ve previously covered what to do if you receive an unexpected one-time login code for one of your accounts (spoiler alert: it’s probably a hacking attempt, and it’s time to consider getting reliable protection for all your devices).

But sometimes the situation is different: you get a two-factor authentication code for a service where you’ve never had an account. In this post, we’ll discuss why this might happen, and how to react to such messages.

Why you might receive a code for an unknown account

There are two basic explanations for receiving one-time login codes for an account you’re certain doesn’t belong to you.

The first and most likely explanation: before you got your current phone number, it belonged to someone else. When they canceled their service, the number went back into circulation and eventually landed with you. This is called “phone number recycling” — a standard practice for mobile service providers.

Thus, the previous owner of your number registered an account using it. And now, either they’re trying to log in, or someone else is attempting to hack their account. As a result, one-time login codes are being sent to the number (which now belongs to you).

The less likely scenario is that someone is unintentionally trying to register an account using your phone number. Perhaps they mistyped their own number, or simply entered a random sequence of digits that happened to be yours.

What to do

No matter which of the above scenarios may have occurred, the good news is it’s not your problem. You don’t need to do anything and there’s nothing to worry about — unless you plan on creating an account with that service. If you do, you might run into a problem: your number is already associated with an existing (albeit abandoned) account. In that case, contact the service’s support team and explain the situation, and ask them to detach the unknown account from your number while mentioning that you’re a potential new customer.

If support can’t or won’t help, there’s nothing you can do except get an extra SIM card and link your account to the new number.

What NOT to do

Now, let’s talk about what you absolutely should not do: under no circumstances should you attempt to use the one-time codes you receive to access an account that doesn’t belong to you. Curiosity killed the cat, and in this case it could have serious consequences.

Accessing someone else’s account isn’t just unethical; it’s illegal in most jurisdictions. For example, in the U.S., the very strict Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) covers this. Germany has Section 202 of its Criminal Code (StGB § 202), and the list goes on for most if not all countries worldwide. Although the probability of facing legal consequences for accessing someone else’s account may not be high, it’s not worth the risk.

Keep in mind that this probability increases significantly if the account is linked to illegal activity. In that case, law enforcement might take a keen interest in anyone who accesses the account, and sooner or later you could find yourself facing some very uncomfortable questions.

So, the best course of action when receiving a text message with a one-time login code for an account that doesn’t belong to you is to simply ignore it. And to avoid any unnecessary trouble, absolutely do not try to log in to someone else’s account.

Kaspersky official blog – Read More

Private AI Assistant for Malware Analysis in ANY.RUN Sandbox

We are excited to announce the release of an updated AI assistant, which brings powerful analysis capabilities right to your private sessions in the ANY.RUN sandbox. With our new assistant, we’ve taken things to the next level by combining deep, insightful analysis with the privacy and security you need. 

AI Reports Are Now Available for Private Sessions 

Previously, our AI assistant (powered by ChatGPT) was only accessible in public sandbox sessions. Now, it has been replaced with a new AI model fully hosted on our own infrastructure, allowing Hunter and Enterprise users to enjoy AI insights securely in private mode as well.

AI reviews inside ANY.RUN’s sandbox analysis session

With the updated version, you get detailed insights without any risk of your information being shared with third parties. Everything stays within your private session, so you can confidently analyze sensitive files and links with full privacy.

How AI Assistant Helps with Malware Analysis 

Inside ANY.RUN’s sandbox, you’ll now find the AI button next to processes, Suricata rules, as well as other key elements in your analysis session.  

Click the AI button next to processes, events, and other elements to generate AI reports

By clicking the AI button, you can get detailed insights about what each element does in that specific context. This feature is designed to give you a clearer understanding of malicious behavior, speeding up your investigations and providing helpful summaries in real time. 

Here’s what AI assistant can do for you: 

1. Process trees: The AI assistant digs into the process tree, identifies suspicious behavior and offers summaries of each process, helping users focus on critical areas of interest. 

Analysis of processes by AI

2. Command line: It scans command line inputs, pinpointing potential indicators of malicious activity, and generates a detailed report to guide your investigation. 

Command line analyzed by AI

3. Suricata rule triggers: When Suricata rules are triggered, the AI assistant provides a clear explanation of what these triggers mean in the context of your security, helping you understand the potential threat level. 

Suricata rule analyzed by AI assistant

4. HTTP connections: The assistant reviews HTTP connections, summarizing any suspicious behaviors or connections that may pose a risk to your network. 

HTTP requests analyzed by AI

5. Registry changes: The assistant flags unusual changes in the system registry, highlighting actions that could signal a malware threat. 

Registry changes analyzed by AI inside ANY.RUN

AI Summary Button: A Quick Threat Overview at Your Fingertips 

After analyzing various elements inside the session with AI, you can view all the generated reports conveniently through the AI Summary button.

You can find the AI Summary button in the top right corner of your sandbox session

This button, located in the top right corner of your ANY.RUN sandbox session, compiles all the AI reviews you’ve generated for processes, Suricata rules, and other components.

By clicking the AI Summary button, you get a quick and comprehensive overview of your analysis in one place, making it easy to see everything the AI has helped you review and understand during the session. 

Conclusion

With the addition of the AI assistant in private mode, you can benefit from AI-driven insights, summaries, and explanations while ensuring that your sensitive data remains completely protected.

See more recent updates from ANY.RUN in the September 2024 release notes.

About ANY.RUN    

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

The post Private AI Assistant for Malware Analysis in ANY.RUN Sandbox appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings.  

October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities.   

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated only “moderate” severity.  

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability.  

The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.  

CVE-2024-43583, an elevation of privilege vulnerability in Winlogon, has also been publicly disclosed, according to Microsoft, but has not yet been exploited in the wild. This vulnerability could allow an attacker to obtain SYSTEM-level privilege. In addition to applying the patch, Microsoft also recommends users enable a Microsoft first-party Input Method Editor (IME) on their devices to prevent adversaries from being able to exploit third-party IMEs during the sign-in process. 

October’s Patch Tuesday also includes three critical vulnerabilities that could all lead to remote code execution. 

CVE-2024-43468 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Microsoft Configuration Manager to execute commands on the targeted server or underlying database. 

Another remote code execution vulnerability, CVE-2024-43488, exists in the Visual Studio Code extension for Arduino, an open-source platform for building and managing single-board microcontrollers and microcontroller kits. A missing authentication protocol could allow an adversary to execute remote code over the network.  

Microsoft stated that the company has already mitigated this vulnerability and users do not need to take any additional steps. This extension has also been deprecated and can no longer be downloaded from the internet. 

Lastly, CVE-2024-43582 exists in the Windows Remote Desktop Protocol server and could allow an attacker to execute code on the server side with the same permissions as the RPC service. An adversary could exploit this vulnerability by sending malformed packets to an RPC host. However, exploitation also requires that the adversary win a race condition first.  

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

CVE-2024-43502: Elevation of privilege vulnerability in Windows Kernel

CVE-2024-43509 and CVE-2024-43556: Elevation of privilege vulnerabilities in Windows Graphics Component

CVE-2024-43560: Elevation of privilege vulnerability in Windows Storage Port

CVE-2024-43581 and CVE-2024-43615: Remote code execution vulnerabilities in Microsoft OpenSSH for Windows

CVE-2024-43609: Spoofing vulnerability in Microsoft Office 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 – 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 – 301036 and 301041.

Cisco Talos Blog – Read More

Apple Issues Urgent Security Advisory for iOS and iPadOS Vulnerabilities

Overview

Apple has released a new security advisory highlighting the issues affecting Apple’s iOS and iPadOS platforms. As detailed in the advisory, two vulnerabilities have been identified, both of which affect Apple iOS and iPadOS up to version 18.0. The vendor is Apple, and patches are available for these vulnerabilities. 

The first vulnerability, CVE-2024-44204, relates to information disclosure and has been assigned a CVSSv3.1 score of 5.5, indicating a medium severity level. This vulnerability allows saved passwords to be read aloud by the VoiceOver feature, posing a significant privacy risk for users on affected iOS and iPadOS versions. A patch is available for this vulnerability.

The second vulnerability, CVE-2024-44207, also relates to information disclosure, with a CVSSv3.1 score of 4.3, again indicating medium severity. This issue affects audio messages in the Messages app, enabling a few seconds of audio capture before the microphone indicator activates. Such a flaw could result in unintended recordings. A security patch for this vulnerability is also available.

Apple has indicated that security updates addressing these vulnerabilities are included in the recent releases of iOS 18.0.1 and iPadOS 18.0.1.

Patch Details and Impact

The updates were released on October 3, 2024, and they specifically target a range of Apple devices. The vulnerability CVE-2024-44207 affects all iPhone 16 models, while CVE-2024-44204 impacts several devices, including the iPhone XS and later models, as well as various iPad Pro models (specifically the 13-inch and 12.9-inch 3rd generation and later), the iPad Air (3rd generation and later), and the iPad mini (5th generation and later).

Apple emphasizes the critical importance of security and maintains a policy of not disclosing details about vulnerabilities until a thorough investigation has been completed and patches are available. To enhance transparency, the vulnerabilities are referenced by their CVE IDs in Apple’s official documentation.

In a statement concerning the security content of the updates, Apple noted, “About the security content of iOS 18.0.1 and iPadOS 18.0.1. This document describes the security content of the updates.”

Historically, Apple products have been prime targets for cybercriminals who exploit vulnerabilities for various motives, including espionage and financial gain. The recent vulnerabilities discovered in iOS and iPadOS versions put sensitive user information at risk, highlighting the urgent need for immediate patching to protect against potential exploits.

Conclusion

The vulnerabilities identified in Apple’s iOS and iPadOS are a stark reminder of the evolving cybersecurity landscape. As cyber threats become increasingly sophisticated, users must prioritize the application of security patches to protect their sensitive information.

Recommendations and Mitigations


To mitigate the risks associated with these vulnerabilities, users are strongly advised to:

Regularly check for and install the latest security updates from Apple to ensure your devices are protected against known vulnerabilities.

Activate automatic updates on your devices to ensure that you receive security patches as soon as they are released, minimizing the risk of exposure.

Regularly review the permissions granted to apps, particularly those that access sensitive information, to ensure they align with your privacy preferences. 

Keep an eye on the activity logs and alerts on your devices for any unusual access or behavior that could indicate a breach.

Take advantage of built-in security features such as Face ID, Touch ID, and two-factor authentication to enhance the protection of your devices.

The post Apple Issues Urgent Security Advisory for iOS and iPadOS Vulnerabilities appeared first on Cyble.

Blog – Cyble – Read More