Wilford  Pagac

Wilford Pagac

1596811440

Attackers Exploiting High-Severity Network Security Flaw, Cisco Warns

Attackers are exploiting a high-severity vulnerability in Cisco’s network security software products, which is used by Fortune 500 companies.

Cisco is warning that a high-severity flaw in its network security software is being actively exploited – allowing remote, unauthenticated attackers to access sensitive data.

Patches for the vulnerability (CVE-2020-3452) in question, which ranks 7.5 out of 10 on the CVSS scale, were released last Wednesday. However, attackers have since been targeting vulnerable versions of the software, where the patches have not yet been applied.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code and active exploitation of the vulnerability that is described in this advisory,” according to Cisco.

The flaw specifically exists in the web services interface of Firepower Threat Defense (FTD) software, which is part of Cisco’s suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.

The potential threat surface is vast: Researchers with Rapid7 recently found 85,000 internet-accessible ASA/FTD devices. Worse, 398 of those are spread across 17 percent of the Fortune 500, researchers said.

The flaw stems from a lack of proper input validation of URLs in HTTP requests processed by affected devices. Specifically, the flaw allows attackers to conduct directory traversal attacks, which is an HTTP attack enabling bad actors to access restricted directories and execute commands outside of the web server’s root directory.

Soon after patches were released, proof-of-concept (POC) exploit code was released Wednesday for the flaw by security researcher Ahmed Aboul-Ela.

A potential attacker can view more sensitive files within the web services file system: The web services files may have information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.

Cisco said the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration: “The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,” according to its advisory. However, “this vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.”

cisco vulnerability patch

Credit: Rapid7

Researchers with Rapid7 say that since the patch was issued, only about 10 percent of Cisco ASA/FTD devices detected as internet-facing have been rebooted – which is a “likely indicator they’ve been patched.” Only 27 of the 398 detected in Fortune 500 companies appear to have been rebooted.

Researchers encourage immediate patching of vulnerable ASA/FTD installations “to prevent attackers from obtaining sensitive information from these devices which may be used in targeted attacks.”

“Cisco has provided fixes for all supported versions of ASA and FTD components,” said researchers. “Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, along with Cisco FTD Release 6.2.2 have reached the end of software maintenance and organizations will have to upgrade to a later, supported version to fix this vulnerability.”

Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable_” brings top cloud-security experts together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2pm ETfor this** FREE _**live webinar.

#vulnerabilities #web security #adaptive security appliance (asa) software #cisco #firepower threat defense (ftd) software #network security #patch

What is GEEK

Buddha Community

Attackers Exploiting High-Severity Network Security Flaw, Cisco Warns
Mitchel  Carter

Mitchel Carter

1603072800

Cisco Fixes High-Severity Webex, Security Camera Flaws

Cisco has issued patches for high-severity vulnerabilities plaguing its popular Webex video-conferencing system, its video surveillance IP cameras and its Identity Services Engine network administration product.

Overall, Cisco on Wednesday issued the three high-severity flaws along with 11 medium-severity vulnerabilities.

The most severe of these is a flaw (CVE-2020-3544) in Cisco’s Video Surveillance 8000 Series IP Cameras, which ranks 8.8 out of 10 on the CVSS scale.

“A vulnerability in the Cisco Discovery Protocol [CDP] implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to execute arbitrary code on an affected device or cause the device to reload,” according to Cisco’s security advisory.

The CDP is a network-discovery tool that helps network administrators identify neighboring Cisco devices. The vulnerability is due to missing checks when an IP camera processes a CDP packet.

To exploit the flaw, an attacker does not need to be authenticated. However, the person must be in the same broadcast domain as the affected device — because CDP is a Layer 2 protocol, attackers must be Layer 2-adjacent.

“An attacker could exploit this vulnerability by sending a malicious [CDP] packet to an affected device,” according to Cisco. “A successful exploit could allow the attacker to execute code on the affected IP camera or cause it to reload unexpectedly, resulting in a denial of service (DoS) condition.”

The vulnerability affects cameras running a firmware release earlier than Release 1.0.9-5 that have the CDP enabled, said Cisco. Of note, Cisco Video Surveillance 8000 Series IP Cameras are no longer being sold as of July 24; however, vulnerability and security support does not end until July 24, 2023.

Webex Bug

Cisco also patched a high-severity flaw affecting its Webex platform. This issue is severe given the troves of workforces turning to video conferencing systems during the pandemic – however, it is significantly complex to exploit, as an attacker would need to be both authenticated (needing valid credentials on the Windows system) and local.

The vulnerability stems from the incorrect handling of directory paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file in a specific location on the targeted system, which would then execute when the vulnerable application launches.

“A successful exploit could allow the attacker to execute arbitrary code on the targeted system with the privileges of another user’s account,” according to Cisco.

The flaw (CVE-2020-3535) affects Cisco Webex Teams for Windows releases 3.0.13464.0 through 3.0.16040.0; it does not affect Webex Teams for Android, Mac or iPhone and iPad.

#vulnerabilities #web security #cisco #cisco discovery protocol #cisco webex #cisco’s video surveillance 8000 series ip cameras #cve-2020-3467 #cve-2020-3535 #cve-2020-3544 #high severity flaw #identity services engine #patches #security camera #security vulnerabilities

Wilford  Pagac

Wilford Pagac

1596811440

Attackers Exploiting High-Severity Network Security Flaw, Cisco Warns

Attackers are exploiting a high-severity vulnerability in Cisco’s network security software products, which is used by Fortune 500 companies.

Cisco is warning that a high-severity flaw in its network security software is being actively exploited – allowing remote, unauthenticated attackers to access sensitive data.

Patches for the vulnerability (CVE-2020-3452) in question, which ranks 7.5 out of 10 on the CVSS scale, were released last Wednesday. However, attackers have since been targeting vulnerable versions of the software, where the patches have not yet been applied.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code and active exploitation of the vulnerability that is described in this advisory,” according to Cisco.

The flaw specifically exists in the web services interface of Firepower Threat Defense (FTD) software, which is part of Cisco’s suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.

The potential threat surface is vast: Researchers with Rapid7 recently found 85,000 internet-accessible ASA/FTD devices. Worse, 398 of those are spread across 17 percent of the Fortune 500, researchers said.

The flaw stems from a lack of proper input validation of URLs in HTTP requests processed by affected devices. Specifically, the flaw allows attackers to conduct directory traversal attacks, which is an HTTP attack enabling bad actors to access restricted directories and execute commands outside of the web server’s root directory.

Soon after patches were released, proof-of-concept (POC) exploit code was released Wednesday for the flaw by security researcher Ahmed Aboul-Ela.

A potential attacker can view more sensitive files within the web services file system: The web services files may have information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.

Cisco said the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration: “The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,” according to its advisory. However, “this vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.”

cisco vulnerability patch

Credit: Rapid7

Researchers with Rapid7 say that since the patch was issued, only about 10 percent of Cisco ASA/FTD devices detected as internet-facing have been rebooted – which is a “likely indicator they’ve been patched.” Only 27 of the 398 detected in Fortune 500 companies appear to have been rebooted.

Researchers encourage immediate patching of vulnerable ASA/FTD installations “to prevent attackers from obtaining sensitive information from these devices which may be used in targeted attacks.”

“Cisco has provided fixes for all supported versions of ASA and FTD components,” said researchers. “Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, along with Cisco FTD Release 6.2.2 have reached the end of software maintenance and organizations will have to upgrade to a later, supported version to fix this vulnerability.”

Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable_” brings top cloud-security experts together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2pm ETfor this** FREE _**live webinar.

#vulnerabilities #web security #adaptive security appliance (asa) software #cisco #firepower threat defense (ftd) software #network security #patch

Justyn  Ortiz

Justyn Ortiz

1603472400

Cisco Warns of Severe DoS Flaws in Network Security Software

Cisco has stomped out a slew of high-severity vulnerabilities across its lineup of network-security products. The most severe flaws can be exploited by an unauthenticated, remote attacker to launch a passel of malicious attacks — from denial of service (DoS) to cross-site request forgery (CSRF).

The vulnerabilities exist in Cisco’s Firepower Threat Defense (FTD) software, which is part of its suite of network-security and traffic-management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network-security devices.

“The Cisco Product Security Incident Response Team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” according to Cisco in an update released on Wednesday.

The most severe of these flaws includes a vulnerability in Cisco Firepower Chassis Manager (FCM), which exists in the Firepower Extensible Operating System (FXOS) and provides management capabilities.

The flaw (CVE-2020-3456) ranks 8.8 out of 10 on the CVSS scale, and stems from insufficient CSRF protections in the FCM interface. It could be exploited to enable CSRF — which means that when attackers are authenticated on the server, they also have control over the client.

“An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link,” according to Cisco. “A successful exploit could allow the attacker to send arbitrary requests that could take unauthorized actions on behalf of the targeted user.”

Cisco FXOS Software is affected when it is running on Firepower 2100 Series Appliances (when running ASA Software in non-appliance mode), Firepower 4100 Series Appliances and Firepower 9300 Series Appliances.

Four other high-severity vulnerabilities across Cisco’s Firepower brand could be exploited by an unauthenticated, remote attacker to cripple affected devices with a DoS condition. These include a flaw in Firepower’s Management Center Software (CVE-2020-3499), Cisco Firepower 2100 Series firewalls (CVE-2020-3562), Cisco Firepower 4110 appliances (CVE-2020-3571) and Cisco Firepower Threat Defense Software (CVE-2020-3563 and CVE-2020-3563).

Cisco also patched multiple DoS flaws in its Adaptive Security Appliance software, including ones tied to CVE-2020-3304CVE-2020-3529CVE-2020-3528CVE-2020-3554CVE-2020-3572and CVE-2020-3373 that could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly.

Another flaw of note, in the web services interface of Cisco Adaptive Security Appliance and Firepower Threat Defense, could allow an unauthenticated, remote attacker to upload arbitrary-sized files to specific folders on an affected device, which could lead to an unexpected device reload.

The flaw stems from the software not efficiently handling the writing of large files to specific folders on the local file system.

The new security alerts come a day after Cisco sent out an advisory warning that a flaw (CVE-2020-3118) the Cisco Discovery Protocol implementation for Cisco IOS XR Software was being actively exploited by attackers. The bug, which could be exploited by unauthenticated, adjacent attackers, could allow them to execute arbitrary code or cause a reload on an affected device.

#vulnerabilities #web security #adaptive security appliance #bugs #cisco #cross-site request forgery #csrf #cve-2020-3456 #cve-2020-3499 #cve-2020-3562 #cve-2020-3563 #cve-2020-3571 #denial of service #dos #firepower threat defense #patches #security vulnerabilities

Ron  Cartwright

Ron Cartwright

1602968400

Election Systems Under Attack via Microsoft Zerologon Exploits

U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft’s severe privilege-escalation flaw, dubbed “Zerologon,” to target elections support systems.

Days after Microsoft sounded the alarm that an Iranian nation-state actor was actively exploiting the flaw (CVE-2020-1472), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.

The advisory details how attackers are chaining together various vulnerabilities and exploits – including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method – to compromise government networks.

“This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,” according to the security advisory. “Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.”

With the U.S. November presidential elections around the corner – and cybercriminal activity subsequently ramping up to target election infrastructure and presidential campaigns – election security is top of mind. While the CISA and FBI’s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the “integrity of elections data has been compromised.”

Microsoft released a patch for the Zerologon vulnerability as part of its August 11, 2020 Patch Tuesday security updates. Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.

Despite a patch being issued, many companies have not yet applied the patches to their systems – and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.

The CISA and FBI warned that various APT actors are commonly using a Fortinet vulnerability to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet’s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.

Other initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler (CVE-2019-19781), MobileIron (CVE-2020-15505), Pulse Secure (CVE-2019-11510), Palo Alto Networks (CVE-2020-2021) and F5 BIG-IP (CVE-2020-5902).

After exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.

#critical infrastructure #vulnerabilities #web security #alert #apts #chaining #cisa #citrix netscaler #cve-2018-13379 #cve-2019-11510 #cve-2019-19781 #cve-2020-1472 #cve-2020-15505 #cve-2020-2021 #cve-2020-5902 #election security #election systems #exploit chain #f5 big-ip #fbi #government attacks #microsoft #mobileiron #palo alto networks #pulse secure #vpn #warning #zerologon

Wilford  Pagac

Wilford Pagac

1596877200

Critical Cisco Flaw Fixed in Data Center Network Manager

The flaw could allow a remote, unauthenticated attacker to bypass authentication on vulnerable devices.

Cisco is warning of several critical and high-severity flaws in its Data Center Network Manager (DCNM) for managing network platforms and switches.

DCNM is a platform for managing Cisco data centers that run Cisco’s NX-OS — the network operating system used by Cisco’s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. The flaws exist in the REST API of DCNM — and the most serious of these could allow an unauthenticated, remote attacker to bypass authentication, and ultimately execute arbitrary actions with administrative privileges on a vulnerable device.

The critical flaw (CVE-2020-3382), which was found during internal security testing, rates 9.8 out of 10 on the CVSS scale, making it critical in severity. While the flaw is serious, the Cisco Product Security Incident Response Team said it is not aware of any public announcements or malicious exploits of the vulnerability.

“The vulnerability exists because different installations share a static encryption key,” said Cisco, in a security update on Wednesday. “An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.”

This vulnerability affects all deployment modes of all Cisco DCNM appliances that were installed using .ova or .iso installers, and affects Cisco DCNM software releases 11.0(1), 11.1(1), 11.2(1), and 11.3(1).

“Cisco has confirmed that this vulnerability does not affect Cisco DCNM instances that were installed on customer-provided operating systems using the DCNM installer for Windows or Linux,” said Cisco. “Cisco has also confirmed that this vulnerability does not affect Cisco DCNM software releases 7.x and 10.x.”

Cisco has released software updates that address the vulnerability, though there are no workarounds that address the flaw.

Cisco also patched five high-severity flaws in DCNM, including two command-injection flaws (CVE-2020-3377 and CVE-2020-3384 ) that could allow an authenticated, remote attacker to inject arbitrary commands on affected devices; a path traversal issue (CVE-2020-3383) that could enable an authenticated, remote attacker to conduct directory traversal attacks on vulnerable devices; an improper authorization flaw (CVE-2020-3386), allowing an authenticated, remote attacker with a low-privileged account to bypass authorization on the API of an affected device; and an authentication bypass glitch (CVE-2020-3376) allowing an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions on an affected device.

DCNM came in the spotlight earlier this year when three critical vulnerabilities (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) were discovered in the tool in January. Two critical flaws were also found last year in DCNM, which could allow attackers to take control of impacted systems.

Cisco on Wednesday also patched a critical vulnerability (CVE-2020-3374) in the web-based management interface of its SD-WAN vManage Network Management system (the centralized management platform). This flaw could allow a remote attacker to bypass authorization, enabling them to access sensitive information, modify the system configuration, or impact the availability of the affected system – but the attacker would need to be authenticated to exploit the flaw.

#vulnerabilities #web security #cisco #critical cisco flaw #cve-2020-3382 #data center network manager #dcnm #fix #patch #rest api #security #vulnerability