US-CERT Feed

Citrix Releases Security Updates for SD-WAN WANOP

US-Cert Current Activity - Thu, 01/23/2020 - 4:20pm
Original release date: January 23, 2020

Citrix has released security updates to address the CVE-2019-19781 vulnerability in Citrix SD-WAN WANOP. An attacker could exploit this vulnerability to take control of an affected system. Citrix has also released an Indicators of Compromise Scanner that aims to identify evidence of successful exploitation of CVE-2019-19781.
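Alongside the vendor's IoC scanner, a first triage step is to look back through web access logs for the request pattern the exploitation relies on. The scanner below is an added example, not Citrix's IoC scanner or CISA's check tool. It keys on the same condition Citrix's interim responder-policy mitigation uses: a request whose URL-decoded path contains "/vpns/" together with a "/../" traversal (the traversal lets an unauthenticated request reach handlers under /vpns/ via the /vpn/ prefix). The NCSA combined log format, the sample lines, addresses and script names are constructed for the demo; adapt the regex to your appliance's log source.

```python
"""Scan web access logs for CVE-2019-19781 exploitation attempts.

Added example, not Citrix's or CISA's tooling. Flags any request whose
decoded path contains "/vpns/" and a "/../" traversal, and marks the hit as a
likely success when the server answered 200. Log format and sample lines are
constructed; addresses and script names are made up.
"""
import re
from urllib.parse import unquote

# NCSA combined log format (assumption: adapt to your log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def decode_path(target: str, rounds: int = 3) -> str:
    """URL-decode the path repeatedly so %2e%2e and double-encoding cannot hide the traversal."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def is_exploit_attempt(target: str) -> bool:
    path = decode_path(target)
    return "/vpns/" in path and "/../" in path


def scan_log(lines) -> list:
    """Return one record per suspicious request; likely_success is True for a 200 response."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_exploit_attempt(m["target"]):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": decode_path(m["target"]), "status": int(m["status"]),
            # A 200 on a traversal request means neither the mitigation nor the
            # patch was in place when the request arrived: treat as compromised.
            "likely_success": m["status"] == "200",
        })
    return hits


# Constructed sample lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
203.0.113.9 - - [11/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1891
203.0.113.9 - - [11/Jan/2020:03:14:11 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/sample.pl HTTP/1.1" 403 0
198.51.100.4 - - [11/Jan/2020:03:15:00 +0000] "GET /vpn/%252e%252e/vpns/portal/scripts/sample.pl HTTP/1.1" 200 0
198.51.100.4 - - [11/Jan/2020:03:16:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 7710
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        verdict = "LIKELY SUCCESS" if hit["likely_success"] else "blocked/failed"
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]} ({verdict})')
```

Two caveats a responder should keep in mind: the vendor condition also exempts requests made inside an authenticated SSL VPN session, which this offline scanner cannot see, so it only reports the traversal form; and a 403 on a traversal request shows the mitigation was active at that moment, not that the appliance was never exploited before it was applied.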

The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends users and administrators review the Citrix Security Bulletin CTX267027 and apply the necessary updates. CISA also recommends users and administrators:

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Security Updates

US-Cert Current Activity - Thu, 01/23/2020 - 11:45am
Original release date: January 23, 2020

Cisco has released updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:


Increased Emotet Malware Activity

US-Cert Current Activity - Wed, 01/22/2020 - 6:04pm
Original release date: January 22, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a recent increase in targeted Emotet malware attacks. Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation.

CISA recommends users and administrators adhere to the following best practices to defend against Emotet. See CISA’s Alert on Emotet Malware for detailed guidance.

  • Block email attachments commonly associated with malware (e.g., .dll and .exe).
  • Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  • Implement Group Policy Object and firewall rules.
  • Implement an antivirus program and a formalized patch management process.
  • Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
  • Segment and segregate networks and functions.
  • Limit unnecessary lateral communications.
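The first two practices above are easy to state and easy to get wrong at the gateway: a blocked extension can hide inside an archive, and an archive the antivirus cannot open passes through unscanned. The following is an added example, not CISA's code, of an attachment policy check that handles both cases. The blocklist is an assumption to be tuned to local policy; the sample message, its attachments and the "password-protected" zip fixture are constructed inline.

```python
"""Mail-gateway attachment policy check.

Added example, not CISA's code. Implements three of the Emotet practices:
drop attachment types commonly used to deliver malware, drop archives the
antivirus cannot scan (password-protected zips), and look one level into
plain zips so a blocked type cannot ride inside an archive. The blocklist is
an assumption; the sample message is constructed for the demo.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def check_zip(data: bytes) -> list:
    """Reasons to block a zip payload; an empty list means it passed."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["malformed zip cannot be scanned"]
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
            reasons.append(f"encrypted entry {info.filename!r} cannot be scanned")
        elif _ext(info.filename) in BLOCKED_EXTENSIONS:
            reasons.append(f"archive contains blocked type {info.filename!r}")
        elif _ext(info.filename) in ARCHIVE_EXTENSIONS:
            reasons.append(f"nested archive {info.filename!r} cannot be scanned")
    return reasons


def check_message(raw: bytes) -> dict:
    """Map each attachment filename to the reasons it would be blocked."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = _ext(name)
        if ext in BLOCKED_EXTENSIONS:
            verdicts[name] = [f"blocked attachment type {ext}"]
        elif ext in ARCHIVE_EXTENSIONS:
            verdicts[name] = check_zip(part.get_payload(decode=True))
        else:
            verdicts[name] = []
    return verdicts


# --- constructed sample data --------------------------------------------------

def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit in every local and central-directory header.
    Nothing is really encrypted; this only makes the archive look password-
    protected to the scanner (constructed test fixture)."""
    buf = bytearray(zip_bytes)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + offset] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "ap@example.org"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ sample", maintype="application", subtype="octet-stream", filename="update.exe")
    msg.add_attachment(_zip_bytes({"invoice.doc.exe": b"MZ"}), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(_mark_encrypted(_zip_bytes({"notes.txt": b"hello"})), maintype="application", subtype="zip", filename="protected.zip")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in check_message(build_sample_message()).items():
        print(f"{name}: {'BLOCK: ' + '; '.join(reasons) if reasons else 'allow'}")
```

The check deliberately decides on what it can see rather than on what a downstream scanner reports: an encrypted entry is rejected outright instead of being handed to antivirus that would return "clean" for content it never inspected, and a blocked extension is matched on the final suffix so a double extension such as invoice.doc.exe does not pass as a document.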

CISA encourages users and administrators to review the following resources for information about defending against Emotet and other malware.


IC3 Issues Alert on Employment Scams

US-Cert Current Activity - Wed, 01/22/2020 - 10:57am
Original release date: January 22, 2020

The Internet Crime Complaint Center (IC3) has issued an alert warning consumers of fake jobs and hiring scams targeting applicants’ personally identifiable information (PII). Cyber criminals posing as legitimate employers spoof company websites and post fake job openings to lure victims. Cyber criminals will conduct fake interviews and even offer positions to victims before requesting PII such as Social Security numbers and bank account information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the IC3 Alert and CISA’s Tips on Avoiding Social Engineering and Phishing Attacks and Website Security for more information. If you believe you are a victim of cybercrime, file a complaint with IC3 at www.ic3.gov.


Reminder: Safeguard Websites from Cyberattacks

US-Cert Current Activity - Tue, 01/21/2020 - 1:02pm
Original release date: January 21, 2020

Protect personal and organizational public-facing websites from defacement, data breaches, and other types of cyberattacks by following cybersecurity best practices. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CISA’s updated Tip on Website Security and take the necessary steps to protect against website attacks.

For more information, review:


Samba Releases Security Updates

US-Cert Current Activity - Tue, 01/21/2020 - 11:11am
Original release date: January 21, 2020

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit one of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcements for CVE-2019-14902, CVE-2019-14907, and CVE-2019-19344 and apply the necessary updates and workarounds.


AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP

US-Cert Alerts - Mon, 01/20/2020 - 9:54am
Original release date: January 20, 2020
Summary

On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0 to address CVE-2019-19781. Citrix expects to release updates for other vulnerable versions of Citrix ADC, Gateway, and SD-WAN WANOP appliances through January 24, 2020 (see Mitigations for the update schedule).[1]

A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[2] This vulnerability has been detected in exploits in the wild.[3]

The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible once the appropriate firmware update becomes available.

Timeline of Specific Events

  • December 17, 2019 – Citrix releases Security Bulletin CTX267027 with mitigation steps.
  • January 8, 2020 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability,[4] and CISA releases a Current Activity entry.[5]
  • January 10, 2020 – The National Security Agency (NSA) releases a Cybersecurity Advisory on CVE-2019-19781.[6]
  • January 11, 2020 – Citrix releases a blog post on CVE-2019-19781 with a timeline for fixes.[7]
  • January 13, 2020 – CISA releases a Current Activity entry describing its utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[8]
  • January 16, 2020 – Citrix announces that the Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.
  • January 19, 2020 – Citrix releases firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and a blog post on the accelerated schedule for fixes.[9]
  • January 24, 2020 – Citrix expects to release firmware updates for Citrix ADC and Citrix Gateway versions 10.5, 12.1, and 13.0 and Citrix SD-WAN WANOP releases 10.2.6 and 11.0.3.

Technical Details

Impact

On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.

The vulnerability affects the following appliances:

  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15
  • Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13
  • Citrix ADC and NetScaler Gateway version 12.1 – all supported builds
  • Citrix ADC and Citrix Gateway version 13.0 – all supported builds
  • Citrix SD-WAN WANOP firmware and appliance models 4000, 4100, 5000, and 5100 – all supported builds (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer)

Detection Measures

CISA has released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[10] CISA encourages administrators to visit CISA’s GitHub page (https://github.com/cisagov/check-cve-2019-19781) to download and run the tool.

See the National Security Agency’s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.[11]

Mitigations

CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available.

The fixed builds can be downloaded from the Citrix Downloads pages for Citrix ADC (https://www.citrix.com/downloads/citrix-adc/) and Citrix Gateway (https://www.citrix.com/downloads/citrix-gateway/).

Until the appropriate update is available, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781.[12] Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification Tool (https://support.citrix.com/article/CTX269180). Note: these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.[13]

Refer to table 1 for Citrix’s planned fix schedule.[14]

Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781

  Vulnerable Appliance                         Firmware Update                  Release Date
  Citrix ADC and Citrix Gateway version 10.5   Refresh Build 10.5.70.x          January 24, 2020 (Expected)
  Citrix ADC and Citrix Gateway version 11.1   Refresh Build 11.1.63.15         January 19, 2020
  Citrix ADC and Citrix Gateway version 12.0   Refresh Build 12.0.63.13         January 19, 2020
  Citrix ADC and Citrix Gateway version 12.1   Refresh Build 12.1.55.x          January 24, 2020 (Expected)
  Citrix ADC and Citrix Gateway version 13.0   Refresh Build 13.0.47.x          January 24, 2020 (Expected)
  Citrix SD-WAN WANOP Release 10.2.6           Citrix ADC Release 11.1.51.615   January 24, 2020 (Expected)
  Citrix SD-WAN WANOP Release 11.0.3           Citrix ADC Release 11.1.51.615   January 24, 2020 (Expected)

Administrators should review NSA’s Citrix Advisory (https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF) for other mitigations, such as applying the following defense-in-depth strategy:

“Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged.”

References

  • [1] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway: https://support.citrix.com/article/CTX267027
  • [2] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway: https://support.citrix.com/article/CTX267027
  • [3] United Kingdom National Cyber Security Centre (NCSC) Alert: Actors exploiting Citrix products vulnerability: https://www.ncsc.gov.uk/news/citrix-alert
  • [4] CERT/CC Vulnerability Note VU#619785: https://www.kb.cert.org/vuls/id/619785/
  • [5] CISA Current Activity: Citrix Application Delivery Controller and Citrix Gateway Vulnerability: https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway
  • [6] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway: https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF
  • [7] Citrix blog: Citrix provides update on Citrix ADC, Citrix Gateway vulnerability: https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/
  • [8] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability (GitHub: cisagov – check-cve-2019-19781): https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability
  • [9] Citrix Blog: Vulnerability Update: First permanent fixes available, timeline accelerated: https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/
  • [10] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability (GitHub: cisagov – check-cve-2019-19781): https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability
  • [11] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway: https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF
  • [12] Citrix Security Bulletin CTX267679, Mitigation Steps for CVE-2019-19781: https://support.citrix.com/article/CTX267679
  • [13] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway: https://support.citrix.com/article/CTX267027
  • [14] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway: https://support.citrix.com/article/CTX267027

Revisions

  • January 20, 2020: Initial Version


Citrix Adds SD-WAN WANOP, Updated Mitigations to CVE-2019-19781 Advisory

US-Cert Current Activity - Fri, 01/17/2020 - 9:34pm
Original release date: January 17, 2020

Citrix has released an article with updates on CVE-2019-19781, a vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway. This vulnerability also affects Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3. The article includes updated mitigations for Citrix ADC and Citrix Gateway Release 12.1 build 50.28. An attacker could exploit CVE-2019-19781 to take control of an affected system. Citrix plans to begin releasing security updates for affected software starting January 20, 2020.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators:


Microsoft Releases Security Advisory on Internet Explorer Vulnerability

US-Cert Current Activity - Fri, 01/17/2020 - 8:55pm
Original release date: January 17, 2020

Microsoft has released a security advisory to address a critical vulnerability in Internet Explorer. A remote attacker could exploit this vulnerability to take control of an affected system. According to the advisory, “Microsoft is aware of limited targeted attacks.”

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s Advisory ADV200001 for more information, implement workarounds, and apply updates when available. Consider using Microsoft Edge or an alternate browser until patches are made available.


Google Releases Security Updates for Chrome

US-Cert Current Activity - Fri, 01/17/2020 - 10:52am
Original release date: January 17, 2020

Google has released Chrome version 79.0.3945.130 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.


Oracle Releases January 2020 Security Bulletin

US-Cert Current Activity - Tue, 01/14/2020 - 5:01pm
Original release date: January 14, 2020

Oracle has released its Critical Patch Update for January 2020 containing 334 new security patches to address vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Oracle January 2020 Critical Patch Update and apply the necessary updates.


Adobe Releases Security Updates

US-Cert Current Activity - Tue, 01/14/2020 - 4:57pm
Original release date: January 14, 2020

Adobe has released security updates to address vulnerabilities in Illustrator CC and Experience Manager. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletins APSB20-03 and APSB20-01 and apply the necessary updates.


VMware Releases Security Update

US-Cert Current Activity - Tue, 01/14/2020 - 4:53pm
Original release date: January 14, 2020

VMware has released a security update to address a vulnerability in VMware Tools. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0002 and apply the necessary update.


Intel Releases Security Updates

US-Cert Current Activity - Tue, 01/14/2020 - 3:41pm
Original release date: January 14, 2020

Intel has released security updates to address vulnerabilities in multiple products. An authenticated attacker with local access could exploit some of these vulnerabilities to escalate privileges.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:


Microsoft Releases January 2020 Security Updates

US-Cert Current Activity - Tue, 01/14/2020 - 3:32pm
Original release date: January 14, 2020

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s January 2020 Security Update Summary and Deployment Information and apply the necessary updates.


CISA Releases Emergency Directive and Activity Alert on Critical Microsoft Vulnerabilities

US-Cert Current Activity - Tue, 01/14/2020 - 2:08pm
Original release date: January 14, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released an Emergency Directive and Activity Alert addressing critical vulnerabilities affecting Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. A remote attacker could exploit these vulnerabilities to decrypt, modify, or inject data on user connections.

Although Emergency Directive 20-02 applies only to certain Executive Branch departments and agencies, CISA strongly recommends state and local governments, the private sector, and others also patch these critical vulnerabilities as soon as possible. Review the following resources for more information:


AA20-014A: Critical Vulnerabilities in Microsoft Windows Operating Systems

US-Cert Alerts - Tue, 01/14/2020 - 12:46pm
Original release date: January 14, 2020
Summary

New vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:

  • CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. It allows a crafted Elliptic Curve Cryptography (ECC) certificate to pass validation as if it chained to a root in the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
  • Multiple Windows RDP vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer. These vulnerabilities, in the Windows Remote Desktop client and RDP Gateway server, allow remote code execution. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.

The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities. However, because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems.

CISA strongly recommends organizations install these critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets.

Technical Details

CryptoAPI Spoofing Vulnerability – CVE-2020-0601

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates ECC certificates.

According to Microsoft, “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.” Additionally, “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”[1]

A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example:

  • A maliciously crafted certificate could appear to be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would accept it as authentic without issuing a warning. If the certificate impersonates a user’s bank website, their financial information could be exposed.
  • Signed malware can bypass protections (e.g., antivirus) that only run applications with valid signatures. Malicious files, emails, and executables can appear legitimate to unpatched users.

The Microsoft Security Advisory for CVE-2020-0601 addresses this vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
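What "completely validates" means is easier to see in miniature. The block below is an added illustration of the flaw class, not Microsoft's, NSA's or CISA's code and not the Crypt32.dll logic itself: a verifier that matches an issuer certificate to a trusted root by public key alone, and then verifies signatures with the curve parameters the presented certificate carries, can be fooled by a certificate whose explicitly specified generator is the root's own public point, since that point is then 1 times the "generator". The toy curve (y² = x³ + 2x + 2 over GF(17), generator (5, 1) of order 19) is the textbook example used so the arithmetic stays readable; the certificate model, root private key and leaf bytes are constructed assumptions.

```python
"""Toy model of the CVE-2020-0601 flaw class.

Added example, not Microsoft's, NSA's or CISA's code. The curve
y^2 = x^3 + 2x + 2 over GF(17) with generator (5, 1) of prime order 19 is a
textbook toy, here only so the arithmetic is visible; never use it for real.
A "certificate" is modelled as the generator it carries, its public point and
a subject; signatures are ECDSA over a SHA-256 hash reduced mod the order.
"""
import hashlib
from dataclasses import dataclass

P, A, B = 17, 2, 2      # curve y^2 = x^3 + A x + B over GF(P)
NAMED_G = (5, 1)        # generator of the "named curve"
N = 19                  # order of NAMED_G; prime, so every non-identity point has order N


def _inv(x: int, m: int) -> int:
    return pow(x, -1, m)


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1 % P, P) % P
    else:
        lam = (y2 - y1) * _inv((x2 - x1) % P, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def _h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d: int, gen, msg: bytes):
    """ECDSA with a deterministic nonce search: fine for a toy, never for real keys."""
    h = _h(msg)
    for k in range(1, N):
        r = mul(k, gen)[0] % N
        s = _inv(k, N) * (h + r * d) % N
        if r and s:
            return (r, s)
    raise ValueError("no usable nonce")


def verify(pub, gen, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = _inv(s, N)
    pt = add(mul(_h(msg) * w % N, gen), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


@dataclass(frozen=True)
class Cert:
    generator: tuple    # curve parameters the certificate itself carries
    pub: tuple
    subject: str


ROOT_D = 7              # constructed root private key
ROOT = Cert(NAMED_G, mul(ROOT_D, NAMED_G), "Trusted Root CA")
TRUST_STORE = [ROOT]


def forge_issuer():
    """Attacker: choose d' = 1 and generator G' = ROOT.pub, so d'*G' equals the root's public point."""
    return Cert(generator=ROOT.pub, pub=ROOT.pub, subject=ROOT.subject), 1


def vulnerable_is_trusted(issuer: Cert, tbs: bytes, sig) -> bool:
    """Matches the issuer to the store by public point alone, then verifies with
    whatever curve parameters the presented certificate supplies."""
    if not any(issuer.pub == t.pub for t in TRUST_STORE):
        return False
    return verify(issuer.pub, issuer.generator, tbs, sig)


def fixed_is_trusted(issuer: Cert, tbs: bytes, sig) -> bool:
    """Requires the full parameter set to match and verifies with the stored
    root's parameters, never the presented certificate's."""
    for t in TRUST_STORE:
        if issuer.pub == t.pub and issuer.generator == t.generator:
            return verify(t.pub, t.generator, tbs, sig)
    return False


def demo(tbs: bytes = b"CN=bank.example (constructed leaf certificate body)"):
    """(vulnerable verdict on forgery, fixed verdict on forgery, fixed verdict on a real root signature)."""
    fake, d_fake = forge_issuer()
    forged_sig = sign(d_fake, fake.generator, tbs)
    real_sig = sign(ROOT_D, ROOT.generator, tbs)
    return (vulnerable_is_trusted(fake, tbs, forged_sig),
            fixed_is_trusted(fake, tbs, forged_sig),
            fixed_is_trusted(ROOT, tbs, real_sig))


if __name__ == "__main__":
    print(demo())
```

The fix is not "check more fields" for its own sake: the trusted root's parameters must come from the store, and a certificate that presents explicit curve parameters in place of a named curve should be treated as suspect, which is also the signal the detection guidance referenced above keys on.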

Detection Measures

The National Security Agency (NSA) provides detection measures for CVE-2020-0601 in their Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers.[2]

Windows Remote Desktop Server Vulnerabilities – CVE-2020-0609/CVE-2020-0610

According to Microsoft, “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.”[3],[4]

CVE-2020-0609/CVE-2020-0610:

  • Affects all supported Windows Server versions (Server 2012 and newer; support for Server 2008 ends January 14, 2020);
  • Occurs pre-authentication; and
  • Requires no user interaction to perform.

The Microsoft Security Advisories for CVE-2020-0609 and CVE-2020-0610 address these vulnerabilities.

Windows Remote Desktop Client vulnerability – CVE-2020-0611

According to Microsoft, “A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.”[5]

CVE-2020-0611 requires the user to connect to a malicious server via social engineering, DNS poisoning, a man-in-the-middle attack, or by the attacker compromising a legitimate server.

The Microsoft Security Advisory for CVE-2020-0611 addresses this vulnerability.

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information,
  • Disruption to regular operations,
  • Financial losses relating to restoring systems and files, and
  • Potential harm to an organization’s reputation.


Mitigations

CISA strongly recommends organizations read the Microsoft January 2020 Release Notes page for more information and apply critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected IT/OT assets.

General Guidance

  • Review Guide to Enterprise Patch Management Technologies, NIST Special Publication 800-40 Revision 3. Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies, and also briefly discusses metrics for measuring the technologies’ effectiveness.
  • Review CISA Insights publications. Informed by U.S. cyber intelligence and real-world events, each CISA Insight provides background information on particular cyber threats and the vulnerabilities they exploit, as well as a ready-made set of mitigation activities that non-federal partners can implement. Printable materials can be found by visiting: https://www.cisa.gov/publication/cisa-insights-publications.
  • Review CISA’s Cyber Essentials. CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices. Essentials are the starting point to cyber readiness. To download the guide, visit: https://www.cisa.gov/publication/cisa-cyber-essentials.
Revisions
  • January 14, 2020: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

CISA Releases Test for Citrix ADC and Gateway Vulnerability

US-Cert Current Activity - Mon, 01/13/2020 - 2:03pm
Original release date: January 13, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released a utility that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability. According to Citrix Security Bulletin CTX267027, beginning on January 20, 2020, Citrix will be releasing new versions of Citrix ADC and Citrix Gateway that will patch CVE-2019-19781.

CISA strongly advises affected organizations to review CERT/CC’s Vulnerability Note VU#619785 and Citrix Security Bulletin CTX267027 and apply the mitigations until Citrix releases new versions of the software.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability

US-Cert Alerts - Fri, 01/10/2020 - 6:45am
Original release date: January 10, 2020
Summary

Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, can become compromised in an attack. [1]

Although Pulse Secure [2] disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [3] [4] [5]

CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. [6]

Timelines of Specific Events
  • April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
  • May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne.
  • July 31, 2019 – Full RCE exploitation is demonstrated: the leaked admin session hash is used to obtain a complete shell.
  • August 8, 2019 – Meh Chang and Orange Tsai present their research on VPN vulnerabilities across multiple vendors, including Pulse Secure, with a detailed demonstration of active VPN exploitation.
  • August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.
  • October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.
  • October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
  • January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.   
Technical Details

Impact

A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Affected versions:

  • Pulse Connect Secure 9.0R1 - 9.0R3.3
  • Pulse Connect Secure 8.3R1 - 8.3R7
  • Pulse Connect Secure 8.2R1 - 8.2R12
  • Pulse Connect Secure 8.1R1 - 8.1R15
  • Pulse Policy Secure 9.0R1 - 9.0R3.1
  • Pulse Policy Secure 5.4R1 - 5.4R7
  • Pulse Policy Secure 5.3R1 - 5.3R12
  • Pulse Policy Secure 5.2R1 - 5.2R12
  • Pulse Policy Secure 5.1R1 - 5.1R15
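Because the affected builds are given as inclusive version ranges rather than a single cut-off, a simple string comparison (`"9.0R3.3" < "9.0R3.4"`) is not reliable for triage. The following is an added example, not part of the CISA alert or Pulse Secure's own tooling: it parses Pulse-style version strings (`major.minorRrelease[.patch]`), encodes the ranges listed above, and flags inventory entries that fall inside them. The inventory is a constructed sample; the function and product names are this example's own.

```python
import re

# Affected ranges exactly as listed in the alert (bounds are inclusive).
AFFECTED_RANGES = {
    "Pulse Connect Secure": [
        ("9.0R1", "9.0R3.3"),
        ("8.3R1", "8.3R7"),
        ("8.2R1", "8.2R12"),
        ("8.1R1", "8.1R15"),
    ],
    "Pulse Policy Secure": [
        ("9.0R1", "9.0R3.1"),
        ("5.4R1", "5.4R7"),
        ("5.3R1", "5.3R12"),
        ("5.2R1", "5.2R12"),
        ("5.1R1", "5.1R15"),
    ],
}

# major.minor R release [.patch], e.g. "9.0R3.3" or "8.3R7"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version):
    """Convert a Pulse version string into a comparable tuple
    (major, minor, release, patch). A missing patch component is 0,
    so "8.3R7" sorts before "8.3R7.1"."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product, version):
    """True if product/version lies inside one of the listed ranges.
    An unknown product raises rather than quietly reporting 'not affected'."""
    if product not in AFFECTED_RANGES:
        raise KeyError(f"no range data for product {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES[product])


def triage(inventory):
    """Return [(host, product, version, affected), ...] for an inventory of
    (host, product, version) tuples, with affected hosts listed first."""
    rows = [(h, p, ver, is_affected(p, ver)) for h, p, ver in inventory]
    return sorted(rows, key=lambda r: not r[3])


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("vpn-east.example.test", "Pulse Connect Secure", "9.0R3.3"),
    ("vpn-west.example.test", "Pulse Connect Secure", "9.0R3.4"),
    ("nac-01.example.test", "Pulse Policy Secure", "5.4R7"),
    ("vpn-lab.example.test", "Pulse Connect Secure", "8.3R7.1"),
]

if __name__ == "__main__":
    for host, product, version, affected in triage(SAMPLE_INVENTORY):
        print(f"{'AFFECTED' if affected else 'ok      '} {host} {product} {version}")
```

Two caveats when using this for real triage: the function only knows the ranges printed in the alert, so a build older than the lowest listed release is reported as not affected even though it is simply out of support rather than safe; and the version string must come from the appliance itself (or a trusted inventory), not from a banner that an attacker who has already compromised the device could alter.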
Mitigations

This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.

CISA strongly urges users and administrators to upgrade to the corresponding fixes. [7]

Revisions
  • January 10, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Juniper Networks Releases Security Updates

US-Cert Current Activity - Thu, 01/09/2020 - 10:56am
Original release date: January 9, 2020

Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Security Advisories webpage and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed
