Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Massive Patchday
Whether you know it as 'Patch Tuesday' (in the Western Hemisphere) or 'Patch Wednesday' (for those in the Eastern Hemisphere, closer to the Date Line), today was a massive day for patch releases, with Microsoft, the Mozilla Firefox project, Citrix and Adobe all releasing security updates. Enterprise security teams will doubtless be busy testing patches before rolling them out; individual users, crying "Full speed ahead and damn the torpedoes!", will be running Windows Update and checking for updates on other products before rebooting.
| Vendor | Product | Update Reference |
|---|---|---|
| Microsoft | Windows 10 versions 20H2, 21H1, 21H2, 22H2 | KB5022834 |
| Microsoft | | KB5011836 |
| Microsoft | Windows 11 version 22H2 | KB5022845 |
| Mozilla | Firefox 110 | Security Advisory 2023-05 |
| Mozilla | Firefox ESR 102.8 | Security Advisory 2023-06 |
| Citrix | Citrix Workspace app for Linux | Security Bulletin for CVE-2023-24486 |
| Citrix | Citrix Workspace app for Windows | Security Bulletin for CVE-2023-24484 & CVE-2023-24485 |
| Citrix | Citrix Virtual Apps and Desktops | Security Bulletin for CVE-2023-24483 |
| Adobe | After Effects | APSB23-02 |
| Adobe | Connect | APSB23-05 |
| Adobe | FrameMaker | APSB23-06 |
| Adobe | Bridge | APSB23-09 |
| Adobe | Photoshop | APSB23-11 |
| Adobe | InDesign | APSB23-12 |
| Adobe | Premiere Rush | APSB23-14 |
| Adobe | Animate | APSB23-15 |
| Adobe | Substance 3D Stager | APSB23-16 |
You know what to do...
CISA Adds Four Known Exploited Vulnerabilities
Meanwhile the Cybersecurity & Infrastructure Security Agency has added four new vulnerabilities to its catalogue of known exploited vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
The additions are:
- CVE-2023-21715, a MS Office security feature bypass vulnerability which allows an attacker to trick an authenticated user into letting an Office macro run from an untrusted file
- CVE-2023-22376, a vulnerability in the Windows Common Log File System Driver which allows privilege escalation attacks
- CVE-2023-23529, a type confusion vulnerability in Apple WebKit (present in multiple products) which may allow remote code execution
- CVE-2023-21823, a privilege escalation vulnerability in Microsoft Windows Graphic Component
Check with the relevant vendors for patches.
CISA, CISA Adds Four Known Exploited Vulnerabilities to Catalog, alert, 14 February 2023. Available online at https://www.cisa.gov/uscert/ncas/current-activity/2023/02/14/cisa-adds-four-known-exploited-vulnerabilities-catalog.
Another ICS Security Wakeup Call
A new report from Forescout's Vedere Labs research group provides yet another example of the lagging state of security for Industrial Control Systems (ICS), also referred to as Operational Technology (OT). These systems, which are used in industries ranging from manufacturing and mining to power generation and wastewater treatment, have traditionally been based on unintelligent devices connected via specialized and obscure protocols. However, those unintelligent devices are now based on embedded systems processors which run off-the-shelf operating systems and understand TCP/IP protocols so that they can connect to business systems. Programmable Logic Controllers (PLCs) are a good example: when introduced back in 1968 these were based on simple dedicated logic, but today they use industry-standard processors and embedded operating systems such as Android and Linux.
ICS networks are often segmented into 'zones' linked by 'conduits', which are firewall-like controls that understand ICS/SCADA protocols and which form a security perimeter for each zone. PLCs are often used for this purpose, and because ICS security research has focused on compromising such devices and controlling the connected actuators, researchers have not fully considered post-exploitation techniques such as lateral pivoting between zones. That is what Vedere Labs set out to investigate.
The report presents:
- Two new vulnerabilities in Schneider Electric Modicon PLCs, which allow remote code execution and authentication bypass
- An overview of lateral movement techniques using control devices
- A realistic attack scenario which could physically damage a movable bridge
- In-depth discussion and demonstration of a remote code execution and lateral movement proof-of-concept using the exploits above
- Conclusions and suggested mitigation techniques
The 41-page report is dense, but makes interesting reading, especially for those with some engineering background. Readers in critical infrastructure enterprises should take note.
Wetzels, Jos, Deep Lateral Movement in OT Networks: When Is a Perimeter Not a Perimeter?, technical report, 13 February 2023. Available online at https://www.forescout.com/resources/l1-lateral-movement-report/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.