Malware Devil

Wednesday, January 6, 2021

Friction Affliction: How to Balance Security With User Experience

There’s a fine line between protecting against suspicious, malicious, or unwanted activity and making users jump through hoops to prove themselves.

As “defenders,” security professionals are laser-focused on protecting our organizations from the ongoing risks and threats they constantly face.

But sometimes this comes at the expense of something incredibly important: user experience. Why is this so important? For one, when confronted with untenable restrictions and difficult processes, people tend to find ways to work around that friction – which worsens the organization’s security posture.

Increased friction also results in user frustration and the tendency to give up more quickly. For an online business, for example, this might result in fewer purchases, lowering its revenue and profit.

While we never want to compromise the security posture of the organizations we defend, we can often improve usability – i.e., reduce user friction – without increasing risk. Here are a few suggestions.

Recognize Known Good Users
It’s no secret that passwords do not, in and of themselves, provide an adequate level of security. Enter multifactor authentication (MFA), which requires users to prove who they are through several authentication steps. MFA is sometimes mandated by regulation or policy, and it is also used to strengthen account security at login and at other sensitive moments.

If, on the other hand, we recognize a user, why should we trouble them to prove who they are? Reliably recognizing known good users makes it easier to recognize unknown or malicious users. This helps us focus on what we’re supposed to be focused on when it comes to authentication, rather than rigid, draconian rules and policies that merely inconvenience legitimate, paying customers.

Recognize the Clues Legitimate Users Leave Behind
One way we can recognize known legitimate users is by paying attention to the clues they give us and leveraging technologies, such as fraud prevention and adaptive authentication tech, that allow us to act on those clues. We can bucket these clues into three main categories: the data associated with a device, the data associated with the user’s environment, and the data associated with how that person behaves and interacts with our site.

As we begin to collect and analyze data from a large number of users coming from a variety of devices and environments with differing behavioral profiles, we begin to learn a lot about expected patterns of behavior and departures from those patterns. When a user is behaving as we would expect a legitimate user to, we can dial back on challenging them, thus providing them a smoother online experience.

Recognize the Clues Cyberattackers and Fraudsters Leave Behind
Just as legitimate users leave clues, so do cybercriminals. If we’ve done a good job learning how legitimate users usually behave, we can leverage that knowledge to understand how attackers and fraudsters typically behave. This helps us block and/or challenge their sessions and transactions, ultimately saving money by reducing the organization’s loss to fraud. In other words, whereas we want to reduce friction for legitimate users, we want to drastically increase friction for attackers and fraudsters – we don’t want to let them operate within our applications.
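Putting the three clue categories (device, environment, behaviour) and the "less friction for known-good users, much more for fraudsters" rule into one decision routine, as an added example that is not code from the article or from F5; the signal weights, thresholds and sample users are assumptions:

```python
"""Adaptive authentication decision built from the three clue categories the
article names: device, environment and behaviour. Added example; not code
from the article or from F5. Weights and thresholds are assumptions."""
from dataclasses import dataclass, field

# Outcomes: known-good users get no extra friction, uncertain sessions get an
# MFA step-up, clearly hostile sessions are blocked outright.
ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"
CHALLENGE_THRESHOLD = 30  # assumed: score at or above this -> MFA challenge
BLOCK_THRESHOLD = 70      # assumed: score at or above this -> block


@dataclass
class UserProfile:
    """What has been learned about one legitimate user's usual patterns."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_login_hours: range = range(6, 23)   # local hours seen before
    typical_velocity: float = 1.0             # baseline actions per second


@dataclass
class LoginAttempt:
    """The clues one session leaves behind (constructed sample inputs)."""
    device_id: str
    country: str
    local_hour: int
    actions_per_second: float
    ip_reputation_bad: bool = False
    tor_or_anonymizer: bool = False


def score_device(attempt, profile):
    """Device clue: a device never seen on this account warrants a step-up."""
    return 0 if attempt.device_id in profile.known_devices else 30


def score_environment(attempt, profile):
    """Environment clues: geography and network reputation."""
    score = 0
    if attempt.country not in profile.usual_countries:
        score += 20
    if attempt.tor_or_anonymizer:
        score += 30
    if attempt.ip_reputation_bad:
        score += 40
    return score


def score_behavior(attempt, profile):
    """Behaviour clues: time of day and interaction speed vs. the baseline."""
    score = 0
    if attempt.local_hour not in profile.usual_login_hours:
        score += 10
    # Machine-speed interaction (5x this user's baseline) is a fraud marker.
    if attempt.actions_per_second > 5 * profile.typical_velocity:
        score += 35
    return score


def risk_score(attempt, profile):
    return (score_device(attempt, profile)
            + score_environment(attempt, profile)
            + score_behavior(attempt, profile))


def decide(attempt, profile):
    """Return (outcome, score): dial friction up or down from the clues."""
    score = risk_score(attempt, profile)
    if score >= BLOCK_THRESHOLD:
        return BLOCK, score
    if score >= CHALLENGE_THRESHOLD:
        return CHALLENGE, score
    return ALLOW, score


def learn(profile, attempt):
    """After a session passes MFA, fold its device and country into the
    profile so the same user is recognised, and not challenged, next time."""
    profile.known_devices.add(attempt.device_id)
    profile.usual_countries.add(attempt.country)
    return profile


if __name__ == "__main__":
    # Constructed sample: one user with a single known device in one country.
    profile = UserProfile(known_devices={"dev-A"}, usual_countries={"US"})
    samples = {
        "known device, usual place": LoginAttempt("dev-A", "US", 10, 0.5),
        "new device": LoginAttempt("dev-B", "US", 10, 0.5),
        "travelling at night": LoginAttempt("dev-A", "BR", 3, 0.5),
        "hostile": LoginAttempt("dev-B", "BR", 3, 9.0, True, True),
    }
    for label, attempt in samples.items():
        print(f"{label:28s} -> {decide(attempt, profile)}")
```

A travelling user on a known device gets a single MFA step-up rather than a block, while a session combining an unknown device, anonymizer, bad IP reputation and machine-speed interaction is refused outright.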

Security teams often get an unfair rap as the “department of no.” But part of managing risk often means turning down or modifying proposals that introduce too much of it into the organization. Implementing a safe and effective means to reduce friction without adversely affecting security and increasing risk is the key to increasing customer satisfaction, the organization’s bottom line, and confidence in the security team.

Josh (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, …




https://malwaredevil.com/2021/01/06/friction-affliction-how-to-balance-security-with-user-experience/?utm_source=rss&utm_medium=rss&utm_campaign=friction-affliction-how-to-balance-security-with-user-experience

The State of Data Security – Chris Brown – ESW #212

A casual and candid conversation on database security, talking through current data trends, including the transition to the cloud and what it means for the database security practitioner: the pitfalls, and the tools that can help simplify and maximize the security professional’s transition to a fully monitored data environment covering cloud, hybrid cloud and traditional on-premises deployments.

This segment is sponsored by Imperva.

Visit https://securityweekly.com/imperva to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw212




https://malwaredevil.com/2021/01/06/the-state-of-data-security-chris-brown-esw-212/?utm_source=rss&utm_medium=rss&utm_campaign=the-state-of-data-security-chris-brown-esw-212

Veracode in AWS Marketplace, ZScaler SUNBURST Assessment, & SolarWinds Fallout – ESW #212

This week, Tyler Shields joins us for his first episode as co-host, and John Strand returns! In the Enterprise News: two data security companies merge, Veracode’s products are now available in the AWS Marketplace, Zscaler launches a program for organizations dealing with the SolarWinds attack, SolarWinds is being sued in a class action lawsuit, and funding announcements from Weaveworks, iBoss and Venafi!

Timestamps:

5:18 – Announcing Veracode in AWS Marketplace
5:45 – Weaveworks Raises $36 Million in Series C Funding
15:17 – SolarWinds sued in class action lawsuit over Orion software hack
19:45 – Zscaler Launches Security Assessment Program for Organizations Navigating SolarWinds Cyberattack

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw212




https://malwaredevil.com/2021/01/06/veracode-in-aws-marketplace-zscaler-sunburst-assessment-solarwinds-fallout-esw-212/?utm_source=rss&utm_medium=rss&utm_campaign=veracode-in-aws-marketplace-zscaler-sunburst-assessment-solarwinds-fallout-esw-212

Customer Story | Oregon Youth Corrections Education Program Enables Connected Classrooms in Google for Education

Oregon Youth Corrections Education Program Partners With ManagedMethods To Provide Safe & Secure Education Continuity To Troubled Students

Eden Nelson is a Lead Systems Administrator and Developer for the Cascade Technology Alliance. The Alliance is a consortium of education technology departments that serves over 50 school districts, private and charter schools, and public and non-profit […]




https://malwaredevil.com/2021/01/06/customer-story-oregon-youth-corrections-education-program-enables-connected-classrooms-in-google-for-education/?utm_source=rss&utm_medium=rss&utm_campaign=customer-story-oregon-youth-corrections-education-program-enables-connected-classrooms-in-google-for-education

Behind-the-Scenes of Virtual Banking

In today’s digital world, we no longer have to go to a branch office or an ATM to do the majority of our banking. For the most part, consumers can manage all bank transactions from the comfort of their home on mobile devices, especially during the COVID-19 pandemic. However, virtual banking has the potential to be so much more than just cashing checks. Many organizations around the world offer financially empowering services such as budgeting and saving plans to meet specific goals for their customers, like buying a house or car. However, there is quite a bit of work that goes on behind the scenes that dictates the success of such ventures, particularly from an identity standpoint.

Virtual Banking Industry Growth

The global digital banking platform market is on track to reach $9 billion by 2026. The concept of the virtual bank is largely credited with beginning in Hong Kong, rapidly expanding to the rest of Asia and then the rest of the world. Every institution, from established global banks like HSBC to start-ups like Mox, is getting into the game, and rightfully so. Virtual banking is quickly growing globally due to the profitability of the business model: no infrastructure is needed to build or maintain branch offices, as every service and transaction is conducted via devices like phones and tablets.

This model has indeed been quite profitable for many organizations around the globe, such as PT Bank Tabungan Pensiunan Nasional Tbk (BTPN), one of Indonesia’s largest banks. BTPN was tasked with the challenge of reaching a population of over 250 million scattered over 17,000 islands. Virtually, of course. Creating branch offices on various islands was not financially feasible, so the organization virtually launched its Jenius application to serve its disparate consumer base. The bank reached two million subscribers much faster than it had anticipated, and as a result BTPN has become much more profitable. Its flexible new system also allows BTPN to introduce new services such as its recently released Wow application, which caters to small business owners.

Identity is Key in Digital Banking Experience

Among the challenges of the shift to virtual banking is the need for a technology solution that allows secure, quick onboarding of new customers and businesses while delivering an exceptional digital experience throughout the customer lifecycle. Because of this, digital identity plays a critical role in the success of virtual banking. Banks need to understand who their users are, which devices they are using and what their preferences are in order to offer consumer-friendly, personalized services. All of this needs to be accomplished in a secure and frictionless manner, minimizing the number of clicks and logins, while also connecting to downstream apps and services like credit cards and loan offerings.

The Future of Digital Banking

Mobile technology has opened the door for innovation in banking and personal finance management. For example, with AI-enabled apps, banks can offer consumer analytics, reminders and personalized advice. It is important to understand, though, that none of this would be possible without the backend identity management solutions that support these mobile banking apps and services. With passwordless authentication advancements such as biometric authentication, consumers can now access their banking information from anywhere with just the tap of a finger, while multifactor authentication (MFA) remains a key element for logging into important financial apps and accounts. Looking ahead, brick-and-mortar banks are not going away anytime soon, but it’s clear that banks must adapt to consumer expectations quickly to keep from being outpaced in our rapidly digitizing world.




https://malwaredevil.com/2021/01/06/behind-the-scenes-of-virtual-banking/?utm_source=rss&utm_medium=rss&utm_campaign=behind-the-scenes-of-virtual-banking

ESB-2020.3260.2 – UPDATE [Win][UNIX/Linux][Appliance] F5 products: Execute arbitrary code/commands – Remote with user interaction


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3260.2
                     SCP vulnerability CVE-2020-15778
                              6 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP
                   BIG-IQ Centralized Management
                   Traffix SDC
Publisher:         F5 Networks
Operating System:  Network Appliance
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15778  

Original Bulletin: 
   https://support.f5.com/csp/article/K04305530

Comment: This advisory references vulnerabilities in products which run on
         platforms other than F5 Networks. It is recommended that
         administrators running OpenSSH check for an updated version of the
         software for their operating system.

Revision History:  January    6 2021: Additional vulnerable versions added by vendor 
                   September 24 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K04305530: SCP vulnerability CVE-2020-15778

Original Publication Date: 24 Sep, 2020
Latest   Publication Date: 06 Jan, 2021

Security Advisory Description

scp in OpenSSH through 8.3p1 allows command injection in scp.c remote function,
as demonstrated by backtick characters in the destination argument. NOTE: the
vendor reportedly has stated that they intentionally omit validation of
"anomalous argument transfers" because that could "stand a great chance of
breaking existing workflows." (CVE-2020-15778)

Impact

This flaw is found in the SCP program shipped with the openssh-clients package.
An attacker having the ability to SCP files to a remote server could run
arbitrary commands on the remote server by including a command as a part of the
filename being copied on the server. This command runs with the user
permissions used to copy the files on the remote server. The most serious
threats from this vulnerability are to data confidentiality and integrity, as
well as to system availability.

Security Advisory Status

F5 Product Development has assigned ID 937433 (BIG-IP), ID 937037 (BIG-IQ)
and CPF-25210 (Traffix) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+---------------------+------+----------+----------+--------+------+----------+
|                     |      |Versions  |Fixes     |        |CVSSv3|Vulnerable|
|Product              |Branch|known to  |introduced|Severity|score^|component |
|                     |      |be        |in        |        |1     |or feature|
|                     |      |vulnerable|          |        |      |          |
+---------------------+------+----------+----------+--------+------+----------+
|                     |16.x  |16.0.0 -  |None      |        |      |          |
|                     |      |16.0.1    |          |        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |15.x  |15.1.0 -  |None      |        |      |          |
|                     |      |15.1.2    |          |        |      |          |
|BIG-IP (LTM, AAM,    +------+----------+----------+        |      |          |
|Advanced WAF, AFM,   |14.x  |14.1.0 -  |None      |        |      |SCP (a    |
|Analytics, APM, ASM, |      |14.1.3    |          |        |      |component |
|DDHD, DNS, FPS, GTM, +------+----------+----------+High    |7.8   |of        |
|Link Controller, PEM,|13.x  |13.1.0 -  |None      |        |      |OpenSSH)  |
|SSLO)                |      |13.1.3    |          |        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |12.x  |12.1.0 -  |None      |        |      |          |
|                     |      |12.1.5    |          |        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |11.x  |11.6.1 -  |None      |        |      |          |
|                     |      |11.6.5    |          |        |      |          |
+---------------------+------+----------+----------+--------+------+----------+
|                     |7.x   |7.0.0 -   |None      |        |      |          |
|                     |      |7.1.0     |          |        |      |SCP (a    |
|BIG-IQ Centralized   +------+----------+----------+        |      |component |
|Management           |6.x   |6.0.0 -   |None      |High    |7.8   |of        |
|                     |      |6.1.0     |          |        |      |OpenSSH)  |
|                     +------+----------+----------+        |      |          |
|                     |5.x   |5.4.0     |None      |        |      |          |
+---------------------+------+----------+----------+--------+------+----------+
|                     |      |          |          |        |      |SCP (a    |
|Traffix SDC          |5.x   |5.1.0     |None      |High    |7.8   |component |
|                     |      |          |          |        |      |of        |
|                     |      |          |          |        |      |OpenSSH)  |
+---------------------+------+----------+----------+--------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can restrict SCP access to the BIG-IP
Configuration utility (Traffic Management User Interface/TMUI) to only trusted
administrators through local or network firewalls and block SCP access by
changing the Port Lockdown setting to Allow None for each self IP in the
system. If you must open any ports, you should use the Allow Custom option,
taking care to disallow SSH access. For more information, refer to the
following articles:

  o K13092: Overview of securing access to the BIG-IP system
  o K13309: Restricting access to the Configuration utility by source IP
    address (11.x - 16.x)
  o K17333: Overview of port lockdown behavior (12.x - 16.x)
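The Impact section above describes the injection point: scp passes the remote path to a shell on the remote host, so metacharacters such as backticks in that argument are interpreted there. Any application that builds scp invocations from untrusted input must therefore refuse such paths before scp runs. The following added example (not code from F5, AusCERT or OpenSSH; host, user and path values are constructed) shows that validation; it complements the advisory's Port Lockdown and firewall guidance rather than replacing it:

```python
"""Input validation for remote scp paths, the injection point described for
CVE-2020-15778. Added example; not code from F5, AusCERT or OpenSSH.
Allow-lists, sample hosts and sample paths are assumptions."""
import re
import subprocess

# Allow-list: characters a legitimate remote file name needs, and none of
# the characters a POSIX shell treats specially (` $ ; | & < > ( ) " ' etc.).
_SAFE_PATH = re.compile(r"^[A-Za-z0-9._~/+-]+$")
_SAFE_USER = re.compile(r"^[A-Za-z0-9._-]+$")
_SAFE_HOST = re.compile(r"^[A-Za-z0-9.-]+$")


def unsafe_remote_path(path: str):
    """Return the reason a remote path is rejected, or None if acceptable."""
    if not path:
        return "empty path"
    if path.startswith("-"):
        return "leading '-' could be parsed as an scp option"
    if not _SAFE_PATH.fullmatch(path):
        # Report the first character outside the allow-list for logging.
        bad = next(ch for ch in path if not _SAFE_PATH.fullmatch(ch))
        return f"disallowed character {bad!r} at offset {path.index(bad)}"
    return None


def build_scp_argv(local_file, user, host, remote_path):
    """Build an argv list for copying local_file to user@host:remote_path.

    Raises ValueError instead of letting a dangerous argument reach scp.
    The list form means no shell is involved on the local side either."""
    reason = unsafe_remote_path(remote_path)
    if reason:
        raise ValueError(f"rejected remote path: {reason}")
    if not _SAFE_USER.fullmatch(user) or not _SAFE_HOST.fullmatch(host):
        raise ValueError("rejected user or host specification")
    if local_file.startswith("-"):
        raise ValueError("local file name could be parsed as an option")
    return ["scp", local_file, f"{user}@{host}:{remote_path}"]


def copy_to_remote(local_file, user, host, remote_path):
    """Validate, then run scp; returns the CompletedProcess."""
    argv = build_scp_argv(local_file, user, host, remote_path)
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Constructed sample inputs; nothing here contacts a real host.
    for candidate in ["/var/tmp/reports/2021-01-06.txt", "~/uploads/r.bin",
                      "data`x`.bin", "a b", "-rf", ""]:
        print(f"{candidate!r:40s} -> {unsafe_remote_path(candidate)}")
    print(build_scp_argv("/tmp/report.txt", "deploy",
                         "bigip.example.internal", "/var/tmp/report.txt"))
```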

Supplemental Information

  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix and point release matrix
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================



https://malwaredevil.com/2021/01/06/esb-2020-3260-2-update-winunix-linuxappliance-f5-products-execute-arbitrary-code-commands-remote-with-user-interaction/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3260-2-update-winunix-linuxappliance-f5-products-execute-arbitrary-code-commands-remote-with-user-interaction

ESB-2021.0041 – [Ubuntu] p11-kit: Multiple vulnerabilities


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0041
                    USN-4677-1: p11-kit vulnerabilities
                              6 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           p11-kit
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-29363 CVE-2020-29362 CVE-2020-29361

Reference:         ESB-2021.0032
                   ESB-2021.0015

Original Bulletin: 
   https://ubuntu.com/security/notices/USN-4677-1

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4677-1: p11-kit vulnerabilities
05 January 2021

Several security issues were fixed in p11-kit.
Releases

  o Ubuntu 20.10
  o Ubuntu 20.04 LTS
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS

Packages

  o p11-kit - p11-glue utilities

Details

David Cook discovered that p11-kit incorrectly handled certain memory
operations. An attacker could use this issue to cause p11-kit to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 20.10

  o libp11-kit0 - 0.23.21-2ubuntu0.1
  o p11-kit - 0.23.21-2ubuntu0.1
  o p11-kit-modules - 0.23.21-2ubuntu0.1

Ubuntu 20.04

  o libp11-kit0 - 0.23.20-1ubuntu0.1
  o p11-kit - 0.23.20-1ubuntu0.1
  o p11-kit-modules - 0.23.20-1ubuntu0.1

Ubuntu 18.04

  o libp11-kit0 - 0.23.9-2ubuntu0.1
  o p11-kit - 0.23.9-2ubuntu0.1
  o p11-kit-modules - 0.23.9-2ubuntu0.1

Ubuntu 16.04

  o libp11-kit0 - 0.23.2-5~ubuntu16.04.2
  o p11-kit - 0.23.2-5~ubuntu16.04.2
  o p11-kit-modules - 0.23.2-5~ubuntu16.04.2

In general, a standard system update will make all the necessary changes.

References

  o CVE-2020-29362
  o CVE-2020-29363
  o CVE-2020-29361

- --------------------------END INCLUDED TEXT--------------------




https://malwaredevil.com/2021/01/06/esb-2021-0041-ubuntu-p11-kit-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-0041-ubuntu-p11-kit-multiple-vulnerabilities

ESB-2020.3515.2 – UPDATE [Win][UNIX/Linux][Appliance] BIG-IP: Multiple vulnerabilities


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3515.2
                OpenSSH client vulnerability CVE-2020-14145
                              6 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP
Publisher:         F5 Networks
Operating System:  Network Appliance
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Read-only Data Access          -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2020-14145  

Original Bulletin: 
   https://support.f5.com/csp/article/K48050136

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than F5 Networks. It is recommended that 
         administrators running BIG-IP check for an updated version of the 
         software for their operating system.

Revision History:  January  6 2021: Additional vulnerable versions added by vendor
                   October 14 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K48050136: OpenSSH client vulnerability CVE-2020-14145

Original Publication Date: 14 Oct, 2020
Latest   Publication Date: 06 Jan, 2021

Security Advisory Description

The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy
leading to an information leak in the algorithm negotiation. This allows
man-in-the-middle attackers to target initial connection attempts (where no
host key for the server has been cached by the client). (CVE-2020-14145)

Impact

SSH sessions may be vulnerable to a man-in-the-middle attack.

Security Advisory Status

F5 Product Development has assigned ID 950605 (BIG-IP)  to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |16.x  |16.0.0 -  |None      |          |      |          |
|                   |      |16.0.1    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |15.x  |15.1.0 -  |None      |          |      |          |
|                   |      |15.1.2    |          |          |      |          |
|BIG-IP (LTM, AAM,  +------+----------+----------+          |      |          |
|Advanced WAF, AFM, |14.x  |14.1.0 -  |None      |          |      |          |
|Analytics, APM,    |      |14.1.3    |          |          |      |OpenSSH   |
|ASM, DDHD, DNS,    +------+----------+----------+Medium    |5.3   |Client    |
|FPS, GTM, Link     |13.x  |13.1.0 -  |None      |          |      |          |
|Controller, PEM,   |      |13.1.3    |          |          |      |          |
|SSLO)              +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

Connect only to SSH servers with known and trusted host keys.
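The following shell snippet is an added illustration of that mitigation, not code from the F5 advisory or the AusCERT bulletin: it places the trust-on-first-use client setting beside the hardened one and, against constructed ssh_config and known_hosts files, classifies whether a connection to a given host would fall into the first-connection case the CVE describes. All hostnames, key data and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the F5 advisory or the AusCERT bulletin.
# CVE-2020-14145 only matters on a first connection, when the client has no
# cached host key and is willing to accept whatever key the peer presents.
# The functions below classify that exposure from an ssh_config and a
# known_hosts file; all file contents, hostnames and key data are constructed
# placeholders.

# Constructed known_hosts with plain (unhashed) hostnames only.
SAMPLE_KNOWN_HOSTS=$(mktemp)
cat > "$SAMPLE_KNOWN_HOSTS" <<'EOF'
# comment lines and blank lines are ignored
bigip-mgmt.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_KEY_DATA
10.0.0.5,jump.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER_KEY_DATA
EOF

# Weak client setting: trust-on-first-use, so an unknown key (from the real
# server or from a man-in-the-middle) is silently added to known_hosts.
WEAK_CONFIG=$(mktemp)
cat > "$WEAK_CONFIG" <<'EOF'
Host *
    StrictHostKeyChecking accept-new
EOF

# Hardened client setting: refuse the connection unless the host key is
# already present in known_hosts (distribute host keys out of band instead).
HARDENED_CONFIG=$(mktemp)
cat > "$HARDENED_CONFIG" <<'EOF'
Host *
    StrictHostKeyChecking yes
EOF

# host_key_cached KNOWN_HOSTS HOST: exit 0 if HOST has an unhashed entry.
# Hashed (|1|...) entries would need `ssh-keygen -F HOST`; not handled here.
host_key_cached() {
    awk -v host="$2" '
        /^[#@]/ || NF < 3 { next }              # comments, markers, blanks
        {
            n = split($1, names, ",")           # "host1,host2 keytype key"
            for (i = 1; i <= n; i++)
                if (names[i] == host) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# strict_host_key_checking CONFIG: print the first StrictHostKeyChecking value
# (ssh honours the first matching directive it reads), lowercased.
strict_host_key_checking() {
    awk 'tolower($1) == "stricthostkeychecking" { print tolower($2); exit }' "$1"
}

# first_contact_risk CONFIG KNOWN_HOSTS HOST: prints one of
#   cached  - key already pinned; the negotiation leak gives a MITM nothing
#   refused - unknown key and StrictHostKeyChecking=yes; the client aborts
#   tofu    - unknown key would be accepted: the window the advisory warns about
first_contact_risk() {
    if host_key_cached "$2" "$3"; then
        echo cached
    elif [ "$(strict_host_key_checking "$1")" = "yes" ]; then
        echo refused
    else
        echo tofu
    fi
}

# Usage: a host with no cached key under the hardened config is refused.
first_contact_risk "$HARDENED_CONFIG" "$SAMPLE_KNOWN_HOSTS" new-box.example.internal
```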

Supplemental Information

  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix and point release matrix
  o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
    systems (11.4.x and later)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

The post ESB-2020.3515.2 – UPDATE [Win][UNIX/Linux][Appliance] BIG-IP: Multiple vulnerabilities appeared first on Malware Devil.

ESB-2021.0047 – [Appliance] GE Reason RT43X Clocks: Multiple vulnerabilities

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0047
             Advisory (icsa-21-005-03) GE Reason RT43X Clocks
                              6 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GE Reason RT43X Clocks
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25197 CVE-2020-25193 

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-21-005-03

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-21-005-03)

GE Reason RT43X Clocks

Original release date: January 05, 2021

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: GE
  o Equipment: Reason RT43X Clocks
  o Vulnerabilities: Code Injection, Use of Hard-coded Cryptographic Key

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated
remote attacker to execute arbitrary code on the system or intercept and
decrypt encrypted traffic.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

GE reports the vulnerabilities affect the following GNSS clocks:

  o RT430, RT431 & RT434: All firmware versions prior to Version 08A06

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE (CODE INJECTION) CWE-94

A code injection vulnerability exists in one of the webpages that could allow
an authenticated remote attacker to execute arbitrary code on the system.

CVE-2020-25197 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

By having access to the hard-coded cryptographic key, attackers would be able
to intercept and decrypt encrypted traffic through an HTTPS connection.

CVE-2020-25193 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing,
    Energy, Healthcare and Public Health, Transportation Systems, Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Tom Westenberg of Thales UK reported these vulnerabilities to GE.

4. MITIGATIONS

GE strongly recommends users of Reason RT43X products update their units to
firmware Version 08A06 or greater to resolve these issues. The firmware update
addresses both vulnerabilities as described in the Reason RT43X 08A06 Release
Notes.

GE recommends users evaluate their current risk and implement appropriate
network security mitigations. The following mitigation actions do not ensure
complete security but should be considered until the affected time
synchronization product is upgraded:

  o Use strong network and physical security protection to prevent an attacker
    from reaching the local network where Reason RT43X clocks are normally
    installed.
  o Block TCP ports 80 and 443 to prevent HTTP/HTTPS access to the web
    interface of Reason RT43X products, which mitigates both vulnerabilities.
    This port blocking should be limited to the Ethernet interface to which the
    Reason RT43X clock is connected (e.g., using an Access Control List (ACL));
    otherwise, other HTTP/HTTPS applications may be affected.
  o Minimize network exposure for all control system devices and/or systems and
    ensure they are not accessible from the Internet.
  o Analyze security events to detect unexpected traffic or communication
    early.

Please see GE publication GES-2020-006 (login required) for more details on
these issues.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870


- --------------------------END INCLUDED TEXT--------------------



ESB-2021.0046 – [Win] Red Lion Crimson 3.1: Multiple vulnerabilities

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0046
              Advisory (icsa-21-005-04) Red Lion Crimson 3.1
                              6 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Lion Crimson 3.1
Publisher:         ICS-CERT
Operating System:  Windows
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27285 CVE-2020-27283 CVE-2020-27279

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-21-005-04

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-21-005-04)

Red Lion Crimson 3.1

Original release date: January 05, 2021

1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Red Lion
  o Equipment: Crimson 3.1
  o Vulnerabilities: NULL Pointer Dereference, Missing Authentication for
    Critical Function, Improper Resource Shutdown or Release

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
create a denial-of-service condition, read and modify the database, and leak
memory data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Crimson 3.1 for the DA10D Protocol Converter are
affected:

  o Crimson 3.1: Build versions prior to 3119.001

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference vulnerability has been identified in the protocol
converter. An attacker could send a specially crafted packet that could reboot
the device.

CVE-2020-27279 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The default configuration of the affected product allows a user to be able to
read and modify the database without authentication.

CVE-2020-27285 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.2.3 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

An attacker could send a specially crafted message that could leak arbitrary
memory locations.

CVE-2020-27283 has been assigned to this vulnerability. A CVSS v3 base score of
4.3 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Marco Balduzzi, Ryan Flores, Philippe Lin, Charles Perine, Ryan Flores, Rainer
Vosseler working with Trend Micro Zero Day Initiative reported these
vulnerabilities to CISA.

4. MITIGATIONS

Red Lion recommends users update to build 3119.001 or later.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870


- --------------------------END INCLUDED TEXT--------------------



ESB-2021.0045 – [Win] Delta Electronics DOPSoft: Execute arbitrary code/commands – Existing account

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0045
            Advisory (icsa-21-005-05) Delta Electronics DOPSoft
                              6 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Delta Electronics DOPSoft
Publisher:         ICS-CERT
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27277 CVE-2020-27275 

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-21-005-05

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-21-005-05)

Delta Electronics DOPSoft

Original release date: January 05, 2021

1. EXECUTIVE SUMMARY

  o CVSS v3 7.8
  o ATTENTION: Low skill level to exploit
  o Vendor: Delta Electronics
  o Equipment: DOPSoft
  o Vulnerabilities: Out-of-bounds Write, Untrusted Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow arbitrary code
execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of DOPSoft, a software that supports the DOP-100 series
HMI screens, are affected:

  o DOPSoft Version 4.0.8.21 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected product is vulnerable to an out-of-bounds write while processing
project files, which may allow an attacker to execute arbitrary code.

CVE-2020-27275 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 UNTRUSTED POINTER DEREFERENCE CWE-822

The affected product has a null pointer dereference issue while processing
project files, which may allow an attacker to execute arbitrary code.

CVE-2020-27277 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Kimiya, working with Trend Micro's Zero Day Initiative, reported these
vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics has released an updated version of DOPSoft and recommends
users install this update on all affected systems. Delta Electronics recommends
the following mitigations:

  o Update to the latest version of DOPSoft, v4.00.10.17 or higher.
  o Use DOPSoft v4.00.10.17 to open old project files (*.dpa) and save them as
    new files; then use the newly saved project files and discard the old
    ones.
  o Restrict interaction of the application with trusted files.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These
vulnerabilities are not exploitable remotely.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870


- --------------------------END INCLUDED TEXT--------------------



The IronLens January Threat Intelligence Brief

The SolarWinds/SUNBURST attack dominated threat intelligence activity last month and continues to unfold. For more information about SolarWinds, please see this blog post on IronNet’s website.

The post The IronLens January Threat Intelligence Brief appeared first on Security Boulevard.

The post The IronLens January Threat Intelligence Brief appeared first on Malware Devil.

https://malwaredevil.com/2021/01/06/the-ironlens-january-threat-intelligence-brief-2/?utm_source=rss&utm_medium=rss&utm_campaign=the-ironlens-january-threat-intelligence-brief-2

Tuesday, January 5, 2021

Hamas May Be Threat to 8chan, QAnon Online

In October 2020, KrebsOnSecurity looked at how a web of sites connected to conspiracy theory movements QAnon and 8chan were being kept online by DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas. New research shows DDoS-Guard relies on data centers provided by a U.S.-based publicly traded company, which experts say could be exposed to civil and criminal liabilities as a result of DDoS-Guard’s business with Hamas.

The post Hamas May Be Threat to 8chan, QAnon Online appeared first on Security Boulevard.

The post Hamas May Be Threat to 8chan, QAnon Online appeared first on Malware Devil.

https://malwaredevil.com/2021/01/05/hamas-may-be-threat-to-8chan-qanon-online-2/?utm_source=rss&utm_medium=rss&utm_campaign=hamas-may-be-threat-to-8chan-qanon-online-2

SolarWinds Breach is the Rule, Not an Exception

A new article about the philosopher Wittgenstein’s passion for reading crime stories has an important insight into both the man and his methods: That a crime has been committed, [The Maltese Falcon author] Hammett knew, does not necessarily mean that a plan has been carried out. Plotting and scheming are things people usually do in … Continue reading SolarWinds Breach is the Rule, Not an Exception

The post SolarWinds Breach is the Rule, Not an Exception appeared first on Security Boulevard.

The post SolarWinds Breach is the Rule, Not an Exception appeared first on Malware Devil.

https://malwaredevil.com/2021/01/05/solarwinds-breach-is-the-rule-not-an-exception/?utm_source=rss&utm_medium=rss&utm_campaign=solarwinds-breach-is-the-rule-not-an-exception

Summing Up 2020 for Security Operations Pros, Siemplify … and Everyone: A Year Like No Other

Well, no one saw that coming. For humanity, the global pandemic has altered every aspect of the way we interact…

The post Summing Up 2020 for Security Operations Pros, Siemplify … and Everyone: A Year Like No Other appeared first on Siemplify.

The post Summing Up 2020 for Security Operations Pros, Siemplify … and Everyone: A Year Like No Other appeared first on Security Boulevard.

The post Summing Up 2020 for Security Operations Pros, Siemplify … and Everyone: A Year Like No Other appeared first on Malware Devil.

https://malwaredevil.com/2021/01/05/summing-up-2020-for-security-operations-pros-siemplify-and-everyone-a-year-like-no-other/?utm_source=rss&utm_medium=rss&utm_campaign=summing-up-2020-for-security-operations-pros-siemplify-and-everyone-a-year-like-no-other

PCI DSS: SSL Certificate Management Requirements | Keyfactor

For IT and security teams, compliance ranks at the top of the priority list. If you’re responsible for handling key and certificate management in your organization, you know this all too well. 

PCI DSS is one of the most common and widely adopted compliance mandates. Basically, if your organization accepts credit or debit as a form of payment, then PCI DSS applies to you. The good news is that most of the 12 PCI DSS requirements are just common sense security controls you should already have in place. 

In this blog, we’ll cover PCI DSS, how it has changed, and how to map PCI DSS SSL certificate requirements against your key and certificate management practices.

The post PCI DSS: SSL Certificate Management Requirements | Keyfactor appeared first on Security Boulevard.

The post PCI DSS: SSL Certificate Management Requirements | Keyfactor appeared first on Malware Devil.

https://malwaredevil.com/2021/01/05/pci-dss-ssl-certificate-management-requirements-keyfactor/?utm_source=rss&utm_medium=rss&utm_campaign=pci-dss-ssl-certificate-management-requirements-keyfactor

Bogus CSS Injection Leads to Stolen Credit Card Details

A client recently reported their customers were receiving antivirus warnings when trying to access and purchase products from a Magento ecommerce website. This is almost always a telltale sign that something is amiss, and so I began my investigation.

Malware in Database Tables

As is pretty common with Magento credit card swiper investigations, my initial scans came up clean. Attackers are writing new pieces of malware like it’s going out of style, so there are very frequently new injections to track down and remove.

Continue reading Bogus CSS Injection Leads to Stolen Credit Card Details at Sucuri Blog.

The post Bogus CSS Injection Leads to Stolen Credit Card Details appeared first on Security Boulevard.

The post Bogus CSS Injection Leads to Stolen Credit Card Details appeared first on Malware Devil.

https://malwaredevil.com/2021/01/05/bogus-css-injection-leads-to-stolen-credit-card-details/?utm_source=rss&utm_medium=rss&utm_campaign=bogus-css-injection-leads-to-stolen-credit-card-details

Contextualizing Microsoft’s Source Code Exposure in the SolarWinds Attacks

In the middle of December, IT management software provider SolarWinds revealed in a security advisory that it had fallen victim to a sophisticated supply chain attack. The offensive involved the placement of a backdoor known as SUNBURST into versions 2019.4 HF 5, 2020.2 with no hotfix installed and 2020.2 HF 1 of the company’s Orion Platform software. If executed, SUNBURST allowed an attacker to compromise the server running the Orion build.

The post Contextualizing Microsoft’s Source Code Exposure in the SolarWinds Attacks appeared first on Security Boulevard.

The post Contextualizing Microsoft’s Source Code Exposure in the SolarWinds Attacks appeared first on Malware Devil.

https://malwaredevil.com/2021/01/05/contextualizing-microsofts-source-code-exposure-in-the-solarwinds-attacks-2/?utm_source=rss&utm_medium=rss&utm_campaign=contextualizing-microsofts-source-code-exposure-in-the-solarwinds-attacks-2

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...