With millions working, learning and collaborating remotely due to COVID-19 challenges, there’s an explosion of remote endpoints running Zoom and other collaboration and productivity applications such as Outlook, Teams, Webex, Slack, Office 365 and more. As remote endpoints are accessing organizations’ critical assets and data, more and more cyberattacks are targeting remote endpoints for exploiting weaknesses and vulnerabilities in collaboration tools like Zoom.
A severe vulnerability exists in Apache Tomcat’s Apache JServ Protocol. The Chinese cyber security company Chaitin Tech discovered the vulnerability, which is named “Ghostcat” and is tracked using CVE-2020-1938. The security issue has received a critical severity rating score of 9.8 based on CVSS v3 Scoring system.
Due to a file inclusion defect in the AJP service (port 8009) that is enabled by default in Tomcat, an attacker can construct a malicious request package for file inclusion operation, and then read the web directory file on the affected Tomcat server. If the system allows users to upload files, an attacker can upload malicious code to the server, and gain the ability to perform remote code execution.
This release of Qualys Patch Management version 1.3 includes new features, highlights as follows.
Patch Scheduling enhancement: “No Patch Window” – When scheduling a patch deployment, instead of having to specify a Patch Window time frame, you can select “None”. This will allow a job to continue to run until all of the Assets in the job are able to perform the deployment, instead of timing out at the end of the Patch Window. This is especially useful in situations where you have an emergency patch that absolutely must be installed as soon as possible. If an Asset is offline when the job is set to run, it will run the job once the Cloud Agent checks in again.
Suppress reboot – You can choose to suppress the reboot notification and subsequent reboot after a patch deployment. This feature allows you to deploy patches, and then use another mechanism to restart the Assets. Any Asset that has the reboot suppressed will still report the Reboot Required flag to the platform.
Create Job in “Enabled” state – Previously, you would create a Deployment Job in a Disabled state, and then Enable the job from the Jobs screens. Now, you can choose to have the Job saved in an Enabled state, reducing the amount of clicks required to start a Job.
Opportunistic Patch Download – When creating a Job, you can now opt to have the Cloud Agent download the patches in the background before the job runs, reducing the amount of time the job takes to complete.
This month’s Microsoft Patch Tuesday addresses 88 vulnerabilities with 21 of them labeled as Critical. Of the 21 Critical vulns, 17 are for scripting engines and browsers, and 3 are potential hypervisor escapes in Hyper-V. The remaining vulnerability is an RCE in the Microsoft Speech API. Microsoft also issued guidance on Bluetooth Low Energy FIDO keys, HoloLens, and Microsoft Exchange. Adobe issues patches today for Flash, ColdFusion, and Campaign.
The rise of sophisticated attacks combined with the security-skills shortage have driven many organizations to go back to basics and review their processes for vulnerability and patch management. The approach is definitely a winning one, given that shrinking and managing the vulnerability surface makes it harder to target and compromise.
Assessing the attack surface requires strengthening key capabilities, such as increasing visibility across the IT landscape and improving the detection, prioritization and remediation of vulnerabilities at scale. Qualys has been boosting these capabilities for its customers over the last two decades.
Read on to learn how Qualys is addressing enterprises’ patch management challenges with integrated breach prevention that includes its new Patch Management cloud application.
Vulnerabilities that vendors have disclosed and issued patches for remain a major source of breaches. Why? Too many organizations take too long to deploy those patches — or never do.
That was the case with WannaCry. The ransomware exploited Windows vulnerability MS17-010, which Microsoft disclosed in mid-March 2017, rating it “Critical” and issuing a patch for it. The attacks began two months later. It was only then that most affected organizations began to install the patch. When the dust cleared, WannaCry had infected 300,000-plus systems, disrupting critical operations globally.
So why does this baffling problem persist?
As is true for most IT and security challenges, the patch management problem and its solution depend on a combination of the technology being used and of the processes in place.
It’s that time of the year when Verizon updates us on the latest trends in the global threat landscape with itsData Breach Investigations Report (DBIR). The findingsin this year’s report are based on data provided by more than 70 sources (including Qualys) about more than 41,000 security incidents, including more than 2,000 confirmed data breaches, across a variety of geographies (over 80 countries) and industries. A privileged observation point indeed.
While the very informative 78-page report touches on a wide range of areas, I’ll focus on three that are particularly relevant for Qualys customers:
Who are hackers’ preferred targets, and why
The importance of reducing both the time it takes to discover security problems, such as vulnerabilities or breaches, and the time it takes to fix them
How lack of visibility, human error and careless misconfigurations heighten organizations’ security risks
Read on to learn more about the evolution (or is it “EVILution”) of the threat landscape in the past year, and find out about recommended actions.
High profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.
Even if the vulnerabilities aren’t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.
Often, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.
“Should I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I’m going to argue that that’s not always the case,” Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.
In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news — this time involving Microsoft — and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.
Microsoft patches its Meltdown patch, then patches it again
In an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.
It took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. The company thought it had solved the vulnerability (CVE-2018-1038) with a scheduled patch last Tuesday, but then had to rush out an emergency fix two days later.
Security researcher Ulf Frisk, who discovered the vulnerability, called it “way worse” than Meltdown because it “allowed any process to read the complete memory contents at gigabytes per second” and made it possible to write to arbitrary memory as well.
“No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk wrote. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required — just standard read and write.”