US-CERT Feed

Ivanti has released security updates to address vulnerabilities in all supported versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure gateways. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. 

Users and administrators are encouraged to review the following Ivanti advisory and apply the necessary updates: 

• SA:CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer Dereference), CVE-2024-22053 (Heap Overflow) and CVE-2024-22023 (XML entity expansion or XXE) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

Today, CISA published a new dedicated High-Risk Communities webpage comprised of cybersecurity resources to support civil society communities at heighted risk of digital security threats, including cyber hygiene guidance, a repository of local cyber volunteer programs, and free or discounted tools and services.

Despite their vulnerability to advanced cyber threats, many civil society organizations operate on lean budgets and cannot significantly invest in cybersecurity. CISA’s High-Risk Communities webpage provides resources specifically for civil society organizations, such as:

• Project Upskill, a suite of cyber hygiene guides designed to arm individuals of high-risk organizations with simple steps to meaningfully improve their cyber hygiene.
• Cybersecurity Resources for High-Risk Communities, which offers a wide selection of free or steeply discounted tools and services.
• Cyber Volunteer Resource Center, a repository of cyber volunteer programs across the country that provide free, hands-on cybersecurity support to under-resourced organizations.

For more information on the initiative, read Associate Director Clayton Roman’s blog post, JCDC Working and Collaborating to Build Cyber Defense for Civil Society and High-Risk Communities. Visit Joint Cyber Defense Collaborative to learn more about the planning effort that aided in developing these valuable resources.
 

CISA released one Industrial Control Systems (ICS) advisory on April 2, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-093-01 IOSIX IO-1020 Micro ELD

CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations.

CISA and the open source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. This activity was assigned CVE-2024-3094. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems. 

CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA. 

See the following advisory for more information: 

• Red Hat: Urgent security alert for Fedora 41 and Rawhide users 

Cisco released security updates to address vulnerabilities in Cisco IOS, IOS XE, and AP software. A cyber threat actor could exploit some of these vulnerabilities to cause a denial-of-service.

CISA encourages users and administrators to review the following advisories and apply the necessary updates:

• Cisco Event Response: March 2024 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
• Cisco Access Point Software Secure Boot Bypass Vulnerability
• Cisco Access Point Software Denial of Service Vulnerability

Apple released security updates to address a vulnerability (CVE-2024-1580) in Safari and macOS. A cyber threat actor could exploit this vulnerability to take control of an affected system. 

CISA encourages users and administrators to review the following advisories and apply the necessary updates: 

• Safari 17.4.1
• macOS Sonoma 14.4.1  
• macOS Ventura 13.6.6

CISA released four Industrial Control Systems (ICS) advisories on March 26, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-086-01 Automation-Direct C-MORE EA9 HMI
• ICSA-24-086-02 Rockwell Automation PowerFlex 527
• ICSA-24-086-03 Rockwell Automation Arena Simulation
• ICSA-24-086-04 Rockwell Automation FactoryTalk View ME

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-24955 Microsoft SharePoint Server Code Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-48788 Fortinet FortiClient EMS SQL Injection Vulnerability
• CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
• CVE-2019-7256 Nice Linear eMerge E3-Series OS Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations. Additionally, the Alert highlights the prevalence of this class of vulnerability.

Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk.

CISA and the FBI urge senior executives at technology manufacturing companies to mount a formal review of their code to determine its susceptibility to SQLi compromises. If found vulnerable, senior executives should ensure their organizations’ software developers begin immediate implementation of mitigations to eliminate this entire class of defect from all current and future software products.

For more information on recommended principles and best practices to achieve this goal, visit CISA’s Secure by Design page. To catch up on the publications in this series, visit Secure by Design Alerts.