March 16, 2024

Hello all,

Patch Tuesday came and as expected, was not as bad as prior months. Yet there are still plenty of things to address, so make sure you check what is needed in your environment. This week we have interesting reports about Apple developing a USB worm and an aversion to coffee – er Java. McDonald’s has two mentions, McEvent and Ice-cream-gate. JetBrains and Rapid7 are openly sparring about a recent TeamCity vulnerability disclosure, and our US government is rather concerned about Chinese spying. Read on for more details and other items of note and interest.

The volume of news can seem overwhelming, so the best strategy is to read the Notable Callouts below, then skim the full list of linked news item titles (https://red-n-security.com/?p=1181) for items that pertain to you or your environment or simply interest you, and select those for more information. So, let’s get to it. And don’t forget, our site, https://red-n-security.com, also has searchable archives of past newsletters.

Notable Callouts:

  • Apple is in the news for a second week. The red-fruit company released security updates on Patch Tuesday, including two zero-days. However, as many users found, macOS 14.4 rendered their USB hubs and printers inoperable. Additional reports say that Oracle’s Java is having problems with the update as well. If you depend on such peripherals, or Java, I’d suggest holding off on the update until Apple fixes it.
  • AMD and Intel both released updates to address vulnerabilities. AMD specifically addressed a flaw known as GhostRace and a few other bugs. Intel addressed just shy of a dozen items; among the most severe is a Local Privilege Escalation (LPE) involving BIOS and an interface on 4th Generation Intel Xeon processors.
  • Cisco is also in the news for a second week, this time for “high-severity denial-of-service and elevation of privilege vulnerabilities in IOS XR software”. The vulnerabilities affect 8000 series routers and Network Convergence System (NCS) 540 series and 5700 series routers. To mitigate, patch all affected devices to at least version 7.10.1 of Internetworking Operating System XR.
  • Fortinet, ever present in vulnerability news, released patches for a number of vulnerabilities, at least two of which are rated critical. Fortinet urges customers to “upgrade to the newly patched FortiClientEMS 7.2.3 or above, or to FortiClientEMS 7.0.11 or above.” One of the bugs is rated a near maximum severity issue. So far there are no indications of exploitation in the wild, so patch ASAP as the details and PoC are expected to land this coming week. In a related article…
  • Siemens Ruggedcom devices received the gift of 11 new advisories describing a total of 214 vulnerabilities this past week. It is related because the Fortigate NGFW is integrated with Siemens’ Ruggedcom switches and routers; therefore, any Fortigate vulnerabilities become Siemens’ vulnerabilities by extension. If that weren’t enough, three vulnerabilities were disclosed in Sinteso EN and Cerberus PRO EN fire protection systems. One of the items is critical with a maximum CVSS score of 10, because it allows unauthenticated Remote Code Execution (RCE) as root. If you don’t want your fire protection systems compromised, update immediately!
  • LockBit ransomware criminal Mikhail Vasiliev, described as one of the most prolific ransomware operators, was sentenced to nearly 4 years of prison in Canada, with the US also planning to prosecute this unsavory person with additional charges and incarceration time. Maybe Canada can keep him in a prison north of the Arctic Circle. Chalk one up for the good guys, one less evil villain doing cyber-harm.
  • McEvent: this past week McDonald’s, yes the fast-food chain, had a near-global system outage. Their IT reports that it was not related to a malicious incident. I guess we’ll need to wait to see if they release a post-mortem. In a somewhat related event…
  • Ice-cream-gate: US lawmakers are crafting legislation that will require McDonald’s and other establishments’ ice cream machines to be repairable by whoever is capable, vs. having proprietary vendor lock-in. I guess one too many government officials went through the drive-through only to be told that the ice-cream machine was down. The frustration of this equipment failure prompted Rashiq Zahid to create a website, https://mcbroken.com, that tracks this phenomenon. As of this writing, 13.68% of the frozen treat machines are reported thawed.
  • Microsoft (and others, think Adobe and more) released Patch Tuesday updates this past week. Depending on who is tracking, either 59 or 61 Microsoft vulnerabilities received patches. Unlike most of the preceding year, this time there were no zero-day disclosures. However, there are at least two high-severity bugs in this batch that should be prioritized. As with most Microsoft patches, test first if you’re able, and have a back-out plan.
  • Microsoft Exchange Online has displayed an issue banner for at least a week stating that it is having deliverability issues due to being on some block-lists. However, many of those affected have found that once they create or correct their SPF, DKIM, and DMARC DNS records, mail that was previously blocked gets through. Major email vendors are beginning to enforce these email security controls, so it would behoove any email administrator to ensure that they are in place and correct.
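Before touching DNS, it helps to know what "correct" means for an SPF and a DMARC record. The checker below is an added example written for this newsletter, not code from Microsoft or any vendor: it parses a TXT record string offline and flags the mistakes that most often cause rejections (a missing or `+all` terminator, more than ten lookup-causing SPF terms, a DMARC policy of `p=none` with no reporting address). The sample records are constructed for illustration and use reserved example domains. It does not resolve DNS, so nested `include:` lookups are not counted, and it does not check DKIM, whose correctness depends on the published key and selector.

```python
"""Offline sanity checks for SPF and DMARC TXT records (added example, not vendor code)."""

# SPF mechanisms that each cost one DNS lookup (RFC 7208 sec. 4.6.4 caps these at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def check_spf(record: str) -> dict:
    """Parse one SPF record and return {'ok', 'issues', 'lookups', 'all'}; no DNS is queried."""
    issues = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"ok": False, "issues": ["record does not start with v=spf1"], "lookups": 0, "all": None}
    lookups = 0
    all_qualifier = None
    for i, term in enumerate(terms[1:], start=1):
        if "=" in term and term[0] not in "+-~?":
            # Modifier (redirect=, exp=). redirect= also costs a lookup.
            if term.partition("=")[0].lower() == "redirect":
                lookups += 1
            continue
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr mechanism is deprecated and slow to evaluate")
        if name == "all":
            all_qualifier = qualifier
            if i != len(terms) - 1:
                issues.append("terms after 'all' are never evaluated")
    if all_qualifier is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        issues.append("+all authorizes every sender on the internet")
    elif all_qualifier == "?":
        issues.append("?all is neutral, equivalent to publishing no policy")
    if lookups > 10:
        issues.append(f"{lookups} lookup-causing terms exceed the limit of 10 (permerror)")
    return {"ok": not issues, "issues": issues, "lookups": lookups, "all": all_qualifier}


def check_dmarc(record: str) -> dict:
    """Parse one DMARC record and return {'ok', 'issues', 'tags'}."""
    issues = []
    tags = {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        return {"ok": False, "issues": ["record does not start with v=DMARC1"], "tags": {}}
    for part in parts[1:]:
        if "=" not in part:
            issues.append(f"malformed tag '{part}'")
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag (required)")
    elif policy == "none":
        issues.append("p=none only monitors; receivers still deliver failing mail")
    pct = tags.get("pct", "100")  # default is 100
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        issues.append("pct= must be an integer from 0 to 100")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        issues.append(f"pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will not be received")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                issues.append(f"rua URI '{uri.strip()}' is not a mailto: URI")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            issues.append(f"{tag}= must be r (relaxed) or s (strict)")
    return {"ok": not issues, "issues": issues, "tags": tags}


# Constructed sample records (example domains only; not any real organization's policy).
SAMPLES = {
    "spf_good": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all",
    "spf_weak": "v=spf1 a mx ptr include:a.example include:b.example include:c.example "
                "include:d.example include:e.example include:f.example include:g.example "
                "include:h.example +all",
    "dmarc_good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "dmarc_weak": "v=DMARC1; p=none; pct=50",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        result = check_spf(rec) if name.startswith("spf") else check_dmarc(rec)
        print(name, "OK" if result["ok"] else "ISSUES:", *result["issues"], sep="\n  ")
```

Run it against your own `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain` output; a clean result here does not guarantee delivery, but any flagged issue will cost you mail at receivers that enforce these controls.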

In Ransomware, Malware, and Vulnerabilities News:

  • JetBrains, maker of TeamCity, used by developers worldwide, is in a very public dispute with security company Rapid7. The former accuses the latter of giving insufficient time between a patch being made available and the publication of the vulnerability details and a PoC. JetBrains asserts that the result has been a large number of compromised TeamCity instances. While I understand the maxim of “publish or perish”, in my opinion, especially in the cybersecurity world, reputable companies should default to security over notoriety.
  • US Government will likely soon pass legislation that demands that “any company controlled by a ‘foreign adversary’ to be divested within 180 days”. This has far-reaching implications. And what defines ‘foreign adversary’? This is going to be a sticky wicket for technology professionals, and for legal eagles, if this wording remains unchanged.
  • Chinese state secrets law will soon “require business entities in China to identify and disclose to the government “work secrets,” or non-classified information that the Chinese Communist Party (CCP) deems relevant to its national security”. No, that’s not in the least ambiguous, is it? No wonder the US wants divestment of companies of “foreign adversaries”.

In Other News Events of Note and Interest:

  • Las Vegas Sphere is a marvel of technology. This massive orb (you have to see it in person to grasp the scale) received a nice writeup that is fascinating to read.
  • Citrix has recently (this month) changed their pricing model and partners are none too happy; some are reporting that monthly prices will double. More to come, I’m sure.
  • Windows Updates appear to be causing some issues, so ensure you check them out prior to mass-deploying to your fleets of devices.

In Cyber Insurance News:

  • Generative AI is going to reshape how the cyber landscape is architected and insured, according to Lloyd’s of London.

McDonald’s world-wide outage brought up a salient point: are we too dependent on our technology? Many of their restaurants had to turn customers away because they could not process electronic payments, or even cash payments! I guess the answer in their case would be that they were too dependent. Which raises the question: what would your business do if the technology was down for a day, a couple of days, or longer? Do you have a Business Continuity Plan (BCP) that covers such a contingency? If not, now is the time to work one up, not when you are in the thick of it scrambling to service customers.

Keep the Shields up, they really are out to get you.

Viscount Zebulon Wamboldt Pike
Red-N Weekly Cyber Security News
