SysAdmin 24x7


Computer security news and alerts. Chat and contact: t.me/sysadmin24x7chat

Posts Archive
Let's Encrypt
Our cross-signed DST Root CA X3 expired today. If you are hitting an error, check out fixes in our community forum. We're seeing higher than normal renewals, so you may experience a slowdown in getting your certificates.
--------------------
Help thread for DST Root CA X3 expiration (September 2021)
If you have any questions about whether you need to do anything special for the upcoming DST Root CA X3 expiration in September 2021, please post them here. A staff member may split out some conversations into their own threads.
Update 30 September 2021, 17:34 UTC
Yesterday, the R3 signed by DST Root CA X3 intermediate expired as planned. If you experience problems related to certificate chaining you should first review your configuration and make sure your server/website/device is sending the correct chain with the updated R3 intermediate signed by ISRG Root X1. It is unlikely that you need to force renewal to resolve issues related to R3 signed by DST Root CA X3 expiring. This thread and many more on the community offer advice to review and resolve this problem.
Earlier today, the DST Root CA X3 expired as planned. Most problems related to DST Root CA X3 expiring will not be solved by force renewal. Please search the forum and this thread for help to resolve the problems you are experiencing before opening a new thread.
https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190

Multiple vulnerabilities in HP Security Manager
Publication date: 30/09/2021
Severity: 5 - Critical
Affected resources: HP Security Manager, versions prior to 3.6.1.
Description: HP has published 4 vulnerabilities, 1 critical and 3 high, in HP Security Manager that could allow an attacker to execute code remotely or cause a denial of service.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-hp-security-manager

Researchers discover bypass 'bug' in iPhone Apple Pay, Visa to make contactless payments. https://appleinsider.com/articles/21/09/30/apple-pay-bug-could-allow-attackers-to-bypass-lock-screen-make-payments

Red Hat OpenShift Container Platform
CVE-2021-25741
CVSS v3 Base Score: 8.8
Description: A flaw was found in Kubernetes. An authorized user can exploit this by creating pods with crafted subpath volume mounts to access files and directories outside of the volume, including on the host node's filesystem.
Mitigation: OpenShift Container Platform runs with SELinux in enforcing mode, which reduces the impact of this vulnerability, but does not completely prevent it from being exploited.
Affected Packages and Issued Red Hat Security Errata:
Red Hat OpenShift Container Platform 4.8: openshift, Fixed, RHSA-2021:3631, 28 September 2021
Red Hat OpenShift Container Platform 3.11: atomic-openshift, Affected
Red Hat OpenShift Container Platform 4.6: Fixed, RHSA-2021:3642, 29 September 2021
https://access.redhat.com/security/cve/CVE-2021-25741

CISA and NSA Release Guidance on Selecting and Hardening VPNs ⚠️ Hardening VPN 101: 1) Configure strong cryptography, 2) Run only necessary features, 3) Monitor access to/from VPN. https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF

Security Notification - Command Injection Vulnerability in Some Hikvision products
SN No.: HSRC-202109-01
Edit: Hikvision Security Response Center (HSRC)
https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/

Opera browser patches My Flow remote code execution vulnerability. https://portswigger.net/daily-swig/opera-browser-patches-my-flow-remote-code-execution-vulnerability

Expert found RCE flaw in Visual Studio Code Remote Development Extension
Researchers from the Italian cybersecurity firm Shielder found a remote code execution vulnerability in Visual Studio Code Remote Development Extension. Visual Studio Code Remote Development allows users to adopt a container, remote machine, or the Windows Subsystem for Linux (WSL) as a full-featured development environment.
https://securityaffairs.co/wordpress/122638/hacking/rce-visual-studio-code-remote-development-extension.html

Basic Authentication and Exchange Online – September 2021 Update
By The Exchange Team. Published Sep 23 2021
In February 2021, we announced some changes to our plan for turning off Basic Authentication in Exchange Online. In summary, we announced we were postponing disabling Basic Auth for protocols in active use by your tenant until further notice, but that we would continue to disable Basic Auth for all protocols not being used. The overall scope of the program was also extended to include Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB.
Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage (with the exception of SMTP Auth, which can still be re-enabled after that).
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210

More than 130,000 malicious IP addresses were blocked during Census 2021: AWS. https://www.zdnet.com/article/more-than-130000-malicious-ip-addresses-were-blocked-during-census-2021-aws/

Phishing and malware actors abuse Google Forms for credentials, data exfiltration.
Earlier this year as we researched malware use of Transport Layer Security-based communications to conceal command and control traffic and downloads, we found a disproportionate amount of traffic going to Google cloud services. Among the destinations we found in telemetry were a host of Google Forms pages.
https://news.sophos.com/en-us/2021/09/23/phishing-and-malware-actors-abuse-google-forms-for-credentials-data-exfiltration/

How to block sites from requesting Idle Detection API permissions in Chrome.
Google introduced a controversial API in Google Chrome 94 this month. Called Idle Detection API, it allows sites to query the device to find out whether it is idle or in active use. A device enters idle state if it is not used actively for a period; the API can request the idle state of components or events, such as the keyboard, mouse or screensaver.
https://www.ghacks.net/2021/09/27/how-to-block-sites-from-requesting-idle-detection-api-permissions-in-chrome/

German Federal Office for Information Security is launching an investigation into the cybersecurity of certain Chinese mobile phones. https://securityaffairs.co/wordpress/122604/intelligence/bsi-investigates-chinese-mobile-phones.html

Multiple vulnerabilities in Netgear products
Publication date: 27/09/2021
Severity: 5 - Critical
Description: NETGEAR has reported 25 vulnerabilities, all of critical severity, that could allow an attacker to compromise the affected products.
Solution: Update to the latest firmware version from the NETGEAR support website.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-productos-netgear-16