Oct 12 2023

Adobe, Cisco IOS, Skype, WordPad, and HTTP/2 Rapid Reset Flaws Actively Exploited: CISA Warns

Category: Security vulnerabilitiesdisc7 @ 9:25 am

The US cybersecurity organization CISA has updated its Known Exploited Vulnerabilities catalog to include five new security flaws that are currently being actively exploited.

This means that attackers are using these vulnerabilities to gain unauthorized access to computer systems, steal sensitive data, or cause damage to critical infrastructure.

It is crucial for organizations to be aware of these vulnerabilities and take immediate steps to mitigate the risk of exploitation.

Earlier this year, several vulnerabilities were reported in popular software applications such as Acrobat, Cisco IOS, WordPad, Skype, and HTTP/2 Rapid Reset.

As a precautionary measure, businesses are advised by CISA to be wary of these vulnerabilities and take necessary steps to secure their systems against potential cyber-attacks.

Malicious cyber actors often exploit these vulnerabilities as they are commonly found in the federal enterprise, posing significant threats to their security.

Five Actively Exploited Flaws

  • CVE-2023-21608 Adobe Acrobat and Reader Use-After-Free Vulnerability

A Use After Free vulnerability in Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier), and 20.005.30418 (and earlier) might lead to arbitrary code execution in the context of the current user.

This vulnerability can only be exploited if the victim opens a malicious file that involves user involvement. Adobe patched the vulnerability in January 2023, and the PoC exploit code for this issue is available.

An authenticated, remote attacker with administrative access to a group member or a key server could exploit a vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software.

A successful exploit might give the attacker complete control of the targeted system and the ability to run arbitrary code, or it could force the target system to reload, resulting in a DoS attack. Cisco fixed the flaw at the end of September.

  • CVE-2023-41763 Microsoft Skype for Business Privilege Escalation Vulnerability

An elevation of privilege vulnerability in Skype for Business is identified as CVE-2023-41763.

“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker”, Microsoft warns.

The attacker may obtain certain private, sensitive data, and in some situations, the information that was revealed could provide the attacker access to internal networks. Microsoft patched the flaw in its October Patch Tuesday release.

  • CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability

This is an information disclosure vulnerability in Microsoft WordPad. Because of the flaw, NTLM hashes can be revealed under certain circumstances. 

To exploit the issue, an attacker would need to be able to get into the system, but if a footing is gained, the adversary could then launch a specially crafted application and seize control of an affected machine.

“The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file,” Microsoft said.

Microsoft patched the flaw in its October Patch Tuesday release.

The HTTP/2 protocol flaw CVE-2023-44487 has recently been utilized to execute massive DDoS attacks against several targets. The HTTP/2 protocol’s handling of request cancellations or resets is the source of the issue.

When a client makes a reset for an HTTP/2 request, it consumes server resources by canceling the relevant stream. 

However, the client can start a new stream right away after initiating a reset. The quick opening and closing of HTTP/2 streams brings on the denial of service.

This vulnerability may affect many web platforms because HTTP/2 has been implemented into so many of them.

CISA urges all organizations to prioritize promptly repairing Catalogue vulnerabilities as part of their vulnerability management procedures to reduce their exposure to attacks.

Cybersecurity and Infrastructure Security Agency (CISA) TIPS

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cybersecurity and Infrastructure Security Agency


Oct 03 2021

The Biden administration will work with 30 countries to curb global cybercrime

Category: Cyber crimeDISC @ 1:39 pm

U.S. President Joe Biden announced that the US will work with 30 countries to curb cybercrime and dismantle ransomware gangs that are targeting organizations worldwide.

“This month, the United States will bring together 30 countries to accelerate our cooperation in combatting cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically,” announced President Biden.

The Biden Administration announced that it will work with representatives of 30 countries to accelerate the cooperation among states and international law enforcement agencies in fighting cyber criminal activities. Biden also announced a special effort in building a coalition of nations to advocate for and invest in trusted 5G technology and to secure its supply chains.

The coalition also aims at managing both the risks and opportunities associated with the adoption of emerging technologies like quantum computing and artificial intelligence.

The wave of ransomware attacks that hit US organizations in the first half of 2021 and that were carried out by Russian gangs like REvil and Darkside worried US authorities and was discussed by Presidents Biden and Putin during a phone call in July.

CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation

CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation by [United States Government Accountability  Office]

Cybersecurity Awareness Month 2021 Toolkit: Key messaging, articles, social media, and more to promote Cybersecurity Awareness Month 2021 

Cybersecurity Awareness Month 2021 Toolkit: Key messaging, articles, social media, and more to promote Cybersecurity Awareness Month 2021 by [Cybersecurity and Infrastructure Security Agency]

Tags: Biden administration, Cybersecurity and Infrastructure Security Agency, Cybersecurity Awareness Month 2021 Toolkit, Cybersecurity for Our Nation


Aug 02 2021

CISA launches US federal vulnerability disclosure platform

Category: cyber securityDISC @ 8:15 am

“Through this crowdsourcing platform, Federal Civilian Executive Branch (FCEB) agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings. The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified,” Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA, explained.

The VDP platform

Binding Operational Directive 20-01, released in September 2020, mandates that all FCEB agencies must develop and publish a vulnerability disclosure policy.

At the moment, this newly established VDP platform collects eleven vulnerability disclosure programs, published by the:

  • Federal Communications Commission (FCC)
  • Department of Homeland Security (DHS)
  • National Labor Relations Board (NLRB)
  • Federal Retirement Thrift Investment Board (FRTIB)
  • Millennium Challenge Corporation (MCC)
  • Department of Agriculture (USDA)
  • Department of Labor (DOL)
  • Privacy and Civil Liberties Oversight Board (PCLOB)
  • Equal Employment Opportunity Commission (EEOC)
  • Occupational Safety and Health Review Commission (OSHRC)
  • Court Services and Offender Supervision Agency (CSOSA)

This newly established VDP platform is run by BugCrowd, a bug bounty and vulnerability disclosure company, and EnDyna, a government contractor that provides science and technology-based solutions to several US federal agencies.

CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation by [United States Government Accountability  Office]

Tags: CISA, Cybersecurity and Infrastructure Security Agency