Subscribe: US-CERT Cyber Security Alerts and Tips
http://www.us-cert.gov/channels/userdocs.rdf
Preview: US-CERT Cyber Security Alerts and Tips

US-CERT: The United States Computer Emergency Readiness Team
Cisco Releases Security Updates

Wed, 22 Mar 2017 22:02:41 +0000

Original release date: March 22, 2017

Cisco has released security updates to address vulnerabilities in its IOS, IOS XE, and IOx Software. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system or cause a denial-of-service condition.

Users and administrators are encouraged to review the following Cisco Security Advisories and apply the necessary updates:



This product is provided subject to this Notification and this Privacy & Use policy.





Vulnerabilities Identified in Network Time Protocol Daemon (ntpd)

Wed, 22 Mar 2017 17:20:27 +0000

Original release date: March 22, 2017

The Network Time Foundation's NTP Project has released version ntp-4.2.8p10 to address multiple vulnerabilities in ntpd. Exploitation of some of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition.

US-CERT encourages users and administrators to review the NTP Security Notice Page for vulnerability and mitigation details.







Cisco Releases Security Updates

Tue, 21 Mar 2017 15:57:06 +0000

Original release date: March 21, 2017

Cisco has released security updates to address vulnerabilities in its IOS and IOS XE Software. Exploitation of one of these vulnerabilities could allow a remote attacker to cause a denial-of-service condition.

Users and administrators are encouraged to review the following Cisco Security Advisories and apply the necessary updates:







SB17-079: Vulnerability Summary for the Week of March 13, 2017

Mon, 20 Mar 2017 13:37:11 +0000

Original release date: March 20, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
adobe -- flash_player | Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable buffer overflow / underflow vulnerability in the Primetime TVSDK that supports customizing ad information. Successful exploitation could lead to arbitrary code execution. | 2017-03-14 | 10.0 | CVE-2017-2997 BID CONFIRM
adobe -- flash_player | Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable memory corruption vulnerability in the Primetime TVSDK API functionality related to timeline interactions. Successful exploitation could lead to arbitrary code execution. | 2017-03-14 | 10.0 | CVE-2017-2998 BID CONFIRM
adobe -- flash_player | Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable memory corruption vulnerability in the Primetime TVSDK functionality related to hosting playback surface. Successful exploitation could lead to arbitrary code execution. | 2017-03-14 | 10.0 | CVE-2017-2999 BID CONFIRM
adobe -- flash_player | Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability related to garbage collection in the ActionScript 2 VM. Successful exploitation could lead to arbitrary code execution. | 2017-03-14 | 10.0 | CVE-2017-3001 BID CONFIRM
adobe -- flash_player | Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability in the ActionScript2 TextField object related to the variable property. Successful exploitation could lead to arbitrary code execution. | 2017-03-14 | 10.0 | CVE-2017-3002 BID CONFIRM
adobe -- flash_player | Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability related to an interaction between the privacy user interface and the ActionScript 2 Camera object. Successful exploitation could lead to arbitrary code execution. | 2017-03-14 | 10.0 | CVE-2017-3003 BID CONFIRM
alienvault -- ossim | The logcheck function in session.inc in AlienVault OSSIM before 5.3.1, when an action has been created, and USM before 5.3.1 allows remote attackers to bypass authentication and consequently obtain sensitive information, modify the application, or execute arbitrary code as root via an "AV Report Scheduler" HTTP User-Agent header. | 2017-03-15 | 7.5 | CVE-2016-7955 BUGTRAQ MISC CONFIRM
apache -- struts | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string[...]



IRS Warns of Last-Minute Tax Scams

Sat, 18 Mar 2017 03:21:10 +0000

Original release date: March 17, 2017

The Internal Revenue Service (IRS) has released an alert warning of phishing email scams targeting last-minute tax filers. The alert describes common features of these cyber crimes and includes recommendations to protect against them: strengthen passwords, recognize phishing attempts, and forward suspicious emails to phishing@irs.gov.

Taxpayers and tax professionals are encouraged to review the IRS alert and US-CERT's advice on Avoiding Social Engineering and Phishing Attacks.







Mozilla Releases Security Updates

Sat, 18 Mar 2017 00:54:28 +0000

Original release date: March 17, 2017

Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. Exploitation of this vulnerability may allow an attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Mozilla Security Advisory for Firefox and Firefox ESR and apply the necessary updates.







Microsoft Ending Support for Windows Vista

Fri, 17 Mar 2017 04:45:45 +0000

Original release date: March 17, 2017

All software products have a lifecycle. After April 11, 2017, Microsoft is ending support for the Windows Vista operating system. After this date, this product will no longer receive:

  • Security updates,
  • Non-security hotfixes,
  • Free or paid assisted support options, or
  • Online technical content updates from Microsoft.

Computers running the Windows Vista operating system will continue to work even after support ends. However, using unsupported software may increase the risks of viruses and other security threats.

Users and administrators are encouraged to upgrade to a currently supported operating system. For more information, see Microsoft's Vista support and product lifecycle articles.

US-CERT does not endorse or support any particular product or vendor.







Microsoft SMBv1 Vulnerability

Thu, 16 Mar 2017 22:12:41 +0000

Original release date: March 16, 2017

Microsoft has released a security update to address a vulnerability in implementations of Server Message Block 1.0 (SMBv1). Exploitation of this vulnerability could allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Microsoft Security Bulletin MS17-010 and apply the update. For more information, see the Information Assurance Advisory and US-CERT's SMB Security Best Practices guidance.







TA17-075A: HTTPS Interception Weakens TLS Security

Thu, 16 Mar 2017 12:40:42 +0000

Original release date: March 16, 2017

Systems Affected

All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected.

Overview

Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. The CERT Coordination Center (CERT/CC) explored the tradeoffs of using HTTPS interception in a blog post called The Risks of SSL Inspection [1].

Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide.

Description

TLS and its predecessor, Secure Sockets Layer (SSL), are important Internet protocols that encrypt communications over the Internet between the client and server. These protocols (and protocols that make use of TLS and SSL, such as HTTPS) use certificates to establish an identity chain showing that the connection is with a legitimate server verified by a trusted third-party certificate authority.

HTTPS inspection works by intercepting the HTTPS network traffic and performing a man-in-the-middle (MiTM) attack on the connection. In MiTM attacks, sensitive client data can be transmitted to a malicious party spoofing the intended server. In order to perform HTTPS inspection without presenting client warnings, administrators must install trusted certificates on client devices. Browsers and other client applications use this certificate to validate encrypted connections created by the HTTPS inspection product.

In addition to the problem of not being able to verify a web server's certificate, the protocols and ciphers that an HTTPS inspection product negotiates with web servers may also be invisible to a client. The problem with this architecture is that the client systems have no way of independently validating the HTTPS connection. The client can only verify the connection between itself and the HTTPS interception product. Clients must rely on the HTTPS validation performed by the HTTPS interception product.

A recent report, The Security Impact of HTTPS Interception [2], highlighted several security concerns with HTTPS inspection products and outlined survey results of these issues. Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM attack. Furthermore, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server. This report provided a method to allow servers to detect clients that are having their traffic manipulated by HTTPS inspection products. The website badssl.com [3] is a resource where clients can verify whether their HTTPS inspection products are properly verifying certificate chains. Clients can also use this site to verify whether their HTTPS inspection products are enabling connections to websites that a browser or other client would otherwise reject. For example, an HTTPS inspection product may allow deprecated protocol versions or weak ciphers to be used between itself and a web server. Because client systems may connect to the HTTPS inspection product using strong cryptography, the user will be unaware of any weakness on the other side of the HTTPS inspection.

Impact

Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequat[...]
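As an added example (not US-CERT's code, nor the cited report's), a server-side heuristic in the spirit of the detection method the advisory mentions: the cipher suites a client actually offers in its ClientHello are compared with the suites its User-Agent header implies an unmodified browser would offer, and a mismatch flags a connection that was likely re-originated by an inspection product. The browser fingerprint, the User-Agent string and the sample suite lists are constructed for illustration and are not real browser fingerprints.

```python
# Constructed (hypothetical) fingerprint: the suites a browser family is
# expected to offer, in order. A real deployment would learn these from
# handshakes of known-unmodified browsers rather than hard-code them.
EXPECTED_CIPHERS = {
    "Firefox": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
}
# Suites no current browser offers; one of these in a ClientHello that claims to
# come from a browser is the advisory's "weak ciphers on the far side" case.
WEAK_CIPHERS = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}


def browser_family(user_agent):
    """Crude User-Agent classification, enough for the demonstration."""
    if "Firefox/" in user_agent:
        return "Firefox"
    return None


def assess_handshake(user_agent, offered_ciphers):
    """Return (verdict, reasons); verdict is consistent, intercepted or unknown."""
    family = browser_family(user_agent)
    if family is None:
        return "unknown", ["no fingerprint on file for this User-Agent"]
    expected, reasons = EXPECTED_CIPHERS[family], []
    weak = [c for c in offered_ciphers if c in WEAK_CIPHERS]
    if weak:
        reasons.append("weak suites a browser never offers: " + ", ".join(weak))
    missing = [c for c in expected if c not in offered_ciphers]
    if missing:
        reasons.append("browser suites absent from ClientHello: " + ", ".join(missing))
    if not reasons and list(offered_ciphers) != expected:
        reasons.append("suite list or ordering differs from the browser fingerprint")
    return ("intercepted" if reasons else "consistent"), reasons


# Constructed sample handshakes: one from an unmodified browser, one re-originated
# by a middlebox that negotiates its own weaker suite list with the server.
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0"
GENUINE_HELLO = list(EXPECTED_CIPHERS["Firefox"])
MIDDLEBOX_HELLO = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                   "TLS_RSA_WITH_RC4_128_SHA"]

if __name__ == "__main__":
    for label, hello in (("genuine", GENUINE_HELLO), ("middlebox", MIDDLEBOX_HELLO)):
        print(label, *assess_handshake(FIREFOX_UA, hello))
```

The same comparison can be run on the client side against badssl.com-style endpoints: a connection that should fail but succeeds shows the inspection product, not the browser, is the one deciding what is acceptable.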



Cisco Releases Security Updates

Thu, 16 Mar 2017 00:26:05 +0000

Original release date: March 15, 2017

Cisco has released several updates to address vulnerabilities affecting multiple products. A remote attacker could exploit these vulnerabilities to take control of an affected system.

Users and administrators are encouraged to review the following Cisco Security Advisories and apply the necessary updates:

