AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
11 November 2022

ESB-2022.5802 - [Appliance] Siemens SINUMERIK ONE and SINUMERIK MC: CVSS (Max): 9.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5802
                         Advisory (icsa-22-314-04)
                   Siemens SINUMERIK ONE and SINUMERIK MC
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SINUMERIK ONE
                   Siemens SINUMERIK MC
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Mitigation
CVE Names:         CVE-2022-38465

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-22-314-04

Comment: CVSS (Max):  9.3 CVE-2022-38465 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-314-04)
Siemens SINUMERIK ONE and SINUMERIK MC

Original release date: November 10, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .

1. EXECUTIVE SUMMARY

  o CVSS v3 9.3
  o ATTENTION: Low attack complexity
  o Vendor: Siemens
  o Equipment: SINUMERIK ONE and SINUMERIK MC
  o Vulnerability: Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers to discover
the private key of a given CPU product family via an offline attack against a
single CPU from the family. Attackers could then use this knowledge to extract
confidential configuration data from projects.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SINUMERIK CNC systems are affected:

  o SINUMERIK ONE: All versions
  o SINUMERIK MC: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

All versions of Siemens SINUMERIK ONE and SINUMERIK MC use an insecure method
to store authentication credentials, which are therefore susceptible to being
retrieved.

CVE-2022-38465 has been assigned to this vulnerability. A CVSS v3 base score of
9.3 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

  o Expose the communication between the S7-1500 CPU and the HMI of the
    affected products only to trusted network environments.
  o Protect access to the TIA Portal project and SINUMERIK NCU (including
    related memory cards) from unauthorized actors.

As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. In order to operate the devices in a
protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and
following the recommendations in the product manuals.

For more information, see Siemens security advisory SSA-568428 in HTML or CSAF.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploits specifically target this vulnerability. This
vulnerability is not exploitable remotely.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY23HiMkNZI30y1K9AQjy1Q//dLJvTtMjZnriBxPewXjWM1lHdBoIjTew
1YigHj+a2EIgVlHit/Ho6jhjN/cjDant+bye35KLreO6G7LKbJNzfIcgsm7bO0eR
kBMQSVNiwV6ExjboQEmAjhz3Bzcz+XnPV0P5xiC1l+uv10W1uwrMfQuddoxdC19X
jdz77Mdl0aU5ZZsc/oJbci/ZVig91WaAkHsUclAGnj++ZCC/n43TXGk/28ZMfxWM
JwhZZnqjLYl6N9sTrHsXaliqvW1vNfqGQDiI/vj8e9Esj0DcQMe4vVLCn/d9PpOG
yjUj1KPIDnsJYSNDqJ1Aaf2LsLazndTygolf+D5iGxbvszkR5Fp0SVeOFzp9aL0g
V6VRMqCb5C/tYjpnoejuNNVSbZWA9MgzxpD4fSHOn2hPwc9VccFZc7y1Ib0ZmLJ5
38L72BwGQPsQN3AFBkGBwS8lh60ZRsxy4ezbk6Oh0hm+kr65MDyZrSySqTkiXrfV
fxPuHIa2I9m+EzT++TZrKfCMkIwwe6lar1gQO58zxj5rdZhxWI0gtH6y5epryxpn
pHv8muq3t9KlzW9fXqrofmS6IEAlh+KA+po2o5a8ZDwByvOUMY5ewtJDTvQERYuy
5DtWqtSvytxyQeNPJszGN+ssPpgqnfsqiNZedHTEcBOps+kTrFA151T/y9noOCcF
WTiqzi+Ccx8=
=nSLd
-----END PGP SIGNATURE-----
11 November 2022

ESB-2022.5801 - [Appliance] Siemens SCALANCE W1750D: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5801
                         Advisory (icsa-22-314-10)
                           Siemens SCALANCE W1750D
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SCALANCE W1750D
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Mitigation
CVE Names:         CVE-2022-37896 CVE-2022-37895 CVE-2022-37894
                   CVE-2022-37893 CVE-2022-37892 CVE-2022-37891
                   CVE-2022-37890 CVE-2022-37889 CVE-2022-37888
                   CVE-2022-37887 CVE-2022-37886 CVE-2022-37885
                   CVE-2002-20001

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-22-314-10

Comment: CVSS (Max):  9.8 CVE-2022-37885 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
         The same 9.8 score and vector apply to CVE-2022-37886 through
         CVE-2022-37891 (see section 3.2 below).

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-314-10)
Siemens SCALANCE W1750D

Original release date: November 10, 2022

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Siemens
  o Equipment: SCALANCE W1750D
  o Vulnerabilities: Uncontrolled Resource Consumption, Buffer Copy without
    Checking Size of Input, Improper Neutralization of Input During Web Page
    Generation, Improper Neutralization of Special Elements used in a Command,
    Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
inject commands or exploit buffer overflow vulnerabilities, which could lead to
denial of service, unauthenticated remote code execution, or stored XSS.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports these vulnerabilities affect the following versions of SCALANCE
W1750D, which is a brand-labeled access point device from Aruba:

  o SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0): All versions
  o SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0): All versions
  o SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the
client side) to send arbitrary numbers (not actual public keys) and trigger
expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater
attack. The client requires few CPU resources and little network bandwidth.
The attack may be more disruptive in cases where a client can require a server
to select its largest supported key size. The basic attack scenario is that the
client must claim that it can only communicate with DHE, and the server must be
configured to allow DHE.

CVE-2002-20001 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
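The D(HE)ater mechanism described in 3.2.1, as an added illustration that is not code from the advisory, Siemens or Aruba. It models only the server side of an ephemeral finite-field DH key agreement: the attacking client sends the constant 2, which passes the standard range check 1 < y < p-1 and costs it nothing, while the server performs two full-size modular exponentiations per handshake. It also shows where a countermeasure has to sit: the per-peer handshake budget here (an illustrative control, not a configuration option of the product) is checked before any arithmetic. Assumptions: the 2048-bit modulus is a constructed random stand-in (exponentiation cost depends on bit length, not on which prime is used), the peer address is a constructed documentation address, and no TLS framing is modelled.

```python
"""D(HE)ater cost asymmetry and a handshake budget applied before the arithmetic.

Added illustration; not code from the advisory, Siemens or Aruba.
"""
import random
import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for a 2048-bit finite-field DH group. The cost of a
# modular exponentiation is set by the bit length of modulus and exponent, not
# by which prime is used, so a fixed random odd 2048-bit modulus is enough to
# show the asymmetry. A real server would use a published group such as
# ffdhe2048 from RFC 7919.
_rng = random.Random(20221110)
P = _rng.getrandbits(2048) | (1 << 2047) | 1
G = 2


def attacker_share() -> int:
    """Cheapest 'public key' that still passes the usual range check 1 < y < p-1.

    The attacking client never computes g^a mod p; it just sends the number 2.
    """
    return 2


class DheServer:
    """Minimal model of the server side of ephemeral finite-field DH."""

    def __init__(self, budget_per_peer: Optional[int] = None) -> None:
        self.budget = budget_per_peer      # DHE handshakes allowed per peer; None = unlimited
        self.used: Dict[str, int] = {}     # handshakes already spent per peer
        self.modexps = 0                   # expensive operations actually performed
        self.rejected = 0                  # handshakes refused before any arithmetic

    def _modexp(self, base: int, exp: int) -> int:
        self.modexps += 1
        return pow(base, exp, P)

    def handshake(self, peer: str, client_share: int) -> Optional[Tuple[int, int]]:
        """Return (server_share, shared_secret), or None when the peer is over budget."""
        # Illustrative mitigation: a per-peer budget checked before any modexp.
        # The range check below is still required for correctness, but it
        # accepts y = 2, so on its own it does nothing against this attack.
        if self.budget is not None:
            spent = self.used.get(peer, 0)
            if spent >= self.budget:
                self.rejected += 1
                return None
            self.used[peer] = spent + 1
        if not 1 < client_share < P - 1:
            raise ValueError("client share outside 1 < y < p-1")
        x = _rng.getrandbits(2048)                      # fresh ephemeral private exponent
        server_share = self._modexp(G, x)               # g^x mod p, expensive
        shared_secret = self._modexp(client_share, x)   # y^x mod p, expensive again
        return server_share, shared_secret


def simulate(handshakes: int, budget: Optional[int] = None,
             peer: str = "203.0.113.7") -> Dict[str, float]:
    """Run `handshakes` attacker handshakes from one constructed source address."""
    server = DheServer(budget_per_peer=budget)
    start = time.perf_counter()
    for _ in range(handshakes):
        server.handshake(peer, attacker_share())
    return {
        "handshakes": handshakes,
        "modexps": server.modexps,
        "rejected": server.rejected,
        "server_seconds": time.perf_counter() - start,
        "client_modexps": 0,   # the attacker sent a constant; no arithmetic at all
    }


if __name__ == "__main__":
    unlimited = simulate(20)
    budgeted = simulate(20, budget=5)
    print(f"no budget: {unlimited['modexps']} server modexps in "
          f"{unlimited['server_seconds'] * 1000:.0f} ms; client did 0")
    print(f"budget=5 : {budgeted['modexps']} server modexps; "
          f"{budgeted['rejected']} handshakes refused before any arithmetic")
```

The advisory lists no CVE-specific workaround for CVE-2002-20001, only the general network-access measures in section 4, so the practical check is whether an exposed service negotiates finite-field DHE at all: `openssl s_client -connect host:443 -tls1_2 -cipher 'DHE'` completing a handshake (rather than failing with no shared cipher) means the server will do this work for any client that claims to support only DHE. Preferring ECDHE and disabling the DHE suites removes the cost; a per-source budget or rate limit, as modelled above, only bounds it.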
3.2.2 CLASSIC BUFFER OVERFLOW CWE-120

A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).

CVE-2022-37885 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 CLASSIC BUFFER OVERFLOW CWE-120

A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).

CVE-2022-37886 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 CLASSIC BUFFER OVERFLOW CWE-120

A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).

CVE-2022-37887 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.5 CLASSIC BUFFER OVERFLOW CWE-120

A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).

CVE-2022-37888 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.6 CLASSIC BUFFER OVERFLOW CWE-120

A buffer overflow vulnerability in an underlying service could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI UDP port (8211).

CVE-2022-37889 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.7 CLASSIC BUFFER OVERFLOW CWE-120

An unauthenticated buffer overflow vulnerability exists within the web
management interface. Successful exploitation could result in the execution of
arbitrary commands on the underlying operating system.

CVE-2022-37890 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.8 CLASSIC BUFFER OVERFLOW CWE-120

An unauthenticated buffer overflow vulnerability exists within the web
management interface. Successful exploitation could result in the execution of
arbitrary commands on the underlying operating system.

CVE-2022-37891 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.9 CROSS-SITE SCRIPTING CWE-79

A vulnerability in the web management interface could allow an unauthenticated
remote attacker to conduct a stored cross-site scripting (XSS) attack against a
user of the interface. A successful exploit could allow an attacker to execute
arbitrary script code in a victim's browser in the context of the affected
interface.

CVE-2022-37892 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

3.2.10 CROSS-SITE SCRIPTING CWE-79

A vulnerability in the web management interface could allow a remote attacker
to conduct a reflected cross-site scripting (XSS) attack against a user of the
interface. A successful exploit could allow an attacker to execute arbitrary
script code in a victim's browser in the context of the affected interface.

CVE-2022-37896 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

3.2.11 COMMAND INJECTION CWE-77

An authenticated command injection vulnerability exists in the command line
interface. Successful exploitation of this vulnerability could result in the
ability to execute arbitrary commands as a privileged user on the underlying
operating system.

CVE-2022-37893 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.12 IMPROPER INPUT VALIDATION CWE-20

An unauthenticated denial of service (DoS) vulnerability exists in the handling
of certain SSID strings. Successful exploitation of this vulnerability could
result in the ability to interrupt the normal operation of the affected Access
Point.

CVE-2022-37894 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.13 IMPROPER INPUT VALIDATION CWE-20

An authenticated denial of service (DoS) vulnerability exists in the web
management interface. Successful exploitation of this vulnerability could
result in the ability to interrupt the normal operation of the affected Access
Point.

CVE-2022-37895 has been assigned to this vulnerability. A CVSS v3 base score of
4.9 has been calculated; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens identified the following specific workarounds and mitigations to reduce
risk:

  o CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, and
    CVE-2022-37889: Enable CPSec via the cluster-security command.
  o CVE-2022-37890, CVE-2022-37891, CVE-2022-37892, CVE-2022-37895, and
    CVE-2022-37896: Restrict the web-based management interface to a dedicated
    layer 2 segment/VLAN and/or control the interface by firewall policies at
    layer 3 and above.
  o CVE-2022-37893: Restrict the command line interface to a dedicated layer 2
    segment/VLAN and/or control the interface by firewall policies at layer 3
    and above.

No CVE-specific workaround is listed for CVE-2002-20001; only the general
measures below apply to it.

As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. In order to operate the devices in a
protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and
following the recommendations in the product manuals. Additional information on
Industrial Security by Siemens can be found at the Siemens website.

For more information, see the associated Siemens security advisory SSA-506569
in HTML and CSAF.

Siemens SCALANCE W1750D is a brand-labeled device from Aruba. For more
information regarding these vulnerabilities, see the Aruba security advisory
ARUBA-PSA-2022-014.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open attachments in unsolicited email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These
vulnerabilities are exploitable remotely. These vulnerabilities have a low
attack complexity.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- --------------------------END INCLUDED TEXT--------------------
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY23DLckNZI30y1K9AQg5dw/9FaPKY/zQ0bAErTwzyrTj21hQsZMyYVLd
BB9AdRtfn0dT1aFYNAxAy/6yHE1+HPyqCGtuNANZmUekCR6hmqV+xl/ZhUX3zmMG
gkWfCEP5VhSVGAqhMZ3ctts8PfGfbtSRSwrR4f3obL24yiN07sk1K2NTSfEd/7Sc
J3NNbz4yLbE+ixXNiv9lKBLcZ/QN+tweI3IncbYLeJUhxlh7YZVQlyaQINg0moH8
GX7GwnKAxSkfpsqes4Rs9Roz9c+6HyBTVYG3jPNV/8ZRsWvkPZD+C5ih6daRn/4I
+qN7MXXL/MBJ0CnBcOxStqQOA0ZRe5AJTJYHrb6RqOYlcseJl0lBdiQzCanaNM37
5d7/wgXd3p1GO54uVFjPK47lpLZmJB3WkXAH+La98PvPTx3iMwRUfvPIadbU1DEf
aTw3QWP9oxKJS7k5W47ochGpEimw5pAS0d0PKz03DZD6vIpMx1Twb4YjWHZvwhDw
CoOD+b+wLYReMgNQkspWHG56Ll/TYI7+crAevLN++bnrQslZkXC4ZkpSe6BYcFHj
eJ0ZLxn/McArhQ2sY1A+N6qrVfxEVrV0HbkCfvgc/6yL46JZxmKYHXY1rEYMDp7s
rcEbsasKUOXz+LG5KT2eFcQvxqywGs4kx+lzKVb3HpQNlRQW55Sq9ilOFsCviRAs
EfhnvUfQE0A=
=vUad
-----END PGP SIGNATURE-----
11 November 2022

ESB-2022.5800 - [Appliance] Siemens Teamcenter Visualization and JT2Go: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5800
                         Advisory (icsa-22-314-09)
                 Siemens Teamcenter Visualization and JT2Go
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens Teamcenter Visualization
                   Siemens JT2Go
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-41664 CVE-2022-41663 CVE-2022-41662
                   CVE-2022-41661 CVE-2022-41660 CVE-2022-39136

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-22-314-09

Comment: CVSS (Max):  7.8 CVE-2022-39136 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-314-09)
Siemens Teamcenter Visualization and JT2Go

Original release date: November 10, 2022

1. EXECUTIVE SUMMARY

  o CVSS v3 7.8
  o ATTENTION: Low attack complexity
  o Vendor: Siemens
  o Equipment: Teamcenter Visualization and JT2Go
  o Vulnerabilities: Heap-based Buffer Overflow, Out-of-bounds Write,
    Out-of-bounds Read, Use After Free, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
execute arbitrary code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected:

  o JT2Go: All versions prior to V14.1.0.4
  o Teamcenter Visualization V13.3: All versions (only affected by
    CVE-2022-39136)
  o Teamcenter Visualization V13.3: All versions prior to V13.3.0.7
  o Teamcenter Visualization V14.0: All versions prior to V14.0.0.3
  o Teamcenter Visualization V14.1: All versions prior to V14.1.0.4

3.2 VULNERABILITY OVERVIEW

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected application is vulnerable to a fixed-length heap-based buffer
overflow while parsing specially crafted TIF files. An attacker could leverage
this vulnerability to execute code in the context of the current process.

CVE-2022-39136 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

The affected products contain an out-of-bounds write vulnerability when parsing
a CGM file. An attacker could leverage this vulnerability to execute code in
the context of the current process.

CVE-2022-41660 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 OUT-OF-BOUNDS READ CWE-125

The affected products contain an out-of-bounds read vulnerability when parsing
a CGM file. An attacker could leverage this vulnerability to execute code in
the context of the current process.

CVE-2022-41661 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS READ CWE-125

The affected products contain an out-of-bounds read vulnerability when parsing
a CGM file. An attacker could leverage this vulnerability to execute code in
the context of the current process.

CVE-2022-41662 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 USE AFTER FREE CWE-416

The affected applications contain a use-after-free vulnerability that could be
triggered while parsing specially crafted CGM files. An attacker could leverage
this vulnerability to execute code in the context of the current process.

CVE-2022-41663 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 STACK-BASED BUFFER OVERFLOW CWE-121

The affected application contains a stack-based buffer overflow vulnerability
potentially triggered while parsing specially crafted PDF files. This could
allow an attacker to execute code in the context of the current process.

CVE-2022-41664 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nafiez and Michael Heinzl reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens released updates for the following products and recommends updating to
the latest versions:

  o JT2Go: Update to V14.1.0.4 or later version.
  o Teamcenter Visualization V14.1: Update to V14.1.0.4 or later version.
  o Teamcenter Visualization V14.0: Update to V14.0.0.3 or later version.
  o Teamcenter Visualization V13.3: Update to V13.3.0.7 or later version.
  o Teamcenter Visualization V13.3: Currently no fix is available for
    CVE-2022-39136.
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce risk:

  o Do not open untrusted CGM, TIF, or PDF files in JT2Go and Teamcenter
    Visualization.

As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' Operational Guidelines for Industrial Security and following
recommendations in the product manuals. Additional information on industrial
security by Siemens can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products and
solutions, users can contact the Siemens ProductCERT.

For more information see the associated Siemens security advisory SSA-120378 in
HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploits specifically target these vulnerabilities. These
vulnerabilities are not exploitable remotely.
For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. 
Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY23DJskNZI30y1K9AQgj1g//UyHB6OQ5qMqXgGgxJrZo2gZjouV1uC5N BJm937XmjJgdR+tkLLpnhPRRCmothzCY8kQzZnPsk8o5uNin0HYenOof51a8sIbP nTedsaMtMo48VKNCdRCn4fFMm03yWWk+QiZJ4r6Buu6XBWbQLMNiRLqi7lI+VZBN X+Dm+Zp7c1zysdK7gubkAf67ie398zux8xR7Cbr8O847uOii6yfrq6Uiltex+kht xtOS9D+tmnYNXyGvy5MdZ1zAc1uxwmfOYltj/YSl2P1tNy3iPxQAfF9Ubbfzbi/X Vvd6hii7ZcnaWP1P15quLvBk8BjiLkDT8lv89Uqzofo8XYcqnjdFT9WKJaxtzPeK BTfXnngFJRuQlZZ+G1sM0SIgf8NT6gtv9NHIOD06OPHZOdpx93Mho5sfDuJaAkr8 6g5Coe32UEikrLrEgIHyuz5MJLUA2ijh9hrGrHWX/JEHSfWlIFGqaZdKpYafM6yE pYHaPRIP1/eVAVd//t6eQW551iygxL/MB+qHwV3Uq6H2LVEUdEBbs0F0W0kvv/NM lbZ2v7Tq9/4t4euQKtOIJM+RfqgaJRlzIsiJiAuKlqRkUh8+RgyDzJjBSszdv41r RJC17no3KfnyZuUORrjC5A6Sgq6z5El2PojJIhtq4mDzLlBaoPKduTJaCt7zRaFU 8lbe4/0APL8= =aVGZ -----END PGP SIGNATURE-----
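Worked example, added here by the editor and not taken from the bulletin or from Siemens' JT2Go or Teamcenter Visualization code. The three file-parsing bugs above (CVE-2022-41662, CVE-2022-41663 and CVE-2022-41664, CWE-416 and CWE-121 reached through crafted CGM and PDF files) belong to the class where a length or count read from an untrusted file is trusted before the bytes it describes are copied. The walker below reads the element stream of a CGM binary-encoded file (the ISO 8632-3 command-header layout) and refuses any declared length that exceeds either the remaining input or the capacity of the destination buffer, which is the check a native parser must make before copying into a fixed-size stack array. The three input files are constructed for this example, and `MAX_PARAM_BYTES`, `triage` and the other names are the editor's. Nothing here reproduces the actual defects in the Siemens products, whose internals the advisory does not describe.

```python
"""Length-checked walker over the element stream of a CGM binary-encoded file."""
import struct
from dataclasses import dataclass
from typing import List


class CgmParseError(ValueError):
    """Raised instead of reading past the input or past the destination buffer."""


@dataclass
class CgmElement:
    elem_class: int   # bits 15-12 of the command header (0 = delimiter elements)
    elem_id: int      # bits 11-5 (within class 0: 1 = BEGIN METAFILE, 2 = END METAFILE)
    params: bytes     # parameter list, long-form partitions joined together


# Stand-in for a fixed-size destination in a native parser (an assumption of this example):
# copying a file-declared length larger than this into a stack array is the CWE-121 pattern.
MAX_PARAM_BYTES = 4096


def _take(data: bytes, off: int, count: int, what: str) -> bytes:
    """Return data[off:off+count] only if that many bytes actually remain in the input."""
    remaining = len(data) - off
    if count > remaining:
        raise CgmParseError(f"{what} at offset {off}: declared {count} bytes, {remaining} remain")
    return data[off:off + count]


def parse_cgm_binary(data: bytes, max_elements: int = 10_000) -> List[CgmElement]:
    """Walk the element stream, validating every file-supplied length before it is used.

    Command header (big-endian 16 bits): bits 15-12 element class, bits 11-5 element id,
    bits 4-0 parameter list length. Length 31 selects the long form: 16-bit partition
    words follow, bit 15 = another partition follows, bits 14-0 = bytes in this partition.
    Parameter data is padded so that every header starts on a 16-bit boundary.
    """
    elements: List[CgmElement] = []
    off = 0
    while off < len(data):
        if len(elements) >= max_elements:
            raise CgmParseError("element count cap exceeded")
        (hdr,) = struct.unpack(">H", _take(data, off, 2, "command header"))
        off += 2
        elem_class, elem_id, short_len = hdr >> 12, (hdr >> 5) & 0x7F, hdr & 0x1F
        params = bytearray()
        if short_len == 31:
            more = True
            while more:
                (pw,) = struct.unpack(">H", _take(data, off, 2, "partition header"))
                off += 2
                more, plen = bool(pw & 0x8000), pw & 0x7FFF
                if len(params) + plen > MAX_PARAM_BYTES:   # destination capacity check
                    raise CgmParseError(f"parameter list exceeds {MAX_PARAM_BYTES}-byte buffer")
                params += _take(data, off, plen, "partition data")   # input bounds check
                off += plen + (plen & 1)                             # skip pad byte if odd
        else:
            params += _take(data, off, short_len, "parameter list")
            off += short_len + (short_len & 1)
        elements.append(CgmElement(elem_class, elem_id, bytes(params)))
    return elements


def triage(data: bytes) -> str:
    """Summarise a file as 'ok:<element count>' or 'rejected:<reason>' for a scanning step."""
    try:
        return f"ok:{len(parse_cgm_binary(data))}"
    except CgmParseError as exc:
        return f"rejected:{exc}"


# Constructed inputs (not files from any real product or incident).
# BEGIN METAFILE (class 0, id 1, 5 parameter bytes: the length-prefixed string "demo",
# padded to 6) followed by END METAFILE (class 0, id 2, no parameters).
GOOD_FILE = bytes([0x00, 0x25, 0x04]) + b"demo" + b"\x00" + bytes([0x00, 0x40])
# Long-form header whose single partition claims 0x7FFF bytes; only four follow.
OVERSIZED_FILE = bytes([0x00, 0x3F, 0x7F, 0xFF]) + b"\xaa\xbb\xcc\xdd"
# Long-form header claiming 256 bytes (fits the buffer) but the file ends after four.
TRUNCATED_FILE = bytes([0x00, 0x3F, 0x01, 0x00]) + b"\xaa\xbb\xcc\xdd"

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FILE), ("oversized", OVERSIZED_FILE), ("truncated", TRUNCATED_FILE)]:
        print(f"{name:9s} {triage(blob)}")
```

The two checks are deliberately separate: `_take` guards against reading beyond the file, and the `MAX_PARAM_BYTES` test guards the destination. In a native parser only the second one prevents the stack-based overflow, because the file may well be large enough to supply every byte it declares. The same element-count and size caps are what a quarantine or mail-gateway scanner would apply before handing a CGM or PDF to the viewer, which is the practical form of the "do not open untrusted files" workaround above.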
11 November 2022

ESB-2022.5799 - [Appliance] Siemens QMS Automotive: CVSS (Max): 7.6

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5799 ICS Advisory (ICSA-22-314-06) Siemens QMS Automotive 11 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Siemens QMS Automotive Publisher: ICS-CERT Operating System: Network Appliance Resolution: Mitigation CVE Names: CVE-2022-43958 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-314-06 Comment: CVSS (Max): 7.6 CVE-2022-43958 (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-314-06) Siemens QMS Automotive Original release date: November 10, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 7.6 o ATTENTION: Exploitable remotely/low attack complexity o Vendor: Siemens o Equipment: QMS Automotive o Vulnerability: Cleartext Storage of Sensitive Information in Memory 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to read credentials and impersonate authorized users. 3. 
TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens QMS Automotive, a quality management system, are affected:
o QMS Automotive: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316
All versions of Siemens QMS Automotive store user credentials in plaintext inside the user database. This could allow an attacker to read credentials from memory. CVE-2022-43958 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.

4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:
o Enable encryption for user passwords.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals. For more information, see Siemens Security Advisory SSA-587547 in HTML or CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from business networks.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target this vulnerability. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. 
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY23DHckNZI30y1K9AQic1xAArf1Fjjjqrd29F+Ll78WEDL+3EQNVWvdk +SSMQdjy7jD9Uv47pR/VzOsQKoGN+XHrX3CZzqf5Ydv++YGJs0sINDjLdFYV5eqF QB9cvZrfrv9ZZ+Y9zl8qgY0O+XphtANqEP3YNUcCKwoh5ZSDvFiC0jh2+bly41Lw 7kNILiIbx9S4OR4cOjvVJ/fe5PD+SdkSYg3JMPpahAcETBHraXVwZ16nBTVTIcCX AXeH5bayr2cMAKnl35B6za5WHthcdpkTuk8mADrN9Ft3oruo0tz7IusF1U7+qT20 HVPl+H9y9l9pmAKgI7CppzwDiBmff44VQkTMdIqS4gbCksb2HyutONRbTj+tmcB4 4L82gDv2ApuwDp4lW80tvzQ0xMML/YdjUtVa3Iy9X0FJmO10ZgTIgZVotLi+cH6m IC5dYuHOuYj2i7UJiorSZNbvi+XL1UAjl8o3XrkJp/5fPK3ibNlx4dKrnZKe1D9e +oms3FtznGA/yOsnX4vKm9CYaG/EoLM/XPk+u3SygKfy2xWSuf6JxNDpZzSGrEHt /Q54UskydPG62h/PG/PsIVNJOqjaAgHPkgUlg0BWjfdMuIkendZR4eCZtuLy1eDm MRfMTRUIpIxMtn3XYVCTmhyUfyZDsLw8wthyjFHS/SgIIsuCGkugQjEvsGe29MjK 5WH8WgCo94Q= =XpAL -----END PGP SIGNATURE-----
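Worked example, added by the editor; it is not the bulletin's text and not Siemens' QMS Automotive code. It shows what "user credentials stored in plaintext inside the user database" (CWE-316, CVE-2022-43958) looks like beside a form of storage that a table dump or a memory read of the table cannot turn back into a password. The user table, the sample account and the password are constructed; the hardened variant is the editor's choice of a per-user random salt with scrypt from the Python standard library and a constant-time comparison. The advisory's wording is "enable encryption for user passwords"; for a password the application only ever needs to check, a salted one-way derivation is the stronger control, since nothing stored can be decrypted back, while reversible encryption is appropriate only for credentials the product must present onward to another system.

```python
"""Plaintext credential table beside a salted-hash table, on an in-memory SQLite user store."""
import hashlib
import hmac
import os
import sqlite3
from typing import Tuple

# Constructed sample account; not data from any QMS Automotive installation.
SAMPLE_USER, SAMPLE_PASSWORD = "qa_inspector", "Line7-Gauge!2022"


def open_user_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, secret BLOB)")
    return con


# --- Weak: the password itself is the stored secret (the pattern the advisory describes) ---

def store_plaintext(con: sqlite3.Connection, name: str, password: str) -> None:
    con.execute("INSERT INTO users VALUES (?, ?, ?)", (name, b"", password.encode()))


def verify_plaintext(con: sqlite3.Connection, name: str, password: str) -> bool:
    row = con.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], password.encode())


# --- Hardened: per-user random salt, memory-hard KDF, only the derived key is stored ---

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # about 16 MiB per derivation


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def store_hashed(con: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    con.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, derive_key(password, salt)))


def verify_hashed(con: sqlite3.Connection, name: str, password: str) -> bool:
    row = con.execute("SELECT salt, secret FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        derive_key(password, b"\x00" * 16)   # same cost for unknown names: no enumeration by timing
        return False
    return hmac.compare_digest(derive_key(password, row[0]), row[1])


def dump_secrets(con: sqlite3.Connection) -> bytes:
    """What an attacker who can read the table, or a memory image of it, walks away with."""
    return b"".join(row[0] for row in con.execute("SELECT secret FROM users"))


def password_recoverable_from_dump() -> Tuple[bool, bool]:
    """(recoverable from the plaintext table, recoverable from the hashed table)."""
    weak, hard = open_user_db(), open_user_db()
    store_plaintext(weak, SAMPLE_USER, SAMPLE_PASSWORD)
    store_hashed(hard, SAMPLE_USER, SAMPLE_PASSWORD)
    # Both stores still authenticate the legitimate user.
    if not (verify_plaintext(weak, SAMPLE_USER, SAMPLE_PASSWORD)
            and verify_hashed(hard, SAMPLE_USER, SAMPLE_PASSWORD)):
        raise RuntimeError("legitimate login failed")
    pw = SAMPLE_PASSWORD.encode()
    return pw in dump_secrets(weak), pw in dump_secrets(hard)


if __name__ == "__main__":
    weak_leaks, hashed_leaks = password_recoverable_from_dump()
    print(f"plaintext table leaks password: {weak_leaks}; hashed table leaks password: {hashed_leaks}")
```

The CWE title mentions memory rather than disk: even with hashed storage, the plaintext the user typed exists in process memory for the duration of `derive_key`, so the remaining exposure is the lifetime of that buffer, not the contents of the database. When applying the vendor setting, the existing rows still have to be rewritten, since a configuration switch does not retroactively protect credentials already stored in the clear.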
11 November 2022

ESB-2022.5798 - [Appliance] Siemens RUGGEDCOM ROS: CVSS (Max): 5.3

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5798 ICS Advisory (ICSA-22-314-05) Siemens RUGGEDCOM ROS 11 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Siemens RUGGEDCOM ROS Publisher: ICS-CERT Operating System: Network Appliance Resolution: Mitigation CVE Names: CVE-2022-39158 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-314-05 Comment: CVSS (Max): 5.3 CVE-2022-39158 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-314-05) Siemens RUGGEDCOM ROS Original release date: November 10, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 5.3 o ATTENTION: Exploitable remotely/low attack complexity o Vendor: Siemens o Equipment: RUGGEDCOM ROS o Vulnerability: Uncontrolled Resource Consumption 2. RISK EVALUATION Successful exploitation of this vulnerability could cause a denial-of-service condition where the affected web servers wait for the completion of each request, occupying all available HTTP connections. The web server recovers by itself once the attack ends. 3. 
TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports this vulnerability affects the following RUGGEDCOM ROS switches and serial-to-Ethernet devices: o RUGGEDCOM ROS i800 V4.X: All versions o RUGGEDCOM ROS i801 V4.X: All versions o RUGGEDCOM ROS i802 V4.X: All versions o RUGGEDCOM ROS i803 V4.X: All versions o RUGGEDCOM ROS RMC30 V4.X: All versions o RUGGEDCOM ROS RMC8388 V4.X: All versions o RUGGEDCOM ROS RP110 V4.X: All versions o RUGGEDCOM ROS RS1600 V4.X: All versions o RUGGEDCOM ROS RS1600F V4.X: All versions o RUGGEDCOM ROS RS1600T V4.X: All versions o RUGGEDCOM ROS RS400 V4.X: All versions o RUGGEDCOM ROS RS401 V4.X: All versions o RUGGEDCOM ROS RS416Pv2 V4.X: All versions o RUGGEDCOM ROS RS416v2 V4.X: All versions o RUGGEDCOM ROS RS8000 V4.X: All versions o RUGGEDCOM ROS RS8000A V4.X: All versions o RUGGEDCOM ROS RS8000H V4.X: All versions o RUGGEDCOM ROS RS8000T V4.X: All versions o RUGGEDCOM ROS RS900 (32M) V4.X: All versions o RUGGEDCOM ROS RS900 V4.X: All versions o RUGGEDCOM ROS RS900G (32M) V4.X: All versions o RUGGEDCOM ROS RS900G V4.X: All versions o RUGGEDCOM ROS RS900GP V4.X: All versions o RUGGEDCOM ROS RS900L V4.X: All versions o RUGGEDCOM ROS RS900M V4.X: All versions o RUGGEDCOM ROS RS900W V4.X: All versions o RUGGEDCOM ROS RS910 V4.X: All versions o RUGGEDCOM ROS RS910L V4.X: All versions o RUGGEDCOM ROS RS910W V4.X: All versions o RUGGEDCOM ROS RS920L V4.X: All versions o RUGGEDCOM ROS RS920W V4.X: All versions o RUGGEDCOM ROS RS930L V4.X: All versions o RUGGEDCOM ROS RS930W V4.X: All versions o RUGGEDCOM ROS RS940G V4.X: All versions o RUGGEDCOM ROS RSG2100 (32M) V4.X: All versions o RUGGEDCOM ROS RSG2100 V4.X: All versions o RUGGEDCOM ROS RSG2100P V4.X: All versions o RUGGEDCOM ROS RSG2200 V4.X: All versions o RUGGEDCOM ROS RSG2288 V4.X: All versions o RUGGEDCOM ROS RSG2300 V4.X: All versions o RUGGEDCOM ROS RSG2300P V4.X: All versions o RUGGEDCOM ROS RSG2488 V4.X: All versions o RUGGEDCOM ROS RSG920P V4.X: All versions 3.2 VULNERABILITY 
OVERVIEW
3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
Affected Siemens RUGGEDCOM ROS devices improperly handle partial HTTP requests, which makes them vulnerable to slowloris attacks. This could allow a remote attacker to create a denial-of-service condition that persists until the attack ends. CVE-2022-39158 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.

4. MITIGATIONS
Siemens identified the following specific workarounds and mitigations users can apply to reduce risk:
o Deactivate the web server if not required and if deactivation is supported by the product.
o Restrict access to ports 80/TCP and 443/TCP to trusted IP addresses only.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals. Siemens provides additional information on industrial security on the Siemens website. For further inquiries on security vulnerabilities in Siemens' products and solutions, users should contact Siemens ProductCERT. For more information see the associated Siemens security advisory SSA-787941 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from business networks. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has a low attack complexity. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. 
NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY23C+MkNZI30y1K9AQhyhQ//VlgQYuP5dv6Fve+c9Y7EAc6dfVgv1npB ahLPX1WTp0o9cYa0XcYsTGj8g0fpPguZUuazRPEs6p3PMY8dzbPCw25+sHPqL+GW SUE2Eu1Fx4y8ITecHsaToySYe1Bz/8k9VXhK4S90Gh7n13rkBA5I1H2JukNFaVsW 7yqW1q1RZ70Cfo76TF5Y06PSvnceqlCFkQyn9DKkz6XMGnLJ3Fr9I4JwuPHRE621 rtq6KC6NBdy5I+zPXcT/Ke2XhZ1C+TuxYpLj5Y0wmxfAHeqsAyP/2p85tWUUkWj7 8QJP9DQdanDLXrHz9iczF1ZO/7OZGHL7W8mGT22ixcIzu8SSCtN7ZWXpF7vBljt6 h81MM5GibQAGazNefD3vCdi1oLUJOGzQjFbGDXj/lGlM5g3QtCZggf1qafwWFRkv n2oAscix27wwwFK0K2GjQFKqPNEY9b806UKbbU6nXssH3okr7v2of70jrG6hebGG O2sDWx88OwCjtWaq1JyZm39QL9MaZ1cJFiqr2sanBdaH4/7tk7Cy9iBvh9L4xU6Y fLaPIeZhsxeKBSa8IX/ozrES79SNynhRZePmbOlKLroAIDetXH70MkxzpVYJwkv/ 989SrfDmSOzTn4sOjSDzzZsG7zwcsBOe37kYQMPV6BE0x4UfzYiUvzZ1rC0bqXNo PGIjTicVWhU= =P3w6 -----END PGP SIGNATURE-----
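Worked example, added by the editor and unrelated to RUGGEDCOM ROS firmware: a discrete-time model of the slowloris condition in CVE-2022-39158. Attacker connections send a partial request and then one header byte at a time, never sending the blank line that terminates the header block; a web server that waits for each request to complete keeps every connection slot occupied, exactly as the risk evaluation above describes. The model compares a server with no header limits, one with only a per-byte idle timeout, and one with a total deadline for finishing the header block. All parameters (50 connection slots, 50 attacker connections, one byte every 10 s, a 30 s deadline, a legitimate client every 30 s) and the request bytes are constructed for the example.

```python
"""Discrete-time model of a slowloris trickle against an HTTP header reader, with and without a deadline."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_HEADER_BYTES = 8192   # assumed cap on one request's header block


@dataclass(eq=False)          # compare by identity: many connections hold identical bytes
class Conn:
    opened_at: float
    last_byte_at: float
    buf: bytearray = field(default_factory=bytearray)

    def header_complete(self) -> bool:
        return b"\r\n\r\n" in self.buf


@dataclass
class Policy:
    """Limits on reading one request's header block. Both None reproduces the behaviour the
    advisory describes: wait for each request to complete, however long that takes."""
    header_deadline: Optional[float] = None   # seconds allowed from accept to end of headers
    idle_timeout: Optional[float] = None      # seconds allowed between consecutive bytes

    def should_drop(self, c: Conn, now: float) -> bool:
        if len(c.buf) > MAX_HEADER_BYTES:
            return True
        if self.header_deadline is not None and now - c.opened_at > self.header_deadline:
            return True
        return self.idle_timeout is not None and now - c.last_byte_at > self.idle_timeout


class WebServer:
    def __init__(self, policy: Policy, max_connections: int):
        self.policy, self.max_connections = policy, max_connections
        self.conns: List[Conn] = []
        self.served = self.refused = 0

    def accept(self, now: float) -> Optional[Conn]:
        self.conns = [c for c in self.conns if not self.policy.should_drop(c, now)]
        if len(self.conns) >= self.max_connections:
            self.refused += 1
            return None
        c = Conn(opened_at=now, last_byte_at=now)
        self.conns.append(c)
        return c

    def feed(self, c: Conn, now: float, chunk: bytes) -> None:
        if c not in self.conns:           # already dropped by the policy
            return
        c.buf += chunk
        c.last_byte_at = now
        if c.header_complete():           # request parsed, slot released
            self.served += 1
            self.conns.remove(c)


def slowloris_round(policy: Policy, attackers: int = 50, slots: int = 50,
                    trickle_every: float = 10.0, duration: float = 120.0) -> Dict[str, int]:
    """Attackers open `attackers` connections at t=0, send a partial request, then one header
    byte every `trickle_every` seconds and never the terminating blank line. A legitimate
    client attempts one complete request every 30 s; the result counts how it fared."""
    srv = WebServer(policy, slots)
    partial = b"GET / HTTP/1.1\r\nHost: switch\r\nX-a: "      # constructed, never terminated
    legit = b"GET /status HTTP/1.1\r\nHost: switch\r\n\r\n"    # constructed, complete request
    attack_conns: List[Conn] = []
    for _ in range(attackers):
        c = srv.accept(0.0)
        if c is not None:
            srv.feed(c, 0.0, partial)
            attack_conns.append(c)
    legit_served = 0
    t = 0.0
    while t < duration:
        t += trickle_every
        for c in attack_conns:
            srv.feed(c, t, b"a")
        if int(t) % 30 == 0:
            c = srv.accept(t)
            if c is not None:
                srv.feed(c, t, legit)
                legit_served += 1
    return {"legit_served": legit_served, "refused": srv.refused, "slots_held": len(srv.conns)}


if __name__ == "__main__":
    for label, pol in [("no limits (vulnerable)", Policy()),
                       ("idle timeout 15 s only", Policy(idle_timeout=15.0)),
                       ("header deadline 30 s", Policy(header_deadline=30.0))]:
        print(f"{label:24s} {slowloris_round(pol)}")
```

Two points carry over to the mitigations above. A per-byte idle timeout alone does not help, because the trickle arrives well within it and keeps every slot alive; only a bound on the total time (or minimum rate) for completing the header block frees the slots, and the service recovers by itself once the attacker stops, as the advisory notes. The operator cannot change the timeout behaviour of an embedded web server, so the practical controls are the two Siemens lists: disable the web server, or restrict TCP/80 and TCP/443 to trusted addresses so that only hosts under your control can hold a connection open.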
11 November 2022

ESB-2022.5797 - [Appliance] Omron NJ/NX-series Controllers and Software: CVSS (Max): 9.4

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5797 ICS Advisory (ICSA-22-314-08) Omron NJ/NX-series Machine Automation Controllers 11 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Omron NJ/NX-series Controllers and Software Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-34151 CVE-2022-33208 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-314-08 Comment: CVSS (Max): 9.4 CVE-2022-34151 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-314-08 ) Omron NJ/NX-series Machine Automation Controllers Original release date: November 10, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 9.4 o ATTENTION: Exploitable remotely/low attack complexity/public exploits are available o Vendor: Omron o Equipment: NJ/NX-series Controllers and Software o Vulnerabilities: Hard-coded Credentials, Authentication Bypass by Capture-replay 2. 
RISK EVALUATION
Successful exploitation of these vulnerabilities may allow an attacker to bypass authentication in the communications connection process to log in and operate the controller products without authorization.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of NJ/NX-series, a machine automation controller, are affected:
o NX7-series Machine Automation Controller (All Models): Versions 1.28 and prior
o NX1-series Machine Automation Controller (All Models): Versions 1.48 and prior
o NJ-series Machine Automation Controller (All Models): Versions 1.48 and prior
o Automation Software Sysmac Studio (All Models): Versions 1.49 and prior
o NA-series Programmable Terminal (NA5-15W, NA5-12W, NA5-9W, NA5-7W): Runtime versions 1.15 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798
A use of hard-coded credentials vulnerability exists in machine automation controller NJ series models v1.48 and earlier, machine automation controller NX7 series models v1.28 and earlier, machine automation controller NX1 series models v1.48 and earlier, automation software Sysmac Studio models v1.49 and earlier, and programmable terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models with runtime v1.15 and earlier. This may allow a remote attacker who has obtained the user credentials by analyzing the affected product to access the controller. CVE-2022-34151 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

3.2.2 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294
An attacker who can capture and analyze communication between the affected controllers and either automation software Sysmac Studio or a programmable terminal (PT) can obtain sensitive information that allows the attacker to bypass authentication and access the controller. CVE-2022-33208 has been assigned to this vulnerability.
A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER
Reid Wightman of Dragos reported these vulnerabilities to CISA.

4. MITIGATIONS
Omron recommends the following:
o NX7-series Machine Automation Controller: Update to version 1.29 or higher
o NX1-series Machine Automation Controller: Update to version 1.50 or higher
o NJ-series Machine Automation Controller (NJ501-1300, NJ501-1400, NJ501-1500): Update to version 1.49 or higher
o NJ-series Machine Automation Controller (All other models): Update to version 1.50 or higher
o Automation Software Sysmac Studio: Update to version 1.50 or higher
o NA-series Programmable Terminal: Update to runtime version 1.16 or higher

For information on how to obtain and update firmware for the countermeasure version of the product, contact an Omron sales office or distributor. Users can update Sysmac Studio to the latest version using the installed Omron Automation Software AutoUpdate tool.

Omron recommends customers take the following mitigation measures to minimize the risk of exploitation of these vulnerabilities:

Enable antivirus protection
o Protect any PC with access to the control system against malware by ensuring the installation and maintenance of up-to-date commercial grade antivirus software protection.

Implement security measures to prevent unauthorized access:
o Minimize connection of control systems and equipment to open networks, preventing untrusted devices from accessing them.
o Implement firewalls by shutting down unused communications ports, limiting communications between hosts, and isolating affected systems from the IT network.
o Use a virtual private network (VPN) for remote access to control systems and equipment.
o Use strong passwords and change passwords frequently.
o Install physical controls that only permit authorized personnel access to control systems and equipment.
o Scan USB drives or similar devices for viruses and malware to ensure the devices are safe before connecting them to systems and devices.
o When possible, enforce multifactor authentication (MFA) on all devices with remote access to control systems and equipment.

Protect data input and output:
o Perform process validation, such as backup validation or range checks, to cope with unintentional modification of input/output data to control systems and devices.

Use data recovery:
o Conduct periodic data backups and maintenance to prepare for potential data loss.

For more information see Omron's advisory: OMSR-2022-001

These vulnerabilities and their countermeasures correspond to those reported in the CISA ICS Alert: APT Cyber Tools Targeting ICS/SCADA Devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. 
Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY23C7ckNZI30y1K9AQjglQ/+OtizB/wBClre4rktludohFmbURUl+qeT IOfp1A1pYGIvGEnlHZ1bAOMcf0JAZtT57Ng9MqPKivtr2lkbipVQ/P7OQPd+CrFk aYEzUbOiLUb5bSAg8cMqu6aB1S3HT//ver/wTdIN0G6ms1HdWcAa49IdNp0aCTRp CBqA7fHAm2RzRiWZXOMKYnWaHbFgd6P0Hbz3Lch+zCVdbDbcb+aZJ5zSozZGeu6Z Wbiu5GfFTFelM1rPRJHwL2ZzQzlDUVPZykYKpATf0aAFn6vYDWTCcFGeZ/ZxJVzb s+uWWYAYpqwrpuU09oXlToPj8zCmVJ8mWqKQpi8IbvlBQBElSmNzoqXCeTaPDph4 popER3e3zi/vHlLtdIpzYtZ/ewAgLLA4NkkeuE4Xc55RhTGhgf5STC0zP4F2/df7 WXyN5PLrw/1VPV5VJWOuqH1wgCzS9dQrUtXm+WpDKjnD0Ej/7WqhAgMgQhdtvYwN PyH3FWSfdT0Ae0exetJPYWCKOc7Ajntm2Ter0z9guLh3aIwUV4IXvYsXpnT0j7kr 8wVdP9BE04rTXPRVY730AuG92QxArI5Fmj/W2mwWb5SwCZ8q8Xhssur+odKiCVIQ F3fVBfRSi4XFW8miy+EaSLqhM6IIF+MV5pVgOUC9YYNVV5bBJ8Kh99M4Y8rL8otX Ecn11NupbEE= =rUwu -----END PGP SIGNATURE-----
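Worked example, added by the editor; it does not model Omron's actual protocol, which the advisory does not describe, and none of it is Omron's code. It shows how the two weaknesses in ESB-2022.5797 relate. A login token that is a fixed function of the shared secret can be captured once on the wire and resent (CWE-294, CVE-2022-33208); a server-chosen, single-use nonce defeats that replay. But when the secret itself is hard-coded into every unit and can be extracted by analysing one product (CWE-798, CVE-2022-34151), an attacker holding it answers any challenge directly, so the nonce removes replay and nothing more. `HARDCODED_KEY`, the message formats, the class names and the recorded session are all constructed for this example.

```python
"""Static login token (replayable) beside a nonce challenge-response, with a passive attacker
that records one legitimate session and resends what it saw."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed stand-in for a credential baked into every unit of a product line.
HARDCODED_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass
class Wire:
    """Everything the two parties exchange; a passive attacker on the network sees all of it."""
    log: List[Tuple[str, bytes]] = field(default_factory=list)

    def send(self, sender: str, msg: bytes) -> bytes:
        self.log.append((sender, msg))
        return msg

    def first_from(self, sender: str) -> bytes:
        return next(m for who, m in self.log if who == sender)


# --- Weak: the login token is a fixed function of the shared secret ---

class StaticTokenController:
    def login(self, token: bytes) -> bool:
        return hmac.compare_digest(token, hashlib.sha256(HARDCODED_KEY).digest())


def static_client_login(ctrl: StaticTokenController, wire: Wire) -> bool:
    token = wire.send("client", hashlib.sha256(HARDCODED_KEY).digest())
    return ctrl.login(token)


# --- Hardened: server-chosen, single-use nonce; response keyed and bound to its purpose ---

class ChallengeController:
    def __init__(self) -> None:
        self._outstanding: Set[bytes] = set()   # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    @staticmethod
    def expected_response(key: bytes, nonce: bytes) -> bytes:
        return hmac.new(key, b"login-v1|" + nonce, hashlib.sha256).digest()

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:      # unknown, expired or already used
            return False
        self._outstanding.discard(nonce)        # single use, whether or not the answer is right
        return hmac.compare_digest(response, self.expected_response(HARDCODED_KEY, nonce))


def challenge_client_login(ctrl: ChallengeController, wire: Wire) -> bool:
    nonce = wire.send("controller", ctrl.challenge())
    response = wire.send("client", ChallengeController.expected_response(HARDCODED_KEY, nonce))
    return ctrl.login(nonce, response)


# --- Attacker holding a capture of one legitimate session but not the key (CWE-294) ---

def replay_static(ctrl: StaticTokenController, captured: Wire) -> bool:
    return ctrl.login(captured.first_from("client"))


def replay_challenge(ctrl: ChallengeController, captured: Wire) -> bool:
    old_nonce, old_response = captured.first_from("controller"), captured.first_from("client")
    if ctrl.login(old_nonce, old_response):     # resend exactly what was captured
        return True
    fresh = ctrl.challenge()                     # or answer a new challenge with the old response
    return ctrl.login(fresh, old_response)


# --- Attacker who extracted the hard-coded key from one unit (CWE-798) ---

def forge_with_extracted_key(ctrl: ChallengeController, extracted_key: bytes) -> bool:
    nonce = ctrl.challenge()
    return ctrl.login(nonce, ChallengeController.expected_response(extracted_key, nonce))


def run_demo() -> Tuple[bool, bool, bool]:
    """(replay beats static token, replay beats challenge-response, extracted key beats it)."""
    weak_ctrl, weak_wire = StaticTokenController(), Wire()
    hard_ctrl, hard_wire = ChallengeController(), Wire()
    if not (static_client_login(weak_ctrl, weak_wire) and challenge_client_login(hard_ctrl, hard_wire)):
        raise RuntimeError("legitimate login failed")
    return (replay_static(weak_ctrl, weak_wire),
            replay_challenge(hard_ctrl, hard_wire),
            forge_with_extracted_key(hard_ctrl, HARDCODED_KEY))


if __name__ == "__main__":
    print(run_demo())   # (True, False, True)
```

The third result is the reason the advisory's fix is a firmware update rather than a protocol tweak: once a credential is shared by every unit and recoverable from any one of them, freshness in the handshake protects only against an attacker who has nothing but a packet capture. Per-device credentials, or operator-set ones, are what take the extracted key out of play, and until the update is applied the network controls Omron lists above are what keeps an attacker from reaching the login exchange at all.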
11 November 2022

ESB-2022.5796 - [Appliance] Omron NJ/NX-series Machine Automation Controllers: CVSS (Max): 8.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5796
   ICS Advisory (ICSA-22-314-07) Omron NJ/NX-series Machine Automation Controllers
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Omron NJ/NX-series Machine Automation Controllers
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-33971

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-314-07

Comment: CVSS (Max):  8.3 CVE-2022-33971 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-314-07)
Omron NJ/NX-series Machine Automation Controllers
Original release date: November 10, 2022

1. EXECUTIVE SUMMARY

o CVSS v3 8.3
o ATTENTION: Exploitable remotely, public exploits are available
o Vendor: Omron
o Equipment: NJ/NX-series Machine Automation Controllers
o Vulnerability: Active Debug Code

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain unauthorized access to the device and cause the device to be in an "out of service" state or execute a malicious program on the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of the NJ/NX-series Machine Automation Controllers are affected:

o NX7-series Machine Automation Controller (All Models): Versions 1.28 and prior
o NX1-series Machine Automation Controller (All Models): Versions 1.48 and prior
o NJ-series Machine Automation Controller (All Models): Versions 1.48 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 ACTIVE DEBUG CODE CWE-489

An attacker who can analyze the communication of the affected product and perform capture-replay can find unintended entry points into the affected product and cause a denial-of-service condition or execute a malicious program. Because the attack depends on first capturing legitimate traffic to the controller, the network-isolation and host-restriction measures in section 4 remove its precondition; only the firmware update removes the debug entry points themselves.

CVE-2022-33971 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to CISA.

4. MITIGATIONS

Omron recommends updating NJ/NX-series machine automation controllers to the following versions to address this vulnerability. These updates are available to users by contacting Omron or their distributors:

o NX7-series Machine Automation Controller (All Models): Versions 1.29 or higher
o NX1-series Machine Automation Controller (All Models): Versions 1.50 or higher
o NJ-series Machine Automation Controller (NJ501-1300, NJ501-1400, NJ501-1500): Versions 1.49 or higher
o NJ-series Machine Automation Controller (All other Models): Versions 1.50 or higher

Omron recommends users take the following mitigation measures to minimize the risk of exploitation of this vulnerability:

Enable antivirus protection:
o Protect any PC with access to the control system against malware by ensuring the installation and maintenance of up-to-date commercial grade antivirus software protection.

Implement security measures to prevent unauthorized access:
o Minimize connection of control systems and equipment to open networks, preventing untrusted devices from accessing them.
o Implement firewalls by shutting down unused communications ports, limiting communications between hosts, and isolating affected systems from the IT network.
o Use a virtual private network (VPN) for remote access to control systems and equipment.
o Use strong passwords and change passwords frequently.
o Install physical controls that only permit authorized personnel access to control systems and equipment.
o Scan USB drives or similar devices for viruses and malware to ensure the devices are safe before connecting them to systems and devices.
o When possible, enforce multifactor authentication (MFA) on all devices with remote access to control systems and equipment.

Protect data input and output:
o Perform process validation, such as backup validation or range checks, to cope with unintentional modification of input/output data to control systems and devices.

Use data recovery:
o Conduct periodical data backups and maintenance to prepare for potential data loss.
For more information see Omron's advisory: OMSR-2022-002

This vulnerability and countermeasures correspond to those reported in the CISA ICS Alert: APT Cyber Tools Targeting ICS/SCADA Devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

This vulnerability has a high attack complexity.

For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- --------------------------END INCLUDED TEXT--------------------
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY23C5skNZI30y1K9AQgRHRAAgUfpwV6Q1VtohhSLc4iR876akrmscz35
clxeCbA6p7DGOImQnphYXu/XZLAMoTy4K4VuUUm6uAuyMHfRZHHWGtkkRHXstKhm
sKoptkyHS2Bhr82qOxnZg2Hmw32XGSYI/w6O4hrNvTJcek4+RNHMa0zWAOPh1vf7
Mwc/FrT0x5mdajRZUTnvbU+Ucz9NM078T5VLftEfaJ3IPZ/rQHY6ufdPl2lz/6rc
cMFzWqzEokuFxqZPPbsFAOLuCjnOrWVq2c09RZkszRuEKMQ6EIWKITaaCUJmPuUh
xH/vqGnzqwo5WwGow2xL+zQN9mvSY7aD6uVwBkiBNzn+JywCJ1I7R0gmmwZTwqJh
KXGduWgcrDXprwOvA29XLd4shq+savZTvc/iuQFK4gAcwip/m5U7giXZTuU54Zks
u+LISHdx41iVn0nAGzMQeocHgQ6GLW1OPPe/f4ET5hLXeVjZTxhDUlmaYvrRyl6m
1tuPe1882s1vDbPXsNc3c9JZ73McnGbcCP0v1xCvz1+pSub9AcmchlXsfeR4e0Yo
N8R1RAdnaNP73ItNfT0sCMkelnd0w3vBmN3jfL+GgGK4+MxtSPvbRaKDrzZF7lwe
hpWdiXItZU+BQd2HUh4XpgbOnFhJb0UEAyDnpIBxDlq/dj2UD6VBHel9W73oMX0Q
RRYWxyfVb8U=
=kmP6
-----END PGP SIGNATURE-----
11 November 2022

ESB-2022.5795 - [Appliance] Siemens SINEC NMS: CVSS (Max): 6.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5795
   ICS Advisory (ICSA-22-314-03) Siemens SINEC Network Management System Logback Component
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SINEC NMS
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-42550

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-314-03

Comment: CVSS (Max):  6.6 CVE-2021-42550 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-314-03)
Siemens SINEC Network Management System Logback Component
Original release date: November 10, 2022

1. EXECUTIVE SUMMARY

o CVSS v3 6.6
o ATTENTION: Exploitable remotely
o Vendor: Siemens
o Equipment: SINEC NMS
o Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers with write access to the logback configuration file to execute arbitrary code on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SINEC NMS, a network management system, are affected:

o All versions prior to v1.0.3

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

SINEC NMS bundles the logback logging library. In logback version 1.2.7 and prior, an attacker with the privileges required to edit configuration files could craft a malicious configuration that causes arbitrary code to be loaded from an LDAP server and executed when the configuration is parsed. The precondition is write access to the configuration file, which is why the vector carries PR:H despite the "exploitable remotely" rating.

CVE-2021-42550 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Energy
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens recommends updating to version 1.0.3 or later.

Siemens identified the following workaround and mitigation customers can apply to reduce risk:

o Restrict write access to the logback configuration file (logback.xml) to trusted personnel.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals.

For more information, see Siemens Security Advisory SSA-371761 in HTML or CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from business networks.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity.

For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- --------------------------END INCLUDED TEXT--------------------
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY23C38kNZI30y1K9AQgtug//SNYQr07Io/Qs9U/7wE530PwZiBrDQyh7
DD7SGMS4blmsS+XwpGn/lWp27X4aQa0iCswseHIT4tytZF7/N6PCIiMcOF3gtK7X
pbQGQOPfs83MWXi5LkjQktiQpzdrSlvEmqyeMFwARGaJIjJLLe3V298v8cwBsWj1
ycTfnm8K8tcbV0XTRQ+ZReoWB7MHR558EX9ywDaoPK6FyQkg1fQHcyt+utRJo525
GqmyBceA8Z/21JwFktIQZYiNrjFxcWQa6L40sMf1yHB34sXvyOWTFKXLB3vWiyWI
Bw7toYorZpizZ1I7BXdC70uhekynhbv7tU4H00EekH4pavmjI2VUnwvssZU/pMpV
8SUi519wR5RJHJqIkBTQU04RPPBMpybBgGLW/UGKgcgsIAUDw0eHIvfUZpvGxnix
8FvJkqkh0fbVdpiQXvluAfUfTwN+7fTlKoJQ5kTJHMHUTmkKp6qMGFJznY7s6efi
O47moxQ8tCJ3RwRiftfSrFq4E8QbU+laSCkYxRX3PFnbx9pUMW+NQWjyFkRTkUGP
S4hwyUTFFgo23KEFwA20r6W/sx8HuYW8HCZZvprHlpuvNxiyKwLOawkbM/IGr6ir
Uw4yhg5Ks2DnJAmfz3ZUY9ygCOOhrf4doNHCjU6F992OH5PQZatZULa6ReArPgQK
LaRWd9tHEgg=
=T1OC
-----END PGP SIGNATURE-----
11 November 2022

ESB-2022.5794 - [Appliance] SIMATIC Industrial Controllers and Software: CVSS (Max): 6.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5794
   ICS Advisory (ICSA-22-314-02) Siemens Web Server Login Page of Industrial Controllers
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SIMATIC Industrial Controllers and Software
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-30694

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-314-02

Comment: CVSS (Max):  6.5 CVE-2022-30694 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
         CVSS Source: ICS-CERT
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-314-02)
Siemens Web Server Login Page of Industrial Controllers
Original release date: November 10, 2022

1. EXECUTIVE SUMMARY

o CVSS v3 6.5
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: SIMATIC Industrial Controllers and Software
o Vulnerability: Cross-Site Request Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to track the activity of other users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The web server login pages of the following Siemens devices are affected:

o SIMATIC Drive Controller family: All versions
o SIMATIC ET 200pro IM154-8 PN/DP CPU (6ES7154-8AB01-0AB0): All versions prior to V3.2.19
o SIMATIC ET 200pro IM154-8F PN/DP CPU (6ES7154-8FB01-0AB0): All versions prior to V3.2.19
o SIMATIC ET 200pro IM154-8FX PN/DP CPU (6ES7154-8FX00-0AB0): All versions prior to V3.2.19
o SIMATIC ET 200S IM151-8 PN/DP CPU (6ES7151-8AB01-0AB0): All versions prior to V3.2.19
o SIMATIC ET 200S IM151-8F PN/DP CPU (6ES7151-8FB01-0AB0): All versions prior to V3.2.19
o SIMATIC PC Station: All versions V2.1 and later
o SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0): All versions prior to V3.3.19
o SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0): All versions prior to V3.2.19
o SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0): All versions prior to V3.2.19
o SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0): All versions prior to V3.2.19
o SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0): All versions prior to V3.2.19
o SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0): All versions prior to V3.2.19
o SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0): All versions prior to V3.2.19
o SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0): All versions prior to V3.2.19
o SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0): All versions prior to V3.2.19
o SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0): All versions prior to V3.2.19
o SIMATIC S7-400 PN/DP V6 CPU family (incl. SIPLUS variants): All versions
o SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants): All versions
o SIMATIC S7-1200 CPU family (incl. SIPLUS variants): All versions
o SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): All versions
o SIMATIC S7-1500 Software Controller: All versions
o SIMATIC S7-PLCSIM Advanced: All versions
o SIMATIC WinCC Runtime Advanced: All versions
o SINUMERIK ONE: All versions
o SIPLUS ET 200S IM151-8 PN/DP CPU (6AG1151-8AB01-7AB0): All versions prior to V3.2.19
o SIPLUS ET 200S IM151-8F PN/DP CPU (6AG1151-8FB01-2AB0): All versions prior to V3.2.19
o SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0): All versions prior to V3.3.19
o SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0): All versions prior to V3.2.19
o SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0): All versions prior to V3.2.19
o SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0): All versions prior to V3.2.19
o SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0): All versions prior to V3.2.19

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The login endpoint /FormLogin in affected web services does not apply proper origin checking. This could allow authenticated remote attackers to track the activities of other users via a login cross-site request forgery attack. In a login CSRF the attacker's page submits the attacker's own credentials to /FormLogin from the victim's browser, so the victim is silently logged in to the attacker's account and the victim's subsequent activity on the device is visible to the attacker.

CVE-2022-30694 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

K Narahari from Sectrio reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has released updates for the following products and recommends updating to the latest versions:

o SIMATIC ET 200pro IM154-8 PN/DP CPU (6ES7154-8AB01-0AB0): Update to V3.2.19 or later
o SIMATIC ET 200pro IM154-8F PN/DP CPU (6ES7154-8FB01-0AB0): Update to V3.2.19 or later
o SIMATIC ET 200pro IM154-8FX PN/DP CPU (6ES7154-8FX00-0AB0): Update to V3.2.19 or later
o SIMATIC ET 200S IM151-8 PN/DP CPU (6ES7151-8AB01-0AB0): Update to V3.2.19 or later
o SIMATIC ET 200S IM151-8F PN/DP CPU (6ES7151-8FB01-0AB0): Update to V3.2.19 or later
o SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0): Update to V3.3.19 or later
o SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0): Update to V3.2.19 or later
o SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0): Update to V3.2.19 or later
o SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0): Update to V3.2.19 or later
o SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0): Update to V3.2.19 or later
o SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0): Update to V3.2.19 or later
o SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0): Update to V3.2.19 or later
o SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0): Update to V3.2.19 or later
o SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0): Update to V3.2.19 or later
o SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0): Update to V3.2.19 or later
o SIPLUS ET 200S IM151-8 PN/DP CPU (6AG1151-8AB01-7AB0): Update to V3.2.19 or later
o SIPLUS ET 200S IM151-8F PN/DP CPU (6AG1151-8FB01-2AB0): Update to V3.2.19 or later
o SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0): Update to V3.3.19 or later
o SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0): Update to V3.2.19 or later
o SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0): Update to V3.2.19 or later
o SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0): Update to V3.2.19 or later
o SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0): Update to V3.2.19 or later

No update is listed for the product families marked "All versions" in section 3.1 (for example the Drive Controller, S7-400, S7-1200, S7-1500, PLCSIM Advanced, WinCC Runtime Advanced and SINUMERIK ONE entries); for those, only the workarounds below apply.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

o Do not access the product's web service via URLs coming from untrusted sources.
o Disable the web server if possible.
o SIMATIC PC Station (specifically): Disable the web server. Note that this feature is disabled by default.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms.
To operate devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' Operational Guidelines for Industrial Security and following recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT.

For more information see Siemens Security Advisory SSA-478960 in HTML or CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from business networks.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

- --------------------------END INCLUDED TEXT--------------------
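The advisory above describes the defect in /FormLogin as missing origin checking. The following Python is an added example, not Siemens' or CISA's code, of what that check looks like on the server side and why the Siemens workaround ("do not follow untrusted URLs") exists on the client side. The hypothetical `login_request_allowed` function models the request as plain dicts; the controller origin, the form field names and the attacker hostname are constructed. It rejects a cross-site POST by comparing the browser-supplied Origin header (falling back to Referer) with the controller's own origin, and additionally requires a per-session anti-CSRF token issued with the login page, because login CSRF targets a browser that has no session yet, so SameSite cookie flags alone do not stop it.

```python
"""Login-CSRF defence for a /FormLogin-style endpoint (added example)."""
from urllib.parse import urlsplit
import hmac
import secrets

# Constructed: the controller's own origin, as the server knows it.
CONTROLLER_ORIGIN = "https://plc.example.internal"

# Illustrative cross-site page: it auto-submits the attacker's own credentials
# to the login endpoint from the victim's browser. Field names are hypothetical.
ATTACK_PAGE_HTML = """<form id="f" action="https://plc.example.internal/FormLogin" method="POST">
  <input type="hidden" name="Login" value="attacker">
  <input type="hidden" name="Password" value="attacker-password">
</form>
<script>document.getElementById("f").submit()</script>
"""


def same_origin(url, expected_origin):
    """True if url's scheme://host[:port] equals expected_origin (case-insensitive)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower() == expected_origin.lower()


def login_request_allowed(headers, form, session, expected_origin):
    """Decide whether a POST to the login endpoint may be processed.

    headers: request headers (any case); form: POSTed fields;
    session: pre-login session state holding the issued csrf token.
    Returns (allowed, reason).
    """
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Origin check. Browsers always send Origin on cross-site form POSTs;
    #    "null" or a foreign origin is rejected. Without Origin, fall back to
    #    Referer and reject if that is missing or foreign too.
    origin = h.get("origin")
    if origin is not None:
        if not same_origin(origin, expected_origin):
            return False, f"origin mismatch: {origin}"
    else:
        referer = h.get("referer")
        if referer is None or not same_origin(referer, expected_origin):
            return False, "no Origin and Referer missing or foreign"
    # 2. Anti-CSRF token bound to the pre-login session, compared in constant time.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "csrf token missing or wrong"
    return True, "ok"


def demo():
    """Run the attacker's cross-site POST and a legitimate POST through the check."""
    session = {"csrf_token": secrets.token_urlsafe(32)}  # issued with the login page
    attacker_headers = {"Origin": "https://evil.example",
                        "Referer": "https://evil.example/lure.html"}
    attacker_form = {"Login": "attacker", "Password": "attacker-password"}
    legit_headers = {"Origin": CONTROLLER_ORIGIN}
    legit_form = {"Login": "operator", "Password": "operator-password",
                  "csrf_token": session["csrf_token"]}
    return (login_request_allowed(attacker_headers, attacker_form, session, CONTROLLER_ORIGIN),
            login_request_allowed(legit_headers, legit_form, session, CONTROLLER_ORIGIN))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The origin check alone blocks the cross-site form because browsers attach `Origin: https://evil.example` to it and the attacker cannot change that header; the token is the second layer for clients that strip Referer and send no Origin. Until the listed firmware updates are applied (and for the "All versions" families that have none), the practical client-side equivalent is the Siemens workaround: open the controller's web interface only from a bookmark or typed address, never from a link, and disable the web server where it is not needed.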
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY23C1ckNZI30y1K9AQjLAw/+KCSltHb1Qx8PcuNBY2BylgmUPEMKt4kU
8dJvw5PmjrrdMepWQa/cD0A6c9eEuh2NFECzmOrwN9fRYBXyEH/5dpBWdjt/QvH+
FN/EN3qG0sMsc2CpMBiTyPN3w0d1H7mW8vs68xh43nErzPX9ds8CpVYbOztOAoGV
iCGUHjyHynfpM+tbL3QhFAweSXrVlRKqPszcPlFgTJhV6Jx5hnhT/FKMafLGCwcy
ppO4iN72anEAV6secxnH33h7b7CrTmQKVUn0J4VUBJiR7EDwIapEQyLnfoaSm+sa
HKfau5Gn83rVZyzF1H3cHYtIHXOjK9uYkD/qvdmzb9GCZTnmZ2GaxfHpeRxgYP2T
YfuD1xb/fp4stURhEZd1FiQEUO5S3SAkQIArbDzKUbpeTSjEhCBGfQJTuEfGj/y0
cHR0ezcNNqeEA36wpzbQr0GglYeySMl63lHr3t8Gs1N95iLOibvLRuhidHyELr/B
56jZMYDw3MFreKI+S46zJNhbW5qwujNdO/Gc7FW4AlA4S8mW6XbB0vklfPgCXusQ
3CndOXcJfpz8bjtB9jteuQCZHg58+1CuM06iDKVr7MR3RpQS3qDWgPVm16RLcq1L
Ev2TCDYBSghSJu0M/o5Gpy6Im/swKeVsEVCnyBf4AHQq7A4ktGOdz3mhbIN5yor/
9ppmZtw0E5k=
=IJ2T
-----END PGP SIGNATURE-----
11 November 2022

ESB-2022.5477.5 - UPDATE [Appliance] F5 Products: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.5477.5
         K44030142: OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Resolution:        None
CVE Names:         CVE-2022-3786 CVE-2022-3602

Original Bulletin:
   https://support.f5.com/csp/article/K44030142

Comment: CVSS (Max):  7.5 CVE-2022-3786 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Revision History:  November 11 2022: Updated Subject to include CVSS Score
                   November 10 2022: F5 updated severity of the vulnerability
                   November  3 2022: Vendor updated bulletin
                   November  2 2022: F5 updated advisory with CVE details and product vulnerability details
                   November  1 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K44030142: OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602

Original Publication Date: 29 Oct, 2022
Latest Publication Date: 10 Nov, 2022

Security Advisory Description

o CVE-2022-3786

  A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).
o CVE-2022-3602 A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Note: For more details about CVE-2022-3786 and CVE-2022-3602, refer to OpenSSL Security Advisory [01 November 2022]. Impact For products with None in the Versions known to be vulnerable column, there is no impact. For products with ** in the various columns, F5 will update this article after confirming the required information. F5 Support has no additional information about this issue. Security Advisory Status To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following tables. You can also use iHealth to diagnose a vulnerability for BIG-IP and BIG-IQ systems. For more information about using iHealth, refer to K27404821: Using F5 iHealth to diagnose vulnerabilities. For more information about security advisory versioning, refer to K51812227: Understanding security advisory versioning. In this section o BIG-IP and BIG-IQ o F5OS o NGINX o Other products BIG-IP and BIG-IQ BIG-IP is Not vulnerable because OpenSSL 3.x is not included in BIG-IP releases. To see the OpenSSL versions that run on BIG-IP systems, refer to K11398383: BIG-IP third-party software matrix. 
If the preceding article does not apply to your version, follow the links in the article to the third-party software article for your BIG-IP release. Note: After a fix is introduced for a given minor branch, that fix applies to all subsequent maintenance and point releases for that branch, and no additional fixes for that branch will be listed in the table. For example, when a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to K51812227: Understanding security advisory versioning. +------------+------+--------------+----------+----------+------+-------------+ | | |Versions known|Fixes | |CVSSv3|Vulnerable | |Product |Branch|to be |introduced|Severity |score^|component or | | | |vulnerable^1 |in | |2 |feature | +------------+------+--------------+----------+----------+------+-------------+ |BIG-IP (all |All |None |Not |Not |None |None | |modules) | | |applicable|vulnerable| | | +------------+------+--------------+----------+----------+------+-------------+ |BIG-IP SPK |1.x |** |** |** |** |** | +------------+------+--------------+----------+----------+------+-------------+ |BIG-IQ | | |Not |Not | | | |Centralized |All |None |applicable|vulnerable|None |None | |Management | | | | | | | +------------+------+--------------+----------+----------+------+-------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. **Confirmation of vulnerability or non-vulnerability is not presently available. F5 will update this article with the most current information as soon as it has been confirmed. 
F5 Support has no additional information on this issue. F5OS +-------+------+----------------+----------+----------+-------+---------------+ | | |Versions known |Fixes | |CVSSv3 |Vulnerable | |Product|Branch|to be vulnerable|introduced|Severity |score^2|component or | | | |^1 |in | | |feature | +-------+------+----------------+----------+----------+-------+---------------+ |F5OS-A |All |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-------+------+----------------+----------+----------+-------+---------------+ |F5OS-C |All |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-------+------+----------------+----------+----------+-------+---------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. NGINX +---------+------+---------------+----------+----------+------+---------------+ | | |Versions known |Fixes | |CVSSv3|Vulnerable | |Product |Branch|to be |introduced|Severity |score^|component or | | | |vulnerable^1 |in | |2 |feature | +---------+------+---------------+----------+----------+------+---------------+ |NGINX | | |Not |Not | | | |(all |All |None |applicable|vulnerable|None |None | |products)| | | | | | | +---------+------+---------------+----------+----------+------+---------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. 
Other products +-------+------+----------------+----------+----------+-------+---------------+ | | |Versions known |Fixes | |CVSSv3 |Vulnerable | |Product|Branch|to be vulnerable|introduced|Severity |score^2|component or | | | |^1 |in | | |feature | +-------+------+----------------+----------+----------+-------+---------------+ |Traffix|All |None |Not |Not |None |None | |SDC | | |applicable|vulnerable| | | +-------+------+----------------+----------+----------+-------+---------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Supplemental Information o K41942608: Overview of security advisory articles o K12201527: Overview of Quarterly Security Notifications o K51812227: Understanding security advisory versioning o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K8986: F5 product support policies o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. 
As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY23ruMkNZI30y1K9AQjmCg//Zi7+XR3Gha6sb4CdhSpK0pGSc24XfOxe R5SEMf6asmIXINgW0c05FGbcLxejN0T0TTbIEURYhZY/i/hds2mLKsXAU/6Rp255 LelwGyyPo95P4QWynkSv9EGTjp9vYF0kBS1g0+k/2+hNFlK3Fi/cBnrKETmLCwPD aP12xWkOo3Qrvc6H2pqk9SKt9iSoWBxi0MktUQhx9eUeNR/xyF1FFvtVGt6zEuZe Do1OkNarcOddilmJbO2Q/EEgjUs2ucbUoaolHj0Lu5RK74hxKFuqh+fE/F6kiavt jJSoVq5Wdcye6dq6PGXdty8rJp6R5c0uh4YbhN1FY/632A8bjDJ/ZBiwkW5U9Fyo GM904wowT/qfjTdP6Yz6cCM5wsTh434fU1yI0BdE2u1L6x3p72/3TkmpTg0jW2V6 YSq22ePtMn9kXP1WgSrgv5gU3geJkBFvwPJkF/PghAgC3TUokiJdD4NnJ7c55uwB extAAaG/UX9uhHGuxPidIc4MBLuyN0CwUV10TDlN2MyRYU5y8vL0sxzzqDwtc36Z 9IiSgdRN7bBwAAJeIb2zMEe4cK/+ygew7pKfEcW//JDprO+K1fo9jMZVN9X+csZp 7UYr9ZgycIh1j4De/aV0Gt6WaDcI7rT88cS6hS1KvjKjZubvdAFljEpgPkjvT+8i KcXKLMphqjk= =Pd50 -----END PGP SIGNATURE-----
11 November 2022

ESB-2022.5474.5 - UPDATE [Win][UNIX/Linux][Appliance] Palo Alto Products: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5474.5
  PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and CVE-2022-3602
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Palo Alto Products
Publisher:         Palo Alto Networks
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Network Appliance
Resolution:        None
CVE Names:         CVE-2022-3786 CVE-2022-3602
Original Bulletin: https://securityadvisories.paloaltonetworks.com/PAN-SA-2022-0006

Comment: CVSS (Max):  7.5 CVE-2022-3786 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Revision History:  November 11 2022: Updated Subject to include CVSS Score
                   November 10 2022: Vendor updated bulletin: Final Release
                   November  3 2022: Vendor updated bulletin
                   November  2 2022: Palo Alto updated advisory with CVE details
                   November  1 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Subject: Updated Palo Alto bulletin: PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and CVE-2022-3602
From: palo_alto-bulletins@auscert.org.au

Palo Alto Networks Security Advisories / PAN-SA-2022-0006

PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and CVE-2022-3602

Severity:   [INFO] Informational
Published:  2022-10-31
Updated:    2022-11-09
Reference:  PAN-SA-2022-0006
Discovered: externally

Description

The OpenSSL Project has published two high severity vulnerabilities CVE-2022-3786 and CVE-2022-3602 that affect OpenSSL versions 3.0.0 through 3.0.6 on November 1st, 2022.

The Palo Alto Networks Product Security Assurance team has evaluated and confirmed that all products and services are not impacted by these vulnerabilities.

Product Status

Product                              Versions Affected   Versions Unaffected
AutoFocus                            None                all
Bridgecrew                           None                all
Cloud NGFW                           None                all
Cortex Data Lake                     None                all
Cortex XDR                           None                all
Cortex XDR Agent                     None                all
Cortex Xpanse                        None                all
Cortex XSOAR                         None                all
Enterprise Data Loss Prevention      None                all
Exact Data Matching CLI              None                all
Expanse                              None                all
Expedition Migration Tool            None                all
GlobalProtect App                    None                all
IoT Security                         None                all
Okyo Garde                           None                all
Palo Alto Networks App for Splunk    None                all
PAN-OS                               None                all
Prisma Access                        None                all
Prisma Cloud                         None                all
Prisma Cloud Compute                 None                all
Prisma SD-WAN (CloudGenix)           None                all
Prisma SD-WAN ION                    None                all
SaaS Security                        None                all
User-ID Agent                        None                all
WildFire Appliance (WF-500)          None                all
WildFire Cloud                       None                all

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Solution

No software updates are required at this time.

NOTE: Cortex XDR Broker VM versions earlier than Cortex XDR Broker VM 17.4.1 contain an affected version of the OpenSSL 3.0 library but are not impacted. There are no scenarios in Cortex XDR Broker VM software that enable successful exploitation of these vulnerabilities. The OpenSSL 3.0 library has been removed from Cortex XDR Broker VM 17.4.1 and later versions for security assurance.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block known attacks for CVE-2022-3602 by enabling Threat ID 93212 (Applications and Threats content update 8638). This mitigation reduces the risk of exploitation from known exploits.

Frequently Asked Questions

Q. How can I find vulnerable versions of OpenSSL in my environment?

With Prisma Cloud, security teams can prepare to detect and patch vulnerable systems as soon as the fix is available. Prisma Cloud customers can apply controls to address this vulnerability across multiple stages in the application lifecycle, from the code to the cloud. See https://www.paloaltonetworks.com/blog/prisma-cloud/prepare-openssl-vulnerability/ for more information.

Timeline

2022-11-09  Investigation is complete
2022-11-03  Cortex XDR Broker VM 17.4.1 is released and removes OpenSSL 3.0 for security assurance
2022-11-02  A threat prevention signature is now available for CVE-2022-3602
2022-11-01  Updated advisory to reference the CVEs
2022-10-31  Initial publication

(C) 2022 Palo Alto Networks, Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------
11 November 2022

ESB-2022.3979.3 - UPDATE [Cisco] Cisco Adaptive Security Appliance Software: CVSS (Max): 4.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3979.3
  Cisco Adaptive Security Appliance Software Clientless SSL VPN Client-Side Request Smuggling Vulnerability
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Adaptive Security Appliance Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Mitigation
CVE Names:         CVE-2022-20713
Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-webvpn-LOeKsNmO

Comment: CVSS (Max):  4.3 CVE-2022-20713 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Revision History:  November 11 2022: Updated Subject to include CVSS Score
                   November 10 2022: Vendor updated bulletin
                   August   11 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Web Client Services Client-Side Request Smuggling Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-asa-webvpn-LOeKsNmO
First Published: 2022 August 10 16:00 GMT
Last Updated:    2022 November 9 16:03 GMT
Version 2.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCwa04262
CVE Names:       CVE-2022-20713
CWEs:            CWE-444

Summary

  o A vulnerability in the VPN web client services component of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device.

    This vulnerability is due to improper validation of input that is passed to the VPN web client services component before being returned to the browser that is in use. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious requests to a device that is running Cisco ASA Software or Cisco FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting attacks. The attacker could not directly impact the affected device.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-webvpn-LOeKsNmO

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of the following Cisco software:

      - ASA Software with Cisco AnyConnect VPN or Clientless SSL VPN enabled
      - FTD Software with Cisco AnyConnect VPN enabled

    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

    Determine the ASA Software Configuration

    To determine whether the software has a vulnerable feature enabled, use the show running-config CLI command. In the following table, the left column lists the Cisco ASA Software features that are vulnerable. The right column indicates the basic configuration for each feature from the show running-config CLI command. If a device is running a vulnerable release and has one of these features enabled, it is vulnerable.

    Cisco ASA Feature                                                                  Vulnerable Configuration
    ---------------------------------------------------------------------------------  ----------------------------------------
    AnyConnect Internet Key Exchange Version 2 Remote Access (with client services)   crypto ikev2 enable client-services port
    AnyConnect SSL VPN                                                                 webvpn
                                                                                        enable
    Clientless SSL VPN                                                                 webvpn
                                                                                        enable

    Determine the FTD Software Configuration

    To determine whether the software has a vulnerable feature enabled, use the show running-config CLI command. In the following table, the left column lists the Cisco FTD Software features that are vulnerable. The right column indicates the basic configuration for each feature from the show running-config CLI command. If a device is running a vulnerable release and has one of these features enabled, it is vulnerable.

    Cisco FTD Feature                                                                       Vulnerable Configuration
    --------------------------------------------------------------------------------------  ----------------------------------------
    AnyConnect Internet Key Exchange Version 2 Remote Access (with client services) ^1,2    crypto ikev2 enable client-services port
    AnyConnect SSL VPN ^1,2                                                                 webvpn
                                                                                             enable

    1. Remote Access VPN features were introduced in Cisco FTD Software Release 6.2.2.
    2. Remote Access VPN features are enabled by using Devices > VPN > Remote Access in Cisco Firepower Management Center (FMC) or by using Device > Remote Access VPN in Cisco Firepower Device Manager (FDM).

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that devices with remote access VPN services that are configured to accept only AnyConnect Internet Key Exchange Version 2 Remote Access VPN with client services disabled are not affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Fixed Releases

    For information about fixed software releases, see the Details section in the bug ID(s) at the top of this advisory.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank James Kettle of Portswigger.net for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Related to This Advisory

  o URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-webvpn-LOeKsNmO

Revision History

+---------+-----------------------+----------------+--------+-------------+
| Version | Description           | Section        | Status | Date        |
+---------+-----------------------+----------------+--------+-------------+
|         | Added FTD Software as | Title,         |        |             |
|         | an affected product.  | Summary,       |        |             |
|         | Updated the affected  | Vulnerable     |        |             |
|         | VPN component.        | Products,      |        |             |
| 2.0     | Clarified affected    | Products       | Final  | 2022-NOV-09 |
|         | software              | Confirmed Not  |        |             |
|         | configurations.       | Vulnerable,    |        |             |
|         | Removed the           | and            |        |             |
|         | mitigation because it | Workarounds    |        |             |
|         | no longer applies.    |                |        |             |
+---------+-----------------------+----------------+--------+-------------+
| 1.0     | Initial public        | -              | Final  | 2022-AUG-10 |
|         | release.              |                |        |             |
+---------+-----------------------+----------------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------
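The configuration check the Cisco advisory above describes (look in `show running-config` output for `webvpn` with `enable <interface>`, and for `crypto ikev2 enable` with `client-services`), as an added example that is not Cisco's code; the config layout, interface name and port in the samples are constructed assumptions, and the release-level check against the bug ID is still required.

```python
"""Scan Cisco ASA/FTD running-config text for the VPN web client services
features that cisco-sa-asa-webvpn-LOeKsNmO lists as vulnerable configurations.

Added example, not Cisco's code.  It only spots the configuration patterns
named in the advisory's tables; whether the device is actually affected also
depends on the software release, so the bug ID's fixed-release list still
has to be consulted.
"""
import re

# Constructed sample of `show running-config` output (layout is an assumption;
# the interface name and port are made up).  It carries both vulnerable
# patterns: IKEv2 remote access with client services, and webvpn enabled on
# an interface.
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev2 policy 10
 encryption aes-256
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
"""

# Constructed sample matching the advisory's "not affected" case: IKEv2 remote
# access with client services disabled and no "enable <interface>" under webvpn.
SAFE_CONFIG = """\
crypto ikev2 enable outside
webvpn
 anyconnect enable
"""

# "crypto ikev2 enable <interface> [client-services [port <port>]]"
IKEV2_ENABLE = re.compile(
    r"^crypto ikev2 enable (?P<iface>\S+)(?P<cs> client-services(?: port \d+)?)?\s*$"
)
# Indented "enable <interface>" line inside the top-level "webvpn" block.
WEBVPN_ENABLE = re.compile(r"^ enable (?P<iface>\S+)\s*$")


def find_vpn_features(config_text):
    """Map each feature of interest to the interfaces on which it is enabled.

    Keys:
      ikev2_client_services    - AnyConnect IKEv2 Remote Access with client
                                 services (vulnerable row in the advisory table)
      webvpn_enable            - webvpn / enable <interface>, the configuration
                                 shared by AnyConnect SSL VPN and Clientless SSL VPN
      ikev2_no_client_services - IKEv2 Remote Access without client services,
                                 which the advisory confirms is not affected
    """
    found = {"ikev2_client_services": [], "webvpn_enable": [], "ikev2_no_client_services": []}
    in_webvpn = False
    for line in config_text.splitlines():
        if not line.startswith(" "):
            # Any unindented line closes the webvpn block; a bare "webvpn" opens it.
            in_webvpn = line.rstrip() == "webvpn"
            m = IKEV2_ENABLE.match(line)
            if m:
                key = "ikev2_client_services" if m.group("cs") else "ikev2_no_client_services"
                found[key].append(m.group("iface"))
        elif in_webvpn:
            m = WEBVPN_ENABLE.match(line)
            if m:
                found["webvpn_enable"].append(m.group("iface"))
    return found


def has_vulnerable_feature(found):
    """True when at least one configuration from the advisory's vulnerable rows is present."""
    return bool(found["ikev2_client_services"] or found["webvpn_enable"])


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("safe", SAFE_CONFIG)):
        result = find_vpn_features(cfg)
        print(name, "vulnerable feature enabled:", has_vulnerable_feature(result), result)
```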
11 November 2022

ESB-2022.3950.2 - UPDATE [Win][Mac] Intel Hardware Accelerated Execution Manager (HAXM): CVSS (Max): 8.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3950.2
                              Intel HAXM Advisory
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Intel Hardware Accelerated Execution Manager (HAXM)
Publisher:         Intel
Operating System:  Windows
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-21812
Original Bulletin: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00655.html

Revision History:  November 11 2022: Vendor Update
                   August   10 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Intel ID:                INTEL-SA-00655
Advisory Category:       Software
Impact of vulnerability: Escalation of Privilege
Severity rating:         HIGH
Original release:        08/09/2022
Last revised:            10/31/2022

Summary:

A potential security vulnerability in the Intel Hardware Accelerated Execution Manager (HAXM) software may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2022-21812

Description: Improper access control in the Intel(R) HAXM software before version 7.7.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.8 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Products:

Intel HAXM software before version 7.7.1.

Recommendation:

Intel recommends updating Intel HAXM software to version 7.7.1 or later.

Updates are available for download at this location: https://github.com/intel/haxm/releases

Acknowledgements:

Intel would like to thank SaifAllah benMassaoud for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

Revision History

Revision  Date        Description
1.0       08/09/2022  Initial Release
1.1       10/31/2022  Updated Acknowledgement

- --------------------------END INCLUDED TEXT--------------------
11 November 2022.

ESB-2022.2922.2 - UPDATE [Win][UNIX/Linux] Intel Processors: CVSS (Max): 6.1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2022.2922.2
                  Intel Processors MMIO Stale Data Advisory
                             11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Intel Processors
Publisher:         Intel
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-21166 CVE-2022-21127 CVE-2022-21125
                   CVE-2022-21123

Original Bulletin: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html

Revision History:  November 11 2022: Vendor Update
                   June 15 2022:     Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Intel ID:                 INTEL-SA-00615
Advisory Category:        Hardware
Impact of vulnerability:  Information Disclosure
Severity rating:          MEDIUM
Original release:         06/14/2022
Last revised:             10/19/2022

Summary:

Potential security vulnerabilities in Memory Mapped I/O (MMIO) for some Intel Processors may allow information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2022-21123
Description: Incomplete cleanup of multi-core shared buffers for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 6.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVEID: CVE-2022-21125
Description: Incomplete cleanup of microarchitectural fill buffers on some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 5.6 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2022-21127
Description: Incomplete cleanup in specific special register read operations for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 5.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2022-21166
Description: Incomplete cleanup in specific special register write operations for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 5.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:

Some Intel Processors, see full list:
https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

Recommendations:

Intel recommends that users of the affected Intel Processors update to the latest version provided by the system manufacturer that addresses these issues.

Intel SGX PSW for Windows to version 2.16.100.3 or later:
https://registrationcenter.intel.com/en/products/download/3406/

Intel SGX SDK for Windows to version 2.16.100.3 or later:
https://registrationcenter.intel.com/en/products/download/3407/

Intel SGX DCAP for Windows to version 1.14.100.3 or later:
https://registrationcenter.intel.com/en/products/download/3610/

Intel SGX PSW for Linux to version 2.17.100.3 or later:
https://01.org/intel-software-guard-extensions/downloads

Intel SGX SDK for Linux to version 2.17.100.3 or later:
https://01.org/intel-software-guard-extensions/downloads

Intel SGX DCAP for Linux to version 1.14.100.3 or later:
https://01.org/intel-software-guard-extensions/downloads

To address this issue, an Intel SGX TCB Recovery is planned. Details can be found here. Refer to Intel SGX Attestation Technical Details for more information on the Intel SGX TCB recovery process. Further TCB Recovery Guidance for developers is available.

Acknowledgements:

The following issues were found internally by Intel employees. Intel would like to thank Ke Sun, Alan Miller, Shlomi Alkalay, Robert Jones and Ezra Caltum for reporting CVE-2022-21123, CVE-2022-21125, CVE-2022-21127 and CVE-2022-21166; Jason Kilman for reporting CVE-2022-21123 and CVE-2022-21127; and Scott Cape and Anthony Wojciechowski for reporting CVE-2022-21127.

Revision History

Revision  Date        Description
1.0       06/14/2022  Initial Release
1.1       06/27/2022  Updated recommendations
1.2       10/19/2022  Updated SGX TCB Recovery plan Link

- --------------------------END INCLUDED TEXT--------------------
11 November 2022.

ESB-2022.2327.4 - UPDATE [Win][UNIX/Linux] Intel Processors:

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2022.2327.4
           3rd Generation Intel Xeon Scalable Processors Advisory
                             11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Intel Processors
Publisher:         Intel
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33117

Original Bulletin: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00586.html

Revision History:  November 11 2022: Vendor Update
                   June 14 2022:     Updated recommendations
                   May 12 2022:      Vendor updated recommendations
                   May 12 2022:      Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Intel ID:                 INTEL-SA-00586
Advisory Category:        Firmware
Impact of vulnerability:  Information Disclosure
Severity rating:          MEDIUM
Original release:         05/10/2022
Last revised:             10/19/2022

Summary:

A potential security vulnerability in some 3rd Generation Intel Xeon Scalable Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2021-33117
Description: Improper access control for some 3rd Generation Intel(R) Xeon(R) Scalable Processors before BIOS version MR7 may allow a local attacker to potentially enable information disclosure via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected Products:

+-----------------------------------------------+-----------+------------------+--------+-------------+
| Product Family                                | Processor | Vertical Segment | CPU ID | Platform ID |
+-----------------------------------------------+-----------+------------------+--------+-------------+
| 3rd Generation Intel Xeon Scalable Processors | 06_6AH    | Server           | 606AX  | 0x87        |
+-----------------------------------------------+-----------+------------------+--------+-------------+

Recommendations:

Intel recommends updating affected 3rd Generation Intel Xeon Scalable Processors to BIOS version MR7 or later.

Intel recommends that users enable the BIOS technologies that detect unauthorized modification of early boot code.

Alternatively, Intel recommends following the steps to update the microcode patch located in platform flash designated by firmware interface table (FIT) entry type 1. Details on the firmware interface table layout and types can be found at:
https://software.intel.com/content/dam/develop/external/us/en/documents/firmware-interface-table-bios-specification-r1p2p1.pdf

Intel is releasing microcode updates, which are available at this GitHub* repository link:
https://github.com/otcshare/Intel-Generic-Microcode/blob/main/NDA/repository/server/production/m_87_606a6_0d000331.inc

This CVE requires a Microcode Security Version Number (SVN) update.

To address this issue, an Intel SGX TCB Recovery is planned. Details can be found here. Refer to Intel SGX Attestation Technical Details for more information on the Intel SGX TCB recovery process. Further TCB Recovery Guidance for developers is available.

Acknowledgements:

This issue was found internally by Intel employees.

Revision History

Revision  Date        Description
1.0       05/10/2022  Initial Release
1.1       05/11/2022  Updated recommendations
1.2       06/13/2022  Updated recommendations
1.3       06/27/2022  Updated recommendations
1.4       10/19/2022  Updated SGX TCB Recovery plan Link

- --------------------------END INCLUDED TEXT--------------------
11 November 2022.

ESB-2022.2288.3 - UPDATE [Win][UNIX/Linux] Intel Processors: CVSS (Max): 4.9

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2022.2288.3
                           IPU - Intel SGX Advisory
                             11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Intel Processors
Publisher:         Intel
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0005

Original Bulletin: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00614.html

Comment: CVSS (Max): 4.9 CVE-2022-0005 (CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
         CVSS Source: Intel
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Revision History:  November 11 2022: Vendor Update
                   June 14 2022:     Updated recommendations
                   May 12 2022:      Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Intel ID:                 INTEL-SA-00614
Advisory Category:        Hardware
Impact of vulnerability:  Information Disclosure
Severity rating:          MEDIUM
Original release:         05/10/2022
Last revised:             10/19/2022

Summary:

A potential security vulnerability in the Intel Software Guard Extensions (SGX) Platform may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2022-0005
Description: Sensitive information accessible by physical probing of JTAG interface for some Intel(R) Processors with SGX may allow an unprivileged user to potentially enable information disclosure via physical access.
CVSS Base Score: 4.9 Medium
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Products:

+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| Product Family                                   | Segment                        | Processor | Stepping | CPUID |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 6th Generation Intel Core Processor Family       | Mobile                         | 06_4EH    | 3        | 406E3 |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 1. Intel Xeon E processor family                 | 1. Server Workstation Embedded | 06_5EH    | 3        | 506E3 |
| 2. 6th Generation Intel Core Processor Family    | 2. Mobile Desktop              |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 3rd Gen Intel Xeon Scalable processor family     | Server                         | 06_6AH    | 4, 5, 6  | 606AX |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 10th Generation Intel Core Processor Family      | Mobile                         | 06_7EH    | 5        | 706E5 |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 8th Generation Intel Core Processor Family       | Mobile                         | 06_8EH    | 9        | 806E9 |
| 7th Generation Intel Core Processor Family       |                                |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 8th Generation Intel Core Processor Family       | Mobile                         | 06_8EH    | A        | 806EA |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 8th Generation Intel Core Processors             | Mobile                         | 06_8EH    | B        | 806EB |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 8th Generation Intel Core Processors             | Mobile                         | 06_8EH    | C        | 806EC |
| 10th Generation Intel Core Processor Family      |                                |           |          |       |
| Intel Pentium Gold Processor Series              |                                |           |          |       |
| Intel Celeron Processor 5000 Series              |                                |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 1, 2. 7th Generation Intel Core Processor Family | 1. Desktop Embedded            | 06_9EH    | 9        | 906E9 |
| 3. 8th Generation Intel Core Processor Family    | 2. Mobile Embedded             |           |          |       |
| 3. Intel Pentium Processor Family                | 3. Mobile                      |           |          |       |
| 4. Intel Core X-series Processors                | 4. Desktop                     |           |          |       |
| 5. Intel Xeon E processor family                 | 5. Server Workstation Embedded |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 1. 8th Generation Intel Core Processor Family    | 1. Mobile                      | 06_9EH    | A        | 906EA |
| 2. Intel Xeon E processor family                 | 2. Workstation AMT Server      |           |          |       |
| 3. 8th Generation Intel Core Processor Family    | 3,4. Desktop                   |           |          |       |
| 4. 8th Generation Intel Core Processor Family    |                                |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 8th Generation Intel Core Processor Family       | Desktop                        | 06_9EH    | B        | 906EB |
| Intel Pentium Gold Processor Series              |                                |           |          |       |
| Intel Celeron Processor G Series                 |                                |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 9th Generation Intel Core Processor Family       | Desktop                        | 06_9EH    | C        | 906EC |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 1, 2. 9th Generation Intel Core Processor Family | 1. Mobile                      | 06_9EH    | D        | 906ED |
| 3. Intel Xeon E processor family                 | 2. Desktop                     |           |          |       |
|                                                  | 3. Workstation AMT Server      |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 10th Generation Intel Core Processor Family      | Mobile                         | 06_A5H    | 2        | A0652 |
| Intel Xeon W processor family                    | Workstation                    |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 10th Generation Intel Core Processor Family      | Desktop Workstation            | 06_A5H    | 3        | A0653 |
| Intel Pentium Gold Processor Family              |                                |           |          |       |
| Intel Celeron Processor Family                   |                                |           |          |       |
| Intel Xeon W processor family                    |                                |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 10th Generation Intel Core Processor Family      | Desktop Workstation            | 06_A5H    | 5        | A0655 |
| Intel Xeon W processor family                    |                                |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 10th Generation Intel Core Processor Family      | Mobile                         | 06_A6H    | 1        | A0660 |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 10th Generation Intel Core Processor Family      | Mobile Desktop                 | 06_A6H    | <=1      | A0661 |
| Intel Xeon W processor family                    |                                |           |          |       |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+
| 11th Generation Intel Core Processor Family      | Desktop                        | 06_A7H    | 1        | A0671 |
+--------------------------------------------------+--------------------------------+-----------+----------+-------+

Recommendations:

Intel recommends that users of affected Intel Processors update to the latest version firmware provided by the system manufacturer that addresses these issues.

Intel has released microcode updates for the affected Intel Processors that are currently supported on the public GitHub repository. Please see details below on access to the microcode:

GitHub*:
Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

This CVE requires a Microcode Security Version Number (SVN) update.

To address this issue, an Intel SGX TCB Recovery is planned. Details can be found here. Refer to Intel SGX Attestation Technical Details for more information on the Intel SGX TCB recovery process. Further TCB Recovery Guidance for developers is available.

Acknowledgements:

The following issue was found internally by Intel employees. Intel would like to thank Ilya Alexandrovich for reporting this issue.

Revision History

Revision  Date        Description
1.0       05/10/2022  Initial Release
1.1       06/13/2022  Updated recommendations
1.2       06/27/2022  Updated recommendations
1.3       10/19/2022  Updated SGX TCB Recovery plan Link

- --------------------------END INCLUDED TEXT--------------------
11 November 2022.

ESB-2022.2287.3 - UPDATE [Win][UNIX/Linux] Intel Processors:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.2287.3 IPU - Intel Processor Advisory 11 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Intel Processors Publisher: intel Operating System: Windows UNIX variants (UNIX, Linux, OSX) Resolution: Patch/Upgrade CVE Names: CVE-2022-21151 Original Bulletin: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00617.html Revision History: November 11 2022: Vendor Update June 14 2022: Updated Recommendations May 12 2022: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Intel ID: INTEL-SA-00617 Advisory Category: Firmware Impact of vulnerability : Information Disclosure Severity rating : MEDIUM Original release: 05/10/2022 Last revised: 10/19/2022 Summary: A potential security vulnerability in some Intel Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability. Vulnerability Details: CVEID: CVE-2022-21151 Description: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. 
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Products:

+---------------------------------------------+------------------+--------+-------------+
| Product Collection                          | Vertical Segment | CPU ID | Platform ID |
+---------------------------------------------+------------------+--------+-------------+
| 10th Generation Intel Core Processor Family | Mobile           | 706E5  | 80          |
+---------------------------------------------+------------------+--------+-------------+
| Intel Pentium Processor Silver Series       | Desktop          | 706A1  | 01          |
| Intel Celeron Processor J Series            | Mobile           |        |             |
| Intel Celeron Processor N Series            |                  |        |             |
+---------------------------------------------+------------------+--------+-------------+
| 8th Generation Intel Core Processor Family  | Desktop          | 906EB  | 02          |
+---------------------------------------------+------------------+--------+-------------+
| 8th Generation Intel Core Processors        | Mobile           | 806EC  | 94          |
+---------------------------------------------+------------------+--------+-------------+
| 10th Generation Intel Core Processor Family | Desktop          | A0653  | 22          |
|                                             | Mobile           | A0655  | 02          |
|                                             |                  | A0661  | 80          |
|                                             |                  | 806EC  | 94          |
+---------------------------------------------+------------------+--------+-------------+
| 6th Generation Intel Core Processor Family  | Desktop          | 506E3  | 36          |
|                                             | Mobile           | 406E3  | C0          |
+---------------------------------------------+------------------+--------+-------------+
| 7th Generation Intel Core Processor Family  | Desktop          | 906E9  | 2A          |
|                                             | Mobile           | 806E9  | C0          |
+---------------------------------------------+------------------+--------+-------------+
| 9th Generation Intel Core Processor Family  | Desktop          | A0671  | 02          |
+---------------------------------------------+------------------+--------+-------------+
| 3rd Generation Intel Xeon Scalable          | Server           | 606AX  | 0x87        |
| Processors                                  |                  |        |             |
+---------------------------------------------+------------------+--------+-------------+

Recommendations:

Intel recommends that users of affected Intel Processors update to the latest
version firmware provided by the system manufacturer that addresses these
issues.

Intel has released microcode updates for the affected Intel Processors that are
currently supported on the public GitHub repository. Please see details below
on access to the microcode:

GitHub*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

This CVE requires a Microcode Security Version Number (SVN) update. To address
this issue, an Intel SGX TCB Recovery is planned. Details can be found here.
Refer to Intel SGX Attestation Technical Details for more information on the
SGX TCB recovery process. Further TCB Recovery Guidance for developers is
available.

Acknowledgements:

This issue was found internally by Intel employees. Intel would like to thank
Alysa Milburn, Jason Brandt, Avishai Redelman, Nir Lavi for reporting this
issue.

Intel, and nearly the entire technology industry, follows a disclosure practice
called Coordinated Disclosure, under which a cybersecurity vulnerability is
generally publicly disclosed only after mitigations are available.

Revision History

Revision   Date         Description
1.0        05/10/2022   Initial Release
1.1        06/13/2022   Updated Recommendations
1.2        10/19/2022   Updated SGX TCB Recovery plan Link

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
11 November 2022

ESB-2022.1912.3 - UPDATE [Cisco] Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software: CVSS (Max): 8.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1912.3
  Cisco Adaptive Security Appliance Software and Firepower Threat Defense
       Software Web Services Interface Denial of Service Vulnerability
                              11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Adaptive Security Appliance Software
                   Firepower Threat Defense Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20745
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-tzPSYern

Revision History:  November 11 2022: Updated Subject to include CVSS Score
                   November 10 2022: Vendor updated bulletin
                   April 29 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software
Web Services Interface Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-asafdt-webvpn-dos-tzPSYern
First Published: 2022 April 27 16:00 GMT
Last Updated:    2022 November 9 16:02 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvz70595 CSCwb87950 CSCwb93914
CVE Names:       CVE-2022-20745
CWEs:            CWE-20

Summary

  o A vulnerability in the web services interface for remote access VPN
    features of Cisco Adaptive Security Appliance (ASA) Software and Cisco
    Firepower Threat Defense (FTD) Software could allow an unauthenticated,
    remote attacker to cause a denial of service (DoS) condition.

    This vulnerability is due to improper input validation when parsing HTTPS
    requests. An attacker could exploit this vulnerability by sending a crafted
    HTTPS request to an affected device. A successful exploit could allow the
    attacker to cause the device to reload, resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-tzPSYern

    This advisory is part of the April 2022 release of the Cisco ASA, FTD, and
    FMC Security Advisory Bundled publication. For a complete list of the
    advisories and links to them, see Cisco Event Response: April 2022 Cisco
    ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable
    release of Cisco ASA Software or Cisco FTD Software with a vulnerable remote
    access VPN configuration.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine the ASA Software Configuration

    To determine whether the software has a vulnerable feature configured, use
    the show running-config CLI command. In the following table, the left
    column lists the Cisco ASA Software features that are vulnerable. The right
    column indicates the basic configuration for each feature from the show
    running-config CLI command. If a device is running a vulnerable release and
    has one of these features configured, it is vulnerable.

    Cisco ASA Feature                            Vulnerable Configuration
    -------------------------------------------  ------------------------------------------
    AnyConnect Internet Key Exchange Version 2   crypto ikev2 enable client-services port
    Remote Access (with client services)
    AnyConnect SSL VPN                           webvpn
                                                  enable
    Clientless SSL VPN                           webvpn
                                                  enable

    Determine the FTD Software Configuration

    To determine whether the software has a vulnerable feature configured, use
    the show running-config CLI command. In the following table, the left
    column lists the Cisco FTD Software features that are vulnerable. The right
    column indicates the basic configuration for each feature from the show
    running-config CLI command. If a device is running a vulnerable release and
    has one of these features configured, it is vulnerable.

    Cisco FTD Feature                                 Vulnerable Configuration
    ------------------------------------------------  ------------------------------------------
    AnyConnect Internet Key Exchange Version 2        crypto ikev2 enable client-services port
    Remote Access (with client services) ^1,2
    AnyConnect SSL VPN ^1,2                           webvpn
                                                       enable

    1. Remote Access VPN features were introduced in Cisco FTD Software Release
       6.2.2.
    2. Remote Access VPN features are enabled by using Devices > VPN > Remote
       Access in Cisco Firepower Management Center (FMC) or by using Device >
       Remote Access VPN in Cisco Firepower Device Manager (FDM).

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    Management Center (FMC) Software.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers with service contracts that entitle
    them to regular software updates should obtain security fixes through their
    usual update channels.

    Customers may only install and expect support for software versions and
    feature sets for which they have purchased a license. By installing,
    downloading, accessing, or otherwise using such software upgrades,
    customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information
    about licensing and downloads. This page can also display customer device
    support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The center column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. The right column indicates whether
    a release is affected by any of the Critical or High SIR vulnerabilities
    described in this bundle and which release includes fixes for those
    vulnerabilities.

    ASA Software

    Cisco ASA Software    First Fixed Release for       First Fixed Release for
    Release               CSCvz70595                    CSCwb87950 and CSCwb93914
    --------------------  ----------------------------  ----------------------------
    9.6 and earlier ^1    Not vulnerable.               Not vulnerable.
    9.7 ^1                Migrate to a fixed release.   Migrate to a fixed release.
    9.8                   9.8.4.44                      9.8.4.46
    9.9 ^1                Migrate to a fixed release.   Migrate to a fixed release.
    9.10 ^1               Migrate to a fixed release.   Migrate to a fixed release.
    9.12                  9.12.4.35                     9.12.4.52
    9.13 ^1               Migrate to a fixed release.   Migrate to a fixed release.
    9.14                  9.14.3.13                     9.14.4.16
    9.15                  9.15.1.21                     Migrate to a fixed release.
    9.16                  9.16.2.7                      9.16.3.15
    9.17                  Not vulnerable.               9.17.1.16
    9.18                  Not vulnerable.               9.18.1.3

    1. Cisco ASA Software releases 9.7 and earlier, as well as releases 9.9,
       9.10, and 9.13, have reached end of software maintenance. Customers are
       advised to migrate to a supported release that includes the fix for this
       vulnerability.

    FTD Software

    Cisco FTD Software    First Fixed Release for                            First Fixed Release for
    Release               CSCvz70595                                         CSCwb87950 and CSCwb93914
    --------------------  -------------------------------------------------  ----------------------------
    6.1.0 and earlier ^1  Not vulnerable.                                    Not vulnerable.
    6.2.2 ^1              Migrate to a fixed release.                        Migrate to a fixed release.
    6.2.3                 Migrate to a fixed release.                        Migrate to a fixed release.
    6.3.0 ^1              Migrate to a fixed release.                        Migrate to a fixed release.
    6.4.0                 6.4.0.13                                           6.4.0.16
    6.5.0 ^1              Migrate to a fixed release.                        Migrate to a fixed release.
    6.6.0                 6.6.5.1                                            6.6.7.1
    6.7.0                 Cisco_FTD_Hotfix_AA-6.7.0.4-2.sh.REL.tar           Migrate to a fixed release.
                          Cisco_FTD_SSP_FP1K_Hotfix_AA-6.7.0.4-2.sh.REL.tar
                          Cisco_FTD_SSP_FP2K_Hotfix_AA-6.7.0.4-2.sh.REL.tar
                          Cisco_FTD_SSP_Hotfix_AA-6.7.0.4-2.sh.REL.tar
    7.0.0                 7.0.2                                              7.0.4
    7.1.0                 Not vulnerable.                                    7.1.0.3
    7.2.0                 Not vulnerable.                                    7.2.1

    1. Cisco FMC and FTD Software releases 6.2.2 and earlier, as well as
       releases 6.3.0 and 6.5.0, have reached end of software maintenance.
       Customers are advised to migrate to a supported release that includes
       the fix for this vulnerability.

    For instructions on upgrading your FTD device, see Cisco Firepower
    Management Center Upgrade Guide.
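A defender-side check that applies the two steps above for CVE-2022-20745 on ASA: look for the advisory's vulnerable features in a show running-config dump, then compare the running release against the ASA first-fixed-release table. This is an added example, not Cisco's tooling; the sample running-config is constructed, the function names are mine, and it uses the right-hand column (the release fixing all three bug IDs) as the conservative bar.

```python
import re

# First fixed release per Cisco ASA Software train, from the right-hand column
# of the advisory's ASA table (the release fixing CSCvz70595, CSCwb87950 and
# CSCwb93914 together). "MIGRATE" marks end-of-maintenance trains with no fix;
# 9.6 and earlier are not vulnerable and are handled in release_status().
ASA_FIRST_FIXED = {
    "9.7": "MIGRATE", "9.8": "9.8.4.46", "9.9": "MIGRATE", "9.10": "MIGRATE",
    "9.12": "9.12.4.52", "9.13": "MIGRATE", "9.14": "9.14.4.16",
    "9.15": "MIGRATE", "9.16": "9.16.3.15", "9.17": "9.17.1.16",
    "9.18": "9.18.1.3",
}

# Top-level command from the advisory's "Vulnerable Configuration" column:
# AnyConnect IKEv2 remote access with client services on an interface.
IKEV2_CLIENT_SERVICES = re.compile(
    r"^crypto ikev2 enable \S+ client-services(?: port \d+)?$")


def parse_version(text):
    """'9.16.3.15' or the 'show version' form '9.16(3)15' -> tuple of ints."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if len(nums) < 2:
        raise ValueError(f"not an ASA release string: {text!r}")
    return nums


def release_status(version):
    """'not_vulnerable', 'fixed', 'vulnerable', 'migrate' (no fix on this train)
    or 'unknown' (train not in the advisory table)."""
    v = parse_version(version)
    if v[:2] <= (9, 6):
        return "not_vulnerable"
    fixed = ASA_FIRST_FIXED.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unknown"
    if fixed == "MIGRATE":
        return "migrate"
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


def detect_vulnerable_features(running_config):
    """Vulnerable features from the advisory present in a 'show running-config'.

    Only the global 'webvpn' block counts; the indented 'webvpn' sub-mode under
    'group-policy ... attributes' is deliberately ignored.
    """
    found = []
    in_global_webvpn = False
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith(("!", ":")):
            continue
        if not line.startswith(" "):            # top-level command
            in_global_webvpn = line == "webvpn"
            if IKEV2_CLIENT_SERVICES.match(line):
                found.append("AnyConnect IKEv2 Remote Access (client-services)")
            continue
        # 'enable <interface>' inside the global webvpn block covers both the
        # AnyConnect SSL VPN and Clientless SSL VPN rows of the advisory.
        if in_global_webvpn and re.match(r"^ enable \S+", line):
            if "SSL VPN (webvpn enable)" not in found:
                found.append("SSL VPN (webvpn enable)")
    return found


def assess(version, running_config):
    """Exposed only if a vulnerable feature is configured AND the release is
    below the fix or on a train that has no fix."""
    features = detect_vulnerable_features(running_config)
    status = release_status(version)
    return {"version": version, "release_status": status, "features": features,
            "exposed": bool(features) and status in ("vulnerable", "migrate")}


# Constructed 'show running-config' excerpt (not taken from a real device).
SAMPLE_RUNNING_CONFIG = """\
: Saved
hostname asa-edge-01
interface GigabitEthernet0/0
 nameif outside
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.pkg 1
 anyconnect enable
group-policy GP-RA-USERS attributes
 webvpn
  anyconnect ssl dtls enable
"""

if __name__ == "__main__":
    for release in ("9.14.3.13", "9.14.4.16", "9.13(1)7"):
        print(assess(release, SAMPLE_RUNNING_CONFIG))
```

Note that 9.17 reads "Not vulnerable" for the original bug but still needs 9.17.1.16 for the follow-up bug IDs, which is why the check keys on the right-hand column.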
    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use
    of the vulnerability that is described in this advisory.

Source

  o This vulnerability was originally found during the resolution of a Cisco
    TAC support case.

    Cisco would like to thank Saleh Iskandar from Indonesia for reporting that
    the fix for the vulnerability was incomplete.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Cisco ASA, FMC, and FTD Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asafdt-webvpn-dos-tzPSYern

Revision History

  o +---------+----------------------------+-----------+--------+-------------+
    | Version | Description                | Section   | Status | Date        |
    +---------+----------------------------+-----------+--------+-------------+
    | 1.2     | Updated fixed release      | Fixed     | Final  | 2022-NOV-09 |
    |         | tables to reflect          | Software, |        |             |
    |         | additional fixes for Cisco | Source    |        |             |
    |         | bugs CSCwb87950 and        |           |        |             |
    |         | CSCwb93914. Also updated   |           |        |             |
    |         | source.                    |           |        |             |
    +---------+----------------------------+-----------+--------+-------------+
    | 1.1     | Updated ASA 9.8 first      | Fixed     | Final  | 2022-JUN-01 |
    |         | fixed release information. | Software  |        |             |
    +---------+----------------------------+-----------+--------+-------------+
    | 1.0     | Initial public release.    | -         | Final  | 2022-APR-27 |
    +---------+----------------------------+-----------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------
10 November 2022

ESB-2022.5792.2 - UPDATE [Apple iOS] iOS and iPadOS: CVSS (Max): 8.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5792.2
              APPLE-SA-2022-11-09-1 iOS 16.1.1 and iPadOS 16.1.1
                              11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iOS
                   iPadOS
Publisher:         Apple
Operating System:  Apple iOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-40304 CVE-2022-40303
Original Bulletin: https://support.apple.com/HT213505

Comment: CVSS (Max):  8.2 CVE-2022-40304 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Revision History:  November 11 2022: Changed product tag to include affected Apple products
                   November 10 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-11-09-1 iOS 16.1.1 and iPadOS 16.1.1

iOS 16.1.1 and iPadOS 16.1.1 addresses the following issues. Information about
the security content is also available at https://support.apple.com/HT213505.

libxml2
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd
generation and later, iPad 5th generation and later, and iPad mini 5th
generation and later
Impact: A remote user may be able to cause unexpected app termination or
arbitrary code execution
Description: An integer overflow was addressed through improved input
validation.
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd
generation and later, iPad 5th generation and later, and iPad mini 5th
generation and later
Impact: A remote user may be able to cause unexpected app termination or
arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero

All information is also posted on the Apple Security Updates web site:
https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are
available at: https://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------
10 November 2022

ESB-2022.5474.4 - UPDATE [Win][UNIX/Linux][Appliance] Palo Alto Products:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5474.4
       PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786
                              and CVE-2022-3602
                              10 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Palo Alto Products
Publisher:         Palo Alto Networks
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Network Appliance
Resolution:        None
Original Bulletin: https://securityadvisories.paloaltonetworks.com/PAN-SA-2022-0006

Revision History:  November 10 2022: Vendor updated bulletin: Final Release
                   November 3 2022: Vendor updated bulletin
                   November 2 2022: Palo Alto updated advisory with CVE details
                   November 1 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Subject: Updated Palo Alto bulletin: PAN-SA-2022-0006 Impact of OpenSSL 3.0
         Vulnerabilities CVE-2022-3786 and CVE-2022-3602
From: palo_alto-bulletins@auscert.org.au

Palo Alto Networks Security Advisories / PAN-SA-2022-0006

PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and
CVE-2022-3602

[INFO] Informational

Published   2022-10-31
Updated     2022-11-09
Reference   PAN-SA-2022-0006
Discovered  externally

Description

On November 1st, 2022, the OpenSSL Project published two high severity
vulnerabilities, CVE-2022-3786 and CVE-2022-3602, that affect OpenSSL versions
3.0.0 through 3.0.6. The Palo Alto Networks Product Security Assurance team has
evaluated and confirmed that all products and services are not impacted by
these vulnerabilities.

Product Status

Product                              Versions Affected   Versions Unaffected
-----------------------------------  ------------------  -------------------
AutoFocus                            None                all
Bridgecrew                           None                all
Cloud NGFW                           None                all
Cortex Data Lake                     None                all
Cortex XDR                           None                all
Cortex XDR Agent                     None                all
Cortex Xpanse                        None                all
Cortex XSOAR                         None                all
Enterprise Data Loss Prevention      None                all
Exact Data Matching CLI              None                all
Expanse                              None                all
Expedition Migration Tool            None                all
GlobalProtect App                    None                all
IoT Security                         None                all
Okyo Garde                           None                all
Palo Alto Networks App for Splunk    None                all
PAN-OS                               None                all
Prisma Access                        None                all
Prisma Cloud                         None                all
Prisma Cloud Compute                 None                all
Prisma SD-WAN (CloudGenix)           None                all
Prisma SD-WAN ION                    None                all
SaaS Security                        None                all
User-ID Agent                        None                all
WildFire Appliance (WF-500)          None                all
WildFire Cloud                       None                all

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on
any of our products.

Solution

No software updates are required at this time.

NOTE: Cortex XDR Broker VM versions earlier than Cortex XDR Broker VM 17.4.1
contain an affected version of the OpenSSL 3.0 library but are not impacted.
There are no scenarios in Cortex XDR Broker VM software that enable successful
exploitation of these vulnerabilities. The OpenSSL 3.0 library has been removed
from Cortex XDR Broker VM 17.4.1 and later versions for security assurance.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block known attacks for
CVE-2022-3602 by enabling Threat ID 93212 (Applications and Threats content
update 8638). This mitigation reduces the risk of exploitation from known
exploits.

Frequently Asked Questions

Q. How can I find vulnerable versions of OpenSSL in my environment?

With Prisma Cloud, security teams can prepare to detect and patch vulnerable
systems as soon as the fix is available. Prisma Cloud customers can apply
controls to address this vulnerability across multiple stages in the
application lifecycle, from the code to the cloud. See
https://www.paloaltonetworks.com/blog/prisma-cloud/prepare-openssl-vulnerability/
for more information.

Timeline

2022-11-09  Investigation is complete
2022-11-03  Cortex XDR Broker VM 17.4.1 is released and removes OpenSSL 3.0 for
            security assurance
2022-11-02  A threat prevention signature is now available for CVE-2022-3602
2022-11-01  Updated advisory to reference the CVEs
2022-10-31  Initial publication

(C) 2022 Palo Alto Networks, Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------