Cyber Security Alerts
CONSULT THE CYBER SECURITY ALERTS
IMPORTANT INFORMATION ABOUT COHESITY
Latest LTS (Long Term Support) version for Cohesity Data Cloud, 6.8.1_u3, is released
Cohesity recently announced that version 6.8.1_u3 has been designated a Long Term Support (LTS) release, so all subsequent 6.8.x releases will receive LTS support.
LTS releases are supported for a minimum of 12 months from the date of LTS designation, with a minimum of 6 months of overlapping coverage between two consecutive LTS releases; the estimated end of support date for version 6.8.1 is May 15, 2024.
The previous LTS version, 6.6.0d, reaches end of support on November 15, 2023.
🔄 We recommend installing or upgrading to LTS versions in all production environments.
IMPORTANT INFORMATION
ℹ️ Customers already running 6.8.1 who cannot perform a full upgrade to 6.8.1_u3 should apply p10/p10s1, which is functionally equivalent to 6.8.1_u3.
ℹ️ Customers upgrading to 6.8.1_u3 do not need to apply p10/p10s1 to the cluster.
ℹ️ Applying p10/p10s1 to a 6.8.1_u3 cluster will fail, because 6.8.1_u3 already ships with the p10 fixes and agent binaries.
ℹ️ Patches p11 and later, once released, can be applied normally.
ℹ️ Software version 6.8.1.x introduces enhanced security through Secure Shell functionality.
Customers upgrading to 6.8.1.x from version 6.6.x or earlier should read the section Using Secure Shell to understand the functionality and the resulting changes.
✅ 6.6.x and later ⇢ upgrade directly to 6.8.1_u3
✅ 6.5.1c to 6.5.1f_u1 ⇢ upgrade directly to 6.8.1_u3
✅ 6.5.1 to 6.5.1b ⇢ an interim upgrade is required: upgrade to 6.5.1f first, then to 6.8.1_u3.
✅ 6.3.1.x ⇢ an interim upgrade is required: upgrade to 6.5.1f first, then to 6.8.1_u3.
CRITICAL VULNERABILITY - Microsoft Security Updates for March 2023
New Technology LAN Manager (NTLM) credential theft
Microsoft has published its security updates for March, covering the period from 02/15/2023 to 03/14/2023. They address 109 vulnerabilities with assigned CVEs, rated as: 9 critical, 70 important, 1 moderate and 29 without an assigned severity.
The published vulnerabilities correspond to the following types:
❌ Denial of service.
❌ Privilege escalation.
❌ Information disclosure.
❌ Remote execution of code.
❌ Security feature bypass.
❌ Spoofing.
👀 You can consult the list of affected resources here.
The one to prioritise allows the theft of NTLM credentials. It requires no user interaction: it is triggered when an attacker sends a specially crafted message containing an extended MAPI property with a UNC path to an SMB share (TCP 445) on a server controlled by the threat actor. The Outlook client processes that property and tries to authenticate to the share, handing the victim's NTLM authentication to the attacker; this happens when the message is retrieved and processed by the client, before the email is viewed in the Preview Pane. Blocking outbound TCP 445 at the network perimeter prevents the leaked authentication from reaching the attacker's server.
CRITICAL VULNERABILITIES - FORTINET PRODUCTS
Fortinet has issued 15 advisories: 1 critical, 5 high, 8 medium and 1 low severity.
The critical vulnerability could allow an attacker to execute code remotely and/or cause a denial of service.
The vulnerability is described in this article.
AFFECTED RESOURCES
❌ FortiOS, versions:
– 7.2.0 through 7.2.3;
– 7.0.0 through 7.0.9;
– 6.4.0 through 6.4.11;
– 6.2.0 through 6.2.12;
– all 6.0 versions.
❌ FortiProxy, versions:
– 7.2.0 through 7.2.2;
– 7.0.0 through 7.0.8;
– 2.0.0 through 2.0.11;
– all versions 1.2;
– all versions 1.1.
Upgrade to the following versions to fix the critical vulnerability:
🔄 FortiOS:
– 7.4.0 or higher;
– 7.2.4 or higher;
– 7.0.10 or higher;
– 6.4.12 or higher;
– 6.2.13 or higher.
🔄 FortiProxy:
– 7.2.3 or higher;
– 7.0.9 or higher;
– 2.0.12 or higher.
🔄 FortiOS-6K7K:
– 7.0.10 or higher;
– 6.4.12 or higher;
– 6.2.13 or higher.
CRITICAL VULNERABILITY - Veeam® Backup & Replication™
Unauthorized access to backup infrastructure hosts
In mid-February a vulnerability was identified in a Veeam Backup & Replication component, with a CVSS score of 7.5 (high severity). It could allow an unauthenticated user to request encrypted credentials, which could lead to access to backup infrastructure hosts.
AFFECTED RESOURCES
❌ All versions of Veeam Backup & Replication
For the time being, it is recommended to:
Proceed with updating your installations.
🔄 Patches have been released for V11 and V12 that fix this vulnerability.
🔄 If you are using a Veeam all-in-one appliance with no remote backup infrastructure components, you can also block external connections to TCP port 9401 on the backup server firewall as a temporary workaround until the patch is installed. The restriction to all-in-one deployments exists because remote backup infrastructure components need to reach that port.
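Both the NTLM leak above and the Veeam workaround come down to one question for the SOC: is a port that should only ever be used internally crossing the perimeter? The following Python script is an added example, not Veeam's or Microsoft's tooling. It runs two checks over constructed firewall log lines in a key=value layout (a format assumed for illustration): it flags outbound SMB (TCP 445) from internal hosts to external addresses, which is the path the crafted-message attack uses to collect the NTLM authentication, and any external source reaching the backup server on TCP 9401. The internal ranges and the backup server address are assumptions to be replaced with your own.

```python
"""Flag two exposures from the alerts above in firewall logs: outbound SMB
(TCP 445) to addresses outside the organisation, and inbound connections to
the Veeam backup server port (TCP 9401) from outside."""
import ipaddress
import re

# Assumption: the organisation's internal ranges; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: the backup server's address, used to scope the 9401 rule.
BACKUP_SERVERS = {"10.20.0.40"}

# Constructed sample lines in a key=value firewall format (not real traffic).
SAMPLE_LOG = """\
date=2023-03-15 time=10:02:11 action=accept srcip=10.20.0.15 srcport=49212 dstip=10.20.0.5 dstport=445 proto=6
date=2023-03-15 time=10:02:13 action=accept srcip=10.20.0.15 srcport=49213 dstip=203.0.113.45 dstport=445 proto=6
date=2023-03-15 time=10:03:40 action=deny srcip=198.51.100.77 srcport=40011 dstip=10.20.0.40 dstport=9401 proto=6
date=2023-03-15 time=10:04:02 action=accept srcip=10.20.0.31 srcport=50001 dstip=10.20.0.40 dstport=9401 proto=6
date=2023-03-15 time=10:05:55 action=accept srcip=10.20.0.15 srcport=49310 dstip=203.0.113.45 dstport=443 proto=6
"""

KV = re.compile(r"(\w+)=(\S+)")


def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict of strings."""
    return dict(KV.findall(line))


def findings(log_text):
    """Return one (rule, action, src, dst) tuple per matching log line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not all(k in rec for k in ("srcip", "dstip", "dstport")):
            continue  # not a traffic record
        dport = int(rec["dstport"])
        # Rule 1: SMB leaving the organisation carries the NTLM authentication.
        if dport == 445 and is_internal(rec["srcip"]) and not is_internal(rec["dstip"]):
            hits.append(("outbound SMB to external host (possible NTLM credential leak)",
                         rec.get("action"), rec["srcip"], rec["dstip"]))
        # Rule 2: the Veeam backup service port must not be reachable from outside.
        # A 'deny' here shows the workaround is working; an 'accept' is an exposure.
        if dport == 9401 and rec["dstip"] in BACKUP_SERVERS and not is_internal(rec["srcip"]):
            hits.append(("external source reaching Veeam backup service port 9401",
                         rec.get("action"), rec["srcip"], rec["dstip"]))
    return hits


if __name__ == "__main__":
    for rule, action, src, dst in findings(SAMPLE_LOG):
        print(f"{action:6} {src:>15} -> {dst:<15} {rule}")
```

Internal-to-internal SMB (line 1) and the internal proxy talking to the backup server (line 4) are deliberately not reported; only the two perimeter crossings are.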
CRITICAL VULNERABILITY - VMware ESXi
RANSOMWARE EXPLOITS TWO-YEAR-OLD VULNERABILITY
Several system administrators, hosting providers and even several national CERTs are warning of numerous attacks targeting unpatched VMware ESXi servers.
The main problem is the exploitation of a vulnerability disclosed in February 2021, CVE-2021-21974, with a CVSS score of 8.8 out of 10.
Despite its seriousness, and although two years have passed since its disclosure and patches and mitigations exist, many machines are still vulnerable.
Exposure is greatest when the ESXi host itself is reachable from the outside: the vulnerable component is the OpenSLP service on the hypervisor (port 427), not vCenter. Where patching must wait, VMware's published workaround is to disable the SLP service on the host.
AFFECTED RESOURCES
❌ ESXi v7.x prior to ESXi70U1c-17325551
❌ ESXi v6.7.x prior to ESXi670-202102401-SG
❌ ESXi v6.5.x prior to ESXi650-202102101-SG
For the time being, it is recommended to:
Apply the security patches and update your systems within a reasonable period of time.
CRITICAL VULNERABILITY - COHESITY
DATA INTEGRITY ISSUES AT RECOVERY TIME
If you have scheduled incremental-forever backups for file-based workloads on physical servers (Windows, Linux, AIX, Solaris), you may encounter data integrity issues at recovery time.
This is unlikely to occur, because the behavior only manifests after a new root path is added: once a new root path is entered, previously included paths may be missing from subsequent snapshots.
Modified data in existing paths is copied as expected. If you encounter this problem, you will need to run a full backup to recover all the data, which is only possible while the server is available and functioning.
AFFECTED RESOURCES
❌ Version 6.6.0d_u2 or earlier at the time the last full backup was performed.
❌ If you back up file-based workloads from physical servers.
❌ If you use the incremental-forever method (a full backup followed by all incremental runs).
❌ If you have added a parent directory to the data since the last full backup.
Versions 6.6.0d_u3 and higher have the solution applied.
For the time being, it is recommended to:
Proceed with updating to:
🔄 LTS version 6.6.0d_u6, and then perform a full backup.
🔄 If you have already upgraded to version 6.6.0d_u3 or higher, schedule a full backup for all relevant jobs at least once so that the behavior is not carried over after the upgrade.
For more specific information about the cluster version ⇢ KB article
CRITICAL VULNERABILITY - Fortinet & Exchange 0-day
This section covers two vulnerabilities detected in the last few hours.
CRITICAL VULNERABILITY - Buffer overflow in Fortinet products
On 12/23/2022, a 0-day heap-based buffer overflow vulnerability (critical, the highest severity level) was reported in Fortinet products; exploiting it could allow a remote, unauthenticated attacker to execute arbitrary code via malicious requests. The vulnerable component is the SSL-VPN service, so devices with SSL-VPN disabled are not exposed.
The vulnerability has been assigned the identifier CVE-2022-42475.
AFFECTED RESOURCES
❌ FortiOS, versions:
⇢ from 7.2.0 to 7.2.2;
⇢ from 7.0.0 to 7.0.8;
⇢ from 6.4.0 to 6.4.10;
⇢ from 6.2.0 to 6.2.11;
[Update 12/23/2022]
⇢ from 6.0.0 to 6.0.15;
⇢ from 5.6.0 through 5.6.14;
⇢ from 5.4.0 through 5.4.13;
⇢ from 5.2.0 through 5.2.15;
⇢ from 5.0.0 through 5.0.14;
❌ FortiOS-6K7K, versions:
⇢ from 7.0.0 to 7.0.7;
⇢ from 6.4.0 through 6.4.9;
⇢ from 6.2.0 through 6.2.11;
⇢ from 6.0.0 through 6.0.14;
[Update 12/23/2022]
❌ FortiProxy, versions:
⇢ from 7.2.0 to 7.2.1;
⇢ from 7.0.0 through 7.0.7;
⇢ from 2.0.0 through 2.0.11;
⇢ from 1.2.0 through 1.2.13;
⇢ from 1.1.0 through 1.1.6;
⇢ from 1.0.0 through 1.0.7.
For the time being, it is recommended to:
Proceed with upgrading to:
🔄 FortiOS:
⇢ 7.2.3;
⇢ 7.0.9;
⇢ 6.4.11;
⇢ 6.2.12;
⇢ [Update 12/23/2022] 6.0.16.
🔄 FortiOS-6K7K:
⇢ 7.0.8 (upcoming release);
⇢ 6.4.10;
⇢ 6.0.15;
[Upgrade 23/12/2022]
🔄 FortiProxy:
⇢ 7.2.2;
⇢ 7.0.8;
⇢ 2.0.12 (upcoming release).
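The two Fortinet alerts on this page (this one and the March 2023 one above) list affected and fixed versions per branch, and the check most administrators actually need is: given the line from `get system status`, which advisory still applies and which release fixes it. The following Python script is an added example, not Fortinet's own tooling. Its ranges are transcribed from this page; the FortiOS-6K7K affected ranges for the March 2023 advisory, which the page does not list, are assumed to be everything below the fixed release on each branch, and the `get system status` line format is assumed for illustration.

```python
"""Check a FortiOS / FortiOS-6K7K / FortiProxy version against the affected
ranges transcribed from the two Fortinet alerts on this page."""
import re

# (low, high, fixed) per product, inclusive. high "x.y.*" = the whole branch;
# fixed None = no fixed release is listed for that branch, so migrate off it.
ADVISORIES = {
    "Dec 2022 heap-based buffer overflow (CVE-2022-42475)": {
        "FortiOS": [("7.2.0", "7.2.2", "7.2.3"), ("7.0.0", "7.0.8", "7.0.9"),
                    ("6.4.0", "6.4.10", "6.4.11"), ("6.2.0", "6.2.11", "6.2.12"),
                    ("6.0.0", "6.0.15", "6.0.16"), ("5.6.0", "5.6.14", None),
                    ("5.4.0", "5.4.13", None), ("5.2.0", "5.2.15", None),
                    ("5.0.0", "5.0.14", None)],
        "FortiOS-6K7K": [("7.0.0", "7.0.7", "7.0.8"), ("6.4.0", "6.4.9", "6.4.10"),
                         ("6.2.0", "6.2.11", None), ("6.0.0", "6.0.14", "6.0.15")],
        "FortiProxy": [("7.2.0", "7.2.1", "7.2.2"), ("7.0.0", "7.0.7", "7.0.8"),
                       ("2.0.0", "2.0.11", "2.0.12"), ("1.2.0", "1.2.13", None),
                       ("1.1.0", "1.1.6", None), ("1.0.0", "1.0.7", None)],
    },
    "Mar 2023 critical advisory (RCE / DoS)": {
        "FortiOS": [("7.2.0", "7.2.3", "7.2.4"), ("7.0.0", "7.0.9", "7.0.10"),
                    ("6.4.0", "6.4.11", "6.4.12"), ("6.2.0", "6.2.12", "6.2.13"),
                    ("6.0.0", "6.0.*", None)],
        # Assumption: the page lists only fixed 6K7K releases for this advisory,
        # so everything below the fix on each branch is treated as affected.
        "FortiOS-6K7K": [("7.0.0", "7.0.9", "7.0.10"), ("6.4.0", "6.4.11", "6.4.12"),
                         ("6.2.0", "6.2.12", "6.2.13")],
        "FortiProxy": [("7.2.0", "7.2.2", "7.2.3"), ("7.0.0", "7.0.8", "7.0.9"),
                       ("2.0.0", "2.0.11", "2.0.12"), ("1.2.0", "1.2.*", None),
                       ("1.1.0", "1.1.*", None)],
    },
}

_VER = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract the first x.y.z from a bare string or from a 'get system status'
    line such as 'Version: FortiGate-100F v7.0.8,build0523,221110 (GA)'."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def _in_range(ver, low, high):
    if high.endswith(".*"):  # the whole x.y branch is affected
        branch = tuple(int(p) for p in high[:-2].split("."))
        return ver[:2] == branch
    return parse_version(low) <= ver <= parse_version(high)


def check(product, version_text):
    """List (advisory, fixed_version) for every advisory affecting this product
    version; fixed_version None means no fix on that branch, migrate instead."""
    ver = parse_version(version_text)
    return [(adv, fixed)
            for adv, products in ADVISORIES.items()
            for low, high, fixed in products.get(product, [])
            if _in_range(ver, low, high)]


if __name__ == "__main__":
    for product, status in [("FortiOS", "Version: FortiGate-100F v7.0.8,build0523,221110 (GA)"),
                            ("FortiProxy", "2.0.12"), ("FortiOS", "6.0.16")]:
        hits = check(product, status)
        print(product, parse_version(status), "->", hits or "not affected")
```

A device on 7.0.8 is hit by both advisories and needs 7.0.10 (the higher of the two fixes), while 6.0.16 closes the December issue but is still inside the "all 6.0 versions" range of the March one, so the only answer there is a branch migration.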
CRITICAL VULNERABILITY - Microsoft Exchange Server
As of 12/23/2022, Microsoft is investigating two 0-day vulnerabilities (critical, the highest severity level) affecting Microsoft Exchange Server; chained together, they could allow a remote attacker who can authenticate to the server to execute arbitrary code via malicious requests.
The first is a Server-Side Request Forgery (SSRF) vulnerability; the second allows remote code execution (RCE) when the attacker can reach PowerShell.
There is currently no update or security patch available to fix these vulnerabilities.
The vulnerability is described in this article.
Exchange Online customers are not affected; the risk is for on-premises Exchange, in particular where Outlook Web App is exposed to the Internet.
AFFECTED RESOURCES
❌ Exchange Server 2013;
❌ Exchange Server 2016;
❌ Exchange Server 2019;
Microsoft recommends applying a series of mitigation measures in the meantime and reminds customers of the importance of keeping systems and applications up to date.
CRITICAL VULNERABILITY - VMware Horizon
This is a variant of the Log4Shell attack covered in the Log4j alert below, which in this case exploits the vulnerable Log4j library in the "VMware Horizon View Blast Secure Gateway" service to execute a script that invokes Horizon's own nssm.exe.
nssm.exe is a legitimate binary that ships with Horizon; the problem is that the malicious invocation is not controlled by the application.
For the time being, it is recommended to:
🔂 Upgrade Connection Servers to version 2111 or 7.13.1
🔂 Update affected agents.
CRITICAL VULNERABILITY - Log4j in Apache
This library is used all over the world, and the vulnerability affects a very large number of products.
Specifically, all versions of Apache log4j-core from 2.0-beta9 up to and including 2.14.1 are affected.
- If possible, upgrade Log4j directly to version 2.15.0 or higher (later Log4j advisories raised the recommended floor further; check the current Apache guidance when you upgrade).
- Between versions 2.10 and 2.14.1, the impact can be reduced by setting the system property log4j2.formatMsgNoLookups=true; this mitigation was later shown to be incomplete, so prefer upgrading or removing the class.
- Between versions 2.0-beta9 and 2.10.0, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Check whether any of your products are affected in the published list of affected products.
- Over the next few days, watch for announcements and new patches from your suppliers.
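To act on the steps above you first need to know where log4j-core actually is, including copies buried inside application archives. The following Python scanner is an added example, not Apache's code: it walks a directory, opens jar/war/ear files (recursing into nested archives), reads the version from log4j-core's Maven pom.properties, checks whether JndiLookup.class is still present, and classifies each copy against the thresholds in this alert (2.14.1 or lower affected, 2.15.0 or higher fixed, class removed mitigated). The archives it builds in a temporary directory are constructed fixtures with placeholder class bytes, not real log4j jars.

```python
"""Locate log4j-core inside jar/war/ear files (including jars nested in
fat jars) and classify each copy using the rules in the alert above."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

VULNERABLE = "VULNERABLE: log4j-core <= 2.14.1 with JndiLookup present"
MITIGATED = "mitigated: JndiLookup.class removed"
PATCHED = "patched: log4j-core >= 2.15.0"
UNKNOWN = "log4j-core found but version unknown: review manually"


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1). Pre-release tags fold into the third number
    ('2.0-beta9' -> (2, 0, 9)), which is fine for the 2.14.1 / 2.15.0 cut."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version, has_jndi):
    if not has_jndi:
        return MITIGATED
    if version is None:
        return UNKNOWN
    return VULNERABLE if version_tuple(version) <= (2, 14, 1) else PATCHED


def inspect_archive(data, label, findings, depth=0):
    """Record (label, version, has_jndi) for this archive, then recurse into
    any archive it contains (fat jars, WEB-INF/lib inside wars, ...)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is not None or JNDI_CLASS in names:
        findings.append((label, version, JNDI_CLASS in names))
    if depth < 5:  # bounded recursion: do not follow nested archives forever
        for inner in sorted(names):
            if inner.endswith(ARCHIVES):
                inspect_archive(zf.read(inner), f"{label}!{inner}", findings, depth + 1)


def scan(root):
    """Walk root and return {archive_label: status} for every log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), os.path.relpath(path, root), findings)
    return {label: classify(ver, jndi) for label, ver, jndi in findings}


def make_archive(entries):
    """Constructed fixture: an in-memory zip with the given {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def log4j_core(version, with_jndi=True):
    """Constructed fixture shaped like log4j-core; the class bytes are a placeholder."""
    entries = {POM_PROPS: f"version={version}\n".encode()}
    if with_jndi:
        entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"
    return make_archive(entries)


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return the report."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    os.makedirs(os.path.join(root, "lib"))
    fixtures = {
        os.path.join("lib", "log4j-core-2.14.1.jar"): log4j_core("2.14.1"),
        os.path.join("lib", "log4j-core-2.14.1-stripped.jar"): log4j_core("2.14.1", with_jndi=False),
        "app.war": make_archive({"WEB-INF/lib/log4j-core-2.15.0.jar": log4j_core("2.15.0")}),
    }
    for rel, data in fixtures.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return scan(root)


if __name__ == "__main__":
    for label, status in sorted(demo().items()):
        print(f"{status:55} {label}")
```

The "patched" label is relative to this alert's 2.15.0 floor only; treat the later Apache advisories as authoritative for the version you actually upgrade to.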
QNAP fixes four vulnerabilities
On 4/10/2021, QNAP announced that 4 vulnerabilities have been fixed, 2 of them of HIGH severity. They allow attackers to perform cross-site scripting (XSS) attacks and inject code for malicious purposes.
The affected devices are:
QNAP EOL devices (discontinued products) running QVR
- Versions prior to 5.1.5 build 20210902
QNAP NAS devices running Photo Station
- Versions Prior to 6.0.18
- Versions Prior to 5.7.13
- Versions Prior to 5.4.10
QNAP NAS devices running Image2PDF
- Versions Prior to 2.15
WARNING!
Check the firmware status of the device, as well as the support status of the affected applications.
The official security note published by INCIBE explains a workaround to mitigate this vulnerability.
To upgrade QVR:
- Log in to QVR as administrator.
- Go to "Control Panel > System Settings > Firmware Update".
- Under "Live Update", click "Check for Update".
- The latest available QVR update is downloaded and installed.
To upgrade Photo Station or Image2PDF:
- Log in to QTS or QuTS hero as administrator.
- Open the App Center and click the magnifying glass icon; a search box appears.
- Type "Photo Station" or "Image2PDF" and press ENTER.
- Click Update; a confirmation message appears.
- Note: the Update button is not available if the application is already up to date.
- Click OK; the application is now updated.
At Encora we are experts in cybersecurity and we can help you solve this and other problems in your company.
CRITICAL VULNERABILITY
MICROSOFT WINDOWS (CVE-2021-40444)
Microsoft is investigating a remote code execution (RCE) vulnerability in MSHTML, the rendering engine of Internet Explorer, which is being actively exploited and affects Microsoft Windows through specially crafted Microsoft Office documents.
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.
The attacker therefore has to convince the user to open the malicious document.
Users whose accounts are configured with fewer rights on the system are less affected than those operating with administrator rights.
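The crafted documents described above work by pointing an OLE object relationship at an external URL, so that Office hands the content to MSHTML instead of reading an embedded object. The following Python triage script is an added example, not Microsoft's tooling: it unpacks an Office Open XML file, lists every oleObject relationship whose TargetMode is External, and rates the document higher when the target uses the mhtml:/x-usc: URL shape that public analyses of in-the-wild samples reported (a detail taken from those reports, not from this page). The two documents it builds are constructed fixtures with a placeholder host, not real samples.

```python
"""Triage an Office Open XML document for OLE objects loaded from an external
URL rather than embedded in the package."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

CLEAN = "clean: no external OLE objects"
SUSPICIOUS = "suspicious: OLE object loaded from an external target"
HIGH = "high: external OLE object using the mhtml:/x-usc: pattern"


def external_ole_targets(docx_bytes):
    """Return [(rels_part, rel_id, target)] for oleObject relationships with
    TargetMode="External"; embedded objects (no TargetMode) are skipped."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == OLE_TYPE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def triage(docx_bytes):
    """CLEAN, SUSPICIOUS (any external OLE target) or HIGH (the reported URL shape)."""
    hits = external_ole_targets(docx_bytes)
    if not hits:
        return CLEAN
    targets = [t.lower() for _, _, t in hits]
    if any(t.startswith("mhtml:") or "!x-usc:" in t for t in targets):
        return HIGH
    return SUSPICIOUS


def make_docx(ole_target, external):
    """Constructed fixture: only the package parts this check reads."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId5" Type="{OLE_TYPE}" Target="{ole_target}"{mode}/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# A normal embedded object lives inside the package and has no TargetMode.
BENIGN = make_docx("embeddings/oleObject1.bin", external=False)
# Placeholder host; the shape mirrors what public analyses of the samples reported.
MALICIOUS = make_docx("mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html",
                      external=True)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("crafted", MALICIOUS)):
        print(label, "->", triage(doc), external_ole_targets(doc))
```

Any external OLE target is worth a look even without the mhtml: prefix: legitimate documents embed their objects, they do not fetch them from a URL at open time.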
Affected Versions:
For both 32-bit and 64-bit systems:
- Windows 10 and versions 1607, 1809, 1909, 2004, 20H2 and 21H1
- Windows 7 Service Pack 1
- Windows 8.1
- Windows Server 2008 Service Pack 2 and 2008 Service Pack 2 (Server Core installation)
For 64-bit systems:
- Windows Server 2008 R2 Service Pack 1 and 2008 R2 Service Pack 1 (Server Core installation)
- Windows Server 2012 and 2012 R2, also for Server Core installations
- Windows Server 2016, 2019 and 2022, also for Server Core installations
- Windows Server, version 2004 (Server Core installation) and version 20H2 (Server Core installation)
For ARM64 systems:
- Windows 10 versions 1809, 1909, 2004, 20H2 and 21H1
- Windows RT 8.1
Microsoft has not yet released an update to fix the vulnerability.
Until it is published, here are some preventive actions:
- Open Microsoft Office documents downloaded from the Internet in Protected View mode (the default for files marked as coming from the Internet); the attack has no effect in Protected View.
- Update and enable Microsoft Defender, which provides detection and protection for this vulnerability.
If you do not use Microsoft Defender, keep your antivirus up to date.
The official security note published by Microsoft explains a workaround to temporarily mitigate this vulnerability.
Note that this involves modifying the Windows registry and restarting the system.
⚠️ WARNING! ⚠️
Using the registry editor incorrectly can cause serious problems that may require reinstalling the operating system. In this particular case, the modifications indicated by Microsoft should have no side effects, since they only affect Internet Explorer.