On April 3, 2020, Mozilla announced that it had released security updates to patch critical vulnerabilities found in both Firefox and Firefox Extended Support Release (ESR) by security researchers with JMP Security.

Both vulnerabilities are race conditions that can lead to a use-after-free. The first, CVE-2020-6819, is a race condition that can occur when the nsDocShell destructor runs under certain conditions. The second, CVE-2020-6820, is a race condition in the handling of a ReadableStream under certain conditions.

According to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s United States Computer Emergency Readiness Team (US-CERT) program, “an attacker could exploit these vulnerabilities to take control of an affected system.”

“Both bugs…allow remote attackers to execute arbitrary code or trigger crashes on machines running versions of Firefox prior to 74.0.1 and its business-friendly Firefox Extended Support Release 68.6.1,” a researcher at ThreatPost said.

Mozilla said that it is aware of targeted attacks in the wild that abuse both vulnerabilities.

One of the researchers who discovered the vulnerabilities, Francisco Alonso, tweeted that “there is still lots of work to do and more details to be published (including other browsers). Stay tuned.”

It is highly recommended that all Firefox users download and apply the latest patches in order to protect themselves from exploitation of these critical vulnerabilities.
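One way to check an endpoint inventory against the fixed versions named above (Firefox 74.0.1 and Firefox ESR 68.6.1) is a small version-triage script. The following is an added Python example, not code from the original post or from Mozilla; it assumes version strings in the form printed by `firefox --version` ("Mozilla Firefox 74.0.1") or a bare `major.minor[.patch][esr]` string, and the host names and versions in SAMPLE_INVENTORY are constructed sample data.

```python
import re

# Fixed releases named in the post: Firefox 74.0.1 and Firefox ESR 68.6.1.
FIXED_RELEASE = (74, 0, 1)
FIXED_ESR = (68, 6, 1)

# major.minor[.patch] with an optional "esr" channel suffix (e.g. 68.6.0esr).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Parse a Firefox version such as '74.0', '74.0.1' or '68.6.0esr'.

    Accepts the full output of `firefox --version` as well as a bare version
    string. Returns ((major, minor, patch), is_esr); a missing patch is 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_vulnerable(text):
    """True if the build predates the fix on its own channel (release or ESR)."""
    version, is_esr = parse_version(text)
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    return version < fixed


# Constructed sample data (hostname -> `firefox --version` output), not from the post.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 74.0",
    "ws-02": "Mozilla Firefox 74.0.1",
    "ws-03": "Mozilla Firefox 68.6.0esr",
    "ws-04": "Mozilla Firefox 68.6.1esr",
    "ws-05": "Mozilla Firefox 73.0.1",
}


def triage(inventory):
    """Return the hosts whose Firefox build is still exposed, in inventory order."""
    return [host for host, ver in inventory.items() if is_vulnerable(ver)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the April 3 update")
```

The ESR suffix matters: 68.6.1esr is patched even though 68 is lower than 74, so a plain numeric comparison against 74.0.1 would wrongly flag every ESR install and hide nothing, while comparing ESR builds against the wrong fixed version would miss 68.6.0esr.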

For additional information, please see the following sources:

Mozilla. Mozilla Foundation Security Advisory 2020-11. April 3, 2020. hXXps://www.mozilla.org/en-US/security/advisories/mfsa2020-11/

Mozilla. Firefox Update. April 3, 2020. hXXps://support.mozilla.org/en-US/kb/update-firefox-latest-release

DHS CISA US-CERT. Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR. April 3, 2020. hXXps://www.us-cert.gov/ncas/current-activity/2020/04/03/mozilla-patches-critical-vulnerabilities-firefox-firefox-esr

Tom Spring. Firefox Zero-Day Flaws Exploited in the Wild Get patched. April 4, 2020. hXXps://threatpost.com/firefox-zero-day-flaws-exploited-in-the-wild-get-patched/154466/

The E-ISAC has not established any specified threat to the electricity community based upon these vulnerabilities. However, as the information above and in the links indicates, the likelihood of adversarial action based upon this vulnerability is high. If this or any other adversarial action is experienced, contact the E-ISAC Watch Operations Team [mailto:operations[@]eisac.com], and create a Portal Post for instant community awareness.

The Federal Bureau of Investigation (FBI) has released an article [hXXps://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic] on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when the attacks target the Zoom VTC platform). Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI has released this guidance in response to an increase in reports of VTC hijacking.

The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the FBI article as well as the following steps to improve VTC cybersecurity:

CISA also recommends the following VTC cybersecurity resources:

This is an updated novel coronavirus (or COVID-19) Resource Guide for the electric power industry. This living document was developed under the direction of the Electricity Subsector Coordinating Council (ESCC), with participation from all segments of the industry and the natural gas sector. It provides information and options to consider when making localized decisions in response to the current global health emergency.

The spread of the global pandemic COVID-19 has resulted in many organizations adopting work-from-home policies. This shift to an entirely remote workforce may be new for many businesses, which means they could lack the processes, policies, and technologies required for business continuity. To assist businesses in creating a secure remote workforce, SANS published a “Securely Working From Home Deployment Kit,” which can be found here [hXXps://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit?utm_medium=Email&utm_source=HL&utm_content=SANS+Resources+WFH+deployment+kit&utm_campaign=SANS+Resources].

On Friday, March 13, the President of the United States (POTUS) held a news conference regarding the global pandemic COVID-19 and declared a national emergency. This declaration will open up $60 billion to help the fight against the virus. Every state has been requested to set up Emergency Operations Centers and every hospital in the United States is activating emergency preparedness plans to meet the needs of Americans everywhere. The declaration also allows officials at the Department of Health and Human Services the ability to waive laws to enable telehealth so that remote doctor visits are feasible. The National Guard has said that it will deploy a maximum of 1,000 troops in six states by the end of the day (Friday). The Guard is also evaluating military bases across the country to use for “isolation housing” to stock medical supplies.

An announcement was made regarding a new partnership with the private sector to increase the capacity to test for COVID-19. 1.4 million tests are to be available next week and 5 million within a month. Pharmacies and retailers are planning to make drive-through tests available in critical locations so that individuals are able to get tested for the virus while remaining in their vehicles. Google is in the process of developing a website to determine whether or not a test is warranted and, if so, to facilitate testing at a convenient location. Labs are to provide results within 24-36 hours after testing. On Sunday evening, the public will receive specific guidance on when the website will be operational.

The President also announced a few emergency Executive actions that have been implemented, such as waiving interest on all student loans held by federal government agencies. Based on the price of oil, the Secretary of Energy has also purchased large quantities of crude oil for storage in the U.S. strategic reserve. Ultimately, these measures aim to save the American taxpayer billions of dollars, improve the oil industry, and help establish energy independence. When questioned about other specific targeted measures that the Administration is taking, the President stated that a report will be released in two hours regarding additional steps.

When questioned on the President’s photograph with an individual who tested positive for COVID-19, he stated that he has no symptoms. When asked how long the American people will have to remain in an emergency state, the President stated that it is impossible to predict the time element.

Microsoft issued a public advisory yesterday in light of the need for many companies to suddenly shift to an increase in employees working from home in response to the global pandemic COVID-19. The article highlighted the importance of remaining productive without increasing cyber security risk. Some considerations highlighted include implementing official chat tools to allow for a proper communication channel for the workforce, utilization of Azure AD Conditional Access [hXXps://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview] to secure access to cloud applications, and the Azure AD Application Proxy [hXXps://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-proxy] for publishing on-premises applications for remote availability.

Due to the increase in remote work, it is highly likely that organizations will also see an increase in personal devices accessing company data. Using Azure AD Conditional Access and Microsoft Intune app protection policies [hXXps://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-conditional-access] together can help manage and protect corporate data in approved applications on these personal devices. One of the best ways to improve security for employees working from home is to use multi-factor authentication, for example Windows Hello biometrics and smartphone authentication apps like Microsoft Authenticator.

For the full report by Microsoft, please visit: hXXps://www.microsoft.com/security/blog/2020/03/12/support-working-from-home-securely/

E-ISAC Update – March 13, 2020

In coordination with NERC, the E-ISAC continues to track the evolving situation with regard to COVID-19. The E-ISAC is monitoring cyber and physical security issues related to coronavirus and encourages industry to continue sharing information related to grid security issues.

At this point, the E-ISAC is limiting all non-essential travel for staff, encouraging full-time telework, and is restricting visitors to our offices. Through these unprecedented times, the E-ISAC continues to serve the electricity industry to support information sharing, and reduce cyber and physical risk to the North American power grid.

On March 12, NERC posted an announcement [hXXps://www.nerc.com/news/Headlines%20DL/Coronavirus%20Impacts%2011MAR20_final.pdf] on steps it is taking to prevent the impact of the coronavirus. This includes links to the Level 2 NERC Alert [hXXps://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/NERC_Alert_R-2020-03-10-01_COVID-19_Pandemic_Contingency_Planning.pdf] issued on March 10 and ESCC Guidance [hXXps://images.magnetmail.net/documents/clients/EEI_/2020-03/ovodrzgn.2mp/ESCC_Coronovirus_Resource_Guide_031020.pdf] “Assessing and Mitigating the Novel Coronavirus [COVID-19].”

We are committed to the safety and security of our industry members and government and cross-sector partners and will continue to work with you to share information, best practices, and lessons learned.

Additional Resources

Visit the CDC [hXXps://www.cdc.gov/coronavirus/2019-ncov/index.html] and World Health Organization (WHO) [hXXps://www.who.int/emergencies/diseases/novel-coronavirus-2019] for the latest health information.

Find out more about the U.S. Government response [hXXps://www.usa.gov/coronavirus] to coronavirus including international travel restrictions, how you can prepare for coronavirus, and what the U.S. government is doing to respond.

Check out guidance from the Department of Homeland Security on risk management [hXXps://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus.pdf] and ongoing DHS Coronavirus News and Updates [hXXps://www.dhs.gov/coronavirus-news-updates].

For additional questions for the E-ISAC, contact us at Operations[@]eisac.com [mailto:Operations[@]eisac.com] or memberservices[@]eisac.com [mailto:memberservices[@]eisac.com]

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has issued a document describing steps for company executives to consider in order to reduce physical, cyber, and supply chain issues resulting from COVID-19. The document is intended for widest distribution and may assist in preparing for any potential impacts to your company.

The document is attached to this post for your convenience. It is important to note that it was distributed broadly to critical infrastructure owners and operators and is not specifically aimed at our industry.

Summary

According to theregister.co.uk [hXXps://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/], researchers at Singapore University disclosed 12 security vulnerabilities affecting certain Bluetooth Low Energy (BLE) software development kits (SDKs) from system-on-a-chip (SoC) vendors. The vulnerabilities may allow attackers to “crash or… bypass pairing security to gain arbitrary read and write access to device functions.” Proof-of-concept code and a video demonstrating the crash of a device (a Fitbit) are publicly available.

Analysis

The Register article quoted Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang with the following statement: "SWEYNTOOTH potentially affects IoT products in appliances such as smart-homes, wearables and environmental tracking or sensing." Their full research paper can be found here [hXXps://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf].

Patches have been made available for some of the devices that are known to be vulnerable.

The E-ISAC recommends that members evaluate the BLE-enabled IoT devices in use that may be vulnerable. Below is a list of the CVEs released with the research:

Vulnerability | CVE(s) | Vendor
Link Layer Length Overflow | CVE-2019-16336 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16336], CVE-2019-17519 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17519] | Cypress, NXP
LLID Deadlock | CVE-2019-17061 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17061], CVE-2019-17060 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17060] | Cypress, NXP
Truncated L2CAP | CVE-2019-17517 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17517] | Dialog
Silent Length Overflow | CVE-2019-17518 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17518] | Dialog
Public Key Crash | CVE-2019-17520 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17520] | Texas Instruments
Invalid Connection Request | CVE-2019-19193 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19193] | Texas Instruments
Invalid L2CAP Fragment | CVE-2019-19195 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19195] | Microchip
Sequential ATT Deadlock | CVE-2019-19192 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19192] | STMicroelectronics
Key Size Overflow | CVE-2019-19196 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19196] | Telink
Zero LTK Installation | CVE-2019-19194 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19194] | Telink

For the complete article with additional information, including proof-of-concept code and a video demonstrating the exploitation and crashing of a Fitbit device, please refer to the original article and research paper.

hXXps://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/

hXXps://asset-group.github.io/disclosures/sweyntooth/

hXXps://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf

hXXps://youtu.be/Iw8sIBLWE_w

On August 29, 2019, the cybersecurity firm Armis Security discovered five zero-day vulnerabilities in Cisco devices, collectively referred to as “CDPwn”, which could potentially impact tens of millions of devices. CDPwn consists of five Remote Code Execution vulnerabilities, as well as one Denial of Service vulnerability. The vulnerabilities lie in the Cisco Discovery Protocol (CDP), a Layer 2 networking protocol that Cisco devices use to gather information about devices connected to the same network. The CDPwn vulnerabilities could potentially be used to break network segmentation, exfiltrate corporate network traffic traversing an organization’s switches and routers, gain access to additional devices through man-in-the-middle attacks that intercept and alter traffic on the corporate switch, and exfiltrate sensitive information such as phone calls from IP phones and video feeds from IP cameras. Armis Security relayed information about CDPwn to Cisco soon after discovery.

On February 5, 2020, Cisco released patches for devices vulnerable to CDPwn exploitation. Cisco said that it is not aware of any malicious use of CDPwn as of yet. To exploit the vulnerabilities, attackers would first need to establish a foothold inside a target’s network, and then hop from device to device (via CDPwn exploitation) to gain significant access to and/or control over a network and potentially execute code or cause denial of service.

Many of the vulnerable Cisco products—such as desk phones, web cameras, and network switches—do not auto-update, and need manual patching to receive protection. Enterprise switches and routers are often behind on patches and updates due to avoidance of network downtime. CDP is implemented in virtually all Cisco products, including switches, routers, IP phones and cameras. All those devices ship from the factory with CDP enabled by default. According to Cisco, over 95 percent of Fortune 500 companies use Cisco Collaboration solutions.

Cisco device owners should look up whether or not their devices are listed by Cisco as being susceptible to CDPwn exploitation by going to Cisco’s website. If they are listed as containing CDPwn vulnerabilities, device owners should immediately download and manually install patches from Cisco’s website. Routine updates are recommended for all Cisco devices in order to avoid possible exploitation by malicious actors relying on utilizing unpatched devices as attack vectors for infiltrating enterprise systems.

The following fix action is recommended for Cisco device owners: please refer to the “Affected Products” section of the attached “CISCO CDP vulnerability for DoS.pdf” to determine whether or not your device(s) are listed as having CDPwn vulnerabilities and, if so, refer to the “Fixed Releases” section, and download and install the patch for the device. A table containing both the affected device series and links to their respective vulnerability patch instructions has been included below.

Recommendation: Partners and Client organizations should have cyber security teams determine which affected devices they have and patch accordingly.

Recommendation: Update Cisco devices more frequently.
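Because the post notes that CDP ships enabled by default on virtually every Cisco product, a cyber security team working through the patch list above needs to know which devices and interfaces actually have CDP active so it can order the manual patching. The following is an added Python example, not code from the post, from Armis or from Cisco; it audits IOS-style running-config text using the IOS commands `no cdp run` (global) and `no cdp enable` (per interface), treats anything else as the factory default of CDP enabled, and skips interfaces that are administratively `shutdown`. The hostnames and configs in SAMPLE_CONFIGS are constructed, and NX-OS and IOS XR configuration syntax differs from what is parsed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CdpAudit:
    hostname: str
    cdp_global: bool                                         # False only if 'no cdp run' is present
    cdp_interfaces: List[str] = field(default_factory=list)  # interfaces still sending CDP


def audit_cdp(config_text: str) -> CdpAudit:
    """Return which interfaces in an IOS-style running-config still have CDP active.

    Assumptions (this example, not Cisco documentation): CDP is on globally
    unless the config contains 'no cdp run', and on every interface unless the
    interface block contains 'no cdp enable' or 'shutdown'. Lines inside an
    interface block are indented by one space, as IOS prints them.
    """
    hostname = "unknown"
    cdp_global = True
    current = None
    interface_state: Dict[str, bool] = {}

    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # comments / section separators
        if line.startswith(" "):
            # indented line: belongs to the current interface block, if any
            if current is not None and line.strip() in ("no cdp enable", "shutdown"):
                interface_state[current] = False
            continue
        # unindented top-level command: leaves any interface block
        current = None
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line == "no cdp run":
            cdp_global = False
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interface_state.setdefault(current, True)

    active = [name for name, on in interface_state.items() if on] if cdp_global else []
    return CdpAudit(hostname, cdp_global, active)


# Constructed sample configs (hostname -> running-config text), not real devices.
SAMPLE_CONFIGS = {
    "access-sw-01": """\
!
hostname access-sw-01
!
interface GigabitEthernet1/0/1
 description IP phone at user desk
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description guest wireless uplink
 no cdp enable
!
interface GigabitEthernet1/0/24
 description uplink to core
!
interface GigabitEthernet1/0/48
 shutdown
!
""",
    "lab-rtr-01": """\
!
hostname lab-rtr-01
no cdp run
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
""",
}


def prioritize(configs: Dict[str, str]) -> List[str]:
    """Order devices for patching: most CDP-active interfaces first."""
    audits = [audit_cdp(text) for text in configs.values()]
    audits.sort(key=lambda a: len(a.cdp_interfaces), reverse=True)
    return [a.hostname for a in audits]


if __name__ == "__main__":
    for text in SAMPLE_CONFIGS.values():
        print(audit_cdp(text))
    print("patch order:", prioritize(SAMPLE_CONFIGS))
```

A device that reports no CDP-active interfaces is still running the affected software and still belongs in the patch table below; the audit only orders the work so that switches with CDP active on many ports (the ones a foothold inside the network could reach first) are patched before lab or isolated gear.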

Affected Cisco Device(s) | Vulnerability Patch Instructions Link
IP Conference Phone 7832 | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96069
IP Conference Phone 7832 with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96060
IP Conference Phone 8832 | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96071
IP Conference Phone 8832 with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96064
IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96065; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96067
IP Phone 7811, 7821, 7841, 7861 Desktop Phones | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96739
IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96063
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96066; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96069
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96058; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96059
Unified IP Conference Phone 8831 | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96738
Unified IP Conference Phone 8831 for Third-Party Call Control | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96057
Wireless IP Phone 8821 and 8821-EX | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96070
Firepower 4100 series and Firepower 9300 security appliances | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15083
IOS XR software | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr150824
MDS 9000 Series Multilayer Switches | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073
Nexus 1000 Virtual Edge for VMware vSphere | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078
Nexus 1000V Switch for Microsoft Hyper-V | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr14976
Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15079
Nexus 7000 Series Switches | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073
Nexus 9000 Series Fabric Switches in ACI Mode | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15072
UCS 6200, 6300, and 6400 Series Fabric Interconnects | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15082; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15111