CyberScotland Bulletin

Microsoft released its monthly security update on Tuesday 8^th March 2022, patching 71 issues across its suite of products.

This Patch Tuesday, the breakdown of vulnerabilities includes 3 Critical issues, with the remaining being labelled as Important. No vulnerabilities this time around have been found to be actively exploited, although 3 of them were known publicly at the time of release.

The 3 critical vulnerabilities addressed relate to remote code execution flaws were:

• CVE-2022-22006 – Affects HEVC Video Extensions
• CVE-2022-23277 – Affects Microsoft Exchange Server
• CVE-2022-24501 – Affects VP9 Video Extensions

As reported by The Hacker News, this month’s patches address 29 remote code execution vulnerabilities, 6 information disclosure vulnerabilities, 4 denial-of-service vulnerabilities, 3 security feature bypass vulnerabilities, 3 spoofing vulnerabilities, and 1 tampering vulnerability.

A full list of Microsoft’s March 2022 patches can be found here: Microsoft Security Response Center

According to QNAP, a local privilege escalation vulnerability named DirtyPipe has been found to affect the Linux Kernel on “all QNAP x86-based NAS and some QNAP ARM-based NAS running QTA 5.0.x and QuTS hero h5.0.x”. The organisation also stated that “if exploited, this vulnerability allows an unprivileged user to gain administration privileges and inject malicious code”.

The CVE is being tracked as CVE-2022-0847. According to The Hacker News, the issue is high risk as it allows numerous malicious actions to be conducted on the system. These include tampering with sensitive files like /etc/passwd, adding SSH keys for gaining remote access, and executing arbitrary binaries with the highest privileges.

According to IONOS software developer Max Kellerman, this vulnerability has been fixed in Linux versions 5.16.11, 5.15.25, and 5.10.102.

This Tuesday, Microsoft confirmed the extortion hacking gang LAPSUS$ gain “limited access” to the organisation’s systems. Okta confirmed that “approximately 2.5%” of their customers have been potentially impacted by the breach. As reported by the Microsoft Threat Intelligence Center (MSTIC), none of their customer code or data was involved in the observed actions by the hacking group. Previously, the LAPSUS$ hacker group have compromised other large organisations such as Nvidia and Samsung.

To mitigate these threats for other organisations, Microsoft is recommending that multi-factor authentication is mandated, that organisations make use of authentication options such as OAuth or SAML, review individual sign-ins on systems in search of anomalous activity, and finally, monitor incident response communications for unauthorised attendees.

Further information on the incidents involving Okta and Microsoft can be found here: ThreatPost

On March 15^th, the OpenSSL Security Advisory addressed a high rated vulnerability in a security update, among other general fixes.

The vulnerability, tracked as CVE-2022-0778, relates to a program loop that had the potential to iterate infinitely. This led to hanging up the program using the offending code, which caused a denial-of-service (DoS) condition. This term refers to when systems or servers are overloaded with data or access requests, rendering the service unusable.

To mitigate this issue, upgrade to the latest version of OpenSSL, which fixes this issue. Detailed information on how the vulnerability works, including information on how programmers can avoid this issue, can be found on Naked Security by SOPHOS.

The Cyber Security Information Sharing Partnership is a joint initiative between government and industry to share cyber threat information in a secure and confidential environment.

Organisations that are proactive in their approach for the management and handling of cyber security should consider joining CiSP to keep up with emerging threats.

Your organisation can register to join CiSP here. If your organisation is looking for a sponsor please contact the the Scottish Government’s Cyber Resilience Unit at cyberresilience@gov.scot

When your organisation has joined, you can register as an individual here.