FEDORA-2022-613e993500
Packages in this update:
xorg-x11-server-1.20.14-9.fc36
Update description:
Security fix for CVE-2022-3550, CVE-2022-3551
xorg-x11-server-1.20.14-9.fc37
Security fix for CVE-2022-3550, CVE-2022-3551
It was discovered that PHP incorrectly handled certain gzip files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-31628)
It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to compromise the data.
(CVE-2022-31629)
It was discovered that PHP incorrectly handled certain image fonts.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.10, and Ubuntu 22.04 LTS.
(CVE-2022-31630)
Nicky Mouha discovered that PHP incorrectly handled certain SHA-3 operations.
An attacker could possibly use this issue to cause a crash
or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS,
Ubuntu 22.10, and Ubuntu 22.04 LTS. (CVE-2022-37454)
Mastodon is hot right now. After some years of only being used by geeks (yes, I’ve had an account for a while now) it’s at the tipping point of becoming mainstream. If you’re part of the exodus of users leaving Twitter for Mastodon, what are the security and privacy issues that you need to be aware of?
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for privilege escalation. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Depending on the privileges associated with the exploited component, an attacker who successfully exploits the most severe of these vulnerabilities could then install programs; view, change, or delete data; or create new accounts with full rights.
xorg-x11-server-Xwayland-21.1.4-3.fc35
Security fix for CVE-2022-3550, CVE-2022-3551
Maddie Stone discovered that pixman incorrectly handled certain memory
operations. A remote attacker could use this issue to cause pixman to
crash, resulting in a denial of service, or possibly execute arbitrary
code.
This technique measures device response time to determine distance:
The scientists tested the exploit by modifying an off-the-shelf drone to create a flying scanning device, the Wi-Peep. The robotic aircraft sends several messages to each device as it flies around, establishing the positions of devices in each room. A thief using the drone could find vulnerable areas in a home or office by checking for the absence of security cameras and other signs that a room is monitored or occupied. It could also be used to follow a security guard, or even to help rival hotels spy on each other by gauging the number of rooms in use.
There have been attempts to exploit similar WiFi problems before, but the team says these typically require bulky and costly devices that would give away attempts. Wi-Peep only requires a small drone and about $15 US in equipment that includes two WiFi modules and a voltage regulator. An intruder could quickly scan a building without revealing their presence.
Research paper.
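To make the ranging-and-localization step concrete, here is an added example in Python. It is not code from the Wi-Peep authors or their paper; it only illustrates the mechanism the excerpt describes: a station answers a frame after a fixed Short Interframe Space (SIFS), so the round-trip time minus SIFS gives a time of flight and hence a distance, and ranges taken from several drone positions can be combined by least-squares trilateration. The SIFS value (10 µs, the 2.4 GHz figure), the waypoint coordinates and the device position are assumptions constructed for illustration; real measurements carry clock jitter that must be averaged over many frames, which the example does not model.

```python
"""Wi-Peep-style localisation from Wi-Fi round-trip times (added example).

Not code from the Wi-Peep authors. SIFS, waypoints and the device position
are assumptions chosen for illustration; measurement jitter is not modelled.
"""
from typing import Sequence, Tuple

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0
# 802.11 Short Interframe Space: the fixed gap a station waits before it
# ACKs a frame. 10 us is the 2.4 GHz value; assumed here for illustration.
SIFS_US = 10.0

Point = Tuple[float, float, float]


def tof_distance_m(rtt_us: float, sifs_us: float = SIFS_US) -> float:
    """Distance from one round-trip time: frame out, SIFS at the target, ACK back."""
    flight_us = max(rtt_us - sifs_us, 0.0)  # clamp: jitter can push RTT below SIFS
    return flight_us * 1e-6 * SPEED_OF_LIGHT_M_PER_S / 2.0


def rtt_for_distance_us(distance_m: float, sifs_us: float = SIFS_US) -> float:
    """Inverse of tof_distance_m; used here only to construct sample data."""
    return 2.0 * distance_m / SPEED_OF_LIGHT_M_PER_S * 1e6 + sifs_us


def _solve3(a, b):
    """Gauss-Jordan elimination with partial pivoting for a 3x3 system."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    n = 3
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("anchor geometry is degenerate (e.g. all at one height)")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def trilaterate(anchors: Sequence[Point], distances: Sequence[float]) -> Point:
    """Least-squares position from >= 4 non-coplanar anchors and their ranges.

    Subtracting the sphere equation of anchor 0 from every other one cancels
    the quadratic term and leaves a linear system in (x, y, z).
    """
    if len(anchors) < 4 or len(anchors) != len(distances):
        raise ValueError("need at least four anchors with matching distances")
    x0, y0, z0 = anchors[0]
    d0 = distances[0]
    rows, rhs = [], []
    for (x, y, z), d in zip(anchors[1:], distances[1:]):
        rows.append([2 * (x - x0), 2 * (y - y0), 2 * (z - z0)])
        rhs.append((x * x + y * y + z * z) - (x0 * x0 + y0 * y0 + z0 * z0) - d * d + d0 * d0)
    # normal equations: (A^T A) p = A^T b
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
    atb = [sum(r[i] * v for r, v in zip(rows, rhs)) for i in range(3)]
    x, y, z = _solve3(ata, atb)
    return (x, y, z)


def localize_from_rtts(drone_positions: Sequence[Point], rtts_us: Sequence[float]) -> Point:
    """Full pipeline: RTT per drone waypoint -> range -> device position."""
    return trilaterate(drone_positions, [tof_distance_m(r) for r in rtts_us])


# Constructed scenario (not measured data): a device at (4, 3, 1) m and five
# drone waypoints at different heights so the geometry is not degenerate.
DEVICE = (4.0, 3.0, 1.0)
WAYPOINTS = [(0.0, 0.0, 2.0), (10.0, 0.0, 3.0), (0.0, 8.0, 4.0), (10.0, 8.0, 2.0), (5.0, 4.0, 6.0)]


def _true_distance(a: Point, b: Point) -> float:
    return sum((p - q) ** 2 for p, q in zip(a, b)) ** 0.5


SAMPLE_RTTS_US = [rtt_for_distance_us(_true_distance(w, DEVICE)) for w in WAYPOINTS]

if __name__ == "__main__":
    est = localize_from_rtts(WAYPOINTS, SAMPLE_RTTS_US)
    print("sample RTTs (us):", [round(r, 4) for r in SAMPLE_RTTS_US])
    print("estimated device position (m):", tuple(round(c, 3) for c in est))
```

Two details matter in practice. The round trip for a device a few metres away is only tens of nanoseconds on top of a 10 µs SIFS, so the subtraction is numerically delicate and hardware timestamp jitter dominates a single sample; that is why the drone in the excerpt sends "several messages to each device" rather than one. And the waypoints must not all lie at the same height, otherwise the linear system loses its z column and the solver raises rather than returning a meaningless answer.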
The cybersecurity industry has seen many recent trends. One common thread is the proliferation of multifactor authentication (MFA) to counter credential harvesting, driven largely by the increasingly legitimate-looking phishing campaigns threat actors have been running. Although some MFA tooling can be complex, proper authentication and authorization is an absolute fundamental that every enterprise should embrace.
Where should we start with fundamentals?
Let’s take a slightly more strategic look at this, though. A holistic approach to security requires a higher-level perspective. Your Process must be sound. Yes, that means policy-level guidance. Yes, that means standards need to be in place. Finally, it means that procedures giving employees more detailed guidance must be available.
Again, perspective is essential. Nobody wants to work on the process first. Indeed, I was guilty of having a negative view of process early in my career. Let’s take the first example and see how process might help. An enterprise policy statement might provide simple guidance that access to all company resources requires management approval (as a policy).
How does an enterprise define who needs access to specific resources? Glad you asked. Standards can be used to define data classification and the controls for accessing and protecting each category of data. An access control standard would also be appropriate to complement the data categories. So far, we have policy-level guidance plus data classification and access control standards, which together guide the controls necessary to govern access to company resources.
Where does the requirement for MFA live? That is a good question; my thoughts are that it most likely belongs in the standards area. However, requiring MFA could be a policy, standard, or process/procedure level requirement. The next reasonable question is: where do the requirements for implementing MFA belong? In authentic consultant manner, I would say: it depends. Take that with the lighthearted intention I meant it with. Implementing MFA may be a process/procedure used by IT. Why did I say “may be”?
The reality is that automation may handle this. It is possible that HR defines each employee’s role and an HR system feeds that, through an API, to the systems that provide authentication/authorization. Doesn’t that sound pleasantly streamlined?
More likely, things are not that automated. If they are, then kudos to your enterprise. Multiple processes and procedures are likely required before such automation can even be set up, but I think most of the folks reading this will understand where I’m going with this.
HR will have processes and procedures around defining roles and requesting implementation. IT will have processes and procedures focused on implementing the solution. The information security team will have processes and procedures for monitoring authentication/authorization mechanisms. The point is that Process is as important as the tool or technology chosen to meet the need. None of these documents state which tool or Technology to use, and that is the point: if you have policy guidance and standards that define the need, and processes to guide implementing MFA, then the Technology should be interchangeable. So the first fundamental, the one that should be the foundation, is sound process.
I spoke about various teams here (IT and HR). That is another fundamental: People. People need to understand the requirements. People need to understand their role, and people need to be part of the solution.
Finally, the last high-level fundamental is Technology. But I said Technology could be interchanged. Yes, in many cases it can, but it is still one of the three primary fundamentals required to manage and secure an enterprise. Are there differences in the technical solutions used for MFA? Certainly there are, and which Technology is used depends very much on your environment and on the resources that will be accessed using MFA.
OK, Cybersecurity 101 so far: People, Process & Technology. The title promises fundamentals for battling complex cybersecurity threats. Right you are! The introduction shows that People, Process and Technology are critical to managing and securing your environment (technology and facilities). Now let’s look at another group of three fundamentals: Prepare, Respond & Recover.
Prepare – How do you prepare for cyber threats? Based on the intro, it would be evident that having the correct people, process and technologies in place would be good preparation. Gold star for you if you were already thinking that. Let’s take a closer look.
How do you prepare for Ransomware? Let me answer that question with several other questions: Do you have an incident response plan (Process [Policy])? Do you have a playbook (Process [procedure]) that provides your IT or Security group guidance for identifying, containing, eradicating, responding, and recovering from a ransomware attack?
Do you have an endpoint detection and response (EDR) solution (Technology) that can help prevent or minimize the spread of malware? Do you have a standard for collecting inventory and vulnerability information on your network resources or a tool like a vulnerability scanning platform to collect that information? Does the standard guide the prioritization of remediation of those vulnerabilities?
Do you have a security information and event management (SIEM) solution that ingests this type of information and assists with identifying possible indicators of compromise? Do you have the People necessary to remediate the problems? So many questions. Preparing for complex attacks can be hard.
But aren’t we still talking about fundamentals? Yes, Preparing includes understanding the environment which means the inventory of assets and vulnerabilities. Preparing includes good cyber hygiene and remediation of problems when they are found. Training is an essential aspect of preparation. Support people need the correct knowledge and skills. End users must understand the importance of reporting anomalies and to whom to report them.
Respond – What happens when you have prepared, and Ransomware still impacts you? It is time to respond. Proper response requires an even more detailed understanding of the issue. It requires investigation using tools like a SIEM, and containment of the problem by isolating affected systems with EDR tools or network controls. The response includes communicating to leadership that a problem exists. Response may require guidance to employees on what information they may share and with whom. Response can also mean that you reach out to a partner or third-party expert to assist with investigating the problem.
Depending on the severity of the issue, response may include your leadership notifying customers that there is an issue. How well we prepare greatly affects how well we respond. Ransomware is often complex and frequently an attack by a sophisticated threat actor. Even if an organization lacks qualified People, the first of the three fundamentals, it can still successfully respond to these attacks by having the right Technology in place and processes that include engaging partners with the right skills.
Recover – What does recovery look like? First, let me ask: Do you have any disaster recovery (DR) or business continuity plan (BCP)? Have you tested it? Ransomware is a type of cyber incident and certainly a type of disaster. Does that mean you can use disaster recovery procedures to recover from a ransomware attack?
The exact procedures may differ, but your DR processes can be leveraged to recover from a ransomware attack. Fundamentals like recovering systems from backup and using alternative processes during system outages will likely be necessary during a ransomware attack too. Just as with any type of disaster, recovery should be the highest priority. How do you know whether you can successfully recover from any type of disaster? Only by testing.
It would be easy to write a book on this stuff, and I’m sure others have done exactly that. I have talked about fundamentals like People, Process and Technology as well as Preparing, Responding and Recovering. The question you may have is: what is the short list of things we need to ensure we have or are doing?
Have a plan! (Prepare) – Have a formal DR Plan. Have a formal Incident Response Plan. Have supporting processes like playbooks that provide specific guidance to maintain calm rather than letting chaos rule.
Test the plan! (Prepare) – Practice like you are under attack. Perform a tabletop exercise. Engage a partner to conduct a Red Team exercise. You want to test the Processes, People, and Technology to make sure they are all sound.
Build or buy! Have processes, technologies, and people needed to respond! (Respond) – If you don’t have the expertise in-house, find a trusted firm that can step in and assist. Implement tools (SIEM, EDR & scanning) or outsource if necessary.
Recover – Just having backups isn’t good enough anymore. Backups need to be immutable, stored so that they cannot be altered or deleted once written, because an attacker who reaches the backups will otherwise encrypt or destroy them along with production data. Make sure that all of the identified problem areas have been remediated. The last thing an organization wants is to restore operations only to find that the problem is still resident. Use a scanning tool to verify that the known vulnerabilities are fixed before systems go back into service.
These are all basic fundamentals. Every organization needs to evaluate its environment to see where the gaps are. Using a framework like the NIST Cybersecurity Framework, the CIS Controls, or another industry standard to assess your environment is a great place to start. These assessments can reveal gaps in People, Process or Technology. Once you have identified the gaps, create a plan to address them.