thunderbird-102.9.0-1.fc38

FEDORA-2023-f36ef5ab9e

Packages in this update:

thunderbird-102.9.0-1.fc38

Update description:

Update to 102.9.0
https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/
https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes/

Why red team exercises for AI should be on a CISO’s radar

AI and machine learning (ML) capabilities present a huge opportunity for digital transformation but open yet another threat surface that CISOs and risk professionals will have to keep tabs on. Accordingly, CISOs will need to direct their teams to conduct red team exercises against AI models and AI-enabled applications — just as security teams do with any traditional application, platform, or IT system.

AI increasingly powers business decision-making, financial forecasting, predictive maintenance, and an endless list of other enterprise functions, weaving its way inextricably into the enterprise tech stack.

This is where AI red teaming comes into play. Forward-looking security pundits believe that the field of AI risk management and AI assurance will be a growing domain for CISOs and cybersecurity leaders to get a handle on in the coming years. Fundamental to managing AI risks will be threat modeling and testing for weaknesses in AI deployments.

When and how to report a breach to the SEC

New cybersecurity reporting requirements for publicly traded companies are expected to be enacted in the spring of 2023, with proposed rules from the US Securities and Exchange Commission (SEC) looking for more information and transparency from those hit with security incidents.

Under the proposal, the SEC would implement three new rules that public companies will need to follow:

A requirement that companies report any cybersecurity event within four business days of determining that it was a material incident.
Mandatory disclosures regarding the board of directors’ oversight of cybersecurity risk as well as details about the cybersecurity expertise and experience of individual board members.
Mandatory disclosures about management’s role in addressing cybersecurity risk.

The SEC action has — or should have — security leaders, their C-suite colleagues, and board directors prepping for the new steps they’ll have to follow. And it should have executives at private companies and other entities taking note, as the SEC action could have a trickle-down impact.

Critical Adobe ColdFusion Vulnerability (CVE-2023-26360) Exploited as a Zero-day

FortiGuard Labs is aware of a report that an improper access control vulnerability in Adobe ColdFusion (CVE-2023-26360) was observed to have been exploited in the wild. Unauthenticated attackers can exploit the vulnerability to achieve arbitrary code execution on a remote machine. On March 15th, CISA added CVE-2023-26360 to the Known Exploited Vulnerabilities catalog.

Why is this Significant?

This is significant because Adobe reported that an improper access control vulnerability in Adobe ColdFusion (CVE-2023-26360) was exploited in the wild. CISA also added the vulnerability to the Known Exploited Vulnerabilities catalog. As such, the patch needs to be applied as soon as possible.

What is CVE-2023-26360?

CVE-2023-26360 is an improper access control vulnerability that affects ColdFusion 2021 version 5 and prior as well as ColdFusion 2018 version 15 and prior. Unauthenticated attackers can exploit the vulnerability to achieve arbitrary code execution on a remote machine.

Is CVE-2023-26360 being Exploited in the Wild?

Adobe confirmed in the advisory that CVE-2023-26360 was leveraged in the wild.

Has the Vendor Released an Advisory for CVE-2023-26360?

Yes. See the Appendix for a link to “Security updates available for Adobe ColdFusion | APSB23-25”.

Has the Vendor Released a Patch for the Vulnerability?

Yes, Adobe released a patch for CVE-2023-26360 on March 14th, 2023.

What is the Status of Protection?

At this time, there is not sufficient information that allows us to investigate for protection. This Threat Signal will be updated when new information becomes available.

Multiple Progress Telerik UI Vulnerabilities Exploited in the Wild

FortiGuard Labs recently observed that multiple vulnerabilities (CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357) in Progress Telerik UI (User Interface) are being exploited in a chain to achieve arbitrary code execution on a remote machine. On March 15th, CISA released an advisory that multiple threat actors exploited unpatched IIS servers in a U.S. federal agency.

Why is this Significant?

This is significant because three Progress Telerik UI vulnerabilities are being exploited in a chain for arbitrary code execution. On March 15th, 2023, CISA released an advisory that multiple threat actors exploited vulnerable IIS servers in a U.S. federal agency. As such, the patches need to be applied as soon as possible.

What is CVE-2019-18935?

CVE-2019-18935 is a critical deserialization of untrusted data vulnerability in the RadAsyncUpload function of Progress Telerik UI for ASP.NET AJAX, a suite of UI components for web applications. Successful exploitation of the vulnerability allows remote attackers to perform arbitrary file uploads or execute arbitrary code when the encryption keys are known, due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. The vulnerability affects Telerik UI versions prior to R1 2020 (2020.1.114) and has a CVSS base score of 9.8.

What is CVE-2017-11317?

CVE-2017-11317 is an unrestricted file upload vulnerability in Telerik UI for ASP.NET AJAX. It leverages weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. The vulnerability affects Telerik UI versions prior to R1 2020 (2020.1.114) and has a CVSS base score of 9.8.

What is CVE-2017-11357?

CVE-2017-11357 is an arbitrary file upload vulnerability in Telerik UI for ASP.NET AJAX components. It is an insecure direct object reference vulnerability in the RadAsyncUpload function, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code by manipulating user input. The vulnerability affects Telerik UI versions prior to R1 2020 (2020.1.114) and has a CVSS base score of 9.8.

Has the Vendor Released an Advisory for CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357?

Yes. See the Appendix for links to “Unrestricted File Upload in RadAsyncUpload”, “Allows JavaScriptSerializer Deserialization” and “Insecure Direct Object Reference in RadAsyncUpload”.

Has the Vendor Released a Patch for the Vulnerabilities?

Yes. Patches are available for all three vulnerabilities.

What is the Status of Protection?

FortiGuard Labs has the following IPS signature in place for CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357:

Telerik.Web.UI.RadAsyncUpload.Handling.Arbitrary.File.Upload

Microsoft March Patch Tuesday Release Contains Two New Zero Days and 80 Security Updates

Today, March 14, 2023, Microsoft released 80 security updates for this month’s Patch Tuesday release. Two of the releases address known zero-days in Microsoft Office (CVE-2023-23397, Microsoft Outlook Elevation of Privilege Vulnerability) and Windows operating systems (CVE-2023-24880, Windows SmartScreen Security Feature Bypass Vulnerability); the latter is related to the December 2022 Patch Tuesday advisory for CVE-2022-44698 (Windows SmartScreen Security Feature Bypass Vulnerability). CVE-2023-23397 was observed being exploited in the wild by APT28/Fancy Bear, attributed to the GRU, which is an arm of the Russian government.

What are the details for Both Zero Days?

CVE-2023-23397 is an Elevation of Privilege (EoP) vulnerability in Microsoft Outlook where an attacker who successfully exploits it can access a user’s Net-NTLMv2 hash, which could be used for an NTLM relay attack against another service to authenticate as the user. External attackers can create specially crafted emails that cause a connection from the victim to an external UNC location under the attacker’s control. This leaks the victim’s Net-NTLMv2 hash to the attacker, who can then use it to authenticate as the victim to another service.

CVE-2023-24880 is a vulnerability in Windows where an attacker can create a malicious file that evades Mark of the Web (MOTW) protections, resulting in the loss of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. This vulnerability is related to CVE-2022-44698 (Windows SmartScreen Security Feature Bypass Vulnerability), which was released in the December 2022 Microsoft monthly update.

Are Both Vulnerabilities Being Exploited in the Wild?

According to Microsoft, CVE-2023-23397 (Microsoft Outlook Elevation of Privilege Vulnerability) has been exploited in the wild. This vulnerability was exploited by APT28/Fancy Bear, which is attributed to the GRU, an arm of the Russian government. CVE-2023-24880 (Windows SmartScreen Security Feature Bypass Vulnerability) has not been reported to be exploited in the wild. However, reports have previously connected last December’s CVE-2022-44698 vulnerability with exploitation by the Magniber ransomware group.

What Suggested Mitigation is Available?

For those unable to apply the patch for CVE-2023-23397, Microsoft recommends adding users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism. Microsoft also recommends blocking TCP 445/SMB outbound from your network using a perimeter firewall, a local firewall, and your VPN settings; this prevents NTLM authentication messages from being sent to remote file shares. Microsoft suggests downloading the following document: “Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2.” This document discusses Pass-the-Hash (PtH) attacks against Windows operating systems and provides detailed insight into defending against them. This document can be found here. For CVE-2023-24880, it is suggested to apply the available patches as soon as possible.

What are the CVSS scores?

For CVE-2023-23397 (Microsoft Outlook Elevation of Privilege Vulnerability) the CVSS score is 9.8 (CRITICAL). For CVE-2023-24880 (Windows SmartScreen Security Feature Bypass Vulnerability) the CVSS score is 5.4 (MEDIUM).

What is the Status of Coverage?

Fortinet customers running the latest version of IPS definitions are protected against exploitation of CVE-2023-24880 by:

MS.Windows.SmartScreen.Security.Feature.Bypass (CVE-2023-24880)

Regarding CVE-2023-23397, IPS coverage is being investigated for feasibility and this Threat Signal will be updated when relevant information is available.
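The two interim mitigations Microsoft recommends above for CVE-2023-23397 (Protected Users membership and blocking outbound TCP 445) can be applied and audited from an elevated PowerShell session. The script below is an added example, not part of the FortiGuard Threat Signal or Microsoft's guidance. It assumes the ActiveDirectory RSAT module on a domain-joined admin host, a hypothetical list of account names in $PilotUsers, and the Windows Firewall "Internet" scope keyword for non-local addresses. Protected Users membership also disables Kerberos RC4/DES, delegation and credential caching and shortens the TGT lifetime to four hours, so roll it out to a pilot group before applying it broadly.

```powershell
# Added example (not from the FortiGuard Threat Signal): apply and verify the two
# interim mitigations Microsoft recommends for CVE-2023-23397 when patching is not
# yet possible. Requires the ActiveDirectory module (RSAT) and an elevated session.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$PilotUsers = @('jdoe', 'asmith')   # constructed placeholder sAMAccountNames
$GroupName  = 'Protected Users'     # built-in AD group (DFL Windows Server 2012 R2+)

# 1. Add high-value accounts to Protected Users. Membership blocks NTLM, DES/RC4
#    Kerberos, delegation and long-lived TGTs (4-hour lifetime), so pilot first.
foreach ($sam in $PilotUsers) {
    $user = Get-ADUser -Identity $sam -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "Account '$sam' not found; skipping"; continue }
    $already = Get-ADGroupMember -Identity $GroupName |
               Where-Object { $_.SamAccountName -eq $sam }
    if ($already) { Write-Host "$sam already in $GroupName"; continue }
    Add-ADGroupMember -Identity $GroupName -Members $user
    Write-Host "Added $sam to $GroupName"
}

# 2. Host firewall: block outbound SMB (TCP 445) to Internet addresses so an
#    Outlook-triggered UNC connection cannot leak Net-NTLMv2 to an external host.
#    'Internet' is the Windows Firewall scope keyword for non-local addresses;
#    use -RemoteAddress Any if internal SMB should be blocked as well.
$RuleName = 'Block Outbound SMB to Internet (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created firewall rule '$RuleName'"
}

# 3. Audit: confirm both controls are in place.
$members = (Get-ADGroupMember -Identity $GroupName).SamAccountName
$missing = $PilotUsers | Where-Object { $_ -notin $members }
if ($missing) { Write-Warning "Not yet protected: $($missing -join ', ')" }
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
```

The host-firewall rule complements, rather than replaces, the perimeter and VPN blocks Microsoft lists: a laptop on an untrusted network is only covered by the local rule. Service and computer accounts are poor candidates for Protected Users because of the NTLM and delegation restrictions; the group is meant for interactive, high-privilege user accounts.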

USN-5959-1: Kerberos vulnerabilities

It was discovered that Kerberos incorrectly handled memory when processing
KDC data, which could lead to a NULL pointer dereference. An attacker could
possibly use this issue to cause a denial of service or have other
unspecified impacts. (CVE-2021-36222, CVE-2021-37750)

Russian hacktivist group targets India’s health ministry

A Russian hacktivist group has claimed to have breached the health management information system of India, which could contain health data of millions of Indian citizens.

“On 15 March 2023, CloudSek’s contextual AI digital risk platform XVigil discovered a threat actor group claiming to have targeted an Indian government website,” cybersecurity firm CloudSek said in a post. “An analysis of the samples shared concluded that the affected entity is the Health Management Information system belonging to the Indian Ministry of Health.”

The Health Management Information System is an online portal that provides information on health indicators in India. It compiles data from state and district-level health authorities, along with data from the National Family Health Survey (NFHS), the District Level Household Survey (DLHS), and the Office of the Registrar General & Census Commissioner.