Cisco, Oracle patch warning covers hundreds of critical vulnerabilities


CISA on Thursday sent out its July patch advisories addressing hundreds of critical vulnerabilities found in multiple products from Cisco, Oracle, and Ivanti, warning administrators to patch now.

The US Cybersecurity and Infrastructure Security Agency (CISA) sent its first advisory warning to patch at least 10 vulnerabilities affecting Cisco software.

The most critical of the vulnerabilities, based on the Common Vulnerability Scoring System (CVSS), is a Smart Software Manager On-Prem (SSM On-Prem) Password Change Vulnerability (CVE-2024-20419) with a critical base score of 10.

Cisco also reported a Secure Email Gateway Arbitrary File Write Vulnerability (CVE-2024-20401) with a critical score of 9.8. Both vulnerabilities were published on July 17th.

Dr. Howard Goodman, Technical Director at Skybox Security, said these highest-scoring Cisco vulnerabilities “highlight the evolving threat landscape and the inadequacy of traditional reactive measures like periodic assessments and patching.”

The Cisco advisory states the SSM On-Prem Password Change authentication system vulnerability could allow an unauthenticated, remote attacker to change the password of any user, including administrative users.

Specifically, the Secure Email Gateway vulnerability applies only if the device is running Cisco AsyncOS, the Content Scanner Tools version is earlier than 23.3.0.4823, and the file analysis or content filter features are enabled and assigned to an incoming mail policy.

Separately, the vulnerability in Cisco’s Secure Email Gateway affects its ability to properly scan and filter messages and their content, allowing an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system, Cisco stated.

This could further allow an attacker “to add users with root privileges, modify device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device,” Cisco said.

Goodman says key strategies for mitigating the highest-rated vulnerabilities begin with “conducting continuous vulnerability assessments” and “integrating the latest threat intelligence.”

This allows security teams to promptly “identify and address” vulnerabilities before an attacker is able to exploit them.

Goodman says this should include implementing “advanced detection techniques, such as real-time scanless methods,” which can provide “immediate insights into emerging threats.”

Once identified, security teams should be “prioritizing vulnerabilities using metrics” to make sure the most critical vulnerabilities are taken care of first, minimizing overall risk, Goodman explained, suggesting tools such as the Exploit Prediction Scoring System (EPSS).
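As an added illustration of the metric-driven prioritization Goodman describes (this is not code from the article or from Skybox Security), the following Python ranks findings by blending CVSS severity, EPSS exploit likelihood and exposure. The two Cisco CVEs and their CVSS scores come from the article; the EPSS values, the EX-* entries, the weights and the tier thresholds are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0-10 (from the advisory)
    epss: float            # EPSS probability of exploitation, 0-1 (constructed here)
    internet_exposed: bool  # asset-context input from the inventory
    workaround_applied: bool = False


def priority_score(f: Finding) -> float:
    """Blend severity (CVSS), likelihood (EPSS) and exposure into one rank key."""
    severity = f.cvss / 10.0
    exposure = 1.0 if f.internet_exposed else 0.5
    mitigation = 0.5 if f.workaround_applied else 1.0
    # Assumed weights: likelihood dominates, so an actively exploited 7.5
    # outranks a 9.8 that nobody is exploiting yet.
    return round((0.3 * severity + 0.7 * f.epss) * exposure * mitigation, 4)


def tier(f: Finding) -> str:
    """Map a finding to a remediation bucket (assumed thresholds)."""
    if f.epss >= 0.5 or (f.cvss >= 9.0 and not f.workaround_applied):
        return "patch-now"
    if priority_score(f) >= 0.2:
        return "patch-this-cycle"
    return "scheduled"


def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample inventory: real CVE ids/CVSS from the article, EPSS made up.
FINDINGS = [
    Finding("CVE-2024-20419", cvss=10.0, epss=0.05, internet_exposed=True),
    Finding("CVE-2024-20401", cvss=9.8, epss=0.02, internet_exposed=True),
    Finding("EX-0001", cvss=7.5, epss=0.85, internet_exposed=True),   # constructed
    Finding("EX-0002", cvss=5.3, epss=0.01, internet_exposed=False),  # constructed
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.cve:16} score={priority_score(f):.4f} tier={tier(f)}")
```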

Cisco noted that there are currently no workarounds for either flaw.

Oracle discloses 300+ flaws

Computer technology firm Oracle issued its Quarterly Critical Patch Update Advisory for July, which contains a total of 386 new security patches across its product families.

The Austin, Texas-based company said the collection of patches specifically addresses multiple security vulnerabilities in Oracle code and third-party components included in Oracle products.

Oracle points out that it regularly receives reports from customers who have found attackers continuously trying to “maliciously exploit” previously patched vulnerabilities.

For customers with unpatched vulnerabilities, those targeted attacks have been successful, Oracle said.

Oracle’s product families in the alert include JD Edwards, MySQL, Oracle Enterprise Manager, Fusion Middleware, Oracle Banking Platform, Oracle Communications, PeopleSoft, Contact Support, and Database, among others.

[Image: Oracle patch list, July. Image by Cybernews.]

Oracle said that administrators should review previous patches, as the current collection is based on cumulative updates.

Goodman pointed out that when immediate patching isn't feasible, security teams should employ compensating controls, including network segmentation, enhanced monitoring, and adjusting current user access privileges.

For this type of workaround, Oracle said users can block the network protocols required by an attack, but noted that these are not long-term solutions.

“For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of a successful attack,” it said, also noting that these should always be tested first on non-production systems, to avoid breaking a system's functionality.

By adopting robust strategies, “organizations can enhance their resilience against cyber threats and minimize the likelihood of successful attacks, ensuring the protection of critical assets and maintaining operational integrity,” Goodman said.

Ivanti critical patches

Additionally, US security software company Ivanti on Thursday released two critical security updates for its Endpoint Manager (EPM) Core servers, including for its Endpoint Core mobile servers (EPMM).

According to CISA, the vulnerabilities, which could allow an attacker unauthorized access to network devices in myriad ways, ranged from a CVSS rating of 5.3 to 8.8.

Ivanti said that, at the moment, only a hot patch has been released for EPM 2024 flat, but it plans to resolve the bug in all future releases. A full resolution was made available for all of Ivanti’s supported EPMM mobile versions, covering 11.12.0.3, 12.0.0.3, and 12.1.0.

The tech company said it is “not aware” of any customers being exploited by the vulnerabilities “at the time of disclosure.”

CISA provides links to the full lists of vulnerabilities in the Cisco, Oracle, and Ivanti advisories.