//Week in review - 30 Aug 2019

AusCERT Week in Review for 30th August 2019


As they say, out with the old, in with the new. Or should it be “out with the deprecated, in with the supported”?
End-of-life is approaching for both Windows 7 and Python 2.

But since they also say what goes around, comes around. So whilst “retro” can be considered cool in some circumstances, it cannot be considered so when retro to run with outdated IOS XE so go ahead and pick up your hardened version of the IOS XE software from Cisco today whilst stocks last.

Monopoly is one retro game that seems to forever stay young. Community Chest: Drive past Jail and pick up iOS 12.4.1. Winner!

As the week draws to a close, many webservers with HTTP/2 vulnerabilities have been patched over the last two weeks since they were reported by a Netflix researcher, so it’s good to hear of patching wins.  

In the news this week:

Windows 7 end of life: Months from patch cut-off, millions still haven’t upgraded
Author: ZDNet
Date published: 2019-08-28

With just under five months until Microsoft stops issuing free patches for Windows 7, millions of PCs are still relying on it, leaving them exposed to new bugs that will probably never be patched.

Microsoft has been nagging Windows 7 users to upgrade to Windows 10 for years now, yet a huge number of consumers and smaller businesses have either resisted those calls or missed them.

Cisco Fixes Critical Bug in Virtual Service Container for IOS XE
Author: BleepingComputer
Date published: 2019-08-28

Cisco today published an update for its IOS XE operating system to patch a critical vulnerability that could allow a remote attacker to bypass authentication on devices running an outdated version of virtual service containers.

Exploitation is possible if specific conditions are met by simply sending malicious HTTP requests to a target device. If an administrator is into the REST API interface, an adversary can get their ‘token-id’ and run commands with elevated privileges.

Time to shed Python 2
Author: National Cyber Security Centre (UK)
Date published: 2019-08-22

The end of life (EOL) date for Python 2 has been a long time coming, but it’s finally in sight. As of the 1st of January 2020, Python 2 will no longer be supported. There will be no more bug fixes, or security updates, from Python’s core developers.

So, if you’re still using 2.x, it’s time to port your code to Python 3. If you continue to use unsupported modules, you are risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing.

Cyber security a key focus for Uni foreign interference taskforce
Author: iTnews
Date published: 2019-08-29

The cyber resilience of Australia’s universities will be a key focus of a new federal government taskforce aimed at addressing foreign interference concerns in the higher education sector.

Education minister Dan Tehan announced the creation of the University Foreign Interference Taskforce on Wednesday to assess the level of foreign interference in universities.

Noteworthy bulletins this week:

1. Symantec Reporter: Access confidential data

The Australian Taxation Office is credited as the source for this advisory.

2. Cisco IOS XE: Execute arbitrary code/commands

A CVSSv3 score of 10/10 for a full authentication bypass.

3. h2o web server: Denial of Service – Remote/Unauthenticated

The HTTP/2 vulnerabilities from a Netflix researcher have been patched in many webservers in the last fortnight, including h2o.

4. Apple iOS, macOS and tvOS: Root compromise – Existing Account

Regression of a bugfix for a vulnerability used in jailbreaks in iOS 12.4 led to the hasty release of 12.4.1 with the jailbreak patched out.

Reward yourself tonight or this weekend by putting up your feet, catching your favourite retro or modern show, or if books are more your thing, pick a good one.

Stay safe, stay patched and have a great weekend!