11 Oct 2024

Week in review

Greetings,

AUSCERT was proud to sponsor the Best Security Student Award at the Women in Security Awards, held in Sydney on Thursday. Now in its sixth year, the Australian Women in Security Awards® brings together the security industry to celebrate and elevate the profile of Australia’s IT Security, Cyber, and Protective Security sectors. By recognising and honouring the achievements, value, and contributions of individuals in Australia, the event aims to give them the acknowledgment they rightfully deserve.

In an exciting turn of events, our very own Business Manager, Bek Cheb, was recognised with the MVP in the Security Industry award. This award is a testament to Bek's dedication, leadership, and the profound impact she has made within the security industry. Her peers in the industry have recognised her for her exceptional contributions, including strategic initiatives, promotion of best practices, and her commitment to fostering a more inclusive and resilient security community.

This week, the Australian Federal Government introduced legislation proposing several changes to the cyber security regulatory environment. These measures include:

• Mandating minimum cyber security standards for ‘smart devices’

• Requiring mandatory reporting of ransomware payments for certain organisations

• Implementing ‘limited use’ restrictions on how information provided to the Australian Signals Directorate and the National Cyber Security Coordinator can be used

• Establishing a Cyber Incident Review Board to conduct “no fault” investigations into cyber security incidents and offer recommendations based on lessons learned

Additionally, the proposed changes include modifications to the existing Security of Critical Infrastructure (SOCI) legislation. These changes aim to clarify current obligations, empower the Government to mandate remediation of “serious deficiencies” in organisational risk management practices, and enhance information sharing between industry and government, among other adjustments.


Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications
Date: 2024-10-07
Author: The Hacker News

A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.
The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4.
"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory released last week. "Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue."

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities
Date: 2024-10-08
Author: Cisco Talos

[For the latest Microsoft ASBs, please visit AUSCERT's security bulletin page.]
The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings.
October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities.
The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Ivanti warns of three more CSA zero-days exploited in attacks
Date: 2024-10-08
Author: Bleeping Computer

[AUSCERT contacted the impacted members (where possible) via email on 23 September 2024]
American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks.
As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September.

Qualcomm patches high-severity zero-day exploited in attacks
Date: 2024-10-07
Author: Bleeping Computer

Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets.
The security flaw (CVE-2024-43047) was reported by Google Project Zero's Seth Jenkins and Amnesty International Security Lab's Conghui Wang, and it is caused by a use-after-free weakness that can lead to memory corruption when successfully exploited by local attackers with low privileges.
"Currently, the DSP updates header buffers with unused DMA handle fds. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed," as explained in a DSP kernel commit.

New Generation of Malicious QR Codes Uncovered by Researchers
Date: 2024-10-09
Author: Infosecurity Magazine

A new generation of QR code phishing (quishing) attacks has been uncovered by threat analysts at Barracuda.
Research by the email protection firm highlighted new techniques that have been designed to evade traditional security defenses by including QR codes built from text-based ASCII/Unicode characters rather than the standard static image.
This tactic is designed to evade optical character recognition (OCR)-based defenses. In an email, it will look like a traditional QR code. To a typical OCR detection system, it appears meaningless.
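As an added example (not Barracuda's detection logic), the heuristic below flags an email body that carries a QR code drawn from Unicode block characters rather than an image: it looks for a run of near-uniform-width lines made almost entirely of block glyphs and spaces. The two sample messages and the grid pattern are constructed for the demonstration.

```python
"""Heuristic check for QR codes drawn with Unicode block characters in a
plain-text email body. Added example, not Barracuda's detection logic."""
import re
from typing import Optional, Tuple

# Unicode "Block Elements" (U+2580..U+259F) supply the full/half/shade glyphs
# used to draw a QR code as text; U+3000 is the ideographic space.
_BLOCK_OR_SPACE = re.compile(r"[\u2580-\u259F\u3000 ]")
MIN_ROWS = 10    # 21x21 modules is the smallest QR; half-block rendering halves rows
MIN_WIDTH = 15
MIN_RATIO = 0.8  # share of a line that must be block glyphs or spaces


def _is_grid_line(line: str) -> bool:
    """True if the line looks like one row of a block-character grid."""
    text = line.rstrip()
    if len(text) < MIN_WIDTH:
        return False
    solid = sum(1 for ch in text if "\u2580" <= ch <= "\u259F")
    ratio = len(_BLOCK_OR_SPACE.findall(text)) / len(text)
    return ratio >= MIN_RATIO and solid >= 3


def find_text_qr(body: str) -> Optional[Tuple[int, int]]:
    """Return (rows, width) of the tallest block-character grid, else None."""
    best, run = None, []
    for line in body.splitlines() + [""]:  # sentinel flushes the last run
        if _is_grid_line(line):
            run.append(len(line.rstrip()))
            continue
        if len(run) >= MIN_ROWS:
            width = max(run)
            # a rendered QR has near-uniform row widths; ragged prose does not
            if min(run) >= width * 0.8 and (best is None or len(run) > best[0]):
                best = (len(run), width)
        run = []
    return best


def _sample_grid(size: int = 21) -> str:
    """Constructed stand-in for a text-rendered QR (deterministic pattern)."""
    rows = []
    for y in range(size):
        cells = ["█" if ((x * y) ^ (x + y)) & 1 else " " for x in range(size - 1)]
        rows.append("".join(cells) + "█")  # keep every row at full width
    return "\n".join(rows)


# Constructed sample messages: one carrying a text QR, one benign.
QUISHING_BODY = ("Hello,\n\nScan the code below to view the shared document:\n\n"
                 + _sample_grid() + "\n\nRegards,\nDocument Service\n")
BENIGN_BODY = "Hello,\n\nThe quarterly report is attached.\n────────────\nRegards\n"
```

Tune MIN_ROWS and MIN_RATIO against your own mail stream; ASCII renderings that use characters such as `#` would need their own character class.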


ESB-2024.6438 – Google Android: CVSS (Max): 9.8*

The advisory highlights multiple vulnerabilities in Google Android OS that could enable remote code execution by attackers. These flaws could potentially compromise devices and lead to unauthorised access or control. Users are urged to update their systems to mitigate these security risks.

ESB-2024.6467 – Adobe Products: CVSS (Max): 9.8

Critical vulnerabilities detected in Adobe Commerce and Magento could allow privilege escalation and arbitrary code execution. Users are urged to update their installations promptly to mitigate these risks. The advisory specifies affected versions and offers guidance for securing the platform.

ESB-2024.6478 – Google Chrome: CVSS (Max): None

Google has released a critical security update for Chrome, addressing several vulnerabilities, particularly two high-severity type confusion flaws in the V8 JavaScript engine, tracked as CVE-2024-9602 and CVE-2024-9603. These flaws could enable arbitrary code execution, risking sensitive data and disrupting system operations.

ASB-2024.0184 – Microsoft Windows: CVSS (Max): 9.0

For October 2024 Patch Tuesday, Microsoft released fixes for 117 security vulnerabilities, including two actively exploited flaws: CVE-2024-43573, a spoofing bug in the Windows MSHTML Platform, and CVE-2024-43572, a remote code execution flaw in the Microsoft Management Console. CVE-2024-43573 has similarities to a previously exploited MSHTML vulnerability, and both flaws require user interaction to be exploited, typically involving social engineering.

ESB-2024.6504 – Palo Alto Expedition: CVSS (Max): 9.9

Palo Alto Networks has disclosed multiple vulnerabilities in Expedition, allowing attackers to read sensitive database contents and arbitrary files, as well as write files to temporary storage. Key vulnerabilities include CVE-2024-9463 and CVE-2024-9464, both allowing OS command injection, and CVE-2024-9465, which enables SQL injection to access database information like usernames and passwords. All versions prior to 1.2.96 are affected, and these flaws could lead to severe security breaches if exploited.

ESB-2024.6524 – Firefox and Firefox ESR: CVSS (Max): 9.8

Mozilla has released an emergency update for Firefox and Firefox ESR to address the actively exploited zero-day vulnerability CVE-2024-9680, a use-after-free issue that can lead to code execution. The update was made available within 25 hours of the vulnerability being reported, with affected versions being Firefox 131.0.2 and Firefox ESR 115.16.1 and 128.3.1. Users are urged to update their browsers promptly, as automatic updates are typically enabled by default.


Stay safe, stay patched and have a good weekend!

The AUSCERT team