29 Nov 2024

Week in review

Greetings,

This week, we had the exciting opportunity to reconnect with our Melbourne community at an AUSCERT member meetup. It was an inspiring space for collaboration, where participants shared experiences and discussed challenges in a supportive environment. Coming together in person highlighted the passion, innovation, and drive that are the heart of our community, reminding us of the importance of meaningful interactions as we work towards our common goals.

Following the meetup, the AUSCERT team attended the AISA Melbourne CyberCon, where our General Manager, Ivano Bongiovanni, delivered three engaging sessions. These focused on the future of cyber security, the vital role of data governance, and decision-making in the age of AI. It was a great opportunity to reconnect with the AISA community and engage with the wider cyber security industry in Melbourne during this event!

This week the Australian government has passed its first standalone Cyber Security Act as part of the 2023–2030 Cyber Security Strategy. This landmark legislation aims to strengthen the nation's cyber resilience with provisions such as enhanced incident reporting, mandatory smart device security standards, and the creation of a Cyber Incident Review Board. A notable feature is the "limited use" obligation, which safeguards organisations that share data during cyber incidents, promoting greater collaboration between government and industry. The Act also updates critical infrastructure protections and broadens government powers to address emerging cyber threats.

Key elements of the legislative package include:

  1. Mandatory Ransomware Payment Reporting: Businesses with annual turnovers above AUD 3 million must disclose ransomware payments within a set timeframe, enhancing transparency and response efforts.

  2. IoT Security Standards: New regulations bring Australian IoT devices, like home security cameras and smart appliances, in line with international security standards to reduce vulnerabilities.

  3. Enhanced Protections for Data and Critical Infrastructure: Updates to laws such as the Privacy Act 1988 and the Security of Critical Infrastructure Act 2018 aim to fortify the security of critical infrastructure and improve data management.

  4. Liability Protections: The new rules offer businesses "no-fault" protections when reporting cyber incidents, encouraging greater transparency without the fear of legal consequences.

These reforms represent a major step toward building a more secure digital environment across Australia.


QNAP addresses critical flaws across NAS, router software
Date: 2024-11-25
Author: Bleeping Computer

QNAP has released security bulletins over the weekend, which address multiple vulnerabilities, including three critical severity flaws that users should address as soon as possible.
Starting with QNAP Notes Station 3, a note-taking and collaboration application used in the firm's NAS systems, the following two vulnerabilities impact it:
CVE-2024-38643 – Missing authentication for critical functions could allow remote attackers to gain unauthorized access and execute specific system functions. The lack of proper authentication mechanisms makes it possible for attackers to exploit this flaw without prior credentials, leading to potential system compromise. (CVSS v4 score: 9.3, "critical")
CVE-2024-38645 – Server-side request forgery (SSRF) vulnerability that could enable remote attackers with authentication credentials to send crafted requests that manipulate server-side behavior, potentially exposing sensitive application data.

CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks
Date: 2024-11-26
Author: The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched critical security flaw impacting Array Networks AG and vxAG secure access gateways to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The vulnerability, tracked as CVE-2023-28461 (CVSS score: 9.8), concerns a case of missing authentication that could be exploited to achieve arbitrary code execution remotely. Fixes (version 9.4.0.484) for the security shortcoming were released by the network hardware vendor in March 2023.

Cyber security bill passes parliament
Date: 2024-11-26
Author: iTnews

Australia’s first cyber security legislation has been passed by parliament after being approved by the senate yesterday.
The package of legislation was introduced last month as part of the government’s 2023-2030 Australian Cyber Security Strategy.
Now, businesses that pay ransomware hackers will be compelled to report it to the government.
There is also a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD) to share information from a victim during an incident.

macOS Vulnerability (CVE-2023-32428) Grants Root Access, PoC Published
Date: 2024-11-26
Author: Security Online

Security researcher Gergely Kalman has detailed a high-severity vulnerability in Apple’s MallocStackLogging framework that could allow attackers to gain local privilege escalation (LPE) on macOS systems. The flaw, designated CVE-2023-32428 with a CVSS score of 7.8, demonstrates how seemingly helpful developer tools can be manipulated to bypass security measures and compromise high-privilege operations.

CVE-2024-8114: GitLab Vulnerability Allows Privilege Escalation
Date: 2024-11-26
Author: Security Online

GitLab has released critical security updates to address multiple vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) products. Versions 17.6.1, 17.5.3, and 17.4.5 contain important bug and security fixes, including patches for a high severity privilege escalation vulnerability.
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab said in its security advisory.


ESB-2024.7747 – GitLab Community Edition (CE) and Enterprise Edition (EE)

GitLab has released critical security updates to address multiple vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) products.

ESB-2024.7745 – GlobalProtect App

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers.

ESB-2024.7714 – OpenSSL

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing versions 3.2.2, 4.2.2 and higher.

ESB-2024.7561.2 – Palo Alto PAN-OS

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities.


Stay safe, stay patched and have a good weekend!

The AUSCERT team