Boris Johnson pleads ignorance, which just might work
Also: More high-profile MOVEit victims; CVSS 4.0 coming soon; and a long list of critical vulnerabilities
Infosec in brief Former UK prime minister Boris Johnson lobbed a wrench into the works of the country's COVID-19 inquiry by claiming he couldn't remember the passcode to unlock an old phone being sought by investigators.
The inquiry has been seeking the device because it's believed to contain a trove of WhatsApp messages from the early days of the COVID-19 pandemic when the encrypted chat app was used widely – amid criticism – by the PM and other ministers unable to meet face-to-face.
BoJo reportedly last used the device in question in May 2021, after it was revealed that his phone number had been freely available online to anyone who knew to look for a press release he had put out in 2006, while MP for Henley and shadow minister for higher education. His phone number – still in use while he was PM – was reportedly unchanged over the 15 years after the press release was published.
Johnson couldn't remember the passcode "with 100 percent confidence," according to The Times, leading to fears that the device could be wiped if the ex-PM guessed wrong too many times.
Johnson's lapse of memory came after the UK High Court ruled that messages and diaries had to be handed over without redaction – which the government opposed on the grounds that it would have led to the exposure of "unambiguously irrelevant" material.
Justices dismissed that argument last week, saying that the inclusion of irrelevant material didn't invalidate the order to turn all of it over without taking the time to redact it first. Part of the inquiry's message demand included one-on-one communications between Johnson, then-chancellor Rishi Sunak, and cabinet secretary Simon Case.
Everyone can rest easy, though. By Thursday the government claimed that it had found a record of the PIN code for Johnson's old device and opened it up to the committee. Per the BBC, the Cabinet Office has until 1600 BST Monday to hand over the requested messages in their entirety.
This doesn't mean those outside the inquiry will see them, however. The Cabinet Office and the Inquiry itself retain the right to make redactions before wider dissemination to experts, witnesses or the public.
Critical vulnerabilities: The week-long Patch Tuesday edition
To say it's been a busy week in patch land is an understatement. Along with Tuesday's huge list of updates from Microsoft, a bunch of other companies have been dealing with critical vulnerabilities, so let's get into it.
First, researchers found several critical vulnerabilities in the SDK and API for popular chat and video framework QuickBlox that, if exploited, could allow retrieval of full user lists, PII on users, and creation of new users. Patches are available, so install ASAP.
There are a couple of missed updates from Patch Tuesday that are worth knowing about:
- HPE notified users of multiple high-risk vulnerabilities in multiple versions of ArubaOS running on different devices that could lead to XSS attacks, arbitrary command execution, and more.
- Juniper patched 14 vulnerabilities in Junos OS and Junos OS Evolved this week, addressing a number of high-risk issues.
Additionally, industrial control system vendors were in an update frenzy this week thanks to lots of critical issues:
- CVSS 9.9 – Multiple CVEs: Siemens SIMATIC CN 4100 devices are improperly controlling access and contain incorrect default permissions that an attacker could use to bypass network isolation and escalate privileges.
- CVSS 9.8 – Multiple CVEs: Siemens RUGGEDCOM ROX switches running software versions 2.16.0 or older are packed with vulnerabilities that could allow an attacker to send malformed HTTP packets to achieve MITM status and execute arbitrary code.
- CVSS 9.8 – Multiple CVEs: Experion's PKS, LX and PlantCruise (versions prior to R520.2) contain a series of vulnerabilities that could cause DoS or let an attacker elevate permissions and remotely execute code.
- CVSS 9.8 – Multiple CVEs: Anyone with a Rockwell Automation 1756 controller of any model should update immediately, as they're almost all vulnerable to an out-of-bounds write attack that could allow a bad actor to gain access to the module's running memory.
- CVSS 9.6 – CVE-2023-2746: Rockwell Automation's Enhanced HIM communications interface v. 1.001 contains a cross-site request forgery vulnerability that could be used to gain full remote access over affected devices.
- CVSS 9.1 – CVE-2023-20214: A flaw in request authentication validation for the REST-API in Cisco SD-WAN vManage software could give an unauthenticated attacker read and limited write permissions to an affected vManage instance's configuration settings.
- CVSS 8.8 – CVE-2023-2072: Rockwell Automation Power Monitor 1000 v4.011 is vulnerable to XSS that could lead to RCE and loss of availability.
- CVSS 8.2 – Multiple CVEs: Siemens SIMATIC MV500 series devices contain a series of vulnerabilities that an attacker could use to read memory contents or cause DoS.
- CVSS 8.2 – Multiple CVEs: BD Alaris medical pumps and several elements of their software are vulnerable to a bunch of issues that an attacker could use to compromise data, hijack sessions, modify firmware, and otherwise cause serious damage.
Only a single new known exploited vulnerability was added to CISA's database this week: a CVSS 9.8 RCE vulnerability in Netwrix Auditor server and agent software that could allow an attacker to execute arbitrary code.
As always, get patching.
Cybercriminals love to MOVEit: Two more high-profile victims admit hits
What do financial giant Deutsche Bank and elite US university Rutgers have in common? They've both become collateral damage as hackers continue exploiting a now-patched vulnerability in MOVEit file transfer software.
In a statement earlier this week, Deutsche Bank admitted one of its external service providers in Germany experienced a security incident. While not saying that the attack was definitely caused by a MOVEit vulnerability, DB did tell BC that "In addition to our service provider, we understand that more than 100 companies in more than 40 countries are potentially affected."
Combined with the fact that Deutsche Bank used the affected service provider for operating its account switching service, MOVEit is a likely cause because of the high volume of data being transferred from one institution to another.
Rutgers University, on the other hand, said the exposure of some of its data handled by the National Student Clearinghouse was due to the MOVEit vulnerability. Rutgers likely isn't alone, either: NSC works with 3,600 colleges across the US to collate student data for the Department of Education.
Rutgers and Deutsche Bank both said their internal systems were unaffected.
CVSS 4.0 is coming
The Forum of Incident Response and Security Teams (FIRST) unveiled the fourth iteration of its Common Vulnerability Scoring System (CVSS) this week with promises to "provide the highest fidelity of vulnerability assessment for both industry and the public."
There are a number of changes in CVSS 4.0, like the removal of the "scope" concept and its replacement with "vulnerable" and "subsequent" system impacts, vulnerability scoring for software libraries and allowance for multiple base scores.
Perhaps the most notable change is to CVSS nomenclature, which is being modified to state which metric groups were used to arrive at the score: base, threat or environmental. CVSS scores will be labeled as CVSS-B (base only), CVSS-BE (base and environmental), CVSS-BT (base and threat) or CVSS-BTE when all three are included in the calculation.
The reason for the new nomenclature, FIRST said, is that CVSS-B scores only measure the severity of a vulnerability and don't reflect the risk to individual environments or systems. CVSS-B scores "should be supplemented with an analysis of the environment," FIRST said, and given environmental and threat metrics that are periodically updated.
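As an added illustration of the nomenclature described above (this is not code from the article or from FIRST), the function below inspects a CVSS 4.0 vector string and reports which label applies by checking which metric groups are actually populated. The metric abbreviations are assumed from the CVSS 4.0 specification, a metric given as "X" (Not Defined) is treated as not supplied, and no numeric scoring is attempted.

```python
# Added example: derive the CVSS 4.0 label (CVSS-B / -BT / -BE / -BTE) from a
# vector string. Metric abbreviations are an assumption taken from the CVSS 4.0
# specification; the scoring formula itself is deliberately not implemented.
from typing import Dict

BASE = {"AV", "AC", "AT", "PR", "UI",
        "VC", "VI", "VA",    # impact on the vulnerable system
        "SC", "SI", "SA"}    # impact on subsequent systems (replaces "scope")
THREAT = {"E"}               # exploit maturity
ENVIRONMENTAL = {"CR", "IR", "AR"} | {"M" + m for m in BASE}  # requirements + modified base


def parse_vector(vector: str) -> Dict[str, str]:
    """Split 'CVSS:4.0/AV:N/...' into a metric->value dict and validate it."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector: %r" % parts[0])
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError("malformed metric %r" % part)
        if key in metrics:
            raise ValueError("duplicate metric %r" % key)
        metrics[key] = value
    missing = BASE - metrics.keys()
    if missing:
        raise ValueError("base metrics missing: %s" % sorted(missing))
    return metrics


def nomenclature(vector: str) -> str:
    """Return the label for the metric groups a vector populates.

    Assumption: a value of 'X' (Not Defined) counts as not supplied, so a
    vector carrying only 'E:X' beyond the base metrics is still CVSS-B.
    """
    metrics = parse_vector(vector)
    supplied = {k for k, v in metrics.items() if v != "X"}
    label = "CVSS-B"
    if supplied & THREAT:
        label += "T"
    if supplied & ENVIRONMENTAL:
        label += "E"
    return label
```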
Public preview and comment for CVSS 4.0 ends July 31, with a targeted publication date of October 1, 2023, for the new standard. ®