News

U.S. Security Agencies Warn Russia Actively Exploiting 5 Software Security Flaws

• By Kurt Mackie
• 04/15/2021

U.S. government security agencies on Thursday issued a joint advisory (PDF) regarding five software security vulnerabilities that are currently getting exploited by the Russian Foreign Intelligence Service (SVR).

These vulnerabilities, described by the U.S. National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, aren't new. Here's the list of vulnerabilities being leveraged by attackers:

• CVE-2018-13379, a "Critical" vulnerability in some Fortinet FortiOS versions that permits "an unauthenticated attacker to download system files via special crafted HTTP resource requests."
• CVE-2019-9670, a Critical vulnerability in some Synacor Zimbra Collaboration Suite versions that enables "XML External Entity injection."
• CVE-2019-11510, a Critical vulnerability in some Pulse Secure VPNs that permits unauthenticated attackers to read files by sending "a specially crafted Uniform Resource Identifier."
• CVE-2019-19781, a Critical vulnerability in certain Citrix Application Delivery Controller and Gateway versions that allows "directory transversal" access.
• CVE-2020-4006, a Critical "command injection" vulnerability in certain "VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector" products.

Ivanti, which acquired Pulse Secure last year, issued a statement noting that the vulnerability was addressed a couple of years ago by a patch:

The NSA has identified an old issue (CVE-2019-11510) that was patched on legacy Pulse Secure deployments in April 2019. Customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat. Ivanti regularly works with its Pulse Secure customers to rapidly install available patches that address previously known vulnerabilities.

Steps To Take
Typically, those three agencies would issue advice to federal organizations. However, the joint advisory was described as being applicable to "all network defenders." Several general steps were described as being the best practices to adopt.

Patches should be kept up to date, the agencies advised. An "assume breach" approach should be observed. Moreover, breaches should only be communicated through "out-of-band channels."

Practices such as least-privileged access and password changes should be followed. Obsolete or unused protocols at the network edge should be blocked or disabled. Organizations should use a network "demilitarized zone" for Internet-facing services.

Organizations should have a "robust logging" capability to track "Internet-facing services and authentication functions."

The advisory also recommended that organizations "disable external management capabilities and set up an out-of-band management network." An out-of-band management network separates management traffic from network operations traffic. The out-of-band management network approach is explained in a National Security Agency document (PDF).

The agencies also summarized those recommendations in an infographic (PDF).

On top of that advice, the Cybersecurity and Infrastructure Security Agency gave notice that it has updated its resources on the Russian targeting attempts. It also updated its analysis of the SolarWinds Orion malware.

U.S. Sanctions on Russia
The agencies' security warning is arriving concurrently with President Biden's announcement that the United States is imposing sanctions on Russia because of its interference in the 2020 U.S. election and its ongoing malicious cyberactivities. The sanctions include prohibiting U.S. financial organizations from making new purchases of Russian bonds or lending funds to the Russian government, among other measures. Also, 10 members of Russia's diplomatic core in Washington, D.C., are getting expelled.

Biden's announcement also officially blamed Russia for the SolarWinds Orion supply-chain software corruption that led to widespread spying or disruption of "more than 16,000 computer systems" around the world. Here's his statement:

Today the United States is formally naming the Russian Foreign Intelligence Service (SVR), also known as APT 29, Cozy Bear, and The Dukes, as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures. The U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR.

Two other more general actions were mentioned by Biden.

There are plans to set up international law training courses for policy-makers worldwide on "the policy and technical aspects of publicly attributing cyber incidents."

Also, a Cyber Flag 21-1 exercise, used to probe cyberspace defensive capabilities, will be adding participation by the "UK, France, Denmark and Estonia." Cyber Flag 21-1 aims to better identify and jointly respond to threats that are "targeting our critical infrastructure and key resources."