Category: HP

NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks

The National Institute of Standards and Technology (NIST) on Thursday released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector.

“It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination,” NIST said in a statement.

The new directive outlines major security controls and practices that entities should adopt to identify, assess, and respond to risks at different stages of the supply chain, including the possibility of malicious functionality, flaws in third-party software, insertion of counterfeit hardware, and poor manufacturing and development practices.

Software Supply Chain Risks

The development follows an Executive Order issued by the U.S. President on “Improving the Nation’s Cybersecurity (14028)” last May, requiring government agencies to take steps to “improve the security and integrity of the software supply chain, with a priority on addressing critical software.”

Supply Chain Risks

It also comes as cybersecurity risks in the supply chain have come to the forefront in recent years, in part compounded by a wave of attacks targeting widely-used software to breach dozens of downstream vendors all at once.

According to the European Union Agency for Cybersecurity’s (ENISA) Threat Landscape for Supply Chain Attacks, 62% of 24 attacks documented from January 2020 to early 2021 were found to “exploit the trust of customers in their supplier.”

“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens and one of the publication’s authors. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”

Source :
https://thehackernews.com/2022/05/nist-releases-updated-guidance-for.html

Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches

Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information.

The findings follow the March disclosure of TLStorm, a set of three critical flaws in APC Smart-UPS devices that could permit an attacker to take over control and, worse, physically damage the appliances.

IoT security firm Armis, which uncovered the shortcomings, noted that the design flaws can be traced back to a common source: a misuse of NanoSSL, a standards-based SSL developer suite from Mocana, a DigiCert subsidiary.

The new set of flaws, dubbed TLStorm 2.0, renders Aruba and Avaya network switches vulnerable to remote code execution vulnerabilities, enabling an adversary to commandeer the devices, move laterally across the network, and exfiltrate sensitive data.

Affected devices include Avaya ERS3500 Series, ERS3600 Series, ERS4900 Series, and ERS5900 Series as well as Aruba 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series, and 2540 Series.https://player.vimeo.com/video/704230226?h=6c3f78c718&byline=0&portrait=0

Armis chalked up the flaws to an “edge case,” a failure to adhere to guidelines pertaining to the NanoSSL library that could result in remote code execution. The list of bugs is as follows –

  • CVE-2022-23676 (CVSS score: 9.1) – Two memory corruption vulnerabilities in the RADIUS client implementation of Aruba switches
  • CVE-2022-23677 (CVSS score: 9.0) – NanoSSL misuse on multiple interfaces in Aruba switches
  • CVE-2022-29860 (CVSS score: 9.8) – TLS reassembly heap overflow vulnerability in Avaya switches
  • CVE-2022-29861 (CVSS score: 9.8) – HTTP header parsing stack overflow vulnerability in Avaya switches
  • HTTP POST request handling heap overflow vulnerability in a discontinued Avaya product line (no CVE)

Even more concerningly, the vulnerabilities found in Avaya switches are zero-click, meaning they can be activated via unauthenticated network packets without any user interaction.

“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure,” Barak Hadad, head of research in engineering at Armis, said.

Organizations deploying impacted Avaya and Aruba devices are highly recommended to apply the patches to mitigate any potential exploit attempts.

Source :
https://thehackernews.com/2022/05/critical-tlstorm-20-bugs-affect-widely.html