
CVE-2022-40684 and more: first officer's blog - week 21

CVE-2022-40684, a new Apple vulnerability, and more. Here's the latest roundup of the cyber risk stories from last week.

Mike Parkin | October 16, 2022

First Officer’s log, Terrestrial date, 20221017. Officer of the Deck reporting.  

While most of the crew were enjoying the hospitality at Starbase 42, the captain and senior staff briefed the rest of the department heads on what caused our diversion here in the first place. Apparently, one of the starbase’s officers misplaced their combadge while visiting another base.   

Said base is a former transfer facility that has disproportionate importance, largely due to its proximity to a stable wormhole and the border of [REDACTED] space. It is also known for Dabo tables of questionable legality and fairness, which is where the officer in question lost their combadge. 

Our security chief believes the device was actually stolen, but the officer was too embarrassed to admit it. That or he was paying far too much attention to the croupier and not enough to his situation. 

Regardless, Starbase 42’s security was breached using the “missing” combadge and the base’s staff has been furiously trying to remediate the damage and determine what other flaws are still present in their system.   

While they were able to identify the perpetrators, who are likely associated with the [REDACTED] and who have a long history of hostility towards the Federation, without resorting to exchanging phaser fire, the knowledge doesn’t directly address the problem. 

That’s where we come in. As a support ship, our crew are experienced at helping others put the pieces together. Which, here, are a lot of different pieces. While the local security team is frantically working towards undoing the existing damage, they’re too overwhelmed to see the next steps. 

This will delay our recovery of Lieutenant [REDACTED], but we will be able to advise the Starbase personnel on which risks need to be addressed first, and which repair strategies will be most effective. 

It is, after all, what we do best. 

A new flaw in Apple Gatekeeper

What happened 

A flaw in Apple’s Gatekeeper functionality could let threat actors bypass Gatekeeper’s security functionality and run malicious applications on a user’s system. The flaw, tracked as CVE-2022-32910, is a close relative of the earlier CVE-2022-22616 vulnerability.

Why it matters 

Apple users have come to trust the security features built into their devices, so vulnerabilities in those security features are problematic.  Fortunately, Apple has already released patches and the vast majority of their devices are updated automatically. Also, exploiting the vulnerability required a user to download and then launch a downloaded archive, which means user involvement was required. Though we know how often users will do just that sort of thing. 

What they said  

Apple vulnerabilities always cause a stir

CVE-2022-40684 added to CISA’s list.  

What happened 

A recently reported vulnerability in several Fortinet security products, tracked as CVE-2022-40684, has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of exploited vulnerabilities. The vulnerability could allow an attacker to bypass authentication and log into a vulnerable device with administrator privilege. 

Why it matters 

CISA’s advisories are directed towards the government organizations that are required to follow their advice, but their advisories are useful for any organization that takes their cybersecurity seriously. Which should be, basically, everyone. 

This advisory requires affected organizations to take action to correct the problem per Fortinet’s advice of applying the patch immediately or implementing compensating controls until the patch for CVE-2022-40684 is deployed. 

What they said  

CVE-2022-40684

When CISA talks, the industry takes note. Here’s what people are saying about CVE-2022-40684. 

Microsoft’s leaky ECB implementation

What happened 

It has been shown that Microsoft’s use of Electronic Code Book (ECB) mode encryption in Office 365 can leak information about the encrypted content. The leak is an inherent property of ECB mode, which encrypts every block independently so that identical plaintext blocks produce identical ciphertext blocks, rather than a bug specific to Microsoft’s code. Microsoft has stated that they will not be addressing this issue. Whether that is due to a new and more secure implementation of Office Message Encryption (OME) on the horizon, or other reasons, is not known.

Why it matters  

The old phrase “close enough for Government work” could apply here to the OME implementation, with Government replaced by Business. With encryption, though, it isn’t actually close enough for government work, as Federal agencies are required to use more secure encryption standards.

To be fair, most users are not sending anything that requires highly secure encryption so, in practice, this is a non-issue. It also requires a lot of message traffic on hand for a threat actor to analyze, which makes it unlikely that anything short of a State or State Sponsored threat is going to be doing this. If that’s the kind of threat you’re facing, you should already know to use something more secure than just relying on Office. For example, using GPG and sending the encrypted message as a doubly encrypted attachment inside a secure email. 
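To make the ECB leak concrete, here is a small added example (not code from the original post, and not Microsoft’s OME implementation) written in Go using only the standard library. It encrypts a constructed message in which one 16-byte field repeats four times, once with AES in ECB mode and once with AES in CBC mode, then counts how many ciphertext blocks repeat an earlier block. The key and IV are constructed demo values. Go deliberately ships no ECB mode, so the ECB helper applies the raw block function block by block, which is exactly what ECB is.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and IV for this example only. Real systems derive keys
// securely and use a fresh, unpredictable IV for every message.
var demoKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
var demoIV = []byte("fedcba9876543210")  // 16 bytes, one AES block

// ecbEncrypt runs the AES block function over each 16-byte block independently.
// Identical plaintext blocks therefore yield identical ciphertext blocks: that is
// the "leak" the article describes, and why ECB is unsuitable for messages.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// cbcEncrypt chains each block into the next, so equal plaintext blocks no longer
// produce equal ciphertext blocks (CBC still needs authentication in real use;
// an AEAD such as AES-GCM is the usual modern choice).
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", block.BlockSize())
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// duplicateBlocks counts ciphertext blocks that repeat an earlier block. A
// defender can run this over any ECB-encrypted archive to see how much
// structure is visible without the key.
func duplicateBlocks(ciphertext []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		k := string(ciphertext[i : i+aes.BlockSize])
		if seen[k] {
			dups++
		} else {
			seen[k] = true
		}
	}
	return dups
}

// demoPlaintext is a constructed message where the same 16-byte field appears
// on four lines, as a form or report with repeated status values might.
func demoPlaintext() []byte {
	line := []byte("STATUS=APPROVED;") // exactly 16 bytes = one AES block
	return bytes.Repeat(line, 4)
}

func main() {
	pt := demoPlaintext()
	ecb, _ := ecbEncrypt(demoKey, pt)
	cbc, _ := cbcEncrypt(demoKey, demoIV, pt)
	fmt.Printf("ECB: %d repeated ciphertext blocks out of %d\n", duplicateBlocks(ecb), len(ecb)/aes.BlockSize)
	fmt.Printf("CBC: %d repeated ciphertext blocks out of %d\n", duplicateBlocks(cbc), len(cbc)/aes.BlockSize)
}
```

Under ECB the four identical plaintext blocks give three repeated ciphertext blocks, so an observer with no key can tell that four fields carry the same value; under CBC the same message shows no repeats. The information leaked is the pattern of equality between blocks, not the key, which is why the article treats it as a real but bounded weakness.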

What they said 

Even if it doesn’t affect the most sensitive data, this has been getting some attention.

___________________________________________________________________________________________________________________________

Want to get ahead of the stories? Join the conversations as they happen with the Vulcan Cyber community Slack channel
