CrowdStrike Publishes Technical Root Cause Analysis of Faulty Falcon Update
Cybersecurity giant CrowdStrike has released a comprehensive technical root cause analysis detailing the events that led to a problematic Falcon sensor update on July 19, 2024. The incident caused system crashes for some Windows users and prompted a swift response from the company.
The investigation shows that the problem came from a complicated interaction of factors within CrowdStrike’s Rapid Response Content delivery system.
At the core of the problem was a mismatch between the number of input fields expected by the sensor’s Content Interpreter and those provided by a new Template Type introduced in February 2024.
According to the report, the IPC (Interprocess Communication) Template Type was designed to expect 21 input fields, but the sensor code only supplied 20. This discrepancy went undetected during the development and testing phases, partly due to the use of wildcard matching criteria in the 21st field during initial deployments.
The crashes began when a new version of Channel File 291 was deployed on July 19, introducing a non-wildcard matching criterion for the 21st input parameter. Evaluating that criterion forced the Content Interpreter to read the 21st field of a 20-field input, an out-of-bounds memory read that crashed affected sensors.
CrowdStrike has outlined several key findings and corresponding mitigations:
Implementation of compile-time validation for template-type input fields
Addition of runtime array bounds checks in the Content Interpreter
Expansion of Template Type testing to cover a wider variety of matching criteria
Correction of a logic error in the Content Validator
Introduction of staged deployment for Template Instances
Provision of customer control over Rapid Response Content updates
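The field-count mismatch and the runtime bounds check described above, as an added illustration in C that is not CrowdStrike's code: the struct names, the integer criteria, the WILDCARD value and the `evaluate` helper are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the mismatch in the RCA: a Template Type declaring
 * 21 fields is evaluated against sensor input that carries only 20. Names
 * and types are illustrative, not CrowdStrike's code. */
#define TEMPLATE_FIELDS 21
#define SENSOR_FIELDS   20
#define WILDCARD        (-1)   /* criterion that matches any value */

typedef struct { int criteria[TEMPLATE_FIELDS]; } template_instance;
typedef struct { const int *values; size_t count; } sensor_input;

/* Pre-fix interpreter: trusts the template's field count. A wildcard in
 * field 21 skips the read and hides the bug; a concrete criterion there
 * reads values[20], one element past a 20-element buffer. */
bool match_unchecked(const template_instance *t, const sensor_input *in) {
    for (size_t i = 0; i < TEMPLATE_FIELDS; i++) {
        if (t->criteria[i] == WILDCARD) continue;
        if (in->values[i] != t->criteria[i]) return false; /* OOB when i == 20 */
    }
    return true;
}

/* Post-fix interpreter: bounds check before every read (the runtime array
 * bounds check the RCA lists). Returns -1 when the template references a
 * field the input lacks, so the instance is rejected instead of read. */
int match_checked(const template_instance *t, const sensor_input *in, bool *matched) {
    for (size_t i = 0; i < TEMPLATE_FIELDS; i++) {
        if (t->criteria[i] == WILDCARD) continue;
        if (i >= in->count) return -1;
        if (in->values[i] != t->criteria[i]) { *matched = false; return 0; }
    }
    *matched = true;
    return 0;
}

/* Evaluates a template whose first 20 criteria are 0 against 20 zero-valued
 * sensor fields, so only the 21st criterion decides. With checked == false
 * the pre-fix path runs; pass WILDCARD there to stay in bounds. Returns
 * 1/0 for match/no match, or -1 when the checked path rejects the template. */
int evaluate(int field21, bool checked) {
    int fields[SENSOR_FIELDS] = {0};
    sensor_input in = { fields, SENSOR_FIELDS };
    template_instance t = {{0}};
    bool matched = false;
    t.criteria[TEMPLATE_FIELDS - 1] = field21;
    if (!checked) return match_unchecked(&t, &in) ? 1 : 0;
    return match_checked(&t, &in, &matched) < 0 ? -1 : (matched ? 1 : 0);
}
```

A wildcard in the 21st field keeps even the unchecked path in bounds, which is why the February template passed testing; the same template with a concrete 21st criterion is rejected by the checked path rather than read past the buffer.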
The company has engaged two independent third-party software security vendors to conduct further reviews of the Falcon sensor code and its end-to-end quality process.
This morning, we published the Root Cause Analysis (RCA) detailing the findings, mitigations and technical details of the July 19, 2024, Channel File 291 incident. We apologize unreservedly and will use the lessons learned from this incident to become more resilient and better…
— CrowdStrike (@CrowdStrike) August 6, 2024
CrowdStrike emphasized that as of July 29, approximately 99% of Windows sensors were back online compared to pre-incident levels. A sensor software hotfix addressing the issue is scheduled for general availability by August 9, 2024.
The post CrowdStrike Publishes Technical Root Cause Analysis of Faulty Falcon Update appeared first on Cyber Security News.
ICS Patch Tuesday: Siemens and Schneider Electric Release Patches for 50 Vulnerabilities
Siemens and Schneider Electric have published nine new security advisories that together address 50 vulnerabilities affecting their industrial products.
Recently, Schneider Electric and Siemens Energy disclosed that they were targeted in the Cl0p ransomware group’s campaign exploiting a MOVEit zero-day vulnerability.
Siemens published five new advisories informing customers of fixes for more than 40 vulnerabilities.
In its Simatic CN 4100 communication system, Siemens fixed a ‘high-severity’ flaw that could allow an attacker to bypass network isolation, as well as a ‘critical’ flaw that could be exploited to obtain administrative access and take full control of the device.
The company patched 21 vulnerabilities in Ruggedcom ROX products, including flaws that could be exploited to steal data, execute arbitrary commands or code, cause a denial-of-service (DoS) condition, or perform arbitrary actions via CSRF attacks.
Most of these flaws carry ‘critical’ or ‘high’ severity ratings, and some affect third-party components.
More than a dozen vulnerabilities, including ‘critical’ and ‘high-severity’ issues, have been fixed in Simatic MV500 optical readers, including in the device’s web server and third-party components. Exploitation could lead to information disclosure or DoS.
Six ‘high-severity’ issues in the Tecnomatix Plant Simulation software have also been patched.
By convincing a targeted user to open specially crafted files, an attacker could crash the application or possibly execute arbitrary code.
Additionally, Siemens fixed a serious DoS problem affecting the SiPass access control system.
There are four new advisories from Schneider Electric. They address six weaknesses in the company’s products as well as over a dozen problems impacting a third-party component, the Codesys runtime system V3 communication server.
Reports say the PacDrive and Modicon controllers, Harmony HMIs, and the SoftSPS simulation runtime integrated with EcoStruxure Machine Expert are all affected by the Codesys weaknesses. Exploiting the security flaws may result in remote code execution and DoS.
Schneider fixed two high-severity and two medium-severity flaws in the StruxureWare Data Center Expert (DCE) monitoring software that could have allowed unauthorized access or remote code execution.
Further, a ‘medium-severity’ information disclosure weakness has been patched in the EcoStruxure OPC UA Server Expert product, while a high-severity vulnerability has been addressed in the Accutech Manager sensor application.
The post ICS Patch Tuesday: Siemens and Schneider Electric Release Patches for 50 Vulnerabilities appeared first on Cyber Security News.
CISA Reveals Guidance For Implementation of Encrypted DNS Protocols
“Encrypted DNS Implementation Guidance,” a detailed document from the Cybersecurity and Infrastructure Security Agency (CISA), tells government agencies how to improve their cybersecurity by using encrypted Domain Name System (DNS) protocols.
The guidance aligns with Memorandum M-22-09 from the Office of Management and Budget (OMB), which lays out a “zero trust” cybersecurity strategy for departments in the Federal Civilian Executive Branch (FCEB).
The document, released in April 2024, details how federal agencies are to meet federal requirements for encrypting DNS traffic.
As required by M-22-09 and 6 U.S.C. § 663 Note, Agency Responsibilities, it stresses the use of CISA’s Protective DNS service for all outgoing DNS resolution.
The guidelines help agency network professionals use the most up-to-date technology tools to protect DNS infrastructure.
OMB posted Memorandum M-22-09, the Federal Zero Trust Strategy, on January 26, 2022, to back up Executive Order 14028, “Improving the Nation’s Cybersecurity.”
This plan requires all DNS traffic within FCEB agencies to be encrypted by FY24. The document’s goal is to help agencies use encrypted DNS protocols that align with these zero-trust concepts.
Checklist for Agency Implementation
The guidance lists the key requirements and recommended practices for encrypting DNS traffic and using CISA’s Protective DNS for upstream DNS resolution. The checklist includes:
Configuring agency DNS infrastructure to support encrypted DNS protocols.
Using Protective DNS as the upstream provider.
Disabling DNS Root Hints and other mechanisms that might bypass Protective DNS.
Configuring SASE/SSE solutions to send all device DNS queries through encrypted protocols.
Ensuring on-premises and roaming endpoints use authorized DNS configurations.
Phased Implementation
Given the complexity of transitioning to encrypted DNS, the guidance recommends a phased approach:
Use Protective DNS: Configure internal DNS infrastructure to use Protective DNS.
Block Unauthorized DNS Traffic: Configure networks to block unauthorized DNS traffic.
Encrypt DNS Traffic with Protective DNS: Use encrypted DNS when communicating with Protective DNS.
Encrypt DNS for Roaming and Nomadic Endpoints: Configure endpoints to use SASE/SSE solutions for DNS requests.
Encrypt DNS Traffic in Cloud Deployments: Configure cloud deployments to use encrypted DNS.
Encrypt DNS Traffic for On-Premises Endpoints: Support encrypted DNS protocols for on-premises endpoints.
The document gives detailed technical instructions on using CISA’s Protective DNS service and encrypting DNS traffic. It covers the encrypted DNS protocols DNS-over-HTTPS, DNS-over-TLS and DNS-over-QUIC, and explains how Protective DNS can be used to stop endpoints from resolving malicious names.
Vendor-specific implementation guidance for web browsers, operating systems and DNS servers is included in Appendix A.
It gives configuration instructions for Firefox, Chrome, Safari, Microsoft Windows, macOS, iOS/iPadOS, BIND DNS Server, Microsoft DNS Server, Azure Private DNS Server, and Infoblox DNS Appliance so that each supports encrypted DNS protocols.
CISA’s “Encrypted DNS Implementation Guidance” is a key reference for government agencies seeking to improve their security posture through encrypted DNS protocols.
Although it is written primarily for FCEB agencies, other organizations may find it useful for their own zero-trust efforts. The document is marked for unrestricted disclosure and sharing.
The post CISA Reveals Guidance For Implementation of Encrypted DNS Protocols appeared first on Cyber Security News.