New studies show less than a third of organizations use software bills of materials (SBoMs), but momentum is building to boost that number.

While the drumbeat grows louder for widespread adoption of software bills of materials (SBoM) in IT environments, the reality remains that relatively few organizations consistently implement SBoMs to track the software components used within their application portfolios.

A recent study by ReversingLabs, conducted by Dimensional Research, found that less than a third of companies today use SBoMs. Among those, half said the process of generating and reviewing SBoMs involve manual steps – an onerous process when there are thousands of pieces of code potentially in the mix.

Still, security experts increasingly believe that SBoMs are a foundational step for understanding and managing software supply chain risks. Modern development practices have pushed most software engineering teams to avoid reinventing the wheel when building common functions into their software and instead use open source libraries and packages that have already been developed by the community. Doing so makes their work faster and more predictable, but if there’s no governance or visibility into which components they use, the risk from vulnerabilities can quickly grow unmanageable. 

SBoMs help development teams understand what code is operating under the hood of their applications and to pinpoint when underlying components are found to be vulnerable.

Given the low prevalence of SBoMs reported by the ReversingLabs survey participants, it should come as no surprise that nearly half of them also admit they’re unprepared to protect their software from supply chain attacks.

Application security advocates in industry groups, open source communities, and government agencies alike are all involved in efforts to increase the prevalence of SBoMs and, in turn, improve the state of software supply chain security. In the past several weeks, these groups have launched three different initiatives aimed at not only boosting the rate at which SBoMs are generated, but also the effectiveness in how organizations use them to protect their software.

**CISA Listening Groups**

Last week the Cybersecurity and Infrastructure Security Agency (CISA) announced a series of public listening sessions scheduled for July aimed at gathering members of the software and security communities to discuss how to improve SBoMs best practices and standards.

“CISA believes that the concept of SBOM and its implementation need further refinement,” the agency wrote in a Federal Register post. “Work to help scale and operationalize SBOM implementation should continue to come from a broad-based community effort, rather than be dictated by any specific entity.”

The listening session topics that CISA will facilitate include cloud and online applications, sharing and exchanging SBoMs, tools and implementation, and on-ramps and adoption.

**OpenSSF Action Plan**

Last month at the Open Source Software Security Summit in Washington, DC, the Linux Foundation and the Open Source Security Foundation (OpenSSF) unveiled a 10-point security mobilization plan for improving the state of open source and commercial software worldwide.

Among the recommended priorities was getting SBoMs in place everywhere by focusing on improving SBoM tooling, training, and advocacy across the industry to normalize SBoM creation and consumption.

“The more ubiquitous SBOMs are, the more valuable they can be to the industry. Generally, we believe that SBOMs should be produced automatically via well-vetted tools every time that software is built or distributed,” the document explained. “To get to the point where SBOMs are ubiquitous in software distributions, we need to remove all friction for adoption."

The Linux Foundation and OpenSSF are planning on targeting $3.2 million in investments in the first year of their work on this SBoM initiative.

**OWASP CycloneDX API Rollout**

In order to create an easily operationalized SBoM, software and security teams need a consistent and standardized way to communicate bill-of-materials information – including everything from licensing and copyright information to security-related metadata such as versioning.

The two major choices of standards on this front are SPDX (a Linux Foundation Project) and CycloneDX, a lightweight SBoM standards project by OWASP. The OpenSSF action plan will continue to refine and move forward the SPDX standard. Meantime, OWASP continues to move the ball forward with OWASP. Most notably, last month OWASP launched the draft version of a new BOM Exchange API that’s designed to standardize how bills of materials are published and retrieved independent of the software ecosystem.

“There are lots of products and tools being released that support the production and consumption of SBOMs in standard data formats, but we haven’t had a standard way to transfer SBOMs between systems,” says Patrick Dwyer, co-leader of the CycloneDX standard. “With the release of this API specification, products and tools can start transferring this data in a standard way, enabling greater out-of-the-box integration across the SBOM product and tool ecosystem.”

Gathering Momentum: 3 Steps Forward to Expand SBoM Use

Plus: The US admits to cyber operations supporting Ukraine, SCOTUS investigates its own, and a Michael Flynn surveillance mystery is solved.

Not to freak out anyone, but there's a serious flaw in all supported versions of Microsoft Windows that allows attackers to take over your machine. The so-called Follina vulnerability can be exploited using a weaponized Word document, and security researchers say they've already spotted government-backed hackers using this attack in the wild. Fingers crossed that Microsoft, which has downplayed the severity of the flaw, issues a patch soon.

Speaking of patches, everything from Apple's iOS and Google Android to Chrome, Firefox, and Zoom received major security updates in May. Check out our complete list of available updates to see which apps you need to attend to as soon as possible.

We also explored the race to protect your voice from hackers and corporate greed. And we tried to unravel the mystery of China's sudden warnings about US state-sponsored hackers going after Chinese systems, despite the fact that these hacks are well known and happened ages ago.

Meanwhile, in India, the country's telecom regulator is preparing to crack down on robocall spam and scammers by requiring callers' names to appear on caller ID. The idea sounds good—until you realize the privacy implications and the fact that such a plan might not even work.

Finally, because nothing's sacred, Canada's privacy commissioner this week announced that a mobile app for Tim Hortons, the beloved coffee chain, illegally spied on its users' locations. The app, which used location-tracking tech from US-based firm Radar, collected a constant stream of users' location data—checking as frequently as every 2.5 minutes—and would create an “event” anytime a user “entered or left” their home, office, major sports complex, or rival coffee shop, according to the commissioner's office.

But that's not all, folks. Each week, we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there. 

If you lived in Illinois between May 1, 2015, and April 25, 2022, Google may owe you some cash. The company recently settled a class-action lawsuit over a feature in the Google Photos app that categorized photos of people based on their faces. The problem? According to the lawsuit, Google failed to receive consent to do so from millions of users, a violation of the state's Biometric Information Privacy Act. Google did not admit fault as part of the settlement, but it has agreed to pay $100 million and put in place measures to avoid further privacy violations. If you were an Illinois resident during that seven-year period and appeared in a photo uploaded to the Google Photos app, you can file a claim for your piece of the $100 million pie.

The blurry line between “at war” and “not at war” grew even fuzzier this week. General Paul Nakasone, the head of US Cyber Command and the NSA, told Sky News that the US military has conducted “a series of operations across the full spectrum," including “offensive, defensive, and information operations” in support of Ukraine's defense against Russia's invasion. Nakasone declined to detail what these operations entailed but assured that they were perfectly legal. The general's admission coincides with the US agreeing to provide Ukraine with advanced missile systems with a range of 50 miles. The Kremlin responded to this news by saying the US was “pouring fuel on the fire.”

As part of the US Supreme Court's investigation into the leak of a draft opinion overturning guaranteed abortion rights in the United States, the Court's clerks have been asked to turn over their private phone records and sign an affidavit, according to CNN. The “unprecedented” move is jarring for civil liberties advocates. As Albert Fox Cahn, found of the Surveillance Technology Oversight Project, writes for WIRED: “The intrusive probe reveals a disturbing about-face from the Supreme Court, and particularly Chief Justice John Roberts, on surveillance powers.” The clerks, meanwhile, are reportedly hesitant to refuse the demand for phone records or seek legal counsel for fear of being wrongly suspected of leaking the draft opinion to _Politico_ reporters.

A Trump-era conspiracy theory can finally be put to rest—theoretically, at least. A 52-page classified report into the “unmasking” of Michael Flynn, a former US national security adviser to Donald Trump, has now been made public thanks to a Freedom of Information Act request filed by Jason Leopold of Buzzfeed News. Republicans have long accused Obama administration operatives of revealing Flynn's name in classified material for political purposes in the lead-up to the 2016 election. But the Justice Department report, prepared by former US Attorney John Brash, found “no evidence that unmasking requests were made for political purposes or other inappropriate reasons during the 2016 election period or the ensuing transition period." Flynn ultimately resigned in 2017 for misleading vice president Mike Pence about Flynn’s calls with Russia's ambassador to the US.

Google May Owe You a Chunk of $100 Million

May 2022 saw the continued dominance of LockBit, and a possible disbursement of the Conti gang into other ransomware groups.
The post Ransomware: May 2022 review appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.

**Conti sleight of hand?**

Although LockBit remained the most widely-deployed ransomware in May 2022, it was, typically, Conti that sucked all of the air out of the room.

Conti ransomware and the group that distributes it has been a dangerous, noisy presence in the ransomware ecosystem since 2020. It has been involved in hundreds of attacks, including the horrific disabling of Ireland’s Health Service Executive, and according to the FBI, it is “the costliest strain of ransomware ever documented”, having raked in over $150 million in ransom payments.

Recently, the group has had its troubles. On February 27, an individual with access to the group’s inner-workings started leaking a treasure trove of data that included source code, files, and tens of thousands of internal chat messages. Not long after, a hacking group began using the leaked source code to attack targets inside Russia, violating one of ransomware’s unspoken rules. And at the start of this month, the FBI put a $10 million bounty on the group’s head.

On May 8 the newly-inaugurated president of Costa Rica declared a national emergency across the country’s public sector, in response to the continuing effects of a devastating Conti ransomware attack carried out in April. On the same day, an inflammatory message appeared on the group’s leak site, alongside a leak of 672 GB of stolen data.

The message itself is the usual grandiose puffery: It took a swing at US President Joe Biden—”this old fool will soon die”, claimed the attack had been carried out by just two people, and threatened that Costa Rica was just a “Demo version” of what was to come.

You would be forgiven for thinking that despite recent travails, Conti is going strong.

But according to an in-depth analysis by Advintel though, that’s what it wants you to think. It says that far from being in rude health, the Conti brand is in the process of disbanding and that the attacks on Costa Rica were a deliberately showy act from an operation being run by a skeleton crew.

It seems that the decision to offer its “full support of Russian government” in February, following the invasion of Ukraine, may have been a fatal error. By aligning itself to the Russian state it had made ransom payments a potential sanctions violation, killing the group’s income.

Advintel asserts that as a result the Conti group has been “silently creating subdivisions that began operations before the start of the shutdown process.” These subdivisions—said to include KaraKurt, BlackByte, BlackBasta—are supposed to establish themselves before Conti disappears to avoid the kind of shallow and transparent rebrand some other groups have pursued.

Malwarebytes Threat Intel has been able to confirm that there was an internal announcement about the shutdown for affiliates, and that the group’s internal chat servers are down, although the leak site is still operational, and updated almost daily with additional data.

**Ransomware attacks in May 2022**

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In May, LockBit remained by far the most widely-used ransomware. Conti remained active, but its activity was significantly reduced compared to recent months. Notably, three of the four groups that have overtaken it—Black Basta, Hive, and ALPHV—are linked to the alleged Conti disbandment. Intriguingly, Hive was named as the ransomware used in an attack on Costa Rica’s national health service on May 31.

The USA remained far and away the country most badly affected by ransomware attacks in May, and services the industry sector more likely to be attacked.

Known ransomware attacks by group, May 2022

Known ransomware attacks by country, May 2022

Known ransomware attacks by industry, May 2022

****Ransomware mitigations****

Source: IC3.gov

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
*   Implement network segmentation, such that all machines on your network are not accessible from every other machine.
*   Install and regularly update antivirus software on all hosts, and enable real-time detection.
*   Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
*   Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
*   Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
*   Consider adding an email banner to emails received from outside your organization.
*   Disable hyperlinks in received emails.
*   Use double authentication when logging into accounts or services.
*   Ensure routine auditing is conducted for all accounts.
*   Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

****How Malwarebytes protects against ransomware****

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Ransomware: May 2022 review

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contains an open port vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and arbitrary code execution.

**Vaikutus**

Critical

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-22556

Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in PowerStore User Interface. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to the Denial of Service.

3.7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-22557

Dell PowerStore contains Plain-Text Password Storage Vulnerability in version 2.0.0.x. and 2.0.1.x. A locally authenticated attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-26866

Dell PowerStore contains a Stored Cross-Site Scripting Vulnerability, an authenticated attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

5.5

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CVE-2022-26867

Dell PowerStore contains formula injection vulnerability in which it supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It may allow a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.

5.9

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CVE-2022-26868

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

6.4

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-26869

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contain an open port vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to information disclosure, arbitrary code execution.

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-26870

Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. A remote unauthenticated attacker may  potentially exploit this vulnerability when both Remote Secure Credential and External SSH are enabled. An attacker would gain “service” account access upon successful exploit.

7.0

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

 

**Third-Party Component**

**CVEs**

**More Information**

NVMe SSD

CVE-2021-0148

Intel-SA-00535

Axios

CVE-2020-28168

See NVD (http://nvd.nist.gov/) for individual scores of each CVE.

bind-libs  
bind-libs-lite  
bind-utils  
bind-license

CVE-2021-25215

glib2

CVE-2021-27219

gupnp

CVE-2021-33516

java-1.8.0-openjdk

CVE-2021-2369

CVE-2021-2388

CVE-2021-2341

libldb

CVE-2021-20277

libwbclient

CVE-2021-20254

Lo-dash

CVE-2021-23337

CVE-2020-28500

CVE-2020-8203

Log4j

CVE-2021-45105

CVE-2021-44832

CVE-2022-23307

nettle

CVE-2021-20305

nss  
nss-sysinit  
nss-tools

CVE-2020-25648

openldap

CVE-2020-25692

pillow

CVE-2021-28675

CVE-2021-28676

CVE-2021-25288

CVE-2021-25287

CVE-2021-28677

CVE-2021-28678

postgres

CVE-2021-20229

CVE-2021-32027

CVE-2021-3393

postgres-libs

CVE-2021-32027

postgresql-libs

CVE-2019-10208

CVE-2020-25694

CVE-2020-25695

samba-common  
samba-client-libs  
samba-common-libs libwbclient

CVE-2021-20254

screen version

CVE-2021-26937

urllib3

CVE-2021-33503

xterm

CVE-2021-27135

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-22556

Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in PowerStore User Interface. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to the Denial of Service.

3.7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-22557

Dell PowerStore contains Plain-Text Password Storage Vulnerability in version 2.0.0.x. and 2.0.1.x. A locally authenticated attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-26866

Dell PowerStore contains a Stored Cross-Site Scripting Vulnerability, an authenticated attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

5.5

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CVE-2022-26867

Dell PowerStore contains formula injection vulnerability in which it supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It may allow a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.

5.9

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CVE-2022-26868

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

6.4

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-26869

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contain an open port vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to information disclosure, arbitrary code execution.

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-26870

Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. A remote unauthenticated attacker may  potentially exploit this vulnerability when both Remote Secure Credential and External SSH are enabled. An attacker would gain “service” account access upon successful exploit.

7.0

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

 

**Third-Party Component**

**CVEs**

**More Information**

NVMe SSD

CVE-2021-0148

Intel-SA-00535

Axios

CVE-2020-28168

See NVD (http://nvd.nist.gov/) for individual scores of each CVE.

bind-libs  
bind-libs-lite  
bind-utils  
bind-license

CVE-2021-25215

glib2

CVE-2021-27219

gupnp

CVE-2021-33516

java-1.8.0-openjdk

CVE-2021-2369

CVE-2021-2388

CVE-2021-2341

libldb

CVE-2021-20277

libwbclient

CVE-2021-20254

Lo-dash

CVE-2021-23337

CVE-2020-28500

CVE-2020-8203

Log4j

CVE-2021-45105

CVE-2021-44832

CVE-2022-23307

nettle

CVE-2021-20305

nss  
nss-sysinit  
nss-tools

CVE-2020-25648

openldap

CVE-2020-25692

pillow

CVE-2021-28675

CVE-2021-28676

CVE-2021-25288

CVE-2021-25287

CVE-2021-28677

CVE-2021-28678

postgres

CVE-2021-20229

CVE-2021-32027

CVE-2021-3393

postgres-libs

CVE-2021-32027

postgresql-libs

CVE-2019-10208

CVE-2020-25694

CVE-2020-25695

samba-common  
samba-client-libs  
samba-common-libs libwbclient

CVE-2021-20254

screen version

CVE-2021-26937

urllib3

CVE-2021-33503

xterm

CVE-2021-27135

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Products**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-22557

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions 2.0.0.x and 2.0.1.x  
\*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x and 2.0.1.x  
\*PowerStore X OS versions 1.0.x.x are not affected.

PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore T OS Upgrade 2.1.0.1-1602345

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

https://www.dell.com/support/home/?app=drivers

CVE-2022-22556

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions before PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887

PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore T OS Upgrade 2.1.0.1-1602345

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS”  
PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2021-0148

CVE-2020-28168

CVE-2021-25215

CVE-2021-27219

CVE-2021-33516

CVE-2021-2369

CVE-2021-2388

CVE-2021-2341

CVE-2021-20277

CVE-2021-20254

CVE-2021-23337

CVE-2020-28500

CVE-2020-8203

CVE-2020-25692

CVE-2021-28675

CVE-2021-28676

CVE-2021-25288

CVE-2021-25287

CVE-2021-28677

CVE-2021-28678

CVE-2021-20229

CVE-2021-32027

CVE-2021-3393

CVE-2019-10208

CVE-2020-25694

CVE-2020-25695

CVE-2021-20254

CVE-2021-26937

CVE-2021-33503

CVE-2021-27135

CVE-2022-26867

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions before PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2022-26867

CVE-2021-45105

CVE-2021-44832

CVE-2022-23307

CVE-2022-26868

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x  
\*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x  
\*PowerStore X OS versions 1.0.x.x are not affected.

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2022-26869

CVE-2022-26870

PowerStore T OS

PowerStore T OS versions 2.1.0.x  
\*PowerStore T OS 1.0.x.x, 2.0.0.x, 2.0.1.x are not affected

PowerStore T OS Upgrade 2.1.1.0-1649887  
 

**CVEs Addressed**

**Products**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-22557

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions 2.0.0.x and 2.0.1.x  
\*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x and 2.0.1.x  
\*PowerStore X OS versions 1.0.x.x are not affected.

PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore T OS Upgrade 2.1.0.1-1602345

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

https://www.dell.com/support/home/?app=drivers

CVE-2022-22556

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions before PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887

PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore T OS Upgrade 2.1.0.1-1602345

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS”  
PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2021-0148

CVE-2020-28168

CVE-2021-25215

CVE-2021-27219

CVE-2021-33516

CVE-2021-2369

CVE-2021-2388

CVE-2021-2341

CVE-2021-20277

CVE-2021-20254

CVE-2021-23337

CVE-2020-28500

CVE-2020-8203

CVE-2020-25692

CVE-2021-28675

CVE-2021-28676

CVE-2021-25288

CVE-2021-25287

CVE-2021-28677

CVE-2021-28678

CVE-2021-20229

CVE-2021-32027

CVE-2021-3393

CVE-2019-10208

CVE-2020-25694

CVE-2020-25695

CVE-2021-20254

CVE-2021-26937

CVE-2021-33503

CVE-2021-27135

CVE-2022-26867

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions before PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2022-26867

CVE-2021-45105

CVE-2021-44832

CVE-2022-23307

CVE-2022-26868

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x  
\*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x  
\*PowerStore X OS versions 1.0.x.x are not affected.

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2022-26869

CVE-2022-26870

PowerStore T OS

PowerStore T OS versions 2.1.0.x  
\*PowerStore T OS 1.0.x.x, 2.0.0.x, 2.0.1.x are not affected

PowerStore T OS Upgrade 2.1.1.0-1649887  
 

**Versiohistoria****Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Tämän Dell Technologiesin tietoturvatiedotteen tiedot on luettava, ja niiden avulla voidaan välttää tilanteita, jotka voivat johtua tässä kuvatuista ongelmista. Dell Technologiesin tietoturvatiedotteet tuovat tärkeitä tietoturvatietoja haavoittuvuudelle alttiiden tuotteiden käyttäjien tietoon. Dell Technologies arvioi riskin perustuen asennettujen järjestelmien hajautetun joukon keskimääräisiin riskeihin, eikä se välttämättä vastaa paikallisen asennuksen ja yksittäisen ympäristön todellista riskiä. Suositus on, että kaikki käyttäjät ratkaisevat näiden tietojen sovellettavuuden yksittäisten ympäristöjen mukaan ja ryhtyvät tarvittaviin toimenpiteisiin. Tässä esitetyt tiedot annetaan "sellaisenaan" ilman minkäänlaista takuuta. Dell Technologies kiistää kaikki suorat tai epäsuorat takuut, mukaan lukien takuut soveltuvuudesta kaupankäynnin kohteeksi, sopivuudesta tiettyyn käyttötarkoitukseen, omistusoikeudesta ja loukkaamattomuudesta. Dell Technologies, sen tytäryhtiöt tai toimittajat eivät missään tilanteessa ole vastuussa mistään vahingoista, jotka johtuvat tässä asiakirjassa mainituista tiedoista tai toimenpiteistä, joihin käyttäjä päättää ryhtyä. Tämä koskee kaikkia suoria, epäsuoria, satunnaisia, välillisiä, liikevoiton menetykseen liittyviä tai erityisluontoisia vahinkoja, vaikka Dell Technologies tai sen tytäryhtiöt tai toimittajat olisivat saaneet tiedon tällaisten vahinkojen mahdollisuudesta. Jotkin osavaltiot eivät salli satunnaisten tai seuraamuksellisten vahinkojen vastuun poistamista tai rajoittamista, joten edellä mainittua rajoitusta sovelletaan vain lain sallimassa laajuudessa.

PowerStore, PowerStore 1000X, PowerStore 1000T, PowerStore 3000X, PowerStore 3000T, PowerStore 5000X, PowerStore 5000T, PowerStore 500T, PowerStore 7000X, PowerStore 7000T, PowerStore 9000X, PowerStore 9000T, Product Security Information

21 huhtik. 2022

CVE-2022-26869: DSA-2022-014: Dell EMC PowerStore Family Security Update for Multiple Vulnerabilities

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

CVE-2022-32250: security - Linux Kernel use-after-free write in netfilter

79% of CISOs say continuous runtime vulnerability management is an essential capability to keep up with the expanding complexity of modern multi-cloud environments.

WALTHAM, Mass.--(BUSINESS WIRE)--Software intelligence company Dynatrace (NYSE: DT) announced today the findings of an independent global survey of 1,300 chief information security officers (CISOs) in large-size organizations. The research reveals that the speed and complexity created by using multicloud environments, multiple coding languages, and open source software libraries are making vulnerability management more difficult. 75% of CISOs say that despite having a multi-layered security posture, persistent coverage gaps allow vulnerabilities into production. This highlights the growing need for observability and security to converge, paving the way toward AISecDevOps practices. This will empower organizations with a more effective way of managing vulnerabilities at runtime, and the ability to detect and block attacks in real time. The complimentary report, _Observability and security must converge to enable effective vulnerability management_, is available for download.

Findings from the research include:

*   69% of CISOs say vulnerability management has become more difficult as the need to accelerate digital transformation has increased.
*   More than three-quarters (79%) of CISOs say that automatic, continuous runtime vulnerability management is key to filling the gap in the capabilities of existing security solutions. However, just 4% of organizations have real-time visibility into runtime vulnerabilities in containerized production environments.
*   Only 25% of security teams can access a fully accurate, continuously updated report of every application and code library running in production in real time.

“These findings underscore that there are always opportunities for vulnerabilities to slip past security teams, regardless of how robust their defenses might be. Both new applications and stable legacy software are prone to vulnerabilities that are more reliably detected in production. Log4Shell was the poster child for this problem, and there will undoubtedly be other scenarios like it in the future,” said Bernd Greifeneder, Chief Technology Officer at Dynatrace. “It’s also clear that most organizations still lack real-time visibility into runtime vulnerabilities. The problem stems from the growing use of cloud-native delivery practices, which enable greater business agility, but also introduce new complexity for vulnerability management, attack detection, and blocking. The rapid pace of digital transformation means that already overstretched teams are bombarded by thousands of security alerts that make it impossible to see through the noise and focus on what matters. Teams find it impossible to respond manually to every alert, and organizations are exposed to unnecessary risk by allowing vulnerabilities to escape into production.”

Additional findings include:

*   On average, organizations receive 2,027 alerts of potential application security vulnerabilities each month.
*   Less than a third (32%) of the application security vulnerability alerts organizations receive each day require action, compared to 42% last year.
*   On average, application security teams waste 28% of their time on vulnerability management tasks that could be automated.

“Organizations realize that to manage vulnerabilities in the cloud-native era effectively, security must become a shared responsibility. The convergence of observability and security is critical to providing development, operations, and security teams with the context needed to understand how their applications are connected, where the vulnerabilities lie, and which need to be prioritized. This accelerates risk management and incident response,” continued Greifeneder. “To be truly effective, organizations should look for solutions that have AI and automation capabilities at their core, enabling AISecDevOps. These solutions empower their teams to quickly identify and prioritize vulnerabilities at runtime, block attacks in real time, and remediate software flaws before they can be exploited. This means teams can stop wasting time in war rooms or chasing false positives and potential vulnerabilities that will never make it into production. Instead, they confidently deliver better, more secure software faster.”

The report is based on a global survey of 1,300 CISOs in large-size organizations with more than 1,000 employees, conducted by Coleman Parkes and commissioned by Dynatrace in April 2022. The sample included 200 respondents in the U.S., 100 each in the UK, France, Germany, Spain, Italy, the Nordics, the Middle East, Australia, and India, and 50 each in Singapore, Malaysia, Brazil, and Mexico.

**About Dynatrace**

Dynatrace (NYSE: DT) exists to make the world’s software work perfectly. Our unified software intelligence platform combines broad and deep observability and continuous runtime application security with the most advanced AIOps to provide answers and intelligent automation from data at an enormous scale. This enables innovators to modernize and automate cloud operations, deliver software faster and more securely, and ensure flawless digital experiences. That is why the world’s largest organizations trust the Dynatrace® platform to accelerate digital transformation.

Curious to see how you can simplify your cloud and maximize the impact of your digital teams? Let us show you. Sign up for a free 15-day Dynatrace trial.

Research Reveals 75% of CISOs Are Worried Too Many Application Vulnerabilities Leak Into Production, Despite a Multi-Layered Security Approach

As insurers and brokers reckon with unexpected losses, they're charging more for policies and setting higher requirements.

Chaos reigns in the cyber insurance market. Brokers and cyber insurance carriers — the companies that actually offer the policies — are tightening requirements on what applicants need to do to obtain policies due to losses the insurers have suffered from ransomware coverage. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Jess Burn, senior analyst at Forrester. .

Organizations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Despite the value many organizations put on cyber insurance — in some cases, they're required to carry it to comply with regulations — obtaining such policies is getting more difficult.

While raising premiums, some insurers are reducing coverage. If an organization bought $10 million worth of coverage for a given price in 2021, for example, renewing that policy in 2022 might see the coverage amount fall to $3 million and the premiums for that lower coverage rise. This phenomenon is due, in part, to insurers trying to strike the right balance of customers' risk profile versus their risk-mitigation efforts.

In the recently released "2022 Voice of the CISO" report from Proofpoint, just 49% of CISOs at US-based organizations said they have cyber insurance and are confident that it will be there when needed. This is well below the 58% global average; Canada led the study at 88%, whereas the US ranked 11th worldwide. In that same report, 56% of global CISOs specifically cited the increase of ransomware attacks as a main driver of concern and a key reason to obtain cyber insurance.

**Losses Are Wreaking Havoc**

This situation was underscored in a March 2022 cyber insurance event, sponsored by cybersecurity vendor Sophos, called "Optimizing Your Cyber Insurance Position," where Marsh McLennan Agency (MMA) risk management consultant Marc Schein, national co-chair of the Cyber Center of Excellence, laid out why cyber insurers are revising their requirements for applicants and why their models needed to change.

Schein said the global average associated with ransomware recovery for 2021 was expected to reach roughly $20 billion. The frequency and severity of attacks are increasing, he said, and "insurers' rating models did not accurately predict some of the loss severity that they've actually been seeing \[with\] evolving privacy regulation."

Additionally, increasing regulatory fines and penalties "really have started to wreak havoc on the cyber insurance marketplace," Schein said.

The industry is seeing "increasing conservative limit deployment from certain carriers in response to an increase in volatility from large losses and deteriorating financial performance," he added. "They're not only raising prices, but they're also now starting to change the way that the coverage is structured."

Scott Godes, a partner with law firm Barnes & Thornburg, is a cyber insurance specialist. He agrees that major changes are occurring, noting that some carriers are implementing new exclusions and limitations on the types of coverage policyholders need the most. Nearly all carriers are raising their rates across the board.

"Carriers are getting significantly more aggressive on their claim positions," Godes says. "They are using outside counsel much more frequently to investigate, handle, and adjust claims. It seems very unlikely that carriers hire lawyers to adjust claims to give the most coverage possible to their insureds."

Insurers are finding that assumptions they made about potential losses, based on their experience with other insurance policies such as personal and property liability, are not accurate. Losses have been much higher on some cyber insurance policies over the past several years than insurers anticipated five years ago.

An August 2021 article in Canadian Underwriter highlighted the financial effect some of these assumptions are having on insurance companies' bottom line. "In cyber liability, total net premiums earned for the second half of 2021 were $94.15 million – $12.15 million from Canadian insurers and $82 million from foreign insurers," it reported. "But total net claims incurred (not including reinsurers' share but including adjustment expenses) were $106.26 million ($97.4 million from foreign insurers and $8.86 million from Canadian insurers), for a loss ratio of nearly 113%."

**Setting Baseline Security Controls**

Insurance brokers and carriers are responding to the higher losses from ransomware and unexpected costs by modifying how and to whom they write policies.

Insurers are beginning to require certain security controls be in place prior to sitting down with a prospect to discuss cyber insurance.

"What cyber insurance brokers and carriers want to see from policyholders is a real effort and investment made to reduce the likelihood of a ransomware attack and to be prepared to respond to one should it happen," Forrester's Burn says.

To that end, she recommends that organizations put the following controls in place immediately:

*   Securing Remote Desktop Protocol (RDP) and other remote access configurations.
*   Restricting macros from executing when downloaded from the Internet.
*   Establishing an incident response plan — companies must have playbooks for common attack scenarios like ransomware and business email compromises, and they must test those plans and playbooks regularly with tabletop exercises and crisis simulations.
*   Implementing multifactor authentication.
*   Implementing an offsite backup solution.

MMA's list of controls includes the above, plus the following:

*   Employee cybersecurity training.
*   Third-party risk management (TPRM).
*   Patch management.
*   Vulnerability management.
*   Endpoint detection and response (EDR) and managed detection and response (MDR).
*   Logging and monitoring.
*   End-of-life plan.
*   Email filtering.
*   Privileged access management (PAM).

TPRM is often poorly understood, since organizations have a difficult time determining the risks associated with their supply chains. It is even more difficult to determine the risk of a supply chain's supply chain.

Burn says she expects to see a new, focused breed of cyber insurance policies in the next 12 months to 18 months to cover the weakest link in the supply chain. What those policies will cover is still unwritten.

Turbulent Cyber Insurance Market Sees Rising Prices and Sinking Coverage

Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

CVE-2022-1982: Security Updates

SQL injection in Logon Page of IDCE MV's application, version 1.0, allows an attacker to inject SQL payloads in the user field, connecting to a database to access enterprise's private and sensitive information.

Olá!

Neste artigo eu comprovo a falha de SQL Injection no software de gestão de saúde IDCE da empresa MV Informática para a base do CVE-2022-30496.

Embora o software seja de uma versão antiga, lançada há alguns anos atrás, algumas empresas brasileiras de saúde ainda o utilizam em larga escala. A maioria das empresas o tem rodando apenas em redes locais ou protegidos por VPN. Porém ainda é possível encontrar este software vulnerável sendo utilizado abertamente através da internet e sem nenhuma proteção extra.

Aproveito para informar que a ação de coletar informações de serviços não é caracterizado crime, uma vez que foi utilizado um ambiente controlado de teste e nenhuma informação privada foi revelada. Esta matéria tem como fins apresentar os métodos utilizados por hackers para encontrar informações de empresas e apresentar aos desenvolvedores as falhas de segurança que suas aplicações web (portais, sites de atendimento, etc) possuem. Corrigir ou não é uma decisão dos desenvolvedores e gestores/clientes destas aplicações.

Por Iran Macedo, especialista em proteção de dados e segurança ofensiva / Pentest.

**A falha de SQLi**

O software testado foi o IDCE - MV Medicina Diagnóstica. Este software é utilizado por hospitais e seus médicos para gerarem laudos de exames médicos de pacientes. Mas não somente isso, pois pode controlar fluxo de pagamentos, gerenciar usuários, suas informações e permissões, dados de parceiros, de fornecedores e de clientes (pacientes) e outros serviços gerenciais relativos aos hospitais e clínicas.

Realizando o teste mais básico de SQL Injection, não conseguimos nada. Por exemplo, ao adicionar uma aspas simples ' no campo usuário, temos a resposta "Usuário e/ou Senha inválidos!", o que parece ser um bom sinal, uma vez que a aplicação parece tratar a entrada enviada pelo usuário antes de envia-la ao banco de dados.

**Time-Based Blind injection**

Para iniciar meus testes, fiz o envio de um usuário e senha inválidos, interceptei pelo Burp, copiei os dados de requisição e salvei num arquivo TXT, que foi utilizado pelo SQLMap como base da requisição através do parâmetro "-r".

Num teste anterior em um outro produto do desenvolvedor MV, vimos que o banco de dados utilizado era um Oracle. Desta forma as chances do desenvolvedor utilizar na epoca o Oracle como a solução de banco de dados para todas as suas aplicações é grande. Partindo deste princípio, configurei o meu SQLMap para testar todas os possíveis ataques (level 5 e risk 3) somente para banco Oracle nesta aplicação. Isso reduz a quantidade e o tempo de execução dos testes.

Como resultado, o campo testado (Usuário) pareceu ser vulnerável a um ataque de SQL Injection em Oracle e Time-Based Blind.

Ao final dos testes o SQLMap trouxe a confirmação da falha de segurança da aplicação, evidenciando o banco de dados encontrado (Oracle), a versão e o sistema operacional do servidor do banco de dados (Windows 2008 R2) e outras informações. Isto já é suficiente para comprovar a falha de segurança na aplicação.

Para ser mais conclusivo, outros dados não sensíveis foram capturados, como por exemplo o usuário utilizado pelo banco de dados e a base atualmente acessada.

E, para evidenciar que seria possível acessar todas as informações dentro desta base, pegamos os nomes das colunas de uma dada tabela utilizada pela aplicação IDCE.

Estas evidências são suficientes para comprovar a falha de segurança da aplicação, que acaba expondo as informações dentro do seu banco de dados.

Por ser um falha baseada em tempo de resposta às cegas (Time-Based Blind), este tipo de ataque pode levar muito tempo para ser executado.

**Correção da falha** _(informação atualizada)_

Conversando por vídeo conferência com o desenvolvedor em maio de 2020 e em junho de 2022, fui informado de que a MV Informática corrigiu as falhas apresentadas nesta versão testada. Desta forma, é recomendado que a solução de medicina diagnóstica IDCE seja utilizada sempre de forma atualizada. Infelizmente algumas empresas ainda utilizam versões desatualizadas e vulneráveis.

**Conclusão**

Mantenha o seu software atualizado e sempre utilize as versões mais atuais e estáveis. Utilizar softwares piratas pode parecer como uma solução viável e barata para quem não quer gastar dinheiro pagando por programas licenciados. Mas lembre-se de que isto não é legal (no termo jurídico da palavra), além de não ter as atualizações necessárias para mantê-lo seguro. O "barato" pode acabar saindo muito, mas muito mais caro do que pagar por softwares licenciados. Visto que uma multa aplicada por processos judiciais de clientes afetados através da LGPD não é nada barato, sem dizer dos riscos de se ter o banco de dados principal invadido.

Mantenha-se seguro e um grande abraço!

Documentação formal do CVE na Mitre: MeuGithub

CVE ID: CVE-2022-30496.

Tag

#ios