Red Hat Security Advisory 2024-1856-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1856.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1856-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1856Issue date:         2024-04-16Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1856-03

A native-first approach delivers better protections and a more efficient use of resources than best-of-breed solutions, benefiting cloud service providers and end-user customers alike.

Source: Rasi Bhadramani via Alamy Stock Photo

As companies increasingly migrate to public cloud platforms like Microsoft Azure, Amazon Web Services (AWS), and Google Cloud, many are opting to lift and shift their existing security toolsets in the process. Today, the average company deploys as many as 76 disparate security tools. This is commonly known as a best-of-breed approach.

However, the problem with a best-of-breed model is that it creates security and efficiency gaps for cloud workloads. Because third-party cloud security solutions rely on the visibility provided by the cloud service provider's (CSP) application programming interface (API), each one comes with its own unique set of limitations and blind spots. This makes it difficult for security engineers and analysts to accurately and efficiently triage and remediate threats.

By contrast, a native-first cloud security approach deploys seamlessly integrated first-party security solutions to drive greater cost and resource efficiencies, as well as increase overall security resiliency. Here are three reasons to prioritize a native-first approach over best-of-breed.

**Reduce Your Attack Surface**

One key argument for implementing a native-first cloud security approach over best-of-breed is that relying on multiple third-party security solutions can inadvertently expand an organization's attack surface. Each new tool introduces its own set of configurations, APIs, and potential vulnerabilities. If not properly managed, third-party tools can create additional opportunities for attackers to exploit weaknesses in the security infrastructure. In fact, cloud misconfigurations were responsible for 80% of data security breaches in 2023.

On the other hand, a native-first cloud security approach relies on first-party solutions and doesn't require any changes to the customer's cloud environment. That minimizes the risk of introducing additional weaknesses.

**Eliminate Security Blind Spots**

Another core benefit of a native-first cloud security model is that it eliminates the blind spots often seen with best-of-breed solutions. Third-party solutions often struggle to integrate with one another or with the specific cloud platform being used, which can lead to gaps in visibility and coordination — making it difficult to have a unified view of the security landscape. And because public cloud environments often rely on a variety of interconnected services and APIs, organizations run the risk of missing potential threats or vulnerabilities if their best-of-breed security tools are not designed to work seamlessly with these cloud-native services.

A native-first approach eliminates this issue because all of the CSP solutions are already designed to work together seamlessly. For example, a cloud container workload protection plan that natively integrates with Azure Kubernetes Services (AKS) and Azure Container Repository (ACR) would not require any changes to the protection plan when changes are made to the container-based solution. Similarly, a cloud-native application protection platform (CNAPP) integrating with Microsoft threat intelligence can ensure security teams can respond to security incidents in real time.

**Drive Greater Team Efficiencies**

Finally, taking a best-of-breed approach means that security teams are responsible for managing multiple security solutions from different vendors. This is complex and resource-intensive, requiring teams to understand the various interfaces, policies, and update schedules, while also managing crucial security configurations and responding promptly to emerging threats. Running multiple security tools concurrently can also lead to redundant system resources. This redundancy affects the overall performance of the cloud environment and increases operational costs without necessarily improving security effectiveness.

Under a native-first model, security teams only need to understand their CSP's services — thus cutting down on the initial learning curve required since the native solutions leverage other native services, such as dashboards and responses. Many CSPs are also designed to ensure the efficient use of customers' cloud resources, with much of the heavy lifting done within the CSP's control plane. 

Ultimately, a native-first cloud security approach delivers better protections and a more efficient use of resources than best-of-breed third-party solutions. And because CSPs are used to serving a wide range of customers and use cases, they can often offer more flexibility, innovation, and specialized security expertise than third-party vendors. By exploring available native-first security solutions to see what makes the most sense for their environments, organizations can take the first step toward a more secure and more efficient cloud-based future.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Why a Native-First Approach Is Key to Cloud Security

By Uzair Amir
Discover how omnichannel campaign management helps businesses thrive in 2024. Learn the benefits & unlock the secrets to success in today's tech-driven market.
This is a post from HackRead.com Read the original post: The Future of Business Communications: Trends Shaping the Industry

Keeping up with technology trends, especially focusing on effective business communication with your customers across all platforms, is crucial for your company’s success. Trends in 2024 include integrating omnichannel campaign management solutions to make business communications as effective and efficient as possible.

Integration testing services play a critical role in this context. They ensure that the various components of omnichannel platforms work together flawlessly, providing a consistent and reliable customer experience across all channels.

We will explore the following topics: what makes a successful business, the importance of knowing technology trends, and how a business can benefit from an omnichannel campaign management platform.

****What makes a successful business?********Provides high-quality products and services****

A successful business provides quality products and services that meet or exceed the customers’ expectations to build customers’ trust and loyalty.

****Enhances customer experience through omnichannel campaign management strategy****

A good, successful business provides an exceptional, quality customer experience. To grow your business, continue beyond closing a sale. The goal should be to satisfy customers with the products and services you provide and to consistently stay responsive in communicating with your customers to ensure their happiness with their purchase or subscription.

This includes knowing how else you can make customers happy by turning them into repeat buyers and by receiving positive feedback, recommendations, and referrals from them due to your high-quality customer service.

****Focuses on customers’ needs****

A successful business understands what its customers need, and its goal is to consistently deliver these needs and preferences to ensure customer retention and satisfaction.

****Innovates and adapts to current trends in technology****

To thrive, a business should innovate and adapt to current trends in technology to stay relevant, capitalize on emerging opportunities, and gain an advantage over existing competitors.

****The importance of knowing the trends in Technology****

Staying abreast with the latest trends in technology in business communications is crucial for the following reasons:

****It sustains competitiveness****

Keeping up with technological advancements guarantees that your business stays competitive in the market. Embracing innovative communication tools and tactics enables you to stay aligned with industry norms and fulfil customer demands, giving you a competitive advantage over rivals who may be slower to adopt new technologies.

****It enhances customer experience****

Trends in technology significantly influence customer experiences. By utilizing cutting-edge communication tools and platforms, businesses can offer smooth, tailored interactions across various channels. This elevates customer satisfaction, nurtures loyalty, and boosts the probability of repeat purchases and favourable recommendations.

****It improves productivity and efficiency****

Incorporating cutting-edge technology into business communications streamlines operations automates tasks, and boosts overall efficiency and productivity. Advanced collaboration platforms, AI-driven chatbots, and cloud-based communication solutions expedite decision-making, streamline workflows, and reduce turnaround times.

****It reduces the risks****

Neglecting technological trends in business communications can leave businesses vulnerable to risks. Outdated systems are susceptible to security breaches, compliance issues, and operational inefficiencies. Keeping up with the latest technologies allows businesses to anticipate and address potential risks, protect sensitive information, and stay ahead in an ever-changing digital environment.

****It adjusts to evolving consumer behaviour****

Adapting to changes in consumer behaviour enables businesses to tailor their communication strategies accordingly. Whether it involves embracing social media marketing, enhancing mobile experiences, or incorporating voice assistants, staying updated allows businesses to connect with customers where they are and effectively engage with them.

****How a business can benefit from an omnichannel campaign managing platform********Increase in customer engagement and loyalty****

An omnichannel campaign management platform enables businesses to interact with customers through various channels, including email, SMS, social media, etc., ultimately resulting in higher engagement and loyalty.

****Improved targeting and segmentation**    **

Enhanced targeting and segmentation enable businesses to customize marketing campaigns for specific customer segments, considering demographics, behaviour, and preferences. This yields more relevant and effective communication, ultimately driving higher conversion rates and ROI.

****Streamlined campaign management****

It offers businesses a centralized platform for planning, executing, and analyzing marketing campaigns across various channels, simplifying the management process, minimizing manual tasks, and enhancing overall efficiency.

****Seamlessly integrates with existing CRM, email marketing, and other business systems****

This seamless integration guarantees data coherence and enables personalized communication across different channels.

****Achieve a competitive advantage****

By utilizing an omnichannel campaign management platform, businesses can achieve a competitive advantage by delivering exceptional customer experiences, boosting revenue, and distinguishing themselves from rivals using conventional marketing approaches.

****Conclusion****

Staying updated with technology trends in business communications is essential for maintaining competitiveness and achieving success. One way to do this is to leverage omnichannel campaign management platforms. These platforms boost customer engagement, simplify campaign management, and seamlessly integrate with current systems, offering businesses a competitive edge.

****_RELATED ARTICLES_****

1.  How Cross-Chain DEXes Democratize the Crypto Market?
2.  Understanding Software Supply Chain and How to Secure It
3.  Digital Transformation in Financial Industry – Role of Fintech
4.  15 Best SaaS SEO Experts That Will Help You Dominate Online
5.  Zerocopter Debuts First Hacker-Led Cybersecurity Marketplace

The Future of Business Communications: Trends Shaping the Industry

Ubuntu Security Notice 6733-1 - It was discovered that GnuTLS had a timing side-channel when performing certain ECDSA operations. A remote attacker could possibly use this issue to recover sensitive information. It was discovered that GnuTLS incorrectly handled verifying certain PEM bundles. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.10.

==========================================================================  
Ubuntu Security Notice USN-6733-1  
April 15, 2024

gnutls28 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in GnuTLS.

Software Description:  
- gnutls28: GNU TLS library

Details:

It was discovered that GnuTLS had a timing side-channel when performing  
certain ECDSA operations. A remote attacker could possibly use this issue  
to recover sensitive information. (CVE-2024-28834)

It was discovered that GnuTLS incorrectly handled verifying certain PEM  
bundles. A remote attacker could possibly use this issue to cause GnuTLS to  
crash, resulting in a denial of service. This issue only affected Ubuntu  
22.04 LTS and Ubuntu 23.10. (CVE-2024-28835)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   libgnutls30                     3.8.1-4ubuntu1.3

Ubuntu 22.04 LTS:  
   libgnutls30                     3.7.3-4ubuntu1.5

Ubuntu 20.04 LTS:  
   libgnutls30                     3.6.13-2ubuntu1.11

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6733-1  
   CVE-2024-28834, CVE-2024-28835

Package Information:  
   https://launchpad.net/ubuntu/+source/gnutls28/3.8.1-4ubuntu1.3  
   https://launchpad.net/ubuntu/+source/gnutls28/3.7.3-4ubuntu1.5  
   https://launchpad.net/ubuntu/+source/gnutls28/3.6.13-2ubuntu1.11

Ubuntu Security Notice USN-6733-1

This Metasploit exploit module leverages an improperly controlled modification of dynamically-determined object attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1. It is possible to set some user's session properties by sending an HTTP request with specially crafted Header key-value pairs. This enables an unauthenticated attacker to access files anywhere on the server file system and steal the session cookies of valid authenticated users. The attack consists in hijacking a user's session and escalates privileges to obtain full control of the target. Remote code execution is obtained by abusing the dynamic SQL driver loading and configuration testing feature.

CrushFTP Remote Code Execution

Debian Linux Security Advisory 5659-1 - Bartek Nowotarski discovered that Apache Traffic Server, a reverse and forward proxy server, was susceptible to denial of service via HTTP2 continuation frames.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5659-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 14, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : trafficserverCVE ID         : CVE-2024-31309Bartek Nowotarski discovered that Apache Traffic Server, a reverse andforward proxy server, was susceptible to denial of service via HTTP2continuation frames.For the oldstable distribution (bullseye), this problem has been fixedin version 8.1.10+ds-1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 9.2.4+ds-0+deb12u1.We recommend that you upgrade your trafficserver packages.For the detailed security status of trafficserver please refer toits security tracker page at:https://security-tracker.debian.org/tracker/trafficserverFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYcGbUACgkQEMKTtsN8TjZEQw//YeLDMyZ2KnFxSaZbRAv/UkFNmOsYEwNtYn7xDTdogl3jRWNgqye4wwK2IHB9H4r3n91yBEmQ8CeRTMk07/VI1salyaXHPy5lCK+FuBEp4g5pWT6aCAb6z1KWxfD7AUzFbnLOvLCINvNcnDrYQAn+qaVUxXaD4ArvzjFEfw+AMDNCEnRsiQs83lPzDr5Bm48WYK9MAJteuDoFbWYHjcpyY0ZNxj7VtZP6cSKBqDXcPOjaUZysJjDX3cXqCHEioz3X35SJa+GckVD90h7wzDSHZSaDflUVLc4wwZ5ZNZkzOBKwCvurh52f79hVVjRjlO9UzY+VNuBOqtgP8nX9ByTNDkcsa7Rojgv56km58OIheALPoDHJiTpEWt2CPhxwV3oFYNQzBu2akbCdW+s+ir8p4uS4BxK6B6gz+lfnFuQ+L1MIJtlSDoPu08IYf79aYJKMA33+hXL1rjCggWu1EfofQpQMB/yJkxK/dN4A2xKI91XJshIUPQAcScjDHYnomfBAPzcbiRlYgjJS9WXR7gckX5fKjR9MPOD4t9vaGpy+wMARAFNRxCVBnl/QLsRkpwoAznbqGknXtWsbqNjhkRaLIpLG29YS6gBD4c4D8Q5WKgU7hNC+m4ZZK49u495fwFbQi2nVzn3boCTNIeJDvqrZ0pRePIl97zjzyhxg8PFrgLA==XO+d-----END PGP SIGNATURE-----

Debian Security Advisory 5659-1

Red Hat Security Advisory 2024-1804-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1804.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1804-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1804Issue date:         2024-04-15Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es):* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917https://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1804-03

Red Hat Security Advisory 2024-1802-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1802.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1802-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1802Issue date:         2024-04-15Revision:           03CVE Names:          CVE-2024-1488====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1488References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1802-03

Red Hat Security Advisory 2024-1801-03 - An update for unbound is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1801.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1801-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1801Issue date:         2024-04-15Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es):* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917https://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1801-03

Microsoft has stumbled through a series of major cybersecurity failures over the past few years. Experts say the US government’s reliance on its systems means the company continues to get a free pass.

When Microsoft revealed in January that foreign government hackers had once again breached its systems, the news prompted another round of recriminations about the security posture of the world’s largest tech company.

Despite the angst among policymakers, security experts, and competitors, Microsoft faced no consequences for its latest embarrassing failure. The United States government kept buying and using Microsoft products, and senior officials refused to publicly rebuke the tech giant. It was another reminder of how insulated Microsoft has become from virtually any government accountability, even as the Biden administration vows to make powerful tech firms take more responsibility for America’s cyberdefense.

That state of affairs is unlikely to change even in the wake of a new report by the Cyber Safety Review Board (CSRB), a group of government and industry experts, which lambasts Microsoft for failing to prevent one of the worst hacking incidents in the company’s recent history. The report says Microsoft’s “security culture was inadequate and requires an overhaul.”

Microsoft’s almost untouchable position is the result of several intermingling factors. It is by far the US government’s most important technology supplier, powering computers, document drafting, and email conversations everywhere from the Pentagon to the State Department to the FBI. It is a critical partner in the government’s cyberdefense initiatives, with almost unparalleled insights about hackers’ activities and sweeping capabilities to disrupt their operations. And its executives and lobbyists have relentlessly marketed the company as a leading force for a digitally safer world.

These enviable advantages help explain why senior government officials have refused to criticize Microsoft even as Russian and Chinese government-linked hackers have repeatedly breached the company’s computer systems, according to cybersecurity experts, lawmakers, former government officials, and employees of Microsoft’s competitors.

These people—some of whom requested anonymity to candidly discuss the US government and their industry’s undisputed behemoth—argue that the government’s relationship with Microsoft is crippling Washington’s ability to fend off major cyberattacks that jeopardize sensitive data and threaten vital services. To hear them tell it, Microsoft is overdue for oversight.

**A History of Breaches and Controversy**

Microsoft has a long track record of security breaches, but the past few years have been particularly bad for the company.

In 2021, Chinese government hackers discovered and used flaws in Microsoft’s email servers to hack the company’s customers, later releasing the flaws publicly to spark a feeding frenzy of attacks. In 2023, China broke into the email accounts of 22 federal agencies, spying on senior State Department officials and Commerce Secretary Gina Raimondo ahead of multiple US delegation trips to Beijing. Three months ago, Microsoft revealed that Russian government hackers had used a simple trick to access the emails of some Microsoft senior executives, cyber experts, and lawyers. Last month, the company said that attack also compromised some of its source code and “secrets” shared between employees and customers. On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that those customers included federal agencies, and issued an emergency directive warning agencies whose emails were exposed to look for signs that the Russian hackers were attempting to use login credentials contained in those emails.

These incidents occurred as security experts were increasingly criticizing Microsoft for failing to promptly and adequately fix flaws in its products. As by far the biggest technology provider for the US government, Microsoft vulnerabilities account for the lion’s share of both newly discovered and most widely used software flaws. Many experts say Microsoft is refusing to make the necessary cybersecurity improvements to keep up with evolving challenges.

Microsoft hasn’t “adapted their level of security investment and their mindset to fit the threat,” says one prominent cyber policy expert. “It’s a huge fuckup by somebody that has the resources and the internal engineering capacity that Microsoft does.”

The Department of Homeland Security’s CSRB endorsed this view in its new report on the 2023 Chinese intrusion, saying Microsoft exhibited “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.” The report also criticized Microsoft for publishing inaccurate information about the possible causes of the latest Chinese intrusion.

The recent breaches reveal Microsoft’s failure to implement basic security defenses, according to multiple experts.

Adam Meyers, senior vice president of intelligence at the security firm CrowdStrike, points to the Russians’ ability to jump from a testing environment to a production environment. “That should never happen,” he says. Another cyber expert who works at a Microsoft competitor highlighted China’s ability to snoop on multiple agencies’ communications through one intrusion, echoing the CSRB report, which criticized Microsoft’s authentication system for allowing broad access with a single sign-in key.

“You don't hear about these types of breaches coming out of other cloud service providers,” Meyers says.

According to the CSRB report, Microsoft has “not sufficiently prioritized rearchitecting its legacy infrastructure to address the current threat landscape.”

In response to written questions, Microsoft tells WIRED that it’s aggressively improving its security to address recent incidents.

“We are committed to adapting to the evolving threat landscape and partnering across industry and government to defend against these growing and sophisticated global threats,” says Steve Faehl, chief technology officer for Microsoft’s federal security business.

As part of its Secure Future Initiative launched in November, Faehl says, Microsoft has improved its ability to automatically detect and block abuses of employee accounts, begun scanning for more types of sensitive information in network traffic, reduced the access granted by individual authentication keys, and created new authorization requirements for employees seeking to create company accounts.

Microsoft has also redeployed “thousands of engineers” to improve its products and has begun convening senior executives for status updates at least twice weekly, Faehl says.

The new initiative represents Microsoft’s “roadmap and commitments to answer much of what the CSRB report called out as priorities,” Faehl says. Still, Microsoft does not accept that its security culture is broken, as the CSRB report argues. “We very much disagree with this characterization,” Faehl says, “though we do agree that we haven’t been perfect and have work to do.”

**A Security Revenue ‘Addiction’**

Microsoft has earned special enmity from the cybersecurity community for charging its customers extra for better security protections like threat monitoring, antivirus, and user access management. In January 2023, the company touted that its security division had passed $20 billion in annual revenue.

“Microsoft has shifted to looking at cybersecurity as something that's meant to generate revenue for them,” says Juan Andrés Guerrero-Saade, associate vice president of research at security firm SentinelOne. His colleague Alex Stamos recently wrote that Microsoft’s “addiction” to this revenue “has seriously warped their product design decisions.”

These tensions exploded into the open in early 2021, as Congress and the new Biden administration scrambled to understand Russia’s far-reaching SolarWinds hacking campaign.

After breaching government networks through SolarWinds software, Moscow’s operatives fooled Microsoft’s cloud platform into granting them expansive access. Because most agencies weren’t paying for Microsoft’s premium service tier, they didn’t have the network activity logs necessary to detect these intrusions. Lawmakers were outraged that Microsoft was charging the government extra for such a basic feature, and Biden administration officials spent the next two and a half years privately urging Microsoft to make log data free for all customers. Microsoft finally agreed to do so last July—eight days after announcing yet another major hack, this one discovered by an agency paying for log data.

Microsoft won’t say if it plans to make other premium security features free for all of its customers. “We continue to raise the built-in security of our products and services to benefit customers,” Faehl says.

Asked about experts’ arguments that Microsoft’s strategy of profiting off of cybersecurity is incompatible with a security-first mindset, Faehl says, “We would disagree with that characterization.”

**A System That’s Everywhere**

Microsoft’s dominance has prompted concerns that it represents a single point of failure, concentrating America’s technology dependence in such a way that hackers could easily sabotage essential services by targeting one company’s products.

Few services better illustrate the government’s overwhelming dependence on Microsoft—and an area where some experts say a more diversified approach would be safer—than email. A former US cybersecurity official who works at one of Microsoft’s competitors predicts that an attack crippling Microsoft’s email platform would significantly reduce the government’s ability to operate.

Warnings about a Microsoft “monoculture” date back two decades, but the idea is now attracting new attention from policymakers.

“The US government’s dependence on Microsoft poses a serious threat to US national security,” says US senator Ron Wyden. “The government is effectively stuck with the company’s products, despite multiple serious breaches of US government systems by foreign hackers caused by the company’s negligence.”

Last Monday, Wyden announced draft legislation that would set a four-year deadline for the federal government to stop buying collaboration technology like Microsoft Office that critics say doesn’t integrate well with competing services.

Reducing the government’s reliance on a single vendor wouldn’t just benefit the government, experts say. It would also spread the attack risk across more companies, taking some of the pressure off of Microsoft to protect such a vast portfolio of systems. The giant target on Microsoft’s back makes it a magnet for cybercriminals and government hackers, which helps explain its outsize number of breaches.

The government’s reliance on Microsoft also entrenches a sense of familiarity with its products that cements its places in federal networks. While some agencies are exploring alternatives to Microsoft, most of them are sticking with what they know—largely because it’s easier than switching to an alternative platform, the former cyber official says.

Microsoft denies making it difficult for customers to switch to or incorporate competitors’ products. “Our competitors often stoke subjective complaints about ‘compatibility,’” Faehl says, but “we hear this more from the vendors of some third-party products” than from customers trying to use them.

Regardless, experts say, the upshot is clear: The government is dependent on Microsoft, robbing it of the leverage needed to push back on the company’s practices.

**Working the Refs**

Microsoft isn’t counting on its market dominance alone to defang government oversight. Since its antitrust battles with the government in the 1990s, the company has crafted a sophisticated public policy strategy that combines earnest calls to protect cyberspace with omnipresent participation in government initiatives.

“Microsoft is by far the slickest operation out there in tech when it comes to these issues,” says Andrew Grotto, a former senior White House cyber official who now leads Stanford University’s Program on Geopolitics, Technology, and Governance and consults for some of Microsoft’s competitors. “They learned this lesson 25 years ago and have been applying it ever since.”

Microsoft’s threat intelligence team, which knows more about malicious cyber activity than virtually any other company and most governments, regularly publishes research about cyber threats and collaborates with law enforcement on operations to dismantle hackers’ infrastructure. The company also helps fund groups like the CyberPeace Institute, which advocates for a safer internet and helps defend nongovernment organizations from hackers. And it has positioned itself as a helpful partner to policymakers who want to take on cyber issues but don’t know where to start, sometimes providing lawmakers with draft legislative language.

With its market dominance and political savvy, Microsoft has ensured that officials almost never publicly criticize it, experts say.

“The government's uncomfortable saying bad things about Microsoft because they're fully committed to them,” says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a think tank.

The Biden administration has spoken grandly about wielding the government’s formidable contracting power to force companies to improve their security. But with Microsoft, that leverage is nonexistent, experts say. “There is no realistic chance that the government will wholesale cancel its contracts with Microsoft,” Paul Rosenzweig, a cyber consultant and former DHS policy official, says in an email.

Microsoft disputes this argument. “The idea that the government is too dependent on Microsoft is at odds with reality,” Faehl says.

The government’s lack of leverage means federal officials never use the kind of blunt language found in the CSRB report when discussing Microsoft, even when they insist on speaking to reporters anonymously. The result is a remarkable display of government deference to Microsoft.

After Chinese hackers broke into government email systems and eluded agencies not paying for Microsoft’s premium security features, a senior official at CISA acknowledged that Microsoft’s business model was “not yielding the sort of security outcomes that we seek,” but they declined to directly rebuke Microsoft, instead sticking to talking points about productive conversations with the company.

In fact, despite Microsoft’s yearslong defiance of CISA’s high-profile push for companies to be “secure by design,” CISA has steadfastly refused to criticize Microsoft’s failures. When Microsoft finally bowed to pressure and made logs free last July, CISA director Jen Easterly said she was “extremely pleased with Microsoft’s decision.”

The former cyber official finds the government’s meekness remarkable. “When their own emails are stolen, they don’t seem to push back on the vendor who is the cause of that.”

The White House’s National Security Council declined to comment for this story. In a statement, Eric Goldstein, CISA’s executive assistant director for cybersecurity, says his agency “has a robust partnership with Microsoft and will continue to collaborate in many areas,” while also continuing to “impress upon all technology companies the urgency of developing products that are secure by design so that consumers can trust the safety and integrity of the technology that they use every day.”

Microsoft’s Faehl says his company is “committed to secure by design and secure by default.”

**Forcing Change**

The CSRB report on Microsoft’s cloud breach calls for dramatic changes to the company’s security culture. According to many experts, it’s time for the government to find its spine and compel those changes.

“Big, powerful companies in general don’t change their behavior unless they’re incentivized to do so,” Stanford University’s Grotto says.

The CSRB report recommends tough new requirements for cloud providers like Microsoft, including periodic security reviews after they receive federal contracts. Experts say those requirements could shift corporate incentives in favor of better security.

Microsoft seems to realize that its recent breaches have sparked a public relations crisis. “We expect and welcome fair scrutiny,” says Faehl. “As an industry leader we must be accountable for the security of our products and services.”

At the same time, he says, Microsoft “wouldn’t mind seeing some scrutiny” of its competitors who “seek to sow fear, uncertainty and doubt about our position as a way to seek advantage for their own products.”

Taking on Microsoft would also be a way for the Biden administration to live up to the principles in its National Cybersecurity Strategy, which prioritizes shifting the burden of cybersecurity onto large, well-resourced tech vendors. “They make the point … that this balance needs to shift,” Grotto says. “The question now is, ‘Okay, what does administration do with that diagnosis?’”

There are signs that the administration is heeding this advice. During a briefing with reporters on Thursday about the possibility that Russian operatives stole government secrets through their latest Microsoft hack, Goldstein said that CISA and other agencies are “are working closely with Microsoft, in alignment with the recommendations of the Cyber Safety Review Board, to drive further progress in Microsoft’s improvement plans with their broader security culture and enterprise.”

In the meantime, experts say, the status quo allows Microsoft to shirk responsibility for problems that it is uniquely capable of resolving.

“No harm comes from doing nothing, at least not to these companies,” Guerrero-Saade of SentinelOne says. “And that’s what’s going to destroy us.”

Tag

#ssl