NSA Releases Guidance on Securing Wireless Devices While in Public

Original release date: July 30, 2021

The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the general public. This information sheet provides information on malicious techniques used by cyber actors to target wireless devices and ways to protect against it.

CISA encourages organization leaders, administrators, and users to review NSA’s guidance on Securing Wireless Devices in Public Settings and CISA’s Security Tip on Privacy and Mobile Device Apps for information on protecting devices and data.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Announces Vulnerability Disclosure Policy (VDP) Platform

Original release date: July 30, 2021

CISA has announced the establishment of its Vulnerability Disclosure Policy (VDP) Platform for the federal civilian enterprise, which will allow the Federal Civilian Executive Branch to coordinate with the civilian security research community in a streamlined fashion. The VDP Platform provides a single, centrally managed website that agencies can leverage as the primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers. It enables researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis.

This new platform allows agencies to gain greater insights into potential vulnerabilities, which will improve their cybersecurity posture. This approach also means  agencies no longer need to develop separate systems to enable vulnerability reporting  and triage of identified vulnerabilities, providing government-wide cost savings that CISA estimates at over $10 million.

For more details, see the blog post by CISA’s Executive Assistant Director for Cybersecurity, Eric Goldstein.

This product is provided subject to this Notification and this Privacy & Use policy.

Top Routinely Exploited Vulnerabilities

Original release date: July 28, 2021

CISA, the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) have released the Joint Cybersecurity Advisory Top Routinely Exploited Vulnerabilities, which details the top vulnerabilities routinely exploited by malicious actors in 2020 and those being widely exploited thus far in 2021.   

CISA encourages users and administrators to review the Joint Cybersecurity Advisory for information on assessing and remediating vulnerabilities as quickly as possible to reduce the risk of exploitation.  

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases Security Advisory for Geutebruck Devices

Original release date: July 27, 2021

CISA has released an Industrial Control Systems (ICS) advisory detailing multiple vulnerabilities in multiple Geutebruck G-CAM E2 series devices and Encoder G-Code versions. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the ICS Advisory ICSA-21-208-03 Geutebruck G-Cam E2 and G-Code and apply the necessary updates and workarounds

This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases Guidance for Mitigating PetitPotam NTLM Relay Attacks

Original release date: July 27, 2021

On July 23, Microsoft released KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) to address a NTLM Relay Attack named PetitPotam. CISA encourages users and administrators to review KB5005413 and apply the necessary mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates

Original release date: July 27, 2021

Apple has released security updates to address a vulnerability in multiple products. An attacker could exploit this vulnerability to take control of an affected device.

CISA encourages users and administrators to review the security update page for the following products and apply the necessary updates:

This product is provided subject to this Notification and this Privacy & Use policy.

Drupal Releases Security Updates

Original release date: July 22, 2021

Drupal has released security updates to address a critical third-party-library vulnerability that could affect Drupal 7,  8.9, 9.1, and 9.2. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the Drupal security advisory and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

 Cisco Releases Security Updates

Original release date: July 22, 2021

Cisco has released security updates to address multiple vulnerabilities in Intersight Virtual Appliance. An attacker could exploit these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

CISA encourages users and administrators to review Cisco Advisory cisco-sa-ucsi2-iptaclbp-L8Dzs8m8 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

2021 CWE Top 25 Most Dangerous Software Weaknesses

Original release date: July 21, 2021

The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The Top 25 uses data from the National Vulnerability Database (NVD) to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.

CISA encourages users and administrators to review the Top 25 list and evaluate recommended mitigations to determine those most suitable to adopt.

This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome

Original release date: July 21, 2021

Google has released Chrome version 92.0.4515.107 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.