CISA and NSA Release Guidance on Selecting and Hardening VPNs

Original release date: September 28, 2021

The National Security Agency (NSA) and CISA have released the cybersecurity information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs). Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors.

Exploitation of these devices can enable:

  • Credential harvesting
  • Remote code execution on the VPN device
  • Cryptographic weakening of encrypted traffic sessions
  • Hijacking of encrypted traffic sessions
  • Arbitrary reads of sensitive data (e.g., configurations, credentials, keys) from the device

The information sheet helps organizations select standards-based (rather than proprietary) VPN solutions and provides hardening guidance to prevent compromise and respond to attacks.

CISA encourages organizations to review and adopt recommendations in the information sheet to reduce risk.

This product is provided subject to this Notification and this Privacy & Use policy.

RCE Vulnerability in Hikvision Cameras (CVE-2021-36260)

Original release date: September 28, 2021

Hikvision has released updates to mitigate a command injection vulnerability—CVE-2021-36260—in Hikvision cameras that use a web server service. A remote attacker could exploit this vulnerability to take control of an affected device.
 
CISA encourages users and administrators to review Hikvision’s Security Advisory HSRC-202109-01 and apply the latest firmware updates. See security researcher Watchful IP’s technical blogpost for more information.


VMware vCenter Server Vulnerability CVE-2021-22005 Under Active Exploit

Original release date: September 24, 2021

On September 21, 2021, VMware disclosed that its vCenter Server is affected by an arbitrary file upload vulnerability—CVE-2021-22005—in the Analytics service. A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on vCenter Server.

On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.

To mitigate CVE-2021-22005, CISA strongly urges critical infrastructure entities and other organizations with affected vCenter Server versions to take the following actions.


Google Releases Security Updates for Chrome

Original release date: September 24, 2021

Google has released Chrome version 94.0.4606.61 for Windows, Mac, and Linux. This version addresses a vulnerability—CVE-2021-37973—that an attacker could exploit to take control of an affected system. An exploit for this vulnerability exists in the wild.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary update as soon as possible.


Apple Releases Security Updates

Original release date: September 23, 2021

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities have been detected in exploits in the wild.

CISA encourages users and administrators to review the Apple security page for iOS 12.5.5 and Security Update 2021-006 Catalina and apply the necessary updates as soon as possible.


CISA Releases Guidance: IPv6 Considerations for TIC 3.0

Original release date: September 23, 2021

The federal government has prioritized the transition of federal networks to Internet Protocol version 6 (IPv6) since the release of Office of Management and Budget (OMB) Memorandum 05-22 in 2005. In 2020, OMB renewed its focus on IPv6 through the publication of OMB Memorandum 21-07. That memorandum specifically entrusts CISA with enhancing the Trusted Internet Connections (TIC) program to fully support the implementation of IPv6 in federal IT systems. 

In accordance with this OMB mandate, CISA has issued IPv6 Considerations for TIC 3.0 to provide federal agencies with guidance to help them use IPv6 to secure their networks by:

  • Providing IPv6 protocol information to enable a general understanding,
  • Informing agencies of their responsibilities concerning OMB M-21-07,
  • Aligning TIC 3.0 security objectives and security capabilities with IPv6, and
  • Offering awareness and guidance regarding IPv6 security considerations.

CISA encourages IT decision-makers and administrators in all federal government agencies and organizations to review IPv6 Considerations for TIC 3.0 to facilitate advancing IPv6 networks and ensuring future growth and innovation in internet services and technology.


Cisco Releases Security Updates for Multiple Products

Original release date: September 23, 2021

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Cisco Security Advisories page and apply the necessary updates.


CISA, FBI, and NSA Release Joint Cybersecurity Advisory on Conti Ransomware 

Original release date: September 22, 2021

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) alerting organizations of increased Conti ransomware attacks. Malicious cyber actors use Conti ransomware to steal sensitive files from domestic and international organizations, encrypt the targeted organizations’ servers and workstations, and demand a ransom payment from the victims.

CISA, FBI, and NSA encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in the joint CSA, which include:  

  • Updating your operating system and software, 
  • Requiring multi-factor authentication, and  
  • Implementing network segmentation.

Additionally, review the U.S. government resource StopRansomware.gov for more guidance on ransomware protection, detection, and response.


Google Releases Security Updates for Chrome

Original release date: September 22, 2021

Google has released Chrome version 94.0.4606.54 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.


NETGEAR Releases Security Updates for RCE Vulnerability

Original release date: September 21, 2021

NETGEAR has released security updates to address a remote code execution vulnerability—CVE-2021-40847—in multiple NETGEAR routers. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review NETGEAR’s Security Advisory and update to the latest firmware. Given the increase in telework, CISA recommends that CISOs consider the risk that these vulnerabilities present to business networks. Review CISA’s Tip on Home Network Security for more information.
