GoCD Authentication Vulnerability

Original release date: October 29, 2021

GoCD has released a security update to address a critical authentication vulnerability in GoCD versions 20.6.0 through 21.2.0. GoCD is an open-source Continuous Integration and Continuous Delivery system. A remote attacker could exploit this vulnerability to obtain sensitive information.

CISA encourages users and administrators to update to GoCD 21.3.0 or apply the necessary workarounds.

For more information, see Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD.

This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome

Original release date: October 29, 2021

Google has released Chrome version 95.0.4638.69 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. Some of these vulnerabilities have been detected in exploits in the wild.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary update as soon as possible.

This product is provided subject to this Notification and this Privacy & Use policy.

NSA-CISA Series on Securing 5G Cloud Infrastructures

Original release date: October 28, 2021

The National Security Agency (NSA) and CISA have published the first of a four-part series, Security Guidance for 5G Cloud Infrastructures. Security Guidance for 5G Cloud Infrastructures – Part I: Prevent and Detect Lateral Movement provides recommendations for mitigating lateral movement attempts by threat actors who have gained initial access to cloud infrastructures. 

This guidance has been created by the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework Working Group—a public-private working group that provides cybersecurity guidance addressing high-priority cyber threats to the nation’s critical infrastructure. 

CISA encourages 5G providers, integrators, and network operators to review the guidance and consider the recommendations.

This product is provided subject to this Notification and this Privacy & Use policy.

ISC Releases Security Advisory for BIND

Original release date: October 28, 2021

The Internet Systems Consortium (ISC) has released a security advisory that addresses a vulnerability affecting multiple versions of the ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit this vulnerability to cause a denial-of-service condition.

CISA encourages users and administrators to review the ISC advisory for CVE-2021-25219 and apply the necessary updates or workaround.

This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Multiple Products

Original release date: October 28, 2021

Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisory

CISA encourages users and administrators to review the Cisco advisory and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

2021 CWE Most Important Hardware Weaknesses

Original release date: October 28, 2021

The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses List. The 2021 Hardware List is a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in hardware. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.
 
CISA encourages users and administrators to review the Hardware Weaknesses List and evaluate recommended mitigations to determine those most suitable to adopt.

This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates for Multiple Products

Original release date: October 27, 2021

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Multiple Products

Original release date: October 27, 2021

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

FBI Releases Indicators of Compromise Associated with Ranzy Locker Ransomware

Original release date: October 27, 2021

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks using Ranzy Locker, a ransomware variant first identified targeting victims in the United States in late 2020.

CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000153-MW and apply the recommend mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

NOBELIUM Attacks on Cloud Services and other Technologies

Original release date: October 25, 2021

Microsoft has released a blog on NOBELIUM attacks on cloud services and other technologies. CISA urges users and administrators to review [NOBELIUM targeting delegated administrative privileges to facilitate broader attacks] and apply the necessary mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.