Zoho Releases Security Advisory for ManageEngine Desktop Central and Desktop Central MSP

Original release date: December 6, 2021

Zoho has released a security advisory to address an authentication bypass vulnerability in ManageEngine Desktop Central and Desktop Central MSP. An attacker could exploit this vulnerability to take control of an affected system. According to Zoho, this vulnerability is being actively exploited in the wild.

CISA encourages users and administrators to review the Zoho Vulnerability Notification and the Zoho ManageEngine Desktop Central and  ManageEngine Desktop Central MSP security advisories and apply the recommended mitigations immediately.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases Security Advisory on WebHMI Vulnerabilities

Original release date: December 6, 2021

CISA has released an Industrial Controls Systems (ICS) advisory detailing vulnerabilities in Distributed Data Systems WebHMI products. A remote attacker could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review ICS advisory ICSA-21-336-03 Distributed Data Systems WebHMI for more information and apply the necessary mitigations. 

This product is provided subject to this Notification and this Privacy & Use policy.

CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus

Original release date: December 2, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory identifying active exploitation of a vulnerability—CVE-2021-44077—in Zoho ManageEngine ServiceDesk Plus. CVE-2021-44077 is an unauthenticated remote code execution vulnerability that affects all ServiceDesk Plus versions up to, and including, version 11305. 

This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide.

CISA encourages organizations to review the joint Cybersecurity Advisory and apply the recommended mitigations immediately.

This product is provided subject to this Notification and this Privacy & Use policy.

NSA and CISA Release Part III of Guidance on Securing 5G Cloud Infrastructures

Original release date: December 2, 2021

CISA has announced the joint National Security Agency (NSA) and CISA publication of the third of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part III: Data Protection examines security during all phases of the data lifecycle—in transit, in use, and at rest. The guidance focuses on protecting the confidentiality, integrity, and availability of data within a 5G cloud infrastructure to protect sensitive information from unauthorized access. This series is being published under the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA.

CISA has also released a set of four 5G educational videos to enhance the awareness and importance of the safe and secure development and deployment of 5G infrastructure. 

CISA encourages 5G providers, integrators, and network operators to review the guidance and consider the recommendations. See CISA’s 5G Security and Resilience webpage for more information. 

This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Network Security Services

Original release date: December 2, 2021

Mozilla has released security updates to address a vulnerability in Network Security Services (NSS).  An attacker could exploit this vulnerability to take control of an affected system.  

CISA encourages users and administrators to review the Mozilla Security Advisory for NSS and apply the necessary update. 

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Adds Five Known Exploited Vulnerabilities to Catalog

Original release date: December 1, 2021

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

CVE Number  CVE Title Remediation Due Date
CVE-2020-11261 Qualcomm Multiple Chipsets Improper Input Validation Vulnerability 06/01/2022
CVE-2018-14847 MikroTik Router OS Directory Traversal Vulnerability 06/01/2022
CVE-2021-37415 Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability 12/15/2021
CVE-2021-40438 Apache HTTP Server-Side Request Forgery (SSRF)  12/15/2021
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution 12/15/2021

 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the specified criteria

This product is provided subject to this Notification and this Privacy & Use policy.