Cisco Releases Security Updates for Multiple Products

Original release date: November 3, 2022

Cisco has released security updates for vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

CISA encourages users and administrators to review the advisories and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Update for Xcode

Original release date: November 3, 2022

Apple has released a security update to address vulnerabilities in Xcode. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security page for Xcode 14.1 and apply the necessary update.


CISA Releases Three Industrial Control Systems Advisories

Original release date: November 3, 2022

CISA has released three (3) Industrial Control Systems (ICS) advisories on November 3, 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:

• ICSA-22-307-01 ETIC RAS
• ICSA-22-307-02 Nokia ASIK 5G AirScale System Module
• ICSA-22-307-03 Delta Industrial Automation DIALink


OpenSSL Releases Security Update

Original release date: November 1, 2022

OpenSSL has released a security advisory to address two vulnerabilities, CVE-2022-3602 and CVE-2022-3786, affecting OpenSSL versions 3.0.0 through 3.0.6.

Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service. According to OpenSSL, a cyber threat actor leveraging CVE-2022-3786, “can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution,” allowing them to take control of an affected system.

CISA encourages users and administrators to review the OpenSSL advisory, blog, and OpenSSL 3.0.7 announcement, and to upgrade to OpenSSL 3.0.7. For additional information on affected products, see the 2022 OpenSSL vulnerability – CVE-2022-3602 GitHub repository, jointly maintained by the Netherlands’ National Cyber Security Centrum (NCSC-NL) and CISA.
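As an added illustration (not part of the CISA alert or OpenSSL's own tooling), the following check classifies the output of `openssl version` against the affected range named above (3.0.0 through 3.0.6, fixed in 3.0.7); the function names and sample version strings are assumptions.

```python
import re
import ssl

# Range taken from the advisory: 3.0.0 through 3.0.6 affected, 3.0.7 fixed.
# The 1.1.1 and older series are not in scope of CVE-2022-3602 / CVE-2022-3786.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)


def parse_openssl_version(output: str) -> tuple:
    """Parse `openssl version` output such as 'OpenSSL 3.0.2 15 Mar 2022'
    into a (major, minor, patch) tuple. Raises ValueError on unknown text."""
    m = re.search(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised openssl version output: {output!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(output: str) -> bool:
    """True when the reported version falls in [3.0.0, 3.0.7).

    Caveat: distributions often backport fixes without bumping the version
    string, so a 'True' here means 'check the package changelog', not
    'definitely vulnerable'."""
    version = parse_openssl_version(output)
    return AFFECTED_MIN <= version < FIXED


def check_local_python_ssl() -> bool:
    """Check the OpenSSL that this Python interpreter's ssl module links against.
    Note this may differ from the system `openssl` binary."""
    return is_affected(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    samples = [
        "OpenSSL 3.0.2 15 Mar 2022",   # affected range
        "OpenSSL 3.0.7 1 Nov 2022",    # fixed release
        "OpenSSL 1.1.1n  15 Mar 2022", # different series, not affected
    ]
    for s in samples:
        print(f"{s!r}: {'AFFECTED' if is_affected(s) else 'not affected'}")
    print("python ssl module:", ssl.OPENSSL_VERSION,
          "AFFECTED" if check_local_python_ssl() else "not affected")
```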


CISA Upgrades to TLP 2.0

Original release date: November 1, 2022

Today, CISA officially upgraded to Traffic Light Protocol (TLP) 2.0, which facilitates greater information sharing and collaboration. CISA made this upgrade in accordance with the recommendation from the Forum of Incident Response and Security Teams to upgrade to TLP 2.0 by January 2023.

Key TLP 2.0 updates:

• TLP 2.0 changes TLP:WHITE to TLP:CLEAR.
• TLP 2.0 adds the designation TLP:AMBER+STRICT, which instructs the recipient to keep the information strictly within their organization only.

Note: CISA’s Automated Indicator Sharing (AIS) capability will not update from TLP 1.0 to TLP 2.0 until March 2023. This exception includes AIS’s use of the following open standards: the Structured Threat Information Expression (STIX™) for cyber threat indicators and defensive measures information and the Trusted Automated Exchange of Intelligence Information (TAXII™) for machine-to-machine communications.

CISA encourages all individuals and organizations in the cybersecurity community to adopt TLP 2.0. For more information, see CISA’s TLP webpage, www.cisa.gov/tlp, and FIRST’s TLP webpage, https://www.first.org/tlp/.


CISA Releases One Industrial Control Systems Advisory

Original release date: November 1, 2022

CISA released one Industrial Control Systems (ICS) advisory on November 1, 2022. This advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations:
