16 March 2023
Known Vulnerability, CVE-2019-18935, Led to Hacking of Government Agency
Per the CyberScoop article by Christian Vasquez, on 15 March the Cybersecurity and Infrastructure Security Agency released a Joint Cybersecurity Advisory highlighting the use of a deserialization vulnerability (CVE-2019-18935) to infiltrate an agency… from November 2022 until January 2023. The hackers successfully exploited the vulnerability, which allowed for remote code execution. After reading that, did anyone else’s heart jump into their throat besides mine?
What Does That Mean?
A deserialization vulnerability arises when an application deserializes unknown or untrusted data. It can result in attacks such as denial of service (DoS), malicious code execution, bypassing authentication measures, or other abuses of application logic. Deserialization is the process of extracting data from files, networks, or streams and rebuilding it as objects; it is the reverse of serialization, which converts objects into a storable format (e.g., YAML, JSON, or XML).
Remote code execution (RCE) is a class of security vulnerability that allows an attacker to run arbitrary code on a remote machine by connecting to it over a public or private network. RCE is so damaging because it enables an attacker to gain a foothold in your network, escalate privileges once inside, expose sensitive data, and ultimately hold your organizational data for ransom.
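To make the two definitions above concrete, here is an added Python example (not code from the advisory, the article, or the affected product) showing why handing untrusted bytes to a native object deserializer amounts to letting the sender choose which code runs, and what the hardened alternative looks like. The `Harmless` class, `_record` function, and the JSON schema are all constructed for the illustration; the "side effect" is only an entry appended to a list.

```python
"""Added example: untrusted native deserialization versus schema-checked JSON.
Constructed for illustration; nothing here comes from the advisory."""
import json
import pickle

# Constructed audit list: records that a callable ran during unpickling.
SIDE_EFFECTS = []


def _record(tag):
    # Stands in for whatever callable the bytes name; here it just logs.
    SIDE_EFFECTS.append(tag)
    return tag


class Harmless:
    """pickle honours __reduce__, so whoever controls the serialized bytes
    controls which callable (and arguments) pickle.loads() invokes."""

    def __reduce__(self):
        return (_record, ("executed during unpickle",))


def build_untrusted_blob():
    # Simulates bytes arriving from the network (constructed sample input).
    return pickle.dumps(Harmless())


def unsafe_load(blob):
    # The vulnerable pattern: a native object deserializer on untrusted input.
    return pickle.loads(blob)


# Hypothetical schema for the only object shape this endpoint should accept.
SCHEMA = {"id": int, "name": str, "tags": list}


def safe_load(text):
    # Hardened pattern: data-only format, explicit schema, reject the unexpected.
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        raise ValueError("unexpected or missing fields")
    for key, typ in SCHEMA.items():
        # type() rather than isinstance(): JSON true/false must not pass as int.
        if type(data[key]) is not typ:
            raise ValueError(f"bad type for field {key!r}")
    if not all(isinstance(t, str) for t in data["tags"]):
        raise ValueError("tags must be strings")
    return data


def demo():
    """Returns (what ran during unpickle, accepted JSON object, extra-field rejected?)."""
    SIDE_EFFECTS.clear()
    unsafe_load(build_untrusted_blob())
    ran = list(SIDE_EFFECTS)
    good = safe_load('{"id": 7, "name": "report", "tags": ["q1"]}')
    try:
        safe_load('{"id": 7, "name": "report", "tags": ["q1"], "extra": 1}')
        rejected = False
    except ValueError:
        rejected = True
    return ran, good, rejected


if __name__ == "__main__":
    print(demo())
```

The unsafe path never inspects the data before the deserializer acts on it, which is exactly the condition the definition describes; the safe path accepts only a data-only format and checks every field against an allow-list before the application uses it.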
Patch, patch, patch! Patch management, also known as flaw remediation, is as important as (my favorites) configuration management, auditing, and access control. Patch management is the systematic notification, identification, deployment, installation, and verification of revisions to operating system and application software code. An effective patch management program ensures that system and network administrators routinely review vendor sites, bulletins, and notifications (CISA Resources) and proactively update information systems with fixes, patches, definitions, and service packs, or implement vulnerability mitigation strategies. To the maximum extent possible, your organization should employ automated patch management tools on all components to increase the speed and effectiveness of your patch management program.
There are instances where an organization cannot apply patches automatically, which is understandable. However, the business should have, or investigate using, a cloned physical or virtual test environment in which to test patches and work through any challenges before applying them to live networks and systems. If there are challenges, work through them; the risk of not applying a patch can have a massive impact on your business.
In the Joint Cybersecurity Advisory, organizations that may have the vulnerability mentioned above are strongly encouraged to manage vulnerabilities and configurations by:
- Upgrade all instances of Telerik UI for ASP.NET AJAX to the latest version after appropriate testing.
- Prioritize remediation of vulnerabilities of internet-facing systems.
- Implement a patch management solution.
- Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations.
- Validate output from patch management and vulnerability scanning solutions against running services.
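The last bullet is the one most often skipped: the patch tool, the vulnerability scanner, and the inventory of what is actually running are three separate views that drift apart. The following added Python example (not code from the advisory or from any vendor tool) reconciles constructed sample records from all three sources and reports coverage gaps and contradictions. The host names, versions, and the `MIN_FIXED_VERSION` threshold are placeholders; substitute the vendor's fixed version for your product. It generalizes the bullet by taking the CVE identifier as a parameter.

```python
"""Added example: reconcile patch-tool, scanner, and running-service views.
All records below are constructed sample data, not real hosts."""
from dataclasses import dataclass

# PLACEHOLDER: replace with the vendor's fixed version for the product in scope.
MIN_FIXED_VERSION = "9999.9.999"

# Constructed: host -> compliance state reported by the patch management tool.
PATCH_TOOL = {"web-01": "compliant", "web-02": "compliant", "web-03": "non-compliant"}
# Constructed: host -> CVEs the vulnerability scanner reported.
SCANNER = {"web-01": [], "web-02": ["CVE-2019-18935"], "web-04": ["CVE-2019-18935"]}
# Constructed: host -> (service, component version) from a running-service inventory.
RUNNING = {
    "web-01": [("iis-app", "9999.9.999")],
    "web-02": [("iis-app", "2018.1.117")],
    "web-03": [("iis-app", "2018.1.117")],
    "web-04": [("iis-app", "2018.1.117")],
}


def parse_version(text):
    # Dotted numeric versions compare correctly as integer tuples, not as strings.
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def reconcile(patch_tool, scanner, running, cve, min_fixed=MIN_FIXED_VERSION):
    """Cross-check three sources; the running-service inventory is ground truth."""
    findings = []
    floor = parse_version(min_fixed)
    for host in sorted(set(patch_tool) | set(scanner) | set(running)):
        # Coverage gaps: any source that has never heard of the host.
        if host not in patch_tool:
            findings.append(Finding(host, "not enrolled in patch management"))
        if host not in scanner:
            findings.append(Finding(host, "not in scanner scope"))
        if host not in running:
            findings.append(Finding(host, "no running-service inventory"))
        # Contradictions: what is running versus what the tools claim.
        below = [svc for svc, ver in running.get(host, []) if parse_version(ver) < floor]
        if below:
            findings.append(Finding(host, "running below fixed version: " + ", ".join(below)))
            if patch_tool.get(host) == "compliant":
                findings.append(Finding(host, "patch tool reports compliant but vulnerable version running"))
            if host in scanner and cve not in scanner[host]:
                findings.append(Finding(host, f"scanner in scope but did not report {cve}"))
    return findings


def summarize(findings):
    """host -> list of reasons, for a quick triage view."""
    out = {}
    for f in findings:
        out.setdefault(f.host, []).append(f.reason)
    return out


if __name__ == "__main__":
    for host, reasons in summarize(reconcile(PATCH_TOOL, SCANNER, RUNNING, "CVE-2019-18935")).items():
        print(host, "->", "; ".join(reasons))
```

Hosts with no findings are the only ones the three sources agree on; everything else is either a scope gap (a host one tool does not know about) or a contradiction that needs a human to decide which source is wrong.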
Also, by segmenting networks based on function:
- Implement network segmentation to separate network segments based on role and functionality.
- Isolate similar systems and implement micro-segmentation with granular access and policy restrictions.
Contact us if your organization needs support implementing mitigations or other cybersecurity practices. Our team of cyber professionals is prepared to support you.