The Cybersecurity and Infrastructure Security Agency (CISA) issued its July patch advisory on Thursday, highlighting hundreds of critical vulnerabilities discovered in products from Cisco, Oracle, and Ivanti, urging administrators to apply patches immediately.
CISA’s advisory emphasizes at least 10 vulnerabilities in Cisco software, with the most severe identified by the Common Vulnerability Scoring System (CVSS). Among these is a Smart Software Manager On-Prem (SSM On-Prem) Password Change Vulnerability (CVE-2024-20419) with a critical base score of 10.
Additionally, Cisco reported a Secure Email Gateway Arbitrary File Write Vulnerability (CVE-2024-20401) with a critical score of 9.8, both disclosed on July 17th.
Dr. Howard Goodman, Technical Director at Skybox Security, noted that these high-scoring vulnerabilities “highlight the evolving threat landscape and the inadequacy of traditional reactive measures like periodic assessments and patching.”
Cisco’s advisory explains that the SSM On-Prem Password Change vulnerability could allow an unauthenticated, remote attacker to change any user’s password, including administrative users.
This vulnerability is specific to the Secure Email Gateway running Cisco AsyncOS with Content Scanner Tools version earlier than 23.3.0.4823, with file analysis or content filter features enabled and assigned to an incoming mail policy.
The vulnerability in Cisco’s Secure Email Gateway compromises its ability to scan and filter messages properly, allowing an unauthenticated, remote attacker to overwrite arbitrary files on the operating system. This could enable an attacker to “add users with root privileges, modify device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device,” Cisco explained.
Goodman recommends key strategies for mitigating these vulnerabilities, including “conducting continuous vulnerability assessments” and “integrating the latest threat intelligence.” This helps security teams promptly “identify and address” vulnerabilities before they are exploited.
He advises implementing “advanced detection techniques, such as real-time scanless methods,” which provide “immediate insights into emerging threats.” Security teams should prioritize vulnerabilities using metrics to ensure the most critical ones are addressed first, minimizing overall risk. Goodman suggests using tools like the Exploit Prediction Scoring System (EPSS).
Currently, there are no workarounds for either flaw, Cisco noted.
Oracle Discloses 300+ Flaws
Oracle issued its Quarterly Critical Patch Update Advisory for July, encompassing 386 new security patches across its product families.
The Austin, Texas-based company addressed multiple security vulnerabilities in both Oracle code and third-party components included in Oracle products. Oracle regularly receives reports of attackers attempting to exploit previously patched vulnerabilities, and for customers with unpatched systems, these attacks have been successful.
Oracle’s alert covers product families including JD Edwards, MySQL, Oracle Enterprise Manager, Fusion Middleware, Oracle Banking Platform, Oracle Communications, PeopleSoft, Contact Support, and Database, among others.
Oracle advises administrators to review previous patches, as the current collection is based on cumulative updates.
Goodman suggests that when immediate patching isn’t feasible, security teams should employ compensating controls such as network segmentation, enhanced monitoring, and adjusting user access privileges. Oracle notes that blocking network protocols required by an attack can be a temporary measure but isn’t a long-term solution.
“For attacks requiring certain privileges or access to specific packages, removing these privileges from users who do not need them can reduce the risk of a successful attack,” Oracle advises, emphasizing testing these measures on non-production systems first to avoid disrupting functionality.
By adopting robust strategies, “organizations can enhance their resilience against cyber threats and minimize the likelihood of successful attacks, ensuring the protection of critical assets and maintaining operational integrity,” Goodman concludes.