MA-817.092021: MyCERT Alert - Critical Vulnerability in VMware vCenter Server

  • 29 Sep 2021
  • Alert
  • VMware, CVE-2021-22005

1.0 Introduction
VMware has released security updates to address a critical vulnerability (CVE-2021-22005) found in the vCenter Server and Cloud Foundation. Users and administrators are encouraged to review the VMware Security Advisory VMSA-2021-0020 and apply the necessary updates and workarounds.

2.0 Impact
Exploiting this vulnerability may allow an attacker with network access to port 443 to execute code on vCenter Server by uploading a specially crafted file.

3.0 Affected System and Devices
Updates are available for the following products:
• VMware vCenter Server (vCenter Server) version 6.7, 7.0
• VMware Cloud Foundation (Cloud Foundation) version 3.x, 4.x

4.0 Recommendations
To mitigate CVE-2021-22005, MyCERT strongly urges critical infrastructure entities and other organizations with affected vCenter Server versions to take the following actions.

• Upgrade to a fixed version as quickly as possible. See VMware Security Advisory VMSA-2021-0020 for patching information.
• Apply the temporary workaround provided by VMware, if unable to upgrade to a fixed version immediately. See VMware’s workaround instructions for CVE-2021-22005, supplemental blog post, and frequently asked questions for additional information.

Generally, MyCERT advises users of these devices to stay updated with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my


MA-816.092021: MyCERT Advisory - Microsoft September 2021 Security Updates

  • 17 Sep 2021
  • Advisory
  • Microsoft

1.0 Introduction

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. This month’s security update notification presents 8 newly reported vulnerabilities, of which 4 have been rated critical while the remaining are classified as important.

2.0 Impact
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

  • Windows 10 v21H1, v20H2, v2004, and v1909
  • Windows Server 2022, Windows Server 2019, Windows Server 2016, and Server Core installations (2019, 2016, v20H2, and v2004)
  • Windows 8.1, Windows Server 2012 R2, and Windows Server 2012
  • Microsoft Azure-related software
  • Microsoft Office-related software
  • Microsoft SharePoint-related software
  • Microsoft Visual Studio-related software
  • Microsoft Dynamics 365-related software

4.0 Recommendations
Users and administrators are advised to review the URLs below and apply the necessary updates:

https://msrc.microsoft.com/update-guide/deployments
https://msrc.microsoft.com/update-guide/releaseNote/2021-Sep

Generally, MyCERT advises users of these devices to stay updated with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


MA-815.092021: MyCERT Alert - Fortinet Fortigate VPN Credentials Leaked

  • 11 Sep 2021
  • Alert
  • Fortinet, VPN, SSL, credential leak

1.0 Introduction

MyCERT is aware of a user credential leak on a hacking forum that involved approximately 500,000 Fortinet Fortigate VPN logins. The user credentials were allegedly scraped from exploitable devices last summer. Details about this vulnerability can be found at https://www.mycert.org.my/portal/advisory?id=MA-794.112020.

2.0 Impact
The exposure of the credentials could allow an attacker to access a network to perform malicious activities such as data exfiltration, malware installation, and ransomware attacks.

3.0 Affected System and Devices
• FortiOS 6.0 - 6.0.0 to 6.0.4
• FortiOS 5.6 - 5.6.3 to 5.6.7
• FortiOS 5.4 - 5.4.6 to 5.4.12
• (other branches and versions than above are not impacted)
• ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled

4.0 Recommendations
MyCERT strongly urges administrators of affected Fortinet VPNs to follow the guidance below.

• Ensure that the products are patched to the latest versions immediately. If administrators are unable to do so immediately, disable all VPNs (SSL-VPN or IPsec) until the following remediation steps have been taken.
• Treat all credentials as potentially compromised by performing an organization-wide password reset, and set new strong passwords immediately.
• Consider enabling two-factor authentication (2FA) to secure the VPN accounts, using external authentication services where possible.
• Check the Fortigate appliance's Audit Event log and VPN Event Log for signs of unauthorised or unusual logins, such as logins using valid credentials but from an abnormal overseas IP address, or logins at an unusual time of day.
• Monitor the network for any suspicious activities such as possible intrusion attempts.
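
The log check described in the bullets above can be scripted against an exported VPN event log. The following is an added example, not MyCERT or Fortinet code; the sample lines are constructed, and the key=value field names (`action`, `user`, `remip`), the expected source network and the working hours are assumptions to adjust to your own log export and policy.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in FortiGate-style key=value form; the field
# names and action values are assumptions to adapt to your own log export.
SAMPLE_LOG = '''\
date=2021-09-06 time=09:14:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="alice" remip=203.0.113.25
date=2021-09-07 time=03:41:55 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=198.51.100.77
date=2021-09-07 time=10:05:10 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" user="bob" remip=198.51.100.77
date=2021-09-08 time=14:30:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="carol" remip=192.0.2.10
'''

# Assumed policy: networks staff normally connect from, and working hours.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
WORK_HOURS = range(9, 18)  # 09:00-17:59 local time, Monday to Friday
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}

def review_logins(log_text, nets=EXPECTED_NETS, hours=WORK_HOURS):
    """Return (user, remip, timestamp, reasons) for successful logins to review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "tunnel-up":
            continue  # only successful VPN session establishment
        try:
            when = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
            ip = ipaddress.ip_address(rec["remip"])
        except (KeyError, ValueError):
            continue  # line lacks a usable timestamp or source address
        reasons = []
        if not any(ip in net for net in nets):
            reasons.append("unexpected-source")
        if when.hour not in hours or when.weekday() >= 5:
            reasons.append("outside-hours")
        if reasons:
            findings.append((rec.get("user", "?"), str(ip), when.isoformat(), reasons))
    return findings

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(finding)
```

A flagged login is a lead to verify with the account owner, not proof of compromise; accounts that appear here should be prioritised in the password reset.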

Generally, MyCERT advises users of these devices to stay updated with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


5.0 References

  1. https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials
  2. https://www.csa.gov.sg/en/singcert/Alerts/al-2021-053
  3. https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/
  4. https://www.mycert.org.my/portal/advisory?id=MA-794.112020