CISA Releases SCuBA TRA and eVRF Guidance Documents
CISA has released several documents as part of the Secure Cloud Business Applications (SCuBA) project:
The Technical Reference Architecture (TRA) document, previously released for public comment on April 19, 2022, is the final version of a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks.
The extensible Visibility Reference Framework (eVRF) guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps. The guidebook is accompanied by two workbooks: eVRF Google Workspace and eVRF Microsoft 365 and two spreadsheets: eVRF Google Workspace and eVRF Microsoft 365 that detail Google Workspace and Microsoft 365 security controls.
Visit CISA’s SCuBA project page for more information and to review the guidance documents. Please contact CISA’s Cybersecurity Shared Services Office at CyberSharedServices@cisa.dhs.gov.
VMware Releases Security Update for vCenter Server and Cloud Foundation
VMware has released a security update to address multiple memory corruption vulnerabilities in vCenter Server and Cloud Foundation. A cyber threat actor could exploit these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review VMware Security Advisory VMSA-2023-0014 and apply the necessary updates.
CISA Adds Five Known Exploited Vulnerabilities to Catalog
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-32434 Apple Multiple Products Integer Overflow Vulnerability
CVE-2023-32435 Apple iOS and iPadOS WebKit Memory Corruption Vulnerability
CVE-2023-32439 Apple iOS, iPadOS, and macOS WebKit Type Confusion Vulnerability
CVE-2023-20867 VMware Tools Authentication Bypass Vulnerability
CVE-2023-27992 Mozilla Firefox, Firefox ESR, and Thunderbird Use-After-Free Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Apple Releases Security Updates for Multiple Products
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.
CISA encourages users and administrators to review the following advisories and apply the necessary updates.
watchOS 8.8.1
macOS Big Sur 11.7.8
macOS Monterey 12.6.7
iOS 15.7.7 and iPadOS 15.7.7
watchOS 9.5.2
macOS Ventura 13.4.1
iOS 16.5.1 and iPadOS 16.5.1
ISC Releases Security Advisories for Multiple Versions of BIND 9
The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC’s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.
CISA encourages users and administrators to review the following ISC advisories CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911 and apply the necessary mitigations.
Juniper Networks Releases Security Advisory for Junos OS and Junos OS Evolved
Juniper Networks has released a security advisory that addresses a vulnerability in Junos OS and Junos OS Evolved. A remote attacker could exploit this vulnerability to cause a denial-of-service condition.
CISA encourages users and administrators to review the Juniper Security Advisory for CVE-2023-0026 and apply the necessary updates.