Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we delve into high-profile vulnerabilities impacting third-party software and explore their implications for Third-Party Risk Management (TPRM). This edition examines two notable vulnerabilities: the path traversal vulnerabilities in Atlassian Jira, Ivanti Connect Secure, and Nostromo nhttpd. With each vulnerability carrying the potential for severe exploitation, our insights aim to equip TPRM professionals with the knowledge and tools necessary to understand the impact of these risks on their organizations and address them proactively. By leveraging Black Kite’s FocusTags^TM, we enable TPRM teams to respond swiftly and strategically to evolving cyber threats, mitigating the cascading effects of third-party vulnerabilities on enterprise security.

CVE-2021-26086: Path Traversal Vulnerability in Atlassian Jira

What is the Path Traversal Vulnerability in Atlassian Jira (CVE-2021-26086)?

CVE-2021-26086 is a path traversal vulnerability in Atlassian Jira Server and Data Center versions prior to 8.5.14, between 8.6.0 and 8.13.6, and between 8.14.0 and 8.16.1. This vulnerability allows remote attackers to read specific files via a crafted request to the /WEB-INF/web.xml endpoint. The vulnerability has a CVSS score of 5.3, indicating a medium severity level, and an EPSS score of 97.11%, suggesting a high likelihood of exploitation. 

PoC exploit code is available. It was first disclosed in August 2021 and has been actively exploited in the wild, with CISA adding it to their Known Exploited Vulnerabilities (KEV) catalog on November 12, 2024. The threat actor group Androxgh0st has been identified as exploiting this vulnerability.

You can access the workaround details shared on Atlassian’s official site here. However, upgrading to the latest version will help enhance your resilience against current and future vulnerabilities.

Why Should TPRM Professionals Be Concerned About CVE-2021-26086?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2021-26086 because it allows unauthorized access to sensitive files on vulnerable Jira instances. If a vendor’s Jira system is compromised, attackers could gain access to internal project information, user data, and other confidential materials, potentially leading to data breaches and further exploitation within the organization’s network.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2021-26086?

• Have you identified any instances of Atlassian Jira Server or Data Center within your infrastructure?
• If so, have these instances been updated to versions 8.5.14, 8.13.6, 8.16.1, or later to address CVE-2021-26086?
• What measures have you implemented to detect and prevent unauthorized access attempts exploiting this vulnerability?
• Can you provide details on any monitoring or logging mechanisms in place to identify potential exploitation of this vulnerability?

Remediation Recommendations for Vendors

• Upgrade Jira Instances: Update all Atlassian Jira Server and Data Center instances to the latest fixed versions (8.5.14, 8.13.6, 8.16.1, or later) to mitigate the vulnerability. Atlassian provides the latest versions (9.12.15) on their support site, ensuring protection against this and other known vulnerabilities.
• Implement Access Controls: Restrict access to Jira instances through secure methods such as VPNs and enforce strong authentication mechanisms.
• Apply Workarounds if Immediate Upgrade Isn’t Possible:
  • Reverse Proxy/Load Balancer Configuration: Configure reverse proxies or load balancers to block path traversal attempts by denying requests containing traversal sequences.
  • URL Rewrite Rules: Modify Jira’s urlrewrite.xml to redirect suspicious requests containing path traversal characters to safe URLs.
• Monitor Systems: Regularly review access logs and network traffic for unusual activities that may indicate exploitation attempts.

How Can TPRM Professionals Leverage Black Kite for CVE-2021-26086?

Black Kite’s FocusTag™ for Atlassian Jira, published on November 13, 2024, enables TPRM professionals to identify vendors potentially affected by CVE-2021-26086. By providing detailed information on vulnerable assets, such as specific IP addresses and subdomains, Black Kite allows organizations to prioritize assessments and remediation efforts effectively. This targeted approach helps reduce the scope of vendor inquiries, minimizing questionnaire fatigue and streamlining the risk management process.

Critical Ivanti Connect Secure Vulnerabilities

What Are the RCE and Privilege Escalation Vulnerabilities in Ivanti Connect Secure?

After creating our FocusTag™ for Ivanti Connect Secure, specifically for CVE-2024-37404 on October 9, 2024, we mentioned this FocusTag™ in our Focus Friday post on October 11, 2024. This week, Ivanti’s Security Advisory page published an update with 25 CVEs, and 14 of these, selected based on their criticality, are discussed below. You can find the other vulnerabilities here.

The vulnerabilities identified in Ivanti Connect Secure and Policy Secure include a total of 14 critical issues, such as use-after-free (CVE-2024-9420, CVE-2024-47906), stack-based buffer overflow (CVE-2024-47907), argument injection (CVE-2024-38655, CVE-2024-38656, CVE-2024-39710), command injection (CVE-2024-11007, CVE-2024-11006, CVE-2024-11005), and reflected XSS (CVE-2024-11004). These vulnerabilities enable attackers to escalate privileges, execute arbitrary commands, and in some cases, cause denial of service. Specifically:

• CVE-2024-9420: A use-after-free vulnerability in Ivanti Connect Secure versions prior to 22.7R2.3, allowing remote authenticated attackers to achieve remote code execution.
• CVE-2024-47906: Another use-after-free issue that allows local attackers to escalate privileges.
• CVE-2024-47907: A stack-based buffer overflow in the IPsec module of Ivanti Connect Secure, potentially causing a denial of service attack by unauthenticated remote attackers.
• CVE-2024-37400: An out-of-bounds read vulnerability leading to infinite loop and potential denial of service.
• CVE-2024-38655, CVE-2024-38656: Argument injection vulnerabilities that allow remote code execution with admin privileges.
• CVE-2024-39709: Incorrect file permissions, which could allow local attackers to escalate their privileges.
• CVE-2024-39710, CVE-2024-39711, CVE-2024-39712: Argument injection vulnerabilities enabling remote code execution.
• CVE-2024-11007, CVE-2024-11006, CVE-2024-11005: Command injection vulnerabilities allowing admin-level code execution.
• CVE-2024-11004: A reflected XSS vulnerability allowing privilege escalation through user interaction.

While these vulnerabilities are not yet reported to be exploited in the wild, the widespread use of Ivanti products in enterprise environments increases the potential risk. The Ivanti Connect Secure tag was updated on November 14, 2024, to reflect the latest risk assessment.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

These vulnerabilities could enable unauthorized actors to access Ivanti systems, move laterally within a network, access sensitive information, or disrupt critical services. Given Ivanti Connect Secure’s role in VPN and access management, the exploitation of these vulnerabilities could lead to significant security and operational impacts for enterprises.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

• Have you applied the latest patches (e.g., Ivanti Connect Secure 22.7R2.3) to mitigate these vulnerabilities?
• Can you confirm if you have implemented the recommended mitigation steps provided by Ivanti, such as restricting admin access to the management interface, strengthening password policies and MFA protections, and disabling remote access where possible?
• Have you taken measures to monitor network traffic for any unusual activities, specifically in relation to the potential exploitation of the use-after-free, stack-based buffer overflow, argument injection, command injection, and reflected cross-site scripting (XSS) vulnerabilities identified in the Ivanti products?
• What additional precautions are in place to prevent privilege escalation or command injection attacks? Can you confirm if you have addressed the privilege escalation vulnerability (CVE-2024-39709) in Ivanti Connect Secure & Policy Secure by regularly auditing permissions, particularly for admin-level accounts?

Remediation Recommendations for Vendors

To mitigate these risks, vendors should:

• Upgrade to the latest versions—Ivanti Connect Secure 22.7R2.3, and Ivanti Policy Secure 22.7R1.2.
• Enable admin access only on the management interface, ensuring it is isolated from the internet by a firewall or jump-host.
• Implement strong passwords, regular password rotation, credential vaults, and multi-factor authentication (MFA) to further limit exposure.
• Regularly audit permissions, particularly for admin-level accounts, to prevent privilege escalation risks.
• For those unable to apply the update immediately, Ivanti provides mitigation steps, including restricting admin access to the management interface and strengthening password policies and MFA protections.
• Disable remote access where possible, and if remote access is essential, secure it via a VPN.
• Monitor network traffic for any unusual activities.

How Can TPRM Professionals Leverage Black Kite for These Vulnerabilities?

Black Kite’s updated FocusTag™ as of November 14, 2024, provides critical insights, including vulnerable IPs and subdomains, enabling TPRM professionals to focus on vendors directly impacted by these vulnerabilities. Black Kite’s detailed approach helps streamline the TPRM process by reducing questionnaire fatigue while enabling proactive risk management.

CVE-2019-16278 Nostromo nhttpd Path Traversal Vulnerability

What is the Nostromo nhttpd Path Traversal and Remote Code Execution Vulnerability?

CVE-2019-16278 is a critical path traversal vulnerability in the Nostromo nhttpd web server, which can enable remote code execution (RCE). Rated with a CVSS score of 9.8 and an EPSS score of 97.46%, this vulnerability exists in the http_verify function of Nostromo nhttpd versions up to 1.9.6. 

Attackers can exploit this flaw by sending a specially crafted HTTP POST request with directory traversal sequences to gain access to restricted directories and invoke commands on the target system. The vulnerability can lead to complete system compromise, allowing unauthorized code execution with root privileges, potentially stealing sensitive data, disrupting services, or deploying additional malicious software.

Discovered in 2019, this vulnerability remains actively exploited. Recently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on November 7, 2024, this vulnerability has been observed in real-world attack campaigns.

Why Should TPRM Professionals Care About Nostromo nhttpd Vulnerabilities?

For TPRM professionals, vulnerabilities in the Nostromo nhttpd web server present significant third-party risks due to the severity of potential impacts. An attacker exploiting this vulnerability can execute code with high-level privileges, enabling unauthorized access to critical data, systems, and even broader network infiltration. Organizations relying on third-party vendors using Nostromo nhttpd could face exposure to breaches involving sensitive information, service interruptions, and reputational damage. This vulnerability’s presence in publicly accessible servers magnifies the risk for organizations across various sectors.

What Questions Should TPRM Professionals Ask Vendors About Nostromo nhttpd Vulnerabilities?

To assess risk mitigation, TPRM professionals should ask vendors the following questions:

1. Have you upgraded Nostromo nhttpd to a version beyond 1.9.6 that addresses CVE-2019-16278? If updating Nostromo nhttpd was not feasible, have you restricted access to the web server and used application-layer firewalls to filter malicious HTTP requests as recommended in the advisory?
2. What measures are in place to restrict web server access and monitor HTTP requests for directory traversal patterns?
3. How do you regularly assess server configurations and permissions for vulnerabilities?
4. Are there any incident response procedures for detecting and responding to suspected exploits of this vulnerability?

Remediation Recommendations for Vendors Subject to this Risk

Vendors using Nostromo nhttpd should consider these recommended actions:

• Upgrade to a version of Nostromo nhttpd that addresses CVE-2019-16278 to eliminate the vulnerability.
• If immediate upgrade is not feasible, implement workarounds, such as:
  • Restricting server access to trusted IP ranges.
  • Using application-layer firewalls to block malicious HTTP requests targeting directory traversal sequences.
• Implement continuous monitoring for suspicious activities related to HTTP requests containing directory traversal sequences.
• Regularly review server configurations and access permissions.
• Enable strict access controls and limit remote access to critical services.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite helps TPRM professionals identify vendors affected by CVE-2019-16278 through a comprehensive FocusTag™, released on November 8, 2024. With detailed asset information, including IP addresses and subdomains, Black Kite empowers TPRM professionals to operationalize the risk, enabling early intervention. For TPRM teams, this capability enhances monitoring and response to vendor security issues, adding a valuable layer of defense against potential exploitation.

Enhancing TPRM Strategies With Black Kite’s FocusTags™

In today’s fast-paced cyber threat landscape, staying ahead of vulnerabilities is essential for a robust Third-Party Risk Management (TPRM) approach. Black Kite’s FocusTags™ are designed to provide critical insights that enhance these strategies, transforming complex threat information into actionable intelligence. Here’s how these tags help TPRM professionals respond effectively to vulnerabilities like those recently highlighted in Atlassian Jira, Ivanti Connect Secure and Nostromo nhttpd:

• Real-Time Vulnerability Tracking: Black Kite’s FocusTags™ immediately identify vendors affected by emerging vulnerabilities, enabling TPRM teams to implement responses promptly and accurately.
• Strategic Risk Prioritization: FocusTags™ help prioritize risks by combining vendor criticality with vulnerability severity, allowing organizations to allocate resources to the most pressing risks.
• Enhanced Vendor Communication: By offering vendor-specific insights, FocusTags™ facilitate productive conversations with vendors about their exposure and response to particular vulnerabilities.
• Comprehensive Threat Landscape Overview: Black Kite’s FocusTags™ provide a broad view of the cybersecurity landscape, supporting the development of more resilient defenses against evolving threats.

Through Black Kite’s FocusTags™, TPRM professionals gain an invaluable tool for managing third-party cyber risks in a constantly changing environment, ensuring that vulnerabilities are managed proactively to protect enterprise security.

But having these vulnerability insights is only one step in the process. You need to work with your vendors to remediate these risks effectively and efficiently. For a comprehensive guide on transforming vendor collaboration in times of urgency, check out our latest interactive guide, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. Learn how to streamline communication, prioritize vendor actions, and implement scalable workflows that keep your third-party risk response strong when every second counts.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• Atlassian Jira: CVE-2021-26086, Path Traversal Vulnerability in Atlassian Jira Server and Data Center.
• Ivanti Connect Secure: 
• Nostromo nhttpd: CVE-2019-16278, Path Traversal Vulnerability, RCE Vulnerability in Nostromo nhttpd.
• LiteSpeed Cache: CVE-2024-50550, Privilege Escalation Vulnerability iin LiteSpeed Cache plugin.
• RICOH Web Image Monitor: CVE-2024-47939, Buffer Overflow Vulnerability in RICOH Web Image Monitor.
• Squid Proxy: CVE-2024-45802, DoS Vulnerability in Squid Proxy Servers.
• XLight FTP: CVE-2024-46483, Integer Overflow and RCE Vulnerabilities in XLight FTP Servers.
• Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.
• FortiManager: CVE-2024-47575, Missing Authentication Vulnerability in FortiManager.
• Grafana: CVE-2024-9264, Remote Code Execution Vulnerability  in Grafana.
• Roundcube Webmail: CVE-2024-37383, Cross-Site Scripting (XSS) Vulnerability in Roundcube Webmail.
• Cisco FMC: CVE-2024-20424, Command Injection Vulnerability in Cisco Secure Firewall Management Center.
• Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
• GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.

References

https://nvd.nist.gov/vuln/detail/cve-2021-26086#range-13344932

https://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html

https://jira.atlassian.com/browse/JRASERVER-72695

https://confluence.atlassian.com/jirakb/workaround-for-cve-2019-15004-979416164.html

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2024-11004

https://nvd.nist.gov/vuln/detail/CVE-2024-9420

https://nvd.nist.gov/vuln/detail/CVE-2024-47906

https://nvd.nist.gov/vuln/detail/CVE-2024-47907

https://nvd.nist.gov/vuln/detail/CVE-2024-37400

https://nvd.nist.gov/vuln/detail/CVE-2024-38655

https://nvd.nist.gov/vuln/detail/CVE-2024-38656

https://nvd.nist.gov/vuln/detail/CVE-2024-39709

https://nvd.nist.gov/vuln/detail/CVE-2024-39710

https://nvd.nist.gov/vuln/detail/CVE-2024-39711

https://nvd.nist.gov/vuln/detail/CVE-2024-39712

https://nvd.nist.gov/vuln/detail/CVE-2024-11007

https://nvd.nist.gov/vuln/detail/CVE-2024-11006

https://nvd.nist.gov/vuln/detail/CVE-2024-11005

https://blackkite.com/blog/focus-friday-insights-into-third-party-risks-in-fortinet-core-products-cisco-rv-routers-and-ivanti-connect-secure-vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2019-16278#range-13412787

https://www.exploit-db.com/exploits/47837

https://www.nazgul.ch/dev/nostromo_man.html

The post Focus Friday: Third-Party Risk Insights Into Atlassian Jira, Ivanti Connect Secure, and Nostromo nhttpd Vulnerabilities With Black Kite’s FocusTags™ appeared first on Black Kite.

Written by: Bob Maley

Imagine your company is evaluated by a potential client, only to discover that the intelligence they rely on is riddled with inaccuracies. That’s exactly what happened to us at Black Kite recently.

We were being evaluated as a vendor by a prospective customer who at the time was using a competing third-party risk management (TPRM) solution. They used that solution to pull a report on Black Kite, but the “intelligence” they shared with us was way off. The report found a lot of assets in our digital footprint that frankly didn’t exist. Because they were adamant they trusted the data, we investigated further. Turns out, those assets were showing up as a result of shadow IT and weren’t really in our environment at all. The fact that their solution failed to provide accurate data while ours did closed the deal.

That’s how important accurate data is in TPRM. You need to know what exactly is happening with your vendors to assess the risk they pose to your business, and you need to be able to share accurate data with your vendors to take action. On many occasions, we’ve seen Black Kite customers share data with their third parties that those third parties wouldn’t have had access to otherwise, down to the asset impacted with step-by-step remediation guidance. This helps vendors address issues faster and more accurately, boosting trust and collaboration.

This is why good data is the key to unlocking vendor engagement for collaborative risk remediation and reduction. It gets their attention because it’s accurate, detailed, and in many cases, completely new to them. 

The More Connected We Are, the More We Need Accurate Data

Companies are more connected than ever, sharing data, processes, tools, and platforms with an expanding network of third parties to operate and grow their businesses. According to one report, 182 vendors connect to the average enterprise’s systems weekly. 

But fast-paced IT growth can lead to increased gaps and vulnerabilities that attackers are looking to exploit. Third-party breaches and other security incidents can significantly harm a company’s ability to maintain operational continuity and safeguard its reputation. So having a third-party risk management program to identify, quantify, prioritize, and mitigate these cybersecurity risks is critical.

However, traditional episodic risk assessments impose a heavy burden on TPRM teams and vendors alike, as they often use manual processes, spending hundreds of hours pulling and analyzing data. It takes most (92% of) companies an average of 31 days to complete a control assessment, while 40% require up to 61 days. Understandably, this dynamic can cause a lot of friction between companies and their vendors. Risk conversations can be challenging and adversarial.

But there’s a better way forward. With the right technology and processes, your company can create a robust, agile risk management program powered by continuous and accurate risk data. 

So, how can your organization leverage accurate data to build these essential relationships?

Use Good Data to Get Your Vendor’s Full Attention

By consistently providing accurate, actionable risk data, companies not only enhance their own security posture but also build trust and cooperation with their vendors, laying the groundwork for a more resilient, collaborative risk management ecosystem.

Here are a few best practices you can adopt to create reliable risk data and share it with partners:

1. Collect comprehensive data:

Engage with a cyber risk intelligence provider to access up-to-date, high-quality risk data, including information about third and fourth+ parties that can be used to make critical business, operational, and security decisions. However, remember that not all risk intelligence vendors are created equal — choose one that offers standards-based ratings to gain a single version of truth.

2. Focus on the right alerts:

When high-profile cyber events occur, it’s crucial to have immediate visibility into which vendors are at risk to notify them to take action. For example, you should know whether they’re affected by a data breach, ransomware, or known exploitable vulnerabilities – as well as the context on how it might affect your business, enabling TPRM teams to separate serious threats from noise. Importantly, this information can be communicated to vendors to guide their response.

3. Create a robust and agile risk assessment program:

Instead of executing episodic assessments that capture static data, you can build a continuous risk assessment program that monitors and improves the company’s risk posture and that of vendors.

4. Dynamically assess the latest risks:

Grade vendors’ cybersecurity postures, identify vulnerabilities, forecast the likelihood of attack patterns such as ransomware impacting them, and calculate the potential financial impact of certain third-party breaches. Then, use these insights to prioritize risks and create a risk response plan.

5. Elevate the ecosystem:

Provide data-backed intelligence on risks to vendors, suppliers, and partners so they can mitigate risks proactively. Build stronger relationships by helping vendors avoid harm to their businesses. Warning a vendor that it’s vulnerable to a ransomware attack can help them make proactive improvements to avoid it, saving them from operational paralysis, customer harm, ransoms, lawsuits, and fines.

6. Work with the best:

Use the data and insights from a risk intelligence provider to rate potential vendors, select the more security-forward partners, and weed out low performers.

Build Trust and Cooperation with Vendors to Improve Engagement

Accurate, reliable risk data is the foundation of effective third-party risk management. It empowers companies to engage their vendors with confidence, enables proactive risk mitigation, and fosters stronger partnerships built on trust and transparency. By leveraging solutions like Black Kite Bridge™, organizations can share precise, actionable intelligence that encourages vendors to take immediate, targeted actions—leading to faster risk reduction and a more secure ecosystem for everyone involved. In fact, early users of Black Kite Bridge™ have experienced more than 200% increase in vendor responses, resulting in considerable reduction in third-party risk.

Looking for step-by-step guidance to elevate your vendor collaboration efforts? Get a before-and-after look at how to transform third-party outreach and collaboration in our interactive ebook Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events (no download required).

The post How Reliable Risk Data Unlocks Vendor Engagement appeared first on Black Kite.

Written by: Jeffrey Wheatman

I recently had the opportunity to speak with a group of cybersecurity and risk leaders at an event where we discussed challenges around managing third-party cyber risk management (TPCRM).The big takeaway: when it comes to managing third-party cyber risk, cyber leaders are feeling spread thin. 

I empathize with the frustration. With the expansion in size and complexity of cyber ecosystems we’ve seen over the last decade, it’s really no surprise. After all, most enterprises must assess risk for anywhere from 1,000 to 10,000+ partners now, often in the same amount of time and without much more budget than they had when they were assessing under 100 vendors.

Top 3 Struggles with Third-Party Risk Management (TPRM)

From my point of view, struggles with third-party risk management (TPRM) come down to these three major challenges:

• Resource strain
• Limited access to reliable data
• Lack of clarity about who owns what, both within the company (Who owns third-party risk management?)

3 Strategies TPRM Leaders Can Use to Alleviate These Challenges

1. Improve With Processes, Not People

Let’s be real. Throwing more people at TPRM problems doesn’t solve them. The key to tackling third-party risk is revising the processes organizations use to evaluate security postures — not just adding more humans to the mix. We covered this in a recent RiskBusters™ episode, where we tackled the myth that you need a larger team to effectively manage third-party risk. 

As organizations grow their cyber ecosystems, it’s become increasingly more difficult for them to effectively manage cyber risk exposure in their supply chains. It might seem intuitive to add more security people when you add more third parties, but here’s the main issue: If you don’t have the right processes in place, then any size team will get stuck spinning its wheels. 

I heard several security leaders mention that they keep adding people, training them, and processing ever more security questionnaires—without moving the needle on decreasing third-party risk. When it comes to TPCRM, more (people) is not always better. It’s about the quality of the TPCRM processes and protocols you follow. You need streamlined standard operating procedures (SOPs) backed by the right technology to reduce noise and ensure quality data hits your desks. 

Ultimately, all TPCRM processes should have one goal: Gaining reliable data to make better risk decisions.

2. Source Data You Can Trust

Decisions are only as good as the data used to make them. But here’s the issue: Security leaders still struggle to find threat and risk data they can trust — and that’s because there’s both too much data and not enough of the right data hitting their desks.

Vendor assessments are a major source of that rapid influx of unnecessary data. Those assessments — aka security questionnaires — can be as long as 500+ questions. However, more questions doesn’t equal less risk. 

Defaulting to asking every vendor hundreds of questions only increases the work your teams have to do to parse through potentially irrelevant, sometimes even inaccurate data. (And it annoys your vendors to no end.) There’s not much value to adding people to a team if they’re spending time doing tasks that don’t increase insight into real risks or decrease their potential impact on the organization.

Instead, organizations must identify what vendors are most critical to their business processes as well as which vulnerabilities could have the greatest potential impact to their business. This greatly narrows down what your team needs to focus on to only the vulnerabilities that are actual risks, and not the giant mountain of risks that probably exist in your cyber ecosystem.

To prioritize vulnerabilities based on their level of risk to the organization, security teams can ask the following questions:

• What’s our exposure if this vendor does experience a breach?
• Does this vendor have access to our sensitive and valuable data?
• How can we keep tabs on new vulnerabilities this vendor might be exposed to?
• What processes can I automate to save time and resources?

When organizations gain clarity on those critical questions, they can better manage third-party cyber risk by sending over specific, relevant questions instead of going total buckshot.

3. Make TPRM A Group Effort

Ownership is another common issue in the TPRM space. At one company, the CISO could own all of TPRM. At another, there could be a dedicated third-party risk person or team — or even a supply chain risk-focused group. There’s no standardized approach today for deciding who owns what tasks, processes, and decisions related to third-party risk.

It’s critical for organizations to identify what works best for them. However, TPRM should always be a group effort. Leadership across the organization should understand how third-party risk is managed and why it’s so important. 

Why? Cyber risks often have a cascading and outsized impact. For example, a hacked vulnerability in Kaseya’s VSA software led to a massive ransomware attack affecting up to 1,500 companies worldwide and disrupting operations for days. While CISOs and Chief Risk Officers have a responsibility to captain the ship when it comes to TPRM, it’s also critical that organizations start with a strong cultural foundation that emphasizes the importance of security.

Additionally, organizations need tools that enable clarity, communication, and collaboration. These tools should help:

• Prioritize vendors based on potential business impact and Cyber Risk Quantification (CRQ)
• Collect and surface relevant data on attacks, threats, and vulnerabilities
• Use AI to parse important security documents and map data to appropriate compliance and security frameworks
• Connect to your vendors’ security teams to share risk intelligence and collaboratively remediate it

When TPRM teams have a platform to manage those critical tasks, they can work together to mitigate risk more effectively.

The Black Kite Difference

At Black Kite, we built our platform from the ground up to address these growing challenges in the TPRM space.

Automated Processes

We leverage automated parsing technology that can sift through extensive security resources (like questionnaires) and identify what’s important vs. what’s irrelevant. That way, your teams can get the data they need to identify risks with greater speed, efficiency, and accuracy.

We also created Black Kite Bridge™ to streamline vendor communications, making it easier for organizations and their third parties to connect, share information, and strategize together after a high-profile cyber event. Simply invite vendors to our portal, where you can direct their attention to your most pressing concerns, share actionable asset-level vulnerability intelligence, and provide real-time ratings updates to simplify vendor engagement.

You’ll maximize time and value without adding unnecessary overhead.

Trustworthy Data

We know trustworthy data starts with trustworthy sources. Our platform aggregates hundreds of data streams from open-source intelligence (OSINT) across the web, including hacker forums, social networks, and leaked database dumps.

By providing consistently trustworthy data, we give our clients the risk intelligence they need to make smart choices. That reduces false positives and bolsters third-party risk management. 

H3: Reliable Cyber Risk Quantification

Our data is always reliable — which means CISOs can trust that we have the viable cyber risk quantification (CRQ) they need to collaborate with business leaders on TPRM strategies and responses. 

We vet the data we collect against reputable standards, including:

• MITRE ATT&CK frameworks
• Open FAIR™
• MITRE CTSA

That’s how we map out CRQ. No magic tricks. No black boxes. Just facts. Industry analyst firm Forrester even highlighted our dedication to ratings integrity with the following assessment:

“[Black Kite is] the only vendor in this evaluation whose customers were unanimously satisfied with its rating accuracy.”
Plus, we distinctly map out cyber risk in financial terms. By putting an actual dollar value to risk, CISOs can better collaborate with business leaders and illustrate the practical impact of risk. That leads to better communication, better decisions, and better results.

It’s About Quality, Not Quantity

More isn’t always better. Quantity (i.e., adding more people or questionnaires) won’t make third-party cyber risk easier to handle. Quality processes, with purpose-built tools and accurate data, will.

We built Black Kite with exactly that purpose in mind. Our features help streamline processes with automation, deliver reliable data, and enable collaboration. Your teams will be empowered to make confident and informed risk decisions no matter the challenge—and finally feel like they’re doing TPCRM right.

CTA: Don’t just take my word for it. See Black Kite in action. Get a free cyber assessment. 

The post Why TPCRM Teams Feel Spread Thin and 3 Coverage Strategies appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s edition of FOCUS FRIDAY, where we delve into high-profile cybersecurity incidents from a Third-Party Risk Management (TPRM) perspective. In this installment, we examine critical vulnerabilities affecting widely-used products such as LiteSpeed Cache, RICOH Web Image Monitor, Squid Proxy, and Xlight FTP. By leveraging Black Kite’s proprietary FocusTags™, we provide actionable insights and strategic recommendations to help organizations effectively manage and mitigate the risks associated with these vulnerabilities. Join us as we explore the details of each incident and outline best practices for enhancing your TPRM strategies.

CVE-2024-50550: LiteSpeed Cache Privilege Escalation Vulnerability

What is the LiteSpeed Cache Privilege Escalation Vulnerability (CVE-2024-50550)?

CVE-2024-50550 is a high-severity privilege escalation vulnerability identified in the LiteSpeed Cache plugin for WordPress. With a CVSS score of 8.1, this vulnerability allows unauthorized users to gain administrator-level access to affected WordPress sites. Discovered and published on November 1, 2024, the flaw resides in the is_role_simulation() function within the plugin’s Crawler feature. By exploiting inadequate hashing mechanisms, attackers can bypass security checks, enabling them to upload and activate malicious plugins, potentially leading to full site takeover. POC exploit code is not available and the vulnerability has not yet been added to CISA’s Known Exploited Vulnerabilities catalog. The vulnerabilities can be exploited by threat actors. Once an attacker circumvents the hash check, they could gain full control over the site, leading to the installation of malware, data theft, and even disruptions to website operations.

Why Should TPRM Professionals Care About CVE-2024-50550?

From a Third-Party Risk Management (TPRM) perspective, CVE-2024-50550 poses significant risks to organizations relying on WordPress sites that utilize the LiteSpeed Cache plugin. A successful exploitation can compromise site integrity, leading to unauthorized data access, malware distribution, and operational disruptions. Given the plugin’s widespread use—over six million active installations—TPRM professionals must assess the potential impact on their vendor ecosystems to prevent cascading security breaches.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-50550?

To effectively evaluate the risk associated with CVE-2024-50550, TPRM professionals should engage vendors with the following targeted questions:

1. Have you updated all instances of LiteSpeed Cache to version 6.5.2 or later to mitigate the risk of CVE-2024-50550?
2. Can you confirm if you have deactivated the Crawler feature in LiteSpeed Cache to limit potential exploit vectors related to the privilege escalation vulnerability?
3. Are you regularly monitoring server logs and website activity, specifically for unusual behavior around plugin installation and activation, to detect potential exploitation of the CVE-2024-50550 vulnerability?
4. Have you enabled virtual patching through security platforms like Patchstack until the LiteSpeed Cache plugin is updated to address the CVE-2024-50550 vulnerability?

Remediation Recommendations for Vendors Subject to CVE-2024-50550

Vendors should adopt the following remediation strategies to address CVE-2024-50550 effectively:

• Upgrade the LiteSpeed Cache Plugin: Immediately update to LiteSpeed Cache version 6.5.2 or newer to patch the identified vulnerability.
• Implement Virtual Patching: Utilize security platforms like Patchstack to apply virtual patches until the plugin update is completed.
• Restrict Access: Limit access to site settings and other sensitive areas to minimize potential exploitation vectors.
• Monitor Activity: Regularly review server logs and website activities for any signs of unusual behavior, particularly related to plugin installations and activations.
• Optimize Plugin Usage: Ensure that only essential plugins are active and disable the Crawler feature if it is not required for your operations.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-50550

Black Kite’s FocusTag™ for CVE-2024-50550 was published on November 1, 2024, providing TPRM professionals with precise intelligence to identify vendors at risk. By utilizing Black Kite’s platform, organizations can efficiently filter and focus on vendors that specifically use the vulnerable LiteSpeed Cache plugin, thereby streamlining their risk assessment processes. Additionally, Black Kite offers detailed asset information, including affected IP addresses and subdomains, enabling targeted remediation efforts and reducing the overhead associated with broad-based vendor questionnaires.

CVE-2024-47939: RICOH Web Image Monitor Buffer Overflow Vulnerability

What is the RICOH Web Image Monitor Buffer Overflow Vulnerability (CVE-2024-47939)?

CVE-2024-47939 is a critical stack-based buffer overflow vulnerability identified in Ricoh’s Web Image Monitor, a component utilized in numerous Ricoh laser printers and Multi-Function Printers (MFPs). With a CVSS score of 9.8 and an EPSS score of 0.05%, this vulnerability allows attackers to execute arbitrary code remotely or cause a denial of service (DoS) by sending specially crafted HTTP requests to affected devices. Discovered and published on November 4, 2024, the flaw arises from improper handling of HTTP requests within the Web Image Monitor, enabling malicious actors to manipulate device settings, install malware, or disrupt printing services. Currently, there is no PoC exploit available, and the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. However, the potential for exploitation remains high given the nature of the vulnerability.

Affected Products: Ricoh’s security advisory lists specific MFP and printer models. MP 501SPF, MP 601SPF, IM 550F, IM 600F, IM 600SRF, SP 5300DN, SP 5310DN, P 800, P 801, IM 2702, MP C8003, MP C6503, IM C6500, IM C8000, IM 350F, IM 350, IM 430F, IM 430Fb, P 501, P 502, IM 2500, IM 3000, IM 3500, IM 4000, IM 5000, IM 6000, MP 2555, MP 3055, MP 3555, MP 4055, MP 5055, MP 6055, SP 8400DN, SP 6430DN, IM C530F, IM C530FB, MP 402SPF, IM C400F, IM C400SRF, IM C300F, IM C300, P C600, Aficio MP 2001, Aficio MP 2501, MP 6503, MP 7503, MP 9003, IM 7000, IM 8000, IM 9000, MP C3003, MP C3503, MP C4503, MP C5503, MP C6003, MP C2003, MP C2503, MP C3004ex, MP C3504ex, MP C2004ex, MP C2504ex, MP C4504ex, MP C5504ex, MP C6004ex, MP C3004, MP C3504, MP C2004, MP C2504, MP C4504, MP C5504, MP C6004, IM C3000, IM C3500, IM C2000, IM C2500, IM C4500, IM C5500, IM C6000, SP C842DN, SP C340DN, SP C342DN, MP C501SP, IM CW2200, IP CW2200, Aficio MP 301, SP C360SNw, SP C360SFNw, SP C361SFNw, SP C352DN, SP C360DNw, SP C435DN, SP C440DN, MP C3003, MP C3503, MP C4503, MP C5503, MP C6003, MP C2003, MP C2503, MP C6502, MP 2554, MP 3054, MP 3554, MP 4054, MP 5054, MP 6054, MP C306, MP C406, Pro 8300S, Pro 8310S, Pro 8320S, Pro 8310, Pro 8320, Pro C5200S, Pro C5210S, Pro C5300S, Pro C5310S, Pro C5300SL, Pro C7200S, Pro C7210S, Pro C7200SX, Pro C7210SX, Pro C7200SL, Pro C7200, Pro C7210, Pro C7200X, Pro C7210X, Pro C7200e, Pro C9100, Pro 9110, Pro C7100S, Pro C7110S, Pro C7100SX, Pro C7110SX, Pro C7100, Pro C7110, Pro C7100X, Pro C7110X, Pro C9200, Pro C9210.

Why Should TPRM Professionals Care About CVE-2024-47939?

From a Third-Party Risk Management (TPRM) perspective, CVE-2024-47939 poses significant threats to organizations that rely on Ricoh printers and MFPs within their operational infrastructure. Exploitation of this vulnerability can lead to unauthorized access to sensitive documents, disruption of essential printing services, and potential pivot points for broader network compromises. Given the extensive range of affected Ricoh devices, organizations must assess the impact on their vendor ecosystems to mitigate risks associated with data breaches, operational downtime, and compromised network integrity.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-47939?

To effectively evaluate the risk associated with CVE-2024-47939, TPRM professionals should engage vendors with the following targeted questions:

1. Have you updated the firmware for all affected Ricoh printers and MFPs as advised by Ricoh to mitigate the vulnerability of CVE-2024-47939?
2. Have you implemented strong network segmentation and isolated printing devices from other critical network segments to reduce the impact of a potential compromise due to CVE-2024-47939?
3. Are you monitoring network traffic to identify any unusual behavior from Ricoh devices that could indicate an exploitation of the buffer overflow vulnerability CVE-2024-47939?
4. Have you configured firewall rules to block unauthorized IPs from accessing the device and limited access to the Web Image Monitor to trusted networks only to prevent potential exploitation of CVE-2024-47939?

Remediation Recommendations for Vendors Subject to CVE-2024-47939

Vendors should adopt the following remediation strategies to effectively address CVE-2024-47939:

• Update the firmware for all affected Ricoh printers and MFPs as advised by Ricoh to mitigate the vulnerability.
• Limit access to the Web Image Monitor to trusted networks only. Configure firewall rules to block unauthorized IPs from accessing the device.
• Monitor network traffic to identify any unusual behavior from Ricoh devices. Enable logging features where possible to track access and detect potential intrusions.
• Implement Strong Network Segmentation. Isolate printing devices from other critical network segments to reduce the impact of a potential compromise.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-47939

Black Kite’s FocusTag™ for CVE-2024-47939 was published on November 4, 2024, equipping TPRM professionals with actionable intelligence to identify and assess vendors utilizing vulnerable Ricoh printers and MFPs. By leveraging Black Kite’s platform, organizations can precisely filter and target vendors that operate affected Ricoh devices, thereby streamlining their risk assessment and mitigation processes. Additionally, Black Kite provides detailed asset information, including specific IP addresses and subdomains associated with the vulnerable systems, enabling targeted remediation efforts and minimizing the resources spent on broad-based vendor evaluations.

CVE-2024-45802: Squid Proxy DoS Vulnerability

What is the Squid Proxy Denial-of-Service Vulnerability (CVE-2024-45802)?

CVE-2024-45802 is a high-severity Denial-of-Service (DoS) vulnerability identified in the Squid caching proxy server when the Edge Side Includes (ESI) feature is enabled. With a CVSS score of 7.5 and an EPSS score of 0.12%, this vulnerability allows trusted servers to disrupt services by exploiting flaws in input validation, premature release of resources, and missing release of resources. Disclosed on October 30, 2024, the vulnerability affects Squid versions 3.0 through 6.9 configured with ESI, as well as Squid 6.10 and newer if ESI is manually re-enabled. There is currently no proof-of-concept (PoC) exploit available, and the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Additionally, there are no indications of active exploitation campaigns or specific threat actors targeting this vulnerability.

Why Should TPRM Professionals Care About CVE-2024-45802?

From a Third-Party Risk Management (TPRM) standpoint, CVE-2024-45802 poses substantial risks to organizations that utilize Squid Proxy servers within their infrastructure. Exploitation of this vulnerability can lead to significant service disruptions, affecting all clients reliant on the Squid proxy. In environments where Squid is deployed as a reverse proxy, such disruptions can impede critical business operations, compromise the availability of web services, and potentially serve as a pivot point for further network attacks. Given the widespread use of Squid in various network architectures, TPRM professionals must evaluate the potential impact on their vendor networks to ensure continuity and maintain robust security postures.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-45802?

To thoroughly assess the risk associated with CVE-2024-45802, TPRM professionals should pose the following specific inquiries to their vendors:

1. Can you confirm if you have updated all instances of Squid Proxy Server to version 6.10 or later, ensuring that the Edge Side Includes (ESI) feature is disabled by default, to mitigate the risk of CVE-2024-45802?
2. Have you run the command ‘squid -v’ to verify the build parameters and confirm that ESI is disabled in your Squid Proxy Server configuration? If ‘–enable-esi’ appears, have you rebuilt Squid with ‘–disable-esi’?
3. Have you restricted proxy server access to trusted networks only to reduce exposure to potential exploitation sources, as recommended in the advisory for CVE-2024-45802?
4. Are you monitoring network traffic for unusual or sustained requests, which may indicate attempted exploitation of the DoS vulnerability in Squid Proxy Server?

Remediation Recommendations for Vendors Subject to CVE-2024-45802

Vendors should implement the following remediation measures to effectively mitigate the risks posed by CVE-2024-45802:

• Upgrade Squid Proxy: Immediately update all Squid Proxy servers to version 6.10 or newer, ensuring that the ESI feature is disabled by default to eliminate the vulnerability.
• Verify Configuration: Execute squid -v to confirm that the –disable-esi flag is present in your Squid Proxy build parameters. If the –enable-esi option is enabled, rebuild Squid with the –disable-esi configuration.
• Implement Network Monitoring: Continuously monitor network traffic for any unusual or sustained request patterns that may suggest attempts to exploit the DoS vulnerability.
• Restrict Access: Limit access to Squid Proxy servers by configuring firewall rules to allow connections only from trusted networks and authorized IP addresses.
• Temporary Mitigation: For environments where immediate upgrading is not feasible, rebuild Squid Proxy with the –disable-esi flag as a temporary measure to prevent exploitation.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-45802

Black Kite’s FocusTag™ for CVE-2024-45802 was published on October 30, 2024, providing TPRM professionals with precise intelligence to identify vendors utilizing vulnerable Squid Proxy servers. By leveraging Black Kite’s platform, organizations can efficiently filter and concentrate on vendors that operate affected Squid Proxy versions, streamlining their risk assessment and mitigation processes. Additionally, Black Kite offers detailed asset information, including specific IP addresses and subdomains associated with the vulnerable systems, enabling targeted remediation efforts and reducing the resources required for broad-based vendor evaluations.

CVE-2024-46483: Xlight FTP Critical Vulnerability

What is the Xlight FTP Remote Code Execution Vulnerability (CVE-2024-46483)?

CVE-2024-46483 is a critical heap overflow vulnerability identified in Xlight SFTP Server, a widely-used FTP and SFTP solution for Windows. With a CVSS score of 9.8, this vulnerability allows unauthenticated attackers to execute remote code or initiate denial-of-service (DoS) attacks. Disclosed on October 31, 2024, the flaw originates from inadequate validation in the SFTP protocol’s packet parsing, specifically in handling client-sent strings. By manipulating a four-byte string length prefix, attackers can craft malicious packets that trigger out-of-bounds memory operations, potentially leading to complete system compromise. While PoC exploit code is publicly available on GitHub, the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and there are no current reports of active exploitation by threat actors.

Why Should TPRM Professionals Care About CVE-2024-46483?

From a Third-Party Risk Management (TPRM) perspective, CVE-2024-46483 poses significant threats to organizations utilizing Xlight SFTP Server for secure file transfers. Exploitation of this vulnerability can result in unauthorized system access, allowing attackers to execute arbitrary commands, install malware, or disrupt critical services through DoS attacks. Given the widespread deployment of Xlight SFTP Server in various industries, including finance, healthcare, and technology, the potential impact on vendor ecosystems is substantial. TPRM professionals must assess the presence of vulnerable Xlight instances within their supply chains to prevent cascading security breaches and ensure the integrity of sensitive data exchanges.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-46483?

To effectively evaluate the risk associated with CVE-2024-46483, TPRM professionals should engage vendors with the following targeted questions:

1. Have you updated all instances of Xlight SFTP Server to the latest version that patches CVE-2024-46483, specifically versions 3.9.4.2 and earlier?
2. Can you confirm if you have implemented firewall rules to restrict access to the SFTP server and are actively monitoring for unexpected traffic as recommended?
3. Are you limiting network access to the SFTP server to trusted IPs only as a measure to mitigate the risk of CVE-2024-46483?
4. Given the public availability of PoC exploit code for CVE-2024-46483 on GitHub, what specific measures have you taken to monitor and detect potential exploitation attempts on your Xlight SFTP Server?

Remediation Recommendations for Vendors Subject to CVE-2024-46483

Vendors should implement the following remediation measures to effectively mitigate the risks posed by CVE-2024-46483:

• Update Xlight SFTP Server: Immediately upgrade to the latest version of Xlight SFTP Server, which patches CVE-2024-46483, to eliminate the vulnerability.
• Restrict Network Access: Limit access to the SFTP server by configuring firewall rules to allow connections only from trusted IP addresses, thereby reducing exposure to potential attackers.
• Monitor Network Traffic: Continuously monitor network traffic for any abnormal patterns or sustained requests that may indicate attempted exploitation of the vulnerability.
• Implement Strong Authentication: Enhance security by enforcing robust authentication mechanisms, such as multi-factor authentication (MFA), to prevent unauthorized access.
• Regular Security Audits: Conduct regular security assessments and vulnerability scans to ensure that all systems are up-to-date and free from exploitable vulnerabilities.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-46483

Black Kite’s FocusTag™ for CVE-2024-46483 was published on October 31, 2024, providing TPRM professionals with actionable intelligence to identify vendors utilizing vulnerable Xlight SFTP Server instances. By leveraging Black Kite’s platform, organizations can efficiently filter and target vendors that operate affected Xlight versions, streamlining their risk assessment and mitigation processes. Additionally, Black Kite offers comprehensive asset information, including specific IP addresses and subdomains associated with the vulnerable systems, enabling targeted remediation efforts and minimizing the resources required for broad-based vendor evaluations.

Elevating TPRM Strategies with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are instrumental in enhancing Third-Party Risk Management (TPRM) approaches, particularly when addressing vulnerabilities in widely-deployed systems like LiteSpeed Cache, RICOH Web Image Monitor, Squid Proxy, and Xlight FTP. These tags provide:

• Real-Time Vulnerability Tracking: Instantly identifying vendors affected by the latest vulnerabilities enables rapid and strategic responses.
• Risk Prioritization: By evaluating both the criticality of vendors and the severity of vulnerabilities, FocusTags™ assists in allocating resources more effectively.
• Informed Vendor Engagement: Facilitate targeted discussions with vendors, focusing on their specific security postures in relation to the identified vulnerabilities.
• Comprehensive Security Overview: With a broad view of the threat landscape, these tags aid in enhancing overall cybersecurity strategies.

Black Kite’s FocusTags™, tailored to the complexities of vulnerabilities in diverse systems, offer a streamlined, intelligent approach to TPRM. By converting intricate cyber threat data into actionable intelligence, these tags are critical for managing risks efficiently and proactively in an environment where cyber threats are constantly evolving.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• LiteSpeed Cache: CVE-2024-50550, Privilege Escalation Vulnerability iin LiteSpeed Cache plugin.
• RICOH Web Image Monitor: CVE-2024-47939, Buffer Overflow Vulnerability in RICOH Web Image Monitor.
• Squid Proxy: CVE-2024-45802, DoS Vulnerability in Squid Proxy Servers.
• XLight FTP: CVE-2024-46483, Integer Overflow and RCE Vulnerabilities in XLight FTP Servers.
• Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.
• FortiManager: CVE-2024-47575, Missing Authentication Vulnerability in FortiManager.
• Grafana: CVE-2024-9264, Remote Code Execution Vulnerability  in Grafana.
• Roundcube Webmail: CVE-2024-37383, Cross-Site Scripting (XSS) Vulnerability in Roundcube Webmail.
• Cisco FMC: CVE-2024-20424, Command Injection Vulnerability in Cisco Secure Firewall Management Center.
• Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
• GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
• pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
• Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
• Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-50550

https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-5-1-privilege-escalation-vulnerability?_s_id=cve

https://securityonline.info/over-6-million-sites-at-risk-severe-privilege-escalation-flaw-cve-2024-50550-in-litespeed-cache-plugin

https://nvd.nist.gov/vuln/detail/CVE-2024-47939

https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2024-000011

https://nvd.nist.gov/vuln/detail/CVE-2024-45802

https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj

https://nvd.nist.gov/vuln/detail/CVE-2024-46483

https://github.com/kn32/cve-2024-46483

https://www.xlightftpd.com/whatsnew.htm

The post FOCUS FRIDAY: TPRM INSIGHTS ON LITESPEED CACHE, RICOH WEB IMAGE MONITOR, SQUID PROXY, AND XLIGHT FTP VULNERABILITIES WITH BLACK KITE’S FOCUSTAGS™ appeared first on Black Kite.

Written by: Ferdi Gül

Welcome to this week’s edition of Focus Friday, where we explore high-profile cybersecurity incidents and vulnerabilities through the lens of Third-Party Risk Management (TPRM). In today’s rapidly evolving threat landscape, critical vulnerabilities pose a significant risk to organizations relying on third-party software and services. This week, we dive into several crucial vulnerabilities, including those affecting Exchange Server, FortiManager, Grafana, Roundcube Webmail, and Cisco FMC each with potentially severe impacts on businesses. By leveraging Black Kite’s FocusTags™, TPRM professionals can gain key insights and stay ahead of these evolving threats.

Critical Microsoft Exchange Server RCE Vulnerabilities

What are the Microsoft Exchange Server RCE Vulnerabilities?

The vulnerabilities impacting Microsoft Exchange Server, particularly CVE-2021-26855, are critical Remote Code Execution (RCE) issues. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send arbitrary HTTP requests and execute code on the target Exchange Server. Other vulnerabilities like CVE-2021-27065, CVE-2021-26858, and CVE-2021-26857 enable the attacker to install malicious programs and exfiltrate data. These vulnerabilities have a high EPSS score, with CVE-2021-26855 scoring 97.5%, indicating a significant likelihood of exploitation in the wild.

First discovered in early 2021, these vulnerabilities were rapidly exploited by various threat actors, including the Chinese-based group Salt Typhoon, targeting critical infrastructure. Exploits have allowed attackers to plant backdoors, steal sensitive data, and compromise systems. Microsoft and several security agencies, including CISA, have released advisories and urged immediate patching. CVE-2021-34473 and CVE-2021-31196 were added to CISA’s KEV catalog on August 21, 2024. 

The vulnerability was reported in the Wall Street Journal (WSJ) on October 11, 2024, and the details were later shared on the Chertoff Group website on October 18, 2024. Among the four CVEs we discussed (CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857), we included these in the FocusTag scope, which was tagged earlier this week by Black Kite’s Research & Intelligence Team (BRITE). Clients tagged under this FocusTag, who had previously taken precautions against CVE-2021-31196 and CVE-2021-34473, were protected from these four vulnerabilities as well. In addition to the above-mentioned group of four CVEs that were discussed in recent blogs, it is crucial for security personnel in organizations to remain vigilant regarding CVE-2021-31196 and CVE-2021-34473. We had previously mentioned CVE-2021-31196 and CVE-2021-34473 vulnerabilities in our August 23, 2024 Focus Friday post.

Why Should TPRM Professionals Be Concerned?

From a third-party risk management perspective, these vulnerabilities pose significant risks to organizations that rely on Microsoft Exchange Server for communication and operational functions. A successful attack on Exchange Servers can lead to full system compromise, allowing attackers to access sensitive emails, contacts, and other communications. Additionally, the compromised server can be leveraged for further attacks, potentially spreading malware or stealing additional data from third-party vendors. Given the widespread use of Exchange Servers in enterprise environments, the ripple effects of such a breach can be substantial, especially when considering the possibility of fraudulent emails being sent from compromised accounts.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

1. Have you applied the latest security updates to all affected versions of Exchange Server (2019 CU1 to CU8, 2016 CU8 to CU19, 2013 CU22, CU23, SP1, and 2010 SP3) to mitigate the risk of CVE-2021-31196, CVE-2021-34473, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, and CVE-2021-26857?
2. 2. Can you confirm if you have implemented strong security practices, including limiting access to the server, enabling multi-factor authentication, and regularly auditing access logs, to prevent potential exploitation of the Remote Code Execution (RCE) vulnerabilities in Microsoft Exchange Server?
3. 3. Are you actively monitoring network traffic to and from Exchange Server for any unusual activity that may indicate exploitation attempts related to CVE-2021-31196, CVE-2021-34473, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, and CVE-2021-26857?
4. 4. Given the critical nature of Exchange Server, have you undertaken proactive threat hunting to identify potential indicators of compromise related to the aforementioned CVEs?

Remediation Recommendations for Vendors

• Apply the Latest Security Updates. Microsoft has released security updates to address this vulnerability. Ensure that all affected Exchange Server installations are updated to the latest cumulative updates as listed above.
• Organizations are advised to prioritize patch management, strengthen authentication measures, and collaborate with ISPs to mitigate these evolving risks.
• Implement Strong Security Practices. Ensure that Exchange Server is properly configured with strong security settings, including limiting access to the server, enabling multi-factor authentication, and regularly auditing access logs.
• Consider Proactive Threat Hunting. Given the critical nature of Exchange Server, proactive threat hunting to identify potential indicators of compromise may be warranted.
• Monitor Network Traffic. Regularly monitor network traffic to and from Exchange Server for any unusual activity that may indicate exploitation attempts.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite provides a streamlined approach for identifying vendors at risk of these vulnerabilities. The Exchange Server RCE FocusTag enables TPRM professionals to pinpoint vendors who have vulnerable Microsoft Exchange Servers in their environment. Black Kite helps operationalize this information by providing detailed asset intelligence, including IP addresses and subdomains, linked to the vendors. With this level of insight, TPRM teams can prioritize outreach and remediation efforts, ensuring that only vendors with exposure to these vulnerabilities are addressed. Black Kite first published this tag in August 2024 and most recently updated it on October 23, 2024, with new threat intelligence related to Chinese state-sponsored threat actors.

FortiManager: CVE-2024-47575 Missing Authentication Vulnerability

What is the FortiManager CVE-2024-47575 Vulnerability?

CVE-2024-47575 is a critical missing authentication vulnerability that affects FortiManager, a system used to manage Fortinet’s network security devices. This vulnerability, assigned a CVSS score of 9.8 and an EPSS score of 0.04%, was first identified in the wild on June 27, 2024. It allows unauthenticated attackers to execute arbitrary code or commands by exploiting the FortiManager fgfmd daemon via specially crafted requests. Both on-premise and cloud versions of FortiManager are impacted, making this vulnerability a significant threat. On October 23, 2024, this vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability is actively exploited by the UNC5820 threat group, which has used it to steal configuration files, IP addresses, and credentials from FortiGate devices managed by FortiManager systems. This flaw poses a severe risk to organizations using FortiManager as it allows attackers to automate the exfiltration of sensitive information and potentially compromise their entire security infrastructure.

Why Should TPRM Professionals Be Concerned About the FortiManager Vulnerability?

Third-Party Risk Management (TPRM) professionals should be concerned because FortiManager is a critical tool for managing and securing network infrastructure. If compromised, attackers can gain access to sensitive configuration files and credentials for FortiGate devices, potentially leading to wider network breaches and unauthorized control of key network devices. The exposure of configuration details can lead to attackers disabling security defenses or manipulating device settings to bypass security measures. Additionally, the exploitation of this vulnerability could facilitate future attacks by providing attackers with the necessary information to escalate privileges or conduct lateral movements within the network.

As FortiManager is widely used by organizations to manage network security, the impact of this vulnerability could be devastating, particularly if sensitive information is exfiltrated and used to compromise other critical systems.

What Questions Should TPRM Professionals Ask Vendors About the FortiManager Vulnerability?

When assessing vendor exposure to CVE-2024-47575, TPRM professionals should ask:

1. Has the vendor applied the latest firmware updates that address CVE-2024-47575?
2. Are unregistered devices being blocked from connecting to the FortiManager system using the fgfm-deny-unknown configuration?
3. Have all FortiGate device credentials been updated following the discovery of this vulnerability?
4. Is the vendor actively monitoring FortiManager event logs for any suspicious activities, especially from unregistered devices like “localhost”?

Remediation Recommendations for Vendors subject to this risk

To mitigate the risks associated with CVE-2024-47575, vendors should:

• Apply firmware updates immediately. Ensure all FortiManager installations are updated to the latest secure versions (7.6.1, 7.4.5, 7.2.8, 7.0.13, 6.4.15, or above).
• Restrict device registrations by enabling fgfm-deny-unknown, which prevents unregistered devices from attempting to connect to FortiManager.
• Implement IP restrictions to limit access only to trusted FortiGate devices through the config system local-in-policy.
• Review FortiManager logs regularly for indicators of compromise (IoCs), including connections from unregistered devices or malicious IP addresses.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite published the FocusTag™ on October 23, 2024, identifying CVE-2024-47575 as a significant threat due to its active exploitation in the wild. TPRM professionals can operationalize this tag by using Black Kite’s insights to determine which of their vendors may be exposed to this vulnerability. Black Kite provides asset information such as IP addresses and subdomains that may be at risk, allowing organizations to pinpoint which vendors may need to implement remediation steps. This vulnerability was last updated in the tag with information about ongoing threat activity by the UNC5820 group, ensuring TPRM professionals stay informed as new details emerge.

CVE-2024-9264 and Grafana RCE Vulnerability

What is the Grafana RCE Vulnerability?

CVE-2024-9264 is a critical Remote Code Execution (RCE) vulnerability affecting Grafana, a popular open-source platform used for monitoring and observability. This vulnerability has a CVSS score of 9.9, making it extremely severe, indicating lower immediate exploitation potential. First disclosed in October 2024, this vulnerability is linked to an experimental feature, SQL Expressions, which was enabled by default due to improper implementation of feature flags. Attackers can inject system commands through improperly sanitized SQL queries, which could lead to full system compromise if exploited successfully.

While the vulnerability has not yet been observed in widespread exploitation, the presence of the PoC raises concerns about the likelihood of future attacks. The exploitation depends on whether the DuckDB binary is present on the Grafana server. If DuckDB is manually installed, attackers could read sensitive files like “/etc/passwd” or retrieve environment variables, making the impact devastating. As of now, this vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned?

From a TPRM perspective, CVE-2024-9264 presents serious risks to organizations using Grafana. Since Grafana is commonly deployed to monitor critical infrastructure, any compromise could lead to the exposure of sensitive data, such as operational logs or system configurations. Moreover, if an attacker gains control of the Grafana instance, they can potentially pivot to other parts of the network, launching further attacks. Given that any user with Viewer permissions can exploit this vulnerability, organizations using Grafana may unknowingly expose themselves to insider threats or unauthorized access by users with minimal privileges.

What Questions Should TPRM Professionals Ask Vendors About the Grafana RCE Vulnerability?

1. Have you upgraded your Grafana instances to one of the patched versions (v11.0.5+security-01, v11.1.6+security-01, v11.2.1+security-01, v11.0.6+security-01, v11.1.7+security-01, v11.2.2+security-01) to mitigate the risk of CVE-2024-9264?
2. Can you confirm if the DuckDB binary has been removed from the system’s PATH or uninstalled entirely to prevent exploitation of the CVE-2024-9264 vulnerability?
3. Have you implemented measures to regularly review system logs for suspicious activity, specifically related to potential exploitation of the SQL Expressions feature in Grafana?
4. Can you confirm if you have implemented proper access controls for users with Viewer permissions or higher to prevent unauthorized exploitation of the SQL Expressions feature in Grafana?

Remediation Recommendations for Vendors

• Immediately upgrade Grafana to a patched version, such as v11.0.5+security-01, v11.1.6+security-01, or the latest v11.2.2+security-01, to prevent exploitation.
• If a patch cannot be applied right away, remove or uninstall the DuckDB binary from the system to mitigate the risk.
• Regularly audit system logs and monitor access control for any unusual activity involving Grafana users with Viewer permissions or higher.
• Follow Grafana Labs’ security announcements for any additional updates or mitigations related to this vulnerability.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite helps TPRM professionals determine which vendors are vulnerable to this critical Grafana RCE vulnerability. The FocusTag™ for Grafana enables users to identify vendors who are potentially exposed by flagging related assets, including IP addresses and subdomains. With this actionable intelligence, TPRM teams can prioritize communications with affected vendors, ensuring timely remediation efforts. This tag was published by Black Kite in October 18, 2024, and ongoing updates are provided as new information becomes available.

CVE-2024-37383 and Roundcube Webmail XSS Vulnerability

What is the Roundcube Webmail XSS Vulnerability?

CVE-2024-37383 is a medium-severity Cross-Site Scripting (XSS) vulnerability impacting Roundcube Webmail. This vulnerability, with a CVSS score of 6.1 and an EPSS score of 0.05%, allows attackers to inject and execute arbitrary JavaScript code within the victim’s web browser. Discovered in October 2024, the flaw was exploited by unknown threat actors to steal user credentials by embedding malicious SVG animate attributes in emails. Once the victim opened the email, the embedded script exfiltrated login credentials to an external server. It’s currently not clear who is behind the exploitation activity, although prior flaws discovered in Roundcube have been abused by multiple hacking groups such as APT28, Winter Vivern, and TAG-70. After we tagged it, it was published in CISA’s Known Exploited Vulnerabilities (KEV) catalog on October 24, 2024.

Why Should TPRM Professionals Be Concerned?

From a TPRM perspective, this XSS vulnerability in Roundcube Webmail poses a significant risk to organizations that rely on this platform for email services. Exploitation of this vulnerability can lead to credential theft, allowing attackers to gain unauthorized access to sensitive accounts, potentially compromising email communications and exposing confidential information. Furthermore, the ability to execute malicious code via emails makes it a potent vector for phishing attacks, putting both vendors and their partners at risk. Email remains a critical component of most business operations, and any breach in this system can have far-reaching consequences, including reputational damage and regulatory scrutiny.

What Questions Should TPRM Professionals Ask Vendors About the Roundcube Webmail XSS Vulnerability?

1. Have you updated your Roundcube Webmail instances to the patched versions (1.5.7 or 1.6.7) that address CVE-2024-37383?
2. What measures have you implemented to detect and mitigate phishing attacks targeting email clients like Roundcube?
3. Can you confirm if you have implemented email filtering tools to block malicious attachments and scripts within emails as recommended in the advisory?
4. Have you enabled multi-factor authentication (MFA) on all critical systems to mitigate credential theft risks associated with this vulnerability?
5. Have you reviewed your email logs for any suspicious login activities or interactions with known malicious domains, such as ‘libcdn[.]org’?

Remediation Recommendations for Vendors

• Upgrade Roundcube Webmail to versions 1.5.7 or 1.6.7 to patch the XSS vulnerability and mitigate the risk of credential theft.
• Educate employees on how to identify and avoid phishing emails, with an emphasis on recognizing suspicious attachments or links.
• Implement multi-factor authentication (MFA) across all critical systems to reduce the likelihood of unauthorized access through stolen credentials.
• Conduct a thorough audit of Roundcube logs for any indicators of compromise (IoCs) related to this vulnerability or phishing attacks.
• Use email filtering tools to block potentially malicious content, such as scripts or SVG files, embedded within emails.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite’s FocusTag™ for Roundcube Webmail enables TPRM professionals to identify vendors using vulnerable versions of Roundcube. By providing detailed asset information, including IP addresses and subdomains associated with vendors, Black Kite allows TPRM teams to target remediation efforts where they are most needed. This FocusTag was published on October 24, 2024, and ongoing updates are available to ensure that TPRM professionals stay informed about the latest exploitation trends and mitigations related to this vulnerability.

CVE-2024-20424 and Cisco FMC Command Injection Vulnerability

What is the Cisco FMC Command Injection Vulnerability?

CVE-2024-20424 is a critical command injection vulnerability in Cisco Secure Firewall Management Center (FMC) Software, with a CVSS score of 9.9. This vulnerability arises from insufficient input validation in the web-based management interface of the software. Exploiting this flaw allows authenticated remote attackers to execute arbitrary commands with root privileges, potentially compromising the entire system. The vulnerability was first disclosed in October 2024, and although no active exploitation has been reported yet, the critical nature of this flaw makes it a priority for patching.

Attackers could exploit this vulnerability using credentials from a low-privileged account, such as a Security Analyst (Read Only), to escalate privileges and run high-level commands. This could result in unauthorized modifications, malware installation, or disabling critical security defenses. While there is no PoC available yet, the risk posed by this vulnerability is significant, particularly for organizations heavily relying on Cisco FMC software for managing their firewalls.

Why Should TPRM Professionals Be Concerned?

For third-party risk management (TPRM) professionals, this vulnerability presents a significant risk to organizations using Cisco FMC software. Compromising this system would allow attackers to control network security policies, firewall settings, and other critical functions, leading to potential unauthorized access across the network. Cisco FMC is often used to manage firewalls, and any disruption or control takeover could result in network breaches, exposure of sensitive data, and operational disruption. The criticality of CVE-2024-20424 makes it essential for TPRM professionals to ensure that their vendors and partners using Cisco FMC have properly mitigated this vulnerability.

What Questions Should TPRM Professionals Ask Vendors About the Cisco FMC Command Injection Vulnerability?

• Have you applied Cisco’s latest software updates that address CVE-2024-20424 and CVE-2024-20379 in Cisco FMC?
• Can you confirm if you have restricted access to the web-based management interface of Cisco FMC Software to trusted users only, as a measure to prevent potential exploitation of CVE-2024-20424 and CVE-2024-20379?
• Have you implemented multi-factor authentication (MFA) for user accounts, especially for low-level user accounts such as Security Analyst (Read Only), to prevent privilege escalation and execution of highly privileged commands as a result of CVE-2024-20424?
• Are you monitoring network activity for unusual behavior indicative of potential exploitation of the command injection vulnerability (CVE-2024-20424) and the improper input validation vulnerability (CVE-2024-20379) in Cisco FMC Software?

Remediation Recommendations for Vendors

• Immediately apply the latest software patches released by Cisco to address CVE-2024-20424 and CVE-2024-20379.
• Implement multi-factor authentication (MFA) for all users accessing Cisco FMC to mitigate unauthorized access risks.
• Restrict access to the Cisco FMC web-based management interface to trusted IP addresses and users only.
• Regularly monitor network traffic and logs for any suspicious activity or indicators of compromise.
• Follow Cisco’s official advisory for further instructions and guidance on securing Cisco FMC software.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite’s FocusTag™ for Cisco FMC provides a comprehensive view of which vendors are potentially exposed to these vulnerabilities. This tag allows TPRM professionals to pinpoint which of their third-party vendors or partners are using vulnerable Cisco FMC versions. By leveraging Black Kite’s asset intelligence, such as associated IP addresses and subdomains, TPRM teams can focus their remediation efforts on the vendors that pose the highest risk. Black Kite published this FocusTag on October 24, 2024, and it will be updated as new details or patches are released by Cisco.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are vital tools for enhancing Third-Party Risk Management strategies, offering targeted insights that help organizations mitigate risks more efficiently. These tags, especially when dealing with vulnerabilities in Exchange Server, FortiManager, Grafana, Roundcube Webmail, and Cisco FMC, provide:

• Real-Time Risk Identification: Immediate recognition of vendors impacted by critical vulnerabilities, facilitating prompt and decisive action.
• Risk Prioritization: By assessing vendor importance and vulnerability severity, TPRM professionals can focus on the most critical issues first, ensuring resources are used effectively.
• Informed Vendor Engagement: Black Kite’s FocusTags™ empower organizations to hold informed, meaningful conversations with vendors about their security posture and remediation efforts, specifically addressing exposure to identified vulnerabilities.
• Strengthened Cybersecurity Posture: These tags offer a comprehensive overview of the threat landscape, enabling organizations to enhance their overall cybersecurity strategies, improving their resilience against future threats.

By transforming complex threat data into actionable intelligence, Black Kite’s FocusTags™ streamline the risk management process, enabling TPRM professionals to respond swiftly to emerging vulnerabilities and ensure the safety of their third-party ecosystem.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.
• FortiManager: CVE-2024-47575, Missing Authentication Vulnerability in FortiManager.
• Grafana: CVE-2024-9264, Remote Code Execution Vulnerability  in Grafana.
• Roundcube Webmail: CVE-2024-37383, Cross-Site Scripting (XSS) Vulnerability in Roundcube Webmail.
• Cisco FMC: CVE-2024-20424, Command Injection Vulnerability in Cisco Secure Firewall Management Center.
• Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
• GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
• pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
• Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
• Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.
• PAN-OS Cleartext: CVE-2024-8687, Cleartext Exposure Security Flaw in PAN-OS, GlobalProtect, Prisma Access.
• FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow.
• WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin
• SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls

References

https://www.wsj.com/politics/national-security/u-s-officials-race-to-understand-severity-of-chinas-salt-typhoon-hacks-6e7c3951

https://chertoffgroup.com/china-based-cyber-attacks-highlight-us-tech-vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2021-26855

https://nvd.nist.gov/vuln/detail/CVE-2021-27065

https://nvd.nist.gov/vuln/detail/CVE-2021-26858

https://nvd.nist.gov/vuln/detail/CVE-2021-26857

https://blackkite.com/blog/focus-friday-tprm-insights-into-critical-vulnerabilities-in-microsoft-windows-solarwinds-whd-zimbra-and-exchange-server

https://nvd.nist.gov/vuln/detail/CVE-2024-47575

https://fortiguard.fortinet.com/psirt/FG-IR-24-423

https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks

https://nvd.nist.gov/vuln/detail/CVE-2024-9264

https://github.com/nollium/CVE-2024-9264/tree/main

https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264

https://grafana.com/security/security-advisories/cve-2024-9264

https://github.com/advisories/GHSA-q99m-qcv4-fpm7

https://nvd.nist.gov/vuln/detail/CVE-2024-37383

https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html

https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

https://nvd.nist.gov/vuln/detail/CVE-2024-20424

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-v3AWDqN7

https://securityonline.info/cve-2024-20424-cvss-9-9-cisco-fmc-software-vulnerability-grants-attackers-root-access

The post FOCUS FRIDAY: ADDRESSING EXCHANGE SERVER RCE, FORTIMANAGER, GRAFANA, ROUNDCUBE WEBMAIL, AND CISCO FMC VULNERABILITIES FROM A TPRM PERSPECTIVE appeared first on Black Kite.

Written By: Ferdi Gül

This week’s Focus Friday blog highlights two critical vulnerabilities that pose significant risks to third-party ecosystems—CVE-2024-21216 affecting Oracle WebLogic Server and CVE-2024-9487 impacting GitHub Enterprise. These vulnerabilities, involving remote code execution and authentication bypass, respectively, threaten not only the organizations directly utilizing these products but also their entire supply chains. In this blog, we will dive into each vulnerability, its potential impact, and why Third-Party Risk Management (TPRM) professionals should pay close attention. We also explore how Black Kite’s FocusTags™ can streamline your risk assessment process by identifying vendors impacted by these threats and providing actionable insights for mitigation.

CVE-2024-21216: Oracle WebLogic Server RCE Vulnerability

What is the Oracle WebLogic Server RCE Vulnerability?

CVE-2024-21216 is a critical Remote Code Execution (RCE) vulnerability in Oracle WebLogic Server, affecting versions 12.2.1.4.0 and 14.1.1.0.0. This vulnerability allows attackers with network access via T3 or IIOP protocol to gain full control over the server without requiring authentication. Exploitation could lead to unauthorized data access, system manipulation, and further malicious activities like ransomware deployment. The vulnerability was first published on Oracle’s October 2024 CPU and holds a CVSS score of 9.8, signifying its severity. Although no known exploitation has been reported in the wild, a PoC is not yet available. Historically, similar vulnerabilities have been exploited by Chinese threat actors.

Why Should TPRM Professionals Care About Oracle WebLogic Server RCE Vulnerability?

Oracle WebLogic Server is a widely used platform for hosting business-critical applications. A successful attack could result in complete system compromise, exposing sensitive data or enabling malicious control of the organization’s operations. This vulnerability is particularly dangerous for organizations hosting externally-facing instances of WebLogic, as it could expose them to external threats. In the context of third-party risk management, any vendors or partners using Oracle WebLogic Server should be thoroughly assessed for potential exposure, especially if these servers host sensitive applications or data.

What questions should TPRM professionals ask vendors about CVE-2024-21216?

• Have you identified any instances of Oracle WebLogic Server versions 12.2.1.4.0 or 14.1.1.0.0 in your infrastructure?
• Have you applied the security patches released by Oracle in October 2024 for the affected WebLogic Server versions?
• Are the T3 and IIOP protocols disabled if they are not necessary for your environment?
• What security controls, such as MFA and access restrictions, are in place to protect administrative access to your WebLogic servers?

Remediation Recommendations for Vendors Subject to This Risk

• Immediately apply Oracle’s latest security patches for WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0.
• Disable or restrict access to T3 and IIOP protocols unless necessary for business operations.
• Implement strong access controls, including multi-factor authentication, for any WebLogic administrative interfaces.
• Limit external access to WebLogic servers by configuring firewalls or restricting IPs to trusted sources only.
• Regularly monitor network traffic for any suspicious activity targeting WebLogic servers.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the Oracle WebLogic Server FocusTag on October 16, 2024, offering detailed insights into which vendors are at risk of this critical vulnerability. TPRM professionals can operationalize this FocusTag by identifying vendors using vulnerable WebLogic versions and prioritizing assessments and remediation efforts. The FocusTag also provides IP addresses and subdomains hosting the vulnerable systems, empowering organizations to act swiftly and mitigate risk efficiently. Monitoring vendors with exposure to this vulnerability through Black Kite’s intelligence platform can significantly reduce response time and mitigate potential exploitation risks.

CVE-2024-9487: GitHub Enterprise SAML SSO Authentication Bypass Vulnerability

What is the GitHub Enterprise SAML SSO Authentication Bypass Vulnerability?

CVE-2024-9487 is a critical vulnerability that affects GitHub Enterprise Server versions prior to 3.15. This vulnerability allows attackers to bypass SAML Single Sign-On (SSO) authentication, potentially granting unauthorized access to sensitive GitHub Enterprise Server instances. The issue stems from improper verification of cryptographic signatures during the SAML authentication process, which may allow attackers to bypass authentication and gain unauthorized access. This vulnerability has a CVSS score of 9.5, indicating its critical severity, and an EPSS score of 0.05%. While no known public exploitation has been reported, it poses a significant risk to enterprises that utilize GitHub Enterprise Server with SAML SSO and encrypted assertions.

The vulnerability was disclosed in October 2024 and has not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. However, given the critical nature of the vulnerability and its potential impact on organizations, it should be addressed immediately by applying the recommended patches.

Why Should TPRM Professionals Care About the GitHub Enterprise Vulnerability?

GitHub Enterprise is widely used by organizations to manage their development environments and host proprietary code. A successful exploitation of CVE-2024-9487 could lead to unauthorized access to sensitive repositories, potentially exposing intellectual property, sensitive data, or security credentials. For TPRM professionals, the exposure of a third-party development platform like GitHub could have a cascading impact on software supply chains, making it critical to assess whether any vendors or partners are at risk due to this vulnerability.

Organizations with vendors relying on GitHub Enterprise must act swiftly to ensure that these systems are secure, as a breach could lead to unauthorized changes in code, further introducing vulnerabilities into the products and services downstream.

What questions should TPRM professionals ask vendors about CVE-2024-9487?

• Are you running any instances of GitHub Enterprise Server prior to version 3.15?
• Have you applied the necessary patches to mitigate CVE-2024-9487, especially for SAML SSO configurations?
• Is the “encrypted assertions” feature in SAML enabled on your GitHub Enterprise Server? If so, have you considered disabling it as a temporary mitigation?
• Have you implemented network access restrictions or monitoring mechanisms to detect unauthorized access attempts?

Remediation Recommendations for Vendors Subject to This Risk

• Upgrade GitHub Enterprise Server to one of the following patched versions: 3.11.16, 3.12.10, 3.13.5, or 3.14.2.
• If upgrading is not feasible immediately, disable the “encrypted assertions” feature within SAML configurations to mitigate the risk temporarily.
• Restrict network access to GitHub Enterprise Server to minimize exposure and reduce the attack surface.
• Monitor user access logs and network activity for any unusual authentication events or user provisioning activities that could indicate attempted exploitation.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite published the GitHub Enterprise FocusTag on October 14, 2024, offering in-depth insights into which vendors are exposed to this critical SAML SSO authentication bypass vulnerability. TPRM professionals can leverage this tag to identify at-risk vendors quickly, enabling faster remediation and risk mitigation. Additionally, Black Kite’s FocusTags™ provide a unique advantage by supplying the IP addresses and subdomains associated with vulnerable instances, allowing organizations to take swift, targeted action to secure their supply chain.

ENHANCING TPRM STRATEGIES WITH BLACK KITE’S FOCUSTAGS™

In an ever-evolving cybersecurity landscape, Black Kite’s FocusTags™ serve as a powerful tool to manage third-party risks efficiently. This week’s vulnerabilities in Oracle WebLogic Server and GitHub Enterprise exemplify how high-profile security flaws can cascade through supply chains, affecting multiple vendors and partners. With FocusTags™, you can stay ahead of these threats by:

• Instant Risk Identification: Quickly pinpoint which vendors in your supply chain are impacted by emerging vulnerabilities like CVE-2024-21216 and CVE-2024-9487, ensuring a fast and focused response.
• Risk Prioritization: FocusTags™ allow you to prioritize risks based on the criticality of affected vendors and the severity of vulnerabilities, ensuring your TPRM efforts are aligned with the highest potential risks.
• Vendor Engagement: Black Kite’s FocusTags™ equip you with detailed insights that facilitate meaningful discussions with your vendors, particularly about how they are addressing these specific vulnerabilities.
• Holistic Cybersecurity Posture: By providing a comprehensive view of the threat landscape, FocusTags™ enhance your overall cybersecurity strategy, helping you to address not just the vulnerabilities of today but also prepare for the risks of tomorrow.

Black Kite’s FocusTags™ continue to be an invaluable asset for TPRM professionals, offering real-time insights and targeted recommendations to help mitigate third-party risks associated with high-profile vulnerabilities.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
• GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
• pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
• Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
• Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.
• PAN-OS Cleartext: CVE-2024-8687, Cleartext Exposure Security Flaw in PAN-OS, GlobalProtect, Prisma Access.
• FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow.
• WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin
• SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls
• Dahua IP Camera: CVE-2021-33045, CVE-2021-33044, Critical Authentication Bypass Vulnerabilities in Dahua IP Camera Systems

References

https://nvd.nist.gov/vuln/detail/CVE-2024-21216

https://www.oracle.com/security-alerts/cpuoct2024.html

https://nvd.nist.gov/vuln/detail/CVE-2024-9487

https://securityonline.info/github-enterprise-server-patches-critical-security-flaw-cve-2024-9487-cvss-9-5

https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2

The post FOCUS FRIDAY: TPRM INSIGHTS INTO ORACLE WEBLOGIC SERVER AND GITHUB ENTERPRISE VULNERABILITIES appeared first on Black Kite.

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

Manufacturing companies are in the crosshairs of cybercriminals, with ransomware attacks as the number one threat to the industry. In our 2024 Report: The Biggest Third-Party Risks in Manufacturing, we analyzed 1,039 manufacturing companies across 10 sub-industries and found the sector accounts for 21% of all ransomware attacks globally. While these figures reveal the urgent need for individual companies to shore up their defenses, it’s essential to recognize that manufacturing companies do not operate in isolation—they exist within an intricate web of supply chains, where a disruption to one player can have cascading effects on others. 

Consider this: a ransomware attack on one of your key suppliers can stop your operations in their tracks. If a supplier responsible for microchips, preservatives, or critical machinery parts is taken offline, your own company might not be able to continue production. Even if you have no direct ransomware attack on your systems, you’re vulnerable to supply chain delays that can ripple throughout the network.

This means third-party risk management (TPRM) is not just a priority but a necessity for manufacturing companies that want to avoid catastrophic operational and financial consequences. Fixing your own vulnerabilities is essential, but if your key suppliers are compromised, your production lines and supply chain will suffer just as much.

A Chain is Only as Strong as Its Weakest Link

Why is the manufacturing industry such a hotbed for ransomware activity? Our findings indicate that 67% of manufacturing companies have vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. These are known vulnerabilities actively targeted by threat actors. If these go unchecked in your supply chain, your company may face operational disruptions, even if you’ve taken steps to secure your own systems.

For example, imagine you’re a food manufacturer relying on a supplier for metal cans. If that supplier is hit by ransomware, it can delay or prevent the packaging of your products, leading to missed deliveries and spoiled goods. Or consider an electronics manufacturer that relies on a supplier for microchips—an attack on the supplier could grind your production to a halt, leaving you unable to meet your customers’ demand.

Real-World Examples of Supply Chain Disruption

To contextualize just how consequential these unchecked risks can be, here are real-world examples of how ransomware attacks on manufacturers and their suppliers have caused significant operational and financial disruptions throughout the supply chain.

1. Clorox (2023): A ransomware attack on Clorox disrupted its IT infrastructure, causing product shortages that rippled through the supply chain. The attack forced Clorox to shut down its automated systems and switch to manual operations, significantly slowing down production and resulting in widespread product unavailability for retailers and consumers, particularly for high-demand products. The recovery process, which extended over weeks, showcased the broader impact of cyberattacks on supply chains and consumer markets.
2. Norsk Hydro (2019): The 2019 LockerGoga ransomware attack on aluminum giant Norsk Hydro halted production at several of its global facilities and cost the company approximately $71 million. The company had to switch from automated to manual operations, leading to significant delays in manufacturing and delivery of aluminum products. This affected industries that depend on Norsk Hydro’s aluminum, such as automotive, construction, and packaging, causing delays and shortages in their own supply chains, highlighting the interconnectedness of global supply chains and the severe impact a single cyberattack can have across multiple industries.
3. Lacroix Electronics (2023): Lacroix, a French electronics manufacturer, temporarily shut down three of its production sites following a ransomware attack. The shutdown of production over the course of a week created bottlenecks, impacting both Lacroix’s internal processes and its downstream partners.
4. Acer (2021): Acer was hit by a $50 million ransomware attack in March 2021, launched by the REvil group. The attackers gained access to Acer’s systems and demanded payment in cryptocurrency to provide a decryption key and avoid leaking sensitive data. As a major player in electronics manufacturing, disruptions at Acer affected the availability of critical components, which in turn impacted other companies reliant on Acer for parts.

In each case, it wasn’t just the ransomed companies facing operational chaos—real, time-sensitive challenges fell on the businesses that relied on them for critical supplies and components. These dependent companies had to navigate the cascading effects of disrupted supply chains, from raw material shortages to delayed shipments. So ransomware isn’t just an internal issue for the company dealing with the attack firsthand. It’s a third-party risk management (TPRM) problem for companies relying on the compromised supplier.

Proactive Steps to Secure Your Supply Chain

In 2023, the MOVEit Transfer vulnerability exposed hundreds of organizations, including manufacturers, to ransomware attacks. The CLOP ransomware group exploited a software flaw, leading to widespread disruptions in industries ranging from logistics to production. This incident demonstrates the importance of scrutinizing third-party software tools—any weak link in the supply chain could be an entry point for cybercriminals, potentially affecting your entire business.

One effective way to manage this is by leveraging tools like Black Kite’s Ransomware Susceptibility Index® (RSI™), which measures how likely a company or supplier is to suffer a ransomware attack. This allows you to assess not only your own company’s risk but also the risk posed by your third-party vendors. With these insights, you can take proactive steps to address vulnerabilities in your supply chain before they become costly breaches.

Conclusion: Securing the Entire Ecosystem

The findings from our report should serve as a wake-up call to manufacturing companies. It’s not enough to secure your own systems—you must ensure that your supply chain is secure. Ransomware attacks and cyber vulnerabilities within your third-party vendors pose a significant risk to your operations.

By taking a proactive, comprehensive approach to third-party risk management, you can mitigate these risks and ensure business continuity, protecting not only your operations but also the entire supply chain on which you depend.

Want to learn how your company and its third-party vendors stack up in terms of ransomware susceptibility and cyber risk? Schedule a demo with Black Kite today and take the first step toward securing your manufacturing operations.

References:

https://www.industryweek.com/technology-and-iiot/article/21274431/the-clorox-co-recovers-from-severe-cyberattack

https://news.microsoft.com/source/features/digital-transformation/hackers-hit-norsk-hydro-ransomware-company-responded-transparency

https://www.securityweek.com/lacroix-closes-production-sites-following-ransomware-attack/amp

https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/amp

The post Manufacturing at Risk: Why Securing Your Supply Chain is Critical appeared first on Black Kite.

Written by: Jeffrey Wheatman

When it comes to third-party risk management (TPRM), many organizations treat it as a purely technical issue, relying on cybersecurity teams to handle vendor vulnerabilities and security gaps. However, this mindset often overlooks a critical truth: TPRM is a business problem that requires strategic decisions based on business value, operational impact, and financial risk—not just technical fixes.

That means, you can’t just go throwing a bunch of technical requests over to your vendors’ technical teams. Yet that’s exactly what many TPRM teams do today. They end up sending the vendors a long list of concerns such as open vulnerabilities, missing patches, and other technology threats, believing that the best way forward is for the vendors’ technical teams to take action. How can your vendors possibly handle that workload from you, let alone all the other customers they serve? The truth is, they can’t.

As we reveal in our RiskBusters episode, there is a better way. While technical people play a crucial role in assessing security controls and identifying risks, these insights need to be contextualized within a broader business framework. It’s not just about patching vulnerabilities; it’s about determining which risks have the most significant impact on your business and working collaboratively with vendors to mitigate those risks. The solution? A balanced approach that aligns technical assessments with business priorities.

Let’s dig deeper into the facts. 

3 Facts About the Importance of TRPM for Businesses

Fact: Organizations are being targeted through their third-parties.

What You Should Know:

• Zero-day vulnerabilities allow mass exploitation.
• Third-party vendors are now prime targets for cybercriminals.
• An increased reliance on vendors increases risk exposure.
• A single vendor breach can impact many organizations.

With the impact of third-party breaches intensifying with each passing year, we see more and more cases in which vendor relationships become the “way in” for bad actors. The attackers themselves have realized how many of today’s businesses rely heavily on their third-party vendor relationships, and a single breach can cause significant cascading effects. Zero-day vulnerabilities, like the one found in MOVEit last year, make it especially easy for bad actors to exploit dozens of businesses using a single, vulnerable system.

Fact: Not every vulnerability is going to get fixed.

What You Should Know:

• Not every vulnerability poses a serious risk to your business.
• Assess financial and operational impacts first.
• Prioritize the vulnerabilities that matter most.
• Focus resources on high-impact issues.

When it comes to managing third-party risk, not every vulnerability is equal, and not every risk requires immediate action. The key to effective risk management is understanding the potential impact of vulnerabilities on your business. By using contextual intelligence, you can assess the financial, operational, and reputational costs of leaving certain risks unaddressed. This allows business stakeholders to prioritize vulnerabilities based on their potential impact, rather than overwhelming vendors with every issue.

With a clear understanding of which risks pose the greatest threat to your bottom line, your technical teams and vendors can focus their efforts on mitigating what matters most—ensuring that your resources are used efficiently and effectively.

Fact: It’s possible to overwhelm your vendors with requests.

What You Should Know: 

• Bombarding vendors with issues slows down remediation.
• Vendors may ignore unclear or excessive demands.
• Generic scores or long lists create frustration.
• Overwhelming vendors damages collaboration.

Prioritization is important because many businesses have tried to collaborate with their vendors and been met with silence or inaction. This is often because they go into conversations with existing or prospective vendors expecting them to fix an unfiltered list of security issues. Because after all, they believe that this is simply a technical problem and the vendor has the right technical people to do something about it! Because of this expectation, these businesses end up sending their vendors one of the following documents:

• A): a long list of security concerns (“Hey, we need you to fix these 783 vulnerabilities by next month.”)
• B): a vague SRS risk score (“You scored a D according to X firm. Fix that, or else!”)
• C): a lengthy questionnaire (“We want to make sure that you’re secure enough to meet our compliance requirements. Please take eight hours out of your day to fill in this detailed questionnaire.”)

But when they send this type of vague and/or overwhelming information without a clear idea as to which third-party risks are most pressing to fix, these companies end up sabotaging their relationships with vendors. The vendors either ignore the requests because they don’t know where to start, or the relationship becomes strained. Either way, it’s not the result you’re looking for: action taken to mitigate overall business risk.

Is a secure and collaborative vendor relationship just the stuff of myths and legends?

How can organizations shift away from overwhelming their vendors with technical requests and focus on what really matters—reducing business risk? Watch the video below to find out how aligning technical assessments with business priorities can lead to more effective, collaborative TPRM strategies.

Check Out Episode 4 Now!

Align Third-Party Risk Management with Business Priorities

Managing third-party risk doesn’t have to overwhelm your team—or your vendors. By focusing on business-critical risks and using tools like Black Kite’s Strategy Report, you can guide your vendors toward actionable, prioritized risk remediation steps. With clear communication and a well-defined strategy, you’ll not only protect your business but also foster stronger, more collaborative relationships with your vendors.

And with Black Kite Bridge™️, you can take what you’ve prioritized in the Strategy Report to your vendors with streamlined communication, allowing vendors to easily access your most pressing concerns and providing them with actionable intelligence. This collaborative approach ensures that risk management becomes a shared responsibility, not just a technical burden.

To learn more about turning TPRM into a business-driven process and debunking common myths, watch our latest RiskBusters episode above. Subscribe to our YouTube channel for more myth-busting insights into third-party risk management!

To learn more about common TPRM assumptions and see if they’re fact or fiction, subscribe to our YouTube channel so you can catch all of our RiskBusters™️ episodes!

The post RiskBusters™ Reveal: TPRM Is More Than a Technical Problem, It’s a Business Imperative appeared first on Black Kite.

Written By: Ferdi Gül

Welcome to this week’s Focus Friday blog, where we delve into high-profile cybersecurity incidents from a Third-Party Risk Management (TPRM) perspective. This week, we examine critical vulnerabilities affecting Fortinet Core Products, Cisco RV Routers, and Ivanti Connect Secure. These vulnerabilities present significant risks, from privilege escalation to remote code execution, impacting enterprise security across various sectors. Understanding and addressing these issues are essential to maintaining a strong security posture and mitigating potential breaches.

CVE-2024-23113: Fortinet Core Products Format String Vulnerability

What is the Fortinet Core Products Format String Vulnerability?

CVE-2024-23113 is a critical format string vulnerability affecting Fortinet products, including FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. This flaw allows a remote, unauthenticated attacker to execute arbitrary code by sending specially crafted requests to the affected systems. The vulnerability, with a CVSS score of 9.8 and an EPSS score of 0.80%, was disclosed in February 2024 and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on October 9, 2024. Although no proof-of-concept (PoC) exploit code has been publicly released, threat actors are focusing on exploiting vulnerabilities in Fortinet systems to breach corporate networks, aiming to launch ransomware attacks or engage in cyber espionage. Therefore, it is recommended to upgrade the Fortinet’s products to the patched versions.

Why Should TPRM Professionals Care About This Vulnerability?

For TPRM professionals, vulnerabilities in Fortinet core products are highly concerning because these systems are often deployed in sensitive enterprise environments. If exploited, CVE-2024-23113 could allow attackers to take control of Fortinet systems, execute arbitrary commands, and compromise the entire network. This risk is particularly critical in environments where FortiOS is used to secure sensitive operations, including financial transactions, communications, and administrative controls. The vulnerability’s ability to bypass authentication and execute commands remotely makes it a prime target for ransomware attacks and cyber espionage.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To mitigate the risk of CVE-2024-23113, TPRM professionals should ask vendors the following questions:

1. Have you updated all instances of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager to the latest versions (FortiOS: 7.4.3, 7.2.7, or 7.0.14 or above, FortiProxy: 7.4.3, 7.2.9, or 7.0.16 or above, FortiSwitchManager: 7.2.4 or 7.0.4 or above) to mitigate the risk of CVE-2024-23113?
2. Have you implemented the recommended action of disabling FGFM access for each interface until the system can be updated, and closely observing network activity for any abnormal behavior that may indicate attempted exploitation of this vulnerability?
3. Can you confirm if you have restricted FGFM connections to specific IPs as an additional mitigation step, even though it does not fully prevent exploitation and should be treated as a temporary solution until patching is completed?
4. For FortiPAM, have you migrated to fixed releases as no specific patches are provided for vulnerable versions to mitigate the risk of CVE-2024-23113?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using affected Fortinet products should:

• Apply patches immediately to upgrade FortiOS to versions 7.4.3, 7.2.7, or 7.0.14 and similar versions for FortiProxy and FortiSwitchManager.
• Disable FGFM access temporarily, or restrict it to specific trusted IPs to minimize exposure.
• Implement local-in policies to restrict access to FGFM services.
• Monitor network activity closely for signs of exploitation, and review access logs regularly.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite provides the Fortinet Core Products FocusTag to help identify vendors with potential exposure to CVE-2024-23113. The tag, first published on October 9, 2024, allows TPRM professionals to identify at-risk vendors by mapping affected assets like IP addresses and subdomains. This enables targeted risk assessments and allows professionals to prioritize outreach and remediation efforts for the most vulnerable vendors. Black Kite’s ability to provide real-time intelligence on exploited vulnerabilities is a key differentiator in managing third-party risks.

CVE-2024-20393 and CVE-2024-20470: Cisco RV Routers Privilege Escalation and Remote Code Execution Vulnerabilities

What are the Cisco RV Routers Privilege Escalation and RCE Vulnerabilities?

CVE-2024-20393 and CVE-2024-20470 are high-severity vulnerabilities impacting Cisco RV340, RV340W, RV345, and RV345P VPN Routers. CVE-2024-20393 enables privilege escalation, while CVE-2024-20470 allows remote code execution. Both vulnerabilities involve weaknesses in the web-based management interface and can be exploited by an authenticated attacker with limited privileges. With CVSS scores of 7.2 and 8.8, respectively, these flaws pose serious risks to network integrity and sensitive data.

Why Should TPRM Professionals Care About These Vulnerabilities?

For organizations using Cisco RV routers, these vulnerabilities can severely compromise network security. If exploited, attackers can escalate privileges or execute arbitrary code, leading to unauthorized access to sensitive data or full system takeover. Given that these routers are often used in business-critical environments, failing to address these vulnerabilities may result in breaches, data exfiltration, or service disruption.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

1. Have you checked and confirmed that the remote management feature is disabled on all your Cisco Small Business RV Series routers, specifically the RV340, RV340W, RV345, and RV345P models, to mitigate the risk of CVE-2024-20393 and CVE-2024-20470?
2. Given that Cisco has not provided any patches or workarounds for these vulnerabilities, have you considered replacing the affected Cisco Small Business RV Series routers with more secure alternatives that receive active support and security updates?
3. Can you confirm if you have implemented network monitoring solutions to detect any suspicious activity that could indicate an exploitation of the privilege escalation and remote code execution vulnerabilities (CVE-2024-20393 and CVE-2024-20470) in the Cisco Small Business RV Series routers?
4. Have you taken steps to restrict network access to the affected Cisco Small Business RV Series routers to local connections only, as a measure to mitigate the risk of CVE-2024-20393 and CVE-2024-20470?

Remediation Recommendations for Vendors Subject to This Risk

• Disable remote management immediately.
• Migrate to secure router models, as these devices no longer receive software support.
• Restrict network exposure to local traffic only.
• Monitor network traffic for suspicious activity related to privilege escalation or RCE attempts.

How Can TPRM Professionals Leverage Black Kite for These Vulnerabilities?

Black Kite’s Cisco RV Routers FocusTag helps TPRM professionals identify vendors at risk from these vulnerabilities. Published on October 7, 2024, the FocusTag offers real-time data on vulnerable assets, allowing organizations to prioritize mitigation efforts and reduce exposure. By providing asset-specific intelligence such as IP addresses and vulnerable systems, Black Kite enables more focused risk management.

CVE-2024-37404: Ivanti Connect Secure Remote Code Execution Vulnerability

What is the Ivanti Connect Secure RCE Vulnerability?

CVE-2024-37404 is a critical Remote Code Execution (RCE) vulnerability affecting Ivanti Connect Secure and Policy Secure products. This flaw, caused by improper input validation in the admin portal during the Certificate Signing Request (CSR) generation process, allows an authenticated attacker to execute arbitrary code. With a CVSS score of 9.1, this vulnerability poses a significant risk, potentially allowing attackers to take full control of vulnerable systems. The issue was first disclosed in October 2024, and while no known exploitation has been observed in the wild, a proof-of-concept (PoC) has been published, demonstrating how the attack can be carried out by manipulating configuration files through specially crafted input. 

In previous discussions on ICS, we noted that the Chinese nation-state-linked threat actor UTA0178 is suspected of exploiting these systems. MITRE research highlights the ROOTROT webshell tool, used by attackers to execute commands, steal credentials, exfiltrate files, and more. Vulnerabilities in ICS devices are exploited to propagate the Mirai botnet, leading to large-scale DDoS attacks and other cyber threats.

Why Should TPRM Professionals Care About this Vulnerability?

For organizations utilizing Ivanti Connect Secure, this vulnerability could lead to complete system compromise. Given the privileged role these systems play in secure communications and network management, the exploitation of this flaw could result in data breaches, system disruptions, and potential ransomware attacks. Attackers could use compromised admin credentials to access and exploit this vulnerability, especially in environments where access controls are weak or multi-factor authentication (MFA) is not implemented.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

1. Have you upgraded all instances of Ivanti Connect Secure and Policy Secure to versions 22.7R2.1, 22.7R2.2, and 22.7R1.1 respectively to mitigate the risk of CVE-2024-37404?
2. Can you confirm if you have implemented the recommended mitigation measures such as enabling admin access only on the management interface, monitoring network traffic for unusual activities, and strengthening password policies and MFA protections?
3. Have you taken steps to prevent the injection of Carriage Return Line Feed (CRLF) characters into input fields in the admin portal, specifically in the Certificate Signing Request (CSR) generation process, to prevent the manipulation of configuration files and loading of malicious libraries?
4. Can you confirm if you have implemented measures to detect and prevent the uploading of malicious ZIP files masquerading as client logs, which could lead to remote code execution and granting of root-level access to the system?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using Authentik should follow these remediation steps:

• Update to the latest versions of Ivanti Connect Secure (22.7R2.1 or 9.1R18.9 when available) and Ivanti Policy Secure (22.7R1.1).
• Restrict admin access to internal networks and ensure it is protected by a firewall or jump host.
• Enforce strong access controls, including MFA and password vaults, to limit exposure.
• Enable admin logging and monitor for suspicious activity involving administrative credentials.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite provides the Ivanti Connect Secure FocusTag, which helps TPRM professionals identify vendors at risk of this vulnerability. Published in October 2024, this FocusTag delivers critical insights into affected assets, allowing TPRM professionals to prioritize vendors that need immediate remediation. This targeted intelligence aids in reducing exposure by focusing on the vendors most likely to be impacted by CVE-2024-37404, helping organizations streamline their third-party risk management processes.

By providing detailed asset information such as vulnerable subdomains or IP addresses, Black Kite allows its customers to operationalize these insights and reduce the potential risk from vendors who might be compromised through this vulnerability.

Maximizing TPRM Effectiveness With Black Kite’s FocusTags™

Black Kite’s FocusTags are indispensable tools for refining Third-Party Risk Management (TPRM) strategies. Here’s how Black Kite’s FocusTags™ empower organizations to effectively manage vulnerabilities like those in Fortinet Core Products, Cisco RV Routers, and Ivanti Connect Secure:

• Real-Time Risk Identification: FocusTags instantly identify vendors impacted by critical vulnerabilities, enabling organizations to react swiftly and mitigate threats before they escalate.
• Targeted Risk Prioritization: By assessing both the severity of the vulnerability and the criticality of the affected vendors, FocusTags help allocate resources efficiently to address the most pressing risks.
• Informed Vendor Engagement: These tags facilitate deeper discussions with vendors about their exposure and remediation plans, ensuring that conversations are focused and actionable.
• Comprehensive Security Enhancement: With a broad view of the threat landscape, FocusTags strengthen the overall security posture, allowing TPRM professionals to adapt their strategies to the latest cyber risks.

Incorporating Black Kite’s FocusTags into your TPRM processes ensures that your organization remains proactive and responsive to the rapidly evolving cyber threat environment, empowering you to manage third-party risks effectively and safeguard your enterprise.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
• Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
• Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
• pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
• Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
• Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.
• PAN-OS Cleartext: CVE-2024-8687, Cleartext Exposure Security Flaw in PAN-OS, GlobalProtect, Prisma Access.
• FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow.
• WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin
• SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls
• Dahua IP Camera: CVE-2021-33045, CVE-2021-33044, Critical Authentication Bypass Vulnerabilities in Dahua IP Camera Systems
• Microsoft Privilege Escalation Vulnerability: CVE-2024-38193, CVE-2024-38106, CVE-2024-38107, Critical Privilege Escalation Vulnerabilities in Microsoft Windows
• SolarWinds WHD: CVE-2024-28986, Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk

References

https://www.fortiguard.com/psirt/FG-IR-24-029

https://nvd.nist.gov/vuln/detail/CVE-2024-23113

Cisco Security Advisory – Cisco Small Business RV34x VPN Routers Privilege Escalation and Remote CodeExecution Vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2024-20393

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-and-Policy-Secure-CVE-2024-37404?language=en_US

https://securityonline.info/cve-2024-37404-critical-rce-flaw-discovered-in-ivanti-connect-secure-policy-secure-poc-published

https://blackkite.com/blog/focus-friday-tprm-challenges-in-the-face-of-ivanti-ics-cacti-sonicwall-confluence-and-citrix-vulnerabilities

The post FOCUS FRIDAY: INSIGHTS INTO THIRD-PARTY RISKS IN FORTINET CORE PRODUCTS, CISCO RV ROUTERS, AND IVANTI CONNECT SECURE VULNERABILITIES appeared first on Black Kite.

Written by: Bob Maley, Chief Security Officer

Reactivity isn’t the best option in most areas of life. You don’t want to buy a first aid kit while you’re actively wounded or hike to the nearest exit to fill up a gas can because your car ran out of fuel on the highway. In the same way, reacting to third-party risk as it’s happening (e.g., one of your vendors facing a zero-day threat or an auditor flagging one of your business-critical vendors as noncompliant) is responding too late. And your risk posture, reputation, and (let’s be honest) sanity will likely suffer as a result. 

Instead, protecting your business against increased third-party breaches and responding to a rapidly expanding vendor ecosystem requires a more proactive, planned approach. It takes new strategies that traditional TPRM solutions often don’t consider—monitoring your third-party risks in real-time and identifying weak points before anything significant ever happens. It’s like watching your gas gauge and filling up your car long before you hit empty or preparing for unforeseen injuries by keeping a first aid kit on hand. 

Let’s dive into a few differences between a traditional, reactive approach to TPRM and a proactive cyber security strategy powered by Black Kite that keeps you one step ahead.

From Point-in-Time Snapshots to Continuous Monitoring

Traditional TPRM tends to lean on point-in-time snapshots about a company’s third-party risk posture. However, this approach misses many rapidly shifting factors in vendor relationships. A vendor that seemed secure might suddenly make changes that increase their level of risk. Or a new zero-day vulnerability might emerge that affects some of your third-party resources.

How Black Kite Solves It

To keep a close eye on these constant changes, Black Kite offers continuous monitoring, with the ability to narrow down findings to the risks that matter most to your organization. We don’t inundate you with data; instead, we prioritize and bring attention to the alerts that matter most in a sea of vendors, applications and data points. By watching vendors’ security posture over an extended period, your team collects better context than a static score or rating could ever provide. 

From Inaccurate Scoring to Precise Data

When your team considers quantifying risk, established systems like security rating services (SRS) scores might come to mind. However, these scoring systems leave out many important nuances, such as how a vendor is mitigating an emerging threat. SRS scores can also be vague, as two security service organizations will often provide two different letter ratings for the same business. Sometimes, it seems like the score came out of a black box, with no way of knowing how the security service decided on that particular rating. 

How Black Kite Solves It

Instead of relying on ambiguous scoring systems, Black Kite uses technical cybersecurity ratings using commonly-used frameworks developed by the MITRE Corporation. We conduct non-intrusive scans and rank each vendor in 20 categories, such as patch management, attack surface, and network security. The total score is a weighted average of these individual categories. It is then translated into a letter-grade system for quantifying risk at a glance.

Black Kite also shows how each vendor ranks in the following categories:

• Potential financial impact by monetary amount, calculated with the Open FAIR™ model
• Correlation with industry-accepted compliance frameworks 
• Ransomware susceptibility, as shown by the Ransomware Susceptibility Index^®

With this precise data, your team can take proactive cyber security to the next level by accurately identifying which vendors pose the most significant threats and make informed risk decisions.

From Vague Findings to Actionable Insights

Commonly used rating systems also fail to provide actionable information. If the only information you have about a business-critical vendor’s risk posture is that they scored a “D” in their SRS rating, your team might not know what to do next. Do you tell the vendor and invite further confusion because neither party knows what caused the low score? Do you ignore it and hope for the best? Or do you raise the alarm in your organization and cause a domino effect of business complications?

How Black Kite Solves It

Black Kite prioritizes transparency and accuracy in vendor risk management, offering deep, actionable insights into each vendor’s risk posture, including their susceptibility to ransomware attacks. With this detailed data, you can better reach out to stakeholders within the business or to the vendors directly and have productive conversations about risk management. By fostering more collaborative relationships and removing uncertainty, you increase the likelihood that a vendor will take positive action to improve their risk posture. 

In the case of significant threats, such as data breaches or ransomware attacks, we also leverage FocusTags™, ensuring that your team immediately sees when a high-risk incident occurs in your vendor ecosystem. We filter out the noise and confusion, so your team can focus on the next steps that will most significantly mitigate your third-party risk. 

Sign Up for a Vendor Risk Assessment Today

A proactive approach to third-party risk management can make all the difference for your security team. Proactive cyber security contributes to a better relationship between you and your vendors, less noise and confusion for your team, and more concrete, actionable next steps. Rather than waiting to see what happens or chasing false alarms, your team can take control of vendor risk and prioritize protecting your most valuable assets. 

Want to see Black Kite in action? Sign up for our free risk assessment to see how your vendor ecosystem stacks up.

The post Heading Off Disruption: How to Implement Truly Proactive TPRM appeared first on Black Kite.

Written by: Bob Maley, Chief Security Officer

Contributor: Candan Bolukbas, CTO and Founder

In today’s fast-moving tech landscape, companies often face the temptation to prioritize speed over security when developing software. While getting to market quickly might offer a competitive edge for a software company, the long-term risks can be catastrophic—especially when that company becomes a third-party vendor whose products are embedded in other cyber ecosystems. When security is treated as an afterthought, the consequences can ripple across entire supply chains, leaving businesses vulnerable to breaches, ransomware attacks, and data loss. 

For companies relying on third-party vendors, a single security oversight can expose them to significant financial loss, reputational damage, and regulatory penalties. As cyber threats become more sophisticated, the price of neglecting security during product development is far too high for both vendors and their customers.

That’s why, in 2016, when we first built Black Kite as a third-party risk management (TPRM) solution, security was at the very top of our list. As a vendor ourselves, we understood the responsibility that comes with being part of our customers’ cyber ecosystems. We knew that any vulnerability in our own product could become a vulnerability for the companies relying on us to secure their third-party relationships. Our goal wasn’t just to help businesses identify and manage risks in their vendor networks—it was also to ensure that we weren’t contributing to those risks. 

From day one, we designed Black Kite to be as secure as possible, embedding security into every layer of our platform, just like our solution helps companies do with their own vendors.

So when the opportunity to sign the CISA Secure by Design Pledge came around last year, it felt like a natural step for us. The pledge aligns perfectly with the principles we’ve followed since the beginning—building secure software that protects not only our customers but also the broader digital ecosystem. By committing to this initiative, we reinforced our dedication to putting security at the forefront of everything we do. 

Taking the CISA Secure by Design Pledge

Recently, we joined more than 200 tech companies in signing CISA’s Secure by Design Pledge. For Black Kite, signing the pledge wasn’t about making a drastic shift; it was about publicly affirming what we’ve practiced for the past eight years. As a Chief Information Security Officer (CSO) who joined in 2019, I was thrilled to join a company whose product was already well-established, with many proactive security measures in place. 

I recently sat down with co-founder and Chief Technology Officer Candan Bolukbas to discuss how Black Kite’s security-first approach already aligns with the tenets of the pledge, underscoring our commitment to helping businesses protect themselves from third-party risks.

The pledge requires us to meet seven key security goals within the year following signature. That would be daunting for many companies of our size, but it was a no-brainer for me and our leadership team.

For one, the seven goals outlined in the pledge align well with several compliance frameworks we had already embraced at Black Kite, including ISO 27001, SOC 2, and FedRAMP. Moreover, we have already adopted many essential security best practices that map to the pledge, like using MFA and avoiding default passwords in our software. 

While compliance frameworks and pledges like CISA’s are designed to improve security, any CISO worth their salt will tell you that checking the boxes on a compliance audit or pledge does not mean you are fully secure. We’ve always considered it a goal to be one step ahead of the “bad guys” and remain on the cutting edge of defensive and offensive security.

Today, I want to share some foundational principles built into Black Kite and how we have evolved our security practices. Our goal, of course, is not just to tick the boxes on the pledge, but to uphold and demonstrate our commitment to security — for all of our stakeholders, from employees to customers to investors. 

Black Kite’s Secure by Design Roots

One of the most unusual facets of Black Kite’s culture is the security knowledge and expertise in our C-Suite. Our CEO, CTO, CSO (myself), and COO all have backgrounds in security; in fact, our COO is a former CISO himself. 

This isn’t something that every business can replicate. But it’s part of the reason we’ve had such success with building a secure-by-design organization and product. Everyone in the C-Suite has bought into the importance of security from day one.

This has reinforced for me that the culture of security is just as important as the tools, processes, and people who make security happen. 

Let’s face it: The role of CISO is a challenging job. That’s true even when you have access to Fortune 500 resources. For one thing, the security talent shortage continues to plague every industry, meaning that even large companies rarely have sufficient personnel for security. Meanwhile, the threat landscape shifts faster every year — now at an exponential rate, thanks to AI — meaning that CISOs only have to deal with more risk as time passes. And, unfortunately, when a breach happens, whether it was the CISO’s fault or not, they are often scapegoated. 

With this pressure in mind, I always say educating the team about security is 90% of the battle. Fortunately, at Black Kite’s highest levels, I haven’t had to educate; rather, I’ve had partners who support my vision without hesitation. Again, this isn’t a luxury every business has. But it’s key to understand that culture and education lay the foundation for security.

In addition to this culture of security, the founders of Black Kite, as I mentioned earlier, believe deeply in security by design. Our CTO, in particular, brings a background as an “offensive” security practitioner to bear on his vision for Black Kite. Candan served as a network and security administrator and then a security manager for the government of Turkey. He also served as a Certified Ethical Hacker (CEH) for NATO, testing the security posture of many global organizations. 

As a co-founder of Black Kite, Candan has spearheaded the effort to ensure security across our culture, systems, and code. Black Kite’s software has been built with secure-by-design principles from the very beginning. And Candan and the rest of the executive team have been true partners to me, making my job easier because they already fully grasp the importance of what a CISO does.

Before I joined Black Kite (at the seed stage, so very early in the company’s journey), the team had already implemented measures like:

• Information security policies
• Multi-factor authentication
• Implementation of third-party risk monitoring (TPRM)

Candan and the team embraced these practices, not just because they were building a security platform but because they knew first-hand the repercussions of operating insecurely.

Black Kite and the CISA Secure by Design Pledge

As I mentioned, when we were invited to take the CISA Secure by Design Pledge, I had no hesitations. Here are the core aspects of the Secure by Design Pledge and how we implement them at Black Kite today:

1. Multi-Factor Authentication

The CISA pledge asks signers to implement MFA across as much of their environment as possible. At Black Kite, we have implemented and enforced MFA since 2017 via Google Authenticator. We enforce MFA for all federal clients and privileged accounts. Black Kite customers can also enable their personal MFA in conjunction with established MFA. 

Candan implemented MFA early on at Black Kite because of several career experiences. When he worked for the Counter Cyber Terrorism Task Force, he and the red teams there would often employ brute forcing to test defenses. When they found open, remote administrative ports, they would search the dark web for leaked credentials, then use those to gain access and attempt lateral movement.

MFA is a key countermeasure to prevent the success of similar attacks. Attackers need access to at least two different authentication sources to succeed with a brute-force attack. Authenticator tools are an ideal MFA component since their short-lived, one-time codes make it even harder for attackers to succeed with password-based attacks.

2. Default Passwords

Many development and production environments use default passwords. CISA’s pledge requires organizations to minimize the use of default passwords to close off this attack surface. Black Kite does not use default passwords in any development or production environments. All access is based on actual user accounts. 

This means even if a bad actor gained entry to a system, they could not use default passwords to expand their footprint within it. This quickly stops much of the fallout from a successful breach.

3. Reducing Entire Classes of Vulnerability

This pledge component involves improving vulnerability management to reduce risk over time.

Early on, Black Kite adopted the widely-known Patch Tuesday — implementing patches for known vulnerabilities on the second Tuesday of every month. When I joined the team, we expanded our countermeasures to include regular vulnerability scanning using several tools and services. 

In addition, our architecture team is working towards implementing least privilege access across the company and our product. We are also empowering developers to build more securely. We monitor our Jira ticketing system for vulnerabilities, and our metric for measuring reduction is a decline in tickets created.

4. Security Patches

By signing the pledge, organizations agree to work on increasing the use of patches by their customers and users. 

At Black Kite, our customers are responsible for performing systems security patching on their own platforms. To support them, Black Kite performs independent penetration testing on its code, and any identified defects are repaired in development and then released as patches.

5. Vulnerability Disclosure Policy

This part of the pledge requests teams to produce a vulnerability disclosure policy, permit anyone to disclose vulnerabilities without repercussions, provide a channel for reporting them, and allow public disclosure in line with global standards. 

Black Kite practices full disclosure with our customers. If Black Kite were to experience an intrusion, customers would have access to gather evidence. In my experience, this level of maturity is fairly rare for a company of our size and age. 

In addition, we have a Trust center, found at trust.blackkite.com, where anyone can learn more about our commitment to security and request a SOC 2 report or penetration test results. 

6. CVEs

CVEs, or common vulnerabilities and exposures, is a system used to identify and track vulnerabilities in software and systems. The pledge asks signers to demonstrate transparent reporting of vulnerabilities.

Black Kite identifies its own CVEs through independent penetration tests. While Black Kite does not publish its CVEs publicly, we do make our penetration test results available to customers on request.

Additionally, anyone can visit Black Kite’s Trust Center for more detailed security control and process information. Any stakeholder may request our SOC 2 report and proof of compliance with other well-known standards.

7. Evidence of Intrusions 

Finally, the CISA pledge calls on organizations to enable customers to gather evidence of intrusions within their products. At Black Kite, we fully embrace this level of transparency. Should an intrusion occur, we have a clear process in place that allows customers to collect relevant forensic data directly from our systems. This ensures they can take necessary action to protect their own environments.

In addition, Black Kite provides customers with access to detailed logs, incident reports, and audit trails upon request so they can perform their own incident investigations. We believe that empowering our customers with the right tools and information is essential to maintaining trust and ensuring that both parties can respond swiftly and effectively to any potential threats.

Startups and Security Maturity

While working at a startup or scale-up can sometimes be seen as a disadvantage when it comes to security, there are some unique advantages at play these days. For example, many investors now seek evidence of security policies and controls before funding companies. Customers are also increasingly savvy about security, in part due to measures like CISA’s pledge. In other words, there are many incentives today to “do the right thing” regarding security. 

One of the other major advantages that startups and scale-ups have is their ability to build security processes from the ground up rather than retrofitting them into legacy systems. Startups can often move more quickly to adopt new security technologies and practices without being slowed down by outdated infrastructures or bureaucratic hurdles. At Black Kite, we took full advantage of this agility. From day one, security wasn’t just something we added on after our product matured—it was a core part of our design and architecture.

As a third-party vulnerability management platform, Black Kite’s customers naturally request to see proof of our own security posture. We make this available through our Trust Center, where customers can access critical resources, including our SOC 2 Type II report, ISO 27001:2022 certificate, and a summary of penetration tests. Additionally, our platform leverages trusted subprocessors like Google Cloud to ensure the highest levels of data protection.

Black Kite’s Trust Center also showcases our extensive security controls, including encryption, access restrictions, and disaster recovery plans, all of which are updated regularly to reflect our ongoing commitment to secure operations. This transparency allows our customers to verify our security posture and gives them confidence that we’ve built our platform with secure-by-design principles from the very beginning.

As a CISO, I feel fortunate to be part of a scale-up business that takes security seriously. While signing the CISA pledge is neither the beginning nor the end of our security efforts, it’s an important way to join forces with other organizations and demonstrate our shared commitment to security.

Visit our Trust Center to learn more about our security practices, access compliance certifications like SOC 2 and ISO 27001, and review key resources like our Pentest Summary and Information Security Policy. You can also explore our security controls and infrastructure details or request access to additional documentation of our commitment to transparency and secure-by-design principles.

The post Built to Protect: The Importance of Security by Design in TPRM appeared first on Black Kite.

Written By: Ferdi Gül
Contributor: Ferhat Dikbiyik

Welcome to this week’s edition of Focus Friday, where we dive into critical vulnerabilities affecting the third-party ecosystem from a Third-Party Risk Management (TPRM) perspective. As organizations face mounting pressure to manage vulnerabilities swiftly and effectively, identifying and addressing these threats becomes crucial for maintaining cybersecurity resilience. In today’s blog, we will explore significant vulnerabilities affecting widely used platforms like Zimbra, DrayTek Routers, Authentik, and Octopus Deploy. These vulnerabilities pose significant risks, potentially allowing unauthorized access, remote command execution, and data breaches. We’ll provide actionable insights and discuss how TPRM professionals can leverage Black Kite’s FocusTags™ to mitigate these risks effectively.

CVE-2024-45519: Zimbra Remote Command Execution Vulnerability

What Is the Zimbra Remote Command Execution Vulnerability?

CVE-2024-45519 is a critical vulnerability in the Zimbra Collaboration Suite that allows unauthenticated attackers to execute arbitrary commands remotely on unpatched Zimbra servers. This vulnerability is caused by improper sanitization of user input within the postjournal service, where the ‘popen’ function is used to construct and execute commands from SMTP recipient addresses. Attackers can exploit this flaw by sending specially crafted SMTP messages that inject malicious commands, leading to unauthorized remote command execution.

The vulnerability, discovered in September 2024, has a high CVSS score of 9.0, marking it as a severe threat. Although no active exploitation has been reported, researchers demonstrated PoC exploits capable of compromising the entire system. This vulnerability has not yet been added to CISA’s Known Exploited Vulnerabilities catalog, but it poses a significant risk if left unpatched. The vulnerability in Zimbra Collaboration could potentially be exploited by attackers with the right tools and knowledge, as Zimbra has been a frequent target for malicious actors.

Why Should TPRM Professionals Care About the Zimbra Vulnerability?

TPRM professionals should pay close attention to this vulnerability due to the critical role that Zimbra plays in email communication and collaboration for many organizations. An attack on this platform can lead to unauthorized access to sensitive emails and files, installation of malware, and further attacks on internal systems. The remote nature of the attack and the unauthenticated access make it particularly dangerous, as threat actors can exploit vulnerable Zimbra instances without any prior credentials.

In addition, Zimbra has historically been a target for malicious actors, increasing the likelihood that threat actors will attempt to leverage CVE-2024-45519 in future campaigns. The potential for full system compromise makes this a high-priority vulnerability for vendor risk management.

What Questions Should TPRM Professionals Ask Vendors About the Zimbra Vulnerability?

To address the risk posed by CVE-2024-45519, TPRM professionals should ask the following questions:

1. Have you applied the latest security patches to Zimbra Collaboration Suite, specifically versions 9.0.0 Patch 41, 10.0.9, 10.1.1, or 8.8.15 Patch 46?
2. Have you disabled the postjournal service if it is not required in your Zimbra environment? If so, what procedures have been followed to ensure this service is not in use?
3. Are input sanitization rules and filtering mechanisms in place to prevent the execution of dangerous SMTP commands?
4. What monitoring and detection measures are implemented to identify potential exploitation attempts via SMTP?

Remediation Recommendations for Vendors Subject to This Risk

Vendors with Zimbra installations should follow these remediation steps to mitigate the risk of CVE-2024-45519:

• Patch immediately: Update to the latest versions of Zimbra Collaboration Suite, which include critical fixes.
• Disable unnecessary services: If the ‘postjournal’ service is not required, disable it using the appropriate Zimbra configuration commands.
• Enforce input validation: Apply strong input sanitization to SMTP commands to prevent malicious injections.
• Monitor SMTP traffic: Set up continuous monitoring for unusual or malicious SMTP activity that could indicate exploitation attempts.
• Network segmentation: Implement network segmentation to limit lateral movement if a Zimbra system is compromised.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite helps TPRM professionals quickly identify vendors potentially affected by CVE-2024-45519. The FocusTag for Zimbra was published on September 30, 2024, providing users with critical intelligence about vulnerable Zimbra assets within their vendor ecosystem. This intelligence includes IP addresses and subdomains that are associated with vulnerable Zimbra servers.

CVE-2020-15415: DrayTek Routers Remote Code Execution Vulnerability

What Is the DrayTek Routers Remote Code Execution Vulnerability?

CVE-2020-15415 is a critical remote code execution vulnerability impacting DrayTek Vigor3900, Vigor2960, and Vigor300B routers. This vulnerability arises from improper validation of filenames with shell metacharacters during the upload of configuration files via the WebUI endpoint cgi-bin/mainfunction.cgi/cvmcfgupload. By exploiting this flaw, attackers can send specially crafted HTTP POST requests that allow them to execute arbitrary commands on the affected devices, potentially compromising the entire system.

With a CVSS score of 9.8, this vulnerability is categorized as critical. The EPSS score is 94.31%, indicating a notable chance of exploitation. The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog on September 30, 2024, highlighting its severity and risk of exploitation in the wild. Proof-of-concept exploits are available, increasing the likelihood of malicious actors targeting vulnerable systems.

Why Should TPRM Professionals Care About the DrayTek Routers Vulnerability?

DrayTek routers play a significant role in network infrastructure for businesses, providing remote access and connectivity across multiple devices. A remote code execution vulnerability on these devices could lead to unauthorized access, data exfiltration, and complete system compromise. Given that these routers may be deployed in critical business environments, the impact of a breach could extend beyond the initial router, leading to further network infiltration or exploitation of connected systems.

For TPRM professionals, ensuring that vendors using DrayTek routers are secured against CVE-2020-15415 is vital to preventing unauthorized access to critical data or systems. Exploitation could enable attackers to carry out further attacks, such as malware installation or network manipulation.

What Questions Should TPRM Professionals Ask Vendors About the DrayTek Routers Vulnerability?

To mitigate the risk associated with CVE-2020-15415, TPRM professionals should consider asking vendors the following questions:

1. Have you applied the firmware update released by DrayTek for Vigor3900, Vigor2960, and Vigor300B routers to address CVE-2020-15415?
2. Are you limiting remote administrative access to trusted IP addresses using an Access Control List (ACL)?
3. Have you disabled remote administration on affected devices if it is not necessary?
4. What monitoring procedures are in place to detect any unusual or malicious activity on your DrayTek routers?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using DrayTek routers should follow these remediation steps:

• Firmware Update: Upgrade to the latest firmware (1.5.1.1 or later) to patch the vulnerability.
• Disable Remote Access: If immediate upgrading is not feasible, disable remote access to the affected routers or restrict access using ACLs.
• Use Secure Remote Administration: Switch to secure methods such as VPN or VigorACS for remote device administration.
• Monitor Device Activity: Regularly monitor traffic and system logs for unusual activity that may indicate an attempted or successful exploit.
• Regular Firmware Checks: Ensure that firmware is kept up to date across all DrayTek devices to mitigate exposure to future vulnerabilities.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite provides valuable insights by identifying vendors using potentially vulnerable DrayTek routers affected by CVE-2020-15415. The FocusTag for DrayTek routers was published on September 30, 2024, offering actionable intelligence on vulnerable assets, including device IP addresses and configurations. By leveraging this data, TPRM professionals can quickly narrow down at-risk vendors and prioritize outreach to those most vulnerable to attack.

CVE-2024-47070: Authentik Authentication Bypass Vulnerability

What Is the Authentik Authentication Bypass Vulnerability?

CVE-2024-47070 is a critical vulnerability in Authentik, an open-source Identity Provider (IdP) and Single Sign-On (SSO) platform. The flaw exists due to improper handling of the X-Forwarded-For HTTP header in reverse proxy setups. Attackers can manipulate this header by sending an unparsable value (e.g., “a”), which tricks Authentik into bypassing password authentication policies. This allows unauthorized access to user accounts if the attacker knows the login or email address, bypassing the need for the correct password.

This vulnerability has a CVSS score of 9.0, marking it as critical. It affects Authentik versions up to and including 2024.8.2 and 2024.6.4. While no active exploitation or PoC has been publicly released, the risk remains significant, especially in environments where Authentik is accessible without a properly configured reverse proxy.

Why Should TPRM Professionals Care About the Authentik Vulnerability?

TPRM professionals should be highly concerned about CVE-2024-6386 due to its potential impact on WordPress sites using the WPML plugin. WordPress is a widely adopted content management system, and any vulnerability that allows for remote code execution poses a substantial risk. An attacker exploiting this vulnerability could gain unauthorized control over a website, execute malicious code, manipulate content, steal sensitive data, or even deface the site. In environments where WordPress sites are used for critical business functions, such a compromise could lead to significant data breaches, reputational damage, and operational disruptions. It is crucial for TPRM professionals to ensure that their vendors using WordPress and the WPML plugin are aware of this vulnerability and have implemented appropriate measures to mitigate the risk.

What Questions Should TPRM Professionals Ask Vendors About the Authentik Vulnerability?

To address the risk posed by CVE-2024-47070, TPRM professionals should ask vendors the following questions:

1. Have you upgraded to Authentik version 2024.6.5 or 2024.8.3 to address CVE-2024-47070?
2. Is your reverse proxy correctly configured to set valid X-Forwarded-For headers, ensuring that this vulnerability cannot be exploited?
3. What measures are in place to monitor and detect suspicious activity related to authentication bypass attempts in your system?
4. Have you disabled direct internet exposure of Authentik where possible, or applied proper access controls if external access is required?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using Authentik should follow these remediation steps:

• Apply Patches: Upgrade to Authentik versions 2024.6.5 or 2024.8.3, which include the fixes for CVE-2024-47070.
• Configure Reverse Proxy: Ensure that the reverse proxy is set to properly handle and validate the X-Forwarded-For header.
• Limit Direct Exposure: Avoid exposing Authentik directly to the internet without a secure reverse proxy configuration.
• Manual Workaround: If patching is not immediately possible, set the “Failure result” option on policy bindings to “Pass” to prevent authentication policy bypass, though this is a temporary and less secure workaround.
• Monitor Traffic: Continuously monitor network and authentication logs for unusual activities that may indicate exploitation attempts.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite enables TPRM professionals to swiftly identify vendors using vulnerable versions of Authentik through its FocusTag system. The FocusTag for Authentik was published on October 1, 2024, providing comprehensive intelligence on at-risk vendors, including specific vulnerable assets. With this information, TPRM teams can prioritize remediation efforts, focusing on vendors using outdated or misconfigured Authentik systems.

CVE-2024-9194: Octopus Deploy SQL Injection Vulnerability

What Is the Octopus Deploy SQL Injection Vulnerability?

CVE-2024-9194 is a high-severity SQL injection vulnerability in Octopus Server. This vulnerability is due to improper parameter handling within the REST API, which allows attackers to execute arbitrary SQL commands. By exploiting this flaw, attackers could gain unauthorized access to the database, potentially exposing sensitive project data and deployment configurations.

This vulnerability has a CVSS score of 8.7. Although there is no active exploitation or available PoC, the critical nature of SQL injection vulnerabilities makes this a significant concern. The vulnerability was discovered in October 2024, and organizations using affected versions of Octopus Server are strongly advised to prioritize patching.

Why Should TPRM Professionals Care About the Octopus Deploy Vulnerability?

SQL injection vulnerabilities can have a significant impact on an organization, as they may allow attackers to access or manipulate sensitive data. Octopus Server is commonly used to manage application deployments, and unauthorized access to its configurations could lead to major disruptions in the deployment process. Additionally, sensitive data related to projects and infrastructure could be exposed.

For TPRM professionals, this vulnerability poses a risk to any vendors relying on Octopus Deploy for their DevOps and deployment workflows. Unauthorized access to these systems could result in data leakage, malicious code injection, or compromised deployments, which could directly impact business operations.

What Questions Should TPRM Professionals Ask Vendors About the Octopus Deploy Vulnerability?

To mitigate the risks associated with CVE-2024-9194, TPRM professionals should ask vendors the following questions:

1. Have you upgraded to the fixed versions of Octopus Server (2024.1.13038, 2024.2.9482, or 2024.3.12766) to address CVE-2024-9194?
2. If patching is not immediately possible, have you disabled the “Guest” feature to reduce the risk of exploitation?
3. What measures are in place to monitor and log database access for unusual or suspicious activity?
4. How are you ensuring the security of deployment configurations to prevent unauthorized access or modification?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using Octopus Deploy should follow these remediation steps:

• Apply Patches: Upgrade to the fixed versions (2024.1.13038, 2024.2.9482, or 2024.3.12766) as soon as possible to mitigate the vulnerability.
• Disable Guest Access: Temporarily disable the “Guest” feature if patching is not immediately feasible.
• Monitor Database Access: Implement continuous monitoring of database logs and activities to detect any unusual access patterns.
• Review Deployment Security: Regularly review and update deployment configurations to ensure they are secure and inaccessible to unauthorized users.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite provides detailed intelligence on vendors affected by CVE-2024-9194, helping TPRM professionals identify and prioritize remediation efforts. The FocusTag for Octopus Deploy was published on October 2, 2024, offering insights into vulnerable assets, including details about affected versions and system configurations. This allows organizations to quickly assess their third-party risks and focus on ensuring that vendors using Octopus Deploy have patched their systems.

Black Kite’s asset-based approach enables TPRM teams to operationalize this data, reducing the time and effort needed to address the vulnerability. By providing specific asset information, Black Kite makes it easier for professionals to take immediate action to mitigate the risks posed by this SQL injection vulnerability.

Maximizing TPRM Effectiveness With Black Kite’s FocusTags™

In the ever-evolving cybersecurity landscape, Black Kite’s FocusTags™ are instrumental in enhancing Third-Party Risk Management (TPRM) strategies. By offering real-time insights into emerging vulnerabilities, these tags enable TPRM professionals to stay ahead of potential risks and make informed decisions regarding vendor security.

Here’s how Black Kite’s FocusTags™ empower organizations to effectively manage vulnerabilities like those in Zimbra, DrayTek Routers, Authentik, and Octopus Deploy:

• Dynamic Risk Identification: Instantly highlight vendors impacted by critical vulnerabilities, allowing for rapid response and mitigation efforts.
• Risk-Based Prioritization: Enable the prioritization of vulnerabilities based on the severity of the risk and the importance of the affected vendors, ensuring resources are allocated efficiently.
• Enhanced Vendor Engagement: Provide TPRM teams with the necessary tools to engage vendors in meaningful discussions about their security posture and remediation strategies.
• Strengthening Cybersecurity Posture: Deliver a comprehensive view of the current threat landscape, supporting the development of stronger and more adaptive cybersecurity strategies.

By transforming complex vulnerability data into actionable intelligence, Black Kite’s FocusTags™ make it easier for organizations to tackle critical vulnerabilities and safeguard their third-party ecosystems. With real-time updates and deep insights into vendor exposures, Black Kite helps TPRM professionals mitigate risks proactively and effectively.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

• Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
• DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
• Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
• Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
• pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
• Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
• Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.
• PAN-OS Cleartext: CVE-2024-8687, Cleartext Exposure Security Flaw in PAN-OS, GlobalProtect, Prisma Access.
• FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow.
• WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin
• SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls
• Dahua IP Camera: CVE-2021-33045, CVE-2021-33044, Critical Authentication Bypass Vulnerabilities in Dahua IP Camera Systems
• Microsoft Privilege Escalation Vulnerability: CVE-2024-38193, CVE-2024-38106, CVE-2024-38107, Critical Privilege Escalation Vulnerabilities in Microsoft Windows
• SolarWinds WHD: CVE-2024-28986, Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk
• Zimbra LFI: CVE-2024-33535, Local File Inclusion Vulnerability in Zimbra Collaboration Suite
• Exchange Server RCE: CVE-2021-31196, CVE-2021-34473, Remote Code Execution Vulnerabilities in Microsoft Exchange Server

References

https://nvd.nist.gov/vuln/detail/CVE-2024-45519

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://blog.projectdiscovery.io/zimbra-remote-code-execution

https://github.com/p33d/CVE-2024-45519

https://nvd.nist.gov/vuln/detail/CVE-2020-15415

https://www.draytek.co.uk/support/security-advisories/kb-advisory-jun20

https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-remote-code-injection/execution-vulnerability-(cve-2020-14472)

https://github.com/CLP-team/Vigor-Commond-Injection

https://nvd.nist.gov/vuln/detail/CVE-2024-47070

https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7

https://advisories.octopus.com/post/2024/sa2024-09

https://nvd.nist.gov/vuln/detail/CVE-2024-9194

The post FOCUS FRIDAY: THIRD-PARTY RISK INSIGHTS ON ZIMBRA, DrayTek ROUTERS, AUTHENTIK, AND OCTOPUS DEPLOY VULNERABILITIES appeared first on Black Kite.

Written by: Gizem Toprak & Müzeyyen Gökçen Tapkan

What is OSFI?

The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada that is responsible for the supervision and regulation of banks, insurance companies, and trust and loan companies. OSFI reports to the Canadian Minister of Finance.

The Role of OSFI in Financial Regulation

Supervision of Financial Institutions

OSFI supervises financial institutions through regular reviews, risk assessments and ongoing monitoring. It allows OSFI to detect potential risks early and take corrective measures to reduce them. By maintaining strict oversight, OSFI increases confidence in the financial system by ensuring that financial institutions operate safely and comply with regulatory requirements.

Setting Regulatory Standards

OSFI sets regulatory standards to ensure the stability, efficiency and resilience of Canada’s financial sector. These standards cover a wide range of areas such as capital adequacy, corporate governance and risk management. By establishing clear and comprehensive guidelines, OSFI contributes to the overall stability of the financial system by helping financial institutions effectively manage their risks and maintain strong financial health.

Crisis Management

OSFI plays a critical role in crisis management by implementing contingency plans and coordinating with other regulatory agencies. OSFI’s crisis management framework includes early intervention measures and resolution strategies to address challenges faced by troubled financial institutions. This proactive approach helps reduce the impact of financial crises, protect the interests of depositors and policyholders, and maintain confidence in the financial system.

Enforcement

OSFI’s enforcement activities ensure that financial institutions comply with regulatory standards and operate within the legal framework. This involves investigating potential violations, imposing penalties, and taking corrective actions against non-compliant entities. Through diligent enforcement, OSFI upholds the integrity of the financial system, deters misconduct, and promotes a culture of accountability and transparency within the financial sector.

OSFI-B13: Cybersecurity and Technology Risk

OSFI B-13 guidance to help Federally Regulated Financial Institutions (FRFIs) mitigate cybersecurity and technology risks. OSFI B-13 introduces new management requirements for the organizational structure of IT departments, encompassing all operational units and technology control owners. The guidance mandates that financial institutions develop a clear cybersecurity strategy that aligns with their overall organizational strategy. Additionally, it emphasizes the need to assess third-party vendor risk and integrate cybersecurity practices into their project management and systems development lifecycles.

Key Highlights of OSFI-B13

Cyber Security

Will employ a secure technology posture that protects the confidentiality, integrity and availability of FRFI’s technology assets.

Governance and Oversight

It requires FRFI’s to manage technology and cyber risks through clear responsibilities and frameworks.

Technology Operations and Resilience

FRFI’s technology environment is expected to be maintained “up to date” and supported by sustainable technology operating processes.

OSFI-B10 and Third-Party Risk Management

OSFI B-10 aims to expand the definition of third parties to include any person or entity that has a relationship with your financial institution, such as sponsors, spokespeople, or charities. This significantly impacts the way organizations identify, assess and mitigate third-party risks. It also addresses the risk of concentration and requires organizations to evaluate the risk of relying on a single vendor for multiple services both before and during the deal. This assessment helps determine appropriate risk mitigation levels. Calls for standardization of contracts to clearly define and manage relationships with third parties.

Key Highlights of OSFI – B10

Third Parties

It calls for standardized contracts to reduce potential risks associated with third-party relationships.

Risk Assessment

Risk assessment ensures that organizations remain alert and can promptly resolve any issues that arise with third-party service providers.

Due Diligence

This includes assessing the regulatory compliance and overall risk profile of third-party service providers.

Third-Party Risk Management Framework (TPRMF)

Most federally regulated financial institutions (FRFIs) have policies addressing specific third-party regulations, such as outsourcing and auditing, but often lack an integrated third-party risk management framework (TPRMF). The revised OSFI B-10 requires FRFIs to develop a TPRMF to assess, risk rate, classify, and manage all third-party relationships across the enterprise. This framework should cover the entire lifecycle of third-party orchestrations, from sourcing to exit; It should enable FRFIs to identify, assess, manage, mitigate, monitor and report third-party risks, including concentration risk, which is difficult to manage in a single environment.

How Similar Are OSFI B-13 and NIST CSF ?

Scope

• OSFI B-13 Mandatory for Canadian financial institutions; highly specific to the financial sector.

• NIST CSF Voluntary and intended for use by organizations in any sector globally.

Compliance

• OSFI B-13 Sets out mandatory requirements for compliance with Canadian financial regulations.

• NIST CSF Provides guidelines and best practices without mandatory compliance requirements, although it can be adapted to meet regulatory needs.

Structure

• OSFI B-13 Prescriptive and detailed, with specific requirements for governance, risk assessment, incident response, and third-party management.

• NIST CSF Structured around five core functions (Identify, Protect, Detect, Respond, Recover) and is designed to be flexible and adaptable.

Strategy

• OSFI B-13 Requires alignment of cybersecurity strategy with the overall business strategy of financial institutions.

• NIST CSF Encourages integration of cybersecurity into organizational risk management processes but is more flexible regarding how this is achieved.

Vendor and Third-Party Risk Management

• OSFI B-13 Specifically addresses the need for assessing and managing third-party vendor risks in detail.

• NIST CSF Includes third-party risk management as part of its broader risk management guidelines but is less prescriptive.

Conclusion: Strengthening Financial Institutions Through Comprehensive Risk Management

In conclusion, OSFI’s B-10 and B-13 guidelines are critical frameworks for ensuring the safety, resilience, and compliance of Canadian financial institutions in today’s increasingly complex and interconnected digital landscape. By addressing both technology and third-party risks, these regulations empower financial institutions to take a proactive approach to risk management. While OSFI B-13 focuses heavily on cybersecurity and the integration of IT practices into broader business strategies, OSFI B-10 sharpens its lens on third-party relationships, urging financial institutions to establish robust frameworks for managing vendor risks. Together, these guidelines not only strengthen the operational integrity of financial institutions but also reinforce the confidence of stakeholders, ensuring the long-term stability of Canada’s financial system. As regulatory landscapes continue to evolve, financial institutions that align their practices with these standards will be better equipped to navigate risks and maintain resilience in the face of emerging challenges.

How Black Kite Can Help with AI

Black Kite’s UniQuE™ Parser, the industry’s first cyber-aware AI engine, enables organizations to automate the extraction and analysis of vendor contracts and security documentation, ensuring compliance with regulatory requirements while saving time and resources. You can quickly identify gaps, evaluate vendor alignment with OSFI guidelines, and gain a complete, centralized view of your third-party risk landscape. Learn more about automating compliance.

The post Understanding OSFI B-10 and B-13 For Financial Institutions appeared first on Black Kite.