
Latest SEC Cyber Rules Raise 'Head Scratching' Breach Disclosures


The Securities and Exchange Commission's recently implemented cybersecurity regulations have prompted some breach disclosures from publicly traded firms, such as Microsoft and Hewlett Packard Enterprise.

Among other things, the guidelines mandate that a "material" cybersecurity event be reported to the SEC within four days of its classification as such. The SEC states that they were meant to give investors timely and “decision-useful” cybersecurity information; nevertheless, experts point out that several of the early disclosures only included rudimentary breach details, raising significant concerns that remain unaddressed.

"Some of these disclosures, I think, are question-begging," said Scott Kimpel, a partner at Hunton Andrews Kurth. "They just provide us with superficial, newsworthy details about the occurrence."

SEC disclosure for companies: What does it mean?

Companies must assess an incident's materiality "without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination," according to SEC regulations.

The incident's "material impact or reasonably likely material impact," as well as its material features of nature, scope, and chronology, must all be disclosed.

"Norms have not yet been established because we're early in the process," stated Richard Marcus, head of information security at cloud-based risk management startup AuditBoard. Therefore, companies ask themselves, "How much can I get away with here? What exactly are my stockholders hoping to get? I believe that businesses are benchmarking against each other quite a bit."

Without mentioning any particular businesses, Kimpel claimed that some have submitted puzzling incident disclosures, in which they discuss a breach that hasn't yet had a major impact on their business operations and might or might not ultimately have a material impact on their financial situation. 

According to Kimpel, one argument is that these businesses might be disclosing a breach that they considered significant from a "qualitative" as opposed to a "quantitative" standpoint. Financial injury is one type of qualitative material impact, he said, while reputational harm and the possibility of future legal or regulatory problems are among the "almost endless list of possibilities" that make up quantitative material consequences.

Small companies exempted

Except for smaller reporting companies, all covered firms had to abide by the revised breach disclosure requirements as of December 18. As of June 5, smaller reporting organizations will have to comply with them.

Microsoft revealed in an Item 1.05 Form 8-K filing in January that a "nation-state associated threat actor" had obtained access to and exfiltrated data from a "very small percentage" of employee email accounts, comprising staff members in the company's legal, cybersecurity, and senior leadership teams, among other departments.

Among the businesses that have used similar language in breach disclosures submitted to the SEC following the new cybersecurity regulations are HP Enterprise and Prudential Financial.

What next?

As the Wall Street Journal reported in January, Microsoft notified the SEC of the breach even though, at the time of its regulatory filing, the company's investigation had not revealed any consequences that would have exceeded the agency's material damage criteria. As quoted in the Journal article, the company said: "But because the law is so new, we wanted to make sure we honor the spirit of the law."

According to Kimpel, SEC filings may create investor confusion when businesses disclose breaches that don't seem to be as serious as they claim, sometimes without explaining their actions.

HP's Defense From Emerging Cybercrime

Cybersecurity is constantly evolving, so cybercrime's scope and consequences have grown significantly over time. Cybersecurity is a concern in the workplace and at the highest levels of government given the rise of ransomware.

With defined supply chains and markets, the cybercrime business has undergone a major shift toward a more professional and industrialized model. According to HP's senior malware expert Alex Holland, cybercrime has grown into a significant industry. Moreover, HP's study found that the dark web encourages cybercriminals to cooperate, exchange goods, support one another's operations, and even profit from them.

For firms, one of the urgent concerns in this transforming landscape has been supporting staff throughout the pandemic and after it, with the advent of hybrid work. "That's generated a lot of issues for organizations because they need to set up their devices remotely, manage their devices remotely, and we realize that endpoint visibility - in terms of security and identifying threats - has been a concern for the enterprise. Enterprises must also be able to defend against and recover from such attacks, should the worst happen," Holland adds.

Additionally, the blurring of the boundary between an employee's personal and professional lives creates significant risk for organizations. According to research HP published in May, 71% of employees say they use computers at home more frequently and to access more company data. Office workers are also increasingly using their work devices for personal tasks such as checking their email; in fact, 70% of them admit to doing so.

"We notice that work devices are being used for risky tasks like opening webmail. Email is effectively a direct line into the organization, as we continually observe from the data we examine in my team. Once an endpoint has been taken over, an attacker is free to move about or do a lot of harm," Holland says.

Holland says HP wants to combat these threats by building security into hardware, backed by the Endpoint Security Controller chip. This secure-by-design strategy depends on a solid framework and system integrity verification. The manufacturer offers a wide range of security mechanisms, including firmware security, in-memory malware detection, and isolation of risky tasks.

On the other side of the problem, configuring devices before they are shipped to employees, HP offers services that deliver a firm's desired security configuration straight from the manufacturing line.

HP Bug Left Unpatched for a Year

Six high-severity software flaws in HP products used in enterprise settings have been known since July 2021; they give rise to a range of vulnerabilities and are not yet patched.

Firmware defects are extremely dangerous because they can result in malware infections that persist even after an OS re-installation, or enable long-term breaches that regular security tooling would not detect.

Although some of the weaknesses were made public by Binarly at Black Hat 2022 a month ago, the manufacturer hasn't delivered security upgrades for all afflicted models, leaving many customers vulnerable to attacks.

Binarly contributed to the resolution of six serious flaws that affect not only these devices but also numerous other HP product lines. The disclosure, coordinated with the HP PSIRT team (HPSBHF03806), details arbitrary code execution flaws linked to System Management Mode (SMM).

SMM is a component of the UEFI firmware, which offers system-wide features including power management and low-level device control. Since this SMM sub-system has greater privileges than the operating system kernel (ring 0), vulnerabilities affecting the SMM can render security mechanisms ineffective.

According to Binarly, HP has not fixed the following six vulnerabilities for months:
  • CVE-2022-23930 - Stack-based buffer overflow resulting in unauthorized code execution. CVSS v3 score: 8.2 (High)
  • CVE-2022-31644 - Out-of-bounds write on CommBuffer, which permits evading some validation. CVSS v3 score: 7.5 (High)
  • CVE-2022-31645 - Out-of-bounds write on CommBuffer due to failure to verify the size of the pointer given to the SMI handler. CVSS v3 score: 8.2 (High)
  • CVE-2022-31646 - Out-of-bounds write via the direct memory manipulation API, which can result in privilege elevation and arbitrary code execution. CVSS v3 score: 8.2 (High)
  • CVE-2022-31640 - Inadequate input validation gives attackers control over the CommBuffer data and creates a conduit for unauthorized changes. CVSS v3 score: 7.5 (High)
  • CVE-2022-31641 - Callout vulnerability in the SMI handler that allows arbitrary code execution. CVSS v3 score: 7.5 (High)

Patch updates

HP has posted three security advisories acknowledging the vulnerabilities and released an equal number of BIOS updates to remedy the problems for some of the vulnerable models; thin client PCs were the exception, receiving security updates on August 9, 2022.

While CVE-2022-31640 and CVE-2022-31641 were fixed in August, the most recent update was released on September 7, 2022, and many HP workstations remain vulnerable. CVE-2022-23930 was patched on all affected systems in March 2022.

The BIOS is a crucial component that guarantees compatibility between updated software and legacy hardware. Before installing Windows 10, make certain that your computer has the most recent BIOS installed.

The Windows update may fail and roll back due to an outdated graphics driver. Before beginning the update procedure, it is advised to check and make sure the most recent Graphics drivers are installed on your computer.


HP Fixes UEFI Flaws Affecting 200+ Computers

HP released updates for two high-severity flaws in the UEFI firmware of more than 200 laptops, workstations, and other products on Wednesday. 

CVE-2021-3808 and CVE-2021-3809 are the two flaws, which have a CVSS score of 8.8. HP credited Aruba Threat Labs' Nicholas Starke and a researcher going by the online handle "yngweijw" with reporting the issues but did not disclose technical details on either of the flaws. 

The company did, however, provide a list of affected products, which includes a variety of corporate notebooks and desktop PCs, as well as desktop workstations, retail point-of-sale devices, and thin client PCs. 

“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory. 

According to Starke, HP took almost six months to fix CVE-2021-3809, the issue he disclosed. He adds that the flaw lies in an SMI (System Management Interrupt) handler called from System Management Mode (SMM), a highly privileged x86 processor execution mode. The SMI handler, according to Starke, can be triggered from a kernel execution context such as a Windows kernel driver, enabling an attacker to determine the memory location of a specific function and overwrite it in physical memory so that it points to attacker code.

“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks,” Starke added.

While the majority of the vulnerable devices have already received firmware updates, a handful have yet to receive them. Users can check HP's advisory for more information on the impact and updates. HP also released notices this week describing the updates Intel has released to address several firmware and software vulnerabilities affecting its CPUs and chipsets, as well as HP products.

HPE: Sudo Flaw Grants Attackers Root Privileges to Aruba Platform

A vulnerability in Sudo, open-source software used within HPE's Aruba AirWave management platform, can enable any unprivileged and unauthorized local user to acquire root privileges on a vulnerable host, Hewlett Packard Enterprise (HPE) has warned.

According to a recent HPE security advisory, the Sudo vulnerability may be part of a "chained attack." An attacker gains a foothold with fewer rights via another flaw and then exploits this to escalate privileges. 

The Aruba AirWave management platform for wired and wireless infrastructures is HPE's real-time monitoring and security alerting system. In January, researchers at Qualys discovered the Sudo issue (CVE-2021-3156) and believe it affects millions of endpoint devices and systems.

According to the Sudo license, "Sudo is software used by various platforms that allows a system admin to delegate authority to give particular users (or groups of users) the ability to run some (or all) commands as root or another user."

Mehul Revankar, Qualys' VP of Product Management and Engineering, defined the Sudo bug as "perhaps the most significant Sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years" in a research note at the time it was discovered. 

HPE officially reported the issue last week, stating that it affected AirWave management platform versions prior to 8.2.13.0, released on June 18, 2021.

According to the security bulletin, “A vulnerability in the command line parameter parsing code of Sudo could allow an attacker with access to Sudo to execute commands or binaries with root privileges.” 

The Sudo vulnerability has been named "Baron Samedit" by Qualys researchers, who say the flaw was introduced into the Sudo code in July 2011. The problem was first thought to primarily affect Linux and BSD operating systems, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).

Since then, further security advisories have been issued by other companies. HPE isn't the first company to report a Sudo dependency in its code, and it probably won't be the last. 

However, in February, an Apple security advisory warned that the Sudo vulnerability was present in macOS (macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6). Following the announcement, Apple released a Sudo patch (Sudo version 1.9.5p2) to fix the vulnerability. 

Mitigate The Risk

According to experts, the flaw may be exploited to carry out privilege escalation attacks in the context of the Aruba AirWave management platform. Sudo's flaw is a heap-based buffer overflow that allows any local user to trick Sudo into running in shell mode.

Researchers explain that when Sudo is executed in shell mode, it "escapes special characters in the command's parameters with a backslash." Then, "a policy plug-in eliminates any escape characters before deciding on the Sudo user's permissions."

Users should upgrade to version 8.2.13.0 or above of HPE's AirWave management platform to mitigate the risk, according to HPE. Sudo issued a fix earlier this year as well. For HPE AirWave, a technical mitigation is also available:

“To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above,” as per HPE.

HP Enterprise Suffers Critical Bug, Requests Users To Update

Experts had already warned that unpatched versions of HPE's (Hewlett Packard Enterprise) Edgeline Infrastructure Manager were vulnerable to a remote authentication bypass. HPE is asking its customers to patch the application management software, as the flaw lets attackers launch a remote authentication bypass attack and gain access to a customer's cloud infrastructure. The bug, with a CVSS score of 9.8, is rated critical. It affects all versions of HPE's EIM (Edgeline Infrastructure Manager) prior to version 1.21.

HPE's edge computing management suite, EIM, is two years old. Users are advised to immediately install HPE EIM AV1.22 or later, which fixes the bug. In a recently posted security bulletin, the HPE Product Security Response Team wrote: "a security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to the execution of arbitrary commands, gaining privileged access, causing a denial of service, and changing the configuration."

About the bug 

The remote authentication bypass stems from how HPE handles password resets for admin accounts. When a user logs in for the first time with the default password of an active administrator account, they are asked to change the account's password; this is done by sending a request to the URL redfish/v1/SessionService/ResetPassword/1. But even after the password has been changed, a remote attacker can use the same URL to change the administrator account's password again. The attacker then simply logs in with the updated admin password by sending a request to a URL.

After that, attackers can change the password of the OS root account by sending a request to the URL /redfish/v1/AccountService/Accounts/1. "It allows the attacker to SSH to the EIM host as root. SSH stands for Secure Shell or Secure Socket Shell and is a network protocol that is most often used by system administrators for remote command-line requests, system logins, and also for remote command execution," Threatpost reports. Cybersecurity firm Tenable has also published a proof of concept for the attack.
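The two Redfish endpoints named above are the ones a defender would want watched. The following is an added example, not code from HPE, Tenable or the original post: it runs a small detection over constructed web-server access-log lines for an EIM host and flags account-management writes that come from outside an assumed management network, or a second successful password reset after the one the first-login flow legitimately performs. The log lines, the 10.0.0.0/24 management network and the "common" log format are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample access log (Apache/NGINX "common" format). These lines are
# invented for this example; they are not real HPE or customer logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2021:09:00:01 +0000] "POST /redfish/v1/SessionService/ResetPassword/1 HTTP/1.1" 200 120
10.0.0.5 - - [01/May/2021:09:00:05 +0000] "GET /redfish/v1/Systems HTTP/1.1" 200 2048
203.0.113.77 - - [03/May/2021:23:14:02 +0000] "POST /redfish/v1/SessionService/ResetPassword/1 HTTP/1.1" 200 120
203.0.113.77 - - [03/May/2021:23:14:20 +0000] "PATCH /redfish/v1/AccountService/Accounts/1 HTTP/1.1" 200 90
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The two endpoints named in the advisory write-up above.
SENSITIVE_PATHS = {
    "/redfish/v1/SessionService/ResetPassword/1": "admin password reset",
    "/redfish/v1/AccountService/Accounts/1": "account 1 (OS root) change",
}

# Assumption: management traffic should only originate from this network (placeholder).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def is_trusted(ip):
    """True if the client address falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_suspicious(log_text):
    """Return alert dicts for non-GET requests to the sensitive endpoints.

    Two signals are combined:
      * the request comes from outside the management network;
      * it is a second (or later) successful ResetPassword call. The first-login
        flow described above should hit that endpoint once; later successes are
        exactly what the advisory says an attacker would produce.
    """
    alerts = []
    successful_resets = 0
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["method"] == "GET" or ev["path"] not in SENSITIVE_PATHS:
            continue
        reasons = []
        if not is_trusted(ev["ip"]):
            reasons.append("untrusted source")
        if ev["path"].endswith("/ResetPassword/1") and 200 <= ev["status"] < 300:
            successful_resets += 1
            if successful_resets > 1:
                reasons.append("repeat password reset")
        if reasons:
            alerts.append({"ip": ev["ip"], "time": ev["ts"], "path": ev["path"],
                           "what": SENSITIVE_PATHS[ev["path"]], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"{a['time']} {a['ip']} {a['what']}: {', '.join(a['reasons'])}")
```

On the sample data the first reset from 10.0.0.5 is accepted as the legitimate first-login change, while both requests from 203.0.113.77 are reported. In practice the access log only shows that the endpoint was reached; confirming that the password actually changed requires the application's own audit trail, and the network restriction HPE recommends for its management interfaces is the control that prevents the untrusted request from arriving in the first place.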

HP Issues Advisory Informing Users to Expect SSD Failure around October 2020

HP (Hewlett Packard Enterprise) is warning its customers about a bug it recently found in some of its SSDs (solid-state drives). The company has released a new firmware patch to prevent some of its drives from failing after 40,000 hours of use. In a firmware advisory last week, HP informed its customers about a bug in some of its drives that will cause them to stop working after 40,000 hours of use, which is around four years and 200 days. SAS SSDs (Serial-Attached SCSI solid-state drives) are the drives likely to be affected by this firmware bug.

According to HP, the drives manufactured during that period will fail around October this year, and these will be among the earliest failures. HP released firmware updates last week to fix the bug and has asked companies to install them; those that do not risk losing both the SSD and its data. If the SSD fails, users cannot restore their data, HP says in its advisory.

This firmware bug is similar to another drive failure incident in November last year, when HPE SAS SSDs failed after nearly three years and 270 days of use. This time, however, the bug affects far fewer SSDs than last year's did. As last year, HP says it learned about the issue from a different SSD company that uses HP's SSDs. The list of SAS SSD models affected by the bug is available on HP's customer support website.

"This HPD8 firmware is considered a critical fix and is required to address the issue detailed below. HPE strongly recommends the immediate application of this critical fix. Neglecting to update to SSD Firmware Version HPD8 will result in drive failure and data loss at 32,768 hours of operation and require restoration of data from the backup in non-fault tolerance, such as RAID 0 and fault tolerance RAID mode if more drives fail than what is supported by the fault tolerance RAID mode logical drive," reads HP's notification.
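Both advisories quoted above tie failure to a fixed power-on-hour count (32,768 hours in the 2019 notice, 40,000 hours in the 2020 one), so the practical question for an operator is how much runtime each drive has left. The following is an added example, not HPE's tooling: it reads a constructed inventory of drives with their firmware string and power-on hours (the kind of figure smartctl or the array controller reports), converts the hours to the years-and-days form used above, and ranks each drive against both thresholds. The inventory format, the drive entries and the "UNPATCHED" firmware placeholder are assumptions; only HPD8 and the two hour counts come from the page.

```python
import re

# Power-on-hour failure thresholds quoted in the two HPE advisories above.
THRESHOLDS = {"2019": 32768, "2020": 40000}
# The 2019 notice names HPD8 as the fix for the 32,768-hour failure; the page
# does not name the firmware that fixes the 40,000-hour one, so no version is
# treated as fixed for the 2020 threshold here.
FIXED_BY_HPD8 = "2019"

# Constructed inventory: device, firmware string, power-on hours. "UNPATCHED" is a
# placeholder for any pre-HPD8 firmware; the hour counts are invented.
SAMPLE_INVENTORY = """\
/dev/sda firmware=UNPATCHED power_on_hours=32100
/dev/sdb firmware=HPD8 power_on_hours=39990
/dev/sdc firmware=UNPATCHED power_on_hours=1200
"""

LINE_RE = re.compile(r"^(?P<dev>\S+)\s+firmware=(?P<fw>\S+)\s+power_on_hours=(?P<hours>\d+)")


def hours_to_years_days(hours):
    """Express a power-on-hour count as (years, days), as the advisory write-up does."""
    days = hours // 24
    return days // 365, days % 365


def classify(hours, firmware, label, threshold):
    """Rank one drive against one failure threshold.

    Returns FIXED when the firmware is known to remove that threshold, otherwise
    a band based on how many hours of runtime remain before the counter is hit.
    """
    if label == FIXED_BY_HPD8 and firmware == "HPD8":
        return "FIXED"
    remaining = threshold - hours
    if remaining <= 0:
        return "PAST THRESHOLD"
    if remaining < 30 * 24:     # less than 30 days of continuous operation left
        return "CRITICAL"
    if remaining < 180 * 24:    # less than six months left
        return "WARN"
    return "OK"


def check_inventory(text):
    """Parse inventory lines and return a status record per drive."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hours = int(m["hours"])
        results.append({
            "dev": m["dev"],
            "firmware": m["fw"],
            "hours": hours,
            "age": hours_to_years_days(hours),
            "status": {label: classify(hours, m["fw"], label, thr)
                       for label, thr in THRESHOLDS.items()},
        })
    return results


if __name__ == "__main__":
    for r in check_inventory(SAMPLE_INVENTORY):
        years, days = r["age"]
        bands = ", ".join(f"{k}: {v}" for k, v in r["status"].items())
        print(f"{r['dev']} fw={r['firmware']} {r['hours']}h ({years}y {days}d) -> {bands}")
```

The conversion reproduces the figures in the posts: 40,000 hours is 4 years and 206 days, and 32,768 hours is 3 years and 270 days. Note that a drive on HPD8 still shows CRITICAL against the 2020 threshold in the sample, which is the point of running both checks: the fix for one counter says nothing about the other, so the affected-model list on HPE's support site remains the authority for which firmware each drive needs.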

Vulnerability in HP iLO 4 Allows Remote Code Execution

A vulnerability has been found in HPE Integrated Lights-Out 4 (iLO 4) servers that could allow remote code execution. Although it was first discovered in February 2017, patches for it were only released in August 2017.

HPE iLO 4 is an embedded server management tool used for out-of-band administration. Successful exploitation of this vulnerability is said to result in remote code execution or, in some cases, authentication bypass, as well as extraction of plaintext passwords, addition of an administrator account, execution of malicious code, or replacement of the iLO firmware.

This vulnerability in iLO cards could be used to break into numerous organizations' networks and possibly access highly sensitive or proprietary data, as these devices are extremely popular among small and large enterprises alike.

The trio of security researchers who found the vulnerability, CVE-2017-12542, a year ago say that it can be exploited remotely over an Internet connection, putting all iLO servers exposed online at risk.

They later added that it is essentially an authentication bypass that gives attackers access to HP iLO consoles, and that this access can then be used to extract cleartext passwords, execute malicious code, and even replace the iLO firmware. Triggering the vulnerability requires the attacker to send a cURL request to the affected server followed by 29 "A" characters.

The researchers published two GIFs showing how easy it is to bypass iLO authentication with their method, and how they were able to retrieve a local user's password in cleartext.

Additional details on the vulnerability and exploit code were recently published in various open-source media reports, and a Metasploit module was also made available, greatly increasing the risk to vulnerable systems.

In any case, iLO server owners have no reason to panic: when the security research team found this vulnerability back in February 2017, they notified HP with the assistance of the CERT division at Airbus.

Moreover, HP released patches for CVE-2017-12542 in August of last year, in iLO 4 firmware version 2.54. System administrators who are in the habit of regularly patching their servers have undoubtedly been protected against this bug for quite some time.
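Both the Sudo post and this iLO post come down to the same administrative task: checking reported version strings against a known-affected range. The following is an added example, not code from Qualys, HPE or the original posts. It parses version strings of the form "1.8.31p2" or "Sudo version 1.9.5p2" (and "iLO 4 v2.54") into comparable tuples and triages a constructed inventory. The Sudo ranges (1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1) are taken from the Qualys advisory for CVE-2021-3156 rather than from the text above; the iLO 4 fix version 2.54 is the one the post names; the inventory hostnames and versions are invented.

```python
import re

# Dotted version with an optional "pN" patch level, as sudo prints it. At least
# one dot is required so that a stray digit such as the "4" in "iLO 4" is skipped.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)(?:p(\d+))?")


def parse_version(text):
    """Turn '1.8.31p2' or 'Sudo version 1.9.5p2' into a comparable tuple.

    Numeric components are padded to four places and the patch level becomes a
    fifth element, so 1.8.31 < 1.8.31p1 < 1.8.31p2 < 1.9.0.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    patch = int(m.group(2)) if m.group(2) else 0
    return tuple(parts[:4]) + (patch,)


# Affected upstream ranges for CVE-2021-3156 per the Qualys advisory (inclusive).
SUDO_VULNERABLE = [
    (parse_version("1.8.2"), parse_version("1.8.31p2")),
    (parse_version("1.9.0"), parse_version("1.9.5p1")),
]
# Fix version for CVE-2017-12542 as stated in the iLO 4 post above.
ILO4_FIXED = parse_version("2.54")


def sudo_is_vulnerable(version_text):
    """True if the reported sudo version falls inside an affected upstream range."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in SUDO_VULNERABLE)


def ilo4_is_vulnerable(version_text):
    """True if the reported iLO 4 firmware is older than the fixed release."""
    return parse_version(version_text) < ILO4_FIXED


# Constructed inventory: (host, product, version string as reported by the host/device).
SAMPLE_INVENTORY = [
    ("airwave-01", "sudo", "Sudo version 1.8.27"),
    ("bastion-02", "sudo", "Sudo version 1.9.5p2"),
    ("srv-ilo-07", "ilo4", "iLO 4 v2.50"),
    ("srv-ilo-08", "ilo4", "iLO 4 v2.54"),
]


def triage(inventory):
    """Return the (host, product, version) entries whose version is in an affected range."""
    checks = {"sudo": sudo_is_vulnerable, "ilo4": ilo4_is_vulnerable}
    return [(host, product, ver) for host, product, ver in inventory if checks[product](ver)]


if __name__ == "__main__":
    for host, product, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver!r} is in an affected range")
```

One caveat that matters in practice: distributions such as Debian and Ubuntu backport the fix without changing the upstream version number, so a host reporting Sudo 1.8.27 or 1.8.31 may already be patched. Treat a match here as a prompt to check the vendor's advisory or package changelog, not as proof of exposure.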