The Highs and Lows of Patch Tuesday

We face quite a bit of patching work this week.  Microsoft has released numerous patches addressing multiple vulnerabilities including some fairly serious issues with DHCP.  Cisco has released several patches including a specific patch addressing a “default password” vulnerability in CSPC – the platform collector for device management.  Adobe has also released multiple patches across their application suites including some patches specific to Photoshop.  To pile on a little more, WordPress has released patching in version 5.1.1 to address possible unauthenticated code execution flaws.

All of these updates and patches come on the heels of the recent Google Chrome update that so many had to address immediately due to “in the wild” exploits.

Please review your environments, including your third party applications and web server platforms, and patch accordingly.

https://www.securityweek.com/adobe-patches-flaws-sandbox-photoshop-digital-editions

https://nakedsecurity.sophos.com/2019/03/14/update-now-microsofts-march-2019-patch-tuesday-is-here/

https://www.securityweek.com/wordpress-511-patches-remote-code-execution-vulnerability

https://threatpost.com/cisco-patches-critical-default-password-bug/142814/

Cisco Patches Two Dozen Serious Flaws in Nexus Switches

We all tend to get caught up in patching and updating our Windows environments and, when time permits, tackling the third-party patch needs that come with Adobe, Java and other add-on applications.  Don’t lose sight of your network infrastructure and the firmware that powers your network backplanes and critical edge devices.  Please review your environments and update your Cisco devices accordingly.

https://www.securityweek.com/cisco-patches-two-dozen-serious-flaws-nexus-switches

Krebs – FBI: Kindly Reboot Your Router Now, Please

Thank you to Mr. Krebs for the excellent coverage.  Whether this announcement by the FBI and Cisco is truly urgent or a little more cautious than necessary, the underlying security procedures are sound.  Please keep your firmware current.  Rotate all your system passwords and use stronger randomized values whenever possible.  These simple steps can provide better long-term security.

https://krebsonsecurity.com/2018/05/fbi-kindly-reboot-your-router-now-please/

Russian APT Compromised Cisco Router in Energy Sector Attacks

The phrase I think you need to focus on in this article is “end of life”.  The Cisco router in question was end of life and therefore no longer capable of receiving security updates or patches*.  No level of diligence by downstream corporations or government agencies can defend against upstream entities running out of date and indefensible network components…or can they?  A mandatory vulnerability scan or penetration test against the vendor network in question would have revealed this weakness.

Two pieces of advice this morning:

  1. Maintain your hardware and software investments.  IT purchases do not last forever.  Hardware must be updated on a regular basis according to manufacturer support standards.  Software must be upgraded and regularly patched.  Do not roll the dice.  They always eventually come up snake eyes.
  2. Hold your vendors to a reasonable IT security standard.  Require and review periodic testing.  Build enforceable language into your contracts and SLAs.  You are only as strong as the weakest link in your supply chain!

https://www.darkreading.com/endpoint/privacy/russian-apt-compromised-cisco-router-in-energy-sector-attacks/d/d-id/1331306

*Point of clarification – Thank you to @MrJeffMan for reminding me that “end of life” technically means that patches and updates are no longer being developed.  Previously developed updates can be applied and special (often expensive) extended support options are often available for purchase.