Merge branch 'wagov:main' into main

.github/workflows/codeql.yml

@@ -49,7 +49,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # v3.25.14
+        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -59,7 +59,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # v3.25.14
+        uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -72,7 +72,7 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # v3.25.14
+        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           category: "/language:${{matrix.language}}"
 

.github/workflows/scorecard.yml

@@ -42,7 +42,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # v3.25.14
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           sarif_file: results.sarif

docs/advisories/20240718003-Cisco-Security-Advisories.md

@@ -21,10 +21,11 @@ The WA SOC has been made aware of a number of critical-to-medium vulnerabilites
 
 ## What has been observed?
 
+The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described for CVE-2024-20419.
 There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
 
 ## Recommendation
 
-The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)):
 
 - [Cisco Security](https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2024%2F07%2F17&firstPublishedEndDate=2024%2F07%2F17&lastPublishedStartDate=2024%2F07%2F17&lastPublishedEndDate=2024%2F07%2F17&pageNum=1&isRenderingBugList=false)

docs/advisories/20240801001-Digicert-Certificate-Revocations.md

@@ -0,0 +1,17 @@
+# CISA Releases Advisory Addressing DigiCert Certificate Revocations - 20240801001
+
+## Overview
+
+CISA has released an advisory related to DigiCert certificate revocations.
+
+DigiCert, a certificate authority (CA) organization, is revoking a subset of transport layer security (TLS) certificates due to a non-compliance issue with domain control verification (DCV). Revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication. DigiCert has notified affected customers and provided instructions on how to replace non-compliant certificates.
+
+## Recommendation
+
+The WA SOC recommends administrators review relevant advisories and apply the recommended actions where relevant.
+
+- CISA article: <https://www.cisa.gov/news-events/alerts/2024/07/30/digicert-certificate-revocations>
+
+## Additional References
+
+- The Hacker News article: <https://thehackernews.com/2024/07/digicert-to-revoke-83000-ssl.html>

docs/advisories/20240801002-CISA-ICS-Advisory.md

@@ -0,0 +1,15 @@
+# CISA Releases New ICS Advisories - 20240801002
+
+## Overview
+
+CISA has released an advisory for Industrial Control Systems (ICS) related vendors.
+
+## What is vulnerable?
+
+| Industry                     | Vendor  | Advisory                                                                                   |
+| ---------------------------- | ------- | ------------------------------------------------------------------------------------------ |
+| Healthcare and Public Health | Philips | [ICSMA-24-200-01](https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01) |
+
+## Recommendation
+
+The WA SOC recommends administrators review relevant advisories and apply the recommended actions to all affected devices.

docs/advisories/20240801003-Progress-Software-MOVEit-Advisory.md

@@ -0,0 +1,21 @@
+# Progress Software Releases Security Advisory - 20240801003
+
+## Overview
+
+Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.
+
+## What is vulnerable?
+
+| Product(s) Affected | Version(s)                                                                              | CVE                                                             | Severity | CVSS |
+| ------------------- | --------------------------------------------------------------------------------------- | --------------------------------------------------------------- | -------- | ---- |
+| MOVEit Transfer     | - 2023.0 before 2023.0.12 </br> - 2023.1 before 2023.1.7 </br> - 2024.0 before 2024.0.3 | [CVE-2024-6576](https://nvd.nist.gov/vuln/detail/CVE-2024-6576) | **High** | 7.3  |
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)):
+
+- Progress Community article: <https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576>
+
+## Additional References
+
+- Cyber Security News article: <https://securityonline.info/progress-software-issues-security-alert-for-moveit-transfer-users-cve-2024-6576/>

docs/advisories/20240801004-SMTP-Server-Spoofing-Vulnerabilities.md

@@ -0,0 +1,24 @@
+# Multiple SMTP Servers Vulnerable to Spoofing Attacks - 20240801004
+
+## Overview
+
+The WA SOC has been made aware of an article released by the Coordination Center (CERT/CC) at Carnegie Mellon University disclosing vulnerabilities in multiple hosted, outbound SMTP servers. The vulnerabilities affect the authentication and verification mechanisms provided by the Sender Policy Framework (SPF) and Domain Key Identified Mail (DKIM).
+
+An authenticated attacker using network or SMTP authentication can spoof the identity of a shared hosting facility, circumventing any DMARC policy and sender verification provided by a domain name owner.
+
+## What is vulnerable?
+
+| CVE                                                             | CVSS | Severity | Description                                                                                                                                                                                        |
+| --------------------------------------------------------------- | ---- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [CVE-2024-7208](https://nvd.nist.gov/vuln/detail/CVE-2024-7208) | TBD  | TBD      | Hosted services do not verify the sender of an email against authenticated users, allowing an attacker to spoof the identify of another user's email address.                                      |
+| [CVE-2024-7209](https://nvd.nist.gov/vuln/detail/CVE-2024-7209) | TBD  | TBD      | A vulnerability exists in the use of shared SPF records in multi-tenant hosting providers, allowing attackers to use network authorization to be abused to spoof the email identify of the sender. |
+
+## What has been observed?
+
+The WA SOC has been made aware of exploitation in the wild for these vulnerabilities. There is no evidence exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- Carnegie Mellon University article: <https://kb.cert.org/vuls/id/244112>

docs/advisories/20240802001-Bitdefender-Releases-Critical-Security-Updates.md

@@ -0,0 +1,25 @@
+# Bitdefender Releases Critical Security Updates - 20240802001
+
+## Overview
+
+Bitdefender has released an update to fix a critical vulnerability in GravityZone Update Server product.
+
+## What is vulnerable?
+
+| Product(s) Affected | Version(s)                                       | CVE                                                             | CVSS | Severity     |
+| ------------------- | ------------------------------------------------ | --------------------------------------------------------------- | ---- | ------------ |
+| GravityZone Console | Versions before 6.38.1-5 running only on premise | [CVE-2024-6980](https://nvd.nist.gov/vuln/detail/CVE-2024-6980) | 9.2  | **Critical** |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- Bitdefender Advisory: <https://www.bitdefender.com/support/security-advisories/verbose-error-handling-in-gravityzone-update-server-proxy-service/>
+
+## Additional References
+
+- SecurityOnline article: <https://securityonline.info/bitdefender-patches-critical-vulnerability-in-gravityzone-update-server/>

docs/advisories/20240802002-CISA-New-ICS-Advisories.md

@@ -0,0 +1,18 @@
+# CISA Releases New ICS Advisories - 20240802002
+
+## Overview
+
+CISA has released an advisory for Industrial Control Systems (ICS) related vendors.
+
+## What is vulnerable?
+
+| Vendor                | Advisory Link(s)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Johnson Controls Inc. | [ICSA-24-214-01 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-01) </br> [ICSA-24-214-02 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-02) </br> [ICSA-24-214-03 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-03) </br> [ICSA-24-214-04 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-04) </br> [ICSA-24-214-05 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-05) </br> [ICSA-24-214-06 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-06) |
+| AVTech                | [ICSA-24-214-07 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-07)                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| Vonets                | [ICSA-24-214-08 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-08)                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| Rockwell Automation   | [ICSA-24-214-09 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-09)                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+
+## Recommendation
+
+The WA SOC recommends administrators review relevant advisories and apply the recommended actions to all affected devices.

docs/advisories/20240809001-Cisco-Releases-Critical-Update.md

@@ -0,0 +1,27 @@
+# Cisco Releases Critical Update - 20240809001
+
+## Overview
+
+A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
+
+## What is vulnerable?
+
+| Product(s) Affected                                                                            | Version(s)                  | CVE                                                               | CVSS | Severity     |
+| ---------------------------------------------------------------------------------------------- | --------------------------- | ----------------------------------------------------------------- | ---- | ------------ |
+| Cisco SSM On-Prem and Cisco SSM Satellite (the same product with different naming conventions) | All versions below 8-202212 | [CVE-2024-20419](https://nvd.nist.gov/vuln/detail/CVE-2024-20419) | 10.0 | **Critical** |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- CISCO Advisory: <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy>
+
+## Additional References
+
+- SecurityOnline article: <https://securityonline.info/cisco-warns-of-public-poc-exploit-code-of-critical-cve-2024-20419-cvss-10-flaw/#google_vignette>
+
+- Bleeping Computer article: <https://www.bleepingcomputer.com/news/security/exploit-released-for-cisco-ssm-bug-allowing-admin-password-changes/>

docs/advisories/20240813001-RunZero-Demonstrate-SSH-Vulnerabilities.md

@@ -0,0 +1,18 @@
+# RunZero Demonstrates Numerous SSH Vulnerabilities - 20240813001
+
+## Overview
+
+RunZero has published an article titled "runZero Research Uncovers Surprising Exposures in SSH Affecting Critical Network Security Devices and Applications".
+
+## What is vulnerable?
+
+The article details new research on Secure Shell (SSH) exposures and unveiled a corresponding open source tool named SSHamble which helps security teams validate SSH implementations by testing for uncommon, but dangerous misconfigurations and software bugs.
+
+## Recommendation
+
+The WA SOC highly recommends administrators review the article and apply the methodologies to assess their environments for identifying misconfigurations and/or vulnerabilities.
+
+Additionally, the WA SOC recommends administrators review the ASD article "*Secure Administration*" for guidance on implementing security controls and best practices:
+
+- RunZero article: <https://www.runzero.com/newsroom/runzero-research-uncovers-exposures-in-ssh/>
+- ASD article: <https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-administration/secure-administration>