it.ucsf.edu

Security

Security related


Security Update: Researchers have identified flaws in the hardware-based encryption of Solid State Drives (SSDs) made by Samsung and Crucial

Status Type

Security Update

Date and Time

Thursday, November 8, 2018 - 15:50

Reason

Security update

Impact

Samsung and Crucial SSD users

WHAT HAPPENED

Researchers at Radboud University in the Netherlands have identified several flaws in the hardware-based encryption of Solid State Drives (SSDs) made by Samsung and Crucial. These flaws can allow access to encrypted data without authorization. The default behavior of Microsoft’s BitLocker encryption does NOT protect against this vulnerability. Computers with the affected drives - using SSD hardware-based encryption or BitLocker - will need to take action to protect their data.

 

For a description of the vulnerabilities and affected systems, visit:

 

AFFECTED SYSTEMS

Please note that this is not an all-inclusive list of affected systems. Contact your vendor(s) to determine if this vulnerability affects your system(s) and to obtain updates for your products or recommendations for mitigating this vulnerability.

Affected models include, but are not limited to:

  • Crucial MX100, MX200, and MX300 internal solid state disks
  • Samsung T1, T3, and T5 USB external solid state disks
  • Samsung 840 EVO and 850 EVO internal solid state disks
  • Other drive models with hardware-based encryption from these or other manufacturers may also be affected, but this has not yet been demonstrated or announced.

Users who have an affected drive model but are using DDPE from UCSF to encrypt that drive are NOT susceptible to this vulnerability.

 

 

WHAT’S THE PROBLEM?

An attacker with physical access to an affected encrypted drive could gain unauthorized and complete access to encrypted data. Microsoft BitLocker encryption provides no additional protection to encrypted data on affected drives when using the default settings in Windows 8.1, 10, Server 2012, Server 2016, or Server 2019.

 

 

WHAT DO I NEED TO DO?

 

1. Determine if Your Computer is Affected

Users who have an affected drive model but are using DDPE from UCSF are NOT susceptible to this vulnerability.

If you are using BitLocker encryption on a Windows computer, you should apply firmware updates for your drive as available and also determine if BitLocker is using hardware-based or software-based encryption.

To determine whether BitLocker is using hardware-based encryption or software-based encryption:

  1. Run "manage-bde.exe -status" in an administrator command prompt.
  2. If the "Encryption Method" starts with "Hardware Encryption", then BitLocker is using the drive’s hardware-based encryption. You will need to take additional action to secure your data. These steps are detailed below.
  3. If the "Encryption Method" states something other than "Hardware Encryption", such as "AES-128" or "XTS AES-256 with Diffuser", then BitLocker is using software-based encryption and you do not need to take additional action.
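
The check in steps 1 to 3, as an added PowerShell example (not part of the original notice): it parses `manage-bde.exe -status` output and flags every volume whose "Encryption Method" starts with "Hardware Encryption". The function name `Get-BdeEncryptionMethod` and the sample output are constructed for illustration, and the parser assumes English-language output.

```powershell
# Parse "manage-bde.exe -status" text and report, per volume, whether BitLocker
# relies on the drive's hardware-based encryption (the case this notice flags).
# Get-BdeEncryptionMethod is a hypothetical helper name, not a built-in cmdlet.
function Get-BdeEncryptionMethod {
    param([string[]]$StatusLines)

    $volume = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Volume\s+(\S+)') {
            # Start of a new volume block, e.g. "Volume C: [OSDisk]"
            $volume = $Matches[1]
        }
        elseif ($volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]
            [pscustomobject]@{
                Volume   = $volume
                Method   = $method
                # Step 2 of the notice: value starts with "Hardware Encryption"
                Hardware = $method.StartsWith('Hardware Encryption')
            }
        }
    }
}

# Constructed sample output (not captured from a real system); the text after
# "Hardware Encryption -" is a placeholder for the drive-reported suffix.
$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - <algorithm identifier>
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
'@ -split "`r?`n"

# On a live system, from an elevated prompt, use instead:
#   $lines = manage-bde.exe -status
Get-BdeEncryptionMethod -StatusLines $sample | Format-Table -AutoSize
```

Volumes reported with `Hardware = True` are the ones that need the firmware update or the switch to software-based encryption described below.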
 

2. Update Your Drive Firmware

UCSF recommends making a full backup of all data on a drive before updating firmware.

Crucial already released firmware updates for MX100 and MX200 drives in May 2018. A firmware update for MX300 drives is expected to be available after November 13, 2018 to address this vulnerability. Contact Crucial support for more information at http://www.crucial.com/usa/en/support-ssd

Samsung has recommended that users with external SSDs (such as the T1, T3, and T5 products) should update the firmware on these products. For more details, see: https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/ . You may also be able to use software-based encryption products on these drives to encrypt data.
 

Samsung has not indicated that they will release a firmware update for 840 EVO and 850 EVO internal SSDs; users of these drives will need to switch to a software-based encryption method as detailed below.

 

3. Switch to Software-Based Encryption

If you are using hardware-based disk encryption on a non-Windows computer, apply firmware updates as available and/or switch to software-based encryption. As a reminder, any device used for UCSF work or study must be encrypted to comply with the UCSF Minimum Security Standard (http://tiny.ucsf.edu/mss).

Samsung has recommended that users with internal SSDs install and use software-based encryption to encrypt data on their drives.

UCSF recommends that users with internal Samsung SSDs using either hardware-based encryption and/or BitLocker should:

  1. Make a full backup of all data on the drive
  2. Decrypt BitLocker and any hardware-based encryption on the drive
  3. If you plan on using BitLocker to encrypt again, you must disable hardware-based encryption for BitLocker. This step requires editing local Group Policy on Windows and should not be done lightly. You do not need to perform this step if you use a software-based encryption product such as DDPE instead of BitLocker.


Edit local Group Policy to disable hardware-based encryption for BitLocker as described at:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdefxd

WARNING: Serious problems may occur if you edit Group Policy settings incorrectly or edit Group Policy settings other than the one specified. These problems may require that you reinstall Windows and/or may carry serious and non-obvious negative implications for the usability, confidentiality, availability, and integrity of your computer and data. There is no guarantee that these problems can be diagnosed or solved in a timely manner.

Edit Group Policy at your own risk.
UCSF IT Field Services and the UCSF IT Service Desk may not be able to assist you with editing Group Policy settings on BYOD or unsupported computers.

 

  4. Re-encrypt the drive with BitLocker OR re-encrypt the system using a software-based encryption product such as DDPE.

 

DDPE is available for free to the UCSF community at https://software.ucsf.edu and support for it is available 24/7 via the IT Service Desk at http://help.ucsf.edu or at 415-514-4100.
Other software-based encryption products can also be used to secure data.

 

RELATED LINKS

 

Security Update: The Apache Software Foundation has released an IMPORTANT security advisory to address vulnerabilities in Apache Tomcat JK Connectors

Status Type

Security Update

Date and Time

Tuesday, November 6, 2018 - 14:46

Reason

Security update

Impact

Apache users

WHAT HAPPENED?

The Apache Software Foundation has released an IMPORTANT security advisory to address vulnerabilities in Apache Tomcat JK Connectors.

 

Advanced Users: For a complete description of the security advisory go to:

 

AFFECTED SYSTEMS:

  • Apache Tomcat JK mod_jk Connector 1.2.0 to 1.2.44

 

WHAT’S THE PROBLEM?

Exploitation of one of these vulnerabilities could allow an attacker to obtain sensitive information.

 

HOW DO I PROTECT MY WEB SITE

  • Users and administrators are encouraged to review the Apache Security advisories listed above.

RELATED LINKS

Security Update: Cisco has released a security advisory to address a HIGH vulnerability affecting multiple products

Status Type

Security Update

Date and Time

Tuesday, November 6, 2018 - 14:43

Reason

Security Update

Impact

Cisco users

WHAT HAPPENED

Cisco has released a security advisory to address a HIGH vulnerability affecting multiple products.

 

Advanced Users: For a complete description of the vulnerabilities and affected systems, visit:

 

WHAT’S THE PROBLEM?

A remote attacker could exploit some of these vulnerabilities to cause a denial-of-service condition.

 

WHAT DO I NEED TO DO?

Users and administrators are encouraged to go to the link listed above and review the Cisco Security Advisory.

 

RELATED LINKS

Security Update: Mozilla has released security updates to address 2 Critical, 3 High, and 1 Low vulnerability in Thunderbird ESR

Status Type

Security Update

Date and Time

Tuesday, November 6, 2018 - 11:57

Reason

Security Update

Impact

Thunderbird ESR users

WHAT HAPPENED?

Mozilla has released security updates to address 2 Critical, 3 High, and 1 Low vulnerability in Thunderbird ESR.

 

Advanced Users: For a complete description of the security enhancement and affected software refer to:

 

AVAILABLE UPDATES FOR:

  • Thunderbird below 60.3

WHAT'S THE PROBLEM?

Exploitation of the vulnerability may allow an attacker to take control of an affected system.

 

HOW DO I PROTECT MY COMPUTER?

Update your software

1. If you are supported by ITFS or have different IT support, no action on your part is required.

2. If you do not have IT support or they do not support your computer:

  • Thunderbird is set up by default to auto-update.

 

RELATED LINKS

Security Update: The Apache Software Foundation has released a security advisory to address a vulnerability in Apache Struts

Status Type

Security Update

Date and Time

Tuesday, November 6, 2018 - 11:48

Reason

Security update

Impact

Apache Struts users

WHAT HAPPENED?

The Apache Software Foundation has released a security advisory to address a vulnerability in Apache Struts.

 

Advanced Users: For a complete description of the security advisory go to:

 

AFFECTED SYSTEMS:

  • Struts 2.3.36 and prior

 

WHAT’S THE PROBLEM?

Exploitation of this vulnerability could allow an attacker to take control of an affected system.

 

HOW DO I PROTECT MY WEB SITE

  • Upgrade to Struts 2.3.36 and upgrade to the latest released version of the Commons File Upload library, which is currently 1.3.3.

 

RELATED LINKS

 

Security Update: Apple has released security updates to address vulnerabilities in multiple products

Status Type

Security Update

Date and Time

Tuesday, October 30, 2018 - 15:50

Reason

Security update

Impact

Apple users

WHAT HAPPENED?

Apple has released security updates to address vulnerabilities in multiple products.

 

Advanced Users: For a complete description of the security enhancements and affected software refer to Apple’s:

 

AFFECTED SYSTEMS:

  • Safari 12.0.1
  • iCloud for Windows 7.8
  • iTunes 12.9.1
  • watchOS 5.1
  • iOS 12.1
  • tvOS 12.1
  • macOS Mojave 10.14.1
  • High Sierra

 

WHAT'S THE PROBLEM?

A remote attacker could exploit this vulnerability to take control of an affected system.

 

HOW DO I PROTECT MY COMPUTER?

Update your software

  1. If you are supported by IT Field Services or have other IT support, no action on your part is required.
  2. If you do not have IT support, for update information refer to Apple’s Security Updates listed above.

 

RELATED LINKS

Security Update: Cisco has released a security update to address a HIGH vulnerability affecting Cisco Webex Productivity Tools and the Cisco Webex Meetings Desktop App.

Status Type

Security Update

Date and Time

Friday, October 26, 2018 - 09:25

Reason

Security Update

Impact

Cisco Webex users

WHAT HAPPENED

Cisco has released a security update to address a HIGH vulnerability affecting Cisco Webex Productivity Tools and the Cisco Webex Meetings Desktop App.

 

Advanced Users: For a complete description of the vulnerabilities and affected systems, visit:

 

AFFECTED SYSTEMS:

  • Cisco Webex Meetings Desktop App releases prior to 33.6.0
  • Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.5, when running on a Microsoft Windows end-user system

 

WHAT’S THE PROBLEM?

A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

 

WHAT DO I NEED TO DO?

Users and administrators are encouraged to go to the link listed above, review the Cisco Security Advisory, and apply the appropriate updates.

 

RELATED LINKS

Security Update: NIST has published a CRITICAL CVE to announce a vulnerability in the libssh library that impacts multiple products across various vendors

Status Type

Security Update

Date and Time

Wednesday, October 24, 2018 - 13:46

Reason

Security update

Impact

libssh library users

WHAT HAPPENED

NIST has published CVE-2018-10933 to announce a CRITICAL vulnerability in the libssh library that impacts multiple products across various vendors, including Cisco, F5, Red Hat, Ubuntu, and Debian.

 

Advanced Users: For a complete description of the vulnerabilities and affected systems, visit:

 

AFFECTED SYSTEMS:

Please note that this is not an all-inclusive list of impacted systems. Contact your vendor(s) to determine if this vulnerability affects your system(s) and to obtain updated versions of products.

 

WHAT’S THE PROBLEM?

A remote attacker could exploit this vulnerability to gain unauthenticated access to vulnerable servers.

 

WHAT DO I NEED TO DO?

Consult vendor support resources to determine if a vulnerable version of libssh is used in systems that you are responsible for or manage. If you have a system which is vulnerable, update the system to a non-vulnerable version.

If you use the libssh library in a service or application that you support or maintain, verify the version of libssh in use. If necessary, update your service or application to use libssh versions 0.7.6, 0.8.4, or later.

 

RELATED LINKS

Security Update: Drupal has released a MODERATELY CRITICAL security advisory to address vulnerabilities in Drupal 7.x and 8.x.

Status Type

Security Update

Date and Time

Tuesday, October 23, 2018 - 14:40

Reason

Security update

Impact

Drupal users

WHAT HAPPENED?

Drupal has released a MODERATELY CRITICAL security advisory to address vulnerabilities in Drupal 7.x and 8.x.

 

Advanced Users: For the full Public Announcement refer to:

 

AFFECTED SYSTEMS:

  • Drupal 7.x and 8.x

 

WHAT'S THE PROBLEM?

If exploited, this vulnerability may allow an attacker to take control of an affected system.

 

WHAT DO YOU NEED TO DO?

Upgrade to the most recent version of Drupal 7 or 8 core.

 

RELATED LINKS

 

Security Update: Cisco has released several updates to address HIGH and MEDIUM vulnerabilities affecting multiple products

Status Type

Security Update

Date and Time

Thursday, October 18, 2018 - 10:28

Reason

Security update

Impact

Cisco users

WHAT HAPPENED

Cisco has released several updates to address HIGH and MEDIUM vulnerabilities affecting multiple products.

 

Advanced Users: For a complete description of the vulnerabilities and affected systems, visit:

 

WHAT’S THE PROBLEM?

A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

 

WHAT DO I NEED TO DO?

Users and administrators are encouraged to go to the link listed above and review the Cisco Security Advisories.

 

RELATED LINKS
