In today’s episode, we explore a critical GitHub Enterprise Server vulnerability (CVE-2024-4985) that allows authentication bypass and the necessary updates for protection (https://thehackernews.com/2024/05/critical-github-enterprise-server-flaw.html), EPA’s enforcement actions against water utilities lacking cybersecurity measures (https://www.cybersecuritydive.com/news/epa-enforcement-water-utilities-cyber/716719/), and newly discovered security flaws in the Python package llama_cpp_python (CVE-2024-34359) and Firefox’s PDF.js library (CVE-2024-4367), highlighting potential risks and the importance of vigilant security practices (https://thehackernews.com/2024/05/researchers-uncover-flaws-in-python.html).

00:00 Cybersecurity Threats to US Water Utilities

01:02 Deep Dive into Water Utility Cybersecurity Flaws

03:26 Strategies for Enhancing Cybersecurity in Water Utilities

04:49 EPA’s Enforcement Actions and the Importance of Cybersecurity

06:38 GitHub Enterprise Server’s Critical Security Flaw

08:00 Emerging Cybersecurity Threats and Updates

Tags: GitHub, Enterprise Server, CVE, SAML SSO, cybersecurity, vulnerability, GitHub updates, EPA, cyberattacks, water utilities, vulnerabilities, security enforcement, Checkmarx, Llama Drama, Mozilla, PDF.js

Search Phrases:

1. GitHub Enterprise Server CVE-2024-4985 vulnerability
2. SAML SSO security breach in GitHub
3. How to secure GitHub Enterprise Server
4. EPA cyberattack vulnerabilities in water utilities
5. Steps to mitigate water utility cyber threats
6. Llama Drama security flaw in llama_cpp_python
7. High-severity vulnerability in Mozilla PDF.js
8. Protecting systems from PDF.js exploits
9. Checkmarx reports on Llama Drama
10. Latest cybersecurity vulnerabilities December 2023

May22

The EPA has announced that over 70% of us water utilities inspected are vulnerable to cyber attacks due to outdated security measures like default passwords and single log-ins.

What specific vulnerabilities put major water utilities at risk. And how is the EPA planning to address them?

A high severity vulnerability in Mozilla’s PDF dot JS have been uncovered allowing threat actors to execute arbitrary code and. Compromise millions of systems globally. What methods can users implement to help protect their systems from these vulnerabilities?

And finally an alarming get hub enterprise server vulnerability now threatens unauthorized administrative access through.

SAML single sign-on prompting crucial updates. From GitHub to prevent exploitation.

How can organizations secure their get hub enterprise server instances against this vulnerability?

You’re listening to the daily decrypt.

The environmental protection agency or EPA announced that the majority of us water utilities.

The inspected are vulnerable to cyber attacks due to using default passwords and single log-ins.

And to get a little more specific over 70% of water utilities that were inspected since September of last year, failed to comply with the safe drinking water act. By commonly using single log-ins for multiple employees. And not revoking access for former employees.

So being a cybersecurity professional, it’s really hard for me to even imagine using the same login as somebody else. This is such a terrible idea for many reasons.

Some of which are obvious and some of which might not be like, first of all, multiple people know your password.

Which is kept. Under wraps. Like if it’s kept locked down, that’s not a huge issue, but it’s not being kept locked down. If this is a practice it’s not being kept, locked down.

So what if one of the people who’s using that log in?

Already has that password memorized and they decide to use it on a different site.

Maybe even with that same email address and that site gets breached.

And the email address is probably water company related.

So any attacker that comes across these credentials will instantly have access to.

The water utilities.

Infrastructure.

So say someone gets into the water utilities, infrastructure using those credentials. It will be impossible to go back and look at logs and see where the error was. It could be across many different people. So they’re not even able to identify the root cause of the breach. Logging is essential. So you want to make sure that you know exactly who is doing what actions on which computer. Sharing credentials makes that impossible.

You can also lock down different permissions by each user account.

And then monitor.

Uh,

activities based on those permissions. So if you see an account, that’s trying to do something that they shouldn’t be doing. It’s an indicator of compromise.

So, how do I know what this account that’s being shared across multiple people should be doing? Can you be logged in, in multiple places at once? Is one of the people using that account in Nigeria. Who knows. Right? So this is just terrible.

And then the second issue is former employees. Credentials are not being revoked.

They’re not being closed down. So that means that if anybody comes across the username and password, Of a former employee, they can access the system. That includes the former employee. What if they got fired?

What, if they have a malicious intent against their boss, they can log in after being terminated or leaving the job and mess things up for the company.

Now I understand that these two things take resources to fix. It’s going to take a bigger it team. It’s going to take some automation tools.

But I cannot stress this enough. Uh, compromise. Will cost more.

Then the tools use to prevent it.

So if you’re maintaining one of these infrastructures, Please talk to your boss every day. Schedule an email.

Talk to your investors, talk to the board, make sure they understand that if this place gets compromised, it’s going to cost them way more than hiring another it person or buying a tool that can automate this process.

And if you’re feeling ambitious,

One of the other things you can do with former employees accounts is to create a decoy account. Which is essentially a honeypot. So say someone does come up. Upon these credentials and they try to log in. You have already set up alerting that no one should be logging in with these credentials. But if an attacker is in the environment and finds these credentials, they will see a history of usage, which makes those credentials more enticing. And that’s something you can’t get with just a brand new account. It turned into a decoy. So it’s recommended to repurpose every former employees account as a decoy set up an alert. Nobody should be logging in.

Nobody should be touching these credentials or even attempting to log in with these credentials, if they are. You’ve been breached. It’s one of the easiest ways to detect a breach.

Alright, lecture aside. Let’s finish up this news. The EPA has taken more than 100 enforcement actions. Against the community water systems since 2020 and plans to increase future inspections. Criminal enforcement may occur. If there’s imminent danger.

So you can be prosecuted as a criminal for neglecting to secure your network.

If you work for a water plant or in a water agency. Because. Imminent danger is upon us. If you don’t secure our network, right? What are the consequences for a compromise at the source of our water? Well, we don’t get water and what do we need to live water?

In fact, in recent months, Iran, China and Russia, as well as criminal ransomware gangs have targeted us and UK. Water treatment facilities.

And they will continue to target these facilities because they are critical infrastructure for the United States. Right. The president needs water. The Congress needs water police force needs water, military needs. Everyone needs water. So it’s going to be a top target and we don’t have the funding to secure it.

So according to. SISA.

95% of the 150,000 water utilities in the us do not have a cybersecurity professional on staff.

And that sounds like a staggering amount, but it’s pretty expensive to have a cybersecurity professional on staff. We get paid a lot of money. Um,

And what I’d like to know is if any of these. Water treatment facilities are contracting out to cybersecurity professionals. So.

There are companies out there that will provide advice for a fee. So you don’t have to have someone on your staff. There are also companies out there that will monitor your networks for a fee. So you don’t have to build out your own security operation center.

If you’d like recommendations on either of these services or to be pointed in the right direction, feel free to shoot us a DM on Instagram or YouTube. And we will get back to you.

All right. There is a new maximum severity flaw in get hub enterprise server that could allow attackers to bypass authentication protections.

This flaw score is a perfect 10 out of 10 on the CVSs scale. Which indicates it’s extremely critical.

And so as mentioned, the vulnerability allows unauthorized access by forging a SAML response to provision or gain access to a user with admin privileges, but only in instances using SAML single sign-on with optional encrypted assertions.

The issue affects all G H G S versions prior to 3.1 3.0. Get hub has released patches. And in some versions of 3.9, three point 10, three point 11 and three point 12. So if you’re using these versions or earlier, Please go update.

Instances without SAML SSO or those using SAML SSO without encrypted assertions are not affected by this flaw.

If your setup doesn’t involve encrypted assertions, you’re in the clear.

But encrypted assertions, improve security by encrypting messages from the SAML identity provider during authentication. However. This feature led to the discovered vulnerability when not properly updated. So just keep your crap up to date. I know it’s tough.

And finally researchers have uncovered a severe security flaw in the Lama CPP Python package tracked as CVE 20 24 3 4 3 5 9 with a CVSs score of 9.7.

So. Pretty dang critical. This. Vulnerability is named llama drama. And can enable threat actors to execute arbitrary code, potentially compromising data and operations. The vulnerability stems from the misuse of the Jinja two template engine. Leading to server-side template injection.

The flaw has been patched in version 0.2 0.72. And if you’re using this package, you should update immediately.

Additionally Mozilla discovered a high severity flaw in the PDF dot JS JavaScript library used by Firefox. This flaw allows arbitrary JavaScript execution. When a maliciously crafted PDF document is opened inside of Firefox. The issue has been resolved in Firefox 1 26 or Firefox ESR, one 15 dot 11.

So make sure to update your browser as soon as possible. As well as any related software. To their latest versions.

This has been the Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don’t forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.