Archive for the ‘NSA’ Category

VMware fixes zero-day vulnerability reported by the NSA – BleepingComputer

VMware has released security updates to address a zero-day vulnerability in VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.

The vulnerability is a command injection bug tracked as CVE-2020-4006 and publicly disclosed two weeks ago.

While it did not issue any security updates at the time it disclosed the zero-day, VMware provided a workaround to help admins mitigate the bug on affected devices.

If successfully exploited, the vulnerability enables attackers to escalate privileges and execute commands on the host Linux and Windows operating systems.

The full list of VMware product versions affected by the zero-day includes:

While the company initially didn't disclose the identity of the organization or researcher who reported the vulnerability, VMware acknowledged the contribution of the US Defense Department's intelligence agency in an update to the security advisory made on Thursday.

VMware also lowered the bug's CVSSv3 base score to 7.2/10 and the maximum severity rating from 'Critical' to 'Important.'

CVE-2020-4006 exists in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.

"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the advisory explains.

"This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006."

Threat actors can obtain the password needed to exploit the vulnerability using techniques documented in the MITRE ATT&CK database.

VMware released security updates that fully mitigate the vulnerability on devices running one of the affected products.

Information on patch deployment steps, expected changes, and how to confirm that the patch has been applied is available within the patch files.

Links to download security updates for CVE-2020-4006 are available in the table embedded below.

DHS-CISA encouraged admins and users on Thursday to apply the patch issued by VMware to thwart attackers' attempts to take over vulnerable systems.

Admins who can't immediately download and deploy the patch can still use the temporary workaround that fully removes the attack vector on impacted systems and prevents CVE-2020-4006 exploitation.

Details on how to implement and revert the workaround on Linux-based appliances and Windows-based servers are available HERE.

However, once the workaround is applied, "configurator-managed setting changes will not be possible," as VMware explains.


AMNESIA:33 IoT device vulnerabilities. Mexican police alleged to pass spyware to cartels. The US NDAA nears passage. Hacking lockers. – The CyberWire

Researchers at Forescout this morning released a report on a set of TCP/IP vulnerabilities they're calling AMNESIA:33, the 33 referring to the number of vulnerabilities they've found. Four they consider critical, and in general the issues are believed to broadly and deeply affect Internet-of-things devices. SC Magazine says that the US Department of Homeland Security is expected to release a report on the vulnerabilities soon, perhaps as early as today.

Both Haaretz and the Guardian are reporting on Forbidden Stories' Cartel Project, which describes the ways in which Mexican police, users of NSO Group's lawful intercept products, have allegedly been reselling that technology to drug cartels, which in turn have used the spyware to monitor journalists and other third parties. Some of the allegations are attributed to sources in the US Drug Enforcement Agency.

According to the Washington Post, despite the prospect of a Presidential veto, the US House appears ready to pass the National Defense Authorization Act (NDAA). CyberScoop summarizes the significant cybersecurity measures the NDAA ("biggest cyber bill ever") includes.

ZDNet reports that 2,732 PickPoint package delivery lockers across Moscow were opened by a criminal who hacked the PickPoint app. Landlords and guards responded quickly to keep an eye on obviously malfunctioning lockers. Russian security organizations (and by implication law enforcement organizations) take a lot of stick in these pages (see, for example, yesterday's warning from NSA that Russian intelligence services are actively exploiting a VMware bug), but this is one case where we wish the Militia good hunting.


NSA warns livestock worrying is on the rise – South West Farmer

The National Sheep Association (NSA) has received an increase in reports of attacks on sheep by dogs over recent weeks, most likely linked to continuing Covid-19 restrictions including several regional and national lockdowns across the UK.

Consequently, it is urging the public to take responsibility for their actions when in the countryside, and especially near livestock.

A spokesperson said: "First and foremost, dog owners must keep their animals under control and on a lead when walking near sheep. Not only do dogs pose a threat of injury to sheep, but at this time of year, when most ewes are already or soon to be in lamb the stress of being chased can lead to the pregnant sheep losing their lambs.

"Sheep are a hugely valuable asset to the farmer, and any damage to the flock can have detrimental effects. Likewise, sheep worrying is also a hugely traumatic experience for the shepherd, with several studies carried out by NSA showing that the risk of a potential attack happening causes significant stress and anxiety to farmers.

"Recent cases of sheep worrying have resulted in dogs being shot as a last resort option to halt a serious attack. This, of course, is never an action carried out by a farmer with ease but the law states that a farmer is in his/her rights to shoot an animal if it is found to be in the act of worrying livestock and dog owners should be aware of the potential danger they put their pet dog in if they are not responsible whilst out walking."

NSA chief executive Phil Stocker said: "It must be stressed to owners who allow their dogs to chase, attack and potentially kill livestock that it is a criminal act and for very good reason. Few people would understand the stress and anger that a farmer or shepherd goes through by finding a dog attacking and killing sheep and very occasionally this can result in dogs being shot. We appreciate how distressing this would be for a dog owner but very few farmers would do this out of choice and anyone driven to do this would be highly distressed by the action as well, I am certain.

"Attacks on dogs often cause huge financial cost for the farmer but for most the initial stress and anxiety is equally impactful. The only way to avoid incidents like this is for dog owners to take proper responsibility for the dogs, know where they are at all times and keep them on leads anywhere in the vicinity of livestock."

NSA is also urging dog walkers as well as others enjoying the countryside at this time to be aware of their responsibility in terms of the Covid-19 pandemic. When passing through farmland and farmyards walkers must be vigilant and consider that touching gates, fence posts, and stiles could potentially contaminate them which in turn could increase the viral spread to farmers and other walkers. Contact with these objects should be minimised and hands sanitised or washed as often as possible.


Madhya Pradesh: Raid on Congress leader's gambling den unearths illegal weapons and ammunition, booked under NSA – OpIndia

On 6th November, a special police team in Madhya Pradesh had raided a gambling den owned by Congress leader Gajendra Sonkar alias Gajju and recovered many illegal weapons and live ammunition. Out of the 17 recovered pistols, two were found to be licensed in the name of an employee at his stone crusher plant. Police have arrested the employee and initiated the process of cancelling the license.

During the search at his house, 17 illegal weapons, including two carbines, 19 magazines, and 1478 different cartridges, were recovered. Two of them were registered in the name of one Prashant Patial, a resident of Modivada Cantt. During the investigation, the special team found that Patial works at Sonkar's stone crusher as a supervisor at a monthly salary of 15,000 rupees.

In the initial interrogation, police found out that Sonkar got the license in Patial's name as there were criminal cases registered against him. Sonkar's arms license was cancelled in 2014. SP Sidharth Bahuguna said that they had initiated the process to cancel the license of the two pistols.

On 6th November, Madhya Pradesh Police raided the house of former MP Congress Committee secretary and Congress leader Gajendra Sonkar. During the house search, they recovered a large cache of weapons, including 17 pistols that included two carbines, 1478 live cartridges, 19 magazines, an axe, and more. The police arrested 41 gamblers and recovered 42 mobile phones, playing cards, and 7.4 lakh cash as well.

SP Siddharth Bahuguna said on 6th November that they had booked Gajendra Sonkar, his brother Mahendra Sonkar alias Monu, his father Rajkumar Sonkar alias Babu Nati, manager Rajneesh Verma, Bhailal Patel, and Omkar alias Babua Sonkar in the case. While the police arrested Gajendra and Mahendra, others are still absconding. Police have announced Rs.5000 bounty on the absconding accused.

The illegal weapons and other incriminating material were recovered when the special police team had raided a gambling den run by Sonkar on November 6. 41 gamblers were caught in the act and over 7 lakh rupees in cash was also found.

As per the reports, the District Magistrate and Collector Karmaveer Sharma's court imposed the National Security Act on the Sonkar brothers on Friday based on the report submitted by SP Bahuguna. Gajendra has 12 cases registered against him under the Prevention of Gambling Act, assault, Arms Act, attempt to murder, Explosive Substances Act, etc. His brother Mahendra has five cases under assault, theft, arms act, gambling registered against him. As the NSA has been imposed on the brothers, they will remain in Central Jail even after their remand period is over.

Other accused in the cases, Gajendra Sonkar's father Nati Babu Sonkar, manager Rajnish Varma, associates Bhailal Patel and Omkar Sonkar are absconding. The district police has declared rewards of Rs 5000 each on them.

Gajendra Sonkar is a Congress leader and has been seen with senior party leaders in the past. His Twitter account says that he had been spearheading party membership campaigns in the area. He had shared photographs of himself with Rahul Gandhi and Kamal Nath.

In another news, Jabalpur Police has raided an illegal arms manufacturing factory. As per the reports, long-distance slingshots used during CAA-NRC protests and riots were manufactured here. The infamous slingshots were made with the help of YouTube tutorials and were highly accurate even at 150-200 meter range. During the protests, they were in high demand in Hanumanatal, Gohalpur, Adhartal region.

Police have recovered six swords, airguns, and other weapons during the raid. Hanumanatal police station in-charge Umesh Golhani said that the factory belonged to Shahnawaz alias Ravi Ansari, resident of Thakkar village. CSP Akhilesh Gaur said that Ansari has been manufacturing arms for a long time. He had manufactured many custom-made weapons for criminals in the past. Police are now making a list of his customers for further action.


US Navy Strongly Opposed To Capital Beltway Widening Project – Josh Kurtz

In a tersely-worded letter to the Maryland Department of Transportation, the U.S. Navy served notice that the state should not plan on gaining control of any military property in Bethesda for the widening of the Capital Beltway (I-495).

The letter also took the agency to task for not considering transit alternatives and the impacts of the pandemic on commuting patterns.

The Nov. 4 correspondence is among thousands of comments provided to MDOT during a just-completed public feedback period on the Hogan administration's plan to add four express toll lanes to Interstates 495 and 270.

During testimony before a legislative panel on Friday, Transportation Secretary Greg Slater called the Navy's objections "pretty significant and serious." An influential local official agreed.

The two-page letter was signed by Capt. Mary S. Seymour, the Commanding Officer at Naval Support Activity Bethesda, a base whose main tenant is the Walter Reed National Military Medical Center. A sprawling property across from the National Institutes of Health, NSA Bethesda fronts on MD 355 and borders the Beltway.

The Navy raises several objections to the state's proposal to add four lanes to the two highways.

The letter chides MDOT for continuing to assert that it will take NSA Bethesda property for the project.

"As previously stated in multiple letters from the installation to MDOT, the Navy will not cede any property for the construction of this toll road," Seymour writes. "Doing so would compromise Antiterrorism/Force Protection guidelines and impact the NSA Bethesda Mission. The Navy requests the project remove the property acquisition from consideration in the analysis."

The letter notes an ongoing disagreement between the state and Department of Defense over right-of-way and fence line impacts and finds MDOT's analysis of the construction footprint to be woefully inadequate.

"The information in the [Draft Environmental Impact Statement] shows disruption to mission critical infrastructure on the northeast corner of the installation without providing any technical information on the potential size and duration of those impacts," Seymour wrote.

"Impacts to those facilities and infrastructure will cause an immediate degradation of installation support services to Walter Reed Military Medical Center and mission critical construction. This is a direct contradiction to the DEIS assumption that impacts to any individual facility would not alter access to or use of the hospital facilities."

Echoing complaints from state legislators, local officials and members of the public, the Navy faults the state for failing to consider the potential benefits of increased transit. "This document is supposed to analyze a multi-modal transportation system, yet focuses exclusively on toll roads."

In addition, the letter urged greater analysis of the impact of COVID-19 on both road and transit use. "These impacts are changing commuter behavior and should be reflected in this document," Seymour told MDOT.

In an appearance before a House Transportation and Environment subcommittee on Friday, Slater, the state's transportation chief, told lawmakers he had read the Navy's letter.

"I think certainly some of the concerns that they've raised are pretty significant and serious," he said. "And we want to work through that with them and really talk through all of those [concerns] with them."

The consensus-oriented secretary, who is popular with officials from both parties, said he took issue with the tone of the Navy's letter, which he described as "kind of a not-super-productive dialogue."

He said he has urged his project team to reach out to NSA Bethesda officials in the near future.

While the substance of the Navy's objections mirrored those that have been raised for many months by environmentalists, Democratic officials and homeowners near the two highways, several officials said it was striking for DOD to be raising the same issues.

"There now seems to be a pretty unified wall of opposition to this project," said Montgomery County Planning Board Chairman Casey Anderson, whose agency has clashed with MDOT staff during project discussions.

"I didn't really feel there was going to be a solid, almost-unanimous opposition among all the relevant entities that own property or have some legal role in approving this," he added. "I feel a little better about this than I did six months ago."

Del. Marc Korman (D-Montgomery), the chair of the T&E subcommittee on capital spending, called the Navy's objections significant.

"The meat of the letter is them saying, and I'm paraphrasing, you're not taking any of our land, for national security reasons, and stop pretending you are," he said in an interview.

Ben Ross, head of the Maryland Transit Opportunities Coalition and a vocal critic of the project, called the Navy's objections a big obstacle for the state.

"The Navy repeatedly raised this issue with MDOT during DEIS preparation, and MDOT did not modify its plan to use Navy property," he said in an email. "I can't see U.S. DOT approving something that requires land from the Navy that the Navy says it needs for mission-critical reasons."

Efforts to get reaction from supporters of the project on Friday were not successful.
