HC3 TLP White Sector Alert: CISA and NSA Release Joint Cybersecurity Information Sheet on Selecting and Hardening VPNs

September 2021

CYBERSECURITY VULNERABILITIES OF INTEREST TO THE HEALTH SECTOR

In August 2020, a significant number of vulnerabilities in common information systems relevant to the healthcare sector were disclosed to the public. These vulnerabilities affect products from Microsoft, Adobe, Intel, Oracle, Cisco, SAP, Apple, and Google. Every healthcare organization should carefully consider patching them, weighing the criticality rating of each vulnerability against the organization's own risk management posture.

MICROSOFT

On Tuesday, August 11, Microsoft announced 120 vulnerabilities, the third-largest number of Patch Tuesday fixes ever, including two actively exploited zero-days and a total of 17 critical and 103 important fixes. The first zero-day is CVE-2020-1380, a scripting engine memory corruption vulnerability in Internet Explorer 11 that can allow remote code execution. The second zero-day is CVE-2020-1464, a spoofing vulnerability in the Windows file signature validation system. Both of these zero-day vulnerabilities were rated “critical” by Microsoft. Also worth noting is a vulnerability called “GlueBall”, CVE-2020-1472, an elevation of privilege vulnerability that can be exploited if an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). Below are the 17 Patch Tuesday vulnerabilities rated Critical.
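As an added example (not part of the HC3 alert), the following script shows how a defender can triage the Netlogon-related events that the August 2020 Microsoft update began writing to the domain controller System log for CVE-2020-1472 (Event IDs 5827 through 5831, which exist in Microsoft's published guidance). The log line format and the sample entries are constructed for this example and are not real exports.

```python
import re
from collections import Counter

# Event IDs introduced on domain controllers by the August 2020 Netlogon update
# (Microsoft guidance for CVE-2020-1472). Descriptions are paraphrased.
NETLOGON_EVENTS = {
    5827: "DENIED: vulnerable Netlogon secure channel from a machine account",
    5828: "DENIED: vulnerable Netlogon secure channel from a trust account",
    5829: "ALLOWED: vulnerable Netlogon secure channel (enforcement not yet on)",
    5830: "ALLOWED by group policy exception: machine account",
    5831: "ALLOWED by group policy exception: trust account",
}

# Constructed line format: "<timestamp> <dc> EventID=<n> Account=<name> [OS=<text>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dc>\S+)\s+EventID=(?P<id>\d+)\s+Account=(?P<acct>\S+)"
    r"(?:\s+OS=(?P<os>.*))?$"
)

# Constructed sample System-log lines from two domain controllers.
SAMPLE_LOG = """\
2020-08-20T10:01:07Z DC01 EventID=5829 Account=MRI-WS07$ OS=Windows 7
2020-08-20T10:02:13Z DC01 EventID=4624 Account=jdoe
2020-08-20T10:03:44Z DC01 EventID=5827 Account=LAB-PRINT02$ OS=Windows Server 2008
2020-08-20T10:05:00Z DC02 EventID=5830 Account=LEGACY-PACS$ OS=
"""

def parse_line(line):
    """Parse one log line; return a dict or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "dc": m["dc"], "id": int(m["id"]),
            "account": m["acct"], "os": m["os"] or "unknown"}

def triage(lines):
    """Return (findings, counts): Netlogon events needing action, and a per-ID tally."""
    findings, counts = [], Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["id"] not in NETLOGON_EVENTS:
            continue  # unrelated event or unparseable line
        counts[ev["id"]] += 1
        # 5829: a vulnerable connection was still permitted, so the client must be patched.
        # 5827/5828: blocked, which confirms enforcement, but the client still needs patching.
        # 5830/5831: explicitly allowed by policy; those exceptions should be reviewed.
        action = "patch client" if ev["id"] in (5827, 5828, 5829) else "review policy exception"
        findings.append({**ev, "what": NETLOGON_EVENTS[ev["id"]], "action": action})
    return findings, counts

if __name__ == "__main__":
    found, tally = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['dc']} {f['id']} {f['account']} ({f['os']}): {f['action']}")
    print("event counts:", dict(tally))
```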


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272