Security News

Fortinet fixes critical vulnerabilities in SSL VPN and web firewall
2021-02-07 14:31

The vulnerabilities range from Remote Code Execution to SQL Injection to Denial of Service, and affect the FortiProxy SSL VPN and FortiWeb Web Application Firewall products. Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has been patching in its products.

Mimecast discloses Microsoft 365 SSL certificate compromise
2021-01-12 10:33

Email security company Mimecast has disclosed today that a "sophisticated threat actor" compromised one of the certificates the company issues for customers to securely connect Microsoft 365 Exchange to their services. "Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor," Mimecast said earlier today.

New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption
2020-09-16 02:45

A group of researchers has detailed a new timing vulnerability in Transport Layer Security protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed "Raccoon Attack," the server-side attack exploits a side-channel in the cryptographic protocol to extract the shared secret key used for secure communications between two parties.

Maximum Lifespan of SSL/TLS Certificates is 398 Days Starting Today
2020-09-01 09:51

Cisco has warned of an active zero-day vulnerability in its router software that's being exploited in the wild and could allow a remote, authenticated attacker to carry out memory exhaustion attacks on an affected device. "An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device," Cisco said in an advisory posted over the weekend.

Maximum Lifespan of SSL/TLS Certificates is 398 Days Starting Today
2020-09-01 05:25

Starting today, the lifespan of new TLS certificates will be limited to 398 days, a little over a year, from the previous maximum certificate lifetime of 27 months. The lifespan of SSL/TLS certificates has shrunk significantly over the last decade.

How to enable SSL on Ubuntu Linux for testing
2020-05-15 20:00

When that software requires SSL, you can enable a snake oil SSL key for testing purposes. I cannot tell you how many times I've installed a web-based application for testing purposes, only to find that application requires SSL to function.

How to enable SSL on Ubuntu Linux for testing
2020-05-15 19:50

Sometimes admins need to be able to test a web-based solution before deciding it's worth using. When that software requires SSL, you can enable a snake-oil SSL key for testing purposes.

Cybercriminals increasingly using SSL certificates to spread malware
2020-04-07 13:00

Recent studies have shown that cybercriminals building phishing sites now use SSL as well, complicating efforts by enterprises to keep their employees safe. The Menlo Security research revealed that while 96.7% of all user-initiated web visits are being served over https, only 57.7% of the URL links in emails turn out to be https, which means that web proxies or firewalls will be oblivious to the threats unless enterprises turn on SSL inspection.

Let’s Encrypt will revoke 3m+ TLS/SSL certificates
2020-03-04 12:00

Starting at 20:00 UTC today, the non-profit certificate authority Let's Encrypt will begin its effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software. "The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt."

Let's Encrypt Issued A Billion Free SSL Certificates in the Last 4 Years
2020-02-28 04:26

Let's Encrypt, a free, automated, and open certificate signing authority from the nonprofit Internet Security Research Group, has said it's issued a billion certificates since its launch in 2015. Since late last year, Let's Encrypt has issued at least 1.2 million certificates each day.