NSA, FBI, CISA Statement on Russian SVR Activity

The US government is warning businesses to beware of vulnerabilities being exploited by the Russian Foreign Intelligence Service (SVR RF). But that’s not the only group taking advantage. Here’s what you should do.

What does it mean for your business?

Summary of the Statement

Last week, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint statement on five different vulnerabilities that the Foreign Intelligence Service of the Russian Federation (SVR RF) is known to be exploiting currently.

How does this affect your business?

Even if your business is not a target of the SVR RF, other threat actors, such as ransomware gangs, are taking advantage of the same vulnerabilities. Therefore, if you have been using any of the affected product versions, you should take them offline, upgrade to the most recent version, and begin an incident response process to verify your servers are not compromised. Additionally, Raxis recommends performing the same process on other recently exploited products such as SolarWinds Orion and Microsoft Exchange Server.

Affected Product Versions & Associated CVEs

Fortinet FortiGate VPN

  • Version: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
  • CVE: CVE-2018-13379

Synacor Zimbra Collaboration Suite

  • Version: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10
  • CVE: CVE-2019-9670

Pulse Secure Pulse Connect Secure VPN

  • Version: Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
  • CVE: CVE-2019-11510

Citrix Application Delivery Controller and Gateway

  • Version: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b
  • CVE: CVE-2019-19781

VMware Workspace ONE Access

  • Version: VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1-3.3.3 on Linux, VMware Identity Manager Connector 3.3.1-3.3.3 and 19.03, VMware Cloud Foundation 4.0-4.1, and VMware vRealize Suite Lifecycle Manager 8.x
  • CVE: CVE-2020-4006
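
To triage an asset inventory against the version ranges listed above, a check along the following lines can be used. This is an added example, not code from Raxis or the agencies. The product keys, hostnames and sample inventory are hypothetical, and it assumes bare version strings and reads "before X" as "same release branch, below X". The VMware entry is left out because it spans several distinct products.

```python
import re

# Affected ranges transcribed from the list above, as (low, high, high_inclusive).
# Product keys are hypothetical labels. Reading "before X" as "same release
# branch, below X" is this example's assumption, not vendor guidance.
AFFECTED = {
    "fortios": ("CVE-2018-13379", [
        ("6.0.0", "6.0.4", True), ("5.6.3", "5.6.7", True), ("5.4.6", "5.4.12", True)]),
    "zimbra": ("CVE-2019-9670", [("8.7", "8.7.11p10", False)]),
    "pulse-connect-secure": ("CVE-2019-11510", [
        ("8.2", "8.2R12.1", False), ("8.3", "8.3R7.1", False), ("9.0", "9.0R3.4", False)]),
    "citrix-adc": ("CVE-2019-19781", [
        ("13.0", "13.0.47.24", False), ("12.1", "12.1.55.18", False),
        ("12.0", "12.0.63.13", False), ("11.1", "11.1.63.15", False),
        ("10.5", "10.5.70.12", False)]),
}

def parse_version(text):
    """Turn '6.0.4', '8.2R12.1' or '8.7.11p10' into a comparable integer tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def affected_cve(product, version):
    """Return the CVE id if the version falls in a listed range, else None."""
    cve, ranges = AFFECTED.get(product, (None, []))
    v = parse_version(version)
    for low, high, inclusive in ranges:
        lo, hi = parse_version(low), parse_version(high)
        if lo <= v and (v <= hi if inclusive else v < hi):
            return cve
    return None

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("vpn-edge-1", "fortios", "6.0.4"),
    ("vpn-edge-2", "fortios", "6.0.5"),
    ("mail-1", "zimbra", "8.7.11p9"),
    ("ras-1", "pulse-connect-secure", "9.0R3.4"),
    ("adc-1", "citrix-adc", "12.1.55.13"),
]

def triage(inventory):
    """List (host, cve) pairs that need patching and incident-response review."""
    return [(h, c) for h, p, ver in inventory if (c := affected_cve(p, ver))]

if __name__ == "__main__":
    for host, cve in triage(INVENTORY):
        print(f"{host}: affected by {cve}")
```

A host that no longer matches after an upgrade still needs the incident response review if it ran an affected version while exposed.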

Remediation

If your business is running any of the aforementioned product versions, upgrade immediately to the most recent versions following the guides for each product below:

Fortinet FortiGate VPN

Synacor Zimbra Collaboration Suite

Pulse Secure Pulse Connect Secure VPN

Citrix Application Delivery Controller and Gateway

VMware Workspace ONE Access

SolarWinds Orion

Microsoft Exchange

Additionally, Raxis recommends beginning an incident response process on any servers exposed to the internet that are running these product versions, as they are actively being exploited in the wild.

Associated Links

NSA, FBI & CISA Statement: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/
