Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

A recent Microsoft Windows update introduced a high-risk security vulnerability (CVE-2021-36934), published on July 23, 2021, with a CVSS score above 7. The vulnerability originates from an overly permissive access policy on some system files, such as the Security Accounts Manager (SAM) database. A malicious user can use this vulnerability to elevate privileges and then execute malicious code, view, change or even delete data, create a new user account with full rights, and so on.

From testing, the devices currently affected are mainly Windows 10 and Windows 11; however, according to the official information released by Microsoft, Windows Server 2019 is also affected. This issue deserves special attention because there is currently no patch for this vulnerability. As a short-term solution there is an official workaround: for example, you can delete the affected Volume Shadow Copy Service (VSS) shadow copies. (Please refer to: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)

Looking at this issue from the perspective of PCI DSS compliance, the CVSS Base Score of this vulnerability is 7.8, which counts as high risk because it is above 7. It should therefore be patched within 30 days if possible; otherwise, other safeguards must be put in place. If the ASV (Approved Scanning Vendor) external vulnerability scan encounters this problem, the vulnerability scan will not pass.

In addition, Windows 10 is commonly used as a jump host in the server room, and such a Windows jump host is often shared by different personnel. It is therefore also important to check whether ordinary users could use this vulnerability for other purposes, such as unauthorized activities.

This begs the question: how can one maintain the integrity of the organization's security and systems while this vulnerability remains unpatched? We at Secure Vectors propose the following suggestions:

  1. Firstly, restrict access to the affected system directories and delete the backup copies held by the Volume Shadow Copy Service (VSS). The reason is that the SAM database must not be recoverable through backup/restoration tools; while a patch is being developed, this prevents the restoration operation from exposing the file.
  2. Temporarily restrict personnel who do not hold host management authority (Administrator) from logging into the host. General user accounts are currently able to read the core configuration files, SAM database, etc. By doing this, personnel without host management authority cannot reach these files, and your organization avoids attacks through elevation of privilege.
  3. Remember to update the scanning database of your internal vulnerability scanning tool to the latest version and perform a scan, to check whether the current tool can identify the problem.
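As an added example (not part of the original post), the following PowerShell script checks whether the registry hives under %windir%\System32\config are readable by BUILTIN\Users, lists existing VSS shadow copies, and with the -Remediate switch applies the MSRC workaround referenced above (re-enable ACL inheritance, delete existing shadow copies). The hive list, the Win32_ShadowCopy query and the -Remediate switch are my additions; run it in an elevated session.

```powershell
# Added example, not from the Secure Vectors post. Detects the weak hive ACL
# behind CVE-2021-36934 and optionally applies the MSRC workaround.
# Run as Administrator.
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM'

function Test-HiveReadableByUsers {
    param([string]$Path)
    # Reading the ACL needs READ_CONTROL only, so the kernel's lock on the
    # hive file does not get in the way.
    $acl      = Get-Acl -LiteralPath $Path
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    # Vulnerable if BUILTIN\Users holds an Allow entry that includes ReadData
    # (shown by icacls as BUILTIN\Users:(I)(RX) on affected builds).
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (($_.FileSystemRights -band $readData) -eq $readData)
    }
    return [bool]$hit
}

$exposed = @()
foreach ($hive in $hives) {
    if (Test-HiveReadableByUsers (Join-Path $configDir $hive)) { $exposed += $hive }
}

# Shadow copies taken while the ACL was weak still hold readable hive copies.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue

if ($exposed.Count -eq 0) {
    Write-Output "Hive ACLs OK: BUILTIN\Users cannot read $($hives -join ', ')."
} else {
    Write-Output "VULNERABLE: BUILTIN\Users can read: $($exposed -join ', ')"
}
Write-Output ("Existing VSS shadow copies: {0}" -f @($shadows).Count)

if ($Remediate) {
    # MSRC workaround step 1: restore inherited (restrictive) ACLs on the hives.
    icacls "$configDir\*.*" /inheritance:e | Out-Null
    # MSRC workaround step 2: remove shadow copies that still expose old hives.
    vssadmin delete shadows /all /quiet | Out-Null
    Write-Output 'Workaround applied. Re-run this script to verify, then create a new restore point if required.'
}
```

Deleting shadow copies also removes existing System Restore points, so confirm the host's backup strategy before using -Remediate.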

Secure Vectors consultant

Bryan Cheng

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

- Payment Card Industry Security, IT Security Management, Cloud Service Management
- Professional Certification: PCI DSS QSA, CISSP, ISO27001 LA, BS10012 LA, MCSE, MCITP, TUViT Privacy Protection Consultant

Secure Vectors Information Technologies Inc. is a consulting firm specializing in payment-card-related security consulting and assessment services. We provide comprehensive payment card security consulting and certification services, including PCI DSS, PCI 3DS and PCI PIN Security Standards, as well as personal data protection, GDPR compliance inspection and other consulting services. We are headquartered in California, U.S., with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi) and Singapore. With over 70 percent market share in Taiwan and 8 years of experience in PCI compliance, we have developed compliance management programs and collaborative services to fit every business.



*For more information and inquiries please email us at service@securevectors.com; our experts will answer all your questions as soon as possible.



Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

An out-of-bounds write flaw was found in the Linux kernel's seq_file implementation in the filesystem layer. This flaw allows a local attacker with an unprivileged user account to access out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion before performing operations on the value.

From a PCI DSS point of view, the primary concern is operating system user account security: verify that every account given access to the system is necessary, restrict login to only the mandatory rights with logging enabled, and restrict kernel features such as eBPF. Patch management, especially for critical patches, should be completed within 30 days.


  • PCI DSS Requirement 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. Verify that /etc/passwd has proper settings: delete non-mandatory accounts or set their shell to “nologin”, so that non-mandatory users cannot log in and use this vulnerability to compromise the system.
  • PCI DSS Requirement 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Verify whether the operating system vendor has released a related patch, and complete the patch update within 1 month. If there are no updates from the vendor, a necessary mitigation process should be in place.


Patch updates resolving this vulnerability (CVE-2021-33909) were noted by the Qualys Security Research Team; see the following table for the risk ratings and patch listings:


Source | Risk level | Link
NESSUS | CVSS (v2) 7.2 | https://www.tenable.com/cve/CVE-2021-33909
NIST NVD | CVSS (v3) 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-33909
Redhat | CVSS (v3) 7.0 | https://access.redhat.com/security/cve/cve-2021-33909
CVE | Source: MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909

Update on 2021/09/10

The Qualys Security Research Team has proven the vulnerability by obtaining root rights on the following vulnerable operating systems: Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 Workstation. Other Linux distributions may also be affected by this vulnerability. Linux server patch fixes are as follows:


Operating system | Security patch link
Redhat | https://access.redhat.com/security/cve/cve-2021-33909
CentOS | https://centosfaq.org/centos/its-been-six-days-since-cvd-2021-33909-was-patched-in-rhel-whats-the-holdup-for-stream-8/ and https://centos.pkgs.org/8-stream/centos-baseos-x86_64/kernel-4.18.0-326.el8.x86_64.rpm.html
SUSE | https://www.suse.com/security/cve/CVE-2021-33909.html
Ubuntu | https://ubuntu.com/security/CVE-2021-33909

Update on 2021/09/10

If there are no updates from the vendors, necessary mitigation process should be in place.

sysctl -w kernel.unprivileged_userns_clone=0   # unprivileged_userns_clone set to 0 (this knob exists on Debian-derived kernels)

sysctl -w kernel.unprivileged_bpf_disabled=1   # unprivileged_bpf_disabled set to 1
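As an added example (not part of the original post), this POSIX shell script checks the two sysctl mitigations above and lists the accounts in a passwd-format file that still have an interactive shell, which is the Requirement 2.1 check earlier on this page. The function names and the sample passwd entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Secure Vectors post: helper for the Sequoia
# (CVE-2021-33909) mitigation check and the PCI DSS Req. 2.1 account review.

# List accounts whose login shell is still interactive (not nologin/false).
# Arg 1: path to a file in /etc/passwd format. An empty shell field counts
# as interactive because login falls back to /bin/sh.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Return 0 when both kernel knobs hold the mitigating values, 1 otherwise.
# Arg 1: unprivileged_userns_clone value ("absent" if the knob does not
#        exist, which is the case on non-Debian kernels).
# Arg 2: unprivileged_bpf_disabled value.
mitigations_in_place() {
    userns_ok=1
    bpf_ok=1
    if [ "$1" != "0" ]; then userns_ok=0; fi
    if [ "$2" != "1" ]; then bpf_ok=0; fi
    [ "$userns_ok" = 1 ] && [ "$bpf_ok" = 1 ]
}

# Read the live value from /proc, printing "absent" for a missing knob.
live_value() {
    if [ -r "/proc/sys/kernel/$1" ]; then cat "/proc/sys/kernel/$1"; else echo absent; fi
}

# Constructed sample passwd file so the account check can be run offline.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
oldadmin:x:1001:1001::/home/oldadmin:/bin/sh
svc:x:1002:1002::/home/svc:/bin/false
EOF

echo "Accounts with an interactive shell (compare against the list of mandatory users):"
interactive_accounts "$SAMPLE_PASSWD"

if mitigations_in_place "$(live_value unprivileged_userns_clone)" "$(live_value unprivileged_bpf_disabled)"; then
    echo "Sequoia sysctl mitigations are in place on this host."
else
    echo "Sequoia sysctl mitigations are NOT fully in place on this host."
fi
```

Point interactive_accounts at the real /etc/passwd to audit a host; on kernels without the userns knob the script reports the mitigation as missing, so verify user-namespace restrictions by whatever mechanism that distribution provides.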

For technical details, please refer to below link:

https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt


Max Tsai

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA











PCI DSS Compliance Process and Requirements

This article is an introduction to the latest PCI DSS compliance standards process in 2021, as well as an explanation of PCI DSS levels of compliance and their required costs.

PCI DSS Standards

The Payment Card Industry Data Security Standard (referred to as PCI DSS) is a global industry standard set up by the major international credit card organisations for the security of cardholder information that flows through their networks. All organisations, whether Merchants or Service Providers, that accept payments or store, process or transmit card data from the major international card organisations must adopt the PCI DSS and protect cardholder information in accordance with the standard.

The PCI DSS is created and managed by the PCI SSC (Payment Card Industry Security Standards Council), whose members are VISA Inc., MasterCard, JCB, American Express and Discover.

PCI DSS Compliance Levels

PCI DSS compliance status is usually obtained via a PCI DSS assessment. Merchants and Service Providers are each divided into levels, shown below (using the regulations provided by VISA).

  • Merchant Levels

Level | Transaction volume | Required security certification/scans | Required personnel/items
1 | Over 6M transactions per year | On-site PCI DSS audit every year and ASV network scan every quarter | Qualified Security Assessor, Internal Audit Report, Approved Scanning Vendor
2 | Over 1M transactions per year | Complete Self-Assessment Questionnaire (SAQ) each year and ASV network scan every quarter | Merchant, Approved Scanning Vendor
3 | Over 200K transactions per year | Complete Self-Assessment Questionnaire (SAQ) each year and ASV network scan every quarter | Merchant, Approved Scanning Vendor
4 | Less than 20K transactions per year | Complete Self-Assessment Questionnaire (SAQ) each year and ASV network scan every quarter | Merchant, Approved Scanning Vendor

  • Service Provider Levels

Level | Transaction volume | Required certification/scans | Required personnel/items
1 | Over 300,000 transactions a year | On-site PCI DSS audit every year and ASV network scan every quarter | Qualified Security Assessor, Internal Audit Report, Approved Scanning Vendor
2 | Below 300,000 transactions a year | Complete Self-Assessment Questionnaire D (SAQ D) every year and perform ASV network scan every quarter | Merchant, Approved Scanning Vendor

When a Merchant or Service Provider is deemed as Level 1, they are required to obtain the services of a QSA (Qualified Security Assessor), which is an approved PCI DSS auditor. The QSA has to perform an on-site audit for the organization and provide a report after the review.

Merchants at Levels 2-4 and Service Providers at Level 2 must fill out a PCI DSS SAQ (Self-Assessment Questionnaire), which can also be done with the assistance of a QSA.

To determine the level you fall under and the type of SAQ you are required to use, please contact your acquirer.

PCI DSS Audit Process

In general, the PCI DSS audit can be divided into the following phases below:

[Figure: PCI DSS certification phases and timeline]

The initial preparation and consultation phase may take up to 3-5 months, depending on the readiness of the organization that is undergoing the review and the complexity of their systems and their processes.

PCI DSS related costs during and after the review

  1. Systems Related Costs

As PCI DSS requires strong security protection to be implemented, such as “one primary function per server” (Req. 2.2.1), the web server, application server and database server will have to be separated from each other if they were previously hosted together. This may mean greater hosting equipment requirements (virtual servers can be used).

Additionally, PCI DSS requires security service components such as a DNS server, NTP server, FIM (File Integrity Monitoring) server and log server; therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.


  2. Security Equipment Costs

Additional security equipment may need to be purchased (e.g. firewalls, IPS, IDS, WAF).

  3. Data Encryption Costs

PCI DSS requires card data encryption. Organisations will typically use an HSM (Hardware Security Module) for hardware encryption to ensure the security of the stored cardholder data.

  4. Training Costs

PCI DSS requires employees to undergo awareness training, secure coding training and IRP (Incident Response Plan) drills. In addition, to perform vulnerability scans and penetration tests, your staff may also have to undergo sufficient technical training to operate these tools.

  5. Technical Audit Costs

PCI DSS mandates a number of technical audits, including:

  • Card Number Scanning
  • Code Review
  • Internal Vulnerability Scan
  • ASV, External Vulnerability Scan
  • Internal Penetration Test
  • External Penetration Test
  • Wireless Scan

There may be some additional costs here.

  6. Other Costs

If your organization is designated as a Service Provider, you will be required to register, for example in VISA’s Visa Registry or MasterCard’s Service Provider Registration.

Let us provide an example of a small-to-medium sized Service Provider, who is undergoing the PCI DSS compliance process for the first time. These are the estimated additional expenses:

Section | Expected extra costs | Remarks
Systems | 5-6 more servers, one-time expenditure of US$15,000 | 
Security equipment | More WAF, IPS and other systems required, one-time expenditure of US$15,000-20,000 | Assuming an intermediate WAF
Data encryption equipment | Up to US$30,000 in HSM costs | HSM prices vary greatly; software encryption methods can also be used
Training | Training costs up to US$2,500 a year | Can be conducted internally
Technical audits | Depending on the number of servers and applications, may cost between US$30,000-90,000 annually | 
Others | Registration fees to the card organisations are about US$3,000-5,000 per year | 

PCI DSS Compliance Fees

In addition to the possible costs above, the PCI DSS Compliance fees and the time required by a QSA to complete the audit depend on the following factors as well.

  • System Complexity: The number of hosts, the type of OS used by the system, the number of components installed on the system, whether there are multiple OSs used at the same time, whether there are multiple security configurations.
  • Security Devices and Network Segments: How many security devices there are, such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP etc. These security devices must be set up and updated with proper access controls and logs. We must also check and ensure that the records are kept, and the higher the number, the more complicated the network segment will be, which will increase the time required to audit.
  • The number of connected acquirers and service providers: The more acquirers there are, the more complicated the data-flows of the system.
  • Retention and encryption of database and card data: The more diverse the card data flows and the more diverse the types of card data storage, the more requirements there are for encryption and security protections, which leads to more items for auditing.
  • Number of operation units: The number of stores, number of server rooms used, and the number of offices will also increase the number of days required for review. Bank, telecommunications companies etc. will have a large number of storefronts and offices, which will lead to longer auditing periods required. Backup server rooms that store card data will also be included in the scope of review.

The cost of a PCI DSS audit will also differ by geography, as the PCI SSC charges different annual fees for each region, and the cost of a QSA also differs by region. For example, a small-to-medium sized Service Provider in Southeast Asia will require around 3-5 days of on-site assessment and about a week for preparation of the report. Excluding transportation costs, a first-time PCI DSS certification may cost between 15,000 USD and 25,000 USD. Of course, the actual price must be estimated from the variables mentioned above, which determine the amount of time required for the audit.

Vincent Huang

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

- IT Security Management, Payment Card Industry Security, Data Center Security and Cloud Security

- Professional certification: DSS QSA, PCI 3DS Assessor, PIN Security QPA, CISSP, CEH, NSPA, ISMS LA, ITSM LA, Certified CSA STAR Auditor, Europrise Technical Expert

