🔒 Microsoft Issues Major Security Update – 130 Vulnerabilities Patched!

/in ,

🔒 Microsoft Releases July 2025 Patch Tuesday Update — Fixes 130 Security Vulnerabilities Including Critical SQL Server Flaw

On July 9, 2025, Microsoft released this month’s Patch Tuesday update, addressing a total of 130 security vulnerabilities, including 10 rated as “Critical.” The updates span multiple key Microsoft products such as SQL Server, Windows, and Office (Word, PowerPoint, Excel).

Among the vulnerabilities, one is particularly relevant to PCI DSS compliance: CVE-2025-49719 (CVSS score: 7.5), an information disclosure vulnerability in Microsoft SQL Server. The flaw could potentially allow unauthorized attackers to read uninitialized memory, exposing sensitive data such as passwords or encryption keys.

 

According to Adam Barnett, Principal Software Engineer at Rapid7, while attackers might not immediately retrieve meaningful data, with skilled manipulation, it may be possible to extract critical information such as encryption keys.

Mike Walters, President of Action1, noted that the vulnerability may stem from insufficient input validation in SQL Server’s memory management, which allows access to uninitialized memory. This could lead to leakage of credentials, connection strings, or other sensitive information. Affected components include the SQL Server engine and applications using OLE DB drivers.

⚠️ Security experts strongly urge:
System administrators and IT teams should immediately deploy this update, especially for organizations running Microsoft SQL Server, to prevent the risk of widespread exploitation.

Source:

https://thehackernews.com/2025/07/microsoft-patches-130-vulnerabilities.html

https://krebsonsecurity.com/2025/07/microsoft-patch-tuesday-july-2025-edition/

#Microsoft #CyberSecurity #PatchTuesday #InfoSec #VulnerabilityManagement #PCI #SQLServer #WindowsSecurity

 

【Secure Vectors's Security Classroom】

📌 What is CVSS?

CVSS stands for the Common Vulnerability Scoring System. It’s a way to evaluate and rank reported vulnerabilities in a standardized and repeatable way. This score helps organizations prioritize their response to different security risks.
CVSS generates a score from 0 to 10 based on the severity of the vulnerability.
With 10 being the most critical, based on factors like how easily the vulnerability can be exploited, its potential impact on confidentiality, integrity, and availability, and the complexity of the attack.

ASV Vulnerability Scanning Service Announcement

/0 Comments/in , ,

Dear Valued Customer,

 

Thank you for your continued support and trust in SVITI (Secure Vectors International Technologies Inc.). To help your company efficiently complete quarterly PCI DSS ASV (Approved Scanning Vendor) vulnerability scans, SVITI offers ASV account setup and scanning services through the Qualys platform. This support is designed to alleviate challenges related to heavy workloads or managing large number of accounts.

 

Going forward, we will provide an ” Authorized Scanning Service Application & Consent Form” based on the current expiration date of each customer’s ASV account. This form will confirm the scan targets and complete the authorization process. Once this is finalized, SVITI will officially take over and perform the scans on your behalf. For accounts that have not yet expired, the current process will remain unchanged until the accounts have been converted.

 

The service process is described below:

  1. Provide and complete the “Authorized Scanning Service Application & Consent Form” to confirm the scanning targets for each quarter.
  2. The first scan will be conducted mid-quarter, with an initial report provided for reference.
  3. Clients must complete remediation within two weeks, after which a re-scan will be scheduled.
  4. If the remediation period exceeds two weeks or the number of re-scans exceeds two, additional fees will be charged.

 

We will continue to optimize our process and introduce more services tailored to our clients’ needs, aiming to provide your company with more comprehensive compliance support.

If you have any questions or require further clarification, please feel free to contact us at any time.

 

Best regards,

Secure Vectors Information Technologies Inc.

2025-06-01

PCI DSS v4.0

Who need PCI DSS Compliance?

/0 Comments/in

Service Provider & Merchant 

Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.

PCI DSS

Service Provider 

“Service Provider” as defined by PCI DSS is an organization providing services that involve transmitting, processing, or storing payment cardholder data on behalf of merchants or other service providers.

This includes entities offering payment processing services, wallet providers, platforms integrating various payment channels, online marketplaces, and others impact security of cardholder data.

Additionally, data centers providing virtual hosting services and cloud service providers are not directly involved in transaction services; maybe impact cardholder data security to some extent and are also classified as service providers.

Unlike merchants, service providers are categorized into two levels. Using VISA as an example, the classification and compliance requirements are detailed as follows:

Level 1:

  • ● Processes over 300,000 transactions annually.
  • ● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 2:

  • ● Processes less 300,000 transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
PCI DSS Service Provider Level

Merchant

Level 1:

  • ● Processes over 6 million transactions annually.
  • ● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 2:

  • ● Processes between 1 million and 6 million transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 3:

  • ● Processes between 20,000 and 1 million transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 4:

  • ● Processes up to 20,000 transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV) (optional).

For more details, refer to the VISA website
https://usa.visa.com/support/small-business/security-compliance.html
https://usa.visa.com/partner-with-us/pci-dss-compliance-information.html

Mastercard Level 2 Merchant change

In addition, In addition, Mastercard has specific requirements for Level 2 merchants that differ significantly. If a Level 2 merchant is required to complete SAQ A, SAQ A-EP, or SAQ D for Merchant, the assessment and completion must be conducted by an approved Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). This requirement has been effective since March 2021.

For more information, welcome to contact us.

first time PCI DSS Compliance

PCI DSS Compliance for dummies

/0 Comments/in ,

【PCI DSS Compliance for dummies】

Even Cybersecurity Beginners Can Achieve Compliance

Top 5 questions asked (2W3H), when 1st time required by an acquirer or supervisor to obtain PCI DSS certification.

As the booming growth of e-commerce, remote work, and delivery platforms continues into 2024, the usage of cross-border transactions and online payments has accelerated, making payment card information security increasingly critical.

To protect cardholder personal information, the Payment Card Industry Security Standards Council (PCI SSC) mandates that all entities storing, processing, or transmitting cardholder data must comply with PCI DSS requirements.

The 12 core requirements and their sub-requirements within PCI DSS are designed to protect cardholder data.

When your acquiring bank, regulatory authority or boss requires you to obtain PCI DSS certification, and you’re unsure where to start, you might ask the following five key questions (2W3H):

Table of Contents

What is PCI DSS ?

PCI DSS stands for Payment Card Industry Data Security Standards, which is established and managed by the international organization, Payment Card Industry Security Standard Council (PCI SSC). These standards are specially designed to protect payment card data from unauthorized access and misuse.

PCI SSC comprises major global credit card organizations, including American Express, Discover Financial Services, JCB, MasterCard, Visa Inc., and China UnionPay.

PCI DSS standards are a set of industry-wide guidelines, focused on securing cardholder information across these brands. These standards apply to all entities, which store, process, or transmit cardholder data. Merchants or service providers handling payment cards from these brands, regardless of their size or transaction volume, are all required to follow and comply with PCI DSS to ensure the security of cardholder information.

Who needs PCI DSS Certification?

Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.

Step 1: To determine whether the entity is a Merchant or Service Provider.

Merchants

Organizations that accept payment cards in exchange for goods or services. This category includes physical stores, online stores, and those offering downloadable virtual goods or services.

Service Providers

Entities that transmit, process, or store payment cardholder data as part of services they offer, or that can control or influence the security of cardholder data, including third-party payment processors, payment gateway providers, wallet service providers, and online marketplaces. Data centers and cloud service providers offering virtual hosting services also belong to this category.

Step 2: Once determining whether your organization is a Merchant or a Service Provider, you can further identify the PCI DSS level.

Level 1 Merchants and Service Providers

require an on-site assessment by a Qualified Security Assessor (QSA), who will conduct the review and provide a report.

Level 2-4 Merchants and Level 2 Service Providers

can use the PCI DSS Self-Assessment Questionnaire (SAQ) to perform a self-assessment, or they can seek assistance from a QSA to ensure a faster and more accurate evaluation.

Service Provider & Merchant

Who can assist PCI DSS Certification?

For Level 1 Merchants or Service Providers undergoing their first PCI DSS assessment, it is advisable to seek professional guidance.

QSA (Qualified Security Assessor)

is a professional authorized by PCI SSC, trained and certified to conduct PCI DSS assessments and provide Reports on Compliance (ROC) and Attestations of Compliance (AOC). QSAs must regularly update their certification to stay current with the latest PCI DSS versions. If your organization is a Level 1 Merchant or Service Provider, an on-site assessment by a QSA is mandatory.

QSAC (Qualified Security Assessor Company)

employs QSAs and provides expert assessment and consulting services. QSAC can assist you in understanding the specific requirements of PCI DSS and guide you in establishing a secure Payment environment.

How to choose QSA and QSAC?

  1. Visit [PCI Security Standards Council] to verify the certified QSA and QSAC.

  2. Inquire peers or partners about their experience and recommendations that already completed PCI DSS Assessment.
  3. Review customer evaluations and case studies of potential QSAs and QSACs to ensure their experience and expertise.
  4. Consultation Services: Conduct initial consultations with multiple QSAs or QSACs to understand their service scope, fee, and work process.

By following these steps, you can find a suitable QSA or QSAC to assist your PCI DSS Assessment, ensuring the payment environment is secure and compliant.

How to do?

PCI DSS Compliance Assessment normally consists of 4 main stages:

1. Preparation Stage

Scope Confirmation and Consulting phase.

**Scope Confirmation**

  • Preliminary Assessment: Evaluate existing security measures to identify gaps and scope needing adjustment.
  • Define Assessment Scope: Determine systems, networks, and applications that need to comply with PCI DSS standards.

**Consultation Phase**

  • Engage Consultant or QSA: Select a Qualified Security Assessor (QSA) or Qualified Security Assessor Company (QSAC) to assist in verifying environment compliance, guiding remediation processes, and scheduling Assessment.
  • Security Training: Provide employees with relevant security training to enhance overall security awareness.

2. Data Preparation Phase

Preparation and Implementation of Necessary Controls

**Data Preparation**

● Policies and Procedures: Develop and update security policies and operational procedures to ensure PCI DSS compliance.
● Document Collection: Gather and organize all required documents and evidence to demonstrate compliance.

3. Assessment Phase

QSA Conducts On-Site Assessment.

**Audit Execution**

● Internal Assessment: Conduct internal reviews before formal Assessment to ensure all issues are addressed.

● On-Site Assessment: Conduct on-site Assessment led by QSA to verify consistency between actual operations and documented practices.

4. Report Phase

QSA Writes and Submits Compliance Reports and Certifications

● Report Writing: QSA writes Report on Compliance (ROC) and Attestations of Compliance (AOC).

● Report Submission: You can submit a report to the Payment Card Organization or Acquirer.

● Certification Issuance: You will receive compliance certifications indicating adherence to PCI DSS standards from QSAC.

How long does it take?

The overall timeline for achieving PCI DSS compliance certification, from initial environment verification to providing final reports, is about 3 to 5 months. Main stages of Compliance Certification Process are listed below:

  1. Preparation Stage(1-2 months):Environment Verification and Consultation Phase.

  2. Data Preparation Stage (1 month): Preparation and Implementation of necessary Control Measures.

  3. Assessment Stage (5-7 days): On-site Assessment conducted by QSA.

  4. Report Stage (0.5-1 month): QSA writes and submits Compliance Reports and Certifications.

PCI DSS Certification timeline

Actual timelines may vary due to the following factors:

  • Preparedness: The extent of preparation before certification can expedite the process.
  • Complexity of Systems and Operations: The complexity of IT environments, network architecture, and operational processes can affect certification timelines.
  • Resources invested by the company (including manpower, time, and budget) and efficiency in project management.


To ensure an efficient process, it is recommended to:

  • Begin preparation: As early as possible, especially organizing documents and policies.
  • Effective Communication: Maintain close communication with QSA throughout the certification process to promptly address any issues that arises.
  • Continuous monitoring: After certification, it is necessary to continue maintaining and improving security measures to ensure long-term compliance with PCI DSS requirements.

How much does it cost?

Estimated Additional Costs for 1st-time PCI DSS Compliance

A. System

Due to the high-security requirements of PCI DSS, certain systems may need to be separated to comply with requirements such as having only one primary function per system component (Req. 2.2.3). Previously, functions like Web Server, Application Server, and DB Server might have been on one machine but now need to be split, potentially requiring additional server equipment (virtual servers can be used).Additionally, security components like NTP Servers, FIM Servers (File Integrity Management), and Log Servers may be needed to meet compliance, potentially increasing the number of required machines compared to before.

B. Security Equipment

Meeting PCI DSS security requirements may necessitate purchasing additional security equipment such as Network Security Control devices (NSCs) like firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), and Web Application Firewalls (WAF).

C. Data Encryption Equipment

Organizations with high security and performance demands may opt for Hardware Security Modules (HSMs) to encrypt card data securely as required by PCI DSS.

D. Personnel Training

PPCI DSS mandates training for personnel including awareness training, secure coding training, and conducting drills for Incident Response Plans (IRP). If staff perform Vulnerability Scans or Penetration Tests, they will also require adequate security training, potentially increasing training costs.

E. Technical Test

PCI DSS requires various periodic technical tests including Internal Vulnerability Scans, External Vulnerability Scans (ASV), Internal and External Penetration Tests, Wireless Scans, Card Number Scans, and Code Reviews. This section typically incurs additional expenses.

F. Other

If you are a service provider, acquiring institutions or card organizations may require registration in their service provider registries like VISA Registry or MasterCard SDP (Service Provider Registration).

For a small to medium-sized Service Provider without prior PCI DSS compliance experience, the estimated additional expenses might include as listed below:

PCI DSS extra cost for first time

PCI DSS Certification Costs

In addition to the potential additional costs mentioned above, the cost of PCI DSS Assessment can be varied with the time required by PCI DSS QSAs to complete the Assessment and Report.

The estimated assessment time depends on the following factors:

  1. System Complexity: The number of hosts, types of operating systems used, components installed on systems, multiple OS configurations, and security configurations all affect the sampling required during audits and increase audit time.

  2. Security Equipment and Networks: The number of security devices within the assessment scope such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP, etc., requires configuration, updates, access control checks, logging, and more, thereby increasing assessment time with more devices and complex network planning.

  3. Connections to Acquiring Institutions and Service Providers: More connections to acquiring institutions and service providers form more complex data flows (Dataflows), necessitating additional time for inspection.

  4. Database and Card Data Storage and Encryption Methods: Diverse card data flows and storage methods require more encryption or security measures, resulting in additional inspection items.

  5. Number of Operational Units: The number of stores, data centers, and operational offices increases the days required for Assessment, e.g., banks, telecom companies, and businesses with numerous stores and offices with extensive sampling. Moreover, backup data centers storing card data are also included in the scope.

Generally speaking, PCI DSS Assessment costs vary by region due to different annual fees set by the PCI SSC and varying salaries for QSAs in different regions. In Southeast Asia, e.g., a small to medium-sized service provider requires 3-5 days for on-site Assessment and around a week for report compilation. Excluding travel costs, PCI DSS certification costs typically range between NT$400,000 to NT$600,000.

However, an actual quotation depends on the complexity factors mentioned above.

Who needs PCI DSS Compliance?
Which SAQ Type?

Whether you are a cross-border e-commerce business, a third-party payment platform, or a service provider, adhering to PCI DSS compliance requirements is crucial. Implementing these compliance measures not only provides your acquiring bank and regulatory authorities with a certificate of compliance but also directly helps your business reduce the risk of data breaches and theft while enhancing consumer confidence in the security of their transactions.

PCI DSS compliance consists of over 400 requirements, covering everything from understanding and interpreting the standards, providing evidence, and obtaining certification, to maintaining compliance in the future. How do you ensure ongoing compliance?

It is recommended to consider hiring a QSAC (Qualified Security Assessor Company) to help you quickly and effectively achieve compliance in a short time.

After certification, you can utilize a compliance management system offering features such as automated monitoring, alerts, regular data submission, and real-time visual status updates. This ensures that your business remains compliant and secure at all times.

*For more information about PCI Compliance Services, please feel free to contact us.

What is your SAQ Type?

/0 Comments/in ,

What is your SAQ Type?

PCI DSS Self-Assessment Questionnaire (SAQ) is a self-assessment questionaire designed to evaluate the compliance status of payment systems. It applies to merchants of levels 2-4 and service providers of level 2.

SAQ assesses an organization’s compliance with various standards. For example, under Visa’s guidelines, merchants processing fewer than 6 million transactions annually or service providers processing fewer than 300,000 transactions annually qualify for the SAQ.

Table of Contents

5 Steps for PCI DSS SAQ Self-Assessment:

  1. Select the SAQ type applicable to you.
  2. Verify that the scope of your PCI DSS environment is accurate.
  3. Self-assess if
    your environment is compliant with PCI DSS requirements.
  4. Complete the SAQ documentation, including assessment information, the questionnaire, and supporting evidence.
  5. Submit the SAQ assessment results and the Attestation of Compliance (AOC) to the requesting organization (acquirer).
Most importantly, choose the SAQ type that suits your environment!

 

For e-commerce, these SAQ versions may apply:

  • Service Providers

SAQ D for Service Provider:

Applicable only to service providers, it includes the requirements from SAQ D for Merchants and adds criteria for documentation and customer policies, procedural reviews, configuration checks, alerts, penetration test records, and more, with a total of 259 questions.

  • Merchants

SAQ A:

For fully outsourced payment services (e.g., payment page using URL redirect or iFrame). SAQ A involves document checks, configuration checks, policy reviews, data retention and disposal, and external vulnerability scans. It’s the shortest SAQ version, with only 29 questions.

SAQ A-EP:

For merchants using an outsourced payment processor but managing their own payment page. SAQ A-EP covers SAQ A items and adds requirements for network management, host management, data security, vulnerability management, access control, and monitoring/testing, with significant additional requirements due to partial involvement in payment processing.

SAQ D for Merchant:

For merchants with an in-house payment system or those storing cardholder data electronically. SAQ D for Merchant has broader requirements than SAQ A-EP, covering all PCI DSS requirements for merchants.

There are 10 different types of PCI DSS SAQs, each determined by the type of payment services you provide. The appropriate SAQ type is typically identified by your acquiring bank or with assistance from a Qualified Security Assessor (QSA), who can review your Cardholder Data Environment (CDE), cardholder data processes (such as card number handling), and data flow to accurately determine the applicable SAQ type. Alternatively, you can refer to the following PCI DSS SAQ type descriptions for a preliminary assessment. For your preliminary assessment, refer to PCI DSS SAQ types provided below.

If you need more information about SAQ types and achieve PCI DSS compliance effectively and accurately, the professional advice from QSA or QSAC is highly recommended. Their expertise can provide valuable insights tailored to your specific needs and ensure your compliance in the most effective manner possible.

How to meet the additional requirement for Service Provider only by PCI DSS v4.0 provision 12.4.2?

/0 Comments/in ,
Read more

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

/0 Comments/in ,
Read more

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

/0 Comments/in ,

Microsoft Windows has recently updated, causing a high-risk Security Vulnerability (CVE-2021-36934) with a CVSS score of over 7 on July 23, 2021. This vulnerability is originated from the loose access policy for some system files, such as the Security Accounts Manager (SAM) databases. Users with malicious intent can use this vulnerability to elevate privileges to execute malicious code, view, change and even delete data, or create a new user account with full authority, etc.

From testing, the devices currently affected are mainly Windows 10 and Windows 11, however from the official information released by Microsoft, Windows Server 2019 is also affected. We must pay special attention to this issue, as there is currently no patch for this update that will safeguard against this vulnerability. As a short-term solution, there is an official workaround. For example, you can delete the affected Volume Shadow Copy Service. (Please refer to: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)

Looking at this issue from the perspective of PCI DSS Compliance, the CVSS score of this vulnerability, which is 7.8 in Base Score Metrics, is of high-risk as it is a higher score than 7. This should be patched within 30 days if possible. Otherwise, other safeguard solutions must be found. If the ASV (Approved Scanning Vendor) external vulnerability scan encounters this problem, the vulnerability scan will not pass.

In addition, Windows 10 is commonly used as a springboard in the server room. Because of the Windows springboard, this may be assigned to different personnel. It is also important to pay attention whether there are ordinary users who will use this vulnerability for other purposes such as unauthorized activities.

This begs the question: How can one maintain the integrity of your security and systems with this vulnerability? We at Secure Vectors propose the following suggestions:

  1. Firstly, restrict access to specific system directories and delete backup copies from the Volume Shadow Copy Service (VSS). The reason for doing this is so that the system cannot be restored through backup/restoration tools. During this period while a patch is being developed, you can prevent the restoration operation from happening.
  2. Temporarily restrict “non-host management authority (Administrator)” personnel from logging into the host. General user accounts are usually able to access the core configuration files, SAM databases, etc. By doing this, non-host management authority personnel will not be able to access these files and thus your organization can avoid attacks from hackers through elevation of authority.
  3. Remember to update the scanning database of the internal vulnerability scanning tool to the latest version and perform a scan to check if the current tool can identify the problem.

Secure Vector consultant

Bryan Cheng

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

- Payment Card Industry Security, IT Security Management, Cloud Service Management
- Professional Certification:PCI DSS QSA, CISSP, ISO27001 LA, BS10012 LA, MCSE, MCITP, TUViT Privacy Protection Consultant

Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.

You might also like


🔒 Microsoft Issues Major Security Update – 130 Vulnerabilities Patched!

ASV Vulnerability Scanning Service Announcement

PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

What is your SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.



Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

/0 Comments/in ,

An out-of-bounds write flaw was found in the Linux kernel’s seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations.

From PCI DSS point of views, primary concerns are operating system user account security.  Verification on the necessities of allowing access given to System, restrict only the mandatory rights to login with logging, ePBF etc. Patch management, especially critical, should be complete in 30 days.


  • PCI DSS Requirements 2.1 : Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.  Verify /etc/password have proper settings, delete or set to “nologin”, preventing non mandatory users can login using vulnerability to compromise the system.
  • PCI DSS Requirements 6.2 : Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Verify Operating System vendors have releasing relate patch and complete patch update within 1 month.  If there are no updates from the vendors, necessary mitigation process should be in place.


Patch updates resolving this vulnerability (CVE-2021-33909) noted by Qualys Security Research Team, see following form for Patch listing:


SourceRisk level
NESSUS
https://www.tenable.com/cve/CVE-2021-33909		CVSS (v2) 7.2
NIST NVD
https://nvd.nist.gov/vuln/detail/CVE-2021-33909		CVSS (v3) 7.8
Redhat
https://access.redhat.com/security/cve/cve-2021-33909		CVSS (v3) 7.0
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909		Source: MITRE

Update on 2021/09/10

Qualys Security Research Team has proven vulnerability by accessing root rights in vulnerable OS of : Ubuntu 20.04、Ubuntu 20.10、Ubuntu 21.04、Debian 11 and Fedora 34 Workstation.  Other Linux OS may result in I.O.C. generate from this vulnerability.  Linux Servers patch fix as follow:


Operating SystemSecurity patch link
Redhathttps://access.redhat.com/security/cve/cve-2021-33909
CentOShttps://centosfaq.org/centos/its-been-six-days-since-cvd-2021-33909-was-patched-in-rhel-whats-the-holdup-for-stream-8/

https://centos.pkgs.org/8-stream/centos-baseos-x86_64/kernel-4.18.0-326.el8.x86_64.rpm.html

SUSEhttps://www.suse.com/security/cve/CVE-2021-33909.html
ubuntuhttps://ubuntu.com/security/CVE-2021-33909

Update on 2021/09/10

If there are no updates from the vendors, necessary mitigation process should be in place.

sysctl kernel.unprivileged_userns_clone=1   # unprivileged_userns_clone set as 0

sysctl kernel.unprivileged_bpf_disabled=1   # unprivileged_bpf_disabled set as 1

For technical details, please refer to below link:

https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt


Max Tsai

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA



Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.



You might also like


🔒 Microsoft Issues Major Security Update – 130 Vulnerabilities Patched!

ASV Vulnerability Scanning Service Announcement

PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

What is your SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.