Are you ready for PCI DSS v4.0

Are you ready for PCI DSS v4.0

/in ,
Read more

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

/in ,

An out-of-bounds write flaw was found in the Linux kernel’s seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations.

From PCI DSS point of views, primary concerns are operating system user account security.  Verification on the necessities of allowing access given to System, restrict only the mandatory rights to login with logging, ePBF etc. Patch management, especially critical, should be complete in 30 days.


  • PCI DSS Requirements 2.1 : Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.  Verify /etc/password have proper settings, delete or set to “nologin”, preventing non mandatory users can login using vulnerability to compromise the system.
  • PCI DSS Requirements 6.2 : Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Verify Operating System vendors have releasing relate patch and complete patch update within 1 month.  If there are no updates from the vendors, necessary mitigation process should be in place.


Patch updates resolving this vulnerability (CVE-2021-33909) noted by Qualys Security Research Team, see following form for Patch listing:


SourceRisk level
NESSUS
https://www.tenable.com/cve/CVE-2021-33909		CVSS (v2) 7.2
NIST NVD
https://nvd.nist.gov/vuln/detail/CVE-2021-33909		CVSS (v3) 7.8
Redhat
https://access.redhat.com/security/cve/cve-2021-33909		CVSS (v3) 7.0
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909		Source: MITRE

Update on 2021/09/10

Qualys Security Research Team has proven vulnerability by accessing root rights in vulnerable OS of : Ubuntu 20.04、Ubuntu 20.10、Ubuntu 21.04、Debian 11 and Fedora 34 Workstation.  Other Linux OS may result in I.O.C. generate from this vulnerability.  Linux Servers patch fix as follow:


Operating SystemSecurity patch link
Redhathttps://access.redhat.com/security/cve/cve-2021-33909
CentOShttps://centosfaq.org/centos/its-been-six-days-since-cvd-2021-33909-was-patched-in-rhel-whats-the-holdup-for-stream-8/

https://centos.pkgs.org/8-stream/centos-baseos-x86_64/kernel-4.18.0-326.el8.x86_64.rpm.html

SUSEhttps://www.suse.com/security/cve/CVE-2021-33909.html
ubuntuhttps://ubuntu.com/security/CVE-2021-33909

Update on 2021/09/10

If there are no updates from the vendors, necessary mitigation process should be in place.

sysctl kernel.unprivileged_userns_clone=1   # unprivileged_userns_clone set as 0

sysctl kernel.unprivileged_bpf_disabled=1   # unprivileged_bpf_disabled set as 1

For technical details, please refer to below link:

https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt


Max Tsai

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA



Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.



You might also like


PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

What is your SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

PCI 3DS 驗證 3 步驟_Max

PCI DSS Compliance Process and Requirements

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.


Payment Security Market to Reach $24.6 Billion by 2022: Driven by the Need to Adhere to PCI DSS Guidelines & the Rise in Fraudulent Activities in Ecommerce

/in

The Payment Security Market by Solution, Service, Organization Size, Industry Vertical, and Region in 2022

The global payment security market size is expected to grow from USD 11.39 Billion in 2017 to USD 24.63 Billion by 2022, at a Compound Annual Growth Rate (CAGR) of 16.7%. The major growth drivers of the market include increased adoption of digital payment modes, need to adhere to PCI DSS guidelines, and rise in fraudulent activities in Ecommerce. The payment security market is segmented by component (solution and service), organization size, industry vertical, and region. The solutions segment in the market is expected to have a larger market size than the services segment during the forecast period. The reason behind the high growth rate is the increased need to secure online business sensitive transactions from advanced cyber-attacks.

The support services segment is expected to grow at a higher CAGR during the forecast period with the largest market size. The large enterprises segment is expected to account for a larger market size in 2017. However, the Small and Medium-Sized Enterprises (SMEs) segment is expected to grow at a higher CAGR during the forecast period, as SMEs are mainly adopting payment security solutions to protect the customer-sensitive bank account data from network vulnerabilities and attacks.

Payment security solutions and services are deployed across various industry verticals, including retail; travel and hospitality; IT and telecom; healthcare; education; media and entertainment; and others. The education vertical is expected to grow at the highest CAGR during the forecast period. However, the retail vertical is expected to have the largest market size in 2017, as retailers are using various interesting ways such as, offers and discounts to attract customers for online shopping. Therefore, the adoption of the payment security solutions is increasing in the retail sector.

On the basis of regions, the global payment security market has been segmented into North America, Europe, Asia Pacific (APAC), Middle East and Africa (MEA), and Latin America to provide a region-specific analysis. The North American region, followed by Europe, is expected to be the largest revenue-generating region for payment security service vendors in 2017. In the developed economies of the US and Canada, there is a high focus on innovations obtained from Research and Development (R&D) and payment security technologies. The APAC region is expected to be the fastest-growing region in the market. The growth in this region is primarily driven by the increasing adoption of advanced payment technologies within organizations to perform business transactions.

 

 

 

 

Research and Market, dated 1 August 1, 2017
http://www.researchandmarkets.com