VMware has released security updates to address vulnerabilities in ESXi, Workstation, and Fusion. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisories VMSA-2019-0020 and VMSA-2019-0021 and apply the necessary updates.

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

• Animate CC 2019 APSB19-34
• Illustrator CC APSB19-36
• Media Encoder APSB19-52
• Bridge CC APSB19-53

Intel has released security updates to address vulnerabilities in multiple products. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:

• BMC Advisory INTEL-SA-00313
• UEFI Advisory INTEL-SA-00280
• SGX and TXT Advisory INTEL-SA-00220
• Processor Security Advisory INTEL-SA-00240
• CSME, Intel SPS, Intel TXE, Intel AMT, Intel PTT and Intel DAL Advisory INTEL-SA-00241
• Graphics Driver for Windows Advisory INTEL-SA-00242
• Ethernet 700 Series Controllers Advisory INTEL-SA-00255
• SGX Advisory INTEL-SA-00293
• Proset/Wireless Wifi Software Security Advisory INTEL-SA-00288
• WIFI Drivers and Intel® PROSet/Wireless WiFi Software Extension DLL Advisory INTEL-SA-00287

For updates addressing medium severity vulnerabilities, see the Intel Security Advisories page.

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s November 2019 Security Update Summary and Deployment Information and apply the necessary updates.

As this holiday season approaches, the Cybersecurity and Infrastructure Security Agency (CISA) encourages users to be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online. Cyber actors may send emails and ecards containing malicious links or attachments infected with malware or may send spoofed emails requesting support for fraudulent charities or causes.

CISA encourages users to remain vigilant and take the following precautions:

• Avoid clicking on links in unsolicited emails and be wary of email attachments (see Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams).
• Use caution when shopping online (see Shopping Safely Online).
• Verify a charity’s authenticity before making donations. Review the Federal Trade Commission's page on Charity Scams for more information.

Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories webpage.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

• Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability
• Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Command Injection Vulnerability
• Cisco TelePresence Collaboration Endpoint and RoomOS Software Denial of Service Vulnerabilities
• Cisco TelePresence Collaboration Endpoint, TelePresence Codec, and RoomOS Software Privilege Escalation Vulnerability
• Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities
• Cisco Wireless LAN Controller HTTP Parsing Engine Denial of Service Vulnerability
• Cisco Web Security Appliance Unauthorized Device Reset Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has launched Cyber Essentials, an effort to assist small organizations in understanding and addressing cybersecurity risks. Developed in partnership with small businesses and small state, local, tribal, and territorial (SLTT) governments, Cyber Essentials aims to equip these organizations with basic steps and resources to improve their cybersecurity resilience.

CISA’s Fall 2019 Cyber Essentials infographic includes a list of six actions organizations can take to reduce cyber risks:

• Drive cybersecurity strategy, investment, and culture;
• Develop security awareness and vigilance;
• Protect critical assets and applications;
• Ensure only those who belong on your digital workplace have access;
• Make backups and avoid the loss of information critical to operations; and
• Limit damage and quicken restoration of normal operations.

CISA encourages small organizations to review CISA’s Cyber Essentials page to learn more about improving their cybersecurity resilience. 

U.S. Cyber Command has released seven malware samples to the malware aggregation tool and repository, VirusTotal. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review U.S. Cyber Command’s VirusTotal page to view the samples. CISA also recommends users and administrators review the CISA Tip on Protecting Against Malicious Code for best practices on protecting systems and networks against malware.

The Cybersecurity and Infrastructure Security Agency (CISA) has released version 9.2 of its Cyber Security Evaluation Tool (CSET). CSET is a desktop software tool that guides asset owners and operators through a consistent process for evaluating control system networks as part of a comprehensive cybersecurity assessment that uses recognized government and industry standards and recommendations.

CSET 9.2 includes the following feature enhancements and upgrades:

• Web-based diagram editor
• Enhanced reporting
• New capability maturity model for financial sector customers
• National Credit Union Administration (NCUA) Automated Cybersecurity Examination Tool (ACET) Standard
• Financial sector risk assessment wizard
• New analysis for network diagram questions
• Transportation Security Administration (TSA) 2018 Pipeline security standard
• International Society of Automation (ISA)/International Electrotechnical Commission (IEC) 62443 standards  

CISA encourages users to update to CSET version 9.2, available at https://github.com/cisagov/cset/wiki.

November is National Critical Infrastructure Security and Resilience Month. The Nation’s critical infrastructure (CI) relies on a highly interdependent environment, in which physical and cyber systems converge. CI plays a vital role in keeping our Nation and communities safe and secure. Everyone is involved in the mission to protect CI and can help by using cybersecurity best practices, reporting cybersecurity incidents and phishing attempts, and submitting malware for review.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages critical infrastructure owners and operators to download the Critical Infrastructure Security and Resilience Month Toolkit and to visit CISA’s Critical Infrastructure Security and Resilience Month resource page throughout November for information and updates.