CMS Hybrid Cloud Launches the 2024 Q4 CMS Enterprise Security Campaign
CMS Cloud
________________________________________________________________________
Summary:
Starting *November 5th, 2024*, the CMS Hybrid Cloud Team began the Q4 2024 CMS Enterprise Security Campaign.
Any findings will be tracked via Jira tickets [ https://jiraent.cms.gov/secure/Dashboard.jspa ] and assigned to the respective teams to remediate risks. The Q4 CMS Enterprise Security Campaign is targeting a list of ten (10) Common Vulnerabilities and Exposures (CVEs) sourced from Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
In consideration of Open Enrollment change moratoriums, Marketplace accounts will have additional time after Open Enrollment to address their findings. Additional guidance for Marketplace accounts will be communicated via Jira tickets.
On *November 20th, 2024*, new AWS Security Hub Guardrails will be added to *Non-Marketplace accounts* to prevent reintroduction of certain findings back into the CMS environment.
Benefits
Resolving findings in customers' Jira tickets [ https://jiraent.cms.gov/secure/Dashboard.jspa ] ensures CMS systems remain secure. Participating in proactive, routine security activities, such as this CMS Enterprise Security Campaign, reduces the risk of unauthorized and/or malicious activity.
The CMS Enterprise Security Campaign will target and identify the following CVEs from CISA's KEV catalog:
Targeted Known Exploited Vulnerabilities (KEVs)
| CVE | Plugin ID | Description | Severity |
|---|---|---|---|
| CVE-2023-20198 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-20198 ] | 184452 | Cisco IOS XE Unauthenticated Remote Command Execution | Critical |
| CVE-2022-1388 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1388 ] | 160726 | F5 BIG-IP RCE (CVE-2022-1388) | Critical |
| CVE-2024-21302 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21302 ], CVE-2024-29995 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29995 ], CVE-2024-37968 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37968 ] | 205447 | KB5041773: Windows 10 Version 1607 / Windows Server 2016 Security Update (August 2024) | Critical |
| CVE-2019-18935 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18935 ] | 135970 | Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability | Critical |
| CVE-2024-36979 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36979 ], CVE-2024-38538 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38538 ], CVE-2021-47018 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47018 ] | 205214 | RHEL 8: kernel (RHSA-2024:5101) | High |
| CVE-2022-1011 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1011 ], CVE-2024-36971 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36971 ] | 205433 | RHEL 7: kernel (RHSA-2024:5259) | High |
| CVE-2013-3900 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3900 ] | 166555 | WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck) | High |
| CVE-2024-38200 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38200 ], CVE-2024-38170 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38170 ], CVE-2024-38171 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38171 ] | 206023 | Security Updates for Microsoft Office Products C2R (Aug 2024) | High |
| CVE-2023-45871 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45871 ], CVE-2024-1086 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1086 ], CVE-2024-26602 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26602 ] | 192963 | RHEL 7: kernel (RHSA-2024:1249) | High |
| CVE-2024-20399 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-20399 ] | 201218 | Cisco NX-OS Software CLI Comm Injection (cisco-sa-nxos-cmd-injection-xD9OhyOP) | Medium |
*Note:* Operating System (OS)-level findings are remediated by the CMS Hybrid Cloud Team for customers who receive regular CMS Gold Image patching services. Please note that CMS customers are responsible for patching any software installed on top of the provided CMS Gold Image.
* For *Non-Marketplace accounts*, CMS Hybrid Cloud will deploy auto-remediation for the following Security Hub controls:
  * Guardrails / auto-remediations (Security Hub controls):
    * EC2.18 [ https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-18 ] - Security groups should only allow unrestricted incoming traffic for authorized ports
      * We will also manually ticket for these since it is stricter than EC2.19 (which was in 2024 Q3).
    * S3.8 [ https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-8 ] - S3 general purpose buckets should block public access.
      * This was ticketed in Q3 2024, thus new tickets will not be created for Q4.
  * CMS customer teams with existing findings for these Security Hub controls will receive a Jira ticket.
  * Teams will either need to resolve the finding or obtain an exemption [ https://cloud.cms.gov/exemption-policy-guide-aws-security-hub ].
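Teams that want to see whether they would trip the two controls above before the November 20th guardrails land can pre-check their own inventory offline. The script below is an added example, not CMS Hybrid Cloud code: it evaluates EC2.18 and S3.8 logic over dictionaries shaped like boto3's `describe_security_groups()` and `get_public_access_block()` responses, with constructed sample data in place of a live account, and assumes the control's documented default authorized TCP ports (80 and 443); adjust `AUTHORIZED_TCP` if your account sets a different parameter.

```python
"""Offline pre-check for Security Hub controls EC2.18 and S3.8 (example)."""
from typing import Dict, Iterable, List, Set, Tuple

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
AUTHORIZED_TCP: Set[int] = {80, 443}  # EC2.18 default authorizedTcpPorts
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_world_open(perm: dict) -> bool:
    """True if the ingress permission accepts traffic from any IPv4 or IPv6 source."""
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))


def ec2_18_findings(groups: Iterable[dict],
                    authorized_tcp: Set[int] = AUTHORIZED_TCP
                    ) -> List[Tuple[str, str, int, int]]:
    """Return (GroupId, protocol, FromPort, ToPort) for each world-open rule
    that is not entirely covered by the authorized TCP ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _is_world_open(perm):
                continue
            proto = perm.get("IpProtocol", "-1")
            if proto == "-1":  # "all traffic" rules are never authorized
                findings.append((sg["GroupId"], proto, 0, 65535))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if proto != "tcp" or any(p not in authorized_tcp for p in range(lo, hi + 1)):
                findings.append((sg["GroupId"], proto, lo, hi))
    return findings


def s3_8_findings(buckets: Dict[str, dict]) -> List[str]:
    """Return bucket names whose PublicAccessBlock does not enable all four settings."""
    return sorted(name for name, cfg in buckets.items()
                  if not all(cfg.get(k) is True for k in PAB_KEYS))


# Constructed sample inventory (not real CMS resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
]
SAMPLE_BUCKETS = {
    "app-logs": {k: True for k in PAB_KEYS},
    "legacy-site": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
}

if __name__ == "__main__":
    print("EC2.18:", ec2_18_findings(SAMPLE_GROUPS))
    print("S3.8:", s3_8_findings(SAMPLE_BUCKETS))
```

Feeding real responses in requires only replacing the two sample structures with the `SecurityGroups` list and a per-bucket map of `PublicAccessBlockConfiguration` values.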
Expected Actions
* CMS customer teams with findings will receive a Jira ticket [ https://jiraent.cms.gov/secure/Dashboard.jspa ].
* If you would like to obtain an exemption, you will need to complete an attestation [ https://cloud.cms.gov/compliance-attestations ].
* CMS customers should resolve all received Jira tickets as soon as possible.
* For help, please refer to the "Questions or Concerns" section below for instructions on how to submit a Hybrid Cloud Support Ticket [ https://jiraent.cms.gov/plugins/servlet/desk/portal/22 ].
* Failure to resolve findings can lead to compromised systems that result in greater risks for unauthorized and/or malicious activity.
* Unresolved system flaws will result in Plan of Action and Milestones (POA&Ms) being issued against the Federal Information Security Modernization Act (FISMA) boundary.
Timeline
* *November 5th, 2024:* CMS Customers with findings will receive Jira tickets [ https://jiraent.cms.gov/secure/Dashboard.jspa ] for the findings noted in the "Benefits" section above.
* *November 20th, 2024:* CMS Hybrid Cloud will add new AWS Security Hub GuardRails to *Non-Marketplace accounts* to protect CMS systems from reintroducing findings back into the environment.
* *Open Enrollment*: Given the security campaign overlaps with Open Enrollment, Marketplace accounts will have additional time after Open Enrollment to address their findings.
Additional Information
* Learn about Security Hub Campaigns [ https://cloud.cms.gov/cms-cloud-security-campaigns ]
* Exemption Policy Guide [ https://cloud.cms.gov/exemption-policy-guide-aws-security-hub ]
Questions or Concerns
We look forward to helping you and your team. Reach out to your CMS Hosting Coordinator with any questions.
For further help on this issue, please fill out a Hybrid Cloud Support ticket [ https://jiraent.cms.gov/plugins/servlet/desk/portal/22 ] specifying *Service* as "Security Hub" and *Request* as "Security Hub Findings".
Office of Information Technology