Part of EnergyBiz® Network »
Utility Management Group
Senior decision-makers come together to connect around strategies and business trends affecting utilities.
Shared Link
NPCC Security Bulletin Publicly available: Zoho ManageEngine ServiceDesk Plus Vulnerability
Just what we needed on the heels of the Log4j vulnerability, another remote code execution (RCE) vulnerability - see link below.
It feels like we are drowning in vulnerabilities and the life rafts are scarce. The energy industry could benefit greatly by following the advice of EEI and require software vendors to provide SBOM's as apart of the procurement contract negotiations. Once an SBOM is in hand a software customer can follow the NATF Security Assessment Model and NIST SP 800-161 R2 Appendix F guidelines for supply chain risk assessment best practices using SBOM, see this Energy Central article for details.
Never trust software, always verify and report!™
NPCC Security Bulletin Publicly available: Zoho ManageEngine ServiceDesk Plus Vulnerability
Zoho ManageEngine ServiceDesk Plus Vulnerability On Thursday, December 2, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigations (FBI) reported a new campaign targeting ManageEngine ServiceDesk Plus servers (on-premises) that are vulnerable to CVE-2021-44077. CVE-2021-44077 is an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus affecting all versions of ServiceDesk Plus up to, and including, version 11305. Following initial exploitation of CVE-2021-44077 on a targeted system, the threat actors have been observed uploading executable files and placing web shells that enable post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
Source: www.npcc.org
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member
- Gas-Electric Harmonization Initiative in NAESB is on track to succeed
- FERC commissioners pursue market, non-market answers to ISO-NE’s ‘dire’ winter reliability risks
- Utilities That Lack a Data Analytic Platform are Driving Blind and at Risk
- OMB Memo Identifies Best Practices for Software Supply Chain Protections
Discussions
Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.
No discussions yet. Start a discussion below.
Get Published - Build a Following
The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.
If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.
Your access to Member Features is limited.
Sign in to Participate