Industry News
Ed Cartier's monthly roundup of industry news
Articles relating to asset management, technology, security and cloud computing

Industry News Roundup

Industry News - Jun 2024

US Bans Kaspersky Labs Over National Security Concerns
The Biden administration has decided to block all new sales of Kaspersky Labs products and services in the United States. Allegations have been made that the Russian company has strong ties to Russia's nation-state cyber offensives. The Department of Commerce's Bureau of Industry and Security (BIS) stated that Kaspersky will no longer be able to sell its software within the US or provide updates to software already in use. The prohibition applies to the company's US subsidiary, Kaspersky Labs, Inc., and will be enforced on its affiliates, subsidiaries, and parent companies, the statement added. The risk factors considered in the review included threats posed by Russia, vulnerabilities that Kaspersky's ICTS products create for US national security, and the impact of Russia exploiting those vulnerabilities. IT professionals can identify deployed instances of the Kaspersky software by using the software asset management tools in their IT asset management software.
Jun 2024
Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira
The Confluence Data Center and Server patches address six security defects, all of which were disclosed this year. The most severe of these flaws (tracked as CVE-2024-22257) is a broken access control issue in the Spring Framework. That vulnerability could allow unauthenticated attackers to expose assets to which they should not have access. Three server-side request forgery vulnerabilities, tracked as CVE-2024-22243, CVE-2024-22262, and CVE-2024-22259, were also resolved. Atlassian also issued patches for two out-of-bounds write bugs in Apache Commons Configuration. These bugs could allow unauthenticated attackers to cause a denial-of-service (DoS) condition. Patches for all vulnerabilities are included in Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS).
Jun 2024
Microsoft Patches Zero-Click Outlook Vulnerability That Could Soon Be Exploited
The Microsoft Outlook security defect (tracked as CVE-2024-30103) allows attackers to bypass Outlook registry block lists and create malicious DLL files. The Morphisec researchers who discovered the bug consider it critical and warned that attackers might soon start exploiting it because it does not require user interaction. The cybersecurity firm noted that "Execution initiates when an affected email is opened. This is notably dangerous for accounts using Microsoft Outlook's auto-open email feature." The vulnerability can be circulated from user to user and doesn't require a click to execute. The company advised users to update their Outlook clients as soon as possible. Microsoft also released patches for over a dozen remote code execution vulnerabilities, including a critical-severity flaw in Microsoft Message Queuing. IT managers can utilize their IT asset management tools to identify unpatched or vulnerable systems.
Jun 2024
Patch Tuesday: Remote Code Execution Flaw in Microsoft Message Queuing
Microsoft recently advised Windows administrators to prioritize patches for a critical remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) software. The vulnerability (tracked as CVE-2024-30080) has a CVSS severity score of 9.8/10. It can be exploited by an attacker sending specially crafted malicious MSMQ packets to an MSMQ server, resulting in remote code execution. The company also released patches for over 51 security defects across a range of Windows OS components and services. A company's IT asset management tools can be used to easily identify unpatched or vulnerable systems.
Jun 2024
Details of Atlassian Confluence RCE Vulnerability Disclosed
Successful exploitation of the vulnerability requires that the attacker have the privileges needed to add new macro languages and upload a malicious language file. According to Atlassian, the issue was introduced in Confluence version 5.2.
Jun 2024
Flexera 2024 State of ITAM Report is Here (Key Takeaways)
Flexera recently released its 2024 State of ITAM report. This document is an annual research survey conducted by Flexera which evaluates the status of the ITAM industry. For this report the company surveyed 503 IT professionals from various industries and organizations worldwide. Some key points include the rising influence of ITAM, the impact of ServiceNow on ITAM, the ongoing audit challenges, the limited involvement in cloud governance, and the continued relevance of hardware asset management.
Jun 2024

Industry News - Apr 2024

Microsoft Confirms When WordPad Will Be Tossed On The Scrapheap Later This Year With Windows 11 24H2
Microsoft has stated that WordPad will be removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. Users will not be able to avoid losing WordPad when the 24H2 update is distributed to Windows 11 systems. The only way for users to keep WordPad is not to take the 24H2 update when it's released. Users can continue to use 23H2 through November 2025, when support will be discontinued. However, Windows 11 24H2 will be a major update, changing the underpinnings of the OS with a new platform that ushers in performance and security benefits under the hood. IT managers can utilize their IT asset management solution to identify WordPad users and plan a transition to Notepad, which will replace WordPad.
Apr 2024
Broadcom is removing expired VMware licences from its portal - take action now!
Hot on the heels of Broadcom's announcement of the end of perpetual licences for VMware, it has given customers barely a week to download any keys for licences with expired support from its portal. This is because Broadcom is migrating all licence keys from the VMware portal into its own software management portal.
Apr 2024
An Onslaught of Security Flaws Pushes Ivanti Into Security Re-Design
According to an open letter published by CEO Jeff Abbott, Ivanti is planning a transformation of its security operating model. The effort will include revamping core engineering, security, and vulnerability practices. The letter notes that Ivanti plans to optimize its products for security, which includes accelerating the stack modernization of its network security products. Critical vulnerabilities include heap overflow (CVE-2024-21894 and CVE-2024-22053), null pointer dereference (CVE-2024-22052), and XML entity expansion, or XXE (CVE-2024-22023), flaws. These vulnerabilities could allow interaction-less RCE and DoS attacks. The criticality of these flaws ranges from 5.3 to 8.2 CVSS. As a result, US government agencies took Ivanti VPN products offline as ordered by the US Cybersecurity and Infrastructure Security Agency (CISA).
Apr 2024
Patch Tuesday: Code Execution Flaws in Multiple Adobe Software Products
The company put the Adobe Commerce vulnerabilities in the critical-severity category. It noted that successful exploitation could result in arbitrary code execution. Adobe also rolled out patches for Adobe Experience Manager (AEM) and Adobe Media Encoder; memory leaks in Adobe After Effects, Adobe Photoshop and Adobe InDesign (Windows and macOS affected); and denial-of-service and code execution issues in the Adobe Animate software. IT managers can utilize their IT asset management tools to identify vulnerable and unpatched systems.
Apr 2024
Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability
Shadowserver Foundation researchers recently identified thousands of internet-exposed Ivanti VPN appliances which are impacted by a vulnerability leading to remote code execution. The vulnerability, labeled CVE-2024-21894, is described as a heap overflow bug in the IPSec component of Ivanti Connect Secure and Policy Secure. The bug can be exploited by remote, unauthenticated attackers to cause a denial-of-service condition or to execute arbitrary code. Ivanti has released software updates to address this flaw and three other vulnerabilities in its two VPN appliances. The patch applies to all supported versions of Connect Secure and Policy Secure. Ivanti has urged all users to update their affected systems.
Apr 2024
Cisco Warns of Vulnerability in Discontinued Small Business Routers
Cisco has issued a warning about a cross-site scripting (XSS) vulnerability in its end-of-life RV series small business routers. Tracked as CVE-2024-20362, the flaw impacts the small business RV016, RV042, RV042G, RV082, RV320, and RV325 routers. These models have been discontinued and security patches will not be published. Although Cisco has stated that it is not aware of this vulnerability being exploited in the wild, there are no workarounds for the bug. Users are advised to migrate to a supported product. Discontinued Cisco networking devices have been exploited in attacks before. Network managers can use their IT asset management tools to identify obsolete equipment.
Apr 2024
Software Purges: How CIOs Can Declutter The Software Stack
Tech stacks can benefit from a decluttering exercise, especially if a company does not have a regular software review cycle. A software review can be a major undertaking and may result in major savings. An in-place IT asset management solution can speed the process. For example, last year a major bank retired several hundred legacy apps in an effort to simplify its technology infrastructure. A complex tech stack can create a world of problems, and having several disjointed systems that aren't integrated can make work harder and waste employee time and financial resources. Karl Threadgold, managing director at Threadgold Consulting, noted that "The key thing is not having that single source of truth." Rather than planning a one-time software clean-out, organizations should maintain a continuous cycle of analyzing which software applications are used and how. An IT asset management system creates that single source of truth and provides key information to support a regular software clean-out process.
Apr 2024
22,500 Palo Alto Firewalls "Possibly Vulnerable" To Ongoing Attacks
Over 22,000 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw. The flaw is a critical command injection vulnerability that has been actively exploited in attacks since March of 2024. CVE-2024-3400 impacts specific Palo Alto Networks PAN-OS versions in the GlobalProtect feature and allows unauthenticated attackers, using command injection triggered by arbitrary file creation, to execute commands with root privileges. Patches were made available between April 14 and 18, 2024, meaning that post-disclosure risk lasted two to six days. It was subsequently determined that Palo Alto's mitigation of disabling telemetry would not protect devices and that the only solution was to apply the security patches. IT managers can utilize their IT asset management solutions to identify vulnerable and unpatched devices.
Apr 2024

Industry News - Mar 2024

Ivanti Breach Prompts CISA to Take Systems Offline
Back in February, threat actors breached the Cybersecurity and Infrastructure Security Agency's (CISA) systems using Ivanti product vulnerabilities. Suspicious activity was identified, and two systems were taken offline. It is not clear who was behind the incident or whether any data was accessed or stolen. The Infrastructure Protection Gateway and the Chemical Security Assessment Tool (CSAT) were the two systems taken offline. CISA recommends that organizations review an advisory it released in February regarding three Ivanti vulnerabilities, identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. CISA also reported that the Ivanti ICT failed to detect compromise in incident response engagements.
Mar 2024
Too Much Data: CIOs Jostle for Control Of Swelling IT Estates
According to a Dynatrace survey of over 1,200 CIOs, cloud-based data output overwhelms human management capacity. Over 80% of respondents noted that the technology stack has become more complex over the past year. About 50% of them expect the complexity to worsen. Multicloud technology platforms often include a dozen different platforms and services. According to the majority of respondents, the rising complexity hinders security and customer experience. An IT asset management tool capable of reporting and analyzing cloud usage and contracts can assist in reining in cloud complexity.
Mar 2024
Legacy Tech Is Still Popping Up as A Cost-Control Barrier
A Deloitte survey of 300 business leaders found that fifty percent of businesses cite technology infrastructure challenges as the top obstacle to bringing costs under control. That number is up from just over 30% in a 2023 study. The report showed that legacy technology infrastructure is an obstacle to adopting new technology. Legacy technology can also impact internal business conditions and limit companies' ability to boost profit margins. Despite issues with legacy technology, 80% of companies are embracing generative AI and machine learning to boost efficiency and improve customer and employee experiences. A robust IT asset management solution can help identify legacy technology and its interaction with other systems.
Mar 2024
Enterprises Spend Hundreds of Hours A Year On SaaS Contracts
A report compiled by Vertice showed that businesses spend an average of 385 hours a year on meetings regarding SaaS and cloud contract purchases and renewals. In developing the report, Vertice analyzed procurement processes at more than 1,000 companies. Staff responsible for SaaS purchases and renewals often spent over half of their working year on the end-to-end process of reviewing and renewing software contracts. The time burden disproportionately affects IT and finance departments. Vertice CEO and founder Eldar Tuvey said that "Finance and tech leaders need the time to focus on high-value strategic initiatives rather than being stuck in endless meetings and email chains to buy and renew software." An IT asset management solution that can report on and analyze SaaS usage and contracts can assist in the review and acquisition process.
Mar 2024
ITAM Forum Announcement
Users will benefit from, and contribute to, a community focused on timely ITAM industry news and analysis, detailed and industry-responsive training, resources to successfully overcome workplace challenges, events that are focused on knowledge sharing and networking and future focused thought leadership.
Mar 2024
Healthcare's Ransomware Epidemic: Why Cyberattacks Hit the Medical Sector With Alarming Frequency
While the IT devices controlling the OT devices are usually Windows and Linux systems that are frequently patched, no such process applies to the majority of OT devices. Instead, the report noted, vulnerability patching is often an add-on to an already expensive support contract. A robust IT asset management solution that does not impact the configuration of FDA-approved devices can aid in identifying vulnerable systems.
Mar 2024
Patch Tuesday: Microsoft Flags Major Bugs in Hyper-V, Exchange Server
Microsoft recently labeled two Hyper-V vulnerabilities (CVE-2024-21407 and CVE-2024-21408) with its highest critical-severity rating. The company encouraged users to prioritize these fixes. Not doing so could expose companies to code execution and denial-of-service attacks. Microsoft warned Hyper-V users that "This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM which could result in remote code execution on the host server." The software publisher also identified a serious flaw in Open Management Infrastructure (OMI) that should receive urgent attention. The CVE-2024-21334 bug carries a CVSS severity score of 9.8 out of 10. The March patches also provide remedies for code execution issues in Microsoft Exchange Server and a Microsoft Azure Kubernetes bug that opens the door for attackers to steal credentials. IT managers can utilize their IT asset management tools to identify unpatched and vulnerable systems.
Mar 2024
Poor Inventory Data to Blame For Increased Audit Costs: Oomnitza Survey
According to a new survey recently published by Oomnitza, almost 50% of organizations have experienced a significant increase in their audit budget expenditures due to poor IT inventory data. Nearly 60% of companies reported that the data accuracy of their CMDB was less than 90% and that they had insufficient levels of process automation. These are the results of a new snapshot survey on IT Compliance and Technology Audits. The research, which was conducted by YouGov, surveyed over 200 senior-level information technology professionals in companies with 1,000 to 10,000 employees across multiple industries in the United States.
Mar 2024
Flexera 2024 State of the Cloud: Managing Cloud Spending is the Top Challenge of Cloud Computing, while AI, FinOps, Security and Sustainability Demand Attention
Flexera recently announced the release of its Flexera 2024 State of the Cloud Report. The report explores the opinions of over 750 respondents from a survey conducted in 2023. It highlights ongoing changes to help identify trends. The respondents, which included cloud decision-makers and users from a worldwide sample, noted their experiences and insights about the public, private and multi-cloud market.
Mar 2024
NSA says it's tracking Ivanti Cyberattacks as Hackers Hit US Defense Sector
The U.S. National Security Agency (NSA) has confirmed that hackers exploiting flaws in Ivanti's enterprise VPN appliance have targeted organizations across the U.S. defense sector. NSA spokesperson Edward Bennett confirmed that the U.S. intelligence agency is "tracking and aware of the broad impact from the recent exploitation of Ivanti products, to include of the [sic] U.S defense sector." Confirmation that the NSA is tracking these cyberattacks follows a report that Chinese espionage hackers have made mass attempts to exploit multiple vulnerabilities impacting Ivanti Connect Secure.
Mar 2024

Industry News - Feb 2024

What Policy Concerns Connecting Personal Mobile Devices to Organizational Network
The integration of personal computing devices into organizational networks has become a common practice. Called bring your own device (BYOD), the practice provides numerous benefits and challenges for IT professionals. Although it supports flexibility and productivity, it also presents concerns regarding security, privacy, and data management. As employees access company information using their personal devices, the risk of data breaches and unauthorized access increases. To reduce risks, organizations must establish robust policies to govern the connection of personal mobile devices to their networks. In addition, firms must be able to assess the vulnerability of those devices. A robust IT asset management solution can determine if personal devices meet corporate configuration standards.
Feb 2024
Windows Zero-Day Exploited in Attacks on Financial Market Traders
Microsoft recently announced patches for more than 70 vulnerabilities, including two flaws that have been exploited in attacks as zero-days, both of which have been described as security feature bypasses. Microsoft noted that these vulnerabilities impact Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11. They can be exploited by convincing the targeted user to open a specially crafted file designed to bypass displayed security checks. IT managers can use their IT asset management tools to identify unpatched and vulnerable devices.
Feb 2024
Patch Tuesday: Adobe Warns of Critical Flaws in Widely Deployed Software
Adobe recently made users aware of critical flaws in Adobe Acrobat and Reader, Adobe Commerce and Magento Open Source, Substance 3D Painter, and FrameMaker. The company documented over twelve serious security defects covered in the Adobe Acrobat and Reader update. It warned that both Windows and macOS users are at risk. Adobe said that unpatched installations are at risk of arbitrary code execution, security feature bypass and application denial-of-service. The company issued fixes for code execution bugs in Adobe Substance 3D Painter, Adobe FrameMaker Publishing Server, Adobe Audition, and Adobe Substance 3D Designer. A robust IT asset management tool can be used to identify unpatched and vulnerable devices.
Feb 2024
Average Software Waste Hit $18M Last Year Despite Optimization Push
As cloud adoption spreads, cost concerns and optimization initiatives follow. Firms are combining previously discrete budgeting categories into a single line item of tech spending. IT managers are working to maintain cost controls while maintaining adoption. According to Zylo, over 90% of IT and software asset management professionals now include SaaS in broader cloud cost governance efforts. Last year companies neglected billions in savings by not taking advantage of built-in hyperscaler savings plans and discounts. Infosys found over $300 billion in pre-paid cloud credits lying dormant in enterprise accounts. In a separate study, Zylo found that more than half of licensed SaaS applications go unused. Despite these numbers, the average organization added six applications each month last year. A robust IT asset management solution that can analyze cloud software usage can be a valuable tool in eliminating software spend waste.
Feb 2024
Exploitation of vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure
Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893, CVE-2024-22024), and follow the latest vendor advice.
Feb 2024
Flexera Buys Snow Software
On 15 February, Flexera confirmed it had completed the acquisition of Snow Software. Flexera has long admired Snow's great products, customer value realization, talented employees, partner ecosystem, and active customer community. Flexera and Snow share harmonious company cultures, missions, and long-term strategies. Together, we will continue to deliver market leading solutions that address optimizing spend in a world of inflating costs, minimizing risks despite increasing threats and new regulations, and navigating ongoing uncertainty.
Feb 2024
© xAssets 2024 All rights reserved.