China Enacts New Law Mandating Vendors to Report Zero-Day Vulnerabilities to Authorities

On July 17, 2021, the Cyberspace Administration of China (CAC) introduced stricter regulations regarding vulnerability disclosure. Under the new “Regulations on the Management of Network Product Security Vulnerability,” software and networking vendors are required to report critical flaws directly to government authorities within two days of identification. Set to take effect on September 1, 2021, these regulations aim to standardize the processes of discovering, reporting, and addressing security vulnerabilities while mitigating associated risks. Article 4 of the regulation prohibits any organization or individual from exploiting network security vulnerabilities for malicious activities and bans the illegal sale, collection, or publication of such information. The new rules also prevent the public disclosure of previously unknown security weaknesses.

China Enacts New Law Mandating Prompt Disclosure of Zero-Day Vulnerabilities

On July 17, 2021, the Cyberspace Administration of China (CAC) introduced stringent regulations regarding the disclosure of cybersecurity vulnerabilities. Under the newly established “Regulations on the Management of Network Product Security Vulnerability,” software and networking vendors are now required to report critical flaws directly to government authorities within two days of detection. This law is set to take effect on September 1, 2021, and aims to create a standardized procedure for the identification, reporting, remediation, and public announcement of security vulnerabilities, thereby mitigating potential security threats.

The regulations explicitly state that no individual or organization may exploit these security vulnerabilities for actions that could jeopardize network safety. Furthermore, entities are prohibited from illegally collecting, selling, or disseminating information regarding unreported vulnerabilities. This both reinforces the gravity of cybersecurity responsibilities and aims to curb the underground market for undisclosed weaknesses.

While the implications of these laws have raised concerns among vendors about increased government oversight, they are also seen as a proactive step toward better security management in China’s burgeoning technology sector. The emphasis on rapid disclosure signifies the government’s commitment to bolstering national cybersecurity standards and safeguarding digital infrastructures.

The potential fallout for software vendors is significant. Companies will need to recalibrate their disclosure protocols to align with these legal requirements, ensuring timely reporting to governmental bodies without risking penalties. This shift underscores a growing trend, wherein national regulations play a critical role in shaping corporate cybersecurity behaviors and policies.

In terms of the adversary tactics and techniques associated with vulnerabilities of this magnitude, the MITRE ATT&CK framework can provide valuable insight. Initial access may be gained through various means, including phishing attacks or the exploitation of undisclosed software flaws. Persistence techniques could then be employed to maintain access to compromised systems, while privilege escalation techniques might allow attackers to obtain higher-level permissions, facilitating deeper infiltration.

As companies adjust to this new regulatory landscape in China, it will be crucial for them to foster robust internal processes for vulnerability management and to enhance their cybersecurity awareness. The stakes are high, and as the cyber threat landscape evolves, timely compliance with such regulations will be pivotal for organizations aiming to protect their digital assets and maintain operational integrity.

In summary, this newly enforced legislation in China marks a significant shift towards stringent cybersecurity regulations, compelling vendors to prioritize proactive measures in vulnerability management. As the industry absorbs these changes, understanding the associated adversary tactics will be essential for navigating the increasingly complex challenges of cybersecurity in today’s interconnected environment.