Eight vulnerabilities were identified in the Bitrix24 business management service. According to 1C-Bitrix, all of them have been eliminated to date.
Information about the vulnerabilities appeared in the Data Bank on Threats to Information Security of the Federal Service for Technical and Export Control (FSTEC). The bank was created by the regulator to raise awareness about security threats.
1C-Bitrix told RBC that in March the company eliminated all vulnerabilities identified by FSTEC. The report on these vulnerabilities was not published until November (the threats were originally discovered by Singapore-based STAR Labs), as white hat hackers often give the affected organization time to fix the problems.
According to a representative of 1C-Bitrix, all cloud versions of Bitrix24 “have been updated for a long time and are protected against these vulnerabilities.” Boxed versions installed on customer computers need to be updated. At the same time, according to the company representative, the organization has not received a single request from customers who could be affected by the information about the vulnerabilities.
Aleksey Lukatsky, a business information security consultant at Positive Technologies, was the first to draw attention to the regulator’s data. He notes that FSTEC’s area of responsibility includes the technical protection of confidential information in the country. Government agencies and owners of critical information infrastructure also fall within the agency’s purview.
“If the regulator has published data on vulnerabilities, then, according to the FSTEC documents, these vulnerabilities must be eliminated. For critical vulnerabilities the elimination period is 24 hours. For the less critical, from seven to 30 days,” Lukatsky explained.
Vulnerabilities are entered into a database to set a deadline for the company to take action.
Previously, the Big Data Association, which includes large Russian technology companies, developed the concept of an industrial standard for data protection. In particular, it involves carrying out an independent audit of compliance with these standards.
Author:
Natalia Gormaleva
Source: RB
