Preface: In order to expand business development, software products sometimes use similar engineering designs. When vulnerabilities occur, their effects seem to be interrelated.

Privilege Escalation Attack Techniques: A low-privileged process from being escalated via a token stolen from a process with greater privileges. This technique is often used in tandem with another vulnerability to successfully deliver and run an attacker’s malicious code with system permissions.

Perhaps attacker not use this way now. But in past, Scheduled tasks can also be used to bypass User Account Control (UAC) and escalate privileges, when misusing system actions such as antivirus update for example. As this command is marked with auto-elevating, it will run with elevated privileges without prompting the user through UAC. The key is that it uses a user controlled environment variable as part of the path, which can be manipulated.

Vulnerability details:

CVE-2021-32464 – An incorrect permission assignment privilege escalation vulnerability in Trend Micro Apex One and Apex One as a Service could allow an attacker to modify a specific script before it is executed.
CVE-2021-32465 – An incorrect permission preservation vulnerability in Trend Micro Apex One and Apex One as a Service could allow a remote user to perform an attack and bypass authentication on affected installations.
CVE-2021-36741 – An improper input validation vulnerability in Trend Micro Apex One and Apex One as a Service allows a remote attached to upload arbitrary files on affected installations.
CVE-2021-36742 – A improper input validation vulnerability in Trend Micro Apex One and Apex One as a Service allows a local attacker to escalate privileges on affected installations.

Remedy by vendor:

Security Bulletin for Worry-Free Business Security – https://success.trendmicro.com/solution/000287820

Security Bulletin for Trend Micro Apex One and Apex One as a Service – https://success.trendmicro.com/solution/000287819

Preface: The computer behind the robots performance is the Programmable Logic Controllers (PLCs). PLCS are able to control the robots and help them do their job at very specific times and points in the production process.

Product background: The KR C4 software architeture integrates Robot Control, PLC Control, Motion Control (e.g. KUKA.CNC) and Safety Control. All controllers share a database and infrastructure.

KUKA System Software (KSS)
In the case of the KR C4 compact robot controller, safety options such as SafeOperation are only available via the Ethernet safety interface from KSS/VSS 8.3 onwards. From KSS 8.3 and from motherboard D3236-K onwards: Board Package USB stick in the USB port.

Vulnerability details: Multiple vulnerabilities in KUKA KR C4

Vulnerable software versions
– KSS: All versions
– KR C4: before 8.7 (hardware)

For the possibility of this vulnerability, please refer to the attached diagram.

CISA security advisory: Please refer to the link – https://us-cert.cisa.gov/ics/advisories/icsa-21-208-01

Workaround: If you are not able to do the any corrective action immediately. You should following vendor recommendation to install the antivirus to enforce the protection. Ikarus antivirus is the only one tested with kuka they don’t recommend any others due to testing.

Preface: Internet of Things (IoT) and machine-to-machine (M2M) technologies need to use a messaging and connectivity protocol in order to exchange information from a remote location.

Background: MQTT is a binary-based protocol and has command and command acknowledgement format. So every time a client sends a command to the broker, the broker sends an acknowledgement. This communication protocol is actually based on the TCP/IP protocol. So first there will be a TCP connection establishment and then there will be MQTT connection establishment and then the data transfer will occur. After which TCP connection will be terminated.

An MQTT broker is a server that receives all messages from the clients and then routes the messages to the appropriate destination clients.

Vulnerability details: In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.

Remedy: The design weakness was patched in version 2.08.

Client library: Fix mosquitto_{pub|sub}_topic_check() functions not returning MOSQ_ERR_INVAL on topic == NULL.

Causes: Under following condition, it will returns MOSQ_ERR_INVAL if the topic string is too long.

Preface: 3431 companies reportedly use Elasticsearch in their tech stacks, including Uber, Shopify, and Udemy.

Background: Elasticsearch is based on Lucene, very fast and scalable for searching operations. Elasticsearch is good for data analysis, logging and error monitoring and alerting so can be used to search all kinds of documents.
Remark: Apache Lucene is a free and open-source search engine software library, originally written completely in Java by Doug Cutting.

Elasticsearch Service on Google Cloud Platform (GCP) availabe in 2017, allowing customers to deploy the latest versions of Elasticsearch, Kibana, and our continually expanding set of features (such as security, machine learning, Elasticsearch SQL, and Canvas) and solutions for logging and infrastructure.

Vulnerability details: All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Remedy: Vendor announcement, please refer to the link – https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180

Preface: Multiple vulnerabilities have been found in libTIFF, the worst of which may allow execution of arbitrary code. It is talking about 5 years ago (2016)! Has it become the focus of manufacturers’ attention now?

Background: TIFF offers support for tag extensions allowing for more tags than the standard TIFF specification. For example: Code, 326 (hex 0x0146). Name, BadFaxLines. Used in the TIFF-F standard, denotes the number of ‘bad’ scan lines encountered by the facsimile device.

Reference: Tag code 326 (BadFaxLines) – When using this tag in LibTIFF it is possible to have a type confusion vulnerability where LibTIFF attempts to read a mistyped argument off of the variable argument list.

Vulnerability details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. Crafted data in a TIFF image can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

Remark: By reading the TIFF-pages as BufferedImages, you essentially decompress the stored images, which might need a lot of memory depending on the size of the images: Every pixel will take up 3 (RGB) or 4 (ARGB) bytes.

Vulnerability exploit path: Exploiting this vulnerability requires user interaction, and the target must visit a malicious page or open a malicious file.

Existing status: ZDI notified the vendor of the intention to publish the case as a 0-day advisory on 07/22/21.

Preface: A series of sequential read functions for seq operations are defined in fs/seq_file.c. These functions were first introduced in 2001, but have not been used much in the kernel before, and after the 2.6 kernel, many / The seq function is heavily used in proc’s read-only files.

Synopsis: Linux kernel 5.13 initially supports Apple’s M1 processor, supports the Landlock security module, is used to create a security sandbox to reduce the security impact of various flaws in user space applications, the ability to handle ASN.1 trusted keys, and preliminary support are applicable AMD Radeon “Aldebaran” GPU series.

Background: About There are numerous ways for a device driver (or other kernel component) to provide information to the user or system administrator. One useful technique is the creation of virtual files, in debugfs, /proc or elsewhere. Virtual files can provide human-readable output without any special utilities. The Linux kernel’s seq_file interface produces virtual files that contain sequences of records.

Vulnerability details: s/seq_file[.]c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user. For more information on this matter, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2021-33909

Preface: If you have fgfmsd (TCP/541 / TCP/542) public-facing and have not upgraded to a fixed release, perhaps you should consider the workaround by vendor.

Background: The FGFM protocol runs over SSL (Secure Sockets Layer) using TCP port 541 under IPv4. Both FortiGate and FortiManager units have a ‘FGFM’ daemon running exclusively for FortiGate to FortiManager communication. The FortiManager unit listens on TCP port 541 for an incoming session request. The FortiGate unit establishes an SSL session with the FortiManager. Both units use TCP port 541 for sending and receiving messages.

You can add FortiAnalyzer devices to FortiManager and manage them. When you add a FortiAnalyzer device to FortiManager, FortiManager automatically enables FortiAnalyzer features. FortiAnalyzer and FortiManager must be running the same OS version, at least 5.6 or later.

Vulnerability details: The vulnerability exists due to a use-after-free error within the fgfmsd daemon. A remote non-authenticated attacker can send a specially crafted request to port 541/tcp (IPv4) or 542/tcp (IPv6), trigger a use-after-free error and execute arbitrary code on the system with root privileges.

Workaround: Disable FortiManager features on the FortiAnalyzer unit using the command below:
– config system global
– set fmg-status disable <— Disabled by default.
– end

Official announcement – https://www.fortiguard.com/psirt/FG-IR-21-067

Preface: Secure loading of libraries to prevent DLL preloading attacks, said Microsoft.

Background: When an application dynamically loads a dynamic link library (DLL) without specifying a fully qualified path, Windows tries to locate the DLL by searching a well-defined set of directories. If an attacker gains control of one of the directories, they can force the application to load a malicious copy of the DLL instead of the DLL that it was expecting. These attacks are known as “DLL preloading attacks” and are common to all operating systems that support dynamically loading shared DLL libraries. Even experts discovered that malware exploit similar method to inject code into system process.

Closer look of the POC details:

Design weakness in VMware-ThinApp-Enterprise-5.2.9-17340778[.]exe.
The method is that this vulnerability allows non-privileged users to create directories (C[:]\DummyTLS), copy a malicious dll file and rename it to dummyTLS[.]dll in the same place.It will trigger the specify vulnerability.

The steps are as follows:

1. Run “C[:]\Program Files (x86)\VMware\VMware ThinApp\Setup Capture[.]exe”.
   Then C[:]\DummyTLS\dummy TLS.dll will be loaded simultaneously.
2. Code injection completed.

In additional, other exe files like log_monitor[.]exe and snapshot[.]exe had similar vulnerability occur.

VMware security advisory – https://www.vmware.com/security/advisories/VMSA-2021-0015.html