Authorization bypass in Cortex XSOAR (palo alto networks) REST API – CVE-2021-3044

Preface: REST API has similar vulnerabilities as a web application. The possibilities will be from various threats, such as Man-in-the-Middle attacks, lack of XML encryptions, insecure endpoints, API URL parameters, ..etc.

Technical background: Cortex XSOAR is the Security Orchestration, Automation and Response (SOAR) solution from Palo AltoNetworks. Cortex XSOAR (formerly Demisto) is able to configuration with active API Key integrations. In Cortex XSOAR Server, you can add Integration.

1. Go to Cortex XSOAR, then to Settings -> Integrations, search for iLert integration and click on the Add instance button.

2. On the modal window, name the instance, paste the iLert API Key that that you generated in iLert and click on the Save & exit button.

Vulnerability details: The vulnerability exists due to an error in the REST API. A remote attacker can bypass authentication process and gain unauthorized access to the application.

Note: This vulnerability affects only to Cortex XSOAR configurations with active API key integrations.

Ref: Perhaps it can exploit IDOR vulnerability. For instance – The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If the application does not perform user verification, the attacker can access any user’s account or other methods.

Official announcements and remedies – https://security.paloaltonetworks.com/CVE-2021-3044

CVE-2021-32994 – OPC UA C++ SDK is vulnerable to a denial of service 17th June, 2021

Preface: OPC UA Stack is not only vulnerable but also has a range of significant fundamental problems.

Background: The UA SDK is a C++ library that supports you in writing portable C++ OPC UA Servers and Clients. The UA SDK actually consists of two SDKs, a Server SDK and a Client SDK. Both use the same UA Base Library which does all the C++ encapsulation of the raw ANSI C types
that are defined in the OPC UA Communication Stack by the OPC Foundation.

Vulnerability details: OPC UA C++ SDK is vulnerable to a denial of service, caused by improper restriction of operations within
the bounds of a memory buffer. A remote attacker could exploit this vulnerability to cause the system to crash.

In the OPC UA Stack. OPC Foundation developers provide libraries that are essentially a set of exported functions based on a specification, similar to an API.
In this vulnerability, the exported library functions don’t properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations.

Remedy: Click here to download the latest software package from the Softing website. https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks.html

ICS Advisory (ICSA-21-168-02) – https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02

Digital world situation similar ambush from all sides. Chrome Releases updates (CVE-2021-30554) – 17th June 2021.

Preface: The new Edge and Chrome are very similar, as both are built on the same Chromium platform. Meanwhile, Microsoft Edge is based on the Chromium open-source project. Furthermore, when chrome has vulnerability occurs, perhaps Microsoft browser (edge) will be get involves.

Background: WebGL enables web content to use an API based on OpenGL ES 2.0 to perform 2D and 3D rendering in an HTML canvas
in browsers that support it without the use of plug-ins.

Vulnerability details: Just days after having issued patches for (14) Google Chrome vulnerabilities, zero day found again. The issue is that cyber criminals can exploit the flaw (Use after free) in WebGL. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation.

Ref 1: Vulnerability found on 15th June, 2021 – Type confusion in V8 in Google Chrome before 91.0.4472.101 allowed a remote malicious user to potentially exploit heap corruption via a crafted HTML page. The CVE-2021-30551 insect is noted by Google as kind complication in V8,
implying that JavaScript safety can be bypassed for running unapproved code. Google’s V8 open-source JavaScript and WebAssembly engine.

Ref 2: Enable WebGL – In your Chrome URL bar, go to chrome://flags
Ensure that WebGL is enabled, and not disabled (You’ll need to relaunch Chrome for any changes to take effect)

Announcement by Microsoft – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-30554

Announcement by Google – https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html

Reduce e-waste and achieve environmental protection: ​outdated iphone models – Security updates (14-06-2021)

Preface: To protect the safety of customers, Apple will not disclose, discuss or confirm security issues until the investigation is completed and patches or updated versions are provided.

My observations on CVE-2021-30737:

Background: PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa.
PKINIT requires an X.509 certificate for the KDC and one for each client principal which will authenticate using PKINIT.

Vulnerability details:
A memory corruption issue in the ASN.1 decoder was addressed by removing the vulnerable code.
The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 Generalized Time decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.

Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution.

Official announcement: https://support.apple.com/en-us/HT212548

Another alert in the medical industry (ZOLL Defibrillator Dashboard design weakness) 15th Jun 2021

Preface: A defibrillator is a device that gives a high energy electric shock to the heart of someone who is in cardiac arrest.

What is Defibrillator Dashboard ? A Web-based application provides ability to login. The Dashboard contained monitoring the defibrillators function.

Vulnerability details: The U.S. Department of Homeland Security urges the medical industry to be vigilant about design weaknesses in ZOLL products (defibrillator dashboards). The official articles can be found in following url – https://us-cert.cisa.gov/ics/advisories/icsma-21-161-01

Security Focus: According to attached diagram, CVE-2021-27489 contain critical risk. Medical environment especially hospital will be installed the medical equipment in a separate network. In order to prevent unknown cyber attack, their solution most likely do not provide internet access function. To avoid cyber criminals to exploit the vulnerability of this product. Perhaps stop internet function on workstation not enough. The hospital should setup alert (correlations firing rules) in their SIEM. When anonymous host connect, it should do the monitoring. Because the anonymous host might be capable of gateway function and let vulnerable products becomes victims.

Workaround: If it is urgent to use the monitoring function remotely. It is highly recommended to use VPN. Detailed information about protection. Please refer to the CISA article.

Closer to reality: one of the ways of ransomware infection (15th June, 2021)

Preface: Ransomware infection not merely boots by vulnerability of the windows OS and or products components. Web site programming technique is the accomplice. Perhaps we can say, how successful of ransomware attacks will depends on the total number of compromised web server. What I call the trigger point.

Background: Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Ransomware is a type of malware attack. The encryption process will performs a key exchange with the Command and Control Server, using the encryption key to scramble all files discovered during the Execution step. It also locks access to the data. For cyber criminals view point, it is not possible to rent a web hosting service. Therefore, the possible way is find the online web portal which contained vulnerability. If they can compromised the online web. They can setup the phishing attack and evade traditional domain black list filter. So they can do their job silently.

Traditional corrective control not address the problem in effective way: A corrective control is an aftermath of detective and preventive. You can only restore from a backup after an incident. According to historical of attack, ransomware will be exploit operation system and or component vulnerability to conducting the infection. So traditional full backup may not use here because victim will be concerning what is exact time they receiving the attack. As a matter of fact, the correct way to proceed the restore procedure is wait for the digital forensic investigation result. Till today such attack still bother the whole world.

Maybe when something happens, the term phishing is on your side. See if you can learn more with the attached diagram.

Rising Ransomware Threat To Operational Technology Assets, US (CISA) urge to critical facilities to tighten their cyber security incident management and protection. 10-6-2021

Preface: When the TCP/IP network protocol replaces the classic MODBUS protocol on a large scale. At the same time, there is a large demand for the deployment of Windows operating system servers and workstations. From the perspective of cyber security, information technology and operational technology are the same.

Synopsis: On May (9th May 2021), 2017, the WannaCry ransomware attack show to the world of their power. They can easily halted the entire DHS medical service in England. Recently, Ransomware attack shuts down biggest U.S. gasoline pipeline.

Contingency plan focus: In fact, according to official recommendations, payment of ransom is not recommended. This is because even if you pay, there is no guarantee that your system and data will be 100% fully restored. Therefore, an effective backup solution combined with business contingency plans is the correct way to solve this problem. However, the service interruption caused by ransomware is different from the traditional disaster recovery concept. The traditional DR concept assuming hardware or software failure. But it can resume operation through hot standby or cold standby facilities.

A gap was found here: In fact, the contingency plan for ransomware attacks is slightly different from the traditional disaster recovery plan. Because traditional DR will replicate two equivalent functional sites for DR. However, if the DR site contains design weaknesses similar to the production site. Maybe your DR environmental risk level will increase! Because it is a ransomware attack.

CISA recommends based on this matter: https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Rising_Ransomware_Threat_to_OT_Assets_508C.pdf

Security Focus : CVE-2021-27610 – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (8th Jun, 2021)

Preface: The proof of concept for this vulnerability has been announced. As usual, vendors use their patch release cycle. Therefore, an announcement was issued today (June 8, 2021).

Background: SAP NetWeaver is a software stack for many of SAP SE’s applications. It can be used for custom development and integration with other applications and systems, and is built primarily using the ABAP programming language, but also uses C, C++, and Java.

Vulnerability details: [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform Product – SAP NetWeaver AS ABAP and ABAP Platform Versions – 700,701,702,731,740,750,751,752,753,754,755,804.
An ABAP server could not 100% correctly identify, if communication via RFC (TCP 3300-3399) or HTTP (8000) is between the application servers of the same SAP system or with servers outside the same system.

For official details, please refer to the URL – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999

CVE-2021-20292 – Flaw found in Nouveau DRM subsystem (8th June 2021)

Preface: Nouveau is a free and open source graphics card driver. It is written for Nvidia’s graphics card and can also be used in the NVIDIA Tegra series of system chips. This driver is written by a group of independent software engineers. Nvidia sometimes will be assistance.

Background: What is DRM subsystem? The Direct Rendering Manager (DRM) is a subsystem of the Linux kernel responsible for interfacing with GPUs of modern video cards. DRM exposes an API that user-space programs can use to send commands and data to the GPU and perform operations such as configuring the mode setting of the display.

Vulnerability details:

There is a flaw reported in the Linux kernel in versions before 5.9 in drivers[/]gpu[/]drm[/]nouveau[/]nouveau_sgdma[.]c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. For example, if this is a virtual system environment. Fundamentally, nouveau is a free and open source graphics card driver. It is written for Nvidia’s graphics card and can also be used in the NVIDIA Tegra series of system chips.The potential impact of this vulnerability depends on the attack in where to take place.

Workaround: Kernel with CONFIG_SLAB_FREELIST_HARDENED=y option enabled should not be affected with this flaw.

Remedy: This was fixed for Fedora with the 5.7.16 stable kernel updates.

CVE-2021-28091 – Lasso incorrect assertion validation and verification – Published: 01 June 2021

Preface: This vulnerability affects other vendors’ use of this product for their single sign-on function.

Background: Lasso is a free software C library aiming to implement the Liberty Alliance standards; it defines processes for federated identities, single sign-on and related protocols.Lasso is built on top of libxml2, XMLSec and OpenSSL and is licensed under the GNU General Public License (with an OpenSSL exception).

Vulnerability details: Lasso incorrect assertion validation and verification. When AuthnResponse messages are not signed (which is permitted by the specification), all assertion’s signatures should be checked, but currently after the first signed assertion is checked all following assertions are accepted without checking their signature, and the last one is considered the main assertion.

IMPACT:

  • SOGo and PacketFence packages use the vulnerable Lasso library so it was impacted.
  • Cisco (Adaptive Security Appliance (ASA), Content Security Management Appliance (SMA), Email Security Appliance (ESA), FXOS software, Web Security Appliance (WSA), and Firepower Threat Defense (FTD) as being affected)

Reference URLhttps://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html

antihackingonline.com