It is not mystery. The findings address that an original function for CEIP feature is able to misuse (CVE-2021-22005) – 22nd Sep, 2021

Preface: Rapid7 Labs estimates there are over 2,700 vulnerable vCenter servers exposed to the public internet.

Background: As of May 1 2020, the Pivotal Telemetry program is governed by VMware’s Customer Experience Improvement Program.
Data and continuous feedback loops play an important role in shaping the way Pivotal builds software.

VMware analytics service consists of components that gather and upload telemetry data from various vSphere components to the VMware Analytics Cloud and manage the Customer Experience Improvement Program (CEIP).

Vulnerability details: CVE-2021-22005 (CVSS score of 9.8) – It is an arbitrary file upload vulnerability in the Analytics service, which can be used to execute commands and software on the vCenter Server Appliance. A malicious actor with network access to port 443 on vCenter Server could exploit it by uploading a specially crafted file.

Observation: Since it can upload telemetry data by analytics service. So, attacker might do the following:

Unauthenticated OVA File Upload RCE – Exploits an unauthenticated OVA file upload and path traversal in vCenter Server to write a JSP payload to a web-accessible directory.

Official announcement – VMware has disclosed a critical bug in its flagship vSphere and vCenter products and urged users to drop everything and patch it. The virtualization giant also offered a workaround. For more details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2021-0020.html

Closer look – CVE-2021-25751 (21-09-2021)

Preface: As we know that Kubernetes (K8s) is a container orchestration tool and Docker helps to create a container that is managed by us using Kubernetes.

Background: What is subPath in volume mount?
Subpath references files or directories that are controlled by the user, not the system. Volumes can be shared by containers that are brought up at different times in the Pod lifecycle, including by different Pods.
Kubernetes passes host paths to the container runtime to bind mount into the container.

Vulnerability details: A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

The root cause of the problem: K8S doesn’t use the mount syscall directly but it uses the mount command, and the default behavior of utils-linux mount is to resolve symlink.

Highlight: Don’t canonicalize paths. The mount command canonicalizes all paths (from command line or fstab) by default.

Remediation: To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature. Please refer to the attached picture for details.

Reference: Feature gates are a set of key=value pairs that describe Kubernetes features. You can turn these features on or off using the –feature-gates command line flag on each Kubernetes component.

Security Focus on Microsoft windows CMD Stack Buffer Overflow (19-09-2021)

Preface: Twenty years ago, content filter firewalls were not popular. A quick way to harden the Microsoft Internet Information server is to delete all cmd commands to avoid network attacks.

Background: If you would like to run cmd in privileged mode. You have to do the following:

  1. type “CMD” you can hit Ctrl+Shift+Enter to open as administration
  2. Explorer – Hold Shift and right click on a folder, and choose “Open command window here”

To use multiple commands for , separate them by the command separator && and enclose them in quotation marks.

Vulnerability details: Expert found that special crafted payload will trigger a Stack Buffer Overflow in the NT Windows “cmd[.]exe” commandline interpreter. Furthermore, running file type especially [dot]cmd or [bot]bat will be risky. However, when cmd[.]exe accepts arguments using /c /k flags which execute commands specified by string, that will trigger the buffer overflow condition.

Above attack only exploit in local workstation. Do you think it can do it remotely? As far as I remember, if the situation is available. For example, Windows OS server encounter zero day or not patched.The netcat tool can do a remote command execution by CMD. Refer to attached diagram, if the stack buffer overflow run by tool to exploit by concept. Therefore this vulnerability will become more risky.

Observation: If your are using application firewall. It will drop the malicious traffic including netcat command automatically. Since this idea is still in concept stage. So, no need to worries.

CVE-2021-22941 – May be it is not related, or else was getting the User Enumeration incident waiting to happen (17-09-2021)

Preface: With storage zones controllers, the ShareFile Software-as-a-Service (SaaS) cloud storage also offers private storage for ShareFile data, which is known as storage zones.

What is the difference between Dropbox and ShareFile?
The goal of ShareFile is to help your team easily share, sync and store large files from any device without compromising important data. And unlike Dropbox, ShareFile provides the security, visibility and access your business needs from a single cloud-based dashboard.

Background: What is user enumeration?

User enumeration allows attackers to conduct dictionary attacks against systems and reveals information about who has access to them.

Since below services are commonly accessible from the Internet, and often use the organisation’s internal Active Directory (AD) for authentication, this creates a situation where an attacker on the Internet can easily identify usernames from an internal Windows domain.

  • Office 365 ActiveSync
  • Active Directory Federated Services (ADFS) single sign-on

Without a user enumeration flaw to receive a list of users, these attacks become difficult. Attacker make use of nmap in common way (e.g. $ nmap -p139,445 –script smb-enum-users )

Additional: Other than that, CVE-2021-22941 is the hottest matter this week . A security issue has been identified in Citrix ShareFile storage zones controller which, if exploited, would allow an unauthenticated attacker to remotely compromise the storage zones controller. The official announcement can be find in this link – https://support.citrix.com/article/CTX328123

Ref: The flaws (user enumeration) have been exposing internal corporate networks to attacks for years, yet are undetected by leading vulnerability scanners.

IS there any related security matter of session (CVE-2021-37535)?

Preface: Did you check your JMS Security Authorization, fix your JMS application immediately.

Background: The basic building blocks of a JMS application are:

  • Administered objects: connection factories and destinations
  • Connections
  • Sessions
  • Message producers
  • Message consumers
  • Messages

The JMS Connector Service is an enterprise messaging system that provides a way for business applications to exchange data
without needing to be directly connected to each other. The communication is obtained using messages. It allows different
message models like Point-to-Point Messaging or Publish-Subscribe scenarios.

Vulnerability details: Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)
The JMS Security Mechanism can helps you to protect your JMS application. By defining JMS actions for some API methods (such as createProducer(), createConsumer(), and so on) and assign permission to different user roles. In fact, it can minimize the risk.
In order to avoid unforseen issue happen in future. It is highly recommended to following vendor instruction to do the patching as early as possible.

Affected products – SAP NetWeaver Application Server Java (JMS Connector Service) , Versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

Official announcement – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405

Forcedentry vulnerability break through iPhone steel door 13th Sep 2021

Preface: These aren’t objects in the “ object-oriented programming” sense of the word; instead, they are the building blocks on which PDF stands. There are nine types of objects: null, Boolean, integer, real, name, string, array, dictionary, and stream.

Background: The Pegasus spy program created by NSO uses a zero-day vulnerability in Apple’s operating system to fear entering the iPhone. Apple’s mobile phone nation has urgently updated all operating system platforms affected by the vulnerability.

Vulnerability details: The exploit uses PDF data disguised as GIF files to circumvent Apple’s “BlastDoor” sandbox for message content. The exploit has been given the CVE identifier CVE-2021-30860.

Ref: The exploit works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics).

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Additional: CVE-2021-30858 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

For the above details, please refer to the official announcement. – https://support.apple.com/en-us/HT212807

Other reference: https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/

Unkown backdoor run on TCP 7614, virtual patching is one of the protective control methods (12th Sep, 2021)

Preface: Virtual patching acts as a safety measure against threats that exploit known and unknown vulnerabilities. Virtual patching works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability.

Background: This is so called Evasion Techniques. One of the first techniques that attackers use to avoid antivirus detection. The idea used by malware authors is do reverse engineering the software design. The goal is to obfuscate the defense mechanism detection. The files using de-assembly method for landing the victim workstation.

Create a hidden worksheet. Use a base 64 encoded to convert the exe to text. Store that text in worksheet cells on the hidden worksheet. Since there is a limit on the number of characters in a cell (32,767), cyber criminals need to break the string into chunks.

Security Focus: A Backdoor program (Backdoor.Win32.Wollf.h) was found in victim workstation. It has been rated as critical. Affected by this issue is some unknown functionality of the component Service Port 7614. Wollf backdoor creates a service named “wrm” and listens on TCP port 7614, there is no authentication allowing anyone to take over the infected system.

Workaround: Addressing this vulnerability is possible by firewalling or MSSP can be used to assist in implementing virtual patches to solve this problem.

Infection channel: Excel file with malicious code embedded in email attachment.

Security Focus, CVE-2021-28701 on Citrix Hypervisor (9th Sep, 2021)

Preface: You can use Citrix Hypervisor in an unlicensed state. However, you do not have access to some features. To access Citrix hypervisor is easy, go through XenCenter then input user ID and password.

Background: Citrix Hypervisor is a high-performance hypervisor optimized for virtual app and desktop workloads and based on the Xen Project hypervisor. Citrix Hypervisor is optimized for both Windows and Linux virtual servers. It functions lets you create VMs, take VM disk snapshots, and manage VM workloads.

What is Xen Project hypervisor? The Xen Project hypervisor is an open-source type-1 or bare-metal hypervisor. It allows many instances of an operating system or different operating systems to run in parallel on a single machine (or host).

Two components contribute to the memory footprint of the Citrix Hypervisor server. First, the memory consumed by the Xen hypervisor itself. Second, there is the memory consumed by the Control Domain of the host.

Vulnerability details: Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes.

Mitigation: Running only PV guests will avoid this vulnerability. Suppressing use of grant table v2 interfaces for HVM or PVH guests will also avoid this vulnerability.

Citrix Hypervisor Security Update – https://support.citrix.com/article/CTX325319

OpenStack Neutron (CVE-2021-40797) – 8th Sep, 2021

Preface: OpenStack Neutron is an SDN networking project focused on delivering networking-as-a-service (NaaS) in virtual compute environments. Neutron has replaced the original networking application program interface (API), called Quantum, in OpenStack.

Background: The Web Server Gateway Interface (WSGI) is a simple calling convention for web servers to forward requests to web applications or frameworks written in the Python programming language. The current version of WSGI, version 1.0. Router uses routes.middleware.RoutesMiddleware to map requests to WSGI applications.
In object-oriented programming, a singleton class is a class that can have only one object (an instance of the class) at a time. The Singleton is a useful Design Pattern for allowing only one instance of your class, but common mistakes can inadvertently allow more than one instance to be created.

Ref: When using “singleton=True” (default value), a routes._RequestConfig() is always created [1]. This object has a thread safe variable to store the context information for each request.

Vulnerability details: an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.

Remedy: Don’t use singleton in routes.middleware.RoutesMiddleware – https://review.opendev.org/c/openstack/neutron/+/807638

U.S. Homeland Security Alert (CVE-2021-40444) – 7th Sep, 2021

Preface: Windows RCE vulnerabilities have targeted Office users, and Microsoft urgently provides mitigation instructions.

Background: The MS web browser COM control adds browsing, document, viewing, and downloading capabilities to your applications. Parsing and rendering of HTML documents in the WebBrowser control is handled by the MSHTML component which is an Active Document Dynamic HTML (DHTML) object Model hosting ActiveX Controls and script languages.

Unicode is a standard encoding system that is used to represent characters from almost all languages. Every Unicode character is encoded using a unique integer code point between 0 and 0x10FFFF .

Vulnerability details: Lookback Microsoft expert found vulnerability on 2002. Hacker mimic a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated.
As times goes by, in 2021 another critical flaw occurs with similarity. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document, said Microsoft. For mitigation and solutions, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

antihackingonline.com