New generation of weapon: IoT + LoRa + Drone (2019)

Preface: Traditionally, only large countries could field military weapons. Computer technology, and IoT devices in particular, does more than replace human labour; as we have seen, Industry 4.0 automation is already replacing routine manpower. It is likely that the same IoT technology is also finding its way into military arsenals.

Details: In September 2019, drone attacks set alight two major oil facilities run by the state-owned company Aramco in Saudi Arabia. As the diagram shows, pairing a drone with a LoRa radio link extends its effective control distance. Anyone intent on attacking important facilities has more options today. Over the last decade the APT cyber attack has been the main channel for striking critical facilities, but such attacks rarely destroy the physical infrastructure itself. An adversary who insists on physical destruction can achieve it with an IoT, LoRa and drone setup.

Can drones be detected by radar? Radars designed for the task can detect even small drones in the air, although small, slow, low-flying targets remain hard for conventional air-surveillance radar. In future, critical facilities, especially oil facilities and the power grid, may need to install such radar systems.

Prediction: So far we have mostly heard of APT cyber attacks against critical facilities (especially the power grid and oil facilities). It looks as though hybrid attacks (IoT + LoRa + Drone) will be used in future.

CVE-2019-11660: Data Protector privilege escalation via omniresolve (Sep 2019)

Preface: People prefer Veeam because its interface is easier; Data Protector is harder to use by comparison.

Product details: Data Protector is a backup and disaster recovery solution for large, complex and heterogeneous IT environments.

Vulnerability details: A potential vulnerability has been identified in Micro Focus Data Protector. It could be exploited by a low-privileged user to execute a custom binary with higher privileges.

Our comment:
The vulnerability most likely concerns Data Protector installed on a Linux platform.
On Linux a file can carry the setuid (SUID) or setgid (SGID) bit, which makes it run with the privileges of its owner or group rather than of the user who launched it. A setuid-root binary therefore runs as root no matter who invokes it, and if such a binary can be made to execute an attacker-supplied program, that program inherits root as well.
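As an added example (this is not Micro Focus code and not an exploit for this CVE), the following C program walks a directory tree and lists every file carrying the setuid or setgid bit, flagging root-owned setuid files, which is the first check an administrator would run on a backup host after reading an advisory like this. The temporary directory, the file names and the demo_scan() helper are constructed for the example.

```c
#define _GNU_SOURCE
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One finding: path, permission bits (including SUID/SGID) and owner uid. */
struct suid_hit { char path[4096]; unsigned mode; unsigned uid; };

static struct suid_hit hits[256];
static int nhits;

/* nftw() callback: record regular files whose mode has S_ISUID or S_ISGID set.
 * FTW_PHYS makes nftw report symlinks as links, so they are skipped here. */
static int on_entry(const char *path, const struct stat *st, int type, struct FTW *ftw)
{
    (void)ftw;
    if (type != FTW_F)
        return 0;
    if (!(st->st_mode & (S_ISUID | S_ISGID)))
        return 0;
    if (nhits < (int)(sizeof hits / sizeof hits[0])) {
        snprintf(hits[nhits].path, sizeof hits[nhits].path, "%s", path);
        hits[nhits].mode = st->st_mode & 07777;
        hits[nhits].uid = (unsigned)st->st_uid;
        nhits++;
    }
    return 0;
}

/* Returns the number of setuid/setgid files found under root_dir (or -1 on error). */
int scan_setuid(const char *root_dir)
{
    nhits = 0;
    if (nftw(root_dir, on_entry, 16, FTW_PHYS) != 0)
        return -1;
    return nhits;
}

/* A root-owned setuid file is the dangerous case described above: it runs as
 * root for whoever executes it. */
int is_root_setuid(const struct suid_hit *h)
{
    return h->uid == 0 && (h->mode & S_ISUID) != 0;
}

/* Self-contained demo (constructed): a temp dir with one plain 0755 file and
 * one 04755 file; returns how many hits the scan reports, expected 1. */
int demo_scan(void)
{
    char dir[] = "/tmp/suid-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char plain[4200], suid[4200];
    snprintf(plain, sizeof plain, "%s/plain.bin", dir);
    snprintf(suid, sizeof suid, "%s/setuid-demo.bin", dir);
    FILE *f = fopen(plain, "w"); if (f) fclose(f);
    f = fopen(suid, "w"); if (f) fclose(f);
    chmod(plain, 0755);
    chmod(suid, S_ISUID | 0755);        /* 04755: runs as its owner, whoever calls it */
    int found = scan_setuid(dir);
    unlink(plain); unlink(suid); rmdir(dir);
    return found;
}

int main(void)
{
    int n = scan_setuid("/usr/bin");    /* a realistic target on a real host */
    for (int i = 0; i < n; i++)
        printf("%s mode=%04o uid=%u%s\n", hits[i].path, hits[i].mode, hits[i].uid,
               is_root_setuid(&hits[i]) ? "  <-- root setuid" : "");
    return 0;
}
```

Point it at the Data Protector installation directory as well as the usual system paths; anything root-owned with the SUID bit that the vendor did not document deserves a closer look.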

Reference: The omniresolve command reads the filesystem structures to locate the physical disks (on Windows) or volumes (on UNIX) on which a filesystem object resides. If the files reside on a logical volume that is part of a volume group (disk group), all volumes in the volume group are displayed.

Status & remedy: versions 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30 and 10.40 are affected. Update Micro Focus Data Protector to 2019.08 (A.10.50) or a later version.

Who lives on the moon?

A myth from ancient China tells of a woman who lives on the moon. The astronauts have never seen her, because she lives in the interior of the moon.

The density of the lunar rocks brought back by the Apollo landing programme is much greater than that of Earth's rocks, so the density of the moon is astonishing. If we speculate from this, the centre of the moon should be a core of very dense matter.

Considering that the distance between the centre and the surface of the moon is shorter than on Earth, and taking its total mass into account, its gravity should be much larger than we think. Yet lunar gravity is merely 1/6 of Earth's. It seems that lunar gravity has nothing to do with its density and mass. What does this show? Only that the moon is a huge hollow sphere.

Happy Mid-autumn Festival

Schneider Electric Security Notification – CVE-2019-6811 (Sep 2019)

Product background: The Modicon Quantum Ethernet I/O (QEIO) automation platform is designed to meet the requirements of both the industrial automation and process industries.

Vulnerability details: An Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability exists which could cause a denial of service when the module receives a fragmented IP packet whose reassembled length is greater than 65535 bytes. The module then requires a power cycle to recover.

Additional info: The maximum IPv4 packet length is 65,535 bytes, but the size of a single frame is limited by the physical layer's MTU (1,500 bytes for Ethernet), so sending larger packets requires fragmentation. A datagram can only ever be reassembled to 65,535 bytes; a fragment whose offset plus length would exceed that is malformed, and a receiver must reject it rather than write it into the reassembly buffer.

IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host.

Remark: Scapy is a tool for generating your own packets, including fragments like these for testing.
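As an added example (not Schneider's firmware and not Scapy code), the following C program is a minimal IPv4 fragment reassembler that performs the check the advisory says was missing: any fragment that would land beyond the 65,535-byte limit is rejected and the partial datagram discarded, instead of being written past the reassembly buffer. The 20-byte header length, the enum names and the two demo traffic patterns are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define IPV4_MAX_TOTAL 65535UL                         /* 16-bit Total Length field */
#define IPV4_HDR_LEN   20UL                            /* header without options (assumed) */
#define MAX_PAYLOAD    (IPV4_MAX_TOTAL - IPV4_HDR_LEN) /* 65515 payload bytes */

enum reasm_status { REASM_INCOMPLETE, REASM_COMPLETE, REASM_REJECTED };

struct reasm {
    unsigned char data[MAX_PAYLOAD];   /* reassembled payload */
    unsigned char seen[MAX_PAYLOAD];   /* 1 = that byte has arrived */
    long last_end;                     /* -1 until the MF=0 fragment arrives */
};

/* Offset is in 8-byte units, exactly as carried in the IP header. */
int fragment_overflows(unsigned frag_off, unsigned long payload_len)
{
    return (unsigned long)frag_off * 8 + payload_len > MAX_PAYLOAD;
}

void reasm_init(struct reasm *r)
{
    memset(r, 0, sizeof *r);
    r->last_end = -1;
}

static int all_bytes_present(const struct reasm *r)
{
    for (long i = 0; i < r->last_end; i++)
        if (!r->seen[i])
            return 0;
    return 1;
}

/* Feed one fragment; returns the datagram state after this fragment. */
enum reasm_status reasm_add(struct reasm *r, unsigned frag_off, int more_fragments,
                            const unsigned char *payload, unsigned long len)
{
    if (fragment_overflows(frag_off, len)) {   /* the check the module lacked (CWE-754) */
        reasm_init(r);                         /* drop the whole datagram */
        return REASM_REJECTED;
    }
    unsigned long start = (unsigned long)frag_off * 8;
    memcpy(r->data + start, payload, len);
    memset(r->seen + start, 1, len);
    if (!more_fragments)
        r->last_end = (long)(start + len);
    if (r->last_end >= 0 && all_bytes_present(r))
        return REASM_COMPLETE;
    return REASM_INCOMPLETE;
}

/* Constructed traffic: a 1,580-byte datagram split at an Ethernet MTU. */
enum reasm_status demo_legit(void)
{
    static struct reasm r;
    static unsigned char a[1480], b[100];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    reasm_init(&r);
    reasm_add(&r, 0, 1, a, sizeof a);          /* first fragment, MF=1 */
    return reasm_add(&r, 185, 0, b, sizeof b); /* 185*8 = 1480, last fragment, MF=0 */
}

/* Constructed attack: a last fragment at offset 8189 (byte 65,512) carrying
 * 100 bytes, so the payload would end at 65,612 plus 20 bytes of header. */
enum reasm_status demo_oversize(void)
{
    static struct reasm r;
    static unsigned char x[100];
    memset(x, 'X', sizeof x);
    reasm_init(&r);
    return reasm_add(&r, 8189, 0, x, sizeof x);
}

int main(void)
{
    printf("legit datagram: %s\n", demo_legit() == REASM_COMPLETE ? "reassembled" : "?");
    printf("oversize fragment: %s\n", demo_oversize() == REASM_REJECTED ? "rejected" : "?");
    return 0;
}
```

The boundary is exact: offset 8189 with 3 bytes of payload fills the datagram to precisely 65,535 bytes and is legal, while one more byte must be rejected. A real stack also needs a per-datagram timeout so half-received datagrams cannot exhaust memory, which this demo omits.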

Affected Product – Quantum 140 NOE771x1 version 6.9 and earlier.

Remediation: This vulnerability is fixed in version 7.0

DejaBlue vulnerability – Impact on Siemens Healthineers products (10th Sep 2019)

Preface: For healthcare, cyber attacks can have ramifications beyond financial loss and breach of privacy.

Background: The DejaBlue vulnerabilities lie in the early stages of an RDP connection, before the authentication phase, so no password or key is needed to reach the flaw, and exploitation can lead to remote code execution.

The DejaBlue vulnerability has triggered a medical device manufacturer alert. People rely on doctors to perform surgery to remedy weaknesses in their health, but the medical industry itself also needs cyber security doctors to remedy weaknesses in its product designs. That is fair. Siemens pioneered the first computed tomography scanner in the 1970s and in 1980 was the first manufacturer to build a magnetic resonance imaging (MRI) scanner. Today those designs are integrated with computing technology, and so the zero days and vulnerabilities of the cyber world become their pain too.

Official announcement: SSA-187667: DejaBlue Vulnerabilities – Siemens Healthineers Products – https://cert-portal.siemens.com/productcert/pdf/ssa-187667.pdf

CVE-2019-15292 Linux Kernel up to 5.0.8 atalk_proc.c atalk_proc_exit memory corruption

Background: AppleTalk support lets a Linux machine interwork with Apple networks. The components below perform the functions listed.

  • sysctl_net_atalk.c: sysctl interface to net AppleTalk subsystem.
  • ddp.c: AppleTalk DDP protocol for Ethernet ELAP (ethertalk).
  • atalk_proc.c: proc support for Appletalk

The use-after-free vulnerability involves these three components. Even if you do not use AppleTalk, the code may still be built into or loadable by your kernel; an attacker who can reach the affected code with malicious input could potentially execute arbitrary code.

In Linux kernel version 2.6.23 the /proc/sys/vm/mmap_min_addr tunable was introduced to prevent unprivileged users from creating memory mappings below a minimum address. To set it, add or amend the following entry in /etc/sysctl.conf: vm.mmap_min_addr = 4096 (many distributions already ship a default of 65536).

Security focus: What are NULL pointer dereference flaws in Linux? NULL pointer dereference flaws in the Linux kernel can often be abused by a local, unprivileged user to gain root privileges by mapping attacker-controlled data to low memory pages, which is exactly what mmap_min_addr forbids.

This setting does not resolve the vulnerabilities above, however. It stops an attacker from mapping page zero to turn a kernel NULL pointer dereference into code execution, but it does not stop the dereference itself (the kernel still oopses), and it is irrelevant to a use-after-free. The NULL dereference pattern is illustrated by a separate bug in the pcd (paride) block driver: if alloc_disk fails in pcd_init_units, cd->disk is left NULL, but pcd_detect and pcd_exit do not check it before freeing, which may result in a NULL pointer dereference.
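As an added example (user-space C, not kernel code), the program below models the cleanup pattern just described: init_units() mirrors a probe loop in which an allocation may fail and leave disk == NULL in that slot, exit_units_unchecked() has the vulnerable shape and dereferences the NULL slot, and exit_units_checked() tests the pointer first and clears it after freeing, so a repeated cleanup pass can neither dereference nor free it again, which is also the discipline that prevents the use-after-free class named in the CVE title. The fail_mask knob and the fake_alloc_disk() helper are assumptions of this demo, not kernel APIs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PCD_UNITS 4

struct gendisk { char name[16]; int registered; };
struct pcd_unit { struct gendisk *disk; };

static struct pcd_unit units[PCD_UNITS];

/* Stand-in for alloc_disk(): returns NULL on (simulated) failure. */
static struct gendisk *fake_alloc_disk(int fail)
{
    return fail ? NULL : calloc(1, sizeof(struct gendisk));
}

/* Bit i of fail_mask makes unit i's allocation fail. Returns units set up. */
int init_units(unsigned fail_mask)
{
    int ok = 0;
    for (int i = 0; i < PCD_UNITS; i++) {
        units[i].disk = fake_alloc_disk(fail_mask & (1u << i));
        if (!units[i].disk)
            continue;                        /* slot stays NULL, as cd->disk does */
        snprintf(units[i].disk->name, sizeof units[i].disk->name, "pcd%d", i);
        units[i].disk->registered = 1;
        ok++;
    }
    return ok;
}

/* How many slots currently hold a NULL disk pointer. */
int null_slots(void)
{
    int n = 0;
    for (int i = 0; i < PCD_UNITS; i++)
        if (!units[i].disk)
            n++;
    return n;
}

/* Vulnerable shape: every slot is touched, so a NULL slot is dereferenced.
 * Never call this after a partial init; it is here only for contrast. */
void exit_units_unchecked(void)
{
    for (int i = 0; i < PCD_UNITS; i++) {
        units[i].disk->registered = 0;       /* NULL pointer dereference on a failed slot */
        free(units[i].disk);
    }
}

/* Hardened shape: check before use, clear after free. Returns disks freed. */
int exit_units_checked(void)
{
    int freed = 0;
    for (int i = 0; i < PCD_UNITS; i++) {
        if (!units[i].disk)
            continue;
        units[i].disk->registered = 0;
        free(units[i].disk);
        units[i].disk = NULL;                /* a repeated cleanup is now harmless: no double free, no UAF */
        freed++;
    }
    return freed;
}

int main(void)
{
    int ok = init_units(1u << 2);            /* unit 2's allocation fails */
    printf("init: %d units ok, %d NULL slot(s)\n", ok, null_slots());
    int freed = exit_units_checked();
    printf("checked cleanup freed %d, leaving %d NULL slot(s)\n", freed, null_slots());
    return 0;
}
```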

Remedy: The fix is in the mainline kernel at the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6377f787aeb945cae7abbb6474798de129e1f3ac

Quick and Dirty – walk through CVE-2019-15846

Preface: Many cyber security experts have already explained the Exim vulnerability (a local or remote attacker can execute programs with root privileges). Here is a quick and dirty explanation; if you are interested, read on:

a. Connect to Exim with TLS and send an SNI that ends with backslash-null.
* This relies on an unescaped-backslash bug in string_printing2().

b. Exploit the backslash-null bug in string_interpret_escape().

Hints: background on the heap
When you call malloc, it returns a pointer to a block of memory in the heap.
char *p = malloc(2048) – reserves a 2048-byte chunk in the process's heap (virtual memory; physical pages are backed on first use).
strcpy(p, "123") – copies only four bytes (three characters plus the terminator), but the chunk still occupies 2048 bytes in the heap.
free(p) – returns the chunk to the allocator's free lists. The chunk header (size field and free-list links) lives inline in the heap next to user data, which is why an overflow from an adjacent chunk can corrupt it.

c. Use this heap overflow to overwrite the header of a free malloc chunk.

d. Allocate this enlarged malloc chunk and use it to overwrite large parts of the heap (the already-allocated malloc chunks) with arbitrary data.

e. Overwrite the “id” string (by overwriting “id” with “/../../../../../../../../etc/passwd”).
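As an added example (not Exim's code), the following C program models the backslash-null handling flaw from steps a and b without any TLS: unescape_vuln() consumes the byte after a backslash without checking whether it is the string terminator, so an input ending in a backslash makes the loop step over the NUL and keep copying whatever lies beyond it, while unescape_safe() stops at the terminator. The "SECRET" bytes placed after the NUL are constructed so the over-read is visible and stays inside an addressable buffer; in the real bug that memory was adjacent heap data, and the resulting over-copy is the heap overflow the later steps build on. Escape mapping (\n, \t and so on) is omitted; an escape here just takes the next byte literally.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: "a\" followed by its terminating NUL, then bytes a
 * correct decoder must never see. Using an array (not a pointer to a literal
 * of unknown extent) keeps the trailing bytes addressable for the demo. */
static const char SAMPLE[] = "a\\\0SECRET";

/* Vulnerable shape. Returns the number of bytes the decoder tried to emit;
 * writes at most outsz-1 bytes plus a terminator into out. */
size_t unescape_vuln(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        char c = *p;
        if (c == '\\') {                     /* no check whether p[1] is the NUL */
            p++;
            c = *p;                          /* c becomes '\0' and the loop walks past it */
        }
        if (n + 1 < outsz)
            out[n] = c;
        n++;
    }
    out[n < outsz ? n : outsz - 1] = '\0';
    return n;
}

/* Hardened shape: a trailing backslash is kept literally and the loop ends
 * at the terminator, so nothing beyond the NUL is ever read. */
size_t unescape_safe(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        char c = *p;
        if (c == '\\' && p[1] != '\0') {     /* only consume a real escaped byte */
            p++;
            c = *p;
        }
        if (n + 1 < outsz)
            out[n] = c;
        n++;
    }
    out[n < outsz ? n : outsz - 1] = '\0';
    return n;
}

/* 1 if the vulnerable decoder emitted 8 bytes, the last six being "SECRET". */
int demo_vuln_leaks(void)
{
    char out[32];
    size_t n = unescape_vuln(SAMPLE, out, sizeof out);
    return n == 8 && memcmp(out + 2, "SECRET", 6) == 0;
}

/* 1 if the hardened decoder emitted exactly "a\" and stopped. */
int demo_safe_stops(void)
{
    char out[32];
    size_t n = unescape_safe(SAMPLE, out, sizeof out);
    return n == 2 && strcmp(out, "a\\") == 0;
}

int main(void)
{
    printf("vulnerable decoder copies bytes beyond the NUL: %s\n", demo_vuln_leaks() ? "yes" : "no");
    printf("hardened decoder stops at the NUL: %s\n", demo_safe_stops() ? "yes" : "no");
    return 0;
}
```

The length mismatch is the whole story: the caller sized its destination for the visible string, but the vulnerable decoder emits more bytes than the input contained, and in Exim that excess landed in the heap.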

Official announcement:

Download and build a fixed version:

    Tarballs: https://ftp.exim.org/pub/exim/exim4/
    Git:      https://github.com/Exim/exim.git
              - tag    exim-4.92.2
              - branch exim-4.92.2+fixes

CIS Center for Internet Security urges PHP users to be aware of multiple vulnerabilities in PHP that could allow arbitrary code execution (Sep 2019)

Preface: Network security experts may hesitate to answer one question: which programming language is easy to write in yet has no loopholes? None does.

CIS Center for Internet security announcement: Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

For more information, please refer URL – https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2019-087/

Our observation: One component that can jeopardize your PHP website is an arbitrary PHP extension. An experiment has demonstrated this: after loading a custom-made PHP extension, every request can execute a piece of attacker-chosen PHP code. If you need to change the request argument arbitrary_php to something else, modify the value of REQUEST_NAME in arbitraryphp/extinitial/pre_request.h. The parameter is shown in the attached picture.

The unforgettable computer architecture – I do not mind that it has vulnerabilities. Sep 2019

Preface: Quite a number of people think that mainframe computers no longer exist. They are still alive.

Background: A 3270 Emulator is a terminal emulator that duplicates the functions of an IBM 3270 mainframe computer terminal on a PC or similar microcomputer.

Vulnerability details: SSL certificate validation is missing in the pw3270 terminal emulator before version 5.1.

Impact: A TLS/SSL certificate validation flaw lets an attacker in a man-in-the-middle position affect the confidentiality, integrity and availability of traffic between the client and the host, including the credentials used.

Remedy: Upgrade to version 5.1. For more information, please visit the following URL – https://pkgs.org/download/pw3270

Reflections on the Connection Between SSH client and SSH service Daemon – CVE-2019-1580 (PAN-OS – Palo Alto Networks)

Preface: Whether the device is a WAF or a traditional layer 3 firewall, an SSH daemon is usually present, since management over SSH is common.

Vulnerability details: Memory corruption in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earlier, PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow a remote, unauthenticated user to craft a message to Secure Shell Daemon (SSHD) and corrupt arbitrary memory.

Additional:

In the current version of the NDcPP there is a cryptographic Security Functional Requirement (SFR) called FCS_SSH*_EXT.1.8. If your solution involves an OpenSSH server or client, you may be surprised to find that OpenSSH's RekeyLimit option does not satisfy this requirement according to the Application Note: RekeyLimit's volume limiter rekeys only when the incoming or the outgoing byte count meets or exceeds the defined limit; it does not check the aggregate of both directions.

From a technical point of view, an attacker can consume the SSH daemon's memory and CPU by forcing rekeying. For instance, with the OpenSSH client simply type the escape sequence ~R (capital R) and a rekey takes place. Repeating this many times burdens the daemon process.

Remedy: Accept SSH connections only from trusted IP addresses and trusted networks, and upgrade to a PAN-OS release later than the affected versions listed above.