Another wave of IoT vulnerability storm – CISA releases ICS advisory on RTOS vulnerabilities – 29th Apr 2021

Preface: People say that when you walk through rough roads, a brand new road is waiting for you.

Synopsis: Because IoT devices are small, the main chip integrates memory and storage, and often even the WiFi function. Technically, the hardware resembles a car, so the software (OS) is equivalent to the car's driver: if the driver is healthy, the entire journey is smoother. The RTOS is a key component of an IoT device platform. A reinvented RTOS for IoT needs to support industry-leading communications standards and protocols such as CAN, Bluetooth, Continua, ZigBee, Wi-Fi, and Ethernet, and deliver high-performance networking capabilities out of the box.

Security Focus: A simple way to describe integer overflow: if 2147483647 (the largest value a 32-bit signed int can hold) is stored in an int variable, adding one wraps it around to -2147483648. That wraparound is an integer overflow.

Status: Because several RTOS platforms are affected by integer overflow vulnerabilities, CISA has released an ICS advisory on real-time operating system vulnerabilities. An integer overflow combined with a software programming mistake amplifies the risk level; in the worst case it lets an attacker achieve remote code execution.
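The following C program is an added illustration of the two points above, not code from CISA's advisory or from any of the affected RTOS vendors. It shows the wraparound of 2147483647 + 1 and then the pattern that turns such a wrap into a memory-safety bug: a hypothetical packet handler (the frame layout, the `header_len`/`payload_len` fields and the buffer capacity are constructed for this example) that adds two attacker-controlled 32-bit lengths before comparing the sum with its buffer, beside the hardened version that rejects the frame when the addition would wrap.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Does a + b fit in a 32-bit signed int? The sum is computed in 64 bits, so
   the check itself cannot overflow. Signed overflow is undefined behaviour
   in C, which is why the check must happen before the 32-bit addition. */
bool add_fits_int32(int32_t a, int32_t b)
{
    int64_t sum = (int64_t)a + (int64_t)b;
    return sum >= INT32_MIN && sum <= INT32_MAX;
}

/* The wrapped result a two's-complement CPU produces for a + b. The
   arithmetic is done in uint32_t so it is well defined; the conversion back
   to int32_t is two's-complement on every mainstream compiler. */
int32_t add_wrapping_int32(int32_t a, int32_t b)
{
    uint32_t r = (uint32_t)a + (uint32_t)b;
    return (int32_t)r;
}

/* Hypothetical RTOS frame handler (constructed for this example): the frame
   declares a header length and a payload length, both 32-bit and both taken
   from the packet, and the stack copies header + payload into a buffer of
   buf_cap bytes. Naive version: add first, check afterwards. Returns the byte
   count it would copy, or -1 if it believes the frame is too large. */
int64_t naive_total_len(uint32_t header_len, uint32_t payload_len, uint32_t buf_cap)
{
    uint32_t total = header_len + payload_len;   /* may wrap to a small value */
    if (total > buf_cap)
        return -1;
    return total;   /* passes the check, yet the real data is far longer */
}

/* Hardened version: refuse the frame if the addition would wrap, then apply
   the capacity check. This is what __builtin_add_overflow() does on
   GCC/Clang, written portably here. */
int64_t checked_total_len(uint32_t header_len, uint32_t payload_len, uint32_t buf_cap)
{
    if (payload_len > UINT32_MAX - header_len)   /* header_len + payload_len would exceed UINT32_MAX */
        return -1;
    uint32_t total = header_len + payload_len;
    if (total > buf_cap)
        return -1;
    return total;
}

int main(void)
{
    printf("INT32_MAX + 1 fits: %d, wraps to: %d\n",
           (int)add_fits_int32(INT32_MAX, 1), add_wrapping_int32(INT32_MAX, 1));
    /* Constructed hostile frame: 4-byte header, payload length 0xFFFFFFFE, 64-byte buffer. */
    printf("naive: %lld  checked: %lld\n",
           (long long)naive_total_len(4, 0xFFFFFFFEu, 64),
           (long long)checked_total_len(4, 0xFFFFFFFEu, 64));
    return 0;
}
```

With the hostile frame, the naive handler computes 4 + 0xFFFFFFFE = 2 after wraparound, accepts it, and would then copy roughly 4 GB into a 64-byte buffer; the checked handler rejects the same frame before any copy happens. The same pre-addition test applies to multiplications (element count times element size) and to the 16-bit length fields common in embedded protocol stacks.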

Official announcement: Refer to the link – https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04

Are you a victim of this newly discovered vulnerability (CVE-2021-25216)? – 28th Apr, 2021

Preface: BIND is the most commonly used DNS software on the Internet today. DNS servers that use BIND as their server software account for about 90% of all DNS servers. BIND is now developed and maintained by the ISC (Internet Systems Consortium).

Background: The ISC BIND server contained vulnerable code within the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) component, but ISC did not merge the patch at that time. After 15 years, ISC patched the bug in BIND and assigned it CVE-2020-8625. However, a second new vulnerability has now appeared in BIND: CVE-2021-25216.

Vulnerability details: This vulnerability situation is very complicated. Please refer to the official announcement – https://kb.isc.org/docs/cve-2021-25216

Ref: GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is an extension to the TSIG DNS authentication protocol for secure key exchange. It is a GSS-API algorithm which uses Kerberos for passing security tokens to provide authentication, integrity and confidentiality.
GSS-TSIG uses TKEY records for key exchange between the DNS client and server in GSS-TSIG mode, for example for authentication between a DNS client and Active Directory.

CVE-2021-29200 – Apache OFBiz has unsafe deserialization prior to version 17.12.07; an unauthenticated user can perform an RCE attack (27th Apr 2021)

Preface: According to market statistics, 152 companies use Apache OFBiz. The companies using Apache OFBiz are most often found in the United States and in the Computer Software industry.

Background: Apache OFBiz is a suite of business applications flexible enough to be used across any industry. OFBiz is an open source enterprise resource planning (ERP) system. A common architecture allows developers to easily extend or enhance it to create custom features.

Vulnerability focus: Experts found a lack of a file extension check at catalog/control, which allows a JSP webshell script to be uploaded. Meanwhile, if the vulnerable system runs on top of Amazon Elastic Compute Cloud, the attacker can retrieve user credentials because of the AWS design principle described below.
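The check that is missing in the scenario above, written out as an added example in C (it is not OFBiz code; the same logic applies one-to-one to a Java upload handler, which is where a fix for this class of bug belongs). The allowlist of image extensions, the 255-byte name limit and the sample file names are constructed for this example. The point is that an allowlist of acceptable extensions, applied to a plain file name with exactly one extension, rejects `.jsp` and every other executable type without a blocklist that can be bypassed by case, double extensions or trailing characters.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Allowlist for a hypothetical image-upload endpoint (constructed). Anything
   not listed here (jsp, jspx, php, ...) is rejected; no blocklist is needed. */
static const char *const ALLOWED_EXT[] = { "png", "jpg", "jpeg", "gif" };

/* Case-insensitive equality for two ASCII strings. */
static bool ascii_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True only if `name` is a plain file name whose single extension is on the
   allowlist. Rejects path separators (directory traversal), leading dots
   (hidden files), trailing dots/spaces (silently stripped by Windows),
   control characters, and double extensions such as "shell.jsp.png". */
bool upload_name_allowed(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    size_t n = strlen(name);
    if (n > 255)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c == 0x7F)
            return false;
    }
    if (name[0] == '.' || name[n - 1] == '.' || name[n - 1] == ' ')
        return false;
    const char *dot = strchr(name, '.');
    if (dot == NULL || strrchr(name, '.') != dot)   /* require exactly one dot */
        return false;
    const char *ext = dot + 1;
    for (size_t i = 0; i < sizeof ALLOWED_EXT / sizeof ALLOWED_EXT[0]; i++)
        if (ascii_ieq(ext, ALLOWED_EXT[i]))
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample names an upload handler might receive. */
    const char *samples[] = { "photo.PNG", "shell.jsp", "shell.jsp.png",
                              "../shell.png", "shell.png.", ".png", "shell.png " };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               upload_name_allowed(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The extension check is only one layer: uploaded files should also be written under a server-generated name to a directory that the servlet container never treats as a web root, so that even a file that slips through is stored as data rather than compiled as a JSP.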

Is there a reserved set of security credentials in AWS?

Instance-identity security credentials are credentials that can be generated using the instance metadata service on every EC2 instance in AWS, even when no role is attached to the instance.

Official announcement: https://issues.apache.org/jira/browse/OFBIZ-12080

CVE-2021-1075 – To protect your system, download and install this software update – 26th Apr 2021

Preface: Graphics card not detected in Device Manager or BIOS – it's possible that your graphics card isn't properly connected, but this is usually caused by incompatible drivers.

Background: The DxgkDdiEscape function shares information with the user-mode display driver. It can be called directly from user mode and accepts arbitrary data that is parsed and processed in a vendor-specific way. This design weakness was found by Google's Project Zero team a long time ago.
The GPU manufacturer made an official announcement this month.

Vulnerability details: NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the program dereferences a pointer that contains a location for memory that is no longer valid, which may lead to code execution, denial of service, or escalation of privileges.

Remedy: Security Bulletin: NVIDIA GPU Display Driver – April 2021 – https://nvidia.custhelp.com/app/answers/detail/a_id/5172

MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location – 25th Apr 2021

Preface: Similar design concepts rely on OpenSSL, and encountering vulnerabilities in it is not news. This time it was just "old wine in new bottles".

Background: MySQL for Windows is built from source using MinGW, so the bundled OpenSSL finds itself looking at sub-directories of 'C:/usr/local', which may be world writable. This enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc.

For OpenSSL 1.0.2, ‘/usr/local/ssl’ is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds.

Vulnerability details: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. This easily exploitable vulnerability allows an unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. For more details, please refer to the following link: https://kb.cert.org/vuls/id/567764

Reference: The latest release of MySQL (version 8.0) has several new features, including a transactional data dictionary that stores information about database objects. In addition, Atomic DDL (atomic data definition statements) allows a statement to combine the data dictionary updates, storage engine operations and binary log writes associated with a DDL operation into a single, atomic transaction.

Security Focus – CVE-2021-2200: Oracle Applications Framework Homepage component vulnerability. 21st Apr 2021

Background: OA Framework is based on a J2EE technology called BC4J (Business Components for Java). The OA Framework is a Model-view-controller (MVC) framework built using J2EE (Java 2 Platform, Enterprise Edition) technologies.

Vulnerability details: According to CVE-2021-2200, the vulnerability occurs on the homepage. For the benefit of the customer, Oracle will not announce the root cause to the public. However, it reminds me that a design weakness occurred in the same place in the past (see below):

“If the ICX session expires before the Jserv session, the user will be presented with a login page even though the Jserv session is still active. If the user logs back in before the Jserv session expires, they will see the old state of their middle-tier transaction.”

Perhaps this new vulnerability is different. It has a high CVSS score (9.1) and allows remote exploitation without authentication. But the vendor does not provide the root cause, so we must wait for the official announcement.

Oracle security alerts, please refer to the link: https://www.oracle.com/security-alerts/cpuapr2021.html

Reference: ICX: Session Timeout – Use this profile option to enforce an inactivity time-out. If a user performs no Oracle E-Business Suite operation for a time period longer than the time-out value (specified in minutes), the user’s session is disabled. The user is provided an opportunity to re-authenticate and re-enable a timed-out session. If re-authentication is successful, the session is re-enabled and no work is lost. Otherwise, Oracle E-Business Suite exits without saving pending work. If this profile option is set to 0 or NULL, then user sessions will never time out due to inactivity.

VMware announcement – guest1 and guest2 user accounts design weakness (CVE-2021-21981) – 20th Apr, 2021

Preface: From a security perspective, what is the difference between a configuration error and a vulnerability? Perhaps the potential impact is the same if it involves a privilege-control function.

Product background: NSX-T Data Center supports cloud-native applications, bare metal workloads, multi-hypervisor environments, public clouds, and multiple clouds. NSX-T aims to protect applications with workload-level micro-segmentation and sophisticated security. Regardless of the physical network topology within and between the data center and the native public cloud, the network and security principles can be managed in a consistent manner.

Vulnerability details: The official announcement said that a privilege escalation vulnerability in VMware NSX-T was privately reported to VMware. However, when you read the old version of the documentation, it states that for a cloud environment with NSX, the guest user accounts are displayed as cloud_admin and cloud_audit, are inactive, and have the Cloud Admin and Cloud Operator default roles. This is correct. Or is it?

The official details link is here: https://www.vmware.com/security/advisories/VMSA-2021-0006.html

The design weakness of the DNS module exposes Siemens Nucleus products to the WRECK loophole – 19th April, 2021.

Preface: The DNS Client is capable of resolving the IP address of a host from the host’s name. It does this by sending DNS requests to a DNS Server. The IP address of a DNS Server is specified in the network interface configuration file or can be obtained from the DHCP Server for the Local Area Network.

Product background: Nucleus RTOS is a proven, reliable, and fully optimized RTOS. Nucleus has been successfully deployed in highly demanding markets with rigorous safety and security requirements such as industrial systems, medical devices, airborne systems, automotive and more.

Vulnerability details: The DNS domain name label parsing functionality does not properly validate the names in DNS responses. When a DNS packet contains a compression offset such that src jumps back to the same compression pointer, the TCP/IP stack reaches a denial-of-service condition. For more details, please refer to the official announcement – https://cert-portal.siemens.com/productcert/pdf/ssa-705111.pdf
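How a DNS name parser can validate compression pointers so that a pointer back to itself (or into a cycle) is rejected instead of looping forever, as an added example in C. This is not the Nucleus NET code or the Siemens fix; the packet samples are constructed for this example. The rule applied is that every compression pointer must land strictly below everything the parser has visited so far for this name, which is what RFC 1035 pointers do in a well-formed message and which excludes self-references, pointer-to-pointer cycles and "label, then pointer back to the label" loops alike.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define DNS_MAX_NAME  255   /* wire bytes, including the terminating zero */
#define DNS_MAX_LABEL 63

/* Decode one (possibly compressed) domain name starting at pkt[off]. Writes
   the dotted form into out (out_cap bytes) and returns how many wire bytes
   the name occupies at its original position, so the caller can continue
   parsing after it. Returns -1 on malformed input: truncation, oversized
   labels or names, reserved label types, and pointers that go forward, point
   at themselves or form a cycle. */
int dns_read_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                  char *out, size_t out_cap)
{
    size_t pos = off;
    size_t low = off;        /* every pointer target must be below this */
    size_t consumed = 0;     /* bytes used at the original offset */
    bool jumped = false;
    size_t out_len = 0, wire_len = 0;

    for (;;) {
        if (pos >= pkt_len)
            return -1;
        uint8_t len = pkt[pos];

        if ((len & 0xC0) == 0xC0) {            /* 11xxxxxx: compression pointer */
            if (pos + 1 >= pkt_len)
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (target >= low)                  /* the loop check */
                return -1;
            if (!jumped) {
                consumed = pos + 2 - off;
                jumped = true;
            }
            low = target;
            pos = target;
            continue;
        }
        if (len & 0xC0)                         /* 01xxxxxx / 10xxxxxx: reserved */
            return -1;
        if (len == 0) {                         /* root label ends the name */
            if (!jumped)
                consumed = pos + 1 - off;
            if (out_len + 1 > out_cap)
                return -1;
            out[out_len] = '\0';
            return (int)consumed;
        }
        if (len > DNS_MAX_LABEL || pos + 1 + len > pkt_len)
            return -1;
        wire_len += 1 + len;
        if (wire_len + 1 > DNS_MAX_NAME)        /* +1 for the final zero byte */
            return -1;
        if (out_len + (out_len ? 1 : 0) + len + 1 > out_cap)
            return -1;
        if (out_len)
            out[out_len++] = '.';
        memcpy(out + out_len, pkt + pos + 1, len);
        out_len += len;
        pos += 1 + len;
    }
}

/* Decode a name and compare it with `expected`; returns the consumed byte
   count on a match and -1 on a parse error or mismatch. */
int decode_and_match(const uint8_t *pkt, size_t pkt_len, size_t off,
                     const char *expected)
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_read_name(pkt, pkt_len, off, name, sizeof name);
    return (n >= 0 && strcmp(name, expected) == 0) ? n : -1;
}

/* Constructed samples; each begins with a 12-byte DNS header (offsets 0-11). */
#define HDR 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0
static const uint8_t SAMPLE_OK[] = {
    HDR,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* offsets 12-28 */
    3,'f','t','p', 0xC0, 16,                       /* offsets 29-34: "ftp" + pointer to offset 16 */
};
static const uint8_t SAMPLE_SELF[]       = { HDR, 0xC0, 12 };             /* 12 -> 12 */
static const uint8_t SAMPLE_CYCLE[]      = { HDR, 0xC0, 14, 0xC0, 12 };   /* 12 -> 14 -> 12 */
static const uint8_t SAMPLE_LABEL_LOOP[] = { HDR, 2,'a','b', 0xC0, 12 };  /* "ab", then back to 12 */

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_read_name(SAMPLE_OK, sizeof SAMPLE_OK, 29, name, sizeof name);
    printf("offset 29: %s (%d wire bytes)\n", n < 0 ? "error" : name, n);
    printf("self: %d  cycle: %d  label loop: %d\n",
           dns_read_name(SAMPLE_SELF, sizeof SAMPLE_SELF, 12, name, sizeof name),
           dns_read_name(SAMPLE_CYCLE, sizeof SAMPLE_CYCLE, 12, name, sizeof name),
           dns_read_name(SAMPLE_LABEL_LOOP, sizeof SAMPLE_LABEL_LOOP, 12, name, sizeof name));
    return 0;
}
```

A parser that only checks "pointer target is less than the pointer's own offset" still loops on the third sample (the pointer at offset 15 legitimately points backwards, to offset 12, where the same label starts), which is why the watermark is kept at the lowest offset visited rather than at the current position. The length limits on labels and on the whole name bound the work per name even on a packet that is otherwise well formed.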

Workarounds: Avoid using the DNS client of affected versions. When remote access is required, use secure methods such as Virtual Private Networks (VPNs).

About WRECK DNS vulnerabilities – 15th Apr 2021

Background: DNS security awareness was awakened a few years ago when an expert used a simple DNSsteal demonstration to show how a little-known DNS feature could be exploited.
In April 2021, a cyber security product vendor together with security experts announced a previously unknown TCP/IP stack weakness in IoT.
The difference between the DNS misuse (DNSsteal) and the technical problem announced by the vendor this month is that this time it is a design weakness of the IoT TCP/IP stack itself.

Vulnerability details: The so-called WRECK flaws affect at least four common TCP/IP stacks (FreeBSD, IPNet, NetX, and Nucleus NET) that are used in Internet of Things (IoT) devices. The specific flaws could be abused to perform denial of service (DoS) attacks, to execute code remotely, or to take victim devices offline. For details, please refer to the link – https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/

My Comment: This IoT vulnerability crisis awakens IoT vendors to enhance their IoT access control functions and build trusted connection functions to external peers. This will stop abnormal traffic from connecting to your device and reduce the risk. Perhaps DNS protection should also be provided by the service provider at the same time.

Security Focus – About SAP Releases April 2021 Security Updates – 15th Apr 2021

As usual, by the vendor's decision, the vendor is not going to release the details of the design weakness. In my opinion, understanding the details will enhance your system and infrastructure defense mechanisms. Below is my personal comment on this specific vulnerability.

Vulnerability details: CVE-2021-21481 – The MigrationService, which is part of SAP NetWeaver, does not perform an authorization check allowing an unauthorized attacker to access configuration objects, including such that grant administrative privileges.

Since SAP uses an explicit authorization model, an authority check must be coded in order to be executed. If an explicit check is not coded, all users have access.

Reference: Explicit authentication bypass (whitelist). The filter architecture will, by default, provide an “always-on” authentication approach. This sets up the system for an explicit whitelist.

Impact: Since the failure is related to incorrect authorization, the risk will depend on the environment.

Official announcement: Please refer to link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649