Stay alert to Trend Micro products – 30th Jul 2021

Preface: In order to expand business development, software products sometimes use similar engineering designs. When vulnerabilities occur, their effects seem to be interrelated.

Privilege Escalation Attack Techniques: A low-privileged process from being escalated via a token stolen from a process with greater privileges. This technique is often used in tandem with another vulnerability to successfully deliver and run an attacker’s malicious code with system permissions.

Perhaps attacker not use this way now. But in past, Scheduled tasks can also be used to bypass User Account Control (UAC) and escalate privileges, when misusing system actions such as antivirus update for example. As this command is marked with auto-elevating, it will run with elevated privileges without prompting the user through UAC. The key is that it uses a user controlled environment variable as part of the path, which can be manipulated.

Vulnerability details:

CVE-2021-32464 – An incorrect permission assignment privilege escalation vulnerability in Trend Micro Apex One and Apex One as a Service could allow an attacker to modify a specific script before it is executed.
CVE-2021-32465 – An incorrect permission preservation vulnerability in Trend Micro Apex One and Apex One as a Service could allow a remote user to perform an attack and bypass authentication on affected installations.
CVE-2021-36741 – An improper input validation vulnerability in Trend Micro Apex One and Apex One as a Service allows a remote attached to upload arbitrary files on affected installations.
CVE-2021-36742 – A improper input validation vulnerability in Trend Micro Apex One and Apex One as a Service allows a local attacker to escalate privileges on affected installations.

Remedy by vendor:

Security Bulletin for Worry-Free Business Security – https://success.trendmicro.com/solution/000287820

Security Bulletin for Trend Micro Apex One and Apex One as a Service – https://success.trendmicro.com/solution/000287819

CISA security advisory: KUKA KR C4 Controller (27th Jul 2021)

Preface: The computer behind the robots performance is the Programmable Logic Controllers (PLCs). PLCS are able to control the robots and help them do their job at very specific times and points in the production process.

Product background: The KR C4 software architeture integrates Robot Control, PLC Control, Motion Control (e.g. KUKA.CNC) and Safety Control. All controllers share a database and infrastructure.

KUKA System Software (KSS)
In the case of the KR C4 compact robot controller, safety options such as SafeOperation are only available via the Ethernet safety interface from KSS/VSS 8.3 onwards. From KSS 8.3 and from motherboard D3236-K onwards: Board Package USB stick in the USB port.

Vulnerability details: Multiple vulnerabilities in KUKA KR C4

Vulnerable software versions
– KSS: All versions
– KR C4: before 8.7 (hardware)

For the possibility of this vulnerability, please refer to the attached diagram.

CISA security advisory: Please refer to the link – https://us-cert.cisa.gov/ics/advisories/icsa-21-208-01

Workaround: If you are not able to do the any corrective action immediately. You should following vendor recommendation to install the antivirus to enforce the protection. Ikarus antivirus is the only one tested with kuka they don’t recommend any others due to testing.

CVE-2021-34432 Do not kill mosquitto (27th July, 2021)

Preface: Internet of Things (IoT) and machine-to-machine (M2M) technologies need to use a messaging and connectivity protocol in order to exchange information from a remote location.

Background: MQTT is a binary-based protocol and has command and command acknowledgement format. So every time a client sends a command to the broker, the broker sends an acknowledgement. This communication protocol is actually based on the TCP/IP protocol. So first there will be a TCP connection establishment and then there will be MQTT connection establishment and then the data transfer will occur. After which TCP connection will be terminated.

An MQTT broker is a server that receives all messages from the clients and then routes the messages to the appropriate destination clients.

Vulnerability details: In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.

Remedy: The design weakness was patched in version 2.08.

Client library: Fix mosquitto_{pub|sub}_topic_check() functions not returning MOSQ_ERR_INVAL on topic == NULL.

Causes: Under following condition, it will returns MOSQ_ERR_INVAL if the topic string is too long.

Elasticsearch ECE 7.13.3 Database Disclosure (27th Jul 2021)

Preface: 3431 companies reportedly use Elasticsearch in their tech stacks, including Uber, Shopify, and Udemy.

Background: Elasticsearch is based on Lucene, very fast and scalable for searching operations. Elasticsearch is good for data analysis, logging and error monitoring and alerting so can be used to search all kinds of documents.
Remark: Apache Lucene is a free and open-source search engine software library, originally written completely in Java by Doug Cutting.

Elasticsearch Service on Google Cloud Platform (GCP) availabe in 2017, allowing customers to deploy the latest versions of Elasticsearch, Kibana, and our continually expanding set of features (such as security, machine learning, Elasticsearch SQL, and Canvas) and solutions for logging and infrastructure.

Vulnerability details: All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Remedy: Vendor announcement, please refer to the link – https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180

Vulnerability found by Apple on Feb, 2021. However such vulnerability awaken digital world consider whether to continue using LibTIFF. (26th July, 2021)

Preface: Multiple vulnerabilities have been found in libTIFF, the worst of which may allow execution of arbitrary code. It is talking about 5 years ago (2016)! Has it become the focus of manufacturers’ attention now?

Background: TIFF offers support for tag extensions allowing for more tags than the standard TIFF specification. For example: Code, 326 (hex 0x0146). Name, BadFaxLines. Used in the TIFF-F standard, denotes the number of ‘bad’ scan lines encountered by the facsimile device.

Reference: Tag code 326 (BadFaxLines) – When using this tag in LibTIFF it is possible to have a type confusion vulnerability where LibTIFF attempts to read a mistyped argument off of the variable argument list.

Vulnerability details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. Crafted data in a TIFF image can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

Remark: By reading the TIFF-pages as BufferedImages, you essentially decompress the stored images, which might need a lot of memory depending on the size of the images: Every pixel will take up 3 (RGB) or 4 (ARGB) bytes.

Vulnerability exploit path: Exploiting this vulnerability requires user interaction, and the target must visit a malicious page or open a malicious file.

Existing status: ZDI notified the vendor of the intention to publish the case as a 0-day advisory on 07/22/21.

Stay alert! IPython code execution (23-7-2021)

Preface: IPython offers an enhanced read-eval-print loop (REPL) environment particularly well adapted to scientific computing. In other words, IPython is a powerful interface to the Python language.

Background: IPython provides a rich toolkit to help you make the most out of using Python, with:

  • Powerful Python shells (terminal and Qt-based).
  • A web-based notebook with the same core features but support for code, text, mathematical expressions, inline plots and other rich media.
  • Support for interactive data visualization and use of GUI toolkits.
  • Flexible, embeddable interpreters to load into your own projects.
  • Easy to use, high performance tools for parallel computing.

Vulnerability details: IPython could allow a remote attacker to execute arbitrary code on the system, caused by improper permission assignment.
By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code from the
current working directory.

Remedy: No remedy available as of July 22, 2021.

32-bit design limitation (0x7ffffffff). Another episode of Y2K. (23-07-2021)

Preface: Because humans have destroyed the environment. Therefore, natural disasters resemble God’s punishment. In the digital world, the situation is the same. The reason for the penalty is the design weakness of the software.

Background: Perhaps the younger generation has not experienced “Y2K” technical problems because they are still children. The millennium bug is about 22 years until today. I think many people have forgotten. The digital world disaster is similar to the Old Testament description of the earth flood, and God instructed to build an ark to save the species.

Fundamental design weakness: On a 32-bit Linux system, the maximum value that time_t can represent is 0x7ffffffff. When time_t takes the maximum value, it means that the system time is 2038-01-19 03:14:07, but when the clock keep going, time_t will overflow and become A negative value. At this time, the system time will start over and the operating system and upper-layer software will run incorrectly.

IoT current status 2021: The trend by today – 8-bit and 16-bit MCUs had been the hardware of choice for IoT devices, but 32-bit MCUs are now becoming increasingly popular, leading to many manufacturers using two different powered processes in devices. Therefore, your RTOS should be scalable in order to manage any future MCU upgrades.

Reports indicate that there will be 35.82 billion IoT devices installed worldwide by 2021 and 75.44 billion by 2025.

Remedy: In order to remedy this technical limitation. Software developer require to use GNU C Library 2.32 and Musl libc 1.2 to build user space for 64-bit time_t.
Musl, a C standard library, is mainly used on operating systems based on the Linux kernel. The target is embedded systems and mobile devices. It is released under the MIT license. The author is Rich Felker. The purpose of developing this library is to write a clean, efficient, and standard-compliant C standard library.

Expectation: We pass a new challenge token to the younger generation, because they have grown up now. It’s your turn.

Design flaws sometimes involve risks, but sometimes they are unknown (CVE-2021-33909)

Preface: A series of sequential read functions for seq operations are defined in fs/seq_file.c. These functions were first introduced in 2001, but have not been used much in the kernel before, and after the 2.6 kernel, many / The seq function is heavily used in proc’s read-only files.

Synopsis: Linux kernel 5.13 initially supports Apple’s M1 processor, supports the Landlock security module, is used to create a security sandbox to reduce the security impact of various flaws in user space applications, the ability to handle ASN.1 trusted keys, and preliminary support are applicable AMD Radeon “Aldebaran” GPU series.

Background: About There are numerous ways for a device driver (or other kernel component) to provide information to the user or system administrator. One useful technique is the creation of virtual files, in debugfs, /proc or elsewhere. Virtual files can provide human-readable output without any special utilities. The Linux kernel’s seq_file interface produces virtual files that contain sequences of records.

Vulnerability details: s/seq_file[.]c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user. For more information on this matter, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2021-33909

A flaw that awakens security vendors – free after use vulnerability (CVE-2021-32589) – 20th July, 2021.

Preface: If you have fgfmsd (TCP/541 / TCP/542) public-facing and have not upgraded to a fixed release, perhaps you should consider the workaround by vendor.

Background: The FGFM protocol runs over SSL (Secure Sockets Layer) using TCP port 541 under IPv4. Both FortiGate and FortiManager units have a ‘FGFM’ daemon running exclusively for FortiGate to FortiManager communication. The FortiManager unit listens on TCP port 541 for an incoming session request. The FortiGate unit establishes an SSL session with the FortiManager. Both units use TCP port 541 for sending and receiving messages.

You can add FortiAnalyzer devices to FortiManager and manage them. When you add a FortiAnalyzer device to FortiManager, FortiManager automatically enables FortiAnalyzer features. FortiAnalyzer and FortiManager must be running the same OS version, at least 5.6 or later.

Vulnerability details: The vulnerability exists due to a use-after-free error within the fgfmsd daemon. A remote non-authenticated attacker can send a specially crafted request to port 541/tcp (IPv4) or 542/tcp (IPv6), trigger a use-after-free error and execute arbitrary code on the system with root privileges.

Workaround: Disable FortiManager features on the FortiAnalyzer unit using the command below:
– config system global
– set fmg-status disable <— Disabled by default.
– end

Official announcement https://www.fortiguard.com/psirt/FG-IR-21-067

Closer look of VMware Thinapp design weakness (CVE-2021-22000) – 18th July 2021

Preface: Secure loading of libraries to prevent DLL preloading attacks, said Microsoft.

Background: When an application dynamically loads a dynamic link library (DLL) without specifying a fully qualified path, Windows tries to locate the DLL by searching a well-defined set of directories. If an attacker gains control of one of the directories, they can force the application to load a malicious copy of the DLL instead of the DLL that it was expecting. These attacks are known as “DLL preloading attacks” and are common to all operating systems that support dynamically loading shared DLL libraries. Even experts discovered that malware exploit similar method to inject code into system process.

Closer look of the POC details:

Design weakness in VMware-ThinApp-Enterprise-5.2.9-17340778[.]exe.
The method is that this vulnerability allows non-privileged users to create directories (C[:]\DummyTLS), copy a malicious dll file and rename it to dummyTLS[.]dll in the same place.It will trigger the specify vulnerability.

The steps are as follows:

  1. Run “C[:]\Program Files (x86)\VMware\VMware ThinApp\Setup Capture[.]exe”.
    Then C[:]\DummyTLS\dummy TLS.dll will be loaded simultaneously.
  2. Code injection completed.

In additional, other exe files like log_monitor[.]exe and snapshot[.]exe had similar vulnerability occur.

VMware security advisory – https://www.vmware.com/security/advisories/VMSA-2021-0015.html