Preface: Generally, when it comes to interconnection in the SAP system environment, remote function call (RFC) is one of the main communication protocols used.

Observation: About CVE-2021-27610 – SAP resolved the design weakness of the server-side RFC protocol in July 2021. According to the official announcement, a remote attacker can make a special request through a given user identity, which can exploit this vulnerability, leading to the bypass of authentication in the SAP kernel. In the worst case, this can lead to highly privileged system access and ultimately allow the attack The person has full control of the target application server.

According to the official announcement, Security Note 3007182 covers almost all the correction instructions for maintaining the kernel version, and many network security experts speculate that the vulnerability has been hidden for many years. For my observations and tips, I wrote down the details in the attached drawings. If you are interested, please read the details.

Vulnerability details: An improper authentication vulnerability exists in SAP NetWeaver Application Server ABAP. ABAP Server and ABAP Platform do not create information about internal and external RFC user in distinguished and consistent format, which may be exploited by malicious users to obtain illegitimate access to the system.

CVE-2021-27610 – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (Authentication Bypass) – https://nvd.nist.gov/vuln/detail/CVE-2021-27610

Official announcement – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506

Preface: (DLL) side-loading is an increasingly popular cyber attack method that takes advantage of how Microsoft Windows applications handle DLL files.

Background:

Where is the Citrix VDA?
By default, the supportability MSI is installed in C:\Program Files (x86)\Citrix\Supportability Tools\ . You can change this location on the Components page of the VDA installer’s graphical interface, or with the /installdir command-line option.

Vulnerability Details: A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.

One of the possibilities: What if the C:\Program File\Citrix\ICA Client directory is configured with incorrect permissions and allows any user add file? A malicious version of the DLL file could be planted in this directory, allowing a local attacker to execute arbitrary code in the context of any other user who would run this application. Although that’s DLL searh order hijacking, the first variant is also sometimes rightly or wrongly called DLL Sideloading. It is mostly used by malwares but it cab also be used for privileges escalation.

Official details: https://support.citrix.com/article/CTX319750

Preface: As a digital identity decision maker in your organization, you already know that in today’s new reality are the cyber security challenges. Centrally manage access permissions to meet best practices in identity management.

Product Background: ForgeRock Access Manager/OpenAM supports a wide range of authentication modules (see diagram) that can be configured together using authentication chains, and authentication nodes that can be configured together using authentication trees. After you configure AM authentication, users can authenticate to AM using a browser or a REST API.

Vulnerability details: A pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. Exploit a single GET/POST request can execute a code execution. The design weakness cause by unsafe Java object deserialization. The proof-of-concept tool can generating payloads that exploit unsafe Java object deserialization to shown the design weakness of ForgeRock Access Manager product. This vulnerability was patched in ForgeRock AM version 7.0 by entirely removing the “/ccvesion” endpoint, along with other legacy endpoints that use Jato. Furthermore Jato framework has not been updated for many years, so all other products that rely on it may still be affected. ForgeRock have provided a workaround for people still running 6.X.

AM Security Advisory #202104 – https://backstage.forgerock.com/knowledge/kb/article/a47894244

Preface: Microsoft has assigned CVE-2021-34527 to PrintNightmare. CVE-2021-1675 is similar but distinct from CVE-2021-34527.

Background: There is a vulnerability nickname PrintNightmare. PrintNightmare is not the same as CVE-2021-1675, which was fixed in the patch in June. there is currently no patch available for PrintNightmare.

Technical Details: The vulnerability numbered CVE-2021-34527 is the same RCE vulnerability in Print Spooler as CVE-2021-1675 that has attracted attention this week. Microsoft explained that it was caused by improper execution of the file by the Print Spooler service. To exploit this vulnerability, the attacker must be an authenticated user and execute RpcAddPrinterDriverEx(). Successful miners can execute arbitrary code with SYSTEM privileges.

Microsoft has addressed this issue in the updates for CVE-2021-34527. However, the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1. For this reason, please consider the workarounds before Microsoft release the patch.

Workaround: Microsoft has listed several workarounds in their advisory for CVE-2021-34527. For more details, please refer to link.https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Preface: Artificial intelligence (AI) has the potential to overcome the physical limitations of capital and labor and open up new sources of value and growth.

Background: Apache Jena is a free and open source Java framework for building semantic web and Linked Data applications. The framework is composed of different APIs interacting together to process RDF data. Apache Jena Fuseki – SPARQL server which can present RDF data and answer SPARQL queries over HTTP.

Apache Jena Fuseki is a SPARQL server. It can run as a operating system service, as a Java web application (WAR file), and as a standalone server.

RDF is a standard for data interchange that is used for representing highly interconnected data. Each RDF statement is a three-part structure consisting of resources where every resource is identified by a URI. Representing data in RDF allows information to be easily identified. And interconnected by AI systems.

Vulnerability details: A vulnerability classified as problematic has been found in Apache Jena Fuseki up to 4.0.0. Affected is an unknown code block of the component HTML Page Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability.

Remediation: Users are advised to upgrade to Apache Jena 4.1.0 or later.