A vulnerability in the XML data compression tool (XMill) jeopardizing the Schneider Control Expert software (16th Aug, 2021)

Preface: Since XML data is irregular and verbose, it can burden both query processing and data exchange.

Background: XMill is a tool for compressing XML data efficiently. It is based on a regrouping strategy that leverages the effect of highly efficient compression techniques in compressors such as gzip (please refer to the attached diagram for details).

The architecture of XMill is based on three principles:
– The XML file is parsed by a SAX parser that sends tokens to the path processor.
– Every XML token (tag, attribute, or data value) is assigned to a container.
– Tags and attributes forming the XML structure are sent to the structure container. Data values are sent to various data containers.

Vulnerability details: XMill contains four heap-based buffer overflow vulnerabilities: TALOS-2021-1290 (CVE-2021-21825), TALOS-2021-1291 (CVE-2021-21826 – CVE-2021-21828), TALOS-2021-1292 (CVE-2021-21829) and TALOS-2021-1293 (CVE-2021-21830). These could all be exploited by an adversary to gain the ability to execute code on the victim machine. Since the XMill tool contains multiple vulnerabilities, please refer to the official Cisco Talos link for details – https://blog.talosintelligence.com/2021/08/vuln-spotlight-att.html

Additional details: Only a subset of these XMill vulnerabilities directly affects Schneider’s Control Expert software:
TALOS-2021-1290, TALOS-2021-1291, TALOS-2021-1292 and TALOS-2021-1293, which all directly affect Control Expert and are based around XML decompression within the software.

Reference: EcoStruxure Control Expert is a unique software platform to increase design productivity and performance of your Modicon M340, M580 and M580 Safety, Momentum, Premium, Quantum applications.

The Qixi Festival (GMT+8, 14th Aug, 2021)

Preface: There is no doubt that coincidences often appear in the myths handed down from ancient times. This coincidence is related to an astronomical phenomenon.

Mythological background: Legend has it that since the Northern and Southern Dynasties, the seventh day of the lunar calendar is the day when Altair (牛郎) and Vega (織女) meet once a year. It is commonly known as “Chinese Valentine’s Day”.
This is a love story that has been passed down through the ages.
Remark: The Northern and Southern Dynasties were a period in Chinese history, from 420 to 589 AD; it was a turbulent era.

Astronomical phenomenon synopsis: The Pleiades, also known as the Seven Sisters and Messier 45, is an open star cluster containing middle-aged, hot B-type stars in the north-west of the constellation Taurus (金牛座).
Lyra is one of the most brilliant constellations of the northern sky, named after the lyre, the harp of ancient Greece. It is one of the 48 constellations listed by the ancient Greek astronomer Ptolemy and one of the 88 modern constellations defined by the International Astronomical Union. Although Lyra is not large, it is not difficult to identify, because its principal star Vega is one of the vertices of the “Summer Triangle”.

In summer, the summer triangle rises to the zenith in the mid-latitudes of the northern hemisphere. After sunset in autumn, the summer triangle can still be easily seen in the west.

Ref: Since the Tang Dynasty, the Pleiades have been regarded as seven stars. But modern astronomy says this is incorrect.

Did you celebrate this holiday today? Yep, I went to Sai Kung to worship the god.

CVE-2021-34484 – Was the error that occurred a return? 12th Aug 2021

Preface: Type the following command and hit Enter. mklink /J “path to junction link” “path to target folder”. The junction link is thus created.

Background: By creating a new folder structure, changing the user’s shell folder registry key, and placing a junction point in the hierarchy, any other UsrClass[.]dat file on the system can be opened through this process.

Vulnerability details: Microsoft Windows User Profile Service Directory Junction Privilege Escalation Vulnerability (CVE-2021-34484).

An authenticated attacker who successfully exploits this vulnerability could leverage the Windows User Profile Service (ProfSvc) to load registry hives that are associated with other user accounts and potentially run programs with elevated permissions. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.

Official details: Please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34484

Cyber Security Focus SAP Security Patch Day-August 2021. About CVE-2021-33690 (August 10, 2021)

Preface: Software Development Life Cycle is the application of standard business practices to building software applications. It’s typically divided into six to eight steps: Planning, Requirements, Design, Build, Document, Test, Deploy, Maintain.

Background: The SAP NetWeaver Development Infrastructure combines the features and advantages of a local development environment (usually provided in a Java environment) and a server-based development environment. It gives development teams a consistent development environment and supports the software throughout its development life cycle.

Component Build Service (CBS): Central build of the source files in the DTR based on the component model.

Vulnerability details: CVE-2021-33690 – Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service)

Affected Products – SAP NetWeaver Development Infrastructure (Component Build Service), Versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

Description: SSRF lets attackers send requests from the server to other resources, both internal and external, and receive responses.

Reference: If you are interested in my understanding of this matter, please refer to the picture above. The official details can be found in the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806

A vulnerability exists in Dream Security (Korea)’s PKI Security product. Remind us to pay attention to the baseline design. 9th Aug 2021

Preface: Public key infrastructure (PKI) governs the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.

Technical background: From a technical point of view, application software is installed on the host and provides functions such as listening for data on open ports or sending data to the LAN or the Internet. To protect data in transit in line with compliance requirements, it deploys PKI technology. If the SSL certificate installed on the host is not verified, an attacker may be able to impersonate a trusted entity by interfering with the communication path between the host and the client. The software may then connect to a malicious host believing it to be a trusted host, or it may be tricked into accepting spoofed data that appears to come from a trusted host.

Vulnerability details: A vulnerability in the PKI Security Solution of Dream Security could allow arbitrary command execution. This vulnerability is due to insufficient validation of the authorization certificate. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected program. A successful exploit could allow the attacker to remotely execute arbitrary code on a target system.

Please refer to the link – https://boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36174

CVE-2021-38203 – About btrfs design defect (9th Aug 2021)

Preface: The following companies use Btrfs in production:
– Facebook (testing in production as of 2014/04, deployed on millions of servers as of 2018/10)
– Jolla (smartphone)
– Lavu (iPad point of sale solution)

Background: Btrfs is an advanced file system developed jointly by a number of organizations; specific Synology NAS models now support it. Btrfs is also the default file system on Fedora 33.

Vulnerability details: (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly validate file system metadata in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).

Cause: Process B allocates a new system chunk while process A waits for process B to finish creating the respective system block group. However, before process B ends its transaction handle and finishes the creation of the system block group, it attempts to allocate another chunk (for example a data chunk for an fallocate operation over a very large range). Process B is then unable to progress and allocate the new chunk, and the two processes deadlock.

*The default operation (i.e., mode is zero) of fallocate() allocates the disk space within the range specified by offset and len (off is used to pass an offset and len is used to pass a length)

Remedy: btrfs fix deadlock with concurrent chunk allocations – Refer to link: https://github.com/torvalds/linux/commit/1cb3db1cf383a3c7dbda1aa0ce748b0958759947

Security Focus – Host header tampering leading to server-side request on internal restricted service (5-8-2021)

Preface: HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way.

Background: After the initial configuration of Workspace ONE Access is complete, administrators can go to the Workspace ONE Access console pages to install certificates, manage passwords, and download log files. They can also update the database, change the Workspace ONE Access FQDN, and configure an external syslog server.

How do I access VMware Identity Manager?
You can log in to the VMware Identity Manager console from your Workspace ONE portal page. To log in directly to the console, VMware Identity Manager admin users can enter the following URL: [/]SAAS[/]login[/]0.

Vulnerability details: The vulnerability exists due to insufficient validation of user-supplied input in the [/]cfg web app and diagnostic endpoints. A remote attacker can send a specially crafted HTTP request with a modified HTTP Host header to port 443[/]TCP and reach the [/]cfg web application, available at port 8443. As a result, a remote non-authenticated attacker can gain access to services in the internal network.
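As an added illustration (not from the advisory or from VMware), this is the check a front end or a log review would apply against the pattern described above: the Host header of every request is compared with the appliance's expected FQDN, and any request naming another host, or a port such as 8443, is flagged. The log line format, the FQDN access.example.com and the client addresses are constructed for the example.

```python
import re
from typing import List, Tuple

# Hypothetical public FQDN of the appliance; the advisory does not name one.
ALLOWED_HOSTS = {"access.example.com"}

# Constructed sample log lines in a hypothetical format:
# <timestamp> <client> "<method> <path> <proto>" host="<Host header>" <status>
SAMPLE_LOG = """\
2021-08-05T10:00:01Z 203.0.113.7 "GET /SAAS/login/0 HTTP/1.1" host="access.example.com" 200
2021-08-05T10:00:02Z 198.51.100.9 "GET /cfg/ HTTP/1.1" host="127.0.0.1:8443" 200
2021-08-05T10:00:03Z 198.51.100.9 "POST /cfg/diagnostics HTTP/1.1" host="access.example.com:8443" 302
2021-08-05T10:00:04Z 203.0.113.7 "GET /SAAS/auth/login HTTP/1.1" host="Access.Example.COM" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]+" host="([^"]*)" (\d{3})$')


def normalize_host(raw: str) -> Tuple[str, str]:
    """Split a Host header into (lower-cased hostname, port-or-empty)."""
    host, _, port = raw.strip().lower().partition(":")
    return host, port


def host_is_allowed(raw_host: str, allowed=ALLOWED_HOSTS) -> bool:
    """Strict allow-list check a front end should apply before routing.
    Any port suffix is rejected: the public listener is 443 only, so a Host
    header that names another port is never legitimate on that listener."""
    host, port = normalize_host(raw_host)
    return port == "" and host in allowed


def find_host_anomalies(log_text: str, allowed=ALLOWED_HOSTS) -> List[dict]:
    """Return one record per request whose Host header fails the allow-list.
    Records that also target /cfg match the advisory's description."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines outside the constructed format are skipped
        ts, client, method, path, host, status = m.groups()
        if host_is_allowed(host, allowed):
            continue
        findings.append({"ts": ts, "client": client, "method": method,
                         "path": path, "host": host,
                         "targets_cfg": path.startswith("/cfg")})
    return findings
```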

Official announcement – Please refer to the link https://www.vmware.com/security/advisories/VMSA-2021-0016.html

CVE-2021-33403 – Lancer Token Ethereum ERC20 Token integer overflow (4-8-2021)

Preface: As of 4th Aug 2021, there are 8106 unique holders of Lancer Token, with a total amount of 151 377 339,14 LNC.

Background: One of the most significant Ethereum tokens is known as ERC-20. ERC-20 tokens are issued on the Ethereum network. As of October 2019, more than 200,000 ERC-20-compatible tokens exist on Ethereum’s main network.

Vulnerability Details: An integer overflow in the transfer function of a smart contract implementation for Lancer Token, an Ethereum ERC20 token, allows the owner to cause unexpected financial losses between two large accounts during a transaction.

Reference: The attacker was able to pass a combination of input values that generate a result larger than the maximum value the uint256 data type can hold. This caused an integer overflow in which only the least significant bits are retained. In other words, once the uint256 variable reaches the maximum value it can hold, it wraps around and starts again from 0. For example, a uint8 (8-bit unsigned integer) can represent a maximum value of 2^8 − 1 = 255 (0xff). Multiplying 0x02 by 0x80 causes an integer overflow and produces 0x00 as the result (0x02 * 0x80 = 0x100 => 0x00).
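An added example (not the Lancer Token contract's own code) that reproduces the wrap-around described above and contrasts an unchecked transfer, modelled on the CVE description, with a SafeMath-style checked one. The account names and balances are constructed, and the bit width is a parameter so the uint8 case from the text can be shown alongside uint256.

```python
def max_unsigned(bits: int) -> int:
    """Largest value an unsigned integer of the given width can hold."""
    return (1 << bits) - 1


def wrap_unsigned(value: int, bits: int) -> int:
    """Keep only the least significant `bits` bits, which is what unchecked
    EVM arithmetic does when a result no longer fits (wrap-around)."""
    return value & max_unsigned(bits)


def unchecked_mul(a: int, b: int, bits: int) -> int:
    """Unchecked multiply: 0x02 * 0x80 as uint8 wraps to 0x00."""
    return wrap_unsigned(a * b, bits)


def unchecked_transfer(balances: dict, sender: str, receiver: str,
                       value: int, bits: int = 256) -> dict:
    """Vulnerable pattern, modelled on the CVE description: the receiver's
    new balance is computed with wrapping arithmetic, so an account that
    already holds a very large balance can end up with less after being
    credited. The balance check only guards the sender side."""
    if balances.get(sender, 0) < value:
        raise ValueError("insufficient balance")
    balances[sender] = wrap_unsigned(balances[sender] - value, bits)
    balances[receiver] = wrap_unsigned(balances.get(receiver, 0) + value, bits)
    return balances


def checked_transfer(balances: dict, sender: str, receiver: str,
                     value: int, bits: int = 256) -> dict:
    """Hardened pattern (SafeMath style): refuse any update whose result
    would not fit in the type instead of silently wrapping."""
    if balances.get(sender, 0) < value:
        raise ValueError("insufficient balance")
    new_receiver = balances.get(receiver, 0) + value
    if new_receiver > max_unsigned(bits):
        raise OverflowError("receiver balance would overflow")
    balances[sender] -= value
    balances[receiver] = new_receiver
    return balances
```

With 8-bit balances, crediting 200 to an account holding 100 leaves it with 44 under the unchecked version; with 256-bit balances, crediting the maximum value to an account holding 1 leaves it with 0.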

Reference article: Please refer to the following link – https://nvd.nist.gov/vuln/detail/CVE-2021-33403

Kubernetes Hardening Guidance by NSA & CISA (3rd Aug 2021)

Preface: Docker helps to “create” containers, and Kubernetes allows you to “manage” them at runtime. What is Kubernetes security? It covers four layers: cloud, cluster, container and code.

Background: NSA and CISA observe that Kubernetes is commonly targeted for three reasons: data theft, theft of computational power, or denial of service. Cyber attacks encountered in Kubernetes environments in 2020 are listed below:

– Capital One – Occurring in 2019, this breach saw 30GB of credit application data affecting about 106 million people being exfiltrated. A mis-configured firewall allowed an attacker to query internal metadata and gain credentials of an Amazon Web Services
– Docker Hub – Attackers managed to plant malicious images in Docker Hub. Users unknowingly deployed cryptocurrency miners in the form of Docker containers that then diverted compute resources toward mining cryptocurrency for the attacker.
– Microsoft Azure – Microsoft is another organization that has been seeing a lot of cryptojacking woes of its own, disclosing a large-scale cryptomining attack against Kubernetes clusters in Azure in April 2020.
– Tesla – Automaker Tesla was one of the earlier victims of cryptojacking when a Kubernetes cluster was compromised due to an administrative console not being password protected (mis-configuration).
– Jenkins – Hackers managed to exploit a vulnerability in Jenkins to cryptomine to the tune of about $3.5 million, or 10,800 Monero, in 18 months. In Docker’s operating environment, it was discovered that six malicious images had been collectively pulled over 2 million times; that is 2 million users potentially mining Monero for the attacker.

To avoid similar incidents, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance”. Primary actions include scanning containers and Pods for vulnerabilities or mis-configurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. Please refer to the link for details – https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/

A reminder from vulnerability note VU#405600 – 2nd Aug 2021

Preface: Alert by CISA. Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks.

Background: NTLM has fundamental design weaknesses that cyber criminals can take advantage of. When those weaknesses are combined with the behaviour of the EfsRpcOpenFileRaw method, the result is a powerful tool for corrupting the Windows architecture.

Vulnerability details: Code running on any domain-joined system can trigger this function to be called on a domain controller without needing to know the credentials of the current user or any other user in an Active Directory. And because the EfsRpcOpenFileRaw method authenticates as the machine dispatching the request, this means that a user of any system connected to an AD domain can trigger an NTLM authentication request as the domain controller machine account to an arbitrary host, without needing to know any credentials. This can allow for NTLM relay attacks.

Observation: While NTLM is still supported by Microsoft, it has been replaced by Kerberos as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains. Confirm the authentication method on your SharePoint server; do not use NTLM.

Official technical articles – Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks – https://kb.cert.org/vuls/id/405600