FORCEDENTRY vulnerability breaks through the iPhone steel door (13th Sep 2021)

Preface: PDF objects aren’t objects in the “object-oriented programming” sense of the word; instead, they are the building blocks on which PDF stands. There are nine types of objects: null, Boolean, integer, real, name, string, array, dictionary, and stream.

Background: The Pegasus spy program created by NSO uses a zero-day vulnerability in Apple’s operating system to break into the iPhone. Apple has urgently updated all operating system platforms affected by the vulnerability.

Vulnerability details: The exploit uses PDF data disguised as GIF files to circumvent Apple’s “BlastDoor” sandbox for message content. The exploit has been given the CVE identifier CVE-2021-30860.

Ref: The exploit works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics).

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Additional: CVE-2021-30858 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

For the above details, please refer to the official announcement. – https://support.apple.com/en-us/HT212807

Other reference: https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/

Unknown backdoor running on TCP 7614; virtual patching is one of the protective control methods (12th Sep, 2021)

Preface: Virtual patching acts as a safety measure against threats that exploit known and unknown vulnerabilities. Virtual patching works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability.

Background: This is a so-called evasion technique, one of the first techniques that attackers use to avoid antivirus detection. The idea used by malware authors is to reverse engineer the software design. The goal is to evade detection by the defense mechanism. The file is delivered to the victim workstation in disassembled form.

Create a hidden worksheet. Use Base64 encoding to convert the exe to text. Store that text in worksheet cells on the hidden worksheet. Since there is a limit on the number of characters in a cell (32,767), cyber criminals need to break the string into chunks.
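A triage check for the pattern described above, as an added example that is not part of the original post: it flags a workbook that has a hidden sheet and cell text that Base64-decodes to a PE ("MZ") header. It assumes an .xlsx (Office Open XML) file whose cell text sits in xl/sharedStrings.xml and chunks of at least 64 characters; `triage_xlsx` and `build_sample` are hypothetical names, and the sample workbook is constructed and inert.

```python
import base64, io, re, zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
B64_CHUNK = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # assumption: chunks >= 64 chars

def triage_xlsx(data):
    """Flag a workbook with hidden sheets and Base64 cell text that decodes to a PE header."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        book = ET.fromstring(zf.read("xl/workbook.xml"))
        hidden = [s.get("name") for s in book.iterfind("m:sheets/m:sheet", NS)
                  if s.get("state") in ("hidden", "veryHidden")]
        chunks = []
        if "xl/sharedStrings.xml" in zf.namelist():
            sst = ET.fromstring(zf.read("xl/sharedStrings.xml"))
            chunks = [t.text for t in sst.iterfind("m:si/m:t", NS)
                      if t.text and B64_CHUNK.fullmatch(t.text)]
    # "MZ" is the DOS/PE magic; the first 4 Base64 characters of a chunk cover it.
    pe = any(base64.b64decode(c[:4])[:2] == b"MZ" for c in chunks)
    return {"hidden_sheets": hidden, "base64_chunks": len(chunks),
            "pe_header": pe, "suspicious": bool(hidden) and pe}

def build_sample(state, cells):
    """Constructed minimal workbook: only the two parts the triage reads."""
    ns = NS["m"]
    attr = f' state="{state}"' if state else ""
    workbook = (f'<workbook xmlns="{ns}"><sheets>'
                f'<sheet name="Sheet1" sheetId="1"/>'
                f'<sheet name="Data" sheetId="2"{attr}/></sheets></workbook>')
    strings = (f'<sst xmlns="{ns}">'
               + "".join(f"<si><t>{c}</t></si>" for c in cells) + "</sst>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/sharedStrings.xml", strings)
    return buf.getvalue()

# Constructed, inert stand-in for an executable: the MZ magic followed by zero bytes.
STUB_B64 = base64.b64encode(b"MZ" + bytes(200)).decode()
CHUNKS = [STUB_B64[i:i + 100] for i in range(0, len(STUB_B64), 100)]

if __name__ == "__main__":
    print(triage_xlsx(build_sample("hidden", CHUNKS)))
    print(triage_xlsx(build_sample(None, ["Quarterly totals", "Region"])))
```

A hit is a reason to quarantine the attachment and inspect it further, not proof of infection; legacy .xls files need an OLE parser instead.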

Security Focus: A backdoor program (Backdoor.Win32.Wollf.h) was found on a victim workstation. It has been rated as critical. Affected by this issue is some unknown functionality of the component Service Port 7614. The Wollf backdoor creates a service named “wrm” and listens on TCP port 7614. There is no authentication, which allows anyone to take over the infected system.

Workaround: This vulnerability can be addressed by firewalling, or an MSSP can be used to assist in implementing virtual patches to solve this problem.

Infection channel: Excel file with malicious code embedded in email attachment.

Security Focus, CVE-2021-28701 on Citrix Hypervisor (9th Sep, 2021)

Preface: You can use Citrix Hypervisor in an unlicensed state. However, you do not have access to some features. Accessing Citrix Hypervisor is easy: go through XenCenter, then enter a user ID and password.

Background: Citrix Hypervisor is a high-performance hypervisor optimized for virtual app and desktop workloads and based on the Xen Project hypervisor. Citrix Hypervisor is optimized for both Windows and Linux virtual servers. Its functions let you create VMs, take VM disk snapshots, and manage VM workloads.

What is Xen Project hypervisor? The Xen Project hypervisor is an open-source type-1 or bare-metal hypervisor. It allows many instances of an operating system or different operating systems to run in parallel on a single machine (or host).

Two components contribute to the memory footprint of the Citrix Hypervisor server. First, the memory consumed by the Xen hypervisor itself. Second, there is the memory consumed by the Control Domain of the host.

Vulnerability details: Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes.

Mitigation: Running only PV guests will avoid this vulnerability. Suppressing use of grant table v2 interfaces for HVM or PVH guests will also avoid this vulnerability.

Citrix Hypervisor Security Update – https://support.citrix.com/article/CTX325319

OpenStack Neutron (CVE-2021-40797) – 8th Sep, 2021

Preface: OpenStack Neutron is an SDN networking project focused on delivering networking-as-a-service (NaaS) in virtual compute environments. Neutron has replaced the original networking application program interface (API), called Quantum, in OpenStack.

Background: The Web Server Gateway Interface (WSGI) is a simple calling convention for web servers to forward requests to web applications or frameworks written in the Python programming language. The current version of WSGI is version 1.0. Router uses routes.middleware.RoutesMiddleware to map requests to WSGI applications.
In object-oriented programming, a singleton class is a class that can have only one object (an instance of the class) at a time. The Singleton is a useful Design Pattern for allowing only one instance of your class, but common mistakes can inadvertently allow more than one instance to be created.

Ref: When using “singleton=True” (default value), a routes._RequestConfig() is always created [1]. This object has a thread-safe variable to store the context information for each request.

Vulnerability details: An authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.

Remedy: Don’t use singleton in routes.middleware.RoutesMiddleware – https://review.opendev.org/c/openstack/neutron/+/807638

U.S. Homeland Security Alert (CVE-2021-40444) – 7th Sep, 2021

Preface: Windows RCE vulnerabilities have targeted Office users, and Microsoft urgently provides mitigation instructions.

Background: The MS web browser COM control adds browsing, document, viewing, and downloading capabilities to your applications. Parsing and rendering of HTML documents in the WebBrowser control is handled by the MSHTML component which is an Active Document Dynamic HTML (DHTML) object Model hosting ActiveX Controls and script languages.

Unicode is a standard encoding system that is used to represent characters from almost all languages. Every Unicode character is encoded using a unique integer code point between 0 and 0x10FFFF.

Vulnerability details: Looking back, a Microsoft expert found a vulnerability in 2002. A hacker could create a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated.
As time goes by, in 2021 another critical flaw of a similar kind has appeared. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document, said Microsoft. For mitigation and solutions, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

Fortinet’s CVE raises a question: how many unknown vulnerabilities remain undiscovered in the REST API framework? (CVE-2021-2400 – 6th Sep 2021)

Preface: Dashboard, a popular design trend concept in the digital world. As the cloud and the Internet of Things force the network to evolve, even operational work and network security can be managed in the same dashboard.

Background: Permission checks will typically use the authentication information in the request.user and request.auth properties to determine if the incoming request should be permitted.

One of the possibilities: if the firewall administrator enables read-write JSON API access on FortiManager, the following situation may be encountered.
A slightly less strict style of permission would be to allow full access to authenticated users, but allow read-only access to unauthenticated users. This corresponds to the IsAuthenticatedOrReadOnly class in REST framework.

Vulnerability details: An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL.

Vendor announcement – https://www.fortiguard.com/psirt/FG-IR-20-061

Interesting topic last week (AWS “AKIA” discussion) – 5th Sep, 2021

Preface: In 2014, Amazon Web Services (AWS) asked those who write code and use GitHub to go back and check their work to make sure they didn’t forget to remove login credentials. The warning came as news was circulating about the availability of nearly 10,000 AWS keys in plain sight on GitHub just by running a simple query.

Background: A security expert found that by searching source code on the web for the word ‘AKIA’ you can find the Access Key, and you can get the Secret key too; once you have found them, you can do AWS Configuration.

GitHub does not allow searching of regular expressions in code, and thus the naive approach to search for such patterns is to create a clone of every repository – essentially a mirror of GitHub – and then search their contents for such patterns.

Ref: IAM access key IDs beginning with AKIA are long-term credentials, and access key IDs beginning with ASIA are temporary credentials. ASIA credentials are used with AWS Security Token Service (AWS STS) operations for temporary access to AWS services.

Best practice recommended by vendor:

- Note that we recommend against using the root user for everyday work in AWS.

- As a security best practice, we recommend that you regularly rotate (change) IAM user access keys.

- You can review the AWS access keys in your code to determine whether the keys are from an account that you own.
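One way to review your own code for access key IDs, as an added example (not code from AWS or from the original post): it scans text or a source tree for the AKIA and ASIA prefixes described above and reports each hit redacted. The 20-character upper-case alphanumeric pattern is an assumption, the function names are hypothetical, and the sample input is constructed.

```python
import re
from pathlib import Path

# Assumption: an access key ID is a 4-letter prefix plus 16 upper-case
# alphanumerics (20 characters in total).
KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
KIND = {"AKIA": "long-term", "ASIA": "temporary (STS)"}

def redact(key_id):
    """Keep enough of the ID to look it up in IAM without re-leaking it in reports."""
    return key_id[:8] + "*" * 8 + key_id[-4:]

def scan_text(text, source="<memory>"):
    """Return one finding per access key ID found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID.finditer(line):
            findings.append({"source": source, "line": line_no,
                             "kind": KIND[m.group(1)],
                             "key_id": redact(m.group(0))})
    return findings

def scan_tree(root):
    """Scan files under root, skipping .git internals and unreadable or binary files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample. The AKIA value is the placeholder key ID used in AWS
# documentation; the ASIA value is made up for this example.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
region = us-east-1
export AWS_ACCESS_KEY_ID=ASIAABCDEFGHIJKLMNOP
note = MAKIAIOSFODNN7EXAMPLEX
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.cfg"):
        print(finding)
```

Any long-term (AKIA) hit in committed code should be treated as exposed and rotated, in line with the rotation practice listed above.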

CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass (2nd Sep, 2021)

Preface: Big data analysis makes sense of data by discovering trends and patterns. Machine learning can accelerate this process with the help of decision-making algorithms. It can classify incoming data, recognize patterns, and transform the data to support technology development. In addition, it is a way to develop artificial intelligence.

Background: What is Apache Zeppelin used for?

Apache Zeppelin is a new and upcoming web-based notebook which brings data exploration, visualization, sharing and collaboration features to Spark. It supports Python, but also a growing list of programming languages such as Scala, Hive, SparkSQL, shell and markdown.

Web-based notebooks are files that contain the input code and output such as results and graphs from an interactive session. They also contain additional information, such as documentation, mathematical expressions, and media related to an interactive session. Therefore it is the key element of big data analytics.

Vulnerability details: An authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass the Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin version 0.9.0 and prior versions. The attack can only be initiated within the local network. No form of authentication is needed for a successful exploitation. Please refer to the link for details – https://seclists.org/oss-sec/2021/q3/150

CyberArk – CVE-2021-31798 (Quick and dirty way to understand the details) – 1st Sep, 2021

Preface: CyberArk provides the perfect authentication solution for enterprises. Because of their solutions, traditional authentication methods have evolved. However, there is no absolute anti-hacking solution in the world. The following explanation is to let you quickly understand this vulnerability. Even if this is not the right way, you will find out what they are doing.

Background: The CyberArk Vault uses a Shared Secret in order for the Server to identify a person. This Shared Secret can be a password or a combination of a password and another type of authentication. The Vault can enforce a password policy to avoid usage of passwords that can be easily guessed.

Vulnerability details: A vulnerability was found in CyberArk Credential Provider up to 12.0. The attack has to be carried out locally.
The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy; under certain conditions it is significantly reduced, and a local malicious user can obtain the plaintext of cache files.

Remediation: Upgrading to version 12.1 eliminates this vulnerability.

Reference: The advisory is shared at korelogic.com – https://korelogic.com/Resources/Advisories/KL-001-2021-010.txt

Do you think CVE-2020-20486 (IEC104 v1.0) will impact your services? (31st Aug 2021)

Preface: IEC 60870-5-104 protocol (aka IEC 104) is a part of IEC Telecontrol Equipment and Systems Standard IEC 60870-5 that provides a communication profile for sending basic telecontrol messages between two systems in electrical engineering and power system automation.

Background: IEC 104 enables communication between a control station and a substation via a standard TCP/IP network. The communication is based on the client-server model. The IEC104 protocol package was tested in 2015 and is compatible with platforms including stm32 (Arm® Cortex®-M processor) and Linux. In addition, iec104.c is a key component of the iec104 protocol package.

Vulnerability details: IEC104 v1.0 contains a stack-buffer overflow in the parameter Iec10x_Sta_Addr. This vulnerability has been known as CVE-2020-18730 since 13th Aug, 2020. However, the vulnerability was released by NIST on August 23, 2021. The technical article states that a segmentation violation in the Iec104_Deal_I function of IEC104 v1.0 allows attackers to cause a denial of service (DoS). In addition, experts discovered that the vulnerability occurs starting from line 1175 of the iec104[.]c file.

CVE-2020-18730 details can be found on this link – https://nvd.nist.gov/vuln/detail/CVE-2020-18730

Mitigation: Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.