CVE-2021-3903 vim is vulnerable to Heap-based Buffer Overflow, Apple may also have encountered this design weakness (27th Oct, 2021)

Preface: Generally speaking, heap buffer overflow unlike stack overflow, there is no such thing as ret on the heap that can change the program flow, so at most, the data is overwritten. It seems that there is little risk, but in fact it is not the case.

Background: Vim comes standard with most modern Linux distributions, but some of the minimal installation doesn’t include vim editor default. Vim is a vi-like editor but is more advanced and powerful than the original Vi.

Vulnerability details: Certain versions of vim is vulnerable to Heap-based Buffer Overflow. Found design weakness in raw file (move.c) programming syntax. Invalid memory access when scrolling without a valid screen.

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Buffer overflows generally lead to crashes.

Remedy: Do not set VALID_BOTLINE in w_valid.

Affected Vendor/Software: vim/vim version < 8.2.3564

Reference: In C++, new/delete should be preferred over malloc()/free() where possible. (In C, new/delete is not available, so the choice would be obvious there.)
The main difference between both these languages is C is a procedural programming language and does not support classes and objects, while C++ is a combination of both procedural and object-oriented programming languages.
Usually C compiler doesn’t add boundaries check for memory access. Sometimes due to code error, there is read or write from outside the buffer, such an error is usually hard to detect.

CVE-2021-41172 Maybe there was an impact, or nothing happened (26th Oct, 2021)

Preface: We install and configure a caching plugin which will speed up the delivery of page assets to your visitors, since these content will have been generated beforehand. The result will be a faster loading page, and reduced wait times for all operations.

Background: A caching plug-in will speed up the web application response. For websites with very high traffic (load balancing),
we install and configure object caching plugins, such as Redis or Memcache.

Vulnerability details: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. AS_Redis is an AntSword plugin for Redis. The Redis Manage plugin for AntSword prior to version 0.5 is vulnerable to Self-XSS due to due to insufficient input validation and sanitization via redis server configuration. Self-XSS in the plugin configuration leads to code execution. This issue is patched in version 0.5.

How does Self-XSS work? Self-XSS operates by tricking users into copying and pasting malicious content into their browsers’ web developer console. Usually, the attacker posts a message that says by copying and running certain code, the user will be able to hack another user’s account.

Question: With reference to the attached picture, do you think it is really a self-xss vulnerability?

Official CVE announcement – https://nvd.nist.gov/vuln/detail/CVE-2021-41172

CVE-2021-41035 : Which products will be affected? (25th Oct, 2021)

Preface: The Eclipse OpenJ9 virtual machine (VM) implements the Java Virtual Machine Specification. Most Java applications should run on an OpenJDK that contains the OpenJ9 VM without changing anything. However, because it is an independent implementation there are some differences compared to the HotSpot VM, which is the default OpenJDK VM and is also included in an Oracle JDK.

Background: OpenJ9 is a high performance, scalable, Java™ virtual machine (VM) implementation that is fully compliant with the Java Virtual Machine Specification.

Building OpenJDK with OpenJ9

$ git clone https://github.com/ibmruntimes/openj9-openjdk-jdk9
$ cd openj9-openjdk-jdk9
$ bash ./get_source.sh
$ bash ./configure –with-freemarker-jar=freemarker.jar
$ make images
$ cd build/linux-x86_64-normal-server-release/images/
$./jdk/bin/java -version

The VM has connections into the rest of the JDK
To build OpenJDK with OpenJ9 requires patches

  • Build process
  • Class libraries

Vulnerability details: In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods.

Risk rating: NVD score not yet provided.

Official announcement – https://bugs.eclipse.org/bugs/show_bug.cgi?id=576395

CISA urges developer to update to patched version 2.7.9 (Discourse package) or later (24th Oct, 2021)

Preface: If you have already integrated the Discourse API with the AWS API, you should be vigilant about this.

Background: Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers). Publishers communicate asynchronously with subscribers by sending messages to a topic, which is a logical access point and communication channel. Clients can subscribe to the SNS topic and receive published messages using a supported endpoint type, such as Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messages (SMS).

Discourse is the open source discussion platform built for Internet usage . Use it as a mailing list, discussion forum, long-form chat room, and more! Discourse supports the latest, stable releases of all major browsers and platforms:Microsoft Edge, Google Chrome, Mozilla Firefox & Apple Safari.

Vulnerability details: In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. But what is the exact consequence, it is unknown in the moment. But the risk level of this vulnerability will be based on the adjacent component. For example: AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. So if there is design limitation on Lambda. This remote code execution power will be boosted. See whether the information displayed in attached diagram will awaken your thinking of this vulnerability?

Workaround: To workaround the issue without updating, requests with a path starting [/]webhooks[/]aws path could be blocked at an upstream proxy.

Official announcement: Vendor has released a security advisory to address a critical remote code execution (RCE) vulnerability (CVE-2021-41163) in Discourse versions 2.7.8 and earlier. —https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq

CISA urges to be vigilant! About GPS Daemon (GPSD) Rollover Bug (21st Oct, 2021)

Preface: If you are using a security token (fobs or software), when there is a problem with the NTP time source. This is unforeseen. Maybe there is nothing wrong with it. Or, in the worst case, similar you mistaken reset the NTP server time setting. Therefore, all your tokens should be suspended.

Background: Because in the original GPS protocol, only 10 bits were used to represent the week number. If there are 10 bits, it will overflow after counting to 1023, so it can only indicate about 19.6 years. Since the GPS time epoch (epoch) began in the early 1980s, there have been two rollover events (in 1999 and 2019, respectively). In April 2019, Headline News (The Register) announced this vulnerability to the public. It indicates that if you do not or cannot update, there will be a problem. Over time, the deadline has arrived.

Vulnerability details: Due to the design of the GPS protocol, time rollback (or technically termed “GPS Week Rollover”) can be anticipated and usually closely monitored by manufacturers. The next occurrence should have been in November 2038 , but a bug in some sanity checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021. This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021.

Official details for reference: https://isc.sans.edu/forums/diary/Keeping+Track+of+Time+Network+Time+Protocol+and+a+GPSD+Bug/27886/

CVE-2021-41135 Cosmos-SDK up to 0.44.1 xauthz Module ValidateBasic unusual condition (21st Oct, 2021)

Preface:To date, more than 240 applications have been built on the Cosmos mainnet. The main categories of applications include finance, infrastructure, privacy, and social interactions.

Background: The Cosmos SDK is a framework for building blockchain applications. Tendermint Core (BFT Consensus) and the Cosmos SDK are written in the Golang programming language. Cosmos SDK is used to build Gaia, the first implementation of the Cosmos Hub.

Vulnerability details: Affected versions of the SDK (up to 0.44.1) were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includes a user-defined expiration time for when the authorization grant expires. In Grant.ValidateBasic(), that time is compared to the node’s local clock time. Any chain running an affected version of the SDK with the authz module enabled could be halted by anyone with the ability to send transactions on that chain. Recovery would require applying the patch and rolling back the latest block. Users are advised to update to version 0.44.2.

Remedy: Upgrading to version 0.44.2 eliminates this vulnerability. Applying the patch 68ab790a761e80d3674f821794cf18ccbfed45ee is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Security focus: Oracle Critical Patch Update Advisory (October 2021)

Preface: The design weakness was disclosed by the apache organization on January 14, 2021. Design limitations on Xmlbeans have been fixed. Developer suggest to use 3.0.1, instead of Xmlbeans 2.6.0.

Background: PS/nVision – a PeopleTools software that you use to design and create Microsoft Excel spreadsheet reports for PeopleSoft data. nVision selects data from your PeopleSoft database using ledgers, trees, and queries. Queries are useful for extracting data from sources other than ledgers.
nVision works in three modes:OpenXML mode, Excel Automation mode and Cross Platform mode.

  • nVision uses the OpenXML mode on the batch server that uses Microsoft’s OpenXML SDK to generate Excel-compatible documents.
  • nVision continues using the operation mode called Excel automation mode that automates the Excel application to generate spreadsheet documents in PeopleTools PIA architecture
  • nVision uses the Cross Platform mode to generate spreadsheet documents in PeopleTools PIA architecture

Vulnerability details: CVE-2021-23926 PeopleSoft Enterprise PeopleTools (nVision (XML Beans)) – The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

Reference: The XML entity extension injection attack uses valid and well-formed xml blocks to expand exponentially until the resources allocated by the server are exhausted. This is because XML parsers used by XMLBeans did not set the properties needed to protect the user from malicious XML input.

Official announcement: Oracle Critical Patch Update Advisory (October 2021) – https://www.oracle.com/security-alerts/cpuoct2021.html

BlackMatter Ransomware – Stay Alert (18th Oct, 2021)

Preface: Ransomware common deploying malicious actions is the automatically propagation. Their target will be included ADMIN$, C$, SYSVOL, and NETLOGON default setup.

Common infection technique: Believe it or not, quite a lot of ransomware developers will use simple technique.
Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and executed it with PsExec tool).
Please refer to the official website for details – https://us-cert.cisa.gov/ncas/alerts/aa21-291a

Strengthen your prevention, detection and corrective control: If PsExec is utilized in an environment, disabling the admin (ADMIN$) share can restrict the capability for this tool to be utilized to remotely interface with endpoints. In addition, you should perform system hardening. For example. Modify the registry value to disable administrative sharing on workstations and servers.

Perhaps BlackMatter ransomware not use this technique. But this is a baseline protection. According to the suggestion by US-cert. Define new rules in your IDS is the effective way to mitigate the risk. Please refer to attached diagram for details.

Since it is hard to avoid design limitation. For example: Disabling PowerShell Remoting does not prevent local users from creating PowerShell sessions on the local computer or for sessions destined for remote computers. As a result, it provides a way for attackers.

Long time ago, SIEM vendor (Splunk) recommend using sysmon to detect ransomware attack. I agree that this is the effective solution. The concept is shown as below:

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

ClearPass Policy Manager Multiple Vulnerabilities. Does your infrastructure fall into this design weakness? (18-10-2021)

Preface: Sometimes, a low to medium risk rating vulnerability will be transformed into potential risk.

Background: Aruba’s ClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access control for IoT, BYOD & corporate devices.

The ClearPass Policy Manager is the only policy solution that centrally enforces all aspects of enterprise-grade mobility and NAC for any industry. Granular network access enforcement is based on a user’s role, device type and role, authentication method, EMM/MDM attributes, device health, location, and time-of-day.

Vulnerability details: Publication Date: 2021-Oct-12 (see below):

CVE-2021-37736, CVE-2021-37737, CVE-2021-37738,     CVE-2021-37739, CVE-2021-40986, CVE-2021-40987,      CVE-2021-40988, CVE-2021-40989, CVE-2021-40990,      CVE-2021-40991, CVE-2021-40992, CVE-2021-40993,      CVE-2021-40994, CVE-2021-40995, CVE-2021-20996,      CVE-2021-40997, CVE-2021-40998, CVE-2021-40999.

Multiple vulnerabilities have occurred. The focus area of this topic will focus on CVE-2021-40988 (path traversal). From a technical point of view, once this type of vulnerability persists. It will amplify other potential risks. Perhaps our description is one of the possibilities. The goal is to provide you with tips for consideration.

Images are loaded via some HTML, the loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk. Thus, attacker allow the application reads from the web page reachable file path. If the web application has path traversal vulnerability encounters, so an attacker can request additional path to retrieve an arbitrary file from the server’s filesystem. See the attached drawings for details.

Official announcement: ClearPass Policy Manager Multiple Vulnerabilities – https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-018.txt

Old defects, new records – CVE-2021-42340 (14th Oct, 2021)

Preface: A Java EE server is a server application that the implements the Java EE platform APIs and provides the standard Java EE services. Java EE servers are sometimes called application servers, because they allow you to serve application data to clients, much like web servers serve web pages to web browsers.

Background: The difference between WildFly and Tomcat:
WildFly is a full Java EE application Server, while Tomcat is a Java servlet container and web server and, since because it doesn’t come with an implementation of the full JEE stack.

Tomcat uses JMX MBeans as the technology for implementing manageability of Tomcat. The descriptions of JMX MBeans for Catalina are in the mbeans-descriptors. xml file in each package. You will need to add MBean descriptions for your custom components in order to avoid a “ManagedBean is not found” exception.

Vulnerability details: The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Remedy: Users of the affected versions should apply one of the following
mitigations:

  • Upgrade to Apache Tomcat 10.1.0-M6 or later
  • Upgrade to Apache Tomcat 10.0.12 or later
  • Upgrade to Apache Tomcat 9.0.54 or later
  • Upgrade to Apache Tomcat 8.5.72 or later

Technical reference: When using the WebSocket client to connect to server endpoints, the number of HTTP redirects that the client will follow is controlled by the userProperties of the provided javax.websocket.ClientEndpointConfig. The property is org.apache.tomcat.websocket.MAX_REDIRECTIONS. The default value is 20. Redirection support can be disabled by configuring a value of zero.