Preface: Who cares about spending all your money, maybe just yourself! Who cares about running out of your system resources, perhaps it is the system owner.

Background: VMware Tanzu Application Service is a modern application platform for enterprises that want to continuously deliver and run microservices across clouds. Release new features and updates to production daily. across clouds. Apply security patches and platform updates with near zero downtime.

A REST call requires the creation of a resource handler.
The resource handler represents the entry point for resource requests and is annotated with the @Path, context, and other information that is required to handle a request. Handlers are responsible for coordinating the client request. Handlers intercept calls, run required actions, and convert responses to a form consumable by the client by using standard
HTTP protocol elements.

Vulnerability Details: A denial-of-service vulnerability was found in one of the components of VMware (Tanzu Application Service for VM). Cloud Controller versions prior to 1.118.0 are vulnerable to unauthenticated denial of Service(DoS) vulnerability. The remote attacker can leverage this vulnerability to cause denial of service by using REST HTTP requests and generating an enormous SQL query leading to database (ccdb) unavailability.

Note: The design weakness notified by the supplier on manual before CVE record happens: (max_labels_per_resource) – Maximum number of labels allowed on any single resource. Too many labels may degrade performance of label selectors.
Default : 50

Remediation: upgrade to 2.12.1 (Release Date: 10/20/2021)
[Security Fix] CAPI – Cap label selectors at 50 in queries and improve label selector performance to mitigate DOS vulnerability (CVE-2021-22101) – https://www.vmware.com/security/advisories/VMSA-2021-0026.html

Preface: Every Windows system is vulnerable to a particular NTLM relay attack that could allow attackers to escalate privileges from User to Domain Admin.

Background: If your administration portal is a web application which protected by IWA (Integrated Windows Authentication). When client send a request to web server doing handshaking, the web server will be rejected the request and sends a response saying the user needs to be authenticated using NTLM. NTLM relaying is a well known technique that has long been abused by attackers.
Normally, NTLM relays need user intervention, so you have to trick the victim to authenticate to a resource under your control.

Vulnerability details: When using Integrated Windows Authentication (IWA), there are many possibilities for attacks. Perhaps the privilege escalation vulnerability in the Windows RPC protocol may be different from traditional methods. May be not the specify attack method of such vulnerability. But it will enrich your seen.

VMware vCenter Server IWA privilege escalation vulnerability (CVE-2021-22048): The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. The attacker with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group. US Homeland secuirty (CISA) encourages users and administrators to review VMware Security Advisory – https://www.vmware.com/security/advisories/VMSA-2021-0025.html

Workaround Instructions for CVE-2021-22048 – https://kb.vmware.com/s/article/86292

Preface: In the digital world, it always has unexpected problems.

Background: SAP kernel is the core component of any SAP system. It includes executable files on the SAP server, which are used to connect to the system and execute SAP programs. In the SAP system environment, remote function call (RFC) is one of the main communication protocols used.
Remark: Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems. RFC calls a function to be executed in a remote system.

Vulnerability details (official): CVE-2021-40501 – Missing Authorization check in ABAP Platform Kernel
(Product – SAP ABAP Platform Kernel, Versions – 7.77, 7.81, 7.85, 7.86)

My observation: The server-side implementation of the proprietary RFC protocol. Remote attackers capable of crafting special requests may exploit this vulnerability to claim a given identity that causes an authentication bypass in the SAP kernel. Similar vulnerability not the 1st time discovered.

Reminder: Due to the criticality and the impact on systems beyond the vulnerable system, we strongly recommend applying the corresponding kernel patch.

Official announcement – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864

Preface: The Citrix ADC NITRO protocol allows you to configure and monitor the Citrix ADC appliance programmatically by using
Representational State Transfer (REST) interfaces. Therefore, NITRO applications can be developed in any programming language.
Additionally, for applications that must be developed in Java or .NET or Python, NITRO APIs are exposed through relevant libraries
that are packaged as separate Software Development Kits (SDKs).

Background: When it comes to network services, you can use remote procedure calls (RPC) and representational state transfer (REST) to create APIs for network communication. As with any programming problem, understanding the advantages of each method will help you choose the best solution to reduce technically unforeseen problems. Are you experienced “excessive resource usage” in jsonrpc technical matter? For more information on this matter, please refer to the attached picture. In addition, do you think the security focus of the Citrix announcement (CTX 330728) is on similar topics?

Vulnerability details:

CVE-2021-22955 – Unauthenticated denial of service
Affected Products – Citrix ADC, Citrix Gateway (Appliance must be configured as a VPN (Gateway) or AAA virtual server)
Possible cause: Uncontrolled Resource Consumption
Criticality – Critical

CVE-2021-22956 – Temporary disruption of the Management GUI, Nitro API and RPC communication
Affected Products: Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition (Access to NSIP or SNIP with management interface access)
Possible cause: Uncontrolled Resource Consumption
Criticality – Critical

Official announcement – https://support.citrix.com/article/CTX330728

Preface: Directory traversal (path traversal) happens when the attacker is able to read files on the web server outside of the directory of the website. Directory traversal is only possible if the website developer makes mistakes.

Background: SIMATIC PCS 7 Web can be used to operate and monitor a
plant via Intranet or Internet. Extensive configuration options enable individualized and secure online access to the operator control and monitoring level of the production plant. This enables remote control room concepts to be realized. The new version expands the integration of mobile devices for plant monitoring even further.

Vulnerability details:

CVE-2021-40364
The affected systems store sensitive information in log files. An attacker with access to the log files could publicly expose the information or reuse it to develop further attacks on the system.

CVE-2021-40359
When downloading files, the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read unexpected critical files.

CVE-2021-40358
Legitimate file operations of the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read, write or delete unexpected critical files.

Official announcement: https://cve.report/CVE-2021-40364/e6b9d41.pdf

Preface: One aspect of the Microsoft-python server focuses on Python or Microsoft-developed tools. If you want to develop data science, security or games, then the Python Discord server is your best choice.

Background: Bots on Discord, the group messaging platform, are helpful artificial intelligence that can perform several useful tasks on your server automatically. Build a Discord Bot With Python is easy (see below):

1. pip install discord[.]py
2. If you don’t have a Discord account, then you’re going to want to create one.
3. Once you login, you are able to create New Application.

Discord servers are used in a wide range of applications, from basic mathematics to Python programming to more core data science concepts such as machine learning and artificial intelligence.

Vulnerability details: CVE-2021-41250 (Python Discord) : The token filtering function would exit early if it detected a URL within the message, but it made no extra checks to ensure there weren’t other tokens within that message that would trigger it.

Weakness Enumeration : Improper Input Validation

This issue has been resolved in commit: 67390298852513d13e0213870e50fb3cff1424e0 – https://github.com/python-discord/bot/commit/67390298852513d13e0213870e50fb3cff1424e0

Preface: Apple replaces bash with zsh as the default shell in macOS.

Background: According to the ZSH documentation on Startup/Shutdown Files, there are a number of files (located in the home directory $HOME or ~/):
[.]zprofile (login shell)
[.]zshenv (environment variables)
[.]zshrc (interactive shell)
[.]zlogin (login shell)
[.]zlogout (when the shell exits)

When zsh start, it looks for environment variables file (/etc/xxx[.]zshenv), If found, it runs command from file automatically.

Vulnerability details: The vulnerability is tracked as CVE-2021-30892 and was discovered in macOS Monterey 12.0.1 and Big Sur and Catalina updates.

So, for attackers  to perform arbitrary operations , find the specify path which process could take would be to create a malicious [.]zshenv file and then wait for system_installd to invoke zsh.

If you are interested in this matter, please refer to the URL

Preface: Android garbage collection is an automatic process which removes unused objects from memory. However, frequent garbage collection consumes a lot of CPU, and it will also pause the app.

Background: The garbage collection of Unix sockets first selects a set of candidate sockets that are only referenced from the flight (total_refs == inflight_refs). This condition is checked and marked once during the candidate collection phase. Although inflight_refs is protected by unix_gc_lock, total_refs (file count) is not protected.

Vulnerability details: Google described the one that attackers may be picking apart – CVE-2021-1048 – as caused by a use-after-free (UAF) vulnerability in the kernel.

Additional: CVE-2021-1048 is a use-after-free issue in the Kernel that allows for local privilege escalation but require attacker had local access right. Afterwards, the attacker can install rogue applications or use Internet Web applications to obtain malicious code (Javascript).
As a result, the attacker will escape the sandbox and abuse this kernel vulnerability.

Official announcement: Published November 1, 2021 | Updated November 2, 2021. There are indications that CVE-2021-1048 may be under limited, targeted exploitation.Please refer to the link for details – https://source.android.com/security/bulletin/2021-11-01

Preface: The open source Paho MQTT project for embedded C to connect and communicate with IoT Platform.

Background: MQTT is based on the client-server communication mode. MQTT server is called as MQTT Broker. Currently, there are many MQTT Brokers in the IIoT world. MQTT client libraries under different programming languages and platforms (see below):

Eclipse Paho C and Eclipse Paho Embedded C
Eclipse Paho Java Client
Eclipse Paho MQTT Go client
emqtt : Erlang mqtt client library provided by EMQ
MQTT.js Web & Node.js Platform MQTT Client
Eclipse Paho Python

The Paho MQTT project for embedded C includes three sub-projects:
– MQTTPacket: provides serialization and deserialization of MQTT data packets and some helper functions.
– MQTTClient: encapsulates the high-level C++ client program generated by MQTTPacket.
– MQTTClient-C: encapsulates the high-level C client program generated by MQTTPacket.

Vulnerability details: In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket.

Ref: The design weakness of  Eclipse Paho MQTT C Client was found 21st June 2017. Version 1.1 do a remedy. Developer confirm with success on 14th July, 2017. However, the versions prior to 1.1  has been identified as a vulnerability by a researcher and assigned CVE-2021-41036 on 2nd Nov, 2021.

Question: Do you think the vulnerable version of MQTT Client-C have chance attacking the MQTT Broker?

Official announcement: https://github.com/eclipse/paho.mqtt.embedded-c/issues/96

Preface: Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format
, and a bindings library with code generation for multiple target language to facilitate convenient message passing across arbitrary inter – and intra-process boundaries.

Background:Chrome limits most of the attack surface of the web (e.g., DOM rendering, script execution, media decoding, etc) to sandboxed processes.

Vulnerability details: Multiple vulnerabilities have been discovered in Google Chrome. Remote attackers can use these vulnerabilities to trigger remote execution of arbitrary code on the target system.

Possibilities: Refer to attached diagram (point 4). The interface defines one method, FilterInstalledApps. In the generated C++ interface, this method take an extra argument which is a callback to invoke with the result. In javaScript, the function instead returns a Promise.
Remark: The Promise object represents the eventual completion (or failure) of an asynchronous operation and its resulting value.

If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

Solution: Install the patch provided by the software vendor – https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html