Preface: Maybe users who use SharePoint have similar feelings to me. Although SharePoint user permissions are complicated. In addition, the details of the vulnerability also give users a complex feeling!
Background: CVE-2021-43976 was published 30th Dec, 2021. However, the vulnerability details has been released by Microsoft on 16th Nov, 2021. Perhaps, official details not described in details of the vulnerability. But we can find the hints for the official article. Since CVE-2021-43976 consists of multiple vulnerabilities to the SharePoint products. But CVE-2021-42309 is a navigation to let us know what is happening of the matter.
Vulnerability details: CVE-2021-43976 – Certain versions of Microsoft SharePoint Enterprise Server from Microsoft contain the following vulnerability: Microsoft SharePoint Elevation of Privilege Vulnerability. Because Microsoft did not provide technical details. I believe that the specific CVE record is similar to the following scenario.
The vulnerability allows a user to elevate and execute code in the context of the service account. An attacker would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions. This bug allows an attacker to bypass the restriction against running arbitrary server-side web controls. This is similar to the previously patched CVE-2021-28474.
Additional information: For a successful attack, the attacker needs SPBasePermissions.ManageLists permissions for a SharePoint site. By default, authenticated SharePoint users can create sites/subsites and will have all necessary permissions.
Preface: Traditional, there is service ID account installed in web server side since it require connecting to DB server and update the data into database.
Background: Apache log4j vulnerability wide spread in digital world. Additionally, industry area also involved to this design flaw. Enterprise industrial manufacturer Siemens published security advisory that Apache Log4j Vulnerability (CVE-2021-44832) combine usage of JDBC Appender might impact to their customer. The announcement is shown in the link below.
This advisory informs about the impact of CVE-2021-44832 to Siemens products and the corresponding remediation and mitigation measures. The vulnerability is different from other JNDI lookup vulnerabilities, the impact of which is documented in SSA-661247 . The announcement is shown in the link below.
CVE-2021-44832 -Vulnerability details: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
When an attacker exploits these vulnerabilities, the following requirements need to be met.
The JDBC Appender configured with a DataSource requires JNDI support so as of release 2.17.1 this appender will not function unless log4j2[.]enableJndiJdbc=true is configured as a system property or environment variable.
Remedy: This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. The announcement is shown in the link below.
Preface: The main advantage of object storage is that you can group devices into large storage pools, and distribute those pools across multiple locations.
Background: Object storage is a technology that manages data as objects. All data is stored in one large repository which may be distributed across multiple physical storage devices, instead of being divided into files or folders. An “object” includes the data itself, some metadata, and a unique identifier. This data can be immediately accessed through APIs or http/https. In this way, the object storage safeguards the data. This data can also be replicated to multiple datacenters if needed.
MinIO offers high-performance, S3 compatible object storage. Native to Kubernetes, MinIO is the only object storage suite available on every public cloud, every Kubernetes distribution, the private cloud and the edge. MinIO is software-defined and is 100% open source under GNU AGPL v3.
Vulnerability details: The user create API endpoint was accepting a policy field. This API is used to update a user’s secret key and account status, and allows a regular user to update their own secret key. The policy update is also applied though does not appear to be used by any existing client side functionality.
Workaround: Changing passwords can be disabled as a workaround for this issue by adding an explicit “Deny” rule to disable the API for users.
Remedy: Users are advised to upgrade to RELEASE.2021-12-27T07-23-18Z – https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z
Preface: When the Gamer PC is invaded by an attacker. The inherent risk is not limited to the local PC itself. From a technical point of view, the victim site will be transformed into a weapon to attack other peers.
Background: GeForce Experience is the companion application to your GeForce graphics card. It keeps your drivers up to date, automatically optimizes your game settings, and let you share your gaming moments with friends. GeForce Experience makes it easy to live broadcast gameplay from your entire PC library using the live streaming service of your choice. GeForce Experience supports live broadcasting with Facebook Live, YouTube Live, and Twitch.
GameStream gives you the power to access your favorite games from your GeForce® GTX-powered PC on your SHIELD TV or SHIELD Tablet. Jump directly into Steam® Big Picture mode from the Steam app on SHIELD.
Vulnerability details: The vulnerability allows a local user to escalate privileges on the system. The flaw exists due to improper access restrictions where GameStream does not correctly apply individual user access controls for users on the same device. A local user can run a specially crafted program to escalate privileges on the system. GameStream does not correctly apply individual user access controls for users on the same device, which, with user intervention, may lead to escalation of privileges, information disclosure, data tampering, and denial of service.
Preface: In 2021, there are more than 10 billion active IoT devices.WiFi connection is part of the IoT device.It cannot lack this feature.
Background: The Realtek RTL8195AM is a highly integrated single-chip with a low-power-consumption mechanism ideal for IoT (Internet of Things) applications. It combines an ARM®Cortex™-M3 MCU, WLAN MAC, a 1T1R capable WLAN baseband /RF and NFC in a single chip. It provides useful high-speed connectivity interfaces, such as USB 2.0 host, USB 2.0 device, SDMMC HS, SDIO device, and Ethernet MII/RMII interfaces.
To get started with using MQTT, you can follow the basic example guide here for the RTL8195 development board. This example uses the MQTT protocol to allow for control of an LED over the internet. Source code for the example can be found at AmebaIoT’s GitHub repository.
Vulnerability details: A stack buffer overflow was discovered on Realtek RTL8195AM device before 2.0.10, it exists in the client code when an attacker sends a big size Authentication challenge text in WEP security.
Reference 1: In Shared Key authentication, the WEP key is used for authentication in a four-step challenge-response handshake:
1.The client sends an authentication request to the Access Point. 2.The Access Point replies with a clear-text challenge. 3.The client encrypts the challenge-text using the configured WEP key and sends it back in another authentication request. 4.The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply.
Reference 2: The access point responds by generating a sequence of characters called a challenge text for the computer. The computer encrypts the challenge text with its WEP key and transmits the “message” back to the access point.
Preface: CVE Numbering Authorities (CNAs) release published vulnerability details for MesaLabs Amega version 3.0 on 12/21/2021. Perhaps the criticality of the design flaw will be impacted whole world including Hospitals, Blood Banks, Pharmaceutical, Laboratories,… As a matter of fact, the related details has been released on HIPAA report on June this year.
Background: AmegaView Environmental Monitoring system (CMS) 3.0 was released on 2015. The AmegaView CMS, consists of a robust hardware package and Mesa’s user-friendly software. AmegaView is used to monitor parameters including Temperature, Humidity, CO2, O2, Differential Pressure, Leak Detection, Voltage, Door Switches, Switch Closures, Air Flow, Refrigerators, Freezers…… In addition, due to its function, it is used in various industries, such as hospitals, blood banks, pharmaceuticals, laboratories,..etc.
CVE-2021-27447 – CVSS 10/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code. CVE-2021-27449 – CVSS 9.9/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute commands in the web server. CVE-2021-27445 – CVSS 7.8/10 – Insecure file permissions which could be exploited to elevate privileges on the device. CVE-2021-27451 – CVSS 7.3/10 – Improper authentication due to passcodes being generated by an easily reversible algorithm, which could allow an attacker to gain access to the device. CVE-2021-27453 – CVSS 7.3/10 – Authentication bypass issue that could allow an attacker to gain access to the web application.
If you are interested in possible attack scenarios, please refer to the attached drawings for reference.
Preface: Sometimes misconfiguration or abuse will be transformed as a vulnerability.
Background:Apache Module mod_lua (Official note) -This module holds a great deal of power over httpd, which is both a strength and a potential security risk. It is not recommended that you use this module on a server that is shared with users you do not trust, as it can be abused to change the internal workings of httpd.
The basic module loading directive is shown as follow: LoadModule lua_module modules/mod_lua[.]so. Remark: mod_lua provides a handler named lua-script, which can be used with a SetHandler or AddHandler directive.
Vulnerability details: CVE-2021-44790 A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Comment: According to point 1. The official warning informs Apache system owners to be careful with mod_lua modules. So we can say on behalf of Apache that this is a configuration abuse defect.
Preface: CISA urges vigilance on the VMware Workspace ONE UEM console.
Background: The aim of configure the httphandler for display blobs (Binary Large Object) such as an image, a video or a file. In a nutshell the blobhandler allows us to get an URL to diplay a blob stored in our database.Whether is there any cyber security on this method? As far as we know, it is possible to Call HTTPhandler from jQuery, Pass data and retrieve in JSON format. A vulnerability remediation has been released by vendor last Friday (16th Dec, 2021). A Server Side Request Forgery (SSRF) vulnerability in VMware Workspace ONE UEM console was privately reported to VMware. Patches and workarounds are available to address this vulnerability in affected VMware products. The issue has been mitigated for VMware-hosted Workspace ONE consoles. For more details, please refer the link – https://www.vmware.com/security/advisories/VMSA-2021-0029.html
Observation: A workaround has been given by vendor. When the request has a “url” query parameter, the solution is to block any access to the BlobHandler.ashx endpoint. After applying the workaround, any request with blocking mode should result in a 404 Not Found response. For more details. please refer to link – https://kb.vmware.com/s/article/87167
Not sure whether is there another regular expression embedded in web server side? Otherwise, VMware administrator should be careful about the case sensitive matter.
Preface: The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications.
Background: The Auth0 Next. js SDK is a library for implementing user authentication in Next[.] js applications. Auth0 offers two ways to implement login authentication for your applications:
Universal Login where users log in to your application through a page hosted by Auth0.
Embedded Login where users log in to your application through a page you host.
Vulnerability details: If you are using nextjs-auth0 Authorization solution. The client application redirects the user authentication to Auth0 server , who handles all the required authentication and authorization logic (sign-up, sign-in, MFA, consent, and so on). Once users log in, Auth0 redirects them to your application with an Authorization Code in the query string. The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability.
The open redirect vulnerability can manipulates users and redirects them from one site to another. The potential risk of this vulnerability is that when attacker doing the exploition. He can combines with other vulnerabilities (For example: server-side request forgery, XSS-Auditor bypass and Oauth vulnerability) to increasing the risk of impact.