Preface: The Kalay platform contains a major vulnerability that will allow hackers to remotely access IoT devices.

Background: Kalay Platform 2.0
This newly developed decentralized structure simplifies the role of the primary server to work as an intermediary transmitter,
which reduces the chances of a server being compromised or data being intercepted. Kalay 2.0 is designed using a two-factor UID
and end-to-end encryption to support multi-factor authentication and dynamic key-pairing, the new solution ensures protection
for the end-user’s data and transmission.

It will trigger the vulnerability in the following situations.

• The device firmware that does not use AuthKey when IOTC is connected.
• The firmware that uses the AVAPI module but the
  DTLS mechanism is not enabled.
• The firmware that uses the RDT module or P2PTunnel.

Basically, when vendor conducted its own security review in 2018, the vulnerability was discovered and patched, that is, the SDK version 3.1.10 released at that time has been patched.

However security consulting company “Fireye” discovered that some network surveillance cameras have security vulnerabilities, and these devices are still using the old version of TUTK SDK before 3.1.4. Therefore, the CVE-2021-32934 vulnerability was announced.

Vulnerability details:

CISA encourages users and administrators to review the ICS Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01

FireEye Mandiant blog: https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html

Preface: BlackBerry OS was discontinued after the release of BlackBerry 10. BlackBerry 10 is based on QNX, a Unix-like operating system that was originally developed by QNX Software Systems until the company was acquired by BlackBerry in April 2010. It supports the application framework Qt (version 4.8) and in some later models features an Android runtime to run Android applications.

Background: The runtime library is that library that is automatically compiled in for any C program you run. The version of the library you would use depends on your compiler, platform, debugging options, and multithreading options.

The calloc() in C is a function used to allocate multiple blocks of memory having the same size. It is a dynamic memory allocation function that allocates the memory space to complex data structures such as arrays and structures and returns a void pointer to the memory.

The free() function frees the memory space pointed to by ptr, which must have been returned by a previous call to malloc(), calloc() or realloc(). Otherwise, or if free(ptr) has already been called before, undefined behavior occurs.

Vulnerability details : An integer overflow vulnerability in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX Software Development Platform (SDP)version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety1.0.1 earlier that could potentially allow a successful attacker to perform a denial of service orexecute arbitrary code. BlackBerry is not aware of any exploitation of this vulnerability. For more details, please refer to the link below for reference.

Official announcement: https://support.blackberry.com/kb/articleDetail?articleNumber=000082334

CISA alert: https://us-cert.cisa.gov/ncas/alerts/aa21-229a

Headline News: https://www.zdnet.com/article/cisa-releases-alert-on-badalloc-vulnerability-in-blackberry-products/

Preface: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language. The design goal of the decompression library is for embedded devices, because the flash memory capacity is limited and the processing speed is slow.

Background: Package unarr is a decompression library for RAR, TAR, ZIP and 7z archives.

Vulnerability details: Vulnerability occurred in unarr, which will lead to path traversal vulnerability. What is traversal attack? A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.

Use the “go unarr” tool to decompress the malicious zip file. It will decompress the malicious file simultaneously. However, if you use other tools, such as tar. The malicious folder cannot be decompressed to the destination.By triggering the path traversal vulnerability, an attacker can store any file in any privileged place (which means that remote code execution can be caused under root privileges).

Workaround: No

Affected version: unarr 0.1.1

Remedy: Not yet announcement. Therefore not suggest to use until it fixed.

Preface: Since xml data is irregular and verbose, it can impact both query processing and data exchange.

Background: XMill is a tool for compressing XML data efficiently. It is based on a regrouping strategy that leverages the effect of highly-efficient compression techniques in compressors such as gzip (Please refer to attached diagram for details).

The architecture od XMill is based on the 3 principles:
– The XML file is parsed by a SAX parser that sends tokens to the path processor.
– Every XML token (tag, attribute, or data value) is assigned to a container.
– Tags and attributes forming the XML structure, are senf to the structure container. Data values are send to various data containers.

Vulnerability details: Xmill contains four heap-based buffer overflow vulnerabilities: TALOS-2021-1290 (CVE-2021-21825), TALOS-2021-1291 (CVE-2021-21826 – CVE-2021-21828), TALOS-2021-1292 (CVE-2021-21829) and TALOS-2021-1293 (CVE-2021-21830). These could all be exploited by an adversary to gain the ability to execute code on the victim machine. Since XMill tool contains multiple vulnerabilities. Please refer to Cisco Talos official link for details – https://blog.talosintelligence.com/2021/08/vuln-spotlight-att.html

Additional details: Only a subset of these Xmill vulnerabilities directly affects Schenider’s Control Expert software:
TALOS-2021-1290, TALOS-2021-1291, TALOS-2021-1292 and TALOS-2021-1293, which all directly affect Control Expert and are based around XML decompression within the software.

Reference: EcoStruxure Control Expert is a unique software platform to increase design productivity and performance of your Modicon M340, M580 and M580 Safety, Momentum, Premium, Quantum applications.

Preface: Type the following command and hit Enter. mklink /J “path to junction link” “path to target folder”. The junction link is thus created.

Background: By creating a new folder structure, changing the user’s shell folder registry key, and placing a connection point in the hierarchy,
you can open any other UsrClass[.]dat file on the system through this process.

Vulnerability details: Microsoft Windows User Profile Service Directory Junction Privilege Escalation Vulnerability (CVE-2021-34484).

An authenticated attacker who successfully exploits this vulnerability could leverage the Windows User Profile Service (ProfSvc) to load registry hives that are associated with other user accounts and potentially run programs with elevated permissions. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.

Official details: Please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34484

Preface: Software Development Life Cycle is the application of standard business practices to building software applications. It’s typically divided into six to eight steps: Planning, Requirements, Design, Build, Document, Test, Deploy, Maintain.

Background: The SAP NetWeaver development infrastructure combines the features and advantages of a local development environment (usually provided in a Java environment) and a server-based development environment, which can provide development teams with a consistent development environment and support software throughout its life cycle Development.

Component Build Service (CBS): Central build of the source files in the DTR based on the component model.

Vulnerability details: CVE-2021-33690 – Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service)

Affected Products – SAP NetWeaver Development Infrastructure (Component Build Service), Versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

Description: SSRF lets attackers send requests from the server to other resources, both internal and external, and receive responses.

Reference: If you are interested in knowing my understanding of this matter. Please refer to the picture above. The official details can be found in the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806

Preface: Public key infrastructure (PKI) governs the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.

Technical background: From a technical point of view, application software is installed on the host and provides functions (listening to data on open ports or sending data to the LAN or the Internet). Protect online data transmission based on compliance. It will deploy PKI technology. If the SSL certificate installed on the host is not verified, it may allow an attacker to deceive trusted entities by interfering with the communication path between the host and the client. The software may connect to a malicious host and think it is a trusted host, or the software may be tricked into accepting spoofed data that appears to be from a trusted host.

Vulnerability details: A vulnerability in PKI Security Solution of Dream Security could allow arbitrary command execution. This vulnerability is due to insufficient validation of the authorization certificate. An attacker could exploit this vulnerability by sending a crafted HTTP request an affected program. A successful exploit could allow the attacker to remotely execute arbitrary code on a target system.

Please refer to the link – https://boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36174

Preface: The following companies use Btrfs in production: Facebook (testing in production as of 2014/04, deployed on millions of servers as of 2018/10) Jolla (smartphone) Lavu (iPad) point of sale solution.

Background: Btrfs is an advanced file system, jointly developed by an organization, and now specific Synology NAS models support this file system.Btrfs is now the Default Filesystem on Fedora 33.

Vulnerability details: (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly validate file system metadata in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).

Cause: If process B allocated a new system chunk and process A is waiting on process B to finish creation of the respective system block group. However before process B ends its transaction handle and finishes the creation of the system block group, it attempts to allocate another chunk (like a data chunk for an fallocate operation for a very large range). process B will be unable to progress and allocate the new chunk.

*The default operation (i.e., mode is zero) of fallocate() allocates the disk space within the range specified by offset and len (off is used to pass an offset and len is used to pass a length)

Remedy: btrfs fix deadlock with concurrent chunk allocations – Refer to link: https://github.com/torvalds/linux/commit/1cb3db1cf383a3c7dbda1aa0ce748b0958759947

Preface: HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way.

Background: After the initial configuration of Workspace ONE Access is complete, administrator can go to the Workspace ONE Access console pages to install certificates, manage passwords, and download log files. You can also update the database, change the Workspace ONE Access FQDN, and configure an external syslog server.

How do I access VMware Identity Manager?
You can log in to the VMware Identity Manger console from your Workspace ONE portal page. To log in directly to the console,
VMware Identity Manager admin users can enter the following URL [/]SAAS[/]login[/]0.

Vulnerability details: The vulnerability exists due to insufficient validation of user-supplied input in the [/]cfg web app and diagnostic endpoints. A remote attacker can send a specially crafted HTTP request with a modified HTTP Host header to port 443[/]TCP and access the[ /]cfg web application, available at port 8443. As a result, a remote non-authenticated attacker can gain access to services in the internal network.

Official announcement – Please refer to the link https://www.vmware.com/security/advisories/VMSA-2021-0016.html