All posts by admin

Security Focus – Host header tampering leading to a server-side request to an internal restricted service (5-8-2021)

Preface: HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way.

Background: After the initial configuration of Workspace ONE Access is complete, administrators can go to the Workspace ONE Access console pages to install certificates, manage passwords, and download log files. You can also update the database, change the Workspace ONE Access FQDN, and configure an external syslog server.

How do I access VMware Identity Manager?
You can log in to the VMware Identity Manager console from your Workspace ONE portal page. To log in directly to the console,
VMware Identity Manager admin users append [/]SAAS[/]login[/]0 to the Workspace ONE Access FQDN.

Vulnerability details: The vulnerability exists due to insufficient validation of user-supplied input in the [/]cfg web app and diagnostic endpoints. A remote attacker can send a specially crafted HTTP request with a modified Host header to TCP port 443 and reach the [/]cfg web application, which is only meant to be served on port 8443. As a result, a remote unauthenticated attacker can gain access to services on the internal network.
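The pattern behind this class of bug, shown as an added example written for this post (it is not VMware's code, and the configured FQDN, upstream addresses and request objects are assumptions): a front end on TCP/443 that builds the upstream address from the Host header, beside one that validates the Host header against the configured FQDN and routes to a fixed upstream.

```javascript
// Added example, not VMware code: a front end on TCP/443 that derives the
// upstream from the Host header, beside one that validates Host first.
// PUBLIC_FQDN and the upstream addresses are assumptions for this example.
const PUBLIC_FQDN = 'access.example.com';
const PUBLIC_UPSTREAM = 'https://127.0.0.1:443';

// Vulnerable pattern: the attacker-controlled Host header becomes the
// upstream authority, so "Host: 127.0.0.1:8443" makes the front end fetch
// an application that is only meant to be reachable on port 8443.
function upstreamFromHost(req) {
  return `https://${req.headers.host}${req.path}`;
}

// Parse "host[:port]" (the RFC 7230 Host syntax; IPv6 literals in brackets).
// Returns null for anything that is not a single well-formed Host value.
function parseHost(value) {
  if (typeof value !== 'string') return null;
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$/i.exec(value);
  if (m === null) return null;
  const port = m[2] === undefined ? 443 : Number(m[2]); // no port: https default
  if (port < 1 || port > 65535) return null;
  return { host: m[1].toLowerCase(), port };
}

// Hardened pattern: accept only the configured FQDN on the public port, and
// route to a fixed upstream that is never built from request data.
function upstreamValidated(req) {
  const parsed = parseHost(req.headers.host);
  if (parsed === null || parsed.host !== PUBLIC_FQDN || parsed.port !== 443) {
    return { status: 400, reason: 'Host header does not match the configured FQDN' };
  }
  return { status: 200, upstream: `${PUBLIC_UPSTREAM}${req.path}` };
}

// Constructed requests: a normal console login and a tampered Host header.
const legitRequest = { headers: { host: 'Access.Example.com' }, path: '/SAAS/login/0' };
const tamperedRequest = { headers: { host: '127.0.0.1:8443' }, path: '/cfg/' };

console.log(upstreamFromHost(tamperedRequest));   // reaches the internal app
console.log(upstreamValidated(tamperedRequest));  // { status: 400, ... }
console.log(upstreamValidated(legitRequest));     // fixed upstream plus path
```

The port comparison is deliberate: an allowlist that checks only the host name still passes `Host: access.example.com:8443`, which is enough when the internal application differs from the public one only by port. Validation like this on a reverse proxy is defence in depth; the vendor patch in the advisory remains the fix.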

Official announcement – Please refer to the link https://www.vmware.com/security/advisories/VMSA-2021-0016.html

CVE-2021-33403 – Lancer Token Ethereum ERC20 Token integer overflow (4-8-2021)

Preface: As of 4th Aug 2021 there are 8,106 unique holders of Lancer Token, with a total supply of 151,377,339.14 LNC.

Background: ERC-20 is the most widely used token standard on Ethereum; ERC-20 tokens are issued on the Ethereum network. As of October 2019, more than 200,000 ERC-20-compatible tokens existed on Ethereum’s main network.

Vulnerability Details: An integer overflow in the transfer function of a smart contract implementation for Lancer Token, an Ethereum ERC20 token, allows the owner to cause unexpected financial losses between two large accounts during a transaction.

Reference: The attacker was able to pass a combination of input values whose result is larger than the maximum value a uint256 can hold. This caused an integer overflow in which only the least significant bits are retained: once the uint256 variable exceeds its maximum value it wraps around, starting again from 0. For example, a uint8 (8-bit unsigned integer) can represent at most 2^8 − 1 = 255 (0xff). Multiplying 0x02 by 0x80 overflows and produces 0x00 as the result (0x02 * 0x80 = 0x100 => 0x00).
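The wrap-around carried through to an ERC20-style transfer, as an added example written for this post (it is not the Lancer Token contract; the balances and account names are constructed). Fixed-width EVM arithmetic is modelled with BigInt, and the same transfer is written once with unchecked maths and once with the SafeMath-style post-condition that prevents the loss.

```javascript
// Added example, not the Lancer Token contract: EVM-style fixed-width
// arithmetic modelled with BigInt, and an ERC20-like transfer written with
// unchecked maths (wraps on overflow) and with a SafeMath-style check.
const UINT256_MAX = (1n << 256n) - 1n;

// Keep only the low `bits` bits, exactly as a uintN in Solidity < 0.8 does.
function wrap(x, bits) {
  return x & ((1n << BigInt(bits)) - 1n);
}

// Unchecked: balances are uint256, so a recipient sitting near UINT256_MAX
// wraps around to a tiny balance instead of the transfer failing.
function transferUnchecked(balances, from, to, value) {
  if (balances[from] < value) throw new Error('insufficient balance');
  balances[from] = wrap(balances[from] - value, 256);
  balances[to] = wrap(balances[to] + value, 256);
  return balances;
}

// Checked: the post-condition a SafeMath add enforces (no result above the
// type's maximum), so the transaction reverts instead of corrupting state.
function transferChecked(balances, from, to, value) {
  if (balances[from] < value) throw new Error('insufficient balance');
  const newTo = balances[to] + value;
  if (newTo > UINT256_MAX) throw new Error('addition overflow');
  balances[from] -= value;
  balances[to] = newTo;
  return balances;
}

// Constructed scenario: the recipient already holds a balance near the top
// of the uint256 range, so a small transfer pushes it past UINT256_MAX.
function demo() {
  const start = () => ({ alice: 100n, bob: UINT256_MAX - 5n });
  const wrapped = transferUnchecked(start(), 'alice', 'bob', 10n);
  let checkedError = null;
  try {
    transferChecked(start(), 'alice', 'bob', 10n);
  } catch (e) {
    checkedError = e.message;
  }
  return { bobAfterUnchecked: wrapped.bob, checkedError };
}

console.log(wrap(0x02n * 0x80n, 8)); // the uint8 case from the text: 0n
console.log(demo());                 // bob wraps to 4n; checked version reverts
```

Solidity 0.8 and later makes the checked behaviour the default; contracts compiled with older versions need SafeMath or equivalent `require` checks on every arithmetic step that takes user-controlled operands.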

Reference article: Please refer to the following link – https://nvd.nist.gov/vuln/detail/CVE-2021-33403

Kubernetes Hardening Guidance by NSA & CISA (3rd Aug 2021)

Preface: Docker helps to “create” containers, and Kubernetes allows you to “manage” them at runtime. What is Kubernetes security? It is usually described in four layers: cloud, cluster, container and code.

Background: NSA and CISA observe that Kubernetes is commonly targeted for three reasons: data theft, theft of computational power, and denial of service. Examples of container and cloud incidents from recent years:

– Capital One – In 2019, this breach saw 30GB of credit application data affecting about 106 million people exfiltrated. A misconfigured firewall allowed an attacker to query the internal metadata service and obtain Amazon Web Services credentials.
– Docker Hub – Attackers managed to plant malicious images on Docker Hub. Users who pulled them unknowingly deployed cryptocurrency miners in the form of Docker containers, which diverted compute resources toward mining cryptocurrency for the attacker.
– Microsoft Azure – Microsoft has seen plenty of cryptojacking of its own: in April 2020 it disclosed a large-scale cryptomining attack against Kubernetes clusters in Azure.
– Tesla – The automaker was one of the earlier victims of cryptojacking when a Kubernetes cluster was compromised because an administrative console was not password protected (misconfiguration).
– Jenkins – Hackers exploited a vulnerability in Jenkins to cryptomine to the tune of about $3.5 million, or 10,800 Monero, in 18 months. Separately, six malicious Docker images were found to have been pulled over 2 million times collectively, that is, 2 million users potentially mining Monero for the attacker.

To avoid similar incidents, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance.” Its primary recommendations include scanning containers and Pods for vulnerabilities or misconfigurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. Please refer to the link for details – https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
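What “least privilege for Pods” looks like in a manifest, as an added example written for this post (it is not from the NSA/CISA report): a small check over a Pod object that flags the settings the guidance warns about, run against a constructed weak manifest and the same workload hardened. The field names are real PodSpec fields; the image names and digest are placeholders, and digest pinning is one extra check beyond the report's list.

```javascript
// Added example, not from the NSA/CISA report: a check that flags the pod
// settings the guidance warns about (host namespaces, root, privilege
// escalation, writable root filesystem, retained capabilities, mounted
// service account token), plus image pinning by digest as one extra check.
// Field names are real PodSpec fields; both manifests are constructed.
function podFindings(pod) {
  const findings = [];
  const spec = pod.spec || {};
  const podSc = spec.securityContext || {};
  for (const flag of ['hostNetwork', 'hostPID', 'hostIPC']) {
    if (spec[flag] === true) findings.push(`${flag}: shares a host namespace`);
  }
  if (spec.automountServiceAccountToken !== false) {
    findings.push('automountServiceAccountToken: token mounted by default');
  }
  for (const c of spec.containers || []) {
    const sc = c.securityContext || {};
    if (sc.privileged === true) findings.push(`${c.name}: privileged container`);
    if (sc.runAsNonRoot !== true && podSc.runAsNonRoot !== true) {
      findings.push(`${c.name}: may run as root (runAsNonRoot not set)`);
    }
    if (sc.allowPrivilegeEscalation !== false) {
      findings.push(`${c.name}: allowPrivilegeEscalation not disabled`);
    }
    if (sc.readOnlyRootFilesystem !== true) {
      findings.push(`${c.name}: writable root filesystem`);
    }
    const dropped = (sc.capabilities && sc.capabilities.drop) || [];
    if (!dropped.includes('ALL')) findings.push(`${c.name}: capabilities not dropped`);
    if (!/@sha256:[0-9a-f]{64}$/.test(c.image || '')) {
      findings.push(`${c.name}: image not pinned by digest`);
    }
  }
  return findings;
}

// A pod of the kind cryptojackers love: privileged, root, host PID namespace.
const weakPod = {
  apiVersion: 'v1', kind: 'Pod', metadata: { name: 'app' },
  spec: {
    hostPID: true,
    containers: [{ name: 'app', image: 'example/app:latest',
                   securityContext: { privileged: true } }],
  },
};

// The same workload with the guidance applied.
const hardenedPod = {
  apiVersion: 'v1', kind: 'Pod', metadata: { name: 'app' },
  spec: {
    automountServiceAccountToken: false,
    securityContext: { runAsNonRoot: true, runAsUser: 10001 },
    containers: [{ name: 'app',
                   image: 'example/app@sha256:' + 'a'.repeat(64), // placeholder digest
                   securityContext: { allowPrivilegeEscalation: false,
                                      readOnlyRootFilesystem: true,
                                      capabilities: { drop: ['ALL'] } } }],
  },
};

console.log(podFindings(weakPod));      // eight findings
console.log(podFindings(hardenedPod));  // []
```

In a real cluster the same rules belong in an admission control layer (Pod Security admission or a policy engine) so that a non-compliant manifest is rejected rather than merely reported.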

A reminder from vulnerability note VU#405600 – 2nd Aug 2021

Preface: Alert by CISA. Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks.

Background: NTLM has basic design weaknesses; in particular, an NTLM authentication that is not protected by signing or channel binding can be relayed by whoever receives it to another service. Combined with the EfsRpcOpenFileRaw method, which can coerce a domain controller into authenticating to an attacker-chosen host, this becomes a powerful tool against a Windows domain.

Vulnerability details: Code running on any domain-joined system can trigger this function to be called on a domain controller without needing to know the credentials of the current user or any other user in an Active Directory. And because the EfsRpcOpenFileRaw method authenticates as the machine dispatching the request, this means that a user of any system connected to an AD domain can trigger an NTLM authentication request as the domain controller machine account to an arbitrary host, without needing to know any credentials. This can allow for NTLM relay attacks.

Observation: While NTLM is still supported by Microsoft, it was replaced by Kerberos as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains. Confirm which authentication method your SharePoint servers use, and do not use NTLM. The vulnerability note's mitigations also address the relay targets themselves, in particular the AD CS web enrollment endpoints.
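Where the relay shows up in logs, as an added example written for this post (it is not from VU#405600 and not a vendor detection rule): a heuristic over Windows Security event 4624 records. A relayed coerced authentication is logged on the relay target as a network logon for the domain controller's machine account over NTLM, arriving from the relay host rather than from the DC. The field names are real 4624 fields; the DC inventory, host names, addresses and records are constructed.

```javascript
// Added example, not from VU#405600: a detection heuristic over Windows
// Security event 4624 records. When a coerced domain controller
// authentication is relayed, the relay target logs a network logon
// (LogonType 3) for the DC machine account ("name$") with
// AuthenticationPackageName NTLM, and IpAddress is the relay host, not the
// DC. Field names are real 4624 fields; the inventory and records are constructed.
const DOMAIN_CONTROLLERS = { 'DC01$': '10.0.0.10' }; // assumed inventory: account -> IP

function isRelayedDcLogon(ev) {
  if (ev.EventID !== 4624 || ev.LogonType !== 3) return false;
  if (ev.AuthenticationPackageName !== 'NTLM') return false;
  const account = String(ev.TargetUserName || '').toUpperCase();
  if (!account.endsWith('$')) return false;       // only machine accounts
  const dcIp = DOMAIN_CONTROLLERS[account];
  if (dcIp === undefined) return false;            // only DC machine accounts
  return ev.IpAddress !== dcIp;                    // arrived from somewhere other than the DC
}

function findRelayedDcLogons(events) {
  return events.filter(isRelayedDcLogon);
}

const sampleEvents = [
  // DC01$ over NTLM from 10.0.0.77, which is not DC01: the relay artifact
  { EventID: 4624, Computer: 'ADCS01.corp.example', TargetUserName: 'DC01$',
    LogonType: 3, AuthenticationPackageName: 'NTLM', IpAddress: '10.0.0.77' },
  // normal Kerberos machine logon
  { EventID: 4624, Computer: 'ADCS01.corp.example', TargetUserName: 'DC01$',
    LogonType: 3, AuthenticationPackageName: 'Kerberos', IpAddress: '10.0.0.10' },
  // ordinary user over NTLM: noisy, but not this signal
  { EventID: 4624, Computer: 'FS01.corp.example', TargetUserName: 'jdoe',
    LogonType: 3, AuthenticationPackageName: 'NTLM', IpAddress: '10.0.0.55' },
  // DC01$ over NTLM but from DC01 itself: NTLM fallback, not relayed
  { EventID: 4624, Computer: 'FS01.corp.example', TargetUserName: 'DC01$',
    LogonType: 3, AuthenticationPackageName: 'NTLM', IpAddress: '10.0.0.10' },
];

console.log(findRelayedDcLogons(sampleEvents)); // the first record only
```

The source-address comparison is what separates a relay from an ordinary NTLM fallback, so the inventory must be accurate and the logs must come from the hosts an attacker would relay to (here the AD CS server). Treat a hit as a high-signal hunt lead; NAT or proxies between the DC and the target will need the inventory adjusted.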

Official technical articles – Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks – https://kb.cert.org/vuls/id/405600

CVE-2021-23417: DevOps Should be vigilant! (2nd Aug, 2021)

Preface: JSON is a text-based data format following JavaScript object syntax. Even though it closely resembles JavaScript object literal syntax, it can be used independently from JavaScript, and many programming environments feature the ability to read (parse) and generate JSON.

Background: JavaScript developers often need to combine objects into a single one that contains all the individual properties of its constituent parts. This operation is called merging. The two most common ways are shown below:

  • Using the spread operator (…)
  • Using the Object.assign() method

Developers may also use a library for deep merges, for example deepmergefn, an alternative to deepmerge and Lodash's _.merge.

Vulnerability details: JavaScript allows all object properties to be altered, including special ones such as __proto__, constructor and prototype. An attacker who controls the keys fed to a recursive merge can manipulate these properties to overwrite, or pollute, the prototype of the base Object by injecting values into it.
Properties placed on Object.prototype are then inherited by every JavaScript object through the prototype chain.

Workaround:

– Avoid using unsafe recursive merge functions.
– Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
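The vulnerability and both workarounds side by side, as an added example written for this post (it is not deepmergefn's code): a recursive merge of the shape the advisory describes, the JSON payload that pollutes Object.prototype through it, and a hardened merge that skips prototype-related keys and builds nested objects with Object.create(null). The payload and the isAdmin property are constructed.

```javascript
// Added example, not deepmergefn's code: a recursive merge of the kind the
// CVE class describes, the payload that pollutes Object.prototype through
// it, and a hardened merge applying the two workarounds above.
function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Vulnerable: walks every key of the untrusted source, including "__proto__",
// and recurses into target["__proto__"], which is Object.prototype itself.
function mergeUnsafe(target, source) {
  for (const key in source) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function isPlain(v) {
  if (!isObject(v)) return false;
  const p = Object.getPrototypeOf(v);
  return p === null || p === Object.prototype;
}

// Hardened: own keys only, prototype-related keys dropped, and any nested
// object the merge creates has no prototype (Object.create(null)).
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const sv = source[key];
    if (isPlain(sv)) {
      const tv = hasOwn(target, key) && isPlain(target[key]) ? target[key] : Object.create(null);
      target[key] = mergeSafe(tv, sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse creates
// an own property literally named "__proto__"; it does not set the prototype.
const payload = JSON.parse('{"name":"x","__proto__":{"isAdmin":true}}');

// Merge the payload into an empty config, then check whether a brand-new,
// unrelated object now "has" isAdmin. Cleans up so the process is not left polluted.
function demo(merge) {
  const config = {};
  merge(config, payload);
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log(demo(mergeUnsafe)); // true: every object now inherits isAdmin
console.log(demo(mergeSafe));   // false
```

Note that `for...in` plus `target[key]` is the dangerous combination: the own `__proto__` data property that JSON.parse produces is enumerated, and reading `target.__proto__` hits the inherited accessor, handing the recursion Object.prototype as its target.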

Status: There is no fixed version release yet.

Stay alert to Trend Micro products – 30th Jul 2021

Preface: In order to expand business development, software products sometimes use similar engineering designs. When vulnerabilities occur, their effects seem to be interrelated.

Privilege escalation attack techniques: Token theft, where a low-privileged process escalates by stealing the access token of a process with greater privileges. This technique is often used in tandem with another vulnerability to deliver and run an attacker’s malicious code with SYSTEM permissions.

Attackers may not rely on this path today, but in the past scheduled tasks have also been used to bypass User Account Control (UAC) and escalate privileges by misusing system actions such as an antivirus update. Because such a task is marked auto-elevating, it runs with elevated privileges without prompting the user through UAC. The key is that the task's command uses a user-controlled environment variable as part of its path, which can be manipulated.

Vulnerability details:

CVE-2021-32464 – An incorrect permission assignment privilege escalation vulnerability in Trend Micro Apex One and Apex One as a Service could allow an attacker to modify a specific script before it is executed.
CVE-2021-32465 – An incorrect permission preservation vulnerability in Trend Micro Apex One and Apex One as a Service could allow a remote user to perform an attack and bypass authentication on affected installations.
CVE-2021-36741 – An improper input validation vulnerability in Trend Micro Apex One and Apex One as a Service allows a remote attacker to upload arbitrary files on affected installations.
CVE-2021-36742 – An improper input validation vulnerability in Trend Micro Apex One and Apex One as a Service allows a local attacker to escalate privileges on affected installations.

Remedy by vendor:

Security Bulletin for Worry-Free Business Security – https://success.trendmicro.com/solution/000287820

Security Bulletin for Trend Micro Apex One and Apex One as a Service – https://success.trendmicro.com/solution/000287819

CISA security advisory: KUKA KR C4 Controller (27th Jul 2021)

Preface: The computer behind a robot’s performance is the Programmable Logic Controller (PLC). PLCs control the robots and make them act at very specific times and points in the production process.

Product background: The KR C4 software architecture integrates Robot Control, PLC Control, Motion Control (e.g. KUKA.CNC) and Safety Control. All controllers share a database and infrastructure.

KUKA System Software (KSS)
In the case of the KR C4 compact robot controller, safety options such as SafeOperation are only available via the Ethernet safety interface from KSS/VSS 8.3 onwards. From KSS 8.3 and from motherboard D3236-K onwards: Board Package USB stick in the USB port.

Vulnerability details: Multiple vulnerabilities in KUKA KR C4

Vulnerable software versions
– KSS: All versions
– KR C4: before 8.7 (hardware)

For the possibility of this vulnerability, please refer to the attached diagram.

CISA security advisory: Please refer to the link – https://us-cert.cisa.gov/ics/advisories/icsa-21-208-01

Workaround: If no corrective action can be taken immediately, follow the vendor’s recommendation and install antivirus protection. Ikarus is the only antivirus KUKA has tested with the controller; the vendor does not recommend any other product for lack of testing.

CVE-2021-34432 Do not kill mosquitto (27th July, 2021)

Preface: Internet of Things (IoT) and machine-to-machine (M2M) technologies need to use a messaging and connectivity protocol in order to exchange information from a remote location.

Background: MQTT is a binary protocol built around commands and command acknowledgements: for most commands a client sends to the broker, the broker replies with an acknowledgement (a QoS 0 PUBLISH is the exception). It runs over TCP/IP, so first a TCP connection is established, then an MQTT connection (CONNECT/CONNACK), then the data transfer occurs, after which the TCP connection is terminated.

An MQTT broker is a server that receives all messages from the clients and then routes the messages to the appropriate destination clients.

Vulnerability details: In Eclipse Mosquitto versions 2.0.7 and earlier, the broker will crash if a client sends a PUBLISH packet with a topic length of 0.

Remedy: The design weakness was patched in version 2.0.8.

Client library: The mosquitto_{pub|sub}_topic_check() functions were also fixed, as they did not return MOSQ_ERR_INVAL when called with topic == NULL. They already returned MOSQ_ERR_INVAL when the topic string is too long; the NULL case was the missing check.
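The broker-side check that the crash implies, as an added example written for this post (it is not Mosquitto's code): a parser for the MQTT 3.1.1 PUBLISH packet that rejects a zero-length topic before anything else touches it, together with a pubTopicCheck() modelled on the client-library fix above. The packets are constructed by hand; MOSQ_ERR_SUCCESS and MOSQ_ERR_INVAL carry the numeric values from mosquitto.h, and rejecting an empty topic in pubTopicCheck() is this example's choice.

```javascript
// Added example, not Mosquitto's code: a parser for the MQTT 3.1.1 PUBLISH
// packet that rejects the zero-length topic the CVE describes, plus a
// pubTopicCheck() modelled on the client-library fix. Packets are constructed.
const MOSQ_ERR_SUCCESS = 0;
const MOSQ_ERR_INVAL = 3;   // values as in mosquitto.h

// Variable-length "remaining length" field: 1 to 4 bytes, 7 data bits each.
function readRemainingLength(buf, offset) {
  let multiplier = 1, value = 0, i = offset;
  for (;;) {
    if (i >= buf.length || i - offset >= 4) return null;
    const byte = buf[i++];
    value += (byte & 0x7f) * multiplier;
    if ((byte & 0x80) === 0) break;
    multiplier *= 128;
  }
  return { value, next: i };
}

// Like mosquitto_pub_topic_check() after the fix: NULL, empty, overlong or
// wildcard-bearing topics are invalid for a PUBLISH.
function pubTopicCheck(topic) {
  if (topic === null || topic === undefined || topic.length === 0) return MOSQ_ERR_INVAL;
  if (Buffer.byteLength(topic, 'utf8') > 65535) return MOSQ_ERR_INVAL;
  if (/[+#\u0000]/.test(topic)) return MOSQ_ERR_INVAL;
  return MOSQ_ERR_SUCCESS;
}

function parsePublish(buf) {
  if (buf.length < 2 || (buf[0] & 0xf0) !== 0x30) return { error: 'not a PUBLISH packet' };
  const qos = (buf[0] >> 1) & 0x03;
  if (qos === 3) return { error: 'invalid QoS' };
  const rl = readRemainingLength(buf, 1);
  if (rl === null || rl.next + rl.value !== buf.length) return { error: 'bad remaining length' };
  let pos = rl.next;
  if (rl.value < 2) return { error: 'truncated topic length' };
  const topicLen = buf.readUInt16BE(pos); pos += 2;
  // [MQTT-4.7.3-1]: a topic name must be at least one character long.
  if (topicLen === 0) return { error: 'zero-length topic' };
  if (pos + topicLen > buf.length) return { error: 'truncated topic' };
  const topic = buf.toString('utf8', pos, pos + topicLen); pos += topicLen;
  if (pubTopicCheck(topic) !== MOSQ_ERR_SUCCESS) return { error: 'invalid topic name' };
  let packetId = null;
  if (qos > 0) {
    if (pos + 2 > buf.length) return { error: 'truncated packet id' };
    packetId = buf.readUInt16BE(pos); pos += 2;
  }
  return { topic, qos, packetId, payload: buf.subarray(pos) };
}

// Constructed packets: the crashing one (topic length 0, payload "hi"),
// a normal QoS 0 publish to "a/b", and a QoS 1 publish with packet id 42.
const crashPacket = Buffer.from([0x30, 0x04, 0x00, 0x00, 0x68, 0x69]);
const goodPacket = Buffer.from([0x30, 0x07, 0x00, 0x03, 0x61, 0x2f, 0x62, 0x68, 0x69]);
const qos1Packet = Buffer.from([0x32, 0x09, 0x00, 0x03, 0x61, 0x2f, 0x62, 0x00, 0x2a, 0x68, 0x69]);

console.log(parsePublish(crashPacket)); // { error: 'zero-length topic' }
console.log(parsePublish(goodPacket));  // topic 'a/b', qos 0, payload 'hi'
console.log(parsePublish(qos1Packet));  // packetId 42
```

The order of checks matters: the length fields are validated against the buffer before any slice is taken, and the topic is validated before it is used for routing, which is where a broker that trusts the declared length ends up dereferencing nothing.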

Elasticsearch ECE 7.13.3 Database Disclosure (27th Jul 2021)

Preface: 3431 companies reportedly use Elasticsearch in their tech stacks, including Uber, Shopify, and Udemy.

Background: Elasticsearch is built on Lucene and is very fast and scalable for search operations. It is well suited to data analysis, logging, error monitoring and alerting, and can be used to search all kinds of documents.
Remark: Apache Lucene is a free and open-source search engine software library, originally written completely in Java by Doug Cutting.

Elasticsearch Service on Google Cloud Platform (GCP) became available in 2017, allowing customers to deploy the latest versions of Elasticsearch and Kibana, Elastic's continually expanding set of features (such as security, machine learning, Elasticsearch SQL, and Canvas), and solutions for logging and infrastructure.

Vulnerability details: All versions of Elastic Cloud Enterprise have the Elasticsearch “anonymous” user enabled by default in deployed clusters. Although in the default setting the anonymous user has no permissions and cannot successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Remedy: Vendor announcement, please refer to the link – https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180

Vulnerability reported to Apple in Feb 2021, yet it should make the digital world reconsider whether to keep using LibTIFF (26th July, 2021)

Preface: “Multiple vulnerabilities have been found in libTIFF, the worst of which may allow execution of arbitrary code.” That sentence dates from five years ago (2016). Has the library become the focus of vendors’ attention now?

Background: TIFF supports tag extensions, allowing more tags than the standard TIFF specification defines. For example, tag code 326 (hex 0x0146), BadFaxLines, is used in the TIFF-F standard and denotes the number of ‘bad’ scan lines encountered by the facsimile device.

Reference: Tag code 326 (BadFaxLines) – When using this tag in LibTIFF it is possible to have a type confusion vulnerability where LibTIFF attempts to read a mistyped argument off of the variable argument list.

Vulnerability details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. Crafted data in a TIFF image can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
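The check a reader wants against a mistyped tag, as an added example written for this post (it is not LibTIFF's code and not Apple's fix): a parser for a TIFF image file directory that compares each entry's on-disk type with the types the tag is allowed to have before interpreting its value. BadFaxLines (326) is defined by TIFF-F as LONG or SHORT; an entry that declares it with another type is refused rather than read as if it were numeric. The TIFF bytes are built in the example itself, and the allowed-type table covers only the tags the example uses.

```javascript
// Added example, not LibTIFF's code: parse a little- or big-endian TIFF IFD
// and refuse to interpret a tag whose declared type the tag does not allow.
// The allowed-type table is limited to the tags used here; the file bytes
// are constructed by buildTiff().
const TYPE_SIZE = { 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8 };
const SHORT = 3, LONG = 4, ASCII = 2;
const TAG_ALLOWED_TYPES = {
  256: [SHORT, LONG],  // ImageWidth (TIFF 6.0)
  257: [SHORT, LONG],  // ImageLength (TIFF 6.0)
  326: [SHORT, LONG],  // BadFaxLines (TIFF-F)
};

// Returns one record per IFD entry with a status instead of trusting the
// declared type: 'ok', 'type-mismatch', 'unknown-type' or 'out-of-line'.
function parseIFD(buf) {
  if (buf.length < 8) throw new Error('truncated header');
  const le = buf.toString('ascii', 0, 2) === 'II';
  const r16 = (o) => (le ? buf.readUInt16LE(o) : buf.readUInt16BE(o));
  const r32 = (o) => (le ? buf.readUInt32LE(o) : buf.readUInt32BE(o));
  if (r16(2) !== 42) throw new Error('not a TIFF');
  const ifd = r32(4);
  if (ifd + 2 > buf.length) throw new Error('IFD offset out of range');
  const n = r16(ifd);
  if (ifd + 2 + n * 12 + 4 > buf.length) throw new Error('IFD truncated');
  const entries = [];
  for (let i = 0; i < n; i++) {
    const o = ifd + 2 + i * 12;
    const tag = r16(o), type = r16(o + 2), count = r32(o + 4);
    const size = TYPE_SIZE[type];
    let status = 'ok', values = null;
    if (size === undefined) {
      status = 'unknown-type';
    } else if (TAG_ALLOWED_TYPES[tag] && !TAG_ALLOWED_TYPES[tag].includes(type)) {
      status = 'type-mismatch';          // the BadFaxLines case: do not read it
    } else if (size * count > 4) {
      status = 'out-of-line';            // value lives at an offset; not followed here
    } else {
      values = [];
      for (let k = 0; k < count; k++) {  // inline values are left-justified
        const vo = o + 8 + k * size;
        values.push(type === SHORT ? r16(vo) : type === LONG ? r32(vo) : buf[vo]);
      }
    }
    entries.push({ tag, type, count, status, values });
  }
  return entries;
}

// Build a minimal little-endian TIFF: header, one IFD, inline values only.
function buildTiff(entries) {
  const buf = Buffer.alloc(8 + 2 + entries.length * 12 + 4);
  buf.write('II', 0); buf.writeUInt16LE(42, 2); buf.writeUInt32LE(8, 4);
  buf.writeUInt16LE(entries.length, 8);
  entries.forEach(([tag, type, count, value], i) => {
    const o = 10 + i * 12;
    buf.writeUInt16LE(tag, o); buf.writeUInt16LE(type, o + 2); buf.writeUInt32LE(count, o + 4);
    if (type === SHORT) buf.writeUInt16LE(value, o + 8);
    else if (type === LONG) buf.writeUInt32LE(value, o + 8);
    else buf.writeUInt8(value, o + 8);
  });
  buf.writeUInt32LE(0, 10 + entries.length * 12); // no next IFD
  return buf;
}

// Constructed file: sane width and length, but BadFaxLines declared as ASCII.
const sampleTiff = buildTiff([[256, SHORT, 1, 1728], [257, LONG, 1, 2200], [326, ASCII, 1, 0x41]]);
console.log(parseIFD(sampleTiff)); // third entry: status 'type-mismatch', values null
```

The point is where the decision is made: the type is checked against the tag's contract once, when the directory is read, so no later code path has to guess what kind of argument it was handed.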

Remark: Reading TIFF pages as BufferedImages (for example with Java ImageIO) decompresses the stored images, which can need a lot of memory depending on their size: every pixel takes up 3 (RGB) or 4 (ARGB) bytes.

Vulnerability exploit path: Exploiting this vulnerability requires user interaction, and the target must visit a malicious page or open a malicious file.

Existing status: ZDI notified the vendor of the intention to publish the case as a 0-day advisory on 07/22/21.