Preface: Microsoft has assigned CVE-2021-34527 to PrintNightmare. CVE-2021-1675 is similar but distinct from CVE-2021-34527.

Background: There is a vulnerability nickname PrintNightmare. PrintNightmare is not the same as CVE-2021-1675, which was fixed in the patch in June. there is currently no patch available for PrintNightmare.

Technical Details: The vulnerability numbered CVE-2021-34527 is the same RCE vulnerability in Print Spooler as CVE-2021-1675 that has attracted attention this week. Microsoft explained that it was caused by improper execution of the file by the Print Spooler service. To exploit this vulnerability, the attacker must be an authenticated user and execute RpcAddPrinterDriverEx(). Successful miners can execute arbitrary code with SYSTEM privileges.

Microsoft has addressed this issue in the updates for CVE-2021-34527. However, the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1. For this reason, please consider the workarounds before Microsoft release the patch.

Workaround: Microsoft has listed several workarounds in their advisory for CVE-2021-34527. For more details, please refer to link.https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Preface: Artificial intelligence (AI) has the potential to overcome the physical limitations of capital and labor and open up new sources of value and growth.

Background: Apache Jena is a free and open source Java framework for building semantic web and Linked Data applications. The framework is composed of different APIs interacting together to process RDF data. Apache Jena Fuseki – SPARQL server which can present RDF data and answer SPARQL queries over HTTP.

Apache Jena Fuseki is a SPARQL server. It can run as a operating system service, as a Java web application (WAR file), and as a standalone server.

RDF is a standard for data interchange that is used for representing highly interconnected data. Each RDF statement is a three-part structure consisting of resources where every resource is identified by a URI. Representing data in RDF allows information to be easily identified. And interconnected by AI systems.

Vulnerability details: A vulnerability classified as problematic has been found in Apache Jena Fuseki up to 4.0.0. Affected is an unknown code block of the component HTML Page Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability.

Remediation: Users are advised to upgrade to Apache Jena 4.1.0 or later.

Preface: Similar vulnerability with another CVE record was announced on Feb 2021. Perhaps Citrix waiting for other vendor response and confirmation . Whereby, supculated that this is one of the possible factor of the announcement by the Citrix on Friday (25th June, 2021).

Background: How is memory allocated when recursive functions are called? Calling a function recursively is done just like any other function. So the memory will be allocated the same way as if you are calling any regular function.

Vulnerability Details: Two security issues (CVE-2021-3416 & CVE-2021-20257) have been identified in Citrix Hypervisor 8.2 LTSR, each of which may allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues only affect Citrix Hypervisor 8.2 LTSR.

Ref: A recursive function calls itself, so the memory for a called function is allocated on top of the memory allocated for calling the function. Remember, a different copy of local variables is created for each function call.
How is memory allocated when recursive functions are called?
Each recursive call pushes a new stack frame in that manner, then pops it when it returns. If the recursion fails to reach a base case, the stack will rapidly be exhausted leading to the eponymous Stack Overflow crash.

Official announcement – https://support.citrix.com/article/CTX316325

Preface: An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as `openssl[.]cnf’ in an unrestricted directory which would allow code to be executed with elevated privileges,” VMware said.

Background:

VMware App Volumes provides a system to deliver applications to desktops through virtual disks. Installing App Volumes involves installing the App Volumes Manager, App Volumes agents, and related components.
The installers for VMware Tools for Windows is built into VMware Workstation as ISO image files. The new features of VMware Tools for Windows (11.2.6) including OpenSSL version has been updated to 1.1.1k.
VMware Remote Console Open-source components have been updated, including jansson 2.10, libjpeg-turbo 2.0.5, libgksu 2.0.13, openssl 1.1.1h, pcre 8.44, sqlite 3.23.3, and rsvg 2.40.21.

Vulnerability details: VMware Tools for Windows (11.x.y prior to 11.2.6), VMware Remote Console for Windows (12.x prior to 12.0.1) , VMware App Volumes (2.x prior to 2.18.10 and 4 prior to 2103) contain a local privilege escalation vulnerability.

One of the possibilities: The vmware-vdiskmanager (command line utility) work with libeay32.dll[.] OpenSSL default of “[/]usr[/]local[/]ssl” is used in linux, but in windows it translates to c:[\]usr[\]local[\]ssl.

If a low privilege user creates the directory structure c:[\]usr[\]local[\]ssl[\], copies an openssl.cnf file and malicious .dll library inside it will result is arbitrary code execution when the command line (vmware-vdiskmanger) is executed. Furthermore, VDDK working with some of DLLs (ssleay32.dll, libeay32.dll, diskLibPlugin.dll) because VDDK needs to maintain state information and callback functions. Therefore, the privileges escalation vulnerability will be occurred.

Official announcement (CVE-2021-21999) – https://www.vmware.com/security/advisories/VMSA-2021-0013.html

Ref: There is another vulnerability on other products. VMware Carbon Black App Control update address authentication bypass (CVE-2021-21998) – https://www.vmware.com/security/advisories/VMSA-2021-0012.html

Preface: REST API has similar vulnerabilities as a web application. The possibilities will be from various threats, such as Man-in-the-Middle attacks, lack of XML encryptions, insecure endpoints, API URL parameters, ..etc.

Technical background: Cortex XSOAR is the Security Orchestration, Automation and Response (SOAR) solution from Palo AltoNetworks. Cortex XSOAR (formerly Demisto) is able to configuration with active API Key integrations. In Cortex XSOAR Server, you can add Integration.

1. Go to Cortex XSOAR, then to Settings -> Integrations, search for iLert integration and click on the Add instance button.

2. On the modal window, name the instance, paste the iLert API Key that that you generated in iLert and click on the Save & exit button.

Vulnerability details: The vulnerability exists due to an error in the REST API. A remote attacker can bypass authentication process and gain unauthorized access to the application.

Note: This vulnerability affects only to Cortex XSOAR configurations with active API key integrations.

Ref: Perhaps it can exploit IDOR vulnerability. For instance – The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If the application does not perform user verification, the attacker can access any user’s account or other methods.

Official announcements and remedies – https://security.paloaltonetworks.com/CVE-2021-3044

Preface: OPC UA Stack is not only vulnerable but also has a range of significant fundamental problems.

Background: The UA SDK is a C++ library that supports you in writing portable C++ OPC UA Servers and Clients. The UA SDK actually consists of two SDKs, a Server SDK and a Client SDK. Both use the same UA Base Library which does all the C++ encapsulation of the raw ANSI C types
that are defined in the OPC UA Communication Stack by the OPC Foundation.

Vulnerability details: OPC UA C++ SDK is vulnerable to a denial of service, caused by improper restriction of operations within
the bounds of a memory buffer. A remote attacker could exploit this vulnerability to cause the system to crash.

In the OPC UA Stack. OPC Foundation developers provide libraries that are essentially a set of exported functions based on a specification, similar to an API.
In this vulnerability, the exported library functions don’t properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations.

Remedy: Click here to download the latest software package from the Softing website. https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks.html

ICS Advisory (ICSA-21-168-02) – https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02