Background: You can refer to Amazon’s Creating an IAM User in Your AWS Account page to create this IAM user. Once this is done, you can add new credentials of type Aws Credentials (specifying your Access key ID and a Secret access key).Whereby it can store Amazon IAM access keys (AWSAccessKeyId and AWSSecretKey) within the Jenkins Credentials.

Vulnerability details: Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

One of the possible reasons: In Java, the java. lang. NullPointerException is thrown when a reference variable is accessed (or de-referenced) and is not pointing to any object. This error can be resolved by using a try-catch block or an if-else condition to check if a reference variable is null before dereferencing it.

Impact: the attacker might be able to use the resulting exception to bypass security logic.

Official announcement – https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2032

Preface: The Secure Development Lifecycle – From requirements to design, coding to test, the SDL strives to build security into a product or application at every step in the development process.

Background: VMware View Planner is a workload generator that simulates typical user operations such as typing in Microsoft Word, playing a PowerPoint slideshow, reading Outlook emails, browsing PDF and Web pages and watching video.

Vulnerability details: The VMware View Planner Web management interface has an entry for uploading log function files.
The path of the log file written without authentication is user-controllable.
By overwriting the uploading log function file by crafted python script, RCE can be realized.

Remedy: Official details refer to link – https://www.vmware.com/security/advisories/VMSA-2021-0003.html

Synopsis: The package xmlhttprequest before 1.7.0 had vulnerability occurs. The CVE-2020-28502 was published on 5th March, 2021.

Background: node-XMLHttpRequest is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object.
This can be used with JS designed for browsers to improve reuse of code and allow the use of existing libraries.

Vulnerability details: This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Official details: https://nvd.nist.gov/vuln/detail/CVE-2020-28502

Current status: There is no fixed version for org.webjars.npm:xmlhttprequest-ssl.

Hints: Enhance preventive and detective control.Using something like filter (example ^\w+) base on speical chars will be allowed. Such as regular expression.

Preface: F5 network products are commonly deployed in data center and on-premises Internet facing infrastructure.

Background: F5 Network’s Traffic Management Operating System (TMOS) is not a separate operating system. It is the software foundation for all of F5’s network or traffic (not data) products including both physical or virtual platform. TMM is the core component of TMOS as it handles all network activities and communicates directly with the network switch hardware (or vNICs for VE (Virtual Edition)). TMM also controls communications to and from the HMS. Local Traffic Manager (LTM) and other modules run within the TMM.

Vulnerability details: Vulnerability found allow attacker use of uninitialized memory. Uninitialized memory means reading data from the buffer that was allocated but not filled with initial values. It means that the data are starting to be used before they are initialized. Finally using `wrapped_umem_alloc` for heap allocations, it will also lead to a direct crash of the TMM due to the heap buffer overflow.

Official announcement: https://support.f5.com/csp/article/K56715231

Preface: From technical point of view, attacker cast the returned void* to an int* and start using it. It is one of the modern cyber attack technique.

Background: Attacker would have to overwrite the return address to an address such as ”…………….“ where there would be a “JMP RSP” instruction, and continue with their shellcode after this address. In such a way let some hardening system appliance also become vulnerable. Can we say this is a design weakness of coding? Or whether is the memory protection not been enough.

Technical details: The F5 BIG-IP offers many programmable interfaces, from control-plane to data-plane.
iControl REST – REST-based API for imperative configuration and service control of BIG-IP from remote applications.
iControl (SOAP) – SOAP-based API for imperative configuration and service control of BIG-IP from remote applications.

Vulnerability details:

CVE-2021-22986 – The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical)
CVE-2021-22987 – When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical)

Official announcement: https://support.f5.com/csp/article/K02566623

Preface: In SAP Business Client history, rare to offer a Chromium web browser control based on CefSharp (CEF – Open Source Version of Google Chrome) as an alternative rendering engine to Microsoft IE. In 2018, the dream come true happened.

SAP business clinet software technical background: If local client web browser not work, SAP client software will enforce the default browser control falls back to Internet Explorer. Unfortunately, Chrome Vulnerability is being exploited in the wild. According to CVE-2021-2116, a remote attacker could exploit some of these vulnerabilities to trigger denial of service, remote code execution, security restriction bypass and sensitive information disclosure on the targeted system.

Reference: When Chrome OS is vulnerable to malicious extensions by bad 3rd party apps programming. It can also put your system at risk if you choose to run an extension “unsandboxed.”

Official announcement : (SAP Security Patch Day – March 2021) – please refer to the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107

Preface: SaltStack was acquired by VMware on October 13, 2020. All SaltStack commercial information can be found on VMware.com. For the Salt open source project, visit saltproject.io

Background: SaltStack is a configuration management and orchestration tool. It uses a central repository to configure new servers and other IT infrastructure in Cloud computing environment. It can make changes to existing servers and computing devices and install software in the system environment. It allow to manage and scale cloud infrastructure with no downtime or interruptions.
There are 139 companies reportedly use Salt in their tech stacks, including Robinhood, Lyft, and LinkedIn.

Official announcement: All related vulnerabilities and remediation can be found in this link – https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Security Focus: Modern system architecture design will simplifies the synchronization process in order to update the whole system infrastructure. For example: Blockchain will relies on Atomic Broadcast update all the network. Furthermore, SaltStack can be synchronizing all (minions) of this command (salt * saltutil.sync_all). If access control not in correct way. It will impact by vulnerability found on this time. CVE-2021-25281 – salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. So we must staying alert!