All posts by admin

MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location – 25th Apr 2021

Preface: Similar design concepts rely on OpenSSL, and it is not news to encounter vulnerabilities there. This time it is just a case of “old wine in new bottles”.

Background: MySQL for Windows is built from source using MinGW, and therefore it finds itself looking at sub-directories of ‘C:/usr/local’, which may be world writable. This enables untrusted users to modify OpenSSL’s default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc.

For OpenSSL 1.0.2, ‘/usr/local/ssl’ is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds.

Vulnerability details: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. For more details, please refer to the following link https://kb.cert.org/vuls/id/567764

Reference: The latest release of MySQL (version 8.0) has several new features, including the incorporation of a transactional data dictionary that stores information about database objects. In addition, Atomic DDL (atomic data definition statements) allows statements to combine data dictionary updates, storage engine operations and binary log writes associated with a DDL operation into a single, atomic transaction.

Security Focus – CVE-2021-2200: Oracle Applications Framework Homepage component vulnerability – 21st Apr 2021

Background: OA Framework is based on a J2EE technology called BC4J (Business Components for Java). The OA Framework is a Model-View-Controller (MVC) framework built using J2EE (Java 2 Platform, Enterprise Edition) technologies.

Vulnerability details: According to CVE-2021-2200, the vulnerability occurs on the homepage. For the benefit of the customer, Oracle will not announce the root cause to the public. However, it reminds me that a design weakness occurred in the same place in the past (see below):

“If the ICX session expires before the Jserv session, the user will be presented with a login page even though the Jserv session is still active. If the user logs back in before the Jserv session expires, they will see the old state of their middle-tier transaction.”

Perhaps this new vulnerability is different. It has a high CVSS score (9.1) and allows remote exploitation without authentication. But the vendor does not provide the root cause, so we must wait for the official announcement.

Oracle security alerts: please refer to link https://www.oracle.com/security-alerts/cpuapr2021.html

Reference: ICX: Session Timeout – Use this profile option to enforce an inactivity time-out. If a user performs no Oracle E-Business Suite operation for a time period longer than the time-out value (specified in minutes), the user’s session is disabled. The user is provided an opportunity to re-authenticate and re-enable a timed-out session. If re-authentication is successful, the session is re-enabled and no work is lost. Otherwise, Oracle E-Business Suite exits without saving pending work. If this profile option is set to 0 or NULL, then user sessions will never time out due to inactivity.

VMware announcement – guest1 and guest2 user accounts design weakness (CVE-2021-21981) – 20th Apr, 2021

Preface: From a security perspective, what is the difference between configuration errors and vulnerabilities? Perhaps the potential impact is the same if a privilege control function is involved.

Product background: NSX-T Data Center supports cloud-native applications, bare metal workloads, multi-hypervisor environments, public clouds, and multiple clouds. NSX-T aims to protect applications with workload-level micro-segmentation and sophisticated security. Regardless of the physical network topology within and between the data center and the native public cloud, the network and security principles can be managed in a consistent manner.

Vulnerability details: The official announcement said that a privilege escalation vulnerability in VMware NSX-T was privately reported to VMware. However, when you read the old version of the document, it states that for a cloud environment with NSX, the guest user accounts are displayed as cloud_admin and cloud_audit, are inactive, and have the Cloud Admin and Cloud Operator default roles. This is correct. Or is it?

The official details link is here https://www.vmware.com/security/advisories/VMSA-2021-0006.html

A design weakness in the DNS module of Siemens Nucleus products involves the WRECK loophole – 19th April, 2021

Preface: The DNS Client is capable of resolving the IP address of a host from the host’s name. It does this by sending DNS requests to a DNS Server. The IP address of a DNS Server is specified in the network interface configuration file or can be obtained from the DHCP Server for the Local Area Network.

Product background: Nucleus RTOS is a proven, reliable, and fully optimized RTOS. Nucleus has been successfully deployed in highly demanding markets with rigorous safety and security requirements such as industrial systems, medical devices, airborne systems, automotive and more.

Vulnerability details: The DNS domain name label parsing functionality does not properly validate the names in DNS responses. When a DNS packet carries a compression offset such that the parser jumps back to the same compression pointer (a pointer loop), the TCP/IP stack will reach a Denial-of-Service condition. For more details, please refer to the official announcement – https://cert-portal.siemens.com/productcert/pdf/ssa-705111.pdf

Workarounds: Avoid using the DNS client of affected versions. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs).

About WRECK DNS vulnerabilities – 15th Apr 2021

Background: DNS security awareness was awakened a few years ago, when an expert used a simple tool (DNSsteal) in a demonstration showing how a little-known DNS feature could be exploited. In April 2021, a cyber security product vendor, together with security experts, announced a previously unknown TCP/IP stack weakness in IoT devices. The difference between the DNS misuse (DNSsteal) and the technical problem announced by the vendor this month is that this time it is a design weakness of the IoT TCP/IP stack itself.

Vulnerability details: The so-called WRECK flaws affect at least four common TCP/IP stacks (FreeBSD, IPNet, NetX, and Nucleus NET) that are used in the Internet of Things (IoT). The specific flaws could be abused to perform denial of service (DoS) attacks, to execute code remotely, or to take victim devices offline. For details, please refer to link – https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/
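Both the Siemens Nucleus post above and this WRECK summary describe the same failure mode: a DNS name decoder that follows a compression pointer back to a place it has already visited and never terminates. The following is an added example, not code from Siemens, Forescout or this blog, of how a defensive decoder rejects that case. It implements RFC 1035 name compression in plain Python; the packet bytes (GOOD, LOOP, SELF) are constructed for the demonstration, with twelve zero bytes standing in for the DNS header, and the function and error names are my own.

```python
from __future__ import annotations

MAX_NAME_LEN = 255    # RFC 1035 limit on a whole encoded name
MAX_LABEL_LEN = 63    # RFC 1035 limit on a single label


class DnsNameError(ValueError):
    """Raised for malformed or hostile name encodings."""


def read_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly-compressed name starting at `offset`.

    Returns (dotted_name, offset_where_the_caller_resumes).  Hardening:
      * a compression pointer must point strictly backwards, so the walk
        can only move towards the start of the packet;
      * every pointer target is remembered, so a loop (the "jumps back to
        the same compression pointer" case) is rejected explicitly;
      * label and total name lengths are capped at the RFC 1035 limits.
    """
    labels: list[str] = []
    total = 0
    visited: set[int] = set()
    resume: int | None = None
    pos = offset
    while True:
        if pos >= len(packet):
            raise DnsNameError("name runs past end of packet")
        length = packet[pos]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: compression pointer
            if pos + 1 >= len(packet):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | packet[pos + 1]
            if resume is None:                      # first pointer ends the name's own bytes
                resume = pos + 2
            if target >= pos:
                raise DnsNameError(f"pointer at {pos} does not point backwards ({target})")
            if target in visited:
                raise DnsNameError(f"compression pointer loop via offset {target}")
            visited.add(target)
            pos = target
            continue
        if length & 0xC0:                           # 01xxxxxx / 10xxxxxx are reserved
            raise DnsNameError("reserved label type")
        if length == 0:                             # root label ends the name
            return ".".join(labels) or ".", (resume if resume is not None else pos + 1)
        if length > MAX_LABEL_LEN:
            raise DnsNameError("label longer than 63 bytes")
        total += length + 1
        if total > MAX_NAME_LEN:
            raise DnsNameError("name longer than 255 bytes")
        if pos + 1 + length > len(packet):
            raise DnsNameError("label runs past end of packet")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def check_name(packet: bytes, offset: int) -> str:
    """Return 'ok' or the rejection reason; convenient for regression runs."""
    try:
        read_name(packet, offset)
        return "ok"
    except DnsNameError as exc:
        return str(exc)


# Constructed samples (12 zero bytes stand in for the DNS header).
GOOD = (b"\x00" * 12
        + b"\x07example\x03com\x00"      # offsets 12..24: example.com
        + b"\x03www\xc0\x0c")             # offsets 25..30: www + pointer to offset 12
LOOP = b"\x00" * 12 + b"\x03www\xc0\x0c"  # pointer at 16 -> 12 -> 'www' -> pointer at 16 again
SELF = b"\x00" * 12 + b"\xc0\x0c"         # pointer at 12 that points to itself

if __name__ == "__main__":
    print(read_name(GOOD, 12), read_name(GOOD, 25))
    print(check_name(LOOP, 12))
    print(check_name(SELF, 12))
```

The strictly-backwards rule alone already makes the walk finite, because each jump moves the cursor closer to offset 0; the visited set is kept anyway so that a loop is reported by name rather than surfacing as some other error, which is what you want when triaging fuzzer output from an embedded stack.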

My Comment: This IoT vulnerability crisis has awakened IoT vendors to enhance their IoT access control functions and to build trusted connection functions towards external peers, so that abnormal traffic cannot connect to your device and the risk is reduced. Perhaps DNS protection should also be provided by the service provider at the same time.

Security Focus – About SAP Releases April 2021 Security Updates – 15th Apr 2021

As usual, by vendor decision, the vendor is not going to release the details of the design weakness. In my opinion, understanding the details would enhance your system and infrastructure defense mechanisms. Below is my personal comment on this specific vulnerability.

Vulnerability details: CVE-2021-21481 – The MigrationService, which is part of SAP NetWeaver, does not perform an authorization check allowing an unauthorized attacker to access configuration objects, including such that grant administrative privileges.

Since SAP uses an explicit authorization model, an authority check must be coded in order to be executed. If an explicit check is not coded, all users have access.

Reference: Explicit authentication bypass (whitelist). The filter architecture will, by default, provide an “always-on” authentication approach. This sets up the system for an explicit whitelist.
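To make the difference between the two models concrete, here is an added example in Python, not SAP code and not from the original post. It contrasts a framework where an omitted check silently means "everyone" with a registry that refuses to expose any handler that has not declared an authorization rule. The role name CONFIG_ADMIN, the handler names read_config and migrate_config, and the service classes are hypothetical names chosen for the demonstration.

```python
from __future__ import annotations
from functools import wraps


class AuthorizationError(PermissionError):
    pass


class User:
    def __init__(self, name: str, roles) -> None:
        self.name, self.roles = name, frozenset(roles)


def requires(role: str):
    """Explicit authority check: the coded equivalent of an AUTHORITY-CHECK."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if role not in user.roles:
                raise AuthorizationError(f"{user.name} lacks {role} for {fn.__name__}")
            return fn(user, *args, **kwargs)
        wrapper.required_role = role        # makes the rule discoverable at registration
        return wrapper
    return deco


class ImplicitAllowService:
    """Framework style where a handler with no check is reachable by everyone."""
    def __init__(self) -> None:
        self.handlers = {}

    def register(self, name: str, fn) -> None:
        self.handlers[name] = fn

    def call(self, user: User, name: str, *args):
        return self.handlers[name](user, *args)


class DenyByDefaultService(ImplicitAllowService):
    """Explicit whitelist: registration fails unless the handler carries a rule."""
    def register(self, name: str, fn) -> None:
        if not hasattr(fn, "required_role"):
            raise ValueError(f"handler {name!r} declares no authorization rule; refusing to expose it")
        super().register(name, fn)


# Two hypothetical handlers: one guarded, one where the check was forgotten.
@requires("CONFIG_ADMIN")
def read_config(user: User, key: str) -> str:
    return {"db.password": "***", "log.level": "INFO"}[key]


def migrate_config(user: User, key: str) -> str:   # no check coded: the bug under implicit-allow
    return f"migrated {key}"


def demo() -> dict[str, str]:
    """Run both services against an admin and an unprivileged user; return what happened."""
    alice = User("alice", ["CONFIG_ADMIN"])
    bob = User("bob", [])
    results: dict[str, str] = {}

    implicit = ImplicitAllowService()
    implicit.register("read", read_config)
    implicit.register("migrate", migrate_config)       # accepted: nobody notices the missing check
    results["bob_migrate_implicit"] = implicit.call(bob, "migrate", "log.level")
    try:
        implicit.call(bob, "read", "log.level")
        results["bob_read"] = "allowed"
    except AuthorizationError:
        results["bob_read"] = "denied"

    strict = DenyByDefaultService()
    strict.register("read", read_config)
    try:
        strict.register("migrate", migrate_config)     # refused at build time, not found in production
        results["strict_register_migrate"] = "accepted"
    except ValueError:
        results["strict_register_migrate"] = "refused"
    results["alice_read_strict"] = strict.call(alice, "read", "log.level")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the deny-by-default registry is that the missing check becomes a startup failure that a developer sees, rather than an authorization bypass that a reviewer has to find by reading every handler.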

Impact: Since the failure is related to incorrect authorization, the risk will depend on the environment.

Official announcement: Please refer to link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649

MS Exchange Precautions – (13th Apr 2021)

Preface: A named pipe is just a file on the filesystem used for I/O through SMB.

Background: Outlook Web App is hosted on the Client Access Server role for Exchange Server and integrated with IIS. An Internet Information Services (IIS) worker process is a Windows process (w3wp.exe) which runs web applications, and is responsible for handling requests sent to a web server for a specific application pool. Suppose an attacker uses a web application, uploads a web shell, and executes a simple ping command. The execution process should be as follows:
– services.exe spawns svchost.exe (with -k iissvcs)
– svchost.exe spawns w3wp.exe (with parameters naming the application pool, config file, etc.)
– w3wp.exe spawns cmd.exe
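That parent/child chain is exactly what a detection rule can key on: a command shell whose direct parent is the IIS worker process. The following is an added example, not from Microsoft or the original post, that walks process-creation records and reports such shells together with their full lineage. The records are constructed to resemble Sysmon Event ID 1 fields (pid, ppid, image, command line) and are not real telemetry; in production you would key on a process GUID rather than a reusable pid.

```python
from __future__ import annotations
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}   # children worth flagging under w3wp.exe


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names are assumed, Sysmon-like)."""
    pid: int
    ppid: int
    image: str       # full path of the new process
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcEvent, index: dict[int, ProcEvent]) -> list[ProcEvent]:
    """Return [event, parent, grandparent, ...]; stops at unknown pids or cycles."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain


def find_iis_spawned_shells(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Flag shells whose direct parent is the IIS worker process; report the lineage."""
    index = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SHELLS:
            continue
        names = [basename(c.image) for c in ancestry(e, index)]
        if len(names) >= 2 and names[1] == "w3wp.exe":
            hits.append((e.pid, " <- ".join(names)))
    return hits


# Constructed sample records mirroring the chain described in the post.
SAMPLE_EVENTS = [
    ProcEvent(600, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(1200, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k iissvcs"),
    ProcEvent(3400, 1200, r"C:\Windows\System32\inetsrv\w3wp.exe",
              'w3wp.exe -ap "ExampleAppPool" -v "v4.0"'),
    ProcEvent(5100, 3400, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 192.0.2.1"),
    # Benign shell whose parent is not in the index: must not be flagged.
    ProcEvent(5200, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for pid, lineage in find_iis_spawned_shells(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {lineage}")
```

Reporting the whole lineage, not just the immediate parent, lets an analyst confirm the svchost.exe -k iissvcs hop from the post and distinguishes a genuine IIS-spawned shell from a lookalike w3wp.exe started from somewhere else.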

Direction v2 – Remediation of MS Exchange vulnerabilities:
On April 13, 2021, Microsoft released a software update to mitigate significant vulnerabilities that affect on-premises Exchange Servers 2013, 2016, and 2019. These vulnerabilities are different from the ones disclosed and fixed in March 2021 – the security updates released in March 2021 will not remediate these vulnerabilities. So you should pay attention to Microsoft announcements. When a patch is released, it is recommended to apply it.

Official details: https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2

Status update: Released: April 2021 Exchange Server Security Updates – https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617

RIOT-OS 2021.01 Precautions (CVE-2021-27697, CVE-2021-27698 & CVE-2021-27357) – 13th Apr 2021

Preface: RIOT is a low-memory operating system suitable for IoT devices. It is open source software released under LGPLv2.

Background: RPL (Routing Protocol for Low-Power and Lossy Networks) is a routing protocol for wireless networks with low power consumption and generally susceptible to packet loss. It is a proactive protocol based on distance vectors and operates on IEEE 802.15.

Vulnerability details: RPL is a distance vector routing protocol based on the construction of a directed acyclic graph (DAG). Existing Routing Protocols for Low Power and Lossy Networks (RPL) are considered lightweight and secure routing protocols for IoT devices, which offer only a slight safeguard against innumerable forms of RPL routing attacks. Unfortunately, due to design weaknesses, a total of 3 vulnerabilities were found in the RPL function. All of them trigger a buffer overflow. For more details, please refer to the links below:

CVE-2021-27697: RIOT-OS 2021.01 contains a buffer overflow vulnerability in sys/net/gnrc/routing/rpl/gnrc_rpl_validation.c through the gnrc_rpl_validation_options() function – https://nvd.nist.gov/vuln/detail/CVE-2021-27697

CVE-2021-27698: RIOT-OS 2021.01 contains a buffer overflow vulnerability in /sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c through the _parse_options() function – https://nvd.nist.gov/vuln/detail/CVE-2021-27698

CVE-2021-27357: RIOT-OS 2021.01 contains a buffer overflow vulnerability in /sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c – https://nvd.nist.gov/vuln/detail/CVE-2021-27357
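All three entries concern the parsing of RPL control-message options, which are type-length-value records (RFC 6550 section 6.7). The following is an added example, not RIOT-OS code and not from the original post, of an option walker that checks every Option Length against what actually remains in the buffer, and checks fixed-size options against their RFC-defined size, before any byte is copied. It is written in Python for illustration; the option bytes (VALID, OVERRUN, UNDERSIZED) are constructed, and the error class and function names are my own.

```python
from __future__ import annotations

# RPL control-message option types, RFC 6550 section 6.7
PAD1 = 0x00
PADN = 0x01
DAG_METRIC_CONTAINER = 0x02
ROUTE_INFORMATION = 0x03
DODAG_CONFIGURATION = 0x04
RPL_TARGET = 0x05
TRANSIT_INFORMATION = 0x06
SOLICITED_INFORMATION = 0x07
PREFIX_INFORMATION = 0x08

# Fixed-size options whose Option Length must match exactly (RFC 6550 6.7.6, 6.7.9, 6.7.10).
FIXED_LENGTH = {DODAG_CONFIGURATION: 14, SOLICITED_INFORMATION: 19, PREFIX_INFORMATION: 30}


class RplOptionError(ValueError):
    pass


def parse_rpl_options(buf: bytes) -> list[tuple[int, bytes]]:
    """Walk the option list of a DIO/DAO/DIS body and return (type, value) pairs.

    Every length is validated against the remaining buffer before the value is
    touched, and fixed-size options are refused if their length does not match
    the structure they will be copied into.  Either check failing is exactly the
    condition under which an unchecked memcpy into a fixed struct overflows.
    """
    opts: list[tuple[int, bytes]] = []
    pos, n = 0, len(buf)
    while pos < n:
        opt_type = buf[pos]
        if opt_type == PAD1:              # single byte, no length field
            pos += 1
            continue
        if pos + 2 > n:
            raise RplOptionError(f"option header truncated at offset {pos}")
        opt_len = buf[pos + 1]
        remaining = n - pos - 2
        if opt_len > remaining:
            raise RplOptionError(f"option type {opt_type} claims {opt_len} bytes but only {remaining} remain")
        expected = FIXED_LENGTH.get(opt_type)
        if expected is not None and opt_len != expected:
            raise RplOptionError(f"option type {opt_type} must be {expected} bytes, got {opt_len}")
        opts.append((opt_type, bytes(buf[pos + 2:pos + 2 + opt_len])))
        pos += 2 + opt_len
    return opts


def check_options(buf: bytes) -> str:
    """Return 'ok' or the rejection reason, for regression-style checks."""
    try:
        parse_rpl_options(buf)
        return "ok"
    except RplOptionError as exc:
        return str(exc)


# Constructed samples.
VALID = (bytes([PADN, 2, 0, 0])                       # PadN, two bytes of padding
         + bytes([DODAG_CONFIGURATION, 14]) + bytes(14)
         + bytes([PAD1]))
OVERRUN = bytes([DODAG_CONFIGURATION, 14]) + bytes(6)      # claims 14 bytes, only 6 follow
UNDERSIZED = bytes([DODAG_CONFIGURATION, 4]) + bytes(4)    # well-formed TLV, too small for the struct

if __name__ == "__main__":
    print(parse_rpl_options(VALID))
    print(check_options(OVERRUN))
    print(check_options(UNDERSIZED))
```

The undersized case is the one that is easy to forget: the TLV itself is consistent with the buffer, so a pure bounds check passes, yet a parser that then reads 14 bytes of DODAG configuration fields out of a 4-byte value is still reading past the option.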

CVE-2021-30485 – A technical defect was found in ezxml 0.8.6 (11th Apr, 2021)

Preface: ezXML (XML Parsing C Library, version 0.8.5) is a C library for parsing XML documents, inspired by SimpleXML for PHP. According to statistics by W3Techs, PHP is used by 79.2% of all websites as their primary server-side programming language.

Background: In an XML file, there are both tags and text. The tags provide the structure to the data. The text in the file that you wish to store is surrounded by these tags, which adhere to specific syntax guidelines. An XML parser is a software library or package that provides an interface for client applications to work with XML documents. It checks for the proper format of the XML document and may also validate it.

Vulnerability details: An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd(), while parsing a crafted XML file, performs incorrect memory handling, leading to a NULL pointer dereference while running strcmp() on a NULL pointer.

Consequences: Running a program that contains a NULL pointer dereference generates an immediate segmentation fault error. This defect may manifest itself as a program crash, or be transformed into a software exception that can be caught by program code.

For more details, please refer to link https://nvd.nist.gov/vuln/detail/CVE-2021-30485

CVE-2021-28166 (Eclipse Mosquitto) – When a small hole appears in the dam, you should fix it immediately – 7-Apr-2021

Preface: The two main changes to the CONNACK message between MQTTv3.1.1 and MQTTv5 are the enhanced reason codes and the properties field.

Background: MQTT is an OASIS standard messaging protocol for the Internet of Things (IoT). It is designed as an extremely lightweight publish/subscribe messaging transport that is ideal for connecting remote devices with a small code footprint and minimal network bandwidth. Furthermore, the MQTT CONNECT and response messages (CONNACK) have been greatly enhanced in MQTTv5 with the addition of the properties field. The properties field allows for a large increase in the information that can be exchanged between client and server on connection establishment compared to MQTT v3.1.1.

Vulnerability details: In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur. Null-pointer dereferences result in the crash of the process. But if an attacker can intentionally trigger a null pointer dereference, the attacker might be able to use the resulting exception to bypass security logic.
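CONNACK is a packet a broker sends, never one it should receive, so the cheapest defence is to validate the packet type against the direction of flow before any type-specific code runs. The following is an added example, not Mosquitto code and not from the original post, of a broker-side fixed-header check in Python: it decodes the MQTT fixed header (type, flags, remaining length), refuses server-to-client packet types arriving from a client, and verifies the remaining length against the bytes actually present. The direction table follows Table 2-1 of the MQTT v5 specification; the sample packets are constructed, and the function names are my own.

```python
from __future__ import annotations

PACKET_NAMES = [None, "CONNECT", "CONNACK", "PUBLISH", "PUBACK", "PUBREC", "PUBREL",
                "PUBCOMP", "SUBSCRIBE", "SUBACK", "UNSUBSCRIBE", "UNSUBACK",
                "PINGREQ", "PINGRESP", "DISCONNECT", "AUTH"]
(CONNECT, CONNACK, PUBLISH, PUBACK, PUBREC, PUBREL, PUBCOMP, SUBSCRIBE, SUBACK,
 UNSUBSCRIBE, UNSUBACK, PINGREQ, PINGRESP, DISCONNECT, AUTH) = range(1, 16)

# Packet types a broker may legitimately receive from a client (MQTT v5, Table 2-1).
CLIENT_TO_SERVER = {CONNECT, PUBLISH, PUBACK, PUBREC, PUBREL, PUBCOMP,
                    SUBSCRIBE, UNSUBSCRIBE, PINGREQ, DISCONNECT, AUTH}
# Fixed-header flag nibble required for non-PUBLISH packets (0 unless listed here).
REQUIRED_FLAGS = {PUBREL: 0x2, SUBSCRIBE: 0x2, UNSUBSCRIBE: 0x2}


class MqttError(ValueError):
    pass


def decode_remaining_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode the MQTT variable byte integer at buf[pos]; return (value, bytes_used)."""
    multiplier, value, used = 1, 0, 0
    while True:
        if pos + used >= len(buf):
            raise MqttError("truncated remaining length")
        byte = buf[pos + used]
        used += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, used
        if multiplier > 128 ** 2:            # a fifth continuation byte is malformed
            raise MqttError("malformed remaining length")
        multiplier *= 128


def broker_accept(packet: bytes) -> tuple[str, str]:
    """Decide whether a broker should dispatch this inbound packet.

    Returns (packet_name, 'ok') or (packet_name, 'reject: reason').  A real
    broker closes the connection on any reject instead of dispatching.
    """
    if not packet:
        raise MqttError("empty packet")
    ptype, flags = packet[0] >> 4, packet[0] & 0x0F
    name = PACKET_NAMES[ptype] if ptype else "RESERVED"
    if ptype not in CLIENT_TO_SERVER:
        return name, f"reject: {name} is not a client-to-server packet type"
    if ptype != PUBLISH and flags != REQUIRED_FLAGS.get(ptype, 0):
        return name, f"reject: invalid fixed-header flags {flags:#x}"
    remaining, used = decode_remaining_length(packet, 1)
    present = len(packet) - 1 - used
    if remaining != present:
        return name, f"reject: remaining length {remaining} does not match {present} bytes present"
    return name, "ok"


# Constructed sample packets.
CONNECT_V5 = b"\x10\x10\x00\x04MQTT\x05\x02\x00\x3c\x00\x00\x03abc"   # clean-start CONNECT, client id "abc"
CONNACK_FROM_CLIENT = b"\x20\x03\x00\x00\x00"                        # v5 CONNACK, success, no properties
PINGREQ_PKT = b"\xc0\x00"
TRUNCATED = b"\x10\x10\x00\x04MQTT"                                  # claims 16 bytes, carries 6
BAD_FLAGS = b"\x80\x00"                                              # SUBSCRIBE with flags 0 instead of 2

if __name__ == "__main__":
    for pkt in (CONNECT_V5, CONNACK_FROM_CLIENT, PINGREQ_PKT, TRUNCATED, BAD_FLAGS):
        print(broker_accept(pkt))
```

Rejecting on direction before dispatch means the CONNACK handler, and any per-connection state it expects to exist, is simply never reached for an inbound packet, which removes the whole class of "handler assumes a structure the other side never set up" bugs rather than patching one NULL check.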

Official announcement: Please refer to link – https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608