Preface: As we know, some tools in the digital world will jeopardize the Windows operating system. This week (November 8, 2022) when we shift our focus to Microsoft Security Alerts. There is an attack scenario similar to CVE-2022-41113. The vendor will not disclose details due to security reasons. But the technical details below will wake you up.

Background: Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
Domain, local usernames, and passwords that are stored in the memory space of a process are named LSASS (Local Security Authority Subsystem Service).

Vulnerability details: This week (November 8, 2022) when we shift our focus to Microsoft Security Alerts. There is an attack scenario similar to CVE-2022-41113. The vendor will not disclose details due to security reasons. But the technical details below will wake you up.

Assigner: Microsoft
Published: 2022-11-09

Updated: 2022-11-09
Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability.

One of the possible paths an attacker would take.
Mimikatz, how it collect Windows passwords, credentials
One way to avoid being blocked by antimalware is to use the Invoke-Mimikatz PowerShell module, which enables an attacker running PowerShell, Microsoft’s task automation framework, to load and execute Mimikatz remotely without needing to write the executable to the targeted system’s disk.

Run Mimikatz and use the following commands to extract credentials from your LSASS Dump file:
mimikatz # sekurlsa::minidump lsass[.]DMP
mimikatz # log lsass[.]txt
mimikatz # sekurlsa::logonPasswords

Remedy:

• On x86-based or x64-based devices using Secure Boot and UEFI or not
• enable LSA protection on a single computer
• Using Local Group Policy on Windows 11, 22H2 (Configure LSASS to run as a protected process)

Official announcement: Please refer to the link for details – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41113

Preface: HTTP request smuggling exploits the inconsistency in parsing non-RFC-compliant HTTP requests via two HTTP devices (backend server and afront-end proxy). When attacker successful inject a malicious HTTP request into the web server, bypassing internal security controls. This can allow the attacker to:

• Gain access to protected resources, such as admin consoles
• Gain access to sensitive data
• Hijack sessions of web users
• Launch cross-site scripting (XSS) attacks without requiring any action from the user
• Perform credential hijacking

Background: RDP Proxy is capable providing RDP features. Users can access the remote desktops through the Citrix Gateway appliance.The design consists of the following:

1. Deployment through clientless VPN: In this mode the RDP links are published on the Gateway home page or portal, as bookmarks, through the add vpn url configuration or through an external portal. The user can click these links to get access to the Remote Desktop.
2. Deployment through ICA Proxy: In this mode a custom home page is configured on the Gateway VIP by using the wihome parameter.This home page can be customized with the list of Remote desktop resources that the user is allowed to access. This custom page can be hosted on Citrix ADC, or if external, it can be an iFrame in the existing Gateway portal page.

Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible.Design weakness impact the following product versions:

• Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
• Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
• Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21
• Citrix ADC 12.1-FIPS before 12.1-55.289
• Citrix ADC 12.1-NDcPP before 12.1-55.289

Reference: The following are possible ways to mitigate the vulnerability (HTTP Request Smuggling Vulnerability)

• Ensuring that front-end and back-end servers only communicate using the HTTP/2 protocol can prevent most variants of this attack.
• Interpret HTTP headers consistently on front-end and back-end servers.

Official announcement: Please refer to the link for details – https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516

Preface: Total lunar eclipse and lunar occultation of Uranus on the evening of November 8 2022.

About: A larger block size will require higher transmission time compared to the smaller block size. A smaller block is more efficient but building too small a block will require higher block composition time to clear all the transactions. Both performance factors are contradictory to each other.

Background: The Lightning Network Daemon ( lnd ) – is a complete implementation of a Lightning Network node. lnd has several pluggable back-end chain services including btcd (a full-node), bitcoind , and neutrino (a new experimental light client).
The Lightning Network is a second layer added to Bitcoin’s blockchain that allows off-chain transactions, i.e. transactions between parties not on the blockchain network.

Vulnerability details: btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size checking.

Ref”: “maxWitnessItemSize” is the maximum allowed size for an item within an input’s witness data. This number is derived from the fact that for script validation, each pushed item onto the stack must be less than 10k bytes.

Remedy: The issue here is that the old checks for the maximum witness size, circa segwit v0 where placed in the wire package as well as the tx engine. This check should only be in the engine, since it’s properly gated by other related scrip validation flags.

The fix itself is simple: limit witnesses only based on the maximum block size in bytes, or ~4MB.

Official announcement: Please refer to the link for details – https://github.com/lightningnetwork/lnd/releases/tag/v0.15.2-beta

Preface: Is cloud computing in demand in 2022? Their latest forecast predicts the spending on public cloud services to jump from $257.5 billion in 2020 to $304.9 billion in 2022 as cloud services play a central role in helping businesses recover from the onslaughts of the pandemic.
The current version of NFS is also called NFS v4 but was implemented through RFC 3530. In 2003, it was published. Since then, compared to early NFS v4, NFS v4 has improved a lot in terms of optional features, such as protection, caching, locking, and message communication performance. While NFS has PC capabilities, it has often been treated as a file-oriented protocol rather than the PC environment for UNIX and Linux operating systems. Microsoft Azure, a popular public cloud service, offers Azure Files, a cloud-based distributed file which supports NFS 4.1 since September 2020, in the Azure Files premium tier only.

Background: NFS is an RPC-based protocol, with a client-server relationship between the machine having the filesystem to be distributed and the machine wanting access to that filesystem. Each version of the NFS RPC protocol contains several procedures. The basic procedures performed on an NFS server can be grouped into directory operations, file operations, link operations, and filesystem operations. The nfsd daemon runs on a server and handles client requests for file system operations. Each daemon handles one request at a time. Assign the maximum number of threads based on the load you expect the server to handle.

• NFS version 3 (NFSv3) supports safe asynchronous writes and is more robust at error handling than the previous NFSv2; it also supports 64-bit file sizes and offsets, allowing clients to access more than 2 GB of file data.
• NFS version 4 (NFSv4) works through firewalls and on the Internet, no longer requires an rpcbind service, supports Access Control Lists (ACLs), and utilizes stateful operations.

Vulnerability details:
CVE-2022-43945 – The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space.
Cause: One notable set of fixes addresses a subtle buffer overflow issue that occurs if a small RPC Call message arrives in an oversized RPC record. This is only possible on a framed RPC transport such as TCP. Because NFSD shares the receive and send buffers in one set of pages, an oversized RPC record steals pages from the send buffer that will be used to construct the RPC Reply message. NFSD must not assume that a full-sized buffer is always available to it; otherwise, it will walk off the end of the send buffer while constructing its reply.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-43945

Preface: If the supplier does not provide details. It’s hard to avoid that it’s not the exact answer.

Abuse code signing
-key compromise
-use of revoked or expired certificates
-code errors
-Systems compromise

Background: If you’re developing apps for iOS, you need to sign your builds in order to send them to the App Store. However, iOS code signing can be challenging for many. Code Signing is a way for iOS devices to know that the app to be install on the device is from a known source. There are 3 key components in code signing:

1) Certificates
2) Bundle IDs
3) Provisioning Profiles

Bundle IDs are unique strings that identify an app. Every app on your Apple devices have a Bundle ID. That’s how Apple and your devices separate your app from others.
For every app that needs to be signed, you need to register its Bundle ID to Apple’s Developer Portal.

In iOS 6, the first two components of the bundle ID are used to generate the vendor ID. If the bundle ID only has a single component, then the entire bundle ID is used.
In IOS 7, all components of the bundle except for the last component are used to generate the vendor ID. If the bundle ID only has a single component, then the entire bundle ID is used.
According to above, two different bundle ID names would appear to have the same vendor ID. This situation will favor cyber criminals, please refer to point no.6 shown on diagram.

Vulnerability details: An issue in code signature validation was addressed with improved checks. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6. An app may be able to bypass code signing checks.

Please refer to the link for details – https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor

Preface: The heap is an area of dynamically-allocated memory that is managed automatically by the operating system or the memory manager library. Memory on the heap is allocated, deallocated, and resized regularly during program execution, and this can lead to a problem called fragmentation.

Background:

For instance, when you download a c++ compiler for your platform, you, in fact, download the c++ frontend with the linux-amd64 backend. This coding architecture is extremely helpful, because it allows to port the compiler for another architecture without rewriting the whole parsing/optimizing thing.

When applications need memory, they have to request it from the operating system. This request from the kernel will naturally require a system call. You cannot allocate memory yourself in user mode. The malloc() family of functions is responsible for memory allocation in the C language. The question to ask here is whether malloc(), as a glibc function, makes a direct system call. There is no system call called malloc in the Linux kernel. However, there are two system calls for applications memory demands, which are brk and mmap.
By far the most widely used C library on Linux is the GNU C library, often referred to as glibc. The pathname /lib/libc[.]so[.]6 (or something similar) is normally a symbolic link that points to the location of the glibc library, and executing this pathname will cause glibc to display various information about the version installed on your system.

Vulnerability details: Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd[.]c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to sudo by entering a password of seven characters or fewer. The impact could vary depending on the compiler and processor architecture.

What is the difference between su and sudo?

• su allows to run commands with a substitute user and group ID.
• sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user’s real (not effective) user-ID is used to determine the user name with which to query the security policy.

Remedy: Please refer to the link for details – https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050

Preface: Few years ago, people know the following details:
io_service_open_extended is one of several undocumented MIG functions to communicate with IOKit drivers from user mode. This approach provides an opportunity for an attacker to perform kernel exploitation. Code writing in C-like languages can accidentally affect memory safety.

Background: Memory Tagging Extension (MTE) is designed to provide robustness against attacks attempting to subvert code processing malicious, attacker-provided, data. It does not address algorithmic vulnerabilities or malicious software. The core principle of type isolation is that after any particular address has been used for a given “type” of object, only objects of that type can ever exist at that address for the lifetime of the program.
Memory can broadly be categorized either as “control” or as “data.” Control is what lets a program structure and organize data. It includes things such as pointers, reference counts, lengths, and typing information like union tags. Almost everything else is data.
Apple also rarely shared the core technology of XNU, mainly the security upgrade of XNU memory, the first topic is the memory allocator kalloc_type.

Vulnerability details: A vulnerability classified as critical has been found in Apple iOS and iPadOS (Smartphone Operating System) (version unknown). Affected is an unknown function of the component Kernel. The manipulation with an unknown input leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-787. The software writes data past the end, or before the beginning, of the intended buffer. This is going to have an impact on confidentiality, integrity, and availability.

Affected: Versions prior to iOS 15.7.1 and iPadOS 15.7.1
Solutions: Apply fixes issued by the vendor: iOS 15.7.1 and iPadOS 15.7.1

Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-42827

Preface: A microframework is a term used to refer to minimalistic web application frameworks. It is contrasted with full-stack frameworks. Typically, a microframework facilitates receiving an HTTP request, routing the HTTP request to the appropriate controller, dispatching the controller, and returning an HTTP response. Microframeworks are often specifically designed for building the APIs for another service or application.

Background: Total js framework and Total js client-side UI library are without any 3rd party dependencies. Total.js framework is a server-side MVC framework written in pure JavaScript and fully optimized for Node js runtime. Software developers can use any NPM module (like PostgreSQL, MongoDB, REDIS, JWT, etc.) or existing client-side libraries (like D3, Chart js, FullCalendar, Vue, Angular, etc.).
Total js Platform supports three types of visual programming interfaces:

• Total js Flow targeted primary for IoT applications (alternative Node-red)
• Total js AppBuilder for creating rich server-side API applications
• Total js Designer for creating UI connected to 3rd party REST services

Vulnerability details: In Total js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter. Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-44019

Causes: The fact is that the server doesn’t sanitize correctly the input checking that the host provided is a legitimate one.

Ref: Even if the software developer sets the correct regular expressions. The following details also need to be considered.
The ping command returns an exit code on both operating systems. On Linux (Bash) you have $? to get the variable for this exit code, on Windows it’s %errorlevel%. The exit code is 0 on both operating systems when the ping is successful, and 1 otherwise. This value can be used to conditionally run your command.

Preface: PCMCIA Cards have been around for many years and can still be found in today’s technology. These cards are now classed as legacy products, as they were first introduced over 25 years ago.
PCMCIA cards come in 3 different types of memory; ATA, SRAM and Linear. The cards are still being made today to help support legacy products and applications, mainly aerospace, defence and transportation.

Background: Linux 5.4 was released on 24 November 2019. Although the PCMCIA subsystem will allocate resources for cards, it no longer marks these resources busy. This means that driver authors are now responsible for claiming your resources as per other drivers in Linux. You should use request_region() to mark your IO regions in-use, and request_mem_region() to mark your memory regions in-use.

PCMCIA design weakness recently (28th Oct 2022):
CVE-2022-44032 —–> A driver for the Omnikey PCMCIA smartcard reader CardMan 4040
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach(). Please refer to the link for details – https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
CVE-2022-44033 —–> A driver for the Omnikey PCMCIA smartcard reader CardMan 4040
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().Please refer to the link for details –
https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
CVE-2022-44034 —–> SCR24x PCMCIA Smart Card Reader Driver
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove(). Please refer to the link for details –
https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/

Remedy:
In order to avoid vulnerabilities, we recommend the following:
The dangling pointer errors can be avoided by initializing the pointer to the NULL value. If we assign the NULL value to the pointer, then the pointer will not point to the de-allocated memory. Assigning NULL value to the pointer means that the pointer is not pointing to any memory location.

Preface: The design weakness found on 2015. But till today, it looks the matter not been fixed. Perhaps you also read vendor statement. they will continue to update this advisory as additional information becomes available, said vendor.

NetApp Advisory ID: NTAP-20220616-0001 Version: 4.0 Last updated: 09/26/2022 – https://security.netapp.com/advisory/ntap-20220616-0001/
[SECURITY] Fedora 36 Update: 18 June 2022 – https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/

Background: When you run python at the console or install a Python distribution from python.org, you are running CPython. CPython is one of the many Python runtimes, maintained and written by different teams of developers. The unique thing about CPython is that it contains both a runtime and the shared language specification that all Python runtimes use.
The mailcap format is documented in RFC 1524, “A User Agent Configuration Mechanism For Multimedia Mail Format Information”, but is not an internet standard. However, mailcap files are supported on most Unix systems. According to Python (CPython) techincal document. Mailcap files are used to configure how MIME-aware applications such as mail readers and Web browsers react to files with different MIME types. (The name mailcap'' is derived from the phrasemail capability”.) For example, a mailcap file might contain a line like “video/mpeg; xmpeg %s”. Then, if the user encounters an email message or Web document with the MIME type video/mpeg, “%s” will be replaced by a filename (usually one belonging to a temporary file) and the xmpeg program can be automatically started to view the file.

CPython is the standard Python software implementation or the default Python interpreter. The main purpose of CPython is to execute the programming language Python. CPython has great compatibility with various Python packages and modules.

Vulnerability details: Mailcap file handling in Python through 3.10.4
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
if the filename contains Shell Commands they will be executed if they
are passed to os.system() as discribed in the docs.

Remedy: Filename should be quoted with quote(filename) to fix the bug. Please refer to the link for details – https://bugs.python.org/issue24778

Status: Deprecated since version 3.11, will be removed in version 3.13: The mailcap module is deprecated