Preface: the most famous UTF-8 attack was against unpatched web server.

Background: The most common users of Apache HTTP Server are from Small Businesses and the Information Technology & Services industry. Perhaps

How to Check the Apache Version?

1. Open terminal application on your Linux, Windows/WSL or macOS desktop.
2. Login to remote server using the ssh command.
3. To see Apache version on a Debian/Ubuntu Linux, run: apache2 -v.
4. For CentOS/RHEL/Fedora Linux server, type command: httpd -v.

Vulnerability details: The server didn’t correctly handle contents in the URL. So the contain contained invalid UTF-8 representation of the [/] character. Such an invalid UTF-8 escape is often referred to as an overlong sequence. Therefore it provide an opportunity to the attacker. On 6th Oct,2021, Apache released Apache HTTP 2.4.50 to fix an actively exploited path traversal vulnerability in version 2.4.49 (tracked as CVE-2021-41773). This flaw allows threat actors to view the contents of files stored on a vulnerable server. Please refer to the official website for announcements – https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013

Preface: BPF is available on most Unix-like operating systems and eBPF for Linux and for Microsoft Windows. In addition, if the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode so that all packets on the network can be received, even those destined to other hosts.

Background: The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic (and eBPF is an extended BPF JIT virtual machine in the Linux kernel). It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.

Vulnerability details: CVE-2021-29249 prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.

In 32-bit architecture, the result of sizeof() is a 32-bit integer so the expression becomes the multiplication between two 32-bit integers which can potentially leads to integer overflow. As a result, bpf_map_area_alloc() allocates less memory than needed.

Remedy: Correct this by casting 1 operand to u64 (See attached picture for details).

Point of view: More than 20 years ago, the firewall function was independent, excluding the firewall policy service and vpn function.
The advantage is that when the firewall box is compromised. Nothing else will be found in the box by the attacker.
Over time, the trend of unified threat management has grown. From a technical point of view, it is a multifunctional service.
Maybe it’s hardening. But we can’t say that it is a state machine model (Bell-LaPadula model).

Having said that, the specific design responds to more and more technological developments in the world.
But it is hard to avoid vulnerability occurs due to design weakness.
This time an alert annouced by Sonicwall that an improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. This defect can do a DoS attack.

One of the possibilities encounter this defect: Incorrect configuration of aliases may allow an attacker to read files stored outside the target folder. For more details, please refer to attached diagram.

Official announcement: Please refer to link – https://www.sonicwall.com/support/product-notification/security-notice-critical-arbitrary-file-delete-vulnerability-in-sonicwall-sma-100-series-appliances/210819124854603/

Preface: Cryptocurrency look like myth. Someone avoid to use. But somebody like it. If Cryptocurrency only provide payment function. That is no investment value. Furthermore if someone going to transfer money will be know who is sender and recipient. If it come true, what is the result?

Background: BTCPay Server is an open source, P2P payment processor for Bitcoin and other cryptocurrencies where users can self-host their own server and effectively process their own payments.

Quick and easy setup (for individual and retail business): You just open an account on BTCpayserver. it is web GUI and internet everywhere. So, your customer can pay to you by cryptocurrency.

Users have even built web based point of sales payment solutions using the project. Physical stores can leverage the PoS app for accepting crypto payments. BTCPay Server is code, not a company. There is no third-party between a merchant and a customer. The merchant is always in full control of their funds. There are no processing or subscription fees.

Vulnerability details: BTCpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’). So called Cross-site Scripting, btcpayserver” stored XSS, also known as persistent XSS. In stored XSS, the malicious code is stored on the server of the application. Stored XSS is possible only when the application is designed to store user input. The attacker would inject the code through requests to the application.

Cause: During page generation, the application does not prevent the data from containing content that is executable by a web browser, hsuch as JavaScript, HTML tags, HTML attributes. For details of vulnerability , please refer to attached diagram.

Official details: – https://nvd.nist.gov/vuln/detail/CVE-2021-3830

Preface: Rapid7 Labs estimates there are over 2,700 vulnerable vCenter servers exposed to the public internet.

Background: As of May 1 2020, the Pivotal Telemetry program is governed by VMware’s Customer Experience Improvement Program.
Data and continuous feedback loops play an important role in shaping the way Pivotal builds software.

VMware analytics service consists of components that gather and upload telemetry data from various vSphere components to the VMware Analytics Cloud and manage the Customer Experience Improvement Program (CEIP).

Vulnerability details: CVE-2021-22005 (CVSS score of 9.8) – It is an arbitrary file upload vulnerability in the Analytics service, which can be used to execute commands and software on the vCenter Server Appliance. A malicious actor with network access to port 443 on vCenter Server could exploit it by uploading a specially crafted file.

Observation: Since it can upload telemetry data by analytics service. So, attacker might do the following:

Unauthenticated OVA File Upload RCE – Exploits an unauthenticated OVA file upload and path traversal in vCenter Server to write a JSP payload to a web-accessible directory.

Official announcement – VMware has disclosed a critical bug in its flagship vSphere and vCenter products and urged users to drop everything and patch it. The virtualization giant also offered a workaround. For more details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2021-0020.html