All posts by admin

VMware vRealize Business for Cloud updates address a remote code execution vulnerability (CVE-2021-21984) – 5th May 2021

Preface: vSphere 6.5 introduced several new REST APIs in the vCenter Server Appliance (VCSA).

Background: You can use vRealize Business for Cloud to manage the following VMware products and services: vCenter Server, vCloud Director, vRealize Automation and vRealize Operations Manager. Access to the VCSA appliance is through the REST API. The API endpoints for available updates are under the /rest/appliance/update section. If you run the API explorer, you will get the following result: the endpoint shows UP_TO_DATE, while VAMI shows 5 available updates.

Vulnerability details: Attackers can exploit this security flaw through the management interface (VAMI) upgrade APIs to gain access to unpatched vRealize Business for Cloud Virtual Appliances.

Remedy – Official announcement: https://www.vmware.com/security/advisories/VMSA-2021-0007.html

Dell patches 12-year-old driver vulnerability impacting millions of PCs – 5th May 2021

Background: DBUtil_2_3.sys is a Windows driver. A driver is a small software program that allows your computer to communicate with hardware or connected devices. This means that a driver has direct access to the internals of the operating system, the hardware, etc.

Vulnerability details: The Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required. The vendor, Dell, plans to release proof-of-concept code for CVE-2021-21551 on 1st June 2021.
But we can use our imagination before they publish it. For details, please refer to the diagram.

Official announcement https://www.dell.com/support/kbdoc/zh-hk/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability

In normal circumstances, the IT team will stop people from scanning their site. Perhaps sometimes this check is missed because of a careless mistake – 4th May 2021

Preface: US Homeland Security urges computer users in the country to stay alert to multiple vulnerabilities in Pulse Secure products. Perhaps the whole world should be aware of it.

Synopsis: As time goes by; Pulse Secure acquired the Juniper SSL VPN product a few years ago. Perhaps we can remember that Juniper is an active player among telecommunication service providers. Around the world, customers including enterprise firms are satisfied with the Juniper SSL VPN service.

Security focus: Products affected by the vulnerabilities (PCS 9.1Rx and 9.0Rx)
CVE-2021-22894 – A buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows a remote authenticated user to execute arbitrary code as the root user via a maliciously crafted meeting room.
CVE-2021-22899 – Allows a remote authenticated user to perform remote code execution via Windows File Resource Profiles.
CVE-2021-22900 – Allows an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

For details, please refer to https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/

Samba Releases Security Updates – 30th Apr 2021

Technical background: A Samba file server enables file sharing across different operating systems over a network. It lets you access your desktop files from a laptop and share files with Windows and macOS users.

Vulnerability details: Unprivileged users can delete files in network shares that they shouldn't be able to access.
However, the vendor stated that they have analysed the code paths but have not yet confirmed a specific way for a remote user to trigger this flaw reproducibly.
Perhaps you may have luck finding the root cause. For more details, please refer to the attached diagram.

Official details (CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids()) https://www.samba.org/samba/security/CVE-2021-20254.html

Protecting an unpatched Samba server: The easiest way is to use the "hosts allow" and "hosts deny" options in the Samba configuration file [smb.conf] to allow access to your server only from a specific range of hosts. An example is shown below:

   hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
   hosts deny = 0.0.0.0/0
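To check which clients such a configuration actually admits, here is an added Python example (not from the post or the Samba project) that applies Samba's documented allow/deny precedence to a client address; it assumes only IPv4 addresses and CIDR networks appear in the two lists.

```python
"""Added example, not from the post or the Samba project: evaluate a client
address against smb.conf 'hosts allow' / 'hosts deny' lines using Samba's
documented precedence (allow-list match wins, then deny, else permit). Only
IPv4 addresses and CIDR networks are parsed, not hostnames, EXCEPT or ALL."""
import ipaddress

# Constructed smb.conf fragment reproducing the lines recommended in the post.
SMB_CONF = """
[global]
   hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
   hosts deny = 0.0.0.0/0
"""

def parse_host_lists(conf):
    """Return (allow, deny) as lists of ip_network objects from the config text."""
    allow, deny = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower()  # smb.conf keys are case/space insensitive
        if key in ("hosts allow", "hosts deny"):
            nets = [ipaddress.ip_network(tok, strict=False)
                    for tok in value.replace(",", " ").split()]
            (allow if key == "hosts allow" else deny).extend(nets)
    return allow, deny

def _matches(addr, nets):
    return any(addr in net for net in nets)

def client_allowed(client_ip, allow, deny):
    """Both lists empty: everyone in. Only allow: listed hosts only. Only deny:
    everyone except listed. Both: allow match wins, then deny match refuses."""
    addr = ipaddress.ip_address(client_ip)
    if not allow and not deny:
        return True
    if not deny:
        return _matches(addr, allow)
    if not allow:
        return not _matches(addr, deny)
    return _matches(addr, allow) or not _matches(addr, deny)

if __name__ == "__main__":
    allow, deny = parse_host_lists(SMB_CONF)
    for ip in ("192.168.2.10", "10.0.0.5", "127.0.0.1"):
        print(ip, "allowed" if client_allowed(ip, allow, deny) else "denied")
```

Because "hosts deny = 0.0.0.0/0" matches everything, any client outside the allow list is refused; without that deny line a host missing from the allow list would still be refused, but a later per-share list could override it.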

CISA urges the public to be aware of the Codecov software vulnerability – 30th Apr, 2021

Preface: CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021.

Background: A supply chain attack went undetected for 2 months. Codecov has over 29,000 enterprise customers, including well-known names like Atlassian, Washington Post, GoDaddy, Royal Bank of Canada, and Procter & Gamble.

Vulnerability details: Regarding this cyber security incident, through the vendor's investigation they now have additional information concerning which environment variables may have been obtained without authorization and how they may have been used. The issue occurred due to an error in Codecov's Docker image creation process that enabled the actors to extract sensitive credentials and modify the Bash Uploader script, which in turn let the attacker exfiltrate sensitive information. For more details, please refer to the link – https://about.codecov.io/security-update/

Another wave of IoT vulnerability storm – CISA releases ICS advisory on RTOS vulnerabilities – 29th Apr 2021

Preface: People say that when you walk through rough roads, a brand new road is waiting for you.

Synopsis: Due to the small size of IoT devices, the main component chip will integrate memory, storage and even the WiFi function. Technically, the hardware resembles a car, and the software (OS) is equivalent to the car's driver. If the driver is healthy, the entire journey will be smoother. An RTOS is a key component of an IoT device platform. A reinvented RTOS for IoT needs to support industry-leading communications standards and protocols such as CAN, Bluetooth, Continua, ZigBee, Wi-Fi, and Ethernet, and deliver high-performance networking capabilities out of the box.

Security Focus: A simple way to describe integer overflow: if 2147483647 is stored in an int variable, adding one will produce -2147483648. This is an example of integer overflow.

Status: Several RTOS platforms are affected by integer overflow vulnerabilities. Therefore CISA released an ICS Advisory on Real-Time Operating System Vulnerabilities. An integer overflow combined with a programming mistake will amplify the risk level. The worst case lets an attacker conduct remote code execution.
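The following Python example is added here (it is not from the post or the CISA advisory) to reproduce the 32-bit wraparound described above and show how it defeats a naive length check and an allocation-size computation, beside checks that do not wrap; the buffer size and the allocator model are constructed for illustration.

```python
"""Added example, not from the post or the CISA advisory: reproduce C-style
32-bit integer wraparound in Python and show how it defeats a length check
and an allocation-size computation, next to checks that do not wrap.
Signed overflow is undefined behaviour in C; the wrap modelled here is what
two's-complement targets produce in practice."""

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
UINT32_MAX = 2**32 - 1
BUF_SIZE = 256  # constructed buffer size for the length-check demo

def wrap_i32(x):
    """Reduce any Python int to what a 32-bit two's-complement 'int' would hold."""
    return ((x + 2**31) & UINT32_MAX) - 2**31

def wrap_u32(x):
    """Same for a 32-bit 'unsigned int' / 'uint32_t'."""
    return x & UINT32_MAX

def naive_length_ok(n):
    """Models 'if (n + 1 <= BUF_SIZE)': the addition wraps before the compare,
    so n == INT32_MAX yields INT32_MIN and the check wrongly passes."""
    return wrap_i32(n + 1) <= BUF_SIZE

def safe_length_ok(n):
    """Compare without arithmetic that can wrap, and reject negatives outright."""
    return 0 <= n < BUF_SIZE

def alloc_size(count, elem_size):
    """Models 'size = count * elem_size' in a 32-bit allocator: the product can
    wrap to a small number, so a tiny block is returned for a huge request."""
    return wrap_u32(count * elem_size)

def checked_alloc_size(count, elem_size):
    """Overflow-checked multiplication: returns None instead of a wrapped size."""
    if elem_size and count > UINT32_MAX // elem_size:
        return None
    return count * elem_size

if __name__ == "__main__":
    print(wrap_i32(INT32_MAX + 1))        # the post's case: -2147483648
    print(naive_length_ok(INT32_MAX), safe_length_ok(INT32_MAX))
    print(alloc_size(0x40000000, 8), checked_alloc_size(0x40000000, 8))
```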

Official announcement: Refer link – https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04

Are you a victim of this newly discovered vulnerability (CVE-2021-25216)? – 28th Apr, 2021

Preface: BIND is the most commonly used DNS software on the Internet today. DNS servers that use BIND as server software account for about 90% of all DNS servers. BIND is now developed and maintained by the ISC (Internet Systems Consortium).

Background: The ISC BIND server contained the vulnerable code within the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) component, but ISC did not merge the patch at that time. After 15 years, ISC patched the bug in BIND and assigned it CVE-2020-8625. However, a second new vulnerability has appeared in BIND again: CVE-2021-25216.

Vulnerability details: This vulnerability situation is very complicated. Please refer to the official announcement – https://kb.isc.org/docs/cve-2021-25216

Ref: GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is an extension to the TSIG DNS authentication protocol for secure key exchange. It is a GSS-API algorithm which uses Kerberos for passing security tokens to provide authentication, integrity and confidentiality.
GSS-TSIG uses TKEY records for key exchange between the DNS client and server in GSS-TSIG mode, for example for authentication between a DNS client and Active Directory.

CVE-2021-29200 – Apache OFBiz has unsafe deserialization prior to version 17.12.07; an unauthenticated user can perform an RCE attack (27th Apr 2021)

Preface: According to market statistics, 152 companies use Apache OFBiz. The companies using Apache OFBiz are most often found in the United States and in the Computer Software industry.

Background: Apache OFBiz is a suite of business applications flexible enough to be used across any industry. OFBiz is an open source enterprise resource planning (ERP) system. A common architecture allows developers to easily extend or enhance it to create custom features.

Vulnerability focus: Experts found a missing file extension check at catalog/control, which makes it possible to upload a JSP webshell script. Meanwhile, if the vulnerable system runs on top of Amazon Elastic Compute Cloud, it can retrieve the user credentials because of the AWS design principle.

Is there a reserved set of security credentials in AWS?

Instance identity – security credentials that can be generated using the instance metadata service on every EC2 instance in AWS, even when no role is attached to the instance.

Official announcement https://issues.apache.org/jira/browse/OFBIZ-12080

CVE-2021-1075 – To protect your system, download and install this software update – 26th Apr 2021

Preface: Graphics card not detected in Device Manager or BIOS – it's possible that your graphics card isn't properly connected, but this is usually caused by incompatible drivers.

Background: The DxgkDdiEscape function shares information with the user-mode display driver. It can be called directly from user mode and accepts arbitrary data that is parsed and processed in a vendor-specific way. This design weakness was found by the Google Project Zero team a long time ago.
The GPU manufacturer made an official announcement this month.

Vulnerability details: NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the program dereferences a pointer that contains a location for memory that is no longer valid, which may lead to code execution, denial of service, or escalation of privileges.

Remedy: Security Bulletin: NVIDIA GPU Display Driver – April 2021 – https://nvidia.custhelp.com/app/answers/detail/a_id/5172

MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location – 25th Apr 2021

Preface: Similar design concepts rely on OpenSSL, and encountering vulnerabilities there is not news. This time it was just "old wine in new bottles".

Background: MySQL is built from source on Windows using MinGW; therefore it looks in sub-directories of 'C:/usr/local', which may be world-writable. This enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc.

For OpenSSL 1.0.2, ‘/usr/local/ssl’ is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds.

Vulnerability details: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. This easily exploitable vulnerability allows an unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. For more details, please refer to the following link: https://kb.cert.org/vuls/id/567764

Reference: The latest release of MySQL (version 8.0) has several new features, including a transactional data dictionary that stores information about database objects. In addition, Atomic DDL (atomic data definition statements) allows statements to combine the data dictionary updates, storage engine operations and binary log writes associated with a DDL operation into a single, atomic transaction.