
Highly Evasive Leverages (16th March, 2021)

Preface: There is a registry key in your system that can be set to prevent certain applications from running, including security software.

Background: If a software developer creates a buffer and reserves 1024 bytes for it, then tries to copy in anything more than 1023 bytes (remember that computers start counting at 0), the data overflows out of the buffer and overwrites other memory locations on the stack.
When this happens, the overflow first overwrites the saved EBP (base pointer), then the saved EIP (the saved return address), and then the function parameters.
When a function is called, it first creates a new stack frame. It pushes the base pointer onto the stack so that it can be retrieved later, and then it pushes the return address (saved EIP) onto the stack, so that when the function finishes it can return to the function that called it.
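To make the stack-buffer scenario above concrete, here is an added C example (not code from the original post): an unbounded copy into a 1024-byte buffer beside the bounded version that checks the length before copying. The buffer size follows the text; the function names and the try_copy_of_length helper that builds test strings are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024   /* the 1024-byte buffer from the text */

/* Vulnerable pattern: strcpy() stops only at the NUL terminator of src, so a
 * source longer than 1023 characters plus NUL writes past buf[] into the rest
 * of the stack frame (the saved base pointer, the return address and the
 * parameters described in the text). Kept here only to show the shape of the
 * bug; nothing below calls it with untrusted input. */
int copy_unbounded(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);
    return (int)strlen(buf);
}

/* Hardened pattern: measure first, refuse anything that does not fit together
 * with its terminator, then copy exactly that many bytes. Returns the number
 * of characters stored, or -1 when the input was rejected. */
int copy_bounded(const char *src)
{
    char buf[BUF_SIZE];
    size_t n = strlen(src);
    if (n >= BUF_SIZE)          /* indices 0..1023: at most 1023 chars + NUL */
        return -1;
    memcpy(buf, src, n + 1);    /* n characters plus the terminating NUL */
    return (int)n;
}

/* Helper: build a constructed string of `len` 'A' characters and run it
 * through copy_bounded. Returns copy_bounded's result, or -2 on malloc failure. */
int try_copy_of_length(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -2;
    memset(s, 'A', len);
    s[len] = '\0';
    int rc = copy_bounded(s);
    free(s);
    return rc;
}

int main(void)
{
    size_t lengths[] = { 16, 1023, 1024, 4096 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("input of %zu chars -> copy_bounded returned %d\n",
               lengths[i], try_copy_of_length(lengths[i]));
    return 0;
}
```

The boundary is the point of the example: 1023 characters are accepted because the 1024th byte holds the NUL, while 1024 characters are refused, which is exactly the extra byte that would start overwriting the saved base pointer in the unbounded version.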

Reference: If you are interested in the details, you can read them through this link – https://malvuln.com/advisory/8936c97e99799809812fa740076a2d7f.txt
Interestingly, the portable executable is not new. The historical record shows that the first submission of the PE file was in 2016.
This malware/Trojan activity has been going on for 6 years.

Validation of input strings will reduce the cyber attack surface of your web application (16th Mar 2021)

Synopsis: The package xmlhttprequest before 1.7.0 has a vulnerability. CVE-2020-28502 was published on 5th March, 2021.

Background: node-XMLHttpRequest is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object.
This can be used with JS designed for browsers to improve reuse of code and allow the use of existing libraries.

Vulnerability details: This affects the package xmlhttprequest before 1.7.0 and all versions of the package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Official details: https://nvd.nist.gov/vuln/detail/CVE-2020-28502

Current status: There is no fixed version for org.webjars.npm:xmlhttprequest-ssl.

Hints: Enhance preventive and detective controls. Use a filter, such as a regular expression (for example ^\w+), that defines which characters are allowed so that special characters are rejected.
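The allow-list idea from the hint, as an added C example written for this page (not code from the post or from the xmlhttprequest project), using POSIX regular expressions through regcomp/regexec. POSIX extended syntax has no \w, so [[:alnum:]_] stands in for it; the input strings are constructed for the demonstration. The example also shows why anchoring matters: ^\w+ as written only requires the input to begin with word characters, whereas ^\w+$ requires the whole input to consist of them.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if `input` matches `pattern` (POSIX extended syntax), 0 if it
 * does not, and -1 if the pattern itself fails to compile. */
int matches(const char *pattern, const char *input)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, input, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Prefix-only check, the POSIX equivalent of ^\w+ : accepts any string that
 * merely starts with word characters, so trailing metacharacters slip through. */
int allowed_prefix_only(const char *input)
{
    return matches("^[[:alnum:]_]+", input);
}

/* Full-match allow-list, the equivalent of ^\w+$ : every character in the
 * input must be a letter, digit or underscore, and empty input is rejected. */
int allowed_full(const char *input)
{
    return matches("^[[:alnum:]_]+$", input);
}

int main(void)
{
    /* Constructed inputs: a clean value, one with a shell metacharacter
     * appended, an HTML tag and an empty string. */
    const char *samples[] = { "user1", "user1; rogue_command", "<script>", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s prefix-only=%d full-match=%d\n",
               samples[i], allowed_prefix_only(samples[i]), allowed_full(samples[i]));
    return 0;
}
```

In practice the full-match form is the one to deploy: an allow-list that only inspects the start of the string still lets the characters that matter for injection (";", quotes, angle brackets) reach the sink.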

F5 network products cover a wide range. When a vulnerability occurs, it should be remedied as soon as possible. (CVE-2021-22991 – 12th Mar 2021)

Preface: F5 network products are commonly deployed in data center and on-premises Internet facing infrastructure.

Background: F5 Networks’ Traffic Management Operating System (TMOS) is not a separate operating system. It is the software foundation for all of F5’s network or traffic (not data) products, on both physical and virtual platforms. TMM is the core component of TMOS: it handles all network activities and communicates directly with the network switch hardware (or with vNICs for VE (Virtual Edition)). TMM also controls communications to and from the HMS. Local Traffic Manager (LTM) and other modules run within the TMM.

Vulnerability details: The vulnerability found allows an attacker to make use of uninitialized memory. Uninitialized memory means reading data from a buffer that was allocated but never filled with initial values; in other words, the data is used before it is initialized. Finally, when `wrapped_umem_alloc` is used for heap allocations, this also leads to a direct crash of the TMM due to a heap buffer overflow.
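The two defect classes named above, an uninitialized read and a heap buffer overflow, shown together in an added C example constructed for this page (it is not F5's TMM code and says nothing about how `wrapped_umem_alloc` works): a parser for a made-up length-prefixed record that hands back a half-filled malloc'd object, beside a version that zero-fills, bounds-checks and fails closed. The record layout, the function names and the scenario_claim helper are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed record layout: 4-byte little-endian length, then the payload. */
struct record {
    uint32_t len;
    uint8_t  payload[64];
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unsafe pattern. malloc() returns memory with indeterminate contents; both
 * early returns give the caller a record whose len was never written, so a
 * consumer that trusts rec->len reads stale heap bytes (uninitialized memory).
 * The missing check of len against sizeof payload lets memcpy write past the
 * end of the allocation (heap buffer overflow). Shown for contrast only. */
struct record *parse_record_unsafe(const uint8_t *in, size_t n)
{
    struct record *rec = malloc(sizeof *rec);
    if (rec == NULL) return NULL;
    if (n < 4) return rec;                   /* BUG: rec->len uninitialized */
    uint32_t len = read_le32(in);
    if (len > n - 4) return rec;             /* BUG: rec->len uninitialized */
    memcpy(rec->payload, in + 4, len);       /* BUG: len may exceed 64 */
    rec->len = len;
    return rec;
}

/* Hardened pattern. calloc() zero-fills the allocation, the declared length
 * is checked against both the bytes actually received and the destination
 * buffer, and failure is reported as NULL instead of a half-built object. */
struct record *parse_record_safe(const uint8_t *in, size_t n)
{
    struct record *rec = calloc(1, sizeof *rec);
    if (rec == NULL) return NULL;
    if (n < 4) { free(rec); return NULL; }
    uint32_t len = read_le32(in);
    if (len > n - 4 || len > sizeof rec->payload) { free(rec); return NULL; }
    memcpy(rec->payload, in + 4, len);
    rec->len = len;
    return rec;
}

/* Convenience for callers: payload length of a parsed record, or -1 if rejected. */
long safe_payload_len(const uint8_t *in, size_t n)
{
    struct record *rec = parse_record_safe(in, n);
    if (rec == NULL) return -1;
    long len = (long)rec->len;
    free(rec);
    return len;
}

/* Scenario helper: build `supplied` bytes of constructed input whose header
 * claims `claimed` payload bytes, and run it through the hardened parser.
 * Returns safe_payload_len's result, or -3 if the buffer could not be allocated. */
long scenario_claim(uint32_t claimed, size_t supplied)
{
    uint8_t *buf = malloc(supplied ? supplied : 1);
    if (buf == NULL) return -3;
    memset(buf, 'x', supplied);
    uint8_t hdr[4] = { (uint8_t)(claimed & 0xFF), (uint8_t)((claimed >> 8) & 0xFF),
                       (uint8_t)((claimed >> 16) & 0xFF), (uint8_t)((claimed >> 24) & 0xFF) };
    memcpy(buf, hdr, supplied < 4 ? supplied : 4);
    long rc = safe_payload_len(buf, supplied);
    free(buf);
    return rc;
}

int main(void)
{
    printf("valid 5-byte payload      -> %ld\n", scenario_claim(5, 9));
    printf("truncated header          -> %ld\n", scenario_claim(5, 2));
    printf("claims more than received -> %ld\n", scenario_claim(1000, 5));
    printf("claims more than capacity -> %ld\n", scenario_claim(100, 104));
    return 0;
}
```

Only the hardened parser is exercised at run time: with the unsafe one, a short or oversized input would either leak whatever the previous owner of the heap chunk left in `len` or corrupt the heap, which is the pair of outcomes the advisory describes.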

Official announcement: https://support.f5.com/csp/article/K56715231

Message from F5 Network – To Whom it may concern (11-03-2021)

Preface: From a technical point of view, the attacker casts the returned void* to an int* and starts using it. It is one of the modern cyber attack techniques.

Background: The attacker would have to overwrite the return address with an address such as ”…………….“ where there is a “JMP RSP” instruction, and continue with their shellcode after this address. In this way even some hardened system appliances become vulnerable. Can we say this is a design weakness in the coding? Or is the memory protection simply not enough?

Technical details: The F5 BIG-IP offers many programmable interfaces, from the control plane to the data plane.
iControl REST – REST-based API for imperative configuration and service control of BIG-IP from remote applications.
iControl (SOAP) – SOAP-based API for imperative configuration and service control of BIG-IP from remote applications.

Vulnerability details:

CVE-2021-22986 – The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical)
CVE-2021-22987 – When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical)

Official announcement: https://support.f5.com/csp/article/K02566623

SAP Security Patch Day – March 2021: Don’t forget to check your business client software.

Preface: In the history of SAP Business Client it was rare to offer a Chromium web browser control based on CefSharp (CEF – the open source version of Google Chrome) as an alternative rendering engine to Microsoft IE. In 2018, that dream came true.

SAP Business Client software technical background: If the local client web browser does not work, the SAP client software enforces a fallback of the default browser control to Internet Explorer. Unfortunately, Chrome vulnerabilities are being exploited in the wild. According to CVE-2021-2116, a remote attacker could exploit some of these vulnerabilities to trigger denial of service, remote code execution, security restriction bypass and sensitive information disclosure on the targeted system.

Reference: Chrome OS is vulnerable to malicious extensions from badly programmed third-party apps. It can also put your system at risk if you choose to run an extension “unsandboxed.”

Official announcement (SAP Security Patch Day – March 2021) – please refer to the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107

One step closer – Remedy of SaltStack design weakness (8th Mar, 2021)

Preface: SaltStack was acquired by VMware on October 13, 2020. All SaltStack commercial information can be found on VMware.com. For the Salt open source project, visit saltproject.io

Background: SaltStack is a configuration management and orchestration tool. It uses a central repository to configure new servers and other IT infrastructure in a cloud computing environment. It can make changes to existing servers and computing devices and install software in the system environment. It allows you to manage and scale cloud infrastructure with no downtime or interruptions.
There are reportedly 139 companies that use Salt in their tech stacks, including Robinhood, Lyft, and LinkedIn.

Official announcement: All related vulnerabilities and remediation can be found in this link – https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Security Focus: Modern system architecture design simplifies the synchronization process in order to update the whole system infrastructure. For example, a blockchain relies on atomic broadcast to update the whole network. Similarly, SaltStack can synchronize all minions with one command (salt * saltutil.sync_all). If access control is not set up correctly, it will be impacted by the vulnerability found this time: CVE-2021-25281 – salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. So we must stay alert!

Sometimes internal threats are more dangerous than external anonymous threats! (7th March 2021)

Preface: In computing, ioctl (an abbreviation of input/output control) is a system call for device-specific input/output operations and other operations which cannot be expressed by regular system calls.

Background: Exposing ioctl for public use is considered bad design for numerous reasons, and therefore some people suggest replacing ioctl with Netlink. Netlink is a very good way to do two-way data transmission between the kernel and user applications; hence there is infrastructure to deliver async events from transports to userspace via netlink. Users can send files associated with Netlink messages and iSCSI, the maximum length of which is the maximum length of a Netlink message.

Vulnerability details: Per the user instructions, sending a netlink message with the function sendmsg requires the structures struct msghdr, struct nlmsghdr and struct iovec. After those steps are completed, the message can be sent directly with the statement: sendmsg(fd, &msg, 0). However, a fault was found: the existing design gave an unprivileged user the ability to craft Netlink messages. In total three different vulnerabilities were found: CVE-2021-27364, CVE-2021-27363 and CVE-2021-27365.
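The sendmsg path just described, as an added C example written for this page (not kernel code and not a reproduction of the iSCSI transport defects): the sender side fills struct nlmsghdr, struct iovec, struct sockaddr_nl and struct msghdr exactly as the text lists them, and the receiver side shows the checks a message consumer has to make before trusting a sender-supplied nlmsg_len. It assumes Linux (linux/netlink.h); MAX_PAYLOAD, the nl_msg wrapper and the scenario helper are this example's own constructions, and the message built is an NLMSG_NOOP, which the kernel ignores.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <limits.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define MAX_PAYLOAD 64          /* constructed capacity of this example's handler */

/* One message: the netlink header followed by an aligned payload area. */
struct nl_msg {
    struct nlmsghdr hdr;
    char            body[NLMSG_ALIGN(MAX_PAYLOAD)];
};

/* Sender side: fill struct nlmsghdr so that nlmsg_len covers header plus
 * payload. Returns the total message length, or 0 if the payload does not fit. */
size_t build_netlink_msg(struct nl_msg *m, uint16_t type,
                         const void *payload, size_t plen)
{
    memset(m, 0, sizeof *m);
    if (plen > MAX_PAYLOAD) return 0;
    m->hdr.nlmsg_len   = NLMSG_LENGTH(plen);   /* NLMSG_HDRLEN + plen */
    m->hdr.nlmsg_type  = type;
    m->hdr.nlmsg_flags = NLM_F_REQUEST;
    m->hdr.nlmsg_seq   = 1;
    m->hdr.nlmsg_pid   = 0;                    /* 0: kernel assigns the sender's port id */
    memcpy(NLMSG_DATA(&m->hdr), payload, plen);
    return m->hdr.nlmsg_len;
}

/* Sender side: the struct iovec / struct sockaddr_nl / struct msghdr trio,
 * wired so that sendmsg(fd, msg, 0) delivers m to the kernel (nl_pid 0). */
void prepare_sendmsg(struct nl_msg *m, struct iovec *iov,
                     struct sockaddr_nl *dst, struct msghdr *msg)
{
    memset(dst, 0, sizeof *dst);
    dst->nl_family = AF_NETLINK;
    dst->nl_pid    = 0;
    iov->iov_base  = m;
    iov->iov_len   = m->hdr.nlmsg_len;
    memset(msg, 0, sizeof *msg);
    msg->msg_name    = dst;
    msg->msg_namelen = sizeof *dst;
    msg->msg_iov     = iov;
    msg->msg_iovlen  = 1;
}

/* Receiver side: what a handler must verify before touching the payload.
 * `received` is the byte count that really arrived (recvmsg's return value),
 * never the sender-supplied nlmsg_len. Returns the payload length, or -1. */
long validate_netlink_msg(const void *buf, size_t received, size_t max_payload)
{
    const struct nlmsghdr *nlh = buf;
    if (received > INT_MAX) return -1;
    /* NLMSG_OK: whole header present and nlmsg_len within the bytes received */
    if (!NLMSG_OK(nlh, (int)received)) return -1;
    size_t plen = NLMSG_PAYLOAD(nlh, 0);       /* nlmsg_len minus the header */
    if (plen > max_payload) return -1;         /* claim exceeds the handler's buffer */
    return (long)plen;
}

/* Scenario helper: build a message carrying `plen` constructed payload bytes,
 * then validate it as if `received` bytes reached a handler whose buffer holds
 * `max_payload` bytes. Returns the validation result, or -2 if building failed. */
long scenario(size_t plen, size_t received, size_t max_payload)
{
    struct nl_msg m;
    char payload[MAX_PAYLOAD];
    memset(payload, 'x', sizeof payload);
    if (build_netlink_msg(&m, NLMSG_NOOP, payload, plen) == 0) return -2;
    return validate_netlink_msg(&m, received, max_payload);
}

int main(void)
{
    struct nl_msg m;
    struct iovec iov;
    struct sockaddr_nl dst;
    struct msghdr msg;
    size_t len = build_netlink_msg(&m, NLMSG_NOOP, "hello", 5);
    prepare_sendmsg(&m, &iov, &dst, &msg);
    printf("built %zu-byte NLMSG_NOOP, validated payload length %ld\n",
           len, validate_netlink_msg(&m, len, MAX_PAYLOAD));
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd >= 0) {                             /* a NOOP is discarded by the kernel */
        if (sendmsg(fd, &msg, 0) < 0) perror("sendmsg");
        close(fd);
    }
    return 0;
}
```

The receiver-side function is the part that matters for the bug class in this post: a handler that copies NLMSG_PAYLOAD bytes into a fixed buffer on the strength of nlmsg_len alone, without comparing it to what was actually received and to the buffer's capacity, is exactly where an unprivileged sender's crafted length turns into an out-of-bounds read or write.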

Impact: No vendor has announced that their products are affected by these design weaknesses. Perhaps we should keep our eyes open and see whether any related information is issued by vendors in future.

A vulnerability was found in the Ethernet Frame Decoder component of Snort. It impacts all versions of the popular open source intrusion prevention and intrusion detection system (IPS/IDS) prior to 2.9.17, said Cisco. (3-3-2021)

Preface: Snort is an open-source, free and lightweight network intrusion detection system. The Snort Subscriber Ruleset is developed, tested, and approved by Cisco Talos.

Background: Sourcefire, Inc. was a technology company that developed network security hardware and software. The company’s Firepower network security appliances were based on Snort. Snort has three primary uses: as a packet sniffer like tcpdump, as a packet logger, which is useful for network traffic debugging, or as a full-blown network intrusion prevention system.

Vulnerability details: CVE-2021-1285 can be exploited by an unauthenticated, adjacent attacker (one on the same layer 2 domain as the victim) to cause a device to enter a DoS condition by sending it specially crafted Ethernet frames. A successful exploit could allow the attacker to exhaust disk space on the affected device, thereby creating a denial of service.

Official announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-ethernet-dos-HGXgJH8n

The famous MSS became a victim. Was it attacked by Maze ransomware? (3rd Mar, 2021)

Background: In July last year (2020), the Secret Service warned that since MSPs service a large number of organizations at the same time through remote administration tools, cyber criminals are specifically targeting MSPs to conduct their attacks at scale and infect multiple companies through the same vector.

Incident details: CompuCom began contacting customers to alert them that their company systems had suffered a cyber attack. However, the details did not mention what type of cyber attack occurred. Unofficial news suggested that it was perhaps ransomware.

Reference: Maze ransomware relies on CVE-2018-8174. This ransomware aims to obtain user credentials before proceeding to reconnaissance. Presumably the attacker collects user credentials by guessing default/weak passwords or by spear-phishing with a targeted mail carrying a .docx attachment containing a malicious macro. Once the attacker has compromised the system, the vulnerability is used to escalate privileges. Upon completion, it performs the ransomware encryption operations.

Headline News: CompuCom Issues Statement Regarding Malware Incident – https://finance.yahoo.com/news/compucom-issues-statement-regarding-malware-212400889.html

Microsoft fixes actively exploited Exchange zero-day bugs (2nd Mar 2021). When a service is not in use, you should disable it immediately.

Preface: The Microsoft Exchange Unified Messaging service on the Mailbox server will accept connections from a Client Access server on SIP ports 5062 and 5063.

Technical background: Unified Messaging (UM) enables users to use voice mail and other features, including Outlook Voice Access and Call Answering Rules. UM combines voice messaging and email messaging into one mailbox that can be accessed from many different devices.

Security Focus – Vulnerability details: This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.

Workaround: Restrict untrusted connections, or set up a VPN to separate the Exchange server from external access.

Reference: “Buffer overflow can happen as part of SIP message packet processing while storing values in array due to lack of check to validate the index length” in Snapdragon Auto, Snapdragon Compute, …….

Official announcement: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857