All posts by admin

The famous MSS became a victim. Was it attacked by Maze ransomware? (3rd Mar, 2021)

Background: In July last year (2020), the Secret Service warned that, since MSPs service a large number of organizations at the same time through remote administration tools, cyber criminals are specifically targeting MSPs to conduct their attacks at scale, infecting multiple companies through the same vector.

Incident details: CompuCom began contacting customers to alert them that their company system facilities had encountered a cyber attack. However, the details did not mention what type of cyber attack occurred. Unofficial news let people know that it was perhaps ransomware.

Reference: Maze ransomware relies on CVE-2018-8174. This ransomware aims to obtain user credentials before proceeding to reconnaissance. By prediction, the attacker collects user credentials by guessing default/weak passwords or by spear-phishing with a targeted mail carrying a .docx attachment that contains a malicious macro. When an attacker compromises the system, the vulnerability is used to escalate privileges. Upon completion, it performs the ransomware encryption operations.

Headline News: CompuCom Issues Statement Regarding Malware Incident – https://finance.yahoo.com/news/compucom-issues-statement-regarding-malware-212400889.html

Microsoft fixes actively exploited Exchange zero-day bugs (2nd Mar 2021). When a service is not in use, you should disable it immediately.

Preface: The Microsoft Exchange Unified Messaging service on the Mailbox server will accept connections from a Client Access server on SIP ports 5062 and 5063.

Technical background: Unified Messaging (UM) enables users to use voice mail and other features, including Outlook Voice Access and Call Answering Rules. UM combines voice messaging and email messaging into one mailbox that can be accessed from many different devices.

Security Focus – Vulnerability details: This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.

Workaround: Restrict untrusted connections, or set up a VPN to separate the Exchange server from external access.

Reference: “Buffer overflow can happen as part of SIP message packet processing while storing values in array due to lack of check to validate the index length” in Snapdragon Auto, Snapdragon Compute, …….

Official announcement: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

CVE-2021-25296 – Nagios XI version xi-5.7.5 is affected by OS command injection. (1st Mar, 2021)

Preface: Vulnerabilities are inevitable! For instance, an injection vulnerability will be managed by a detective control. As usual, conducting remediation is the preventive and corrective control. To cope with reality, a find-and-fix concept alone reduces the effectiveness of the defense concept. A Zero Trust solution will be applied sooner or later, especially in the endpoint environment.

Background: The market slogan says that SIEM is used for log analysis and Nagios is used for continuous monitoring. However, SIEM products since ArcSight can do continuous monitoring very well. Perhaps we would say SIEM can do both continuous monitoring and log analysis. The ready-to-use features of Nagios are its benefit, because the implementation can be done quickly. Thereby, the Nagios product covers some sort of IT operations.

Vulnerability details: A design weakness was found in the plugin_output_len variable. The flaw is that it does not pass through a sanitize function and thus gives an attacker a way to do command execution. The code location is the following file path: /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php

Remedy: The supplier has made no announcement at this time. – http://nagios.com

Reference: In order to avoid the impact of command injection on software application design, the digital world is better off following the Zero Trust security model. For more details, please refer to the link.
https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF

Security Focus: VMware vCenter Server remote code execution vulnerability in vSphere client (CVE-2021-21972) – 24th Feb, 2021

Background: The earlier release of vRealize Operations Manager with vCenter Server shipped with the NGC plugin. The new vRealize Operations Manager plugin in vCenter Server provides a mechanism to provide specific metrics and high-level information about data centers, datastores, VMs, and hosts, for the vCenter Server and vSAN. The plugin is supported only in the HTML5 version of the vSphere Client.

Reminder: If an administrator installs a plug-in in an instance of the vSphere Web Client, the plug-in can execute arbitrary commands with the privilege level of that administrator.

Vulnerability details: The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin.

Scenario: Perhaps an attacker can make use of a tool written in Python to create a zip file that contains files with directory traversal characters in their embedded path. If a program and/or library does not prevent directory traversal characters, then the tool can be used to generate zip files that, once extracted, will place a file at an arbitrary location on the target system.
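As an added example (not VMware's code, and not the Python tool the scenario mentions), this is the check a safe extractor should make before writing any entry: resolve each stored name against the destination directory and reject every entry that would land outside it. The destination path and the entry names are constructed placeholders.

```python
import io
import os
import zipfile

def traversal_members(zip_bytes, dest="/opt/extract"):
    """Return archive entry names that would escape dest if a naive extractor
    joined dest with the stored name. An empty list means the archive is clean."""
    dest_norm = os.path.normpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Resolve the path exactly as a naive join(dest, name) extractor would.
            target = os.path.normpath(os.path.join(dest_norm, name))
            inside = target == dest_norm or target.startswith(dest_norm + os.sep)
            if name.startswith("/") or not inside:
                bad.append(info.filename)
    return bad

def build_sample_zip():
    # Constructed sample archive: one benign entry and two traversal entries.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/README.txt", "benign")
        zf.writestr("../../../../tmp/dropped.txt", "escapes via .. segments")
        zf.writestr("/etc/dropped.conf", "escapes via an absolute path")
    return buf.getvalue()
```

The check applies to code that writes entries by joining paths itself; an entry such as plugin/../README.txt normalizes to a location inside dest and is accepted.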

Workaround: The affected vCenter Server plugin for vROPs is available in all default installations. It is recommended to disable it immediately. Official recommendation: https://kb.vmware.com/s/article/82374

Remediation: To remediate CVE-2021-21972, apply the updates. Please refer to the link – https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Design weakness on RPC service awakens your alert! (24th Feb 2021)

Background: Remote Procedure Call (RPC) TCP port 135 is used for client-server communications by Microsoft Message Queuing (MSMQ) as well as other Microsoft Windows/Windows Server software. Allowing unrestricted RPC access on TCP port 135 can increase opportunities for malicious activity such as hacking (backdoor command shell).

Recent RPC-related vulnerabilities in software products:
CVE-2020-11635: The Zscaler Client Connector prior to 3.1.0 did not sufficiently validate RPC clients, which allows a local adversary to execute code with system privileges or perform limited actions for which they did not have privileges.

Current status: This vulnerability could allow an attacker who has local access to the user’s machine to elevate privileges and potentially compromise the user’s machine. There are no known instances of this vulnerability being exploited at this time and this vulnerability is not remotely exploitable.

Official announcement and remedy solution: https://trust.zscaler.com/posts/7316

Would it be possible? Malware attack Apple M1 chip? – 21st Feb 2021

Preface: Can the M1 chip run Windows? It is unsupported. Boot Camp was not carried over to the M1. Therefore it is not possible to run Windows on these Macs!

Background: So called “System on a Chip”, the M1 integrates several different components, including the CPU, GPU, unified memory architecture (RAM), Neural Engine, Secure Enclave, SSD controller, image signal processor, encode/decode engines, and a Thunderbolt controller with USB 4 support.

Malware attack on the Apple M1 chip? Would it be possible?
According to the record, GoSearch22 was signed with an Apple developer ID on November 23rd, 2020. GoSearch22 is the name of a potentially unwanted application (PUA) that functions as adware. Apple has (now) revoked the certificate. Since M1 systems run Big Sur, which requires code to be signed, we assume the malware will be signed (and thus leverage the “signed” tag).

Alert: A security expert confirms that malware/adware authors are working out ways to attack the M1. He found that malware authors are natively compiling code for M1 systems. This code is found within a universal/fat binary, so that their malicious creations retain compatibility with older (Intel-based) systems.

Reference: https://objective-see.com/blog/blog_0x62.html
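To triage the kind of universal binary described above, the following added example (not code from the objective-see post) reads the Mach-O fat header and reports which architecture slices it carries, which is the same answer `lipo -archs` gives on macOS; the header bytes are constructed inline for the demonstration.

```python
import struct

FAT_MAGIC = 0xCAFEBABE          # big-endian magic of a Mach-O universal (fat) header
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C     # cputype of an Apple Silicon (M1) slice

def fat_cpu_types(data):
    """Return the cputype of every slice listed in a universal binary header.

    Returns [] for anything else (a thin Mach-O, or a file too short to hold
    the advertised fat_arch entries). 64-bit fat headers (0xCAFEBABF) are not
    handled here.
    """
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack(">II", data[:8])
    # Java .class files share this magic; a real fat header has a small count.
    if magic != FAT_MAGIC or nfat > 32:
        return []
    types = []
    for i in range(nfat):
        off = 8 + i * 20                 # struct fat_arch is five big-endian uint32s
        if off + 20 > len(data):
            break
        cputype = struct.unpack(">IIIII", data[off:off + 20])[0]
        types.append(cputype)
    return types

def has_native_arm64_slice(data):
    """True when the universal binary carries code compiled for arm64 (M1)."""
    return CPU_TYPE_ARM64 in fat_cpu_types(data)

def build_sample_fat_header(cpu_types):
    # Constructed sample: fat header and fat_arch table only, no slice bodies.
    header = struct.pack(">II", FAT_MAGIC, len(cpu_types))
    for cputype in cpu_types:
        # cpusubtype, offset, size and align are placeholders for this check.
        header += struct.pack(">IIIII", cputype, 0, 0x4000, 0, 14)
    return header
```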

Are you worried your source code will be stolen by someone else? – Vulnerability Note VU#240785 (18th Feb 2021)

Preface: Bitbucket’s advantage over GitHub used to be that both Git and Mercurial repository hosting were available with Bitbucket.

Background: If you are a Jira user, you can import your existing Git repositories into Bitbucket. Jira Software and Bitbucket do integrate and will work with third-party build tools like Jenkins. However, the deepest integrations are with Bamboo when using Jira Software and Bitbucket.

Vulnerability details: Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs. For more details, please refer to the link or the attached diagram – https://kb.cert.org/vuls/id/240785

Remedy: https://jira.atlassian.com/browse/BSERV-12753

Ref: DLLSpy (Dynamic) – DLLSpy scans the loaded modules to figure out the loaded module list. Then it checks whether any of those modules could be hijacked by trying to write to their file location on disk, checking whether they could be overwritten. This happens after duplicating the browser’s access token, which is a weak token. The attacker does that in order to test whether they have write permission to the DLL location and to the DLL itself as a regular user.

CVE-2021-21305 – CarrierWave (18th Feb 2021)

Preface: CarrierWave provides a simple and extremely flexible way to upload files from Ruby applications. Ruby on Rails company websites are popular; they cover familiar names – Airbnb, Groupon, GitHub, Twitter, Zendesk, Bloomberg…

Background: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability.

Vulnerability details: The “#manipulate!” method inappropriately evals the content of the mutation option (:read/:write), allowing attackers to craft a string that is executed as Ruby code. If an application developer supplies untrusted input to the option, it leads to remote code execution (RCE). For more details, please refer to the diagram.

Workaround: It is recommended to stop supplying untrusted input to #manipulate!’s mutation option.

Remedy: Upgrade to 2.1.1 or 1.3.2.

Reference: RubyGems is a package manager for Ruby. It provides a standard format, “gem”, for distributing Ruby programs and libraries, and it is designed to conveniently manage gem installation tools and servers for distributing gems. This is similar to Python’s pip.

Embedded TCP/IP stack memory corruption vulnerabilities; the current status of plenty of companies is not confirmed – 16-02-2021

Preface: Embedded TCP/IP stacks have memory corruption vulnerabilities (Vulnerability Note VU#815128) – Siemens, SUSE Linux, iSCSI, FNet, Microchip Technology, Weinert Automation, Abbott Labs, ….
The current status of plenty of companies is not confirmed.

Background: The CERT Coordination Center alerted the public in December 2020 that these TCP/IP stacks have memory corruption vulnerabilities. Therefore, this design weakness is impacting the IoT world. Forescout Research Labs discovered 33 vulnerabilities impacting millions of IoT, OT and IT devices that present an immediate risk for organizations worldwide, so called AMNESIA:33. A closer look at the vulnerability checklist shows that plenty of the vulnerabilities result in denial of service and info leaks. Furthermore, the CVE-2020-24336 and CVE-2020-24338 flaws allow an attacker to do remote code execution (RCE).

Security focus: The serious impact is RCE caused by defects in the DNS function shown in the report issued by Forescout. The report shows that the processing of DNS queries and responses has plenty of issues. Refer below:

  • no check on whether a domain name is null-terminated
  • DNS response data length is not checked
  • the number of DNS queries and responses (set in the DNS header) is not checked against the data present
  • the length byte of a domain name in a DNS query and response is not checked and is used for internal memory operations
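As an added example (not Forescout’s code nor any of the affected stacks), the following Python parser for the DNS question section performs the checks listed above: it refuses a name without a zero terminator, a label length byte that is out of range or points past the buffer, and a header count that claims more questions than the data holds. The query messages are constructed inline, and compression pointers are rejected rather than followed to keep the example short.

```python
import struct

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets

def parse_name(msg, off):
    """Parse one domain name at msg[off] and return (name, next_offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message (no zero terminator)")
        length = msg[off]
        if length == 0:                 # zero-length label terminates the name
            return (".".join(labels) or "."), off + 1
        if length > MAX_LABEL:          # also rejects 0xC0 compression pointers
            raise ValueError("invalid label length byte %d" % length)
        if off + 1 + length > len(msg):
            raise ValueError("label length byte points past end of message")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length

def parse_questions(msg):
    """Parse the header and question section, checking QDCOUNT against the data."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    qdcount = struct.unpack(">H", msg[4:6])[0]
    off, questions = 12, []
    for _ in range(qdcount):
        if off >= len(msg):
            raise ValueError("QDCOUNT claims more questions than the data holds")
        name, off = parse_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("question truncated before QTYPE/QCLASS")
        questions.append((name,) + struct.unpack(">HH", msg[off:off + 4]))
        off += 4
    return questions

def validate(msg):
    """None if msg parses cleanly, otherwise the reason it was rejected."""
    try:
        parse_questions(msg)
        return None
    except ValueError as e:
        return str(e)

def build_query(labels, qdcount=1):
    # Constructed sample: 12-byte header (ID 0x1234, RD set) plus one A/IN question.
    hdr = struct.pack(">HHHHHH", 0x1234, 0x0100, qdcount, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return hdr + name + struct.pack(">HH", 1, 1)
```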

Current status: We are still waiting for vendor responses. For details, please refer to the link – https://kb.cert.org/vuls/id/815128

Node-ps package encountered a design weakness – CVE-2020-7785 (11th Feb 2021)

Preface: Node.js is an application runtime environment that enables using JavaScript for building server-side applications that have access to the operating system, file system, and everything else needed to be fully functional. There are 8 top companies in total that rely on Node.js.

Background: Using Node.js allows organizing full-stack JavaScript development, ensuring the speed and performance of the application. Furthermore, if you are asking how to check whether a process is running by its process name, perhaps you can use the ps-node package.

Vulnerability details: The Node-ps package encountered a design weakness. An injection point was found in lib/index.js. Perhaps it should avoid using the exec() function and use execFile() instead. The execFile() function executes a single command and does not spawn a shell by default, which makes it safer than exec().

Remark: By default, pipes for stdin, stdout, and stderr are established between the parent Node.js process and the spawned subprocess.

Official announcement: https://nvd.nist.gov/vuln/detail/CVE-2020-7785