Preface: (DLL) side-loading is an increasingly popular cyber attack method that takes advantage of how Microsoft Windows applications handle DLL files.

Background:

Where is the Citrix VDA?
By default, the supportability MSI is installed in C:\Program Files (x86)\Citrix\Supportability Tools\ . You can change this location on the Components page of the VDA installer’s graphical interface, or with the /installdir command-line option.

Vulnerability Details: A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.

One of the possibilities: What if the C:\Program File\Citrix\ICA Client directory is configured with incorrect permissions and allows any user add file? A malicious version of the DLL file could be planted in this directory, allowing a local attacker to execute arbitrary code in the context of any other user who would run this application. Although that’s DLL searh order hijacking, the first variant is also sometimes rightly or wrongly called DLL Sideloading. It is mostly used by malwares but it cab also be used for privileges escalation.

Official details: https://support.citrix.com/article/CTX319750

Preface: As a digital identity decision maker in your organization, you already know that in today’s new reality are the cyber security challenges. Centrally manage access permissions to meet best practices in identity management.

Product Background: ForgeRock Access Manager/OpenAM supports a wide range of authentication modules (see diagram) that can be configured together using authentication chains, and authentication nodes that can be configured together using authentication trees. After you configure AM authentication, users can authenticate to AM using a browser or a REST API.

Vulnerability details: A pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. Exploit a single GET/POST request can execute a code execution. The design weakness cause by unsafe Java object deserialization. The proof-of-concept tool can generating payloads that exploit unsafe Java object deserialization to shown the design weakness of ForgeRock Access Manager product. This vulnerability was patched in ForgeRock AM version 7.0 by entirely removing the “/ccvesion” endpoint, along with other legacy endpoints that use Jato. Furthermore Jato framework has not been updated for many years, so all other products that rely on it may still be affected. ForgeRock have provided a workaround for people still running 6.X.

AM Security Advisory #202104 – https://backstage.forgerock.com/knowledge/kb/article/a47894244

Preface: Microsoft has assigned CVE-2021-34527 to PrintNightmare. CVE-2021-1675 is similar but distinct from CVE-2021-34527.

Background: There is a vulnerability nickname PrintNightmare. PrintNightmare is not the same as CVE-2021-1675, which was fixed in the patch in June. there is currently no patch available for PrintNightmare.

Technical Details: The vulnerability numbered CVE-2021-34527 is the same RCE vulnerability in Print Spooler as CVE-2021-1675 that has attracted attention this week. Microsoft explained that it was caused by improper execution of the file by the Print Spooler service. To exploit this vulnerability, the attacker must be an authenticated user and execute RpcAddPrinterDriverEx(). Successful miners can execute arbitrary code with SYSTEM privileges.

Microsoft has addressed this issue in the updates for CVE-2021-34527. However, the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1. For this reason, please consider the workarounds before Microsoft release the patch.

Workaround: Microsoft has listed several workarounds in their advisory for CVE-2021-34527. For more details, please refer to link.https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Preface: Artificial intelligence (AI) has the potential to overcome the physical limitations of capital and labor and open up new sources of value and growth.

Background: Apache Jena is a free and open source Java framework for building semantic web and Linked Data applications. The framework is composed of different APIs interacting together to process RDF data. Apache Jena Fuseki – SPARQL server which can present RDF data and answer SPARQL queries over HTTP.

Apache Jena Fuseki is a SPARQL server. It can run as a operating system service, as a Java web application (WAR file), and as a standalone server.

RDF is a standard for data interchange that is used for representing highly interconnected data. Each RDF statement is a three-part structure consisting of resources where every resource is identified by a URI. Representing data in RDF allows information to be easily identified. And interconnected by AI systems.

Vulnerability details: A vulnerability classified as problematic has been found in Apache Jena Fuseki up to 4.0.0. Affected is an unknown code block of the component HTML Page Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability.

Remediation: Users are advised to upgrade to Apache Jena 4.1.0 or later.

Preface: Similar vulnerability with another CVE record was announced on Feb 2021. Perhaps Citrix waiting for other vendor response and confirmation . Whereby, supculated that this is one of the possible factor of the announcement by the Citrix on Friday (25th June, 2021).

Background: How is memory allocated when recursive functions are called? Calling a function recursively is done just like any other function. So the memory will be allocated the same way as if you are calling any regular function.

Vulnerability Details: Two security issues (CVE-2021-3416 & CVE-2021-20257) have been identified in Citrix Hypervisor 8.2 LTSR, each of which may allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues only affect Citrix Hypervisor 8.2 LTSR.

Ref: A recursive function calls itself, so the memory for a called function is allocated on top of the memory allocated for calling the function. Remember, a different copy of local variables is created for each function call.
How is memory allocated when recursive functions are called?
Each recursive call pushes a new stack frame in that manner, then pops it when it returns. If the recursion fails to reach a base case, the stack will rapidly be exhausted leading to the eponymous Stack Overflow crash.

Official announcement – https://support.citrix.com/article/CTX316325

Preface: An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as `openssl[.]cnf’ in an unrestricted directory which would allow code to be executed with elevated privileges,” VMware said.

Background:

VMware App Volumes provides a system to deliver applications to desktops through virtual disks. Installing App Volumes involves installing the App Volumes Manager, App Volumes agents, and related components.
The installers for VMware Tools for Windows is built into VMware Workstation as ISO image files. The new features of VMware Tools for Windows (11.2.6) including OpenSSL version has been updated to 1.1.1k.
VMware Remote Console Open-source components have been updated, including jansson 2.10, libjpeg-turbo 2.0.5, libgksu 2.0.13, openssl 1.1.1h, pcre 8.44, sqlite 3.23.3, and rsvg 2.40.21.

Vulnerability details: VMware Tools for Windows (11.x.y prior to 11.2.6), VMware Remote Console for Windows (12.x prior to 12.0.1) , VMware App Volumes (2.x prior to 2.18.10 and 4 prior to 2103) contain a local privilege escalation vulnerability.

One of the possibilities: The vmware-vdiskmanager (command line utility) work with libeay32.dll[.] OpenSSL default of “[/]usr[/]local[/]ssl” is used in linux, but in windows it translates to c:[\]usr[\]local[\]ssl.

If a low privilege user creates the directory structure c:[\]usr[\]local[\]ssl[\], copies an openssl.cnf file and malicious .dll library inside it will result is arbitrary code execution when the command line (vmware-vdiskmanger) is executed. Furthermore, VDDK working with some of DLLs (ssleay32.dll, libeay32.dll, diskLibPlugin.dll) because VDDK needs to maintain state information and callback functions. Therefore, the privileges escalation vulnerability will be occurred.

Official announcement (CVE-2021-21999) – https://www.vmware.com/security/advisories/VMSA-2021-0013.html

Ref: There is another vulnerability on other products. VMware Carbon Black App Control update address authentication bypass (CVE-2021-21998) – https://www.vmware.com/security/advisories/VMSA-2021-0012.html

Preface: REST API has similar vulnerabilities as a web application. The possibilities will be from various threats, such as Man-in-the-Middle attacks, lack of XML encryptions, insecure endpoints, API URL parameters, ..etc.

Technical background: Cortex XSOAR is the Security Orchestration, Automation and Response (SOAR) solution from Palo AltoNetworks. Cortex XSOAR (formerly Demisto) is able to configuration with active API Key integrations. In Cortex XSOAR Server, you can add Integration.

1. Go to Cortex XSOAR, then to Settings -> Integrations, search for iLert integration and click on the Add instance button.

2. On the modal window, name the instance, paste the iLert API Key that that you generated in iLert and click on the Save & exit button.

Vulnerability details: The vulnerability exists due to an error in the REST API. A remote attacker can bypass authentication process and gain unauthorized access to the application.

Note: This vulnerability affects only to Cortex XSOAR configurations with active API key integrations.

Ref: Perhaps it can exploit IDOR vulnerability. For instance – The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If the application does not perform user verification, the attacker can access any user’s account or other methods.

Official announcements and remedies – https://security.paloaltonetworks.com/CVE-2021-3044

Preface: OPC UA Stack is not only vulnerable but also has a range of significant fundamental problems.

Background: The UA SDK is a C++ library that supports you in writing portable C++ OPC UA Servers and Clients. The UA SDK actually consists of two SDKs, a Server SDK and a Client SDK. Both use the same UA Base Library which does all the C++ encapsulation of the raw ANSI C types
that are defined in the OPC UA Communication Stack by the OPC Foundation.

Vulnerability details: OPC UA C++ SDK is vulnerable to a denial of service, caused by improper restriction of operations within
the bounds of a memory buffer. A remote attacker could exploit this vulnerability to cause the system to crash.

In the OPC UA Stack. OPC Foundation developers provide libraries that are essentially a set of exported functions based on a specification, similar to an API.
In this vulnerability, the exported library functions don’t properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations.

Remedy: Click here to download the latest software package from the Softing website. https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks.html

ICS Advisory (ICSA-21-168-02) – https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02