Preface: Software Development Life Cycle is the application of standard business practices to building software applications. It’s typically divided into six to eight steps: Planning, Requirements, Design, Build, Document, Test, Deploy, Maintain.

Background: The SAP NetWeaver development infrastructure combines the features and advantages of a local development environment (usually provided in a Java environment) and a server-based development environment, which can provide development teams with a consistent development environment and support software throughout its life cycle Development.

Component Build Service (CBS): Central build of the source files in the DTR based on the component model.

Vulnerability details: CVE-2021-33690 – Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service)

Affected Products – SAP NetWeaver Development Infrastructure (Component Build Service), Versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

Description: SSRF lets attackers send requests from the server to other resources, both internal and external, and receive responses.

Reference: If you are interested in knowing my understanding of this matter. Please refer to the picture above. The official details can be found in the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806

Preface: Public key infrastructure (PKI) governs the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.

Technical background: From a technical point of view, application software is installed on the host and provides functions (listening to data on open ports or sending data to the LAN or the Internet). Protect online data transmission based on compliance. It will deploy PKI technology. If the SSL certificate installed on the host is not verified, it may allow an attacker to deceive trusted entities by interfering with the communication path between the host and the client. The software may connect to a malicious host and think it is a trusted host, or the software may be tricked into accepting spoofed data that appears to be from a trusted host.

Vulnerability details: A vulnerability in PKI Security Solution of Dream Security could allow arbitrary command execution. This vulnerability is due to insufficient validation of the authorization certificate. An attacker could exploit this vulnerability by sending a crafted HTTP request an affected program. A successful exploit could allow the attacker to remotely execute arbitrary code on a target system.

Please refer to the link – https://boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36174

Preface: The following companies use Btrfs in production: Facebook (testing in production as of 2014/04, deployed on millions of servers as of 2018/10) Jolla (smartphone) Lavu (iPad) point of sale solution.

Background: Btrfs is an advanced file system, jointly developed by an organization, and now specific Synology NAS models support this file system.Btrfs is now the Default Filesystem on Fedora 33.

Vulnerability details: (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly validate file system metadata in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).

Cause: If process B allocated a new system chunk and process A is waiting on process B to finish creation of the respective system block group. However before process B ends its transaction handle and finishes the creation of the system block group, it attempts to allocate another chunk (like a data chunk for an fallocate operation for a very large range). process B will be unable to progress and allocate the new chunk.

*The default operation (i.e., mode is zero) of fallocate() allocates the disk space within the range specified by offset and len (off is used to pass an offset and len is used to pass a length)

Remedy: btrfs fix deadlock with concurrent chunk allocations – Refer to link: https://github.com/torvalds/linux/commit/1cb3db1cf383a3c7dbda1aa0ce748b0958759947

Preface: HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way.

Background: After the initial configuration of Workspace ONE Access is complete, administrator can go to the Workspace ONE Access console pages to install certificates, manage passwords, and download log files. You can also update the database, change the Workspace ONE Access FQDN, and configure an external syslog server.

How do I access VMware Identity Manager?
You can log in to the VMware Identity Manger console from your Workspace ONE portal page. To log in directly to the console,
VMware Identity Manager admin users can enter the following URL [/]SAAS[/]login[/]0.

Vulnerability details: The vulnerability exists due to insufficient validation of user-supplied input in the [/]cfg web app and diagnostic endpoints. A remote attacker can send a specially crafted HTTP request with a modified HTTP Host header to port 443[/]TCP and access the[ /]cfg web application, available at port 8443. As a result, a remote non-authenticated attacker can gain access to services in the internal network.

Official announcement – Please refer to the link https://www.vmware.com/security/advisories/VMSA-2021-0016.html

Preface: Alert by CISA. Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks.

Background: Because NTLM has basic design weaknesses. If cyber criminals take advantage of NTLM’s design weaknesses. The design weaknesses of converting NTLM coexist with the EfsRpcOpenFileRaw method. It such made a powerful tool to corrupt windows architecture.

Vulnerability details: Code running on any domain-joined system can trigger this function to be called on a domain controller without needing to know the credentials of the current user or any other user in an Active Directory. And because the EfsRpcOpenFileRaw method authenticates as the machine dispatching the request, this means that a user of any system connected to an AD domain can trigger an NTLM authentication request as the domain controller machine account to an arbitrary host, without needing to know any credentials. This can allow for NTLM relay attacks.

Observation: While NTLM is still supported by Microsoft, it has been replaced by Kerberos as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains. Should be confirm of your authenticaiton method on Share Point server. Do not use NTLM.

Official technical articles – Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks – https://kb.cert.org/vuls/id/405600

Preface: JSON is a text-based data format following JavaScript object syntax. Even though it closely resembles JavaScript object literal syntax,
it can be used independently from JavaScript, and many programming environments feature the ability to read (parse) and generate JSON.

Background: Java application developer oftentimes need to combine objects into a single one which contains all the individual properties of its constituent parts. This operation is called merging. The two most common ways of doing display below:

• Using the spread operator (…)
• Using the Object.assign() method

Perhaps, developers may using another tool. For example: Deepmergefn
Alernative to deepmerge and Lodash_.merge.

Vulnerability details: JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

Workaround:

– Avoid using unsafe recursive merge functions.
-Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

Status: There is no fixed version release yet.

Preface: In order to expand business development, software products sometimes use similar engineering designs. When vulnerabilities occur, their effects seem to be interrelated.

Privilege Escalation Attack Techniques: A low-privileged process from being escalated via a token stolen from a process with greater privileges. This technique is often used in tandem with another vulnerability to successfully deliver and run an attacker’s malicious code with system permissions.

Perhaps attacker not use this way now. But in past, Scheduled tasks can also be used to bypass User Account Control (UAC) and escalate privileges, when misusing system actions such as antivirus update for example. As this command is marked with auto-elevating, it will run with elevated privileges without prompting the user through UAC. The key is that it uses a user controlled environment variable as part of the path, which can be manipulated.

Vulnerability details:

CVE-2021-32464 – An incorrect permission assignment privilege escalation vulnerability in Trend Micro Apex One and Apex One as a Service could allow an attacker to modify a specific script before it is executed.
CVE-2021-32465 – An incorrect permission preservation vulnerability in Trend Micro Apex One and Apex One as a Service could allow a remote user to perform an attack and bypass authentication on affected installations.
CVE-2021-36741 – An improper input validation vulnerability in Trend Micro Apex One and Apex One as a Service allows a remote attached to upload arbitrary files on affected installations.
CVE-2021-36742 – A improper input validation vulnerability in Trend Micro Apex One and Apex One as a Service allows a local attacker to escalate privileges on affected installations.

Remedy by vendor:

Security Bulletin for Worry-Free Business Security – https://success.trendmicro.com/solution/000287820

Security Bulletin for Trend Micro Apex One and Apex One as a Service – https://success.trendmicro.com/solution/000287819

Preface: The computer behind the robots performance is the Programmable Logic Controllers (PLCs). PLCS are able to control the robots and help them do their job at very specific times and points in the production process.

Product background: The KR C4 software architeture integrates Robot Control, PLC Control, Motion Control (e.g. KUKA.CNC) and Safety Control. All controllers share a database and infrastructure.

KUKA System Software (KSS)
In the case of the KR C4 compact robot controller, safety options such as SafeOperation are only available via the Ethernet safety interface from KSS/VSS 8.3 onwards. From KSS 8.3 and from motherboard D3236-K onwards: Board Package USB stick in the USB port.

Vulnerability details: Multiple vulnerabilities in KUKA KR C4

Vulnerable software versions
– KSS: All versions
– KR C4: before 8.7 (hardware)

For the possibility of this vulnerability, please refer to the attached diagram.

CISA security advisory: Please refer to the link – https://us-cert.cisa.gov/ics/advisories/icsa-21-208-01

Workaround: If you are not able to do the any corrective action immediately. You should following vendor recommendation to install the antivirus to enforce the protection. Ikarus antivirus is the only one tested with kuka they don’t recommend any others due to testing.

Preface: Internet of Things (IoT) and machine-to-machine (M2M) technologies need to use a messaging and connectivity protocol in order to exchange information from a remote location.

Background: MQTT is a binary-based protocol and has command and command acknowledgement format. So every time a client sends a command to the broker, the broker sends an acknowledgement. This communication protocol is actually based on the TCP/IP protocol. So first there will be a TCP connection establishment and then there will be MQTT connection establishment and then the data transfer will occur. After which TCP connection will be terminated.

An MQTT broker is a server that receives all messages from the clients and then routes the messages to the appropriate destination clients.

Vulnerability details: In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.

Remedy: The design weakness was patched in version 2.08.

Client library: Fix mosquitto_{pub|sub}_topic_check() functions not returning MOSQ_ERR_INVAL on topic == NULL.

Causes: Under following condition, it will returns MOSQ_ERR_INVAL if the topic string is too long.