Category Archives: Potential Risk of CVE

CVE-2022-23711 A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source (21st Apr, 2022)

Preface: According to a market survey, 3723 companies reportedly use Elasticsearch in their tech stacks, including Uber, Shopify, and Udemy. Perhaps some of those 3723 companies use Kibana at the same time.

Background: As suggested by Elasticsearch, customers can install Kibana on the same server as Elasticsearch. But that’s not the only setup method that can be used.

Elasticsearch allows you to store, search, and analyze huge volumes of data quickly and in near real time, giving back answers in milliseconds. It is able to achieve fast search responses because, instead of searching the text directly, it searches an index.

By default, data is retrieved from the cluster specified in the elasticsearch.hosts value in the kibana.yml file. If you want to retrieve it from a different cluster, set monitoring.ui.elasticsearch.hosts.

Kibana is a free and open user interface that lets you visualize your Elasticsearch data and navigate the Elastic Stack. Do anything from tracking query load to understanding the way requests flow through your apps.

Vulnerability details: A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information. The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring. The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source.

Doubt: Kibana can retrieve monitoring event logs; see the attached diagram (item 5). User IDs and passwords are not encrypted. Since the vulnerability is not described in detail, is this the reason it is said to expose sensitive information?

Official announcement: For official details, please refer to the link https://discuss.elastic.co/t/kibana-7-17-3-and-8-1-3-security-update/302826

CVE-2022-29527 – Hiccups: AWS amazon-ssm-agent sudoers file default permission (20th April 2022)

Preface: Security misconfiguration vulnerabilities take place when an application component is vulnerable to attack as a result of an insecure configuration option or a misconfiguration.

Background: AWS Systems Manager (formerly known as SSM) is Amazon software that runs on Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs), including VMs in other cloud environments. A managed node is any machine configured for Systems Manager. SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources.

System administrators can securely connect to Amazon EC2 instances using AWS Systems Manager Session Manager. Session Manager is a browser- or CLI-based shell that enables you to connect to Amazon EC2 instances without the need to open ports.
However, AWS Systems Manager SSM Agent (version 2.3.68.0 or later) must be installed on the EC2 instance.
By default, sessions are launched using the credentials of a system-generated ssm-user account that is created on the managed node. (On Linux and macOS machines, this account is added to /etc/sudoers.d.)
Starting with version 2.3.50.0 of SSM Agent, the agent creates a local user account called ssm-user and adds it to the /etc/sudoers.d directory (Linux and macOS) or to the Administrators group (Windows Server).

Vulnerability details: Amazon AWS amazon-ssm-agent before 3.1.1208.0 creates a world-writable sudoers file, which allows local attackers to inject Sudo rules and escalate privileges to root. This occurs in certain situations involving a race condition.

Ref: In layman's terms, a race condition is a condition in which two or more threads compete for a shared resource; for example, thread A is reading data from a linked list while thread B is trying to delete the same data.

Data in world-writable files can be read, modified, and potentially compromised by any user on the system. If ssm-user has had its sudo access removed for some reason and the sudoers file is world-writable, a non-admin user can restore that sudo access. For example: change the working directory (cd /etc/sudoers.d), open the file named ssm-agent-users for editing and add the following line:
ssm-user ALL=(ALL) NOPASSWD:ALL
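As an added example (not AWS or SSM Agent code), the following C audit walks a sudoers.d directory and reports fragments that are group- or world-writable, the condition behind this CVE, together with any NOPASSWD:ALL grant they contain; the directory path, file names and rules used in testing are constructed.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One record per sudoers fragment that deserves attention. */
struct sudoers_finding {
    char name[256];
    int world_writable;   /* o+w: any local user can append rules (the CVE-2022-29527 condition) */
    int group_writable;   /* g+w: still not the 0440 mode sudo expects for fragments */
    int nopasswd_all;     /* number of rule lines granting NOPASSWD:ALL */
};

/* Does this rule line grant "NOPASSWD:ALL" (whitespace after the colon allowed)? */
static int grants_nopasswd_all(const char *line)
{
    const char *t = strstr(line, "NOPASSWD:");
    if (!t)
        return 0;
    t += strlen("NOPASSWD:");
    while (*t == ' ' || *t == '\t')
        t++;
    return strncmp(t, "ALL", 3) == 0 && strchr(" \t\r\n", t[3]) != NULL;
}

/* Scan dir (normally /etc/sudoers.d) for fragments with weak permissions or passwordless
 * full-root grants. Writes up to max findings to out[] and returns how many, or -1 if the
 * directory cannot be opened. Only regular files are examined. */
int audit_sudoers_dir(const char *dir, struct sudoers_finding *out, int max)
{
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    int n = 0;
    struct dirent *e;
    while (n < max && (e = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        if (e->d_name[0] == '.')
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;
        struct sudoers_finding f;
        memset(&f, 0, sizeof f);
        snprintf(f.name, sizeof f.name, "%s", e->d_name);
        f.world_writable = (st.st_mode & S_IWOTH) != 0;
        f.group_writable = (st.st_mode & S_IWGRP) != 0;
        FILE *fp = fopen(path, "r");
        if (fp) {
            char line[1024];
            while (fgets(line, sizeof line, fp))
                if (line[0] != '#' && grants_nopasswd_all(line))
                    f.nopasswd_all++;
            fclose(fp);
        }
        /* A NOPASSWD:ALL grant is legitimate for ssm-user, but list every one so a reviewer
         * can confirm it, and always list fragments that other users could have edited. */
        if (f.world_writable || f.group_writable || f.nopasswd_all)
            out[n++] = f;
    }
    closedir(d);
    return n;
}
```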

Remedy: Amazon SSM Agent – Release 3.1.1260.0 – 2022-04-12. Please refer to the link for details – https://github.com/aws/amazon-ssm-agent/releases/tag/3.1.1260.0

CVE-2022-24826 – Git LFS can execute a binary from the current directory on Windows (19th April 2022)

Preface: In small to medium size firms, software developers are busy achieving their company's objectives, and cyber security is perhaps not a priority in their awareness. Software version control is a major success factor in their software development, so perhaps they will make use of Git LFS (Large File Storage).

Background: What is Git LFS? Git LFS (Large File Storage) is a Git extension developed by Atlassian, GitHub, and a few other open source contributors that reduces the impact of large files in your repository by downloading the relevant versions of them lazily. The git repository is GitHub. It is free unless you want to create a private repository; for private repositories you have to pay a monthly price, but it is not mandatory. GitHub's recommended maximum file size is 50 MB. If your push operation fails because a file exceeds the size limit, the solution is to install Git Large File Storage support.

Managing large files such as audio, video and graphics files has always been one of the shortcomings of Git. The general recommendation is to not have Git repositories larger than 1 GB to preserve performance.

Vulnerability details: On Windows, if Git LFS operates on a malicious repository with a ..exe file as well as a file named git[.]exe, and git[.]exe is not found in PATH, the ..exe program will be executed, permitting the attacker to execute arbitrary code.
Similarly, if the malicious repository contains files named ..exe and cygpath[.]exe, and cygpath[.]exe is not found in PATH, the ..exe program will be executed when certain Git LFS commands are run.

Remark: This does not affect Unix systems.

Remedy: Git LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in PATH rather than passing an empty string to the Go os/exec package in this case.

The bug in the Go os/exec package has been reported to the Go project and is expected to be patched after this security advisory is published.

The problem was introduced in v2.12.1 and is patched in v3.1.3 and v3.1.4. Users of affected versions should upgrade to v3.1.4.
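The Git LFS fix is in Go, but the rule it applies carries over to any language: a PATH lookup must fail loudly when the program is not found and must never fall back to the current directory. The following C function is an added example of that rule (not Git LFS or Go project code); the path_env parameter and the file names used in testing are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve `name` to an absolute executable path using only the directories listed in
 * `path_env` (colon-separated, passed in explicitly so the search is testable). Returns 0 and
 * fills `out` on success, -1 otherwise. Mirrors the Git LFS fix: "not found" is an error, never
 * an empty string that a later exec step could turn into "run whatever sits in the current
 * directory". Empty and relative PATH entries are skipped for the same reason. */
int find_in_path(const char *name, const char *path_env, char *out, size_t out_len)
{
    if (!name || !*name || strchr(name, '/') || !path_env)
        return -1;                          /* empty name or a path: not a PATH lookup */
    const char *p = path_env;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t dlen = end ? (size_t)(end - p) : strlen(p);
        if (dlen > 0 && p[0] == '/') {      /* "" means CWD and relative dirs depend on it */
            char cand[4096];
            struct stat st;
            int n = snprintf(cand, sizeof cand, "%.*s/%s", (int)dlen, p, name);
            if (n > 0 && (size_t)n < sizeof cand && stat(cand, &st) == 0 &&
                S_ISREG(st.st_mode) && access(cand, X_OK) == 0) {
                if ((size_t)n >= out_len)
                    return -1;              /* caller's buffer too small: fail, don't truncate */
                memcpy(out, cand, (size_t)n + 1);
                return 0;
            }
        }
        if (!end)
            break;
        p = end + 1;
    }
    return -1;                              /* not found anywhere on PATH: report, don't guess */
}
```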

CVE-2022-28893 – Sun Microsystems no longer exists, but SunRPC is still working on Linux (14th April 2022)

Preface: ONTAP, also known as Data ONTAP, Clustered Data ONTAP or Data ONTAP 7-Mode, is NetApp's proprietary operating system used in storage disk arrays such as NetApp FAS and AFF, ONTAP Select and Cloud Volumes ONTAP. RHEL 6.3 and later can be used with NetApp Clustered Data ONTAP. This setup integrates with SunRPC (UNIX network programming).
Remark: RHEL 6.3 reached end of life on November 30, 2020. Additionally, Extended Lifecycle Support will end on June 30, 2024.

Background: The Remote Procedure Call (SunRPC) protocol provides a way to run procedures on a remote machine. RPC is used heavily in UNIX to implement many protocols, for example NFS and NIS. The RPC protocol is designed to be machine, operating system, network architecture, and transport protocol independent.
Sun RPC does not have a network-wide binding service. Instead it provides a local binding service called the port mapper, which runs on every computer. Each instance of a port mapper records the port in use by each service running locally. The port mapper assigns a unique TCP/UDP port number to an RPC program. Upon starting, the Network File System uses the port map to listen to and send data to specific ports.

Vulnerability details: The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.

Highlight of one of the technical issues – In the C programming language, the function malloc() is used to allocate memory space of the requested size for use by the program. When a program needs to read or write data in memory, it uses pointers. When the program is done using the data, it can use the function free() to free the memory.
It is important to note that free() just marks the block of memory as free and available for reuse. It does not clear any data stored in the memory block, nor does it clear the pointers that the program uses to refer to the memory block.

Remedy: Ensure we flush any closed sockets before xs_xprt_free().

For solution details, please refer to the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1a3b1bba7c7a5eb8a11513cf88427cb9d77bc60a

CVE-2022-29156 – drivers/infiniband/ulp/rtrs/rtrs-clt[.]c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release (13th April 2022)

Preface: In fact, when the details of a vulnerability are announced, it is hard to guess when it first appeared. This is a well-known fact in the cybersecurity community. However, security analysts and researchers don't mind the delay, since the goal is to fix the problem and avoid a similar vulnerability in another product.
For example, the details of the fix for this vulnerability were released on February 18, 2022, but the details of the vulnerability were only revealed this week.

Background: Currently, there are three technologies that support RDMA: InfiniBand, Ethernet RoCE and Ethernet iWARP. All three technologies share a common user API but have different physical and link layers.
InfiniBand (IB) is a computer network communication standard for high-performance computing with extremely high throughput and low latency. Six of the top ten high-performance computing (HPC) and artificial intelligence (AI) supercomputers on the June 2019 TOP500 list deployed InfiniBand technology.

Vulnerability details: CVE-2022-29156 – drivers/infiniband/ulp/rtrs/rtrs-clt[.]c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.

Traditionally, the kfree() function is paired with the kmalloc() function to free a section of memory starting at address objp.
What is objp? The memory address, usually the return value of the kmalloc() function, that is, the pointer to the starting address of the allocated memory block.

In practice, double-freeing a block of memory will corrupt the state of the memory manager, which might cause existing blocks of memory to get corrupted or for future allocations to fail in bizarre ways (for example, the same memory getting handed out on two different successive calls of malloc). Double frees can happen in all sorts of cases.

  • kmalloc() can be called only in kernel-space
  • malloc() can be called in user-space and kernel-space

Reason (Official announcement): Callback function rtrs_clt_dev_release() for put_device() calls kfree(clt) to free memory. We shouldn’t call kfree(clt) again, and we can’t use the clt after kfree too.

Solution: Replace device_register() with device_initialize() and device_add() so that dev_set_name() can be used appropriately. Move mutex_destroy() to the release function so it can be called in the alloc_clt error path.

Do mutexes need to be destroyed? Implementations are required to allow an object to be destroyed and freed and potentially unmapped immediately after the object is unlocked.

The following versions of rtrs-clt[.]c contain the fix for this vulnerability:
v5.18-rc2 v5.18-rc1 v5.17 v5.17-rc8 v5.17-rc7 v5.17-rc6

About CVE-2022-26151 – Citrix Endpoint Management (XenMobile Server), whether to remediate a design flaw discovered in 2018 (12th April 2022)

Preface: Public Key Infrastructure is the proven solution for authentication, encryption and data integrity. DigiCert PKI solutions are built on trust. Public trust. Private trust. And the world’s most trusted roots. XenMobile Server GPKI support includes DigiCert Managed PKI, also referred to as MPKI.

Background: XenMobile Server GPKI support includes DigiCert Managed PKI, also referred to as MPKI. The requirements include a Windows Server 2012 R2 server with the following components installed:

– Java
– Apache Tomcat (Install Apache Tomcat on Windows Server)
– DigiCert PKI Client
– Portecle

Vulnerability details: CVE-2022-26151 – The underlying operating system in Citrix XenMobile Server allows unauthorized root access. For the official announcement of details, please refer to the Citrix Endpoint Management (XenMobile Server) Security Bulletin for CVE-2021-44519, CVE-2021-44520, and CVE-2022-26151. The URL is shown below:

https://support.citrix.com/article/CTX370551

CVE-2022-26151 – Unauthorized root access to the underlying OS – CWE-20: Improper Input Validation – Admin access to XenMobile Server CLI

Speculation: The vendor did not provide vulnerability details, but the problem can happen in the following area:

XenMobile server (that is, localhost).

This Tomcat server allows callers to execute a variety of commands that should not be available to unauthenticated users. For example:

  • Change the administrator password (/admin_user/cli/reset_password)
  • Create a new administrator (/admin_user/ui/create1)
  • Decrypting passwords (/sftu/crypto/dec)
  • Dropping firewall rules (/firewall/iptables_stop)

Workaround: Mitigated by the internal firewall that limits access to configuration services to localhost.

Remedy:

CVE-2021-44519, CVE-2021-44520 – Medium severity:
XenMobile Server 10.14.0 rolling patch 4 and later releases of 10.14.0
XenMobile Server 10.13.0 rolling patch 7 and later releases of 10.13.0

CVE-2022-26151 – Low severity:
XenMobile Server 10.14.0 rolling patch 5 and later releases of 10.14.0
XenMobile Server 10.13.0 rolling patch 8 and later releases of 10.13.0

CVE-2022-22954 VMware Workspace ONE Access and Identity Manager encountered server-side template injection vulnerability (6 April 2022)

Preface: Several vulnerabilities in VMware products (CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, and CVE-2022-22958) are reported to be at high risk of being exploited. System administrators should immediately install patches to affected systems to reduce the risk of cyber-attacks.

Background: VMware Workspace ONE is an intelligence-driven digital workspace platform that enables you to simply and securely deliver and manage any app on any device, anywhere. You can add Web applications to the Workspace ONE Access catalog and assign them to users and groups to provide users access to these applications from the Workspace ONE Intelligent Hub app and portal. You configure single sign-on (SSO) to the applications by using a federation protocol such as SAML 2.0 to configure the applications.

Vulnerability details: CVE-2022-22954 – VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. You can create a template to enable a group of clients to register dynamically with the VMware Identity Manager service to allow users access to a specific application.

Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.

Remedy:

HW-154129 – Patch instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 in Workspace ONE Access Appliance (VMware Identity Manager) (88099) – https://kb.vmware.com/s/article/88099

HW-154129 – Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager) (88098) – https://kb.vmware.com/s/article/88098

About CVE-2022-28796 – A design flaw was found in transaction[.]c on Linux (8th Apr 2022)

Preface: JBD2 is the kernel thread of the ext4 file system. It often experiences the shadow (BH_Shadow) state during its use, which can affect system performance. To solve this problem, Alibaba Cloud Linux 2 provides an interface in version 4.19.81-17.

Background:

  • Ext3 would call an allocator for each block
    A 100MB file would need to call the allocator 25600 times for each individual block in Ext3
  • Ext4 only calls the allocator once for each file
    In Ext4, the allocator is called only once to allocate the 25600 blocks

Ext4 uses 48-bit internal addressing, making it theoretically possible to allocate files up to 16 TiB on filesystems up to 1,000,000 TiB (1 EiB). Early implementations of ext4 were still limited to 16 TiB filesystems by some userland utilities, but as of 2011, e2fsprogs has directly supported the creation of >16TiB ext4 filesystems. As one example, Red Hat Enterprise Linux contractually supports ext4 filesystems only up to 50 TiB and recommends ext4 volumes no larger than 100 TiB.

Lustre is an open source parallel distributed file system (DFS) specialized for large-scale cluster computing. The name is a portmanteau of Linux and cluster. Lustre is used by many supercomputers and large multi-cluster sites; a large percentage of supercomputers use Lustre file systems. LCOC (Lustre Cache on Client) provides a group of local caches: each client has its own local cache based on SSD. For example, LCOC uses Ext4 (Samsung SSD 850 EVO 500GB) as local cache.

Vulnerability details: CVE-2022-28796 – jbd2_journal_wait_updates in fs/jbd2/transaction[.]c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

In the case of traditional use-after-free vulnerabilities, the absence of a locking mechanism lets an attacker create a race condition in the device mechanism and trigger a use-after-free. But the developers discovered the following reason:
jbd2_journal_wait_updates() is called with j_state_lock held in normal circumstances. But if there is a commit in progress, this transaction might get committed by jbd2_journal_commit_transaction() and finally freed via jbd2_journal_free_transaction() when j_state_lock is released.

Solution: Upgrade to 5.18-rc2

About CVE-2022-22519: CODESYS V3 runtime systems (CmpWebServer) encounter buffer-over-read (7th April 2022)

Preface: President Biden's Executive Order is modernizing the Federal Government's defenses and improving the security of widely used technology. In March 2022, he urged U.S. companies operating critical infrastructure, including in the energy sector, to harden their digital defenses.

Background: CODESYS, formerly known as CoDeSys, is an acronym for Controller Development System, an Integrated Development Environment for Programmable Logic Controller applications compliant with the IEC 61131-3 standard; it is a hardware- and manufacturer-independent integrated development environment. IEC 61131-3:2013 specifies the syntax and semantics of a unified suite of programming languages for programmable controllers (PCs). The product CODESYS Control RTE SL is a real-time software PLC for PC-based industrial controllers under Windows. The runtime system has its own real-time kernel: in the absence of other hardware components or OS extensions, the system jitter can remain in the μs range.

Vulnerability details: A remote, authenticated attacker can send specially crafted HTTP or HTTPS requests causing CODESYS V3 runtime systems (CmpWebServer) to encounter a buffer over-read.
A buffer over-read is like a buffer overflow, except that it occurs during a read operation. While reading from a buffer, the program goes past the buffer boundary and reads adjacent memory.
In languages like C, programs are free to access data in any part of the virtual memory via a pointer. Because of this, buffer over-read issues can occur when pointers or their indexes are incremented beyond the bounds of the buffer (when iterating an array or reading a string), or when pointer arithmetic yields a result outside a valid memory address.

Impact: maliciously crafted inputs designed to exploit a lack of bounds checking can read parts of memory not intended to be accessible. Such over-reads may also be caused by programming errors alone.
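As an added example (not CODESYS code), the following C parser shows the bounds check that prevents a buffer over-read when a request's declared Content-Length is not backed by bytes actually received; the request bytes used in testing are constructed, and header matching is exact-case for brevity.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Find needle inside hay[0..hay_len) without ever reading past hay_len. Offset or -1. */
static long find_bounded(const char *hay, size_t hay_len, const char *needle, size_t n_len)
{
    for (size_t i = 0; n_len <= hay_len && i + n_len <= hay_len; i++)
        if (memcmp(hay + i, needle, n_len) == 0)
            return (long)i;
    return -1;
}

/* Validate the body of an HTTP request held in buf[0..len). On success stores the body offset
 * and length and returns 0. Returns -1 when the headers are incomplete, Content-Length is
 * malformed or would overflow, or it claims more bytes than were actually received: the
 * exact condition an unchecked reader turns into a buffer over-read of adjacent memory. */
int parse_body(const char *buf, size_t len, size_t *body_off, size_t *body_len)
{
    long hdr_end = find_bounded(buf, len, "\r\n\r\n", 4);
    if (hdr_end < 0)
        return -1;                          /* header block not complete: nothing to trust yet */
    size_t hlen = (size_t)hdr_end + 4;
    static const char key[] = "\r\nContent-Length:";   /* exact case only, for brevity */
    long k = find_bounded(buf, hlen, key, sizeof key - 1);
    size_t declared = 0;
    if (k >= 0) {
        size_t i = (size_t)k + sizeof key - 1, digits = 0;
        while (i < hlen && buf[i] == ' ')
            i++;
        for (; i < hlen && isdigit((unsigned char)buf[i]); i++, digits++) {
            size_t d = (size_t)(buf[i] - '0');
            if (declared > (SIZE_MAX - d) / 10)
                return -1;                  /* value would wrap around size_t */
            declared = declared * 10 + d;
        }
        if (digits == 0 || i >= hlen || buf[i] != '\r')
            return -1;                      /* no digits, or junk after the number */
    }
    if (declared > len - hlen)
        return -1;                          /* declared length exceeds the bytes we hold */
    *body_off = hlen;
    *body_len = declared;
    return 0;
}
```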

Official announcement: For details, please refer to the link – https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17094&token=2fb188e2213c74194e81ba61ff99f1c68602ba4d&download=

About CVE-2022-28390 – Linux kernel 5.17.1 found design flaw in can/usb interface driver (4th Apr 2022)

Preface: If the workstation is running Linux kernel 5.17.1, the adjacent communications peer device will be at risk due to this vulnerability (CVE-2022-28390). As a result, it allows an attacker to execute arbitrary code on the adjacent communications peer device.

Background: The CANbus USB adapter connects a CANbus to the USB port of a PC or notebook, which also supplies the power to the adapter (no power supply needed). The CAN/USB Data Converter allows a personal computer to act as a diagnostic analyzer during development and testing of an automotive ECU (electronic control unit) or industrial field bus system that supports the CAN communications protocol.

Vulnerability details: ems_usb_start_xmit in drivers/net/can/usb/ems_usb[.]c in the Linux kernel through 5.17.1 has a double free. Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

According to the developer's (Hangyu Hua) explanation, there is no need to call dev_kfree_skb() when usb_submit_urb() fails, because can_put_echo_skb() deletes the original skb and can_free_echo_skb() deletes the cloned skb.

Known limitations: dev_kfree_skb() is just a macro that simply calls kfree_skb(). __kfree_skb() bypasses the reference count of the skb. Generally speaking, adding “__” before a function name in the kernel signals that it is to be used with caution, that is, some checks are omitted, so check before calling such functions.
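The two double-free reports on this page (rtrs_clt_dev_release() followed by a second kfree(clt) in CVE-2022-29156, and the redundant dev_kfree_skb() after can_free_echo_skb() here) share one shape: a helper already owns the free, and the caller frees again. The following user-space C model is an added example (not kernel code) that tracks live blocks so the second free is reported instead of corrupting the allocator, and it also shows that a pointer keeps its value after free(), as noted for CVE-2022-28893 above; struct clt and its helpers are simplified stand-ins for the kernel objects.

```c
#include <stdint.h>
#include <stdlib.h>

/* Tracked allocator standing in for kmalloc()/kfree(). It records the address of every live
 * block, so a second free of the same address is reported instead of silently corrupting
 * allocator state, and a pointer can be checked for liveness before it is used. */
#define MAX_LIVE 64
static uintptr_t live_blocks[MAX_LIVE];

void *dbg_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_blocks[i] == 0) {
            live_blocks[i] = (uintptr_t)p;
            return p;
        }
    free(p);                                /* table full: refuse rather than lose track */
    return NULL;
}

/* 1 if p is live. free() never resets the caller's pointer, so only this table tells live from dangling. */
int dbg_is_live(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_blocks[i] == (uintptr_t)p)
            return 1;
    return 0;
}

/* 0 on success; -1 for a double free or a foreign pointer (kfree() would corrupt the heap instead). */
int dbg_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_blocks[i] == (uintptr_t)p) {
            live_blocks[i] = 0;
            free(p);
            return 0;
        }
    return -1;
}

/* Simplified model of the rtrs_clt object: dropping the last reference runs a release
 * callback that frees the object, as put_device() -> rtrs_clt_dev_release() does. */
struct clt {
    int refs;
    void (*release)(struct clt *);
};

static void clt_release(struct clt *c) { dbg_free(c); }               /* the kfree(clt) */
static void clt_put(struct clt *c) { if (--c->refs == 0) c->release(c); }

/* alloc_clt() error path. fixed == 0 reproduces the vulnerable shape: put_device() has already
 * freed clt through the callback, then kfree(clt) runs a second time. Returns the number of
 * double frees detected (0 for the fixed path), or -1 if allocation failed. */
int alloc_clt_err_path(int fixed)
{
    struct clt *c = dbg_alloc(sizeof *c);
    if (!c)
        return -1;
    c->refs = 1;
    c->release = clt_release;
    clt_put(c);                             /* last reference dropped: callback frees c */
    if (!fixed && dbg_free(c) < 0)          /* the redundant kfree(clt) */
        return 1;
    return 0;
}
```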

Solution: upgrade to v5.18-rc1.