Category Archives: Potential Risk of CVE

About CVE-2021-43812: Are you using nextjs-auth0? (16th Dec, 2021)

Preface: The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications.

Background: Auth0 offers two ways to implement login authentication for your Next.js applications:

  • Universal Login where users log in to your application through a page hosted by Auth0.
  • Embedded Login where users log in to your application through a page you host.

Vulnerability details: If you use the nextjs-auth0 authorization solution, the client application redirects the user to the Auth0 server for authentication, and Auth0 handles all the required authentication and authorization logic (sign-up, sign-in, MFA, consent, and so on). Once users log in, Auth0 redirects them back to your application with an Authorization Code in the query string. Versions of the SDK before 1.6.2 do not filter out certain returnTo parameter values from the login URL, which exposes the application to an open redirect vulnerability.

An open redirect lets an attacker send users from one site to another. The potential risk of this vulnerability is that, when an attacker exploits it, it can be combined with other vulnerabilities (for example, server-side request forgery, XSS-Auditor bypass and OAuth vulnerabilities) to increase the impact.
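The filtering the advisory talks about comes down to one rule: a returnTo value is only safe if it is a local path, and "starts with a slash" is not the same as "local". The example below is added here as an illustration and is not nextjs-auth0 code; is_safe_return_to() and choose_redirect() are names chosen for this demo, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Conservative post-login redirect check (constructed for this example).
 * Rule: only a local absolute path is accepted; everything else falls back. */
bool is_safe_return_to(const char *return_to)
{
    if (return_to == NULL || return_to[0] == '\0')
        return false;                 /* nothing supplied: caller picks a default */
    if (return_to[0] != '/')
        return false;                 /* "https://...", "javascript:...", relative paths */
    /* Browsers read "//host/x" and "/\host/x" as protocol-relative URLs,
     * so a value that starts with a slash is not automatically local. */
    if (return_to[1] == '/' || return_to[1] == '\\')
        return false;
    /* Control characters (CR, LF, TAB, ...) have no place in a Location header. */
    for (const unsigned char *p = (const unsigned char *)return_to; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return false;
    return true;
}

/* Pick the redirect target: the requested value if it is safe, else the fallback. */
const char *choose_redirect(const char *requested, const char *fallback)
{
    return is_safe_return_to(requested) ? requested : fallback;
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "/dashboard", "//evil.example/", "/\\evil.example",
                              "https://evil.example/", "dashboard", "/ok\r\nX-Injected: 1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> redirect to %s\n", i, choose_redirect(samples[i], "/"));
    return 0;
}
```

The check deliberately rejects more than it needs to (for instance a legitimate absolute URL back to your own host): an allow-list of your own origins could be added, but the safe default is a relative path plus a fixed fallback.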

Reference: Next.js is a JavaScript framework created by Zeit. It lets you build server-side rendered and static web applications using React. Key applications and companies leveraging the power of React Native include Facebook, Instagram, Walmart, Bloomberg, Tesla…

Official announcement: https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp

About CVE-2021-39656 (Android), are you interested to know? (15-12-2021)

Preface: The biggest advantage of Android is actually in hardware, not software. The best part of the Android platform is that it is flexible in accommodating third-party applications, which lets the Android user add more functionality to his/her mobile device.

Background: Configfs is a ram-based filesystem that provides the converse of sysfs’s functionality. Where sysfs is a filesystem-based view of kernel objects, configfs is a filesystem-based manager of kernel objects, or config_items.

Both sysfs and configfs can and should exist together on the same system. One is not a replacement for the other.

Privileged or kernel mode is the processing mode that allows code to have direct access to all hardware and memory in the system. When any process or program wants to use functionality controlled by the operating system, it makes a system call to execute a particular set of instructions stored in the OS, and that set of instructions is executed in kernel mode.

Vulnerability details: About CVE-2021-39656: the remedy was completed in March 2021. This week’s CVE record provides a summary (see below):

In __configfs_open_file of file.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed.

Remedy: To fix this issue, remove the config_item_put in __configfs_open_file to balance the refcount of config_item. Please refer to the attached picture for details.
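Why an extra config_item_put leads to a use-after-free is easiest to see on a toy object. The model below is added here as an illustration of the refcount imbalance the remedy describes; struct item, item_get()/item_put() and the two open functions are constructed for the demo and are not the kernel's config_item code or __configfs_open_file itself. The unbalanced version drops a reference it never took on its error path, so the owner's later access lands on freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy refcounted object (constructed; not the kernel's config_item). */
struct item {
    int  refcount;
    bool freed;       /* set when the last reference goes (kfree in the kernel) */
};

static void item_get(struct item *it) { it->refcount++; }

static void item_put(struct item *it)
{
    if (--it->refcount == 0)
        it->freed = true;
}

/* The caller passes a *borrowed* reference: it already holds the item and
 * drops it later.  `alloc_fails` stands in for an error path (for example a
 * failed buffer allocation) inside the open routine. */
static int open_file_unbalanced(struct item *it, bool alloc_fails)
{
    if (alloc_fails) {
        item_put(it);   /* BUG: drops a reference this function never took */
        return -1;
    }
    return 0;
}

static int open_file_balanced(struct item *it, bool alloc_fails)
{
    if (alloc_fails)
        return -1;      /* error path leaves the caller's reference alone */
    return 0;
}

typedef int (*open_fn)(struct item *, bool);

/* Refcount the owner sees right after the open call returns. */
int refcount_after_open(bool balanced, bool alloc_fails)
{
    struct item it = { .refcount = 1, .freed = false };   /* owner's reference */
    open_fn fn = balanced ? open_file_balanced : open_file_unbalanced;
    (void)fn(&it, alloc_fails);
    return it.refcount;
}

/* owner takes ref -> open (may fail) -> owner keeps using item -> owner drops ref.
 * Returns true if the owner touched the item after it had already been freed. */
bool owner_hits_use_after_free(bool balanced, bool alloc_fails)
{
    struct item it = { .refcount = 0, .freed = false };
    open_fn fn = balanced ? open_file_balanced : open_file_unbalanced;

    item_get(&it);                 /* owner's own reference: refcount == 1 */
    (void)fn(&it, alloc_fails);    /* open failing does not end the owner's use */
    bool uaf = it.freed;           /* the owner reads the item here */
    if (!it.freed)
        item_put(&it);             /* normal release of the owner's reference */
    return uaf;
}

int main(void)
{
    printf("unbalanced, alloc fails: refcount %d, use-after-free=%d\n",
           refcount_after_open(false, true), owner_hits_use_after_free(false, true));
    printf("balanced,   alloc fails: refcount %d, use-after-free=%d\n",
           refcount_after_open(true, true), owner_hits_use_after_free(true, true));
    printf("unbalanced, success    : refcount %d, use-after-free=%d\n",
           refcount_after_open(false, false), owner_hits_use_after_free(false, false));
    return 0;
}
```

The general rule the fix restores is that every put must pair with a get taken by the same code path; an error path may only release what that function itself acquired.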

Official announcement: https://android.googlesource.com/kernel/common/+/14fbbc8297728e880070f7b077b3301a8c698ef9

CVE-2021-42064: an unpublished bug that, under certain circumstances, exposes the backend DB (14th Dec, 2021)

Preface: Oracle 10g limits a static IN clause to 1000 items. How do you get around the maximum of 1000 expressions in a list in Oracle? Any IN statement like x in (1,2,3) can be rewritten as (1,x) in ((1,1), (1,2), (1,3)), and the 1000-element limit no longer applies.

Background: SAP Commerce organizes data such as product information so that it can be propagated through multiple communication channels in a consistent and efficient way. This enables businesses to sell products across multiple distribution channels. The ORA-01792 error message indicates that the maximum number of columns in a table or view is 1000 on the remote DB; this is an unpublished design limitation.

Vulnerability details: If SAP Commerce is configured to use an Oracle database and a query is created using the flexible search Java API with a parameterized “in” clause, SAP Commerce versions 1905, 2005, 2105 and 2011 allow an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parameterized “in” clause accepts more than 1000 values.

Observation: The backend consists of the server which provides data on request, the application which channels it, and the database which organizes the information. If an attacker knows these details, SQL injection becomes easier for them.

Official details: For more details, please refer to the link – https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

About CVE-2021-44228 & CVE-2021-4097 (12th Dec 2021)

Preface: We like Java and sometimes we hate it. People think that the PHP programming language will be eliminated, but many people are still using it.

Background: Apache was a pioneer in the Web server platform market. Over time, people worried about the weaknesses of Apache’s overall design, so a group of users migrated to NGINX. In fact, Apache still has loyal fans, and the proportion is not small; it includes vendors. If people ask you who is safer, is NGINX safer than Apache? A system platform needs to work with other application components to form a service, so it doesn’t make sense to focus only on whether a single component is designed to be safe.

According to numerous open source reports, Log4j is used with Apache software like Apache Struts, Solr and Druid, along with other technologies. Apache Log4j is a very old logging framework and was the most popular one for several years. It introduced basic concepts, like hierarchical log levels and loggers, that are still used by modern logging frameworks. The development team announced Log4j’s end of life in 2015.

PHP Server Monitor (phpservermon) is a script that checks whether your websites and servers are up and running. It comes with a web-based user interface where you can manage your services and websites, and you can manage users for each server with a mobile number and email address.

Vulnerability details:

CVE-2021-44228 – Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

Ref: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

CVE-2021-4097 – A vulnerability was found in phpservermon (unknown version) and classified as critical. phpservermon is vulnerable to Improper Neutralization of CRLF Sequences. CRLF injections are vulnerabilities where the attacker is able to inject CR (carriage return, ASCII 13) and LF (line feed, ASCII 10) characters into the web application. This lets the attacker add extra headers to HTTP responses or even make the browser ignore the original content and process injected content instead.

Ref: https://www.tenable.com/cve/CVE-2021-4097

The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 still requires fine-tuning. (9th Dec 2021)

Preface: Some people say that cgi-bin is a relic of history. In today’s onerous security environment, perhaps few people use it. The truth is that cgi-bin still has room to survive.

Background: About two months ago, the proof of concept for the CVE-2021-41773 (Apache 2.4.49 & 2.4.50) vulnerability was released. The remedy is to modify the configuration in the Apache server’s httpd.conf file. As a matter of fact, the Apache server is multifunctional and highly capable, so if a software developer or web master makes a mistake in this file, it will amplify the problem when a vulnerability occurs.

Vulnerability details (CVE-2021-42013): It was found that the remedy for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
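The reason a first fix can be "insufficient" is the order of operations: if ".." is resolved before percent-decoding, or after only one round of decoding, a still-encoded ".." survives normalisation and is only turned into a real ".." later, by the filesystem mapping. The normaliser below is added here as illustration code, not httpd's ap_normalize_path(): it decodes until the string stops changing, then resolves "." and "..", and only then checks whether the result is still under the aliased prefix. The "/cgi-bin/" prefix and the sample paths are constructed for the demo.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DECODE_ROUNDS 4   /* a double-encoded ".." needs two rounds */
#define MAX_DEPTH 64

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One in-place pass of %XX decoding.  Returns the number of sequences
 * decoded, or -1 if a decoded byte is NUL (never legitimate in a path). */
static int percent_decode_once(char *s)
{
    int count = 0, hi, lo;
    char *w = s;
    for (const char *r = s; *r; r++) {
        if (*r == '%' && (hi = hexval((unsigned char)r[1])) >= 0 &&
                         (lo = hexval((unsigned char)r[2])) >= 0) {
            if ((hi << 4 | lo) == 0) return -1;
            *w++ = (char)(hi << 4 | lo);
            r += 2;
            count++;
        } else {
            *w++ = *r;
        }
    }
    *w = '\0';
    return count;
}

/* Canonicalise `in` into `out`.  Returns false if the path is relative,
 * too long, contains an encoded NUL, or climbs above the root. */
bool normalize_path(const char *in, char *out, size_t outlen)
{
    char buf[1024];
    if (in == NULL || strlen(in) >= sizeof buf || outlen < 2) return false;
    strcpy(buf, in);

    for (int round = 0; round < MAX_DECODE_ROUNDS; round++) {
        int n = percent_decode_once(buf);
        if (n < 0) return false;
        if (n == 0) break;            /* nothing left to decode */
    }
    if (buf[0] != '/') return false;

    size_t starts[MAX_DEPTH];         /* offset in `out` where each segment begins */
    size_t depth = 0, pos = 0;
    for (const char *p = buf; *p; ) {
        while (*p == '/') p++;        /* collapse runs of slashes */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);

        if (len == 1 && seg[0] == '.') continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return false;            /* would escape the root */
            pos = starts[--depth];
            continue;
        }
        if (depth == MAX_DEPTH || pos + 1 + len >= outlen) return false;
        starts[depth++] = pos;
        out[pos++] = '/';
        memcpy(out + pos, seg, len);
        pos += len;
    }
    if (pos == 0) out[pos++] = '/';
    out[pos] = '\0';
    return true;
}

/* Same check with a static result buffer; NULL means the path was rejected. */
const char *normalize_static(const char *in)
{
    static char out[1024];
    return normalize_path(in, out, sizeof out) ? out : NULL;
}

/* The Alias-style decision: trust the prefix only after full normalisation. */
bool stays_under(const char *in, const char *prefix)
{
    const char *canon = normalize_static(in);
    return canon != NULL && strncmp(canon, prefix, strlen(prefix)) == 0;
}

int main(void)
{
    const char *samples[] = { "/cgi-bin/status.cgi", "/cgi-bin/%2e%2e/secret.txt",
                              "/cgi-bin/%252e%252e/secret.txt" };   /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-32s -> %s\n", samples[i],
               stays_under(samples[i], "/cgi-bin/") ? "under /cgi-bin/" : "REJECTED");
    return 0;
}
```

Decoding until stable is the conservative choice: it rejects a literal file name that happens to contain "%25", which is rarely a loss, and it makes the ".." check independent of how many times the client encoded it.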

Reference: In addition to the above-mentioned vulnerabilities, the supplier also discovered new vulnerabilities. For more details, please refer to the link – https://httpd.apache.org/security/vulnerabilities_24.html#2.4.49

About CVE-2021-41014 – Do you think the key element will be given by Java? (8th Dec, 2021)

Preface: Perhaps we still remember the denial-of-service technique known as the slow HTTP attack. It can easily exhaust an Apache server’s resources in less than a minute. A UTM firewall contains many components, for example an SSL VPN gateway. From a technical point of view, this module is also similar to an HTTPS web server. If it contains an application filter function, it will also have a regular expression engine installed.

Background: While analyzing traffic, FortiWeb’s HTTP parser must extract and buffer each part of the request or response. The buffer allows FortiWeb to scan and/or rewrite it before deciding to block or forward the finished traffic. Buffers are not infinite: because of the physical limitations inherent in all RAM, they are allocated a maximum size. If the part of the request or response is too large to fit the buffer, FortiWeb must either pass or block the traffic without further analysis of that part.

For example, if your web applications require HTTP POST requests with unusually large parameters, you would adjust the HTTP body buffer size. For details, see http-cachesize in the FortiWeb CLI Reference.

Vulnerability details: An uncontrolled resource consumption vulnerability [CWE-400] in FortiWeb may allow an unauthenticated attacker to cause a Denial of Service to the FortiWeb’s HTTP daemon via sending a large amount of crafted HTTP requests.

My observation: Suppose this design weakness lies in the HTTP handler. Think it over: an HTTP handler is a Java component that consists of properties. The handler delivers an outbound integration message as an XML document to a URL using the HTTP or HTTPS protocol. The HTTP handler also evaluates the response code received from the external system. If this is the exact vulnerable component, maybe one of the possibilities looks like the scenario shown in the attached diagram.

Official details: Please refer to the link – https://www.fortiguard.com/psirt/FG-IR-21-131

About IOCTL handlers (Buffer Copy without Checking Size of Input (Classic Buffer Overflow)) – 7th Dec 2021

Preface: If the argument is an integer, just use it directly. If it is a pointer, you need to check that it is a valid user address:
int access_ok(int type, const void *addr, unsigned long size);

Background: IOCTL stands for Input and Output Control and is used to talk to device drivers. IOCTL is a system call, where a system call is the programmatic way in which a computer program in user space requests a service from the kernel space of the operating system.

According to an Oracle Solaris 11 Information Library article on so-called Well Known ioctl Interfaces: many ioctl(9E) operations are common to a class of device drivers. For example, most disk drivers implement many of the dkio(7I) family of ioctls. Many of these interfaces copy data structures into or out of the kernel, and some of these data structures have changed size in the LP64 data model.

Perhaps the vulnerability this time is not related to Oracle 11, since Oracle 11 is outdated and end-of-life.

Vulnerability details: SentinelLabs has discovered a number of high-severity flaws in driver software affecting numerous cloud services. These vulnerabilities originated from a library developed and provided by Eltima, which is in use by several cloud providers, and they affect multiple products. The attacker targets the code that deals with a user buffer of type METHOD_NEITHER (Type3InputBuffer); if the IOCTL handler does not validate it, this triggers the vulnerability in IOCTL handler 0x22001B. If you are interested, please refer to the link – https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/
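With METHOD_NEITHER the driver receives a raw user pointer and a caller-supplied length, so both the address range (the access_ok() step from the preface) and the length against the kernel buffer must be validated before any copy. The model below is added here as a demonstration of that pattern and is not Eltima's driver code: the user arena, the frame with its canary, the error codes and both handlers are constructed for the demo. The unchecked handler copies whatever length the request claims; the canary after the kernel buffer shows whether the copy ran past it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 64
#define CANARY    0xDEADBEEFCAFEF00DULL
#define E_FAULT   14      /* bad user address  (constructed error code) */
#define E_INVAL   22      /* bad length        (constructed error code) */

/* Toy kernel stack frame: the fixed copy buffer followed by a canary. */
struct frame {
    unsigned char kbuf[KBUF_SIZE];
    uint64_t      canary;
};

static unsigned char user_arena[4096];     /* stands in for user memory   */
static unsigned char kernel_only[256];     /* an address user code may not pass */

/* Analogue of access_ok(): [addr, addr+len) must lie inside user memory. */
static bool user_access_ok(const void *addr, size_t len)
{
    uintptr_t a  = (uintptr_t)addr;
    uintptr_t lo = (uintptr_t)user_arena, hi = lo + sizeof user_arena;
    return a >= lo && a <= hi && len <= hi - a;
}

/* VULNERABLE: trusts the caller-supplied length.  The copy is clamped to the
 * frame so the demo stays in defined behaviour; a real driver would overwrite
 * whatever follows the buffer. */
static int ioctl_unchecked(struct frame *f, const void *ubuf, size_t ulen)
{
    size_t n = ulen < sizeof *f ? ulen : sizeof *f;
    memcpy((unsigned char *)f, ubuf, n);   /* kbuf sits at offset 0 of the frame */
    return 0;
}

/* HARDENED: validate the address range, then the length, before copying. */
static int ioctl_checked(struct frame *f, const void *ubuf, size_t ulen)
{
    if (!user_access_ok(ubuf, ulen))
        return -E_FAULT;
    if (ulen > sizeof f->kbuf)
        return -E_INVAL;
    memcpy(f->kbuf, ubuf, ulen);
    return 0;
}

/* Dispatch one constructed request of `ulen` bytes.  `bad_pointer` makes the
 * request point at kernel memory instead of the user arena. */
static int run(bool checked, size_t ulen, bool bad_pointer, bool *canary_ok)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    memset(user_arena, 'A', sizeof user_arena);          /* constructed input */
    const void *ubuf = bad_pointer ? (const void *)kernel_only
                                   : (const void *)user_arena;
    int rc = checked ? ioctl_checked(&f, ubuf, ulen)
                     : ioctl_unchecked(&f, ubuf, ulen);
    *canary_ok = (f.canary == CANARY);
    return rc;
}

int scenario_rc(bool checked, size_t ulen, bool bad_pointer)
{
    bool ok;
    return run(checked, ulen, bad_pointer, &ok);
}

bool scenario_canary_ok(bool checked, size_t ulen, bool bad_pointer)
{
    bool ok;
    (void)run(checked, ulen, bad_pointer, &ok);
    return ok;
}

int main(void)
{
    printf("unchecked,  32 bytes : canary %s\n", scenario_canary_ok(false, 32, false) ? "intact" : "SMASHED");
    printf("unchecked, 100 bytes : canary %s\n", scenario_canary_ok(false, 100, false) ? "intact" : "SMASHED");
    printf("checked,   100 bytes : rc %d\n", scenario_rc(true, 100, false));
    printf("checked,  kernel ptr : rc %d\n", scenario_rc(true, 16, true));
    return 0;
}
```

The order of the two checks matters as well: the address range is validated first so that a length check never reads from a pointer the caller should not have been able to supply.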

Certain versions of WebHMI from Distributed Data Systems have vulnerabilities. The manufacturer recommends upgrading to version 4.1. (6th Dec 2021)

Preface: CISA Releases Security Advisory on WebHMI Vulnerabilities – https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03

Background: The company Distributed Data Systems LLC is well-known in Ukraine and abroad for products with WebHMI and 7bit brands for remote monitoring and control of industrial equipment in Industry 4.0 format.

Remark: 7Bit ModBus Proxy is a caching gateway from ModBus TCP protocol to Modbus RTU.

SCADA is a powerful control system that is designed to collect, analyze, and visualize data from industrial equipment. Web-based HMIs allow users to monitor and control devices and processes at a distance. WebHMI is a SCADA-system with built-in web server that allows you to monitor and control any automation system on the local network and via the Internet from your computer and mobile devices.

Vulnerability details: WebHMI itself has two different vulnerabilities: Authentication Bypass by Primary Weakness and Unrestricted Upload of File with Dangerous Type.

CVE-2021-43931 The authentication algorithm of the WebHMI portal is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

CVE-2021-43936 The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product’s environment or lead to arbitrary code execution.

The following information is our speculation on the cause of the vulnerabilities.

CVE-2021-43931 – Insufficient Session Expiration is a security flaw that lets an application permit an attacker to reuse old session credentials or session IDs, thus exposing an application to attacks that steal or reuse users’ session identifiers.
CVE-2021-43936 – Sneaking in a malicious script is easier than using compiled malware. Once these scripts make their way to the target host, they are executed in a safe location where they cannot be flagged, such as the /tmp folder. Generally, these scripts do not carry out anything malicious on their own, although they do connect to the command-and-control (C&C) server to download malware.

CVE-2021-38575 – NetworkPkg/IScsiDxe has remotely exploitable buffer overflows. For a bug discovered half a year ago, a CVE number was assigned this month. (1-12-2021)

Preface: If a network interface controller is intended to be used as a boot device for a UEFI operating system or UEFI applications, then a UEFI Driver must be implemented that produces Network Interface Identifier Protocol and UNDI, the Simple Network Protocol, or the Managed Network Protocol.

Background: Tianocore EDK II is the UEFI reference implementation by Intel. EDK is the abbreviation for EFI Development Kit and is developed by the TianoCore community.

UEFI stands for Unified Extensible Firmware Interface. It does the same job as a BIOS, but with differences. It stores all data about initialization and startup. UEFI supports drive sizes up to 9 zettabytes, whereas BIOS only supports 2.2 terabytes. UEFI provides faster boot times.

UEFI also includes TCP (the latest version of UEFI, IIRC, supports booting via HTTP, similar to iPXE).

Disadvantages of UEFI?

  • 64-bit is necessary.
  • Virus and Trojan threat due to network support, since UEFI doesn’t have anti-virus software.

Vulnerability details: Certain versions of EDK II from TianoCore contain a vulnerability (NetworkPkg/IScsiDxe has remotely exploitable buffer overflows). The root cause is a potential integer overflow in IScsiBinToHex().

Reason: EFI_BUFFER_TOO_SMALL – the binary buffer is too small to hold the converted data.
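A binary-to-hex routine needs 2 characters per input byte plus a "0x" prefix and a terminator, and the danger is in computing that requirement: with fixed-width arithmetic BinLength * 2 + 3 can wrap, so an oversized input passes the "is the output buffer big enough" test and the copy overruns. The example below is added here to show the check done safely; the status enum, bin_to_hex() and the two *_check_accepts() helpers are constructed for the illustration and are not the EDK II source, and the 4-byte sample is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    B2H_SUCCESS = 0,
    B2H_INVALID_PARAMETER,
    B2H_BUFFER_TOO_SMALL      /* *hex_len is set to the size actually needed */
} b2h_status;

#define B2H_OVERHEAD 3        /* "0x" prefix + terminating NUL */

/* The unsafe size test with 32-bit arithmetic: bin_len * 2 can wrap, so a
 * huge input looks as if it fits in a tiny buffer. */
bool naive_check_accepts(uint32_t bin_len, uint32_t hex_len)
{
    uint32_t required = bin_len * 2u + B2H_OVERHEAD;   /* may wrap around */
    return hex_len >= required;
}

/* The safe size test: rule out the wrap before doing the arithmetic. */
bool safe_check_accepts(size_t bin_len, size_t hex_len)
{
    if (bin_len > (SIZE_MAX - B2H_OVERHEAD) / 2)
        return false;                 /* 2*bin_len + 3 cannot be represented */
    return hex_len >= bin_len * 2 + B2H_OVERHEAD;
}

/* Convert `bin` to an uppercase "0x..." string.  On B2H_BUFFER_TOO_SMALL the
 * required size is returned through *hex_len and nothing is written. */
b2h_status bin_to_hex(const uint8_t *bin, size_t bin_len, char *hex, size_t *hex_len)
{
    static const char digits[] = "0123456789ABCDEF";

    if (bin == NULL || hex_len == NULL)
        return B2H_INVALID_PARAMETER;
    if (bin_len > (SIZE_MAX - B2H_OVERHEAD) / 2)
        return B2H_BUFFER_TOO_SMALL;  /* no buffer could ever hold this */

    size_t required = bin_len * 2 + B2H_OVERHEAD;
    if (hex == NULL || *hex_len < required) {
        *hex_len = required;          /* tell the caller what it needs */
        return B2H_BUFFER_TOO_SMALL;
    }

    hex[0] = '0';
    hex[1] = 'x';
    for (size_t i = 0; i < bin_len; i++) {
        hex[2 + 2 * i] = digits[bin[i] >> 4];
        hex[3 + 2 * i] = digits[bin[i] & 0x0F];
    }
    hex[required - 1] = '\0';
    *hex_len = required;
    return B2H_SUCCESS;
}

/* Demo helpers on a constructed 4-byte sample. */
static const uint8_t sample[] = { 0xDE, 0xAD, 0xBE, 0xEF };

const char *demo_hex(void)
{
    static char out[16];
    size_t len = sizeof out;
    return bin_to_hex(sample, sizeof sample, out, &len) == B2H_SUCCESS ? out : NULL;
}

/* Status for the sample when the caller claims a buffer of `hex_len` bytes
 * (hex_len must be <= 64; the backing buffer is fixed at 64). */
b2h_status demo_status_for_buffer(size_t hex_len)
{
    char out[64];
    size_t len = hex_len;
    return bin_to_hex(sample, sizeof sample, out, &len);
}

int main(void)
{
    printf("%s\n", demo_hex());
    printf("naive check, bin_len=0x80000000, hex_len=16: %s\n",
           naive_check_accepts(0x80000000u, 16) ? "ACCEPTS (wrapped)" : "rejects");
    printf("safe  check, bin_len=0x80000000, hex_len=16: %s\n",
           safe_check_accepts(0x80000000u, 16) ? "accepts" : "rejects");
    return 0;
}
```

The two helper checks isolate the bug class: naive_check_accepts() is wrong for any bin_len at or above 0x80000000 because the product wraps to a small number, while safe_check_accepts() refuses before multiplying whenever the product could not fit.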

Official details: Please refer to the link – https://bugzilla.tianocore.org/show_bug.cgi?id=3356

CVE-2021-41256 – The Android version of the Nextcloud News app has security issues (30-11-2021)

Preface: Nextcloud is a suite of client-server software for creating and using file hosting services. It is enterprise-ready with comprehensive support options. Being free and open-source software, anyone is allowed to install and operate it on their own private server devices.

Background: The Nextcloud News Reader app makes it possible to synchronize feeds between Android and the Nextcloud News app. In order to use this app, you will need to have a Nextcloud instance running with the News app installed.

About Nextcloud 17: the main novelty of this version of Nextcloud is the addition of the eye-catching “remote wipe” feature. This allows users to delete files on mobile devices, and the administrator can delete data from all devices of a given user.

Unlike the Google Drive, Dropbox, Yandex.Disk and box.net services, the ownCloud and Nextcloud projects give users complete control over their data: the information is not tied to an external closed cloud storage system; instead, the user controls the device.

Vulnerability details: How do you switch from the original MainActivity to the ResultActivity we just generated? The answer is to use an Intent.

In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android.

Remedy: Users should upgrade to version 0.9.9.63 or higher as soon as possible.

Observation: In Android, there are many specific security related issues that pertain only to certain technologies such as Activities or SQLite. If a developer does not have enough knowledge about each of the different security issues regarding each technology when designing and coding, then unexpected vulnerabilities may arise.

Repair details: please refer to the link https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85