Category Archives: Potential Risk of CVE

CyberArk – CVE-2021-31798 (Quick and dirty way to understand the details) – 1st Sep, 2021

Preface: CyberArk provides a perfect authentication solution for enterprises. Because of their solutions, traditional authentication methods have evolved. However, there is no absolute anti-hacking solution in the world. The following explanation lets you quickly understand this vulnerability. Even if this is not the proper way to present it, you will find out what they are doing.

Background: The CyberArk Vault uses a Shared Secret in order for the Server to identify a person. This Shared Secret can be a password or a combination of a password and another type of authentication. The Vault can enforce a password policy to avoid usage of passwords that can be easily guessed.

Vulnerability details: A vulnerability was found in CyberArk Credential Provider up to 12.0. The attack has to be carried out locally.
Under certain conditions, the effective key space used to encrypt the cache is significantly reduced: the key used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, so under those conditions a local malicious user can obtain the plaintext of cache files.

Remediation: Upgrading to version 12.1 eliminates this vulnerability.

Reference: The advisory is shared at korelogic.com – https://korelogic.com/Resources/Advisories/KL-001-2021-010.txt

Do you think CVE-2020-20486 (IEC104 v1.0) will impact your services? (31st Aug 2021)

Preface: IEC 60870-5-104 protocol (aka IEC 104) is a part of IEC Telecontrol Equipment and Systems Standard IEC 60870-5 that provides a communication profile for sending basic telecontrol messages between two systems in electrical engineering and power system automation.

Background: IEC 104 enables communication between a control station and a substation via a standard TCP/IP network. The communication is based on the client-server model. The IEC104 protocol package was tested in 2015 and is compatible with platforms including stm32 (Arm® Cortex®-M processor) and Linux. In addition, iec104.c is a key component of the IEC104 protocol package.

Vulnerability details: IEC104 v1.0 contains a stack-buffer overflow in the parameter Iec10x_Sta_Addr. This vulnerability has been known as CVE-2020-18730 since 13th Aug, 2020; however, it was only published by NIST on August 23, 2021. The technical article states that a segmentation violation in the Iec104_Deal_I function of IEC104 v1.0 allows attackers to cause a denial of service (DoS). Experts located the vulnerable code starting from line 1175 of the iec104[.]c file.

CVE-2020-18730 details can be found on this link – https://nvd.nist.gov/vuln/detail/CVE-2020-18730

Mitigation: Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.
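The compiler-level mitigations above catch the overflow after the fact; the root cause is a write into a fixed-size buffer that is never checked against the length of the frame. The following is an added example written for this post, not code from the IEC104 project: a bounds-checked parser for an IEC 60870-5-104 APDU (start byte 0x68, a length byte, four control bytes, then the ASDU whose two-byte common address is the station address). It refuses any frame whose declared length, ASDU header or object count does not fit the bytes actually received, which is exactly the check whose absence turns a malformed frame into a stack overflow. The sample frames are constructed.

```python
"""Bounds-checked parser for IEC 60870-5-104 APDUs (constructed example)."""

APCI_START = 0x68
APCI_CTRL_LEN = 4      # four control-field bytes follow the length byte
MAX_APDU_LEN = 253     # the length byte covers control field + ASDU, max 253
ASDU_HEADER_LEN = 6    # type id, VSQ, 2-byte cause of transmission, 2-byte common address
IOA_LEN = 3            # information object address is 3 bytes in IEC 104


class FrameError(ValueError):
    """Raised instead of reading or writing past the frame buffer."""


def parse_apdu(frame: bytes) -> dict:
    """Parse one APDU, validating every length before any field is indexed."""
    if len(frame) < 2 + APCI_CTRL_LEN:
        raise FrameError("frame shorter than the minimal 6-byte APCI")
    if frame[0] != APCI_START:
        raise FrameError(f"bad start byte 0x{frame[0]:02x}")
    apdu_len = frame[1]
    if apdu_len < APCI_CTRL_LEN or apdu_len > MAX_APDU_LEN:
        raise FrameError(f"declared APDU length {apdu_len} out of range")
    if len(frame) != 2 + apdu_len:
        raise FrameError("declared length does not match the bytes received")

    ctrl = frame[2:6]
    if ctrl[0] & 0x01 == 0:          # bit 0 clear: I-format (carries an ASDU)
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:     # bits 1..0 == 01: S-format (supervisory)
        fmt = "S"
    else:                            # bits 1..0 == 11: U-format (unnumbered)
        fmt = "U"
    out = {"format": fmt, "apdu_len": apdu_len}
    if fmt != "I":
        return out

    asdu = frame[6:]
    if len(asdu) < ASDU_HEADER_LEN:
        raise FrameError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    sequence = bool(vsq & 0x80)       # SQ bit: objects share one IOA
    n_objects = vsq & 0x7F
    common_addr = asdu[4] | (asdu[5] << 8)   # station address, exactly 2 bytes
    body = asdu[ASDU_HEADER_LEN:]
    # Every object carries at least a 3-byte IOA (only the first one does when SQ=1).
    # Reject object counts the remaining payload cannot possibly hold.
    min_body = IOA_LEN * (min(n_objects, 1) if sequence else n_objects)
    if len(body) < min_body:
        raise FrameError("object count does not fit the remaining payload")
    out.update(type_id=type_id, sequence=sequence, n_objects=n_objects,
               cause=asdu[2] & 0x3F, originator=asdu[3],
               common_address=common_addr, payload=body)
    return out


def is_rejected(frame: bytes) -> bool:
    """True when the parser refuses the frame rather than reading past it."""
    try:
        parse_apdu(frame)
    except FrameError:
        return True
    return False


# Constructed sample frames.
SAMPLE_INTERROGATION = bytes.fromhex("680e00000000" "640106000100" "00000014")  # C_IC_NA_1 to station 1
SAMPLE_STARTDT = bytes.fromhex("680407000000")                                  # U-format STARTDT act
SAMPLE_OVERSIZED = bytes.fromhex("68ff00000000")                                # length byte says 255
SAMPLE_BAD_COUNT = bytes.fromhex("680d00000000" "647f06000100" "000000")         # claims 127 objects

if __name__ == "__main__":
    print(parse_apdu(SAMPLE_INTERROGATION))
    print(parse_apdu(SAMPLE_STARTDT))
    for f in (SAMPLE_OVERSIZED, SAMPLE_BAD_COUNT, SAMPLE_INTERROGATION[:-1]):
        print(f.hex(), "rejected" if is_rejected(f) else "accepted")
```

The three FrameError branches are the point: the declared length is compared against both the protocol maximum and the buffer actually received before any field is read, and the object count in the VSQ byte is compared against the remaining payload. In C, each of those is a place where an unchecked memcpy or indexed store would run off the end of a stack buffer.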

Not a critical flaw, but it is commonly found in web UI applications – VMware vRealize Log Insight (CVE-2021-22021) – 24-8-2021

Preface: Log event collection without data normalization is hard to manage, and it will drive you crazy. If you do not have log event aggregation and correlation functions, your IT life will not be easy.

Background: vRealize Log Insight delivers indexing and machine learning based Intelligent Grouping, to enable searching, for faster troubleshooting across physical, virtual and cloud environments.

Security requirements recommended by the vendor in the user guide (Log-insight-getting-start-guide):
To ensure that your virtual environment is protected from external attacks, you must observe certain rules.
– Always install vRealize Log Insight in a trusted network.
– Always save vRealize Log Insight support bundles in a secure location.

Vulnerability details: VMware vRealize Log Insight contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. An attacker with user privileges may be able to inject a malicious payload via the Log Insight UI which would be executed when the victim accesses the shared dashboard link.

Reference: Input validation is the first step of checking the type and content of data supplied by a user or application. Improper input validation is a major factor in many web security vulnerabilities, including cross-site scripting (XSS) and SQL injection.
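To make the input validation point concrete, here is an added example written for this post, not code from vRealize Log Insight: a structured field such as a dashboard name is validated against an allowlist on the way in, and everything user-supplied is HTML-escaped on the way out. The vulnerable rendering function is shown beside the hardened ones. The allowlist, the markup and the sample payload are all constructed for the example.

```python
import html
import re

# Allowlist for a structured field such as a dashboard name. The character set
# and the 64-character limit are constructed for this example; they are not
# Log Insight's own rules.
DASHBOARD_NAME_RE = re.compile(r"[A-Za-z0-9 _().-]{1,64}")


def validate_dashboard_name(name: str) -> bool:
    """Input validation: accept only names made entirely of allowlisted characters."""
    return DASHBOARD_NAME_RE.fullmatch(name) is not None


def render_title_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored name is concatenated straight into markup,
    so any markup inside it runs in the browser of whoever opens the shared link."""
    return f'<h1 class="dashboard-title">{name}</h1>'


def render_title_safe(name: str) -> str:
    """Hardened pattern: validate on the way in, escape on the way out."""
    if not validate_dashboard_name(name):
        raise ValueError("dashboard name contains characters outside the allowlist")
    return f'<h1 class="dashboard-title">{html.escape(name, quote=True)}</h1>'


def render_description_safe(text: str) -> str:
    """Free text cannot be allowlisted as tightly, so output encoding for the
    HTML element-body context is what prevents injection here."""
    return f'<p class="dashboard-desc">{html.escape(text, quote=True)}</p>'


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"          # constructed test string
    print("unsafe :", render_title_unsafe(payload))
    print("valid? :", validate_dashboard_name(payload))
    print("escaped:", render_description_safe(payload))
    print("normal :", render_title_safe("Ops (prod)"))
```

Validation and encoding are not alternatives: the allowlist stops bad data from being stored and shared, while the escaping is what keeps a field that legitimately contains `<` or `"` (a free-text description, for example) from being interpreted as markup in the page that displays it.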

Remediation: Official announcement by vendor – https://www.vmware.com/security/advisories/VMSA-2021-0019.html

Another flaw prompted an urgent U.S. government warning and guidance (Azure Cosmos DB) – 29th Aug 2021

Preface: Data scientists are big data wranglers, gathering and analyzing large sets of structured and unstructured data. Jupyter Notebooks allow data scientists to create and share their documents, from code to full-blown reports, helping them streamline their work.

Background: Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and Azure Cosmos DB accounts, making them easy for data scientists to use. The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Uses include data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more.

Speculation related to this matter: A trojan malware campaign found in November last year (2020) was targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information, as well as to create a persistent backdoor onto compromised systems.

Vulnerability details: A misconfiguration vulnerability in Microsoft’s Azure Cosmos DB may have exposed customer data. In the first step, the attacker gains access to the client’s Cosmos DB primary key, for example by exploiting the vulnerability in the Jupyter Notebook (virtual machine) to obtain the key.

Ref: Primary keys are long-lived and allow full READ/WRITE/DELETE access to customer data.

Workaround: Navigate to your Azure Cosmos DB account on the Azure portal and regenerate the secondary key. Please refer to the following URL for details – https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys

CISA announcement – https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/microsoft-azure-cosmos-db-guidance

VMware security update (25th Aug 2021)

Preface: VMware released a security update on August 24, 2021 to address vulnerabilities in multiple products. The risk level of these vulnerabilities ranges from 4.4 to 8.6 (CVSSv3), so it attracted my interest in reading it.

Background: The vRealize Operations Manager API Programming Guide provides information about the vRealize Operations Manager REST APIs, including how to use the REST API resources, authenticate, and construct REST API calls.

Our focus this time is CVE-2021-22025. The flaw allows an unauthenticated malicious actor with network access to the vRealize Operations Manager API to abuse it; the risk rating is a CVSSv3 base score of 8.6. Furthermore, the advisory mentions that a successful attack can add new nodes to an existing vROps cluster. In my view, it all depends on the type of token captured by the attacker. If it belongs to a privileged user, the access permission is high.

Remark: vROps_token is the token that you obtained from the response in “Acquire an Authentication Token”.

Meanwhile, the VMware programming guide already provides the following function.
A token has an expiry time; this is not set by default, but you can do the following: you can invalidate the token before its expiration date and time by sending a POST request to the logout endpoint. For details, please refer to the attached diagram.

Vulnerability summary:

Broken access control vulnerability in vRealize Operations Manager API (CVE-2021-22025) – CVSSv3 base score of 8.6.

Arbitrary log-file read vulnerability in vRealize Operations Manager API (CVE-2021-22024) – CVSSv3 base score of 7.5.

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-22026, CVE-2021-22027) – CVSSv3 base score of 7.5.

Insecure direct object reference vulnerability in vRealize Operations Manager API (CVE-2021-22023) – CVSSv3 base score of 6.6.

Arbitrary file read vulnerability in vRealize Operations Manager API (CVE-2021-22022) – CVSSv3 base score of 4.4.

Official announcement (Remediation) – https://www.vmware.com/security/advisories/VMSA-2021-0018.html

If you are an Istio (open source platform) user, please stay alert! 24-9-2021

Preface: Today developers are using Docker to build modules called microservices, which decentralize packages and divide tasks into separate, stand-alone apps that collaborate with each other.

Background: A sidecar proxy is an application design pattern that abstracts certain features, such as inter-service communication, monitoring and security, away from the main architecture to ease the tracking and maintenance of the application as a whole. Furthermore, the sidecar proxy for each application holds all the non-business logic, so it lets developers focus on the application or service itself without worrying about security, monitoring, etc. Istio has two components: the data plane and the control plane. The data plane is the communication between services. The control plane takes your desired configuration and its view of the services, and dynamically programs the proxy servers, updating them as the rules or the environment change.

Vulnerability details:

CVE-2021-39156: Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies.

Remedy: Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8.

CVE-2021-39155: Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed.

Remedy: Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8.
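Both CVEs above share one root cause: the authorization policy compared the raw request values while the router compared normalized ones, so a request could be routed to a protected path or host that the policy never matched. The following is an added example written for this post, not Istio or Envoy code: a small deny-policy evaluator with a `hardened` switch. With `hardened=False` it compares the raw Host header and raw path (the pre-fix behaviour described in the two CVEs); with `hardened=True` it strips the `#fragment`, normalizes the path and folds the host to lower case before matching, which is the class of fix the patched releases apply. The hostname and paths in the policy are constructed.

```python
import posixpath

# Constructed deny policy in the spirit of an Istio AuthorizationPolicy: block
# the admin area of one virtual host. Hostname and paths are made up for this
# example and are not taken from the Istio advisory.
DENY_RULES = [
    {"host": "api.example.com", "paths": ["/admin", "/admin/*"]},
]


def path_matches(rule_path: str, path: str) -> bool:
    """Istio-style path rule: a trailing '*' means prefix match, otherwise exact."""
    if rule_path.endswith("*"):
        return path.startswith(rule_path[:-1])
    return path == rule_path


def rules_deny(host: str, path: str) -> bool:
    """True if any deny rule matches the (already canonicalized or raw) values."""
    return any(
        rule["host"] == host and any(path_matches(p, path) for p in rule["paths"])
        for rule in DENY_RULES
    )


def canonical_host(host_header: str) -> str:
    """Host names are case-insensitive (RFC 3986 section 3.2.2): fold case and
    drop any :port so the policy sees the same host the router does."""
    return host_header.split(":", 1)[0].lower()


def canonical_path(raw_path: str) -> str:
    """Drop the '#fragment' (the upstream never sees it) and resolve '.', '..'
    and repeated slashes so the policy sees the same path the application does."""
    path = raw_path.split("#", 1)[0]
    return posixpath.normpath(path) if path else "/"


def authorize(host_header: str, raw_path: str, hardened: bool = True) -> str:
    """Return 'DENY' or 'ALLOW' for one request.

    hardened=False reproduces the pre-fix behaviour: the policy engine compares
    the raw Host header and raw path while the router still normalizes them.
    """
    if hardened:
        host, path = canonical_host(host_header), canonical_path(raw_path)
    else:
        host, path = host_header, raw_path
    return "DENY" if rules_deny(host, path) else "ALLOW"


if __name__ == "__main__":
    samples = [
        ("api.example.com", "/admin"),
        ("api.example.com", "/admin#section"),      # CVE-2021-39156 pattern
        ("API.EXAMPLE.COM", "/admin/users"),        # CVE-2021-39155 pattern
        ("api.example.com", "/admin/../admin/x"),   # path normalization
        ("api.example.com", "/public"),
    ]
    for host, path in samples:
        print(f"{host:18} {path:22} naive={authorize(host, path, False):5} "
              f"hardened={authorize(host, path)}")
```

The general rule this illustrates goes beyond the two CVEs: any value an authorization decision is based on must be canonicalized by the same logic the routing layer uses, otherwise the two layers disagree and the policy is evaluated on a request that is never the one served.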

Do you know the design weaknesses of Eclipse Cyclone DDS? 23-08-2021

Preface: DDS is used in the following industries.

– DDS is used to share flight data within and across air traffic control centers.
– DDS is used in smart factories to provide horizontal and vertical data integration across the traditional SCADA layers.
– DDS is used to control the 100,000 mirrors that make up the ELT’s optics.

Technical background: DDS applications cooperate by autonomously and asynchronously reading and writing data on a Data Space that provides spatial and temporal decoupling. Eclipse Cyclone DDS is an implementation of the OMG Data Distribution Service (DDS) specification. Eclipse Cyclone DDS offers unique data-sharing capabilities compared to the already existing Eclipse solutions (i.e. for messaging). You can use the code from repositories to experiment, test, build, create patches, issue pull requests, etc.

Example: cyclonedds-python – Project repository hosted on GitHub.

https://github.com/eclipse-cyclonedds/cyclonedds-python

Vulnerability details:

CVE-2020-18735 – A heap buffer overflow in [/]src[/]dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/501

CVE-2020-18734 – A stack buffer overflow in [/]ddsi[/]q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/476

CISA Cyber Security Alert – About the May 2021 MS patch (21st Aug, 2021)

Preface: With Exchange Server vNext, Microsoft is phasing out the on-premises delivery model, making Exchange Server 2019 the last on-premises product version.

Point of view: Perhaps quite a lot of people will be surprised by this notification, since more and more organizations have migrated their mail servers to Office 365, and the patch issued in May 2021 has already been applied. But patch management in small to medium firms is not easy to manage. It is quite common that a single IT support person supports everything. It is unbelievable, but it is factual. You can see a lot of large mailboxes not being managed. Furthermore, patches may not be applied immediately; firms wait for their scheduled time window to do the patch management. As a result, an attacker may land on their email server before they patch. Apart from the lack of a SIEM facility, relying on a single firewall alone makes it hard to defend against an attack on such a vulnerability. Or you may ask whether the local OS antivirus can do the detection. The answer is that if the antivirus product does not include a content security filtering function, the attack may have a chance to evade it. I believe that CISA will see the details on their malware sinkhole infrastructure, and this is the objective of this alert.

Ref: Apart from the design weakness (the vulnerability itself), the modern architecture is virtual machine infrastructure. It is not rare for the Exchange server front-end and back-end to be located in the same hardware box, because we are living in a virtual machine world. So if such a vulnerability occurs in an on-premises infrastructure, the risk increases rapidly.

Vulnerability details: Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities:
CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. Details can be found at the following link (CISA official announcement) – https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell

There’s no best of both worlds – CVE-2021-25218: a too-strict assertion check in BIND 9.16.19 and 9.17.16 triggers a denial of service. (19th Aug, 2021)

Preface: BIND is the most popular Domain Name System (DNS) server in use today. It was developed in the 1980s at the University of California, Berkeley and is currently in version 9.

Technical Background: For IPv4 packets, Path MTU Discovery works by setting the Don’t Fragment (DF) flag bit in the IP headers of outgoing packets. Some operating systems allow packets received via other protocols to affect PMTUD values for DNS over UDP.

Set the “Don’t fragment” flag in the IP header:
It is often useful to avoid fragmentation, since apart from the CPU cost of fragmentation and reassembly, it may affect throughput (if lost fragments need retransmission). For this reason, it is often desirable to know the maximum transmission unit, and Path MTU Discovery is used to find this size by simply setting the DF bit.

Vulnerability details: An attacker may abuse the Path MTU Discovery (PMTUD) protocol to trick BIND into exceeding the interface MTU. Response Rate Limiting (RRL) is not enabled by default for user-defined views nor for the built-in one, but it is enabled by default for the default built-in CHAOS class view, which BIND uses to provide various information. From a technical point of view, the CH class is misused by BIND!

For details of the vulnerability, please refer to the link – https://kb.isc.org/v1/docs/h

As an end user, are you concerned about the CVE-2021-28372 vulnerability? 17th Aug 2021

Preface: The Kalay platform contains a major vulnerability that will allow hackers to remotely access IoT devices.

Background: Kalay Platform 2.0
This newly developed decentralized structure simplifies the role of the primary server to work as an intermediary transmitter, which reduces the chances of a server being compromised or data being intercepted. Kalay 2.0 is designed with a two-factor UID and end-to-end encryption to support multi-factor authentication and dynamic key-pairing; the new solution ensures protection for the end-user’s data and transmission.

The vulnerability is triggered in the following situations:

  • Device firmware that does not use AuthKey when IOTC is connected.
  • Firmware that uses the AVAPI module but does not enable the DTLS mechanism.
  • Firmware that uses the RDT module or P2PTunnel.

Basically, when the vendor conducted its own security review in 2018, the vulnerability was discovered and patched; that is, SDK version 3.1.10 released at that time already contains the fix.

However, the security consulting company “FireEye” discovered that some network surveillance cameras have security vulnerabilities, and these devices are still using an old version of the TUTK SDK before 3.1.4. Therefore, the CVE-2021-32934 vulnerability was announced.

Vulnerability details:

CISA encourages users and administrators to review the ICS Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01

FireEye Mandiant blog: https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html