Category Archives: Potential Risk of CVE

U.S. Homeland Security Alert (CVE-2021-40444) – 7th Sep, 2021

Preface: A Windows RCE vulnerability has been used against Office users, and Microsoft has urgently published mitigation instructions.

Background: The MS web browser COM control adds browsing, document viewing and downloading capabilities to your applications. Parsing and rendering of HTML documents in the WebBrowser control is handled by the MSHTML component, which is an Active Document Dynamic HTML (DHTML) object model that hosts ActiveX controls and scripting languages.

Unicode is a standard encoding system used to represent characters from almost all languages. Every Unicode character is encoded as a unique integer code point between 0 and 0x10FFFF.

Vulnerability details: Looking back, a Microsoft expert found a vulnerability in 2002 in which an attacker crafted a web page that specified embedded ActiveX controls in a way that caused two Unicode strings to be concatenated.
As time goes by, another critical flaw with a similar shape has appeared in 2021. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document, said Microsoft. For mitigation and solutions, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

Fortinet’s CVE makes you wonder: how many unknown vulnerabilities remain undiscovered in the REST API framework? (CVE-2021-2400 – 6th Sep 2021)

Preface: The dashboard is a popular design concept in the digital world. As the cloud and the Internet of Things force the network to evolve, even operational work and network security can be managed in the same dashboard.

Background: Permission checks will typically use the authentication information in the request.user and request.auth properties to determine if the incoming request should be permitted.

One of the possibilities: if a firewall administrator enables read-write JSON API access on FortiManager, the following situation may arise.
A slightly less strict style of permission would be to allow full access to authenticated users, but only read-only access to unauthenticated users. This corresponds to the IsAuthenticatedOrReadOnly class in REST framework.

Vulnerability details: An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL.

Vendor announcement – https://www.fortiguard.com/psirt/FG-IR-20-061

CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass (2nd Sep, 2021)

Preface: Big data analysis helps us understand data by discovering trends and patterns. Machine learning can accelerate this process with the help of decision-making algorithms: it can classify incoming data, recognize patterns, and transform the data to drive technology development. It is also a route to developing artificial intelligence.

Background: What is Apache Zeppelin used for?

Apache Zeppelin is a new and upcoming web-based notebook which brings data exploration, visualization, sharing and collaboration features to Spark. It supports Python, but also a growing list of other languages such as Scala, Hive, SparkSQL, shell and markdown.

Web-based notebooks are files that contain the input code and the output, such as results and graphs, from an interactive session. They also contain additional information, such as documentation, mathematical expressions, and media related to that session. They are therefore a key element of big data analytics.

Vulnerability details: An authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin’s authentication mechanism and act as another user. This issue affects Apache Zeppelin version 0.9.0 and prior versions. The attack can only be initiated within the local network. No form of authentication is needed for successful exploitation. Please refer to the link for details – https://seclists.org/oss-sec/2021/q3/150

CyberArk – CVE-2021-31798 (Quick and dirty way to understand the details) – 1st Sep, 2021

Preface: CyberArk provides a complete authentication solution for enterprises, and because of such solutions traditional authentication methods have evolved. However, there is no absolute anti-hacking solution in the world. The following explanation is meant to let you quickly understand this vulnerability. Even if it is not the formal way to describe it, you will see what is going on.

Background: The CyberArk Vault uses a Shared Secret so that the Server can identify a person. This Shared Secret can be a password or a combination of a password and another type of authentication. The Vault can enforce a password policy to prevent the use of passwords that can be easily guessed.

Vulnerability details: A vulnerability was found in CyberArk Credential Provider up to version 12.0. The attack has to be carried out locally.
Under certain conditions, the effective key space used to encrypt the cache is significantly reduced.
In CyberArk Credential Provider prior to 12.1, the effective key space used to encrypt the cache has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files.

Remediation: Upgrading to version 12.1 eliminates this vulnerability.

Reference: The advisory is shared at korelogic.com – https://korelogic.com/Resources/Advisories/KL-001-2021-010.txt

Do you think CVE-2020-20486 (IEC104 v1.0) will impact your services? (31st Aug 2021)

Preface: IEC 60870-5-104 protocol (aka IEC 104) is a part of IEC Telecontrol Equipment and Systems Standard IEC 60870-5 that provides a communication profile for sending basic telecontrol messages between two systems in electrical engineering and power system automation.

Background: IEC 104 enables communication between a control station and a substation over a standard TCP/IP network. The communication is based on the client-server model. The IEC104 protocol package was tested in 2015 and is compatible with the following platforms, including stm32 (Arm® Cortex®-M processor) and Linux platforms. In addition, iec104.c is a key component of the iec104 protocol package.

Vulnerability details: IEC104 v1.0 contains a stack-buffer overflow in the parameter Iec10x_Sta_Addr. This vulnerability has been known as CVE-2020-18730 since 13th Aug, 2020; however, NIST only published it on August 23, 2021. The technical article states that a segmentation violation in the Iec104_Deal_I function of IEC104 v1.0 allows attackers to cause a denial of service (DoS). Experts located the vulnerable code starting at line 1175 of the iec104.c file.

CVE-2020-18730 details can be found on this link – https://nvd.nist.gov/vuln/detail/CVE-2020-18730

Mitigation: Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.

Not a critical flaw, but one commonly found in web UI applications – VMware vRealize Log Insight (CVE-2021-22021) – 24-8-2021

Preface: Log event collection without data normalization is hard to manage, and it will drive you crazy. If you do not have log event aggregation and correlation functions, your IT life will not be easy.

Background: vRealize Log Insight delivers indexing and machine learning based Intelligent Grouping, to enable searching, for faster troubleshooting across physical, virtual and cloud environments.

Security requirements recommended by the vendor in the user guide (Log Insight Getting Started Guide):
To ensure that your virtual environment is protected from external attacks, you must observe certain rules.
– Always install vRealize Log Insight in a trusted network.
– Always save vRealize Log Insight support bundles in a secure location.

Vulnerability details: VMware vRealize Log Insight contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. An attacker with user privileges may be able to inject a malicious payload via the Log Insight UI which would be executed when the victim accesses the shared dashboard link.

Reference: Input validation is the first step of checking the type and content of data supplied by a user or application. Improper input validation is a major factor in many web security vulnerabilities, including cross-site scripting (XSS) and SQL injection.

Remediation: Official announcement by vendor – https://www.vmware.com/security/advisories/VMSA-2021-0019.html

Another flaw prompted an urgent U.S. government warning and guidance (Azure Cosmos DB) – 29th Aug 2021

Preface: Data scientists are big data wranglers, gathering and analyzing large sets of structured and unstructured data. Jupyter Notebooks allow data scientists to create and share their documents, from code to full-blown reports, helping them streamline their work.

Background: Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and Azure Cosmos DB accounts, making them easy for data scientists to use. The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Uses include data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more.

Speculation related to this matter: A trojan malware campaign found November last year (2020) is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information as well as creating a persistent backdoor onto compromised systems.

Vulnerability details: A misconfiguration vulnerability in Microsoft’s Azure Cosmos DB may have exposed customer data. In the first step, the attacker gains access to the customer’s Cosmos DB primary key, for example by exploiting the vulnerability in the Jupyter Notebook (virtual machine) to obtain the key.

Ref: Primary keys are long-lived and allow full READ/WRITE/DELETE access to customer data.

Workaround: Navigate to your Azure Cosmos DB account in the Azure portal and Regenerate Secondary Key. Please refer to this URL for details – https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys

CISA announcement – https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/microsoft-azure-cosmos-db-guidance

VMware security update (25th Aug 2021)

Preface: VMware released a security update on August 24, 2021 to address vulnerabilities in multiple products. The risk level of these vulnerabilities ranges from 4.4 to 8.6 (CVSSv3), so it caught my interest.

Background: The vRealize Operations Manager API Programming Guide provides information about the vRealize Operations Manager REST APIs, including how to use the REST API resources, authenticate, and construct REST API calls.

Our focus this time is CVE-2021-22025. The flaw allows an unauthenticated malicious actor with network access to the vRealize Operations Manager API to add new nodes to an existing vROps cluster if the attack succeeds; its CVSSv3 base score is 8.6. In my view, everything depends on the type of token the attacker captures: if it belongs to a privileged user, the access permission is high.

Remark: vROps_token is the token that you obtained from the response in "Acquire an Authentication Token".

Meanwhile, the VMware programming guide already provides the following function.
A token has an expiry time setting. This is not applied by default, but you can do the following: invalidate the token before its expiration date and time by sending a POST request to the logout endpoint. For details, please refer to the attached diagram.

Vulnerability summary:

Broken access control vulnerability in vRealize Operations Manager API (CVE-2021-22025) – CVSSv3 base score of 8.6.

Arbitrary log-file read vulnerability in vRealize Operations Manager API (CVE-2021-22024) – CVSSv3 base score of 7.5.

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-22026, CVE-2021-22027) – CVSSv3 base score of 7.5.

Insecure direct object reference vulnerability in vRealize Operations Manager API (CVE-2021-22023) – CVSSv3 base score of 6.6.

Arbitrary file read vulnerability in vRealize Operations Manager API (CVE-2021-22022) – CVSSv3 base score of 4.4.

Official announcement (Remediation) – https://www.vmware.com/security/advisories/VMSA-2021-0018.html

If you are an open source platform (Istio) user, please stay alert! 24-9-2021

Preface: Today developers are using Docker to build modules called Microservices, which decentralize packages and divide tasks into separate, stand-alone apps that collaborate with each other.

Background: A sidecar proxy is an application design pattern which abstracts certain features, such as inter-service communications, monitoring and security, away from the main architecture to ease the tracking and maintenance of the application as a whole. Furthermore, the sidecar proxy for each application holds all the non-business logic, so developers can focus on the application/service itself without worrying about security, monitoring and so on. Istio has two components: the data plane and the control plane. The data plane is the communication between services. The control plane takes your desired configuration and its view of the services, and dynamically programs the proxy servers, updating them as the rules or the environment change.

Vulnerability details:

CVE-2021-39156: Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies.

Remedy: Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8.

CVE-2021-39155: Istio authorization policy should compare the hostname in the HTTP Host header in a case-insensitive way, but currently the comparison is case sensitive. The proxy routes the request hostname in a case-insensitive way, which means the authorization policy could be bypassed.

Remedy: Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8.
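The two Istio issues above share one root cause: the policy is evaluated on a different form of the request than the one the proxy routes on. The following is an added example, not Istio's code: a toy DENY matcher with the two weaknesses described, beside a hardened matcher that canonicalizes the host and path first so the policy sees what the upstream will see. The host, path and rule below are constructed.

```python
# Constructed DENY rule (not Istio's real policy syntax): block one exact path on one host.
DENY_RULES = [
    {"host": "api.example.com", "path": "/admin/secret"},
]


def normalize(host: str, raw_path: str) -> tuple:
    """Canonical form the routing layer effectively uses: host names are
    case-insensitive, and a '#fragment' (or '?query') never reaches the upstream."""
    path = raw_path.split("#", 1)[0].split("?", 1)[0]
    return host.lower(), path


def naive_is_denied(host: str, raw_path: str) -> bool:
    """Matcher with the weaknesses of CVE-2021-39156 and CVE-2021-39155:
    the path is compared with the fragment still attached, and the host
    comparison is case-sensitive."""
    return any(host == r["host"] and raw_path == r["path"] for r in DENY_RULES)


def hardened_is_denied(host: str, raw_path: str) -> bool:
    """Same rules, but evaluated on the canonical form of the request."""
    h, p = normalize(host, raw_path)
    return any(h == r["host"].lower() and p == r["path"] for r in DENY_RULES)


def evaluate(matcher, requests) -> list:
    """Return, per (Host header, request-target) pair, whether the DENY rule fires."""
    return [matcher(h, p) for h, p in requests]


# Constructed sample requests: the first must be denied by any matcher; the other
# two are the request shapes the two CVEs describe.
SAMPLE_REQUESTS = [
    ("api.example.com", "/admin/secret"),
    ("api.example.com", "/admin/secret#frag"),
    ("API.Example.COM", "/admin/secret"),
]

if __name__ == "__main__":
    for name, matcher in (("naive", naive_is_denied), ("hardened", hardened_is_denied)):
        print(name, evaluate(matcher, SAMPLE_REQUESTS))
```

The naive matcher only denies the first request, while the hardened matcher denies all three, which is the behaviour the patched Istio releases restore by stripping the fragment and comparing hosts case-insensitively.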

Do you know the design weaknesses of Eclipse Cyclone DDS? 23-08-2021

Preface: DDS is used in the following industries.

DDS is used to share flight data within and across air traffic control centers.
DDS is used in Smart Factories to provide horizontal and vertical data integration across the traditional SCADA layers.
DDS is used to control the 100.000 mirrors that make up the ELT’s optics.

Technical background: DDS applications cooperate by autonomously and asynchronously reading and writing data in a Data Space that provides spatial and temporal decoupling. Eclipse Cyclone DDS is an implementation of the OMG Data Distribution Service (DDS) specification. Eclipse Cyclone DDS offers unique data-sharing capabilities compared to the existing Eclipse solutions (e.g. for messaging). You can use the code from the repositories to experiment, test, build, create patches, issue pull requests, etc.

Example: cyclonedds-python – Project repository hosted on GitHub.

https://github.com/eclipse-cyclonedds/cyclonedds-python

Vulnerability details:

CVE-2020-18735 – A heap buffer overflow in [/]src[/]dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/501

CVE-2020-18734 – A stack buffer overflow in [/]ddsi[/]q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/476