Category Archives: Potential Risk of CVE

Exposes ring 0 code execution in the context of the driver; even defense software can make this mistake (CVE-2021-31728, MalwareFox AntiMalware)

24th May, 2021

Preface: MalwareFox is meant to keep your computer free of malware infection. It can detect and remove malware precisely, and MalwareFox Antimalware is priced low compared to its competitors.

Background: In computing, ioctl is a system call dedicated to device input and output operations. The call takes a request code specific to the device, and what the system call does depends entirely on that request code.

Remark: The ioctl system call first appeared under that name in Version 7 Unix. Microsoft Windows provides a similar function, named “DeviceIoControl”, in its Win32 API.

Vulnerability details: IOCTL 0x80002040 exposes a kernel memory allocation in the NonPagedPool into which a user-mode string is copied. That buffer can be used to hold shellcode by forcing the input data to be larger than 0x1000 bytes; a buffer larger than 0x834 causes a STATUS_ACCESS_VIOLATION. The attacker must trick the IOCTL into failing and forgetting to free the buffer, after which SystemBigPoolInformation can be searched for the newly allocated buffer holding the shellcode.

* When writing to a file, Microsoft sets the bufferSize to 4096 bytes, but when reading it uses 0x1000.
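A hardened handler for the kind of IOCTL the post describes, written here as an added example (not the vendor's driver code): the input length is checked against the pool buffer before any copy, and the buffer is released on every failure path, so a failed request cannot leave caller-controlled bytes resident in the pool. The NTSTATUS values, the 0x834 buffer size and the malloc-backed pool allocator are assumed stand-ins so the handler compiles and runs in user mode.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins so the handler runs in user mode: NTSTATUS codes, and a
 * pool allocator wrapping malloc instead of ExAllocatePoolWithTag/ExFreePool. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_UNSUCCESSFUL           ((NTSTATUS)0xC0000001)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define STATUS_INVALID_BUFFER_SIZE    ((NTSTATUS)0xC0000206)
#define POOL_BUFFER_SIZE 0x834  /* assumed size of the NonPagedPool target buffer */

static size_t g_live_pool_allocs;  /* outstanding allocations; a leak shows as > 0 */
static void *pool_alloc(size_t n) { void *p = malloc(n); if (p) g_live_pool_allocs++; return p; }
static void  pool_free(void *p)   { if (p) { free(p); g_live_pool_allocs--; } }

/* Hardened handler for an IOCTL that copies a caller-supplied string into a
 * fixed-size pool buffer.  It closes the two defects the post describes: the
 * input length is validated against the buffer before the copy, and the buffer
 * is released on every exit path, so a failed request leaves nothing behind. */
NTSTATUS handle_copy_string_ioctl(const char *user_buf, size_t user_len,
                                  int (*process)(const char *str))
{
    char *pool; NTSTATUS status;

    if (user_buf == NULL || user_len >= POOL_BUFFER_SIZE) /* keep room for NUL */
        return STATUS_INVALID_BUFFER_SIZE;
    pool = pool_alloc(POOL_BUFFER_SIZE);
    if (pool == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;

    memcpy(pool, user_buf, user_len);
    pool[user_len] = '\0';
    status = process(pool) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;

    pool_free(pool);  /* single release point covers success and failure alike */
    return status;
}

/* Hypothetical downstream step that rejects every request (forces the failure
 * path), and a submitter that hands the handler `len` bytes of 'A'. */
static int reject_all(const char *s) { (void)s; return 0; }
NTSTATUS submit_failing_request(size_t len)
{
    char *buf = malloc(len + 1); NTSTATUS st;
    if (buf == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    memset(buf, 'A', len);
    st = handle_copy_string_ioctl(buf, len, reject_all);
    free(buf);
    return st;
}
size_t live_pool_allocs(void) { return g_live_pool_allocs; }
```

After any mix of accepted and rejected requests, live_pool_allocs() should read 0; a non-zero value is the leak signature the post warns about.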

Official details: As of today, the vendor has not provided an update on this matter. Their homepage can be found at the following link – https://www.malwarefox.com/

Cyber Security Focus – use a Raspberry Pi for Windows 10 (17th May 2021)

Preface: Windows 10 IoT Core is a version of Windows 10 that is optimized for smaller devices with or without a display, and that runs on the Raspberry Pi 2 and 3.

Background: ASP.NET Core is one of the best frameworks available for making cross-platform web applications. The free Windows 10 IoT Core along with ASP.NET 3.0 lets you build applications or background services on an IoT device. Since Windows 10 requires more RAM than most Linux distributions, only a Raspberry Pi 4, 3, or 2 with at least 1 GB of RAM can run the ARM edition through the WoR project.

Vulnerability details: An unauthenticated attacker could send a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets. The issue is that an attacker can trigger a code path that frees every entry of the local list, leaving them dangling in the Request object.

Reminder: If you plan to run Windows 10 IoT Core on a Raspberry Pi, don’t forget to apply the fix.

Remedy: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166

Small storm in Big data world (CVE-2021-22135 & CVE-2021-22136) 13th May 2021

Preface: 3350 companies reportedly use Elasticsearch in their tech stacks, including Uber, Shopify, and Udemy.

Background: Organizations can use big data analytics systems and software to make data-driven decisions that can improve business-related outcomes. Elasticsearch is a popular open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and click stream analytics.

Remark: Elastic, the company behind Elasticsearch and Kibana, has made a change to their licensing. They’ve taken a unique approach to “doubling down on open”: customers can now choose between two non-open source licenses. 

Vulnerability details: Flaws were found in Kibana and Elasticsearch versions before 7.11.2 and 6.8.15. They risk exposing sensitive information to an unauthorized person and unintentionally extending authenticated users’ sessions. Details are shown below:

CVE-2021-22136 – https://nvd.nist.gov/vuln/detail/CVE-2021-22136

CVE-2021-22135 – https://nvd.nist.gov/vuln/detail/CVE-2021-22135

CVE-2021-23134: Linux – the implementation of nfc sockets contains a flaw! (12th May 2021)

Preface: Near field communication (NFC) technology lets smartphones and other enabled devices communicate with other devices containing an NFC tag.

Vulnerability details: A use-after-free vulnerability in nfc sockets in the Linux kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. This flaw is rated as having a Moderate impact because, in the default configuration, the issue can only be triggered by a privileged local user (with capability CAP_NET_RAW).
What if a raw socket is created in Python without root privileges?

Reference:

Activating the SUID bit on the file with a command like chmod +s file and setting its owner to root with chown root.root file.
This will run your script as root, regardless of the effective user that executed it.

Setting the CAP_NET_RAW capability on the given file with a command like setcap cap_net_raw+ep file.
This will give it only the privileges required to open a raw socket.

Announcement by vendor – https://access.redhat.com/security/cve/CVE-2021-23134

Citrix Workspace App (CVE-2021-22907) Security Update – 11th May 2021

Preface: The Improper Access Control weakness describes a case where software fails to restrict access to an object properly.

Background: Citrix Workspace ensures corporate data is safe and malicious activities are spotted quickly. If the installation is user-based, Citrix Workspace app must be installed for each user who logs on to the local machine.

Vulnerability details: Citrix has released security updates to address a vulnerability in Citrix Workspace App for Windows. An attacker could exploit this vulnerability to take control of an affected system. It affects all supported versions of Citrix Workspace app for Windows but does not affect Citrix Workspace app on any other platform. The vendor has not stated explicitly what the actual flaw is; however, it may be a recurrence of a former design weakness (refer to the diagram for details).

Official announcement: CTX307794 (Citrix Workspace App Security Update) – https://support.citrix.com/article/CTX307794

CVE-2021-20326: Performing a specific type of find query in MongoDB may trigger a denial of service – 10th May 2021

Preface: The term ‘NoSQL’ means ‘non-relational’, meaning that MongoDB isn’t based on the table-like relational database structure.

Background: MongoDB’s storage format is called BSON, which is similar to JSON. Traditional databases store data in tabular format; in a MongoDB database, data is stored in collections of documents instead of tables of rows. A document has fields and values, as in JSON. Field types include scalar types (string, number, date, etc.) and composite types (arrays and objects). Query operations on array fields use the db.collection.find() method in the mongo shell. MongoDB also supports query operations on geospatial data: you can store geospatial data as GeoJSON objects or as legacy coordinate pairs.

Vulnerability details: A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4. For more details, please refer to the attached diagram.

Remedy: Add stricter parser checks around positional projection
Branch: v4.4 – https://github.com/mongodb/mongo/commit/0c7f643a2dfe4000ac9630ed5dace0cb40ec9740

VMware vRealize Business for Cloud updates address a remote code execution vulnerability (CVE-2021-21984) – 5th May 2021

Preface: vSphere 6.5 introduced several new REST APIs included in the vCenter Server Appliance (VCSA).

Background: You can use vRealize Business for Cloud to manage the following VMware products and services through the REST API: vCenter Server, vCloud Director, vRealize Automation and vRealize Operations Manager. To access the VCSA appliance, the API endpoints for available updates are under the /rest/appliance/update section. If you run the API explorer, you will get the following result: the endpoint shows UP_TO_DATE, while VAMI shows 5 available updates.

Vulnerability details: Attackers can exploit this security flaw through the management interface (VAMI) upgrade APIs to gain access to unpatched vRealize Business for Cloud virtual appliances.

Remedy – Official announcement : https://www.vmware.com/security/advisories/VMSA-2021-0007.html

Dell patches 12-year-old driver vulnerability impacting millions of PCs – 5th May 2021

Background: DBUtil_2_3.sys is a Windows driver. A driver is a small software program that allows your computer to communicate with hardware or connected devices. This means that a driver has direct access to the internals of the operating system, hardware, etc.

Vulnerability details: The Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required. Dell said it plans to release proof-of-concept code for CVE-2021-21551 on 1st June 2021. But we can use our imagination before they announce the update. For details, please refer to the diagram.

Official announcement: https://www.dell.com/support/kbdoc/zh-hk/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability

In normal circumstances, the IT team will prevent people from scanning their site. Perhaps sometimes this check is skipped through a careless mistake. 4th May 2021

Preface: US Homeland Security urges computer users in the country to stay alert to multiple vulnerabilities in Pulse Secure products. Perhaps the whole world should be aware of it.

Synopsis: Some years ago, Pulse Secure acquired Juniper’s SSL VPN product. Juniper is remembered as an active player among telecommunication service providers, and enterprises around the world have been satisfied with Juniper’s SSL VPN services.

Security focus: Products affected by the vulnerabilities (PCS: 9.1Rx and 9.0Rx)
CVE-2021-22894 – Buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via a maliciously crafted meeting room.
CVE-2021-22899 – allows remote authenticated users to perform remote code execution via Windows File Resource Profiles.
CVE-2021-22900 – allows an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

For details, please refer to https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/

Samba Releases Security Updates – 30th Apr 2021

Technical background: A Samba file server enables file sharing across different operating systems over a network. It lets you access your desktop files from a laptop and share files with Windows and macOS users.

Vulnerability details: Unprivileged users can delete files in network shares that they shouldn’t be able to access.
However, the vendor stated that they have analysed the code paths but have not yet confirmed a specific way for a remote user to trigger this flaw reproducibly.
Perhaps you may have luck finding the root cause. For more details, please refer to the attached diagram.

Official details (CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids()) https://www.samba.org/samba/security/CVE-2021-20254.html

Protecting an unpatched Samba server: The easiest way is to use the “hosts allow” and “hosts deny” options in the Samba configuration file [smb.conf] to allow access to your server only from a specific range of hosts. An example is shown below:

hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0