Preface: Sometimes, a low to medium risk rating vulnerability will be transformed into potential risk.

Background: Aruba’s ClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access control for IoT, BYOD & corporate devices.

The ClearPass Policy Manager is the only policy solution that centrally enforces all aspects of enterprise-grade mobility and NAC for any industry. Granular network access enforcement is based on a user’s role, device type and role, authentication method, EMM/MDM attributes, device health, location, and time-of-day.

Vulnerability details: Publication Date: 2021-Oct-12 (see below):

CVE-2021-37736, CVE-2021-37737, CVE-2021-37738,     CVE-2021-37739, CVE-2021-40986, CVE-2021-40987,      CVE-2021-40988, CVE-2021-40989, CVE-2021-40990,      CVE-2021-40991, CVE-2021-40992, CVE-2021-40993,      CVE-2021-40994, CVE-2021-40995, CVE-2021-20996,      CVE-2021-40997, CVE-2021-40998, CVE-2021-40999.

Multiple vulnerabilities have occurred. The focus area of this topic will focus on CVE-2021-40988 (path traversal). From a technical point of view, once this type of vulnerability persists. It will amplify other potential risks. Perhaps our description is one of the possibilities. The goal is to provide you with tips for consideration.

Images are loaded via some HTML, the loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk. Thus, attacker allow the application reads from the web page reachable file path. If the web application has path traversal vulnerability encounters, so an attacker can request additional path to retrieve an arbitrary file from the server’s filesystem. See the attached drawings for details.

Official announcement: ClearPass Policy Manager Multiple Vulnerabilities – https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-018.txt

Preface: A Java EE server is a server application that the implements the Java EE platform APIs and provides the standard Java EE services. Java EE servers are sometimes called application servers, because they allow you to serve application data to clients, much like web servers serve web pages to web browsers.

Background: The difference between WildFly and Tomcat:
WildFly is a full Java EE application Server, while Tomcat is a Java servlet container and web server and, since because it doesn’t come with an implementation of the full JEE stack.

Tomcat uses JMX MBeans as the technology for implementing manageability of Tomcat. The descriptions of JMX MBeans for Catalina are in the mbeans-descriptors. xml file in each package. You will need to add MBean descriptions for your custom components in order to avoid a “ManagedBean is not found” exception.

Vulnerability details: The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Remedy: Users of the affected versions should apply one of the following
mitigations:

• Upgrade to Apache Tomcat 10.1.0-M6 or later
• Upgrade to Apache Tomcat 10.0.12 or later
• Upgrade to Apache Tomcat 9.0.54 or later
• Upgrade to Apache Tomcat 8.5.72 or later

Technical reference: When using the WebSocket client to connect to server endpoints, the number of HTTP redirects that the client will follow is controlled by the userProperties of the provided javax.websocket.ClientEndpointConfig. The property is org.apache.tomcat.websocket.MAX_REDIRECTIONS. The default value is 20. Redirection support can be disabled by configuring a value of zero.

Preface: For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Background: The assert macro performs a runtime check of the given condition. For example: When a buffer maximum is 8, where the value of i is less that 8 the assert passes. But once i becomes 8 the assert fails causing the program to abort.

Vulnerability details: An expert discovered that even if the screen color is reversed, this vulnerability can be triggered. A memory corruption issue was addressed with improved memory handling.

Impact: An application may be able to execute arbitrary code with kernel privileges.

Official announcement: https://support.apple.com/en-us/HT212846

Preface: Linux mainly uses a paging mechanism to achieve virtual memory management. The size of the memory page is PAGE_SIZE bytes instead of 4 KB. On different platforms, the page size can range from 4 KB to 64 KB.

Background: The Aspeed BMC family which is what is used on OpenPOWER machines and a number of x86 as well is typically connected to the host via an LPC (Low Pin Count) bus (among others).

The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one side of the comparison, and uses resource address (rather than just the resource size) on the other side of the comparison. This can allow malicious userspace to easily bypass the boundary check and map pages that are located outside memory-region reserved by the driver.

Vulnerability details: CVE-2021-42252 – An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.

Reminder: Hardware filter in the southbridge perhaps not easy to detect attacker exploit the vulnerability.

Official announcement:Please refer to the website for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b49a0e69a7b1a68c8d3f64097d06dabb770fec96

Remark: Seems no proof of concept disclosed till now. Refer to official details, it is a local attack. But this design flaw cause by memory corruption error trigger privilege escalation. Furthermore it is running on Linux. Therefore exploit the design flaw through 3rd party API then triggers the vulnerability still have possibilities.

Preface: the most famous UTF-8 attack was against unpatched web server.

Background: The most common users of Apache HTTP Server are from Small Businesses and the Information Technology & Services industry. Perhaps

How to Check the Apache Version?

1. Open terminal application on your Linux, Windows/WSL or macOS desktop.
2. Login to remote server using the ssh command.
3. To see Apache version on a Debian/Ubuntu Linux, run: apache2 -v.
4. For CentOS/RHEL/Fedora Linux server, type command: httpd -v.

Vulnerability details: The server didn’t correctly handle contents in the URL. So the contain contained invalid UTF-8 representation of the [/] character. Such an invalid UTF-8 escape is often referred to as an overlong sequence. Therefore it provide an opportunity to the attacker. On 6th Oct,2021, Apache released Apache HTTP 2.4.50 to fix an actively exploited path traversal vulnerability in version 2.4.49 (tracked as CVE-2021-41773). This flaw allows threat actors to view the contents of files stored on a vulnerable server. Please refer to the official website for announcements – https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013

Preface: BPF is available on most Unix-like operating systems and eBPF for Linux and for Microsoft Windows. In addition, if the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode so that all packets on the network can be received, even those destined to other hosts.

Background: The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic (and eBPF is an extended BPF JIT virtual machine in the Linux kernel). It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.

Vulnerability details: CVE-2021-29249 prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.

In 32-bit architecture, the result of sizeof() is a 32-bit integer so the expression becomes the multiplication between two 32-bit integers which can potentially leads to integer overflow. As a result, bpf_map_area_alloc() allocates less memory than needed.

Remedy: Correct this by casting 1 operand to u64 (See attached picture for details).

Point of view: More than 20 years ago, the firewall function was independent, excluding the firewall policy service and vpn function.
The advantage is that when the firewall box is compromised. Nothing else will be found in the box by the attacker.
Over time, the trend of unified threat management has grown. From a technical point of view, it is a multifunctional service.
Maybe it’s hardening. But we can’t say that it is a state machine model (Bell-LaPadula model).

Having said that, the specific design responds to more and more technological developments in the world.
But it is hard to avoid vulnerability occurs due to design weakness.
This time an alert annouced by Sonicwall that an improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. This defect can do a DoS attack.

One of the possibilities encounter this defect: Incorrect configuration of aliases may allow an attacker to read files stored outside the target folder. For more details, please refer to attached diagram.

Official announcement: Please refer to link – https://www.sonicwall.com/support/product-notification/security-notice-critical-arbitrary-file-delete-vulnerability-in-sonicwall-sma-100-series-appliances/210819124854603/

Preface: Cryptocurrency look like myth. Someone avoid to use. But somebody like it. If Cryptocurrency only provide payment function. That is no investment value. Furthermore if someone going to transfer money will be know who is sender and recipient. If it come true, what is the result?

Background: BTCPay Server is an open source, P2P payment processor for Bitcoin and other cryptocurrencies where users can self-host their own server and effectively process their own payments.

Quick and easy setup (for individual and retail business): You just open an account on BTCpayserver. it is web GUI and internet everywhere. So, your customer can pay to you by cryptocurrency.

Users have even built web based point of sales payment solutions using the project. Physical stores can leverage the PoS app for accepting crypto payments. BTCPay Server is code, not a company. There is no third-party between a merchant and a customer. The merchant is always in full control of their funds. There are no processing or subscription fees.

Vulnerability details: BTCpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’). So called Cross-site Scripting, btcpayserver” stored XSS, also known as persistent XSS. In stored XSS, the malicious code is stored on the server of the application. Stored XSS is possible only when the application is designed to store user input. The attacker would inject the code through requests to the application.

Cause: During page generation, the application does not prevent the data from containing content that is executable by a web browser, hsuch as JavaScript, HTML tags, HTML attributes. For details of vulnerability , please refer to attached diagram.

Official details: – https://nvd.nist.gov/vuln/detail/CVE-2021-3830

Preface: Rapid7 Labs estimates there are over 2,700 vulnerable vCenter servers exposed to the public internet.

Background: As of May 1 2020, the Pivotal Telemetry program is governed by VMware’s Customer Experience Improvement Program.
Data and continuous feedback loops play an important role in shaping the way Pivotal builds software.

VMware analytics service consists of components that gather and upload telemetry data from various vSphere components to the VMware Analytics Cloud and manage the Customer Experience Improvement Program (CEIP).

Vulnerability details: CVE-2021-22005 (CVSS score of 9.8) – It is an arbitrary file upload vulnerability in the Analytics service, which can be used to execute commands and software on the vCenter Server Appliance. A malicious actor with network access to port 443 on vCenter Server could exploit it by uploading a specially crafted file.

Observation: Since it can upload telemetry data by analytics service. So, attacker might do the following:

Unauthenticated OVA File Upload RCE – Exploits an unauthenticated OVA file upload and path traversal in vCenter Server to write a JSP payload to a web-accessible directory.

Official announcement – VMware has disclosed a critical bug in its flagship vSphere and vCenter products and urged users to drop everything and patch it. The virtualization giant also offered a workaround. For more details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2021-0020.html