Are you worried that someone else will steal your source code? – Vulnerability Note VU#240785 (18th Feb 2021)

Preface: Bitbucket’s advantage over GitHub used to be that it hosted both Git and Mercurial repositories.

Background: If you are a Jira user, you can import your existing Git repositories into Bitbucket. Jira Software and Bitbucket integrate with each other and work with third-party build tools such as Jenkins. However, the deepest integration is between Jira Software, Bitbucket and Bamboo.

Vulnerability details: Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs. For details, refer to the link or the attached diagram – https://kb.cert.org/vuls/id/240785

Remedy: https://jira.atlassian.com/browse/BSERV-12753

Ref: DLLSpy (dynamic mode) – DLLSpy enumerates the modules loaded by a process to build the loaded-module list. It then checks whether any of those modules could be hijacked by trying to write to their file location on disk, i.e. whether they could be overwritten. This check runs after DLLSpy duplicates the access token of a browser process, which is a low-privilege token, so that the result reflects what a regular user could do. An attacker performs the same test to learn whether, as a regular user, they have write permission to the DLL’s directory and to the DLL itself.

CVE-2021-21305 – CarrierWave (18th Feb 2021)

Preface: CarrierWave provides a simple and extremely flexible way to upload files from Ruby applications. Websites built on Ruby on Rails are popular and cover many familiar names – Airbnb, Groupon, GitHub, Twitter, Zendesk, Bloomberg…

Background: CarrierWave is an open-source RubyGem that provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability.

Vulnerability details: The “#manipulate!” method inappropriately evals the content of the mutation option (:read/:write), allowing attackers to craft a string that is executed as Ruby code. If an application developer supplies untrusted input to the option, this leads to remote code execution (RCE). For more details, refer to the diagram.

Workaround: Stop supplying untrusted input to #manipulate!’s mutation option.

Remedy: Upgrade to 2.1.1 or 1.3.2.

Reference: RubyGems is the package manager for Ruby. It provides a standard format, the “gem”, for distributing Ruby programs and libraries, together with tools for managing gem installation and servers for distributing gems. It is similar to Python’s pip.

Embedded TCP/IP stacks memory corruption vulnerabilities; the status of many vendors is still unconfirmed – 16-02-2021

Preface: Embedded TCP/IP stacks have memory corruption vulnerabilities (Vulnerability Note VU#815128) – Siemens, SUSE Linux, iSCSI, FNet, Microchip Technology, Weinert Automation, Abbott Labs, ….
The status of many other vendors has not yet been confirmed.

Background: The CERT Coordination Center alerted the public in December 2020 that several embedded TCP/IP stacks have memory corruption vulnerabilities, a design weakness that impacts the IoT world. Forescout Research Labs discovered 33 vulnerabilities, collectively called AMNESIA:33, impacting millions of IoT, OT and IT devices and presenting an immediate risk to organizations worldwide. A closer look at the vulnerability checklist shows that most of them result in denial of service and information leaks; CVE-2020-24336 and CVE-2020-24338, however, allow an attacker to achieve remote code execution (RCE).

Security focus: The most serious impact is RCE caused by defects in the DNS functionality, as shown in the report issued by Forescout. The code that processes DNS queries and responses has several issues:

  • no check on whether a domain name is null-terminated
  • DNS response data length is not checked
  • the number of DNS queries and responses declared in the DNS header is not checked against the data actually present
  • the length byte of a domain name in a DNS query or response is not checked before it is used for internal memory operations

Current status: We are still waiting for vendor responses. For details, refer to the link – https://kb.cert.org/vuls/id/815128
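As an added example that is not code from the Forescout report or from any affected stack (written in JavaScript rather than the C of the embedded stacks), a DNS name reader and answer parser that applies each of the four missing checks listed above to a constructed response packet:

```javascript
// Added example, not code from Forescout or any affected stack: a DNS reader that performs the four checks the advisory lists as missing. Packet bytes are constructed.
const MAX_LABEL = 63, MAX_NAME = 255;   // RFC 1035 limits; a 0xC0 compression-pointer byte also fails the 63 check

// Read one domain name at `offset`; returns { name, next } or throws RangeError.
function readName(buf, offset) {
  const labels = []; let pos = offset, total = 0;
  for (;;) {
    if (pos >= buf.length) throw new RangeError('name is not null-terminated');      // check 1: terminator present
    const len = buf[pos];
    if (len === 0) return { name: labels.join('.'), next: pos + 1 };
    if (len > MAX_LABEL) throw new RangeError(`label length ${len} > 63`);           // check 4: length byte validated
    if (pos + 1 + len > buf.length) throw new RangeError('label runs past packet');  // check 4: before any copy
    if ((total += len + 1) > MAX_NAME) throw new RangeError('name > 255 bytes');
    labels.push(buf.toString('ascii', pos + 1, pos + 1 + len));
    pos += 1 + len;
  }
}

// Parse header, questions and answers, checking QDCOUNT/ANCOUNT and RDLENGTH against the bytes present (checks 2 and 3).
function parseResponse(buf) {
  if (buf.length < 12) throw new RangeError('header truncated');
  const qdcount = buf.readUInt16BE(4), ancount = buf.readUInt16BE(6);
  let pos = 12; const questions = [], answers = [];
  for (let i = 0; i < qdcount; i++) {
    const q = readName(buf, pos);
    if (q.next + 4 > buf.length) throw new RangeError('question truncated');
    questions.push(q.name);
    pos = q.next + 4;                                   // skip QTYPE, QCLASS
  }
  for (let i = 0; i < ancount; i++) {
    const a = readName(buf, pos);
    if (a.next + 10 > buf.length) throw new RangeError('answer fixed fields truncated');
    const rdlength = buf.readUInt16BE(a.next + 8);
    pos = a.next + 10;                                  // skip TYPE, CLASS, TTL, RDLENGTH
    if (pos + rdlength > buf.length) throw new RangeError('RDLENGTH exceeds packet');
    answers.push({ name: a.name, rdata: Array.from(buf.subarray(pos, pos + rdlength)) });
    pos += rdlength;
  }
  return { questions, answers };
}

// Constructed response: one question and one A answer for example.com (no name compression).
function encodeName(name) {
  return Buffer.concat([...name.split('.').map(l => Buffer.from([l.length, ...Buffer.from(l)])), Buffer.from([0])]);
}
const SAMPLE = Buffer.concat([
  Buffer.from([0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0]),                        // header: QDCOUNT=1, ANCOUNT=1
  encodeName('example.com'), Buffer.from([0, 1, 0, 1]),                                  // question: A IN
  encodeName('example.com'), Buffer.from([0, 1, 0, 1, 0, 0, 0x0e, 0x10, 0, 4, 93, 184, 216, 34]), // A IN TTL=3600 RDLENGTH=4
]);
```

Each RangeError corresponds to a place where the affected stacks, per the report, proceeded without a check; a parser that stops there cannot be driven into an out-of-bounds memory operation by the packet.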

Node-ps package has a design weakness – CVE-2020-7785 (11th Feb 2021)

Preface: Node.js is an application runtime environment that lets you use JavaScript to build server-side applications with access to the operating system, the file system and everything else needed to be fully functional. There are 8 top companies that rely on Node.js.

Background: Using Node.js allows full-stack JavaScript development while ensuring the speed and performance of the application. If you are asking how to check whether a process is running by its process name, one option is the ps-node package.

Vulnerability details: The Node-ps package has a design weakness: an injection point was found in lib/index.js. The code should avoid the exec() function and use execFile() instead. execFile() executes a single program and does not spawn a shell by default, which makes it safer than exec().

Remark: By default, pipes for stdin, stdout and stderr are established between the parent Node.js process and the spawned subprocess.

Official announcement: https://nvd.nist.gov/vuln/detail/CVE-2020-7785

This design weakness is beyond the vendor’s control – VMware vulnerability (CVE-2021-21976) – 12th Feb 2021

Preface: With vSphere Replication, you can set up replication of VMs from a source site to a target site, monitor and manage the replication status, and restore VMs on the target site.

Background: vSphere Replication is an alternative to storage-based replication. It protects virtual machines from partial or complete site failures by replicating them from a source site to a target site. Some configuration files contain settings that affect the security of vSphere Replication (see below):
– The default system configuration of the vSphere Replication Management server:
/opt/vmware/hms/conf/hms-configuration.xml
– The configuration file for the embedded database:
/opt/vmware/hms/conf/embedded_db.cfg

Vulnerability details: An attacker with administrative access to vSphere Replication can execute shell commands on the underlying system. Successful exploitation of this issue may allow an authenticated admin user to perform remote code execution.
Official announcement: https://www.vmware.com/security/advisories/VMSA-2021-0001.html

Remark: If an HTML page lacks a sanitization function, command injection becomes possible, and the impact may be unforeseeable.

CVE-2021-1732 Win32k Elevation of Privilege Vulnerability (11th Feb 2021)

Preface: There are many reasons to encounter win32k.sys problems. In the past, most issues related to SYS files involved blue-screen crashes.

Background: win32k.sys is a legitimate system file that is required at startup. The Graphics Device Interface (GDI) provides functionality for outputting graphical content to monitors, printers and other output devices. It resides in gdi.exe on 16-bit Windows and in gdi32.dll on 32-bit Windows in user mode. Kernel-mode GDI support is provided by win32k.sys, which communicates directly with the graphics driver. What changes if system call filtering has been enabled? That case can be examined by looking at W32pServiceTableFilter instead.

Vulnerability details: A zero-day vulnerability exists in a win32k callback; it could be used to escape the sandbox of the Microsoft IE browser or Adobe Reader on the latest Windows 10 version.

Attack Vector: Tricking a legitimate user into opening a malicious document

Impact: Elevation of Privilege

Official announcement – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732

CVE-2021-3347 – An issue was discovered in the Linux kernel through 5.10.11 (use-after-free) – 8th Feb 2021

Preface: Unlike Windows or macOS, which push software updates to users automatically, Linux leaves it to developers to look for kernel updates on their own.

Background: The futex() system call provides a method for waiting until a certain condition becomes true. It is typically used as a blocking construct in the context of shared-memory synchronization.

  • in the user-space fastpath a PI-enabled futex involves no kernel work
    (or any other PI complexity) at all. No registration, no extra kernel
    calls – just pure fast atomic ops in userspace.

Vulnerability details: An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458. See whether the attached diagram gives you hints on the matter.

Remedy: Fix fault handling in futex_lock_pi. For official details, refer to the following link – https://nvd.nist.gov/vuln/detail/CVE-2021-3347

Comments: Perhaps this vulnerability raises doubts: can we still maintain the statement that Linux is more secure than Windows? But don’t forget that hackers like Microsoft.

Design weakness of the root file system mechanism – Nvidia multiple products (4th Feb, 2021)

Preface: In 2020, the global AI software market was expected to grow approximately 54 percent year-on-year, reaching a forecast size of 22.6 billion U.S. dollars.

Background: NVIDIA® Jetson™ Linux requires a root file system. You must create one on a Linux host system and copy it to your reference board. NVIDIA provides a tool to generate a root file system; to use it, navigate to the tools/samplefs directory of the extracted NVIDIA driver package. When installing according to the standard procedure, you must download a file and then run the apply_binaries.sh script to copy the NVIDIA user-space libraries into the target file system.

Vulnerability details: A vulnerability in the existing mechanism causes improper access control to be applied, which may allow an unprivileged user to modify system device tree files, leading to denial of service. Official details are at the link below.

https://nvidia.custhelp.com/app/answers/detail/a_id/5147

Supplement: The stated impact is only denial of service, but this is an alert signal for the AI and robotics world to stay vigilant.

CVE-2021-22159 – Local privilege escalation vulnerability in ObserveIT Windows agent (3rd Feb 2021)

Preface: Years ago, video recording was used to perform IT system monitoring and governance. The most famous brands are RSA NetWitness and CyberArk. However, a product made in Israel provides a cost-effective solution: the software product named “ObserveIT”. ObserveIT is now under the umbrella of Proofpoint, Inc.

Vulnerability details: The Proofpoint Insider Threat Management (formerly ObserveIT) Agent for Windows allows a local authenticated Windows user to run arbitrary commands with the privileges of the Windows SYSTEM user.

Affected versions: before 7.4.3, 7.5.4, 7.6.5, 7.7.5, 7.8.4, 7.9.3, 7.10.2 and 7.11.0.25, as well as versions 7.3 and earlier.

Remedy: https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2021-0001

Additional note: Suppose a user has permission to change a file or folder, and a named service runs from that directory. The user can then create a payload with the “msfvenom” tool that manipulates that specific service. After the payload is uploaded to the system and moved into the “common files” directory, a session on the system as NT Authority\SYSTEM is obtained when the service starts.

No workaround: you should patch immediately – Linux sudo flaw (2nd Feb 2021)

Background: The sudo command allows you to run programs with the security privileges of another user. All auditors and security experts highly recommend using it; it is considered a best practice.

Vulnerability details: Sudo before 1.9.5p2 has a heap-based buffer overflow, allowing privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character.

Impact: Taking control of the Linux system. Vulnerable versions: before 1.9.5p2

Workaround: No

Fix: The bug is fixed in sudo 1.9.5p2.

Immediate action: You should patch immediately.

Reference: https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/sudo-heap-based-buffer-overflow-vulnerability-cve-2021-3156

Security concern: System administrators usually deny remote SSH access without VPN connectivity for security reasons, so this design weakness is more likely to be exploited by insider threats. If you cannot patch immediately, fine-tune your SIEM to monitor sudo usage.

antihackingonline.com