CVE-2021-43997 – Amazon FreeRTOS encounter vulnerability (18th Nov, 2021)

Preface: Amazon now “owns” FreeRTOS, in the sense that the company will provide all support going forward. FreeRTOS includes a kernel and a growing set of software libraries suitable for use across industry sectors and applications. To support a growing number of use cases, AWS provides software libraries that offer enhanced functionality including connectivity, security, and over-the-air updates.

Background: FreeRTOS is customised using a configuration file called FreeRTOSConfig.h. Every FreeRTOS application must have a FreeRTOSConfig.h header file in its pre-processor include path. FreeRTOSConfig.h tailors the RTOS kernel to the application being built. It is therefore specific to the application, not the RTOS, and should be located in an application directory, not in one of the RTOS kernel source code directories.

Reference:

Functions implemented in “application_defined_privileged_functions.h” must save and restore the processor’s privilege state using the prvRaisePrivilege() function and portRESET_PRIVILEGE() macro respectively. For example, if a library provided print function accesses RAM that is outside of the control of the application writer, and therefore cannot be allocated to a memory protected user mode task, then the print function can be encapsulated in a privileged function.

Official reminder: Above technique should only be use during development, and not deployment, as it circumvents the memory protection.

Vulnerability details: Amazon FreeRTOS 10.2.0 through 10.4.5 on the ARMv7-M and ARMv8-M MPU platforms does not prevent non-kernel code from calling the xPortRaisePrivilege and vPortResetPrivilege internal functions.

Remedy: This is fixed in 10.4.6 and in 10.4.3-LTS Patch 2.

Official announcement: https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.6

Security Focus on SMU Mailbox (CVE-2021-26331) -16th Nov 2021

Preface: Quick way to understand difference in between Ryzen and EPYC (see below):

About Ryzen: Some said, Ryzen CPUs are best suited for gaming PCs.
However, AMD has announced its newest range of mobile chips,
the Ryzen 5000 mobile series, which it claims will be used in 1500 devices during 2021.

About EPYC: AMD and Google Cloud have announced the beta availability of Confidential Virtual Machines (VMs) for Google Compute Engine powered by 2nd Gen AMD EPYC processors, taking advantage of the processors’ advanced security features.

Background: The system management unit (SMU) is a sub-component of the northbridge that is responsible for a variety of system and power management tasks during boot and runtime. The SMU contains a micro-controller to assist. The micro controller can be interrupted to cause it to perform several initialization and runtime tasks. BIOS and ACPI methods can interrupt the SMU to request a specific action.

Ref: It is worth mentioning that AMD’s SMU mechanism. SMU is the system management unit. When silent, the power consumption of Ryzen is controlled by SMU. The management functions of SMU include power consumption, current, temperature limiter, voltage controller and power consumption. Threshold etc. The voltage we see in the overclocking software is the upper limit voltage of the processor considered by SMU.
For example, the 1.35V voltage we see in the overclocking software is actually equivalent to a voltage of about 1.2V.

Vulnerability details: CVE-2021-26331 – Certain versions of 1st Gen AMD EPYC from AMD contain the following vulnerability:

AMD System Management Unit (SMU) contains a potential issue where a malicious user may be able to manipulate mailbox entries leading to arbitrary code execution.

Speculation: Each CPU class has completely different function/command IDs for the SMU. The standard mechanism will do a search. A design weakness occurs becuase the input validation feature do not contain on source file (smu[.]c). Therefore, it provides a possibilities to a malicious user send a command. As a result, to manipulate mailbox entries leading to arbitrary code execution.

Headline news – AMD reveals an Epyc 50 flaws – 23 of them rated high severity , said theregister[.]com. Official details please refer to the link – https://web.archive.org/web/20211112012410/https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021

Review of major events (from windows 7 to AMD display driver design weakness) 15th Nov, 2021

Preface: Long time ago, digital world try to avoid malware infection. Malware has few different types. Memory-resident malware, also known as fileless malware, is a type of malicious software that writes itself directly onto a computer’s system memory. This behavior leaves very few signs of infection, making it difficult for traditional tools and non-experts to identify. Therefore software engineer invented ASLR to fight against them. Apart from that the public announcement said, 64 bit software OS contained anti-malware function. So people are imagine that our digital is secure forever.

Situation in the past ten years: The NTQuerySystemInformation function is implemented on NTDLL. And as a kernel API, it is always updated in the Windows version without any notice. The software developers revealed the reality afterwards. KASLR can be trivially bypassed by an exploit executed at medium-integrity through the use of the well-known EnumDeviceDrivers and NtQuerySystemInformation APIs. As such, NtQuerySystemInformation may be altered or unavailable in future versions of Windows. Perhaps it should use the other functions for replacement. But how about the EnumDeviceDrivers ?

Remark (1): EnumDeviceDrivers – Retrieves the load address for each device driver in the system. i.e. It enums already loaded device drivers.

A story can tell: In Windows 10 Redstone 2 (2017), the UserHandleTable containing the kernel-mode address of all objects allocated on the Desktop heap was removed, however the Desktop heap itself was still mapped in user-mode, allowing us to search through it and locate a specific object. Attacker can creating a window through the CreateWindowEx API, grabbing the address of the user-mode mapped Desktop heap from offset in the TEB, and performing a brute-force search for the Window handle on the user-mode mapped Desktop heap to obtain the offset. It sound likes bypass Kernel ASLR.

Remark (2): Every desktop object requires memory to store UI objects, such as windows and menus. This memory is called desktop heap.
When applications require a UI object, functions within user32. dll are called, and desktop heap memory is allocated.

Remark (3): Remark: TEB(winternl.h) – Win32 apps – The Threat Environment Block (TEB structure) describes the state of a thread.

Summary: In analysis of the AMD Escape calls, a potential set of weaknesses in several APIs was discovered, which could result in escalation of privilege, denial of service, information disclosure, KASLR bypass, or arbitrary write to kernel memory. Please refer to the link – https://web.archive.org/web/20211113054717/https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1000

CVE-2021-22101 – If someone can run out of resources, this is similar to a denial of service technique! (11-11-2021)

Preface: Who cares about spending all your money, maybe just yourself! Who cares about running out of your system resources, perhaps it is the system owner.

Background: VMware Tanzu Application Service is a modern application platform for enterprises that want to continuously deliver and run microservices across clouds. Release new features and updates to production daily. across clouds. Apply security patches and platform updates with near zero downtime.

A REST call requires the creation of a resource handler.
The resource handler represents the entry point for resource requests and is annotated with the @Path, context, and other information that is required to handle a request. Handlers are responsible for coordinating the client request. Handlers intercept calls, run required actions, and convert responses to a form consumable by the client by using standard
HTTP protocol elements.

Vulnerability Details: A denial-of-service vulnerability was found in one of the components of VMware (Tanzu Application Service for VM). Cloud Controller versions prior to 1.118.0 are vulnerable to unauthenticated denial of Service(DoS) vulnerability. The remote attacker can leverage this vulnerability to cause denial of service by using REST HTTP requests and generating an enormous SQL query leading to database (ccdb) unavailability.

Note: The design weakness notified by the supplier on manual before CVE record happens: (max_labels_per_resource) – Maximum number of labels allowed on any single resource. Too many labels may degrade performance of label selectors.
Default : 50

Remediation: upgrade to 2.12.1 (Release Date: 10/20/2021)
[Security Fix] CAPI – Cap label selectors at 50 in queries and improve label selector performance to mitigate DOS vulnerability (CVE-2021-22101) – https://www.vmware.com/security/advisories/VMSA-2021-0026.html

VMware – Security advisory to address a privilege escalation vulnerability in vCenter Server and Cloud Foundation – 10th Nov, 2021

Preface: Every Windows system is vulnerable to a particular NTLM relay attack that could allow attackers to escalate privileges from User to Domain Admin.

Background: If your administration portal is a web application which protected by IWA (Integrated Windows Authentication). When client send a request to web server doing handshaking, the web server will be rejected the request and sends a response saying the user needs to be authenticated using NTLM. NTLM relaying is a well known technique that has long been abused by attackers.
Normally, NTLM relays need user intervention, so you have to trick the victim to authenticate to a resource under your control.

Vulnerability details: When using Integrated Windows Authentication (IWA), there are many possibilities for attacks. Perhaps the privilege escalation vulnerability in the Windows RPC protocol may be different from traditional methods. May be not the specify attack method of such vulnerability. But it will enrich your seen.

VMware vCenter Server IWA privilege escalation vulnerability (CVE-2021-22048): The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. The attacker with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group. US Homeland secuirty (CISA) encourages users and administrators to review VMware Security Advisory – https://www.vmware.com/security/advisories/VMSA-2021-0025.html

Workaround Instructions for CVE-2021-22048https://kb.vmware.com/s/article/86292

Are you struggling with weaknesses in the SAP design – CVE-2021-40501? 9th Nov, 2021

Preface: In the digital world, it always has unexpected problems.

Background: SAP kernel is the core component of any SAP system. It includes executable files on the SAP server, which are used to connect to the system and execute SAP programs. In the SAP system environment, remote function call (RFC) is one of the main communication protocols used.
Remark: Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems. RFC calls a function to be executed in a remote system.

Vulnerability details (official): CVE-2021-40501 – Missing Authorization check in ABAP Platform Kernel
(Product – SAP ABAP Platform Kernel, Versions – 7.77, 7.81, 7.85, 7.86)

My observation: The server-side implementation of the proprietary RFC protocol. Remote attackers capable of crafting special requests may exploit this vulnerability to claim a given identity that causes an authentication bypass in the SAP kernel. Similar vulnerability not the 1st time discovered.

Reminder: Due to the criticality and the impact on systems beyond the vulnerable system, we strongly recommend applying the corresponding kernel patch.

Official announcement – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864

“excessive resource usage” in jsonrpc whether Citrix announcement (CTX 330728 ) security focus? (9th Nov 2021)

Preface: The Citrix ADC NITRO protocol allows you to configure and monitor the Citrix ADC appliance programmatically by using
Representational State Transfer (REST) interfaces. Therefore, NITRO applications can be developed in any programming language.
Additionally, for applications that must be developed in Java or .NET or Python, NITRO APIs are exposed through relevant libraries
that are packaged as separate Software Development Kits (SDKs).

Background: When it comes to network services, you can use remote procedure calls (RPC) and representational state transfer (REST) to create APIs for network communication. As with any programming problem, understanding the advantages of each method will help you choose the best solution to reduce technically unforeseen problems. Are you experienced “excessive resource usage” in jsonrpc technical matter? For more information on this matter, please refer to the attached picture. In addition, do you think the security focus of the Citrix announcement (CTX 330728) is on similar topics?

Vulnerability details:

CVE-2021-22955 – Unauthenticated denial of service
Affected Products – Citrix ADC, Citrix Gateway (Appliance must be configured as a VPN (Gateway) or AAA virtual server)
Possible cause: Uncontrolled Resource Consumption
Criticality – Critical

CVE-2021-22956 – Temporary disruption of the Management GUI, Nitro API and RPC communication
Affected Products: Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition (Access to NSIP or SNIP with management interface access)
Possible cause: Uncontrolled Resource Consumption
Criticality – Critical

Official announcement – https://support.citrix.com/article/CTX330728

Siemens Security Advisory by Siemens ProductCERT – 9th Nov 2021

Preface: Directory traversal (path traversal) happens when the attacker is able to read files on the web server outside of the directory of the website. Directory traversal is only possible if the website developer makes mistakes.

Background: SIMATIC PCS 7 Web can be used to operate and monitor a
plant via Intranet or Internet. Extensive configuration options enable individualized and secure online access to the operator control and monitoring level of the production plant. This enables remote control room concepts to be realized. The new version expands the integration of mobile devices for plant monitoring even further.

Vulnerability details:

CVE-2021-40364
The affected systems store sensitive information in log files. An attacker with access to the log files could publicly expose the information or reuse it to develop further attacks on the system.

CVE-2021-40359
When downloading files, the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read unexpected critical files.

CVE-2021-40358
Legitimate file operations of the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read, write or delete unexpected critical files.

Official announcement: https://cve.report/CVE-2021-40364/e6b9d41.pdf

CVE-2021-41250 Be alert to the Python Discord server (together with Python code) 5th Nov, 2021

Preface: One aspect of the Microsoft-python server focuses on Python or Microsoft-developed tools. If you want to develop data science, security or games, then the Python Discord server is your best choice.

Background: Bots on Discord, the group messaging platform, are helpful artificial intelligence that can perform several useful tasks on your server automatically. Build a Discord Bot With Python is easy (see below):

  1. pip install discord[.]py
  2. If you don’t have a Discord account, then you’re going to want to create one.
  3. Once you login, you are able to create New Application.

Discord servers are used in a wide range of applications, from basic mathematics to Python programming to more core data science concepts such as machine learning and artificial intelligence.

Vulnerability details: CVE-2021-41250 (Python Discord) : The token filtering function would exit early if it detected a URL within the message, but it made no extra checks to ensure there weren’t other tokens within that message that would trigger it.

Weakness Enumeration : Improper Input Validation

This issue has been resolved in commit: 67390298852513d13e0213870e50fb3cff1424e0 – https://github.com/python-discord/bot/commit/67390298852513d13e0213870e50fb3cff1424e0

Abuse macOS features, installing undetectable malware – 2nd Nov, 2021

Preface: Apple replaces bash with zsh as the default shell in macOS.

Background: According to the ZSH documentation on Startup/Shutdown Files, there are a number of files (located in the home directory $HOME or ~/):
[.]zprofile (login shell)
[.]zshenv (environment variables)
[.]zshrc (interactive shell)
[.]zlogin (login shell)
[.]zlogout (when the shell exits)

When zsh start, it looks for environment variables file (/etc/xxx[.]zshenv), If found, it runs command from file automatically.

Vulnerability details: The vulnerability is tracked as CVE-2021-30892 and was discovered in macOS Monterey 12.0.1 and Big Sur and Catalina updates.

So, for attackers  to perform arbitrary operations , find the specify path which process could take would be to create a malicious [.]zshenv file and then wait for system_installd to invoke zsh.

If you are interested in this matter, please refer to the URL

antihackingonline.com