CVE-2021-29649 – Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak (30-03-2021)

Preface: A system with a serious kernel memory leak will quickly become unusable. Tracking down memory leaks can be painful work.

How do you find memory leaks in Linux?
Kmemleak provides a way of detecting possible kernel memory leaks in a way similar to a tracing garbage collector. CONFIG_DEBUG_KMEMLEAK in “Kernel hacking” has to be enabled. A kernel thread scans the memory every 10 minutes (by default). For more details please refer to link – https://www.kernel.org/doc/html/latest/dev-tools/kmemleak.html

Vulnerability details: An issue was discovered in the Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak, related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/preload/bpf_preload_kern.c.

Official details:https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f60a85cad677c4f9bb4cadd764f1d106c38c7cf8

Impact: This vulnerability is currently awaiting analysis.

CVE-2021-29249 Although the CVE record announce late. It it is good for studying. (29th Mar 2021)

Preface: From a investment market perspective, blockchain might become next-generation investment tool. So called investment will contain risk. For instance, Hedge Fund and currencies buy and sell on markets are risky. This atmosphere we are living in long time. So no feeling any special.

BTCPay server background:
– MIT License.
– Anyone can deploy a server. Become a self-hosted payment processor and receive payments directly to your wallet.
– Your private key is never required. Non-custodial. BTCPay only needs xpubkey (public key) to generate invoices.
– Code is open-source and can be inspected by security auditors and developers.

Vulnerability details: The data is shared only between two parties – the buyer and a seller. However, due to a vulnerability, it may allow outsiders (via API) to create invoices in your store. So it is possible for people to read the data in your store.

Impact: BTCPay Server before 1.0.6.0 when the payment button is used, has vulnerability occurred.

Remedy: Due to a vulnerability occur, users of the payment button are strongly encouraged to update to 1.0.6.0 as soon as possible.

OpenSSL Security Advisory – 25th Mar 2021

Preface: If you are doubts of this OpenSSL vulnerability (CVE-2021-3449 & CVE-2021-3450), you should update your current installations to OpenSSL 1.1.1k.

Background: With OpenSSL, you can apply for your digital certificate (Generate the Certificate Signing Request) and install the SSL files on your server. You can also convert your certificate into various SSL formats, as well as do all kind of verifications.

Vulnerability Details: The exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition.
The design defect has problem occur when the X509_V_FLAG_X509_STRICT flag enable. Error occurs in additional security checks of the certificates present in a certificate chain).
Perhaps a defect found in presence of elliptic curve parameters.
Details require vendor provided.

Official details: https://www.openssl.org/news/secadv/20210325.txt

Security Focus: CVE-2021-21625 (Jenkins CloudBees AWS Credentials Plugin) 23rd Mar 2021

Background: You can refer to Amazon’s Creating an IAM User in Your AWS Account page to create this IAM user. Once this is done, you can add new credentials of type Aws Credentials (specifying your Access key ID and a Secret access key).Whereby it can store Amazon IAM access keys (AWSAccessKeyId and AWSSecretKey) within the Jenkins Credentials.

Vulnerability details: Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

One of the possible reasons: In Java, the java. lang. NullPointerException is thrown when a reference variable is accessed (or de-referenced) and is not pointing to any object. This error can be resolved by using a try-catch block or an if-else condition to check if a reference variable is null before dereferencing it.

Impact: the attacker might be able to use the resulting exception to bypass security logic.

Official announcement – https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2032

Zerologon vulnerability note – last revised (23rd Mar, 2021)

Preface: “Logic 0” and “logic 1” represent binary digits (0 and 1) or Boolean logic conditions (true and false).  A vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers.

Background: The algorithm originally used to encrypt the logon process in Windows NT was 2DES. Thus design weakness found in this place. MS-NRPC uses an obscure setting known as AES-CFB8 (Advanced Encryption Standard – Cipher Feed Back 8 bit). However use of AES-CFB8 within MS-NRPC has an issue with the Initialisation Vector (IV) which should be a random number, but MS-NRPC has it fixed at a value of 16 bytes of zeros.

Impact: Tom Tervoort from Secura, he discovered there is a likelihood of one of every 256 keys used will create cipher text that has a value of all zeros.  Whereby, a high possibility way to root AD server. To change the password, attackers use the message NetServerPasswordSet2 in MS-NRPC. It is possible to change a password by simply sending the frame with the preferred new password. The easiest approach is to remove the password or set it to a blank value –  the hacker can now log in through a normal process.

Since February 9, 2021 is the enforcement phase. And therefore, vendor will be enforce the following setttings.

  • Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Logging of Event ID 5829 will be removed.  Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.

Official announcement: https://kb.cert.org/vuls/id/490028

Perhaps you will forget, vulnerability in VMware View Planner (CVE-2021-21978) – 21st March 2021

Preface: The Secure Development Lifecycle – From requirements to design, coding to test, the SDL strives to build security into a product or application at every step in the development process.

Background: VMware View Planner is a workload generator that simulates typical user operations such as typing in Microsoft Word, playing a PowerPoint slideshow, reading Outlook emails, browsing PDF and Web pages and watching video.

Vulnerability details: The VMware View Planner Web management interface has an entry for uploading log function files.
The path of the log file written without authentication is user-controllable.
By overwriting the uploading log function file by crafted python script, RCE can be realized.

Remedy: Official details refer to link – https://www.vmware.com/security/advisories/VMSA-2021-0003.html

CVE-2021-3195 Improper Input Validation of Dumpwallet (19th Mar 2021)

Preface: In 2020, the public doubts that Bitcoin may die. The fact is, his performance is strong.

Background: Dumpwallet capable to dump all wallet keys in a human-readable format to a server-side file. When you use dumpwallet, you should expect to see several thousand lines. If you have not imported any scripts, you should have the same number of key lines as script lines.
This is because each key has a segwit script. SegWit is the process by which the block size limit on a blockchain is increased by removing signature data from bitcoin transactions. BIP173 is a way to encode segwit transaction outputs. If you have imported any scripts such as multisig scripts or addresses which are not yours, then you will see those scripts in the script lines as well.

Vulnerability details: Bitcoind is the Bitcoin Core daemon. A design weakness found on dumpwallet. The bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call.

Impact: Arbitrary code execution is possible if file created. It increase the insider threats risk level.

Status: No official announcement has been received stating that the bug has been fixed. For more details, please refer to the link – https://github.com/bitcoin/bitcoin/issues/20866

Highly Evasive Leverages (16the March, 2021)

Preface: There is a registry key in your system that can be set to prevent certain applications from running, including security software.

Background: If the software developer creates a buffer and reserves 1024 bytes then tries to copy anything more than 1023 bytes (computers start counting at 0 remember) it will overflow out from the buffer and overwrite other memory locations on the stack.
When problem occurred. It will overwrite is the saved EBP (base pointer) and then the saved EIP (saved return address) and then the function parameters.
The function gets called it first creates a new Stack Frame. Then pushes the base pointer onto the stack so that it can retrieve it later and then it pushes the return address (saved EIP) onto the stack, this is so that when the function finishes it can return to the previous function that called it.

Reference: If interested to know the detail, you can read the details through the link – https://malvuln.com/advisory/8936c97e99799809812fa740076a2d7f.txt
It was interested that the Portable executor not new. The historical record shown that the first submission of PE file is on 2016.
This malware/Torjan activities keep going on for 6 years.

A validation of the input string will be reduced cyber attack surface on your web application -16th Mar 2021

Synopsis: The package xmlhttprequest before 1.7.0 had vulnerability occurs. The CVE-2020-28502 was published on 5th March, 2021.

Background: node-XMLHttpRequest is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object.
This can be used with JS designed for browsers to improve reuse of code and allow the use of existing libraries.

Vulnerability details: This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Official details: https://nvd.nist.gov/vuln/detail/CVE-2020-28502

Current status: There is no fixed version for org.webjars.npm:xmlhttprequest-ssl.

Hints: Enhance preventive and detective control.Using something like filter (example ^\w+) base on speical chars will be allowed. Such as regular expression.

F5 network products cover a wide range. When vulnerability occur, they should be remedied as soon as possible. (CVE-2021-22991 – 12th Mar 2021)

Preface: F5 network products are commonly deployed in data center and on-premises Internet facing infrastructure.

Background: F5 Network’s Traffic Management Operating System (TMOS) is not a separate operating system. It is the software foundation for all of F5’s network or traffic (not data) products including both physical or virtual platform. TMM is the core component of TMOS as it handles all network activities and communicates directly with the network switch hardware (or vNICs for VE (Virtual Edition)). TMM also controls communications to and from the HMS. Local Traffic Manager (LTM) and other modules run within the TMM.

Vulnerability details: Vulnerability found allow attacker use of uninitialized memory. Uninitialized memory means reading data from the buffer that was allocated but not filled with initial values. It means that the data are starting to be used before they are initialized. Finally using `wrapped_umem_alloc` for heap allocations, it will also lead to a direct crash of the TMM due to the heap buffer overflow.

Official announcement: https://support.f5.com/csp/article/K56715231

antihackingonline.com