June 25th 2022 (APAC time zone), an extremely rare astronomical phenomenon

In the early morning of June 25th 2022 (APAC time zone), an extremely rare astronomical phenomenon, the “Eight Stars Converging”, will be staged. During this period, Jupiter, Mars, Venus and Mercury, a total of five stars, will appear in the night sky at the same time and will be connected in a line to form the “Five Stars Convergence”; the naked-eye-invisible Uranus, Neptune and Pluto will also be connected in a line, forming an extremely rare “eight-star converging”.

Reference: http://www.antihackingonline.com/science/prophecy-astrology-and-astronomical-henomenon-16th-jan-2022/

CVE-2022-1665 – Signed build of Red Hat Enterprise Linux for IBM Power can boot pre-production kernels

21st June 2022

Preface: What is Linux boot security?
Secure Boot allows only approved operating systems to run on the machine. Secure Boot checks the cryptographic signature in the operating system’s bootloader to see if it matches a registered key in the UEFI firmware. If a match is found, the boot process proceeds.

Background: UEFI Secure Boot requires that the operating system kernel is signed with a recognized private key. UEFI Secure Boot then verifies the signature using the corresponding public key. For Red Hat Enterprise Linux Beta releases, the kernel is signed with a Red Hat Beta-specific private key. UEFI Secure Boot attempts to verify the signature using the corresponding public key, but because the hardware does not recognize the Beta private key, a Red Hat Enterprise Linux Beta release system fails to boot. Therefore, to use UEFI Secure Boot with a Beta release, add the Red Hat Beta public key to your system using the Machine Owner Key (MOK) facility.

To determine your GRUB version, run grub-install -V. (GRUB 2 reads its configuration from /boot/grub2/grub[.]cfg.)

Red Hat Enterprise Linux 7 is distributed with version 2 of the GNU GRand Unified Bootloader (GRUB 2), which allows the user to select an operating system or kernel to be loaded at system boot time.

Vulnerability details: A set of pre-production kernel packages of Red Hat Enterprise Linux for the IBM Power architecture can be booted by GRUB in Secure Boot mode even though they should not be. These kernel builds do not have the Secure Boot lockdown patches applied and can bypass the Secure Boot validations, allowing an attacker to load further untrusted code.

Red Hat Bugzilla – Bug 2089529 – https://bugzilla.redhat.com/show_bug.cgi?id=2089529
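The posture this CVE produces on a booted machine is visible from user space: the firmware reports Secure Boot enabled while the running kernel reports no lockdown. The following check is an added example written for this post (not Red Hat's tooling); it parses the output of `mokutil --sb-state` and the contents of /sys/kernel/security/lockdown, using constructed sample strings so that it runs offline, and flags the mismatch.

```python
import re
import subprocess
from pathlib import Path

# Constructed sample values (not captured from a real host):
# what `mokutil --sb-state` prints, and the contents of /sys/kernel/security/lockdown.
SAMPLE_SB_STATE = "SecureBoot enabled\n"
SAMPLE_LOCKDOWN_OK = "none [integrity] confidentiality\n"
SAMPLE_LOCKDOWN_NONE = "[none] integrity confidentiality\n"


def parse_sb_state(output: str) -> bool:
    """True when mokutil reports Secure Boot as enabled."""
    m = re.search(r"SecureBoot\s+(enabled|disabled)", output)
    if not m:
        raise ValueError("unrecognised mokutil --sb-state output")
    return m.group(1) == "enabled"


def parse_lockdown(contents: str) -> str:
    """Return the active lockdown mode: the kernel marks it with square brackets."""
    m = re.search(r"\[(none|integrity|confidentiality)\]", contents)
    if not m:
        raise ValueError("unrecognised lockdown file contents")
    return m.group(1)


def assess_boot_posture(sb_output: str, lockdown_contents: str) -> dict:
    """Combine both readings and flag the posture this CVE produces:
    firmware enforcing Secure Boot while the booted kernel enforces no lockdown."""
    secure_boot = parse_sb_state(sb_output)
    mode = parse_lockdown(lockdown_contents)
    findings = []
    if not secure_boot:
        findings.append("Secure Boot is disabled in firmware")
    elif mode == "none":
        findings.append("Secure Boot is enabled but the running kernel has lockdown=none; "
                        "a signed kernel lacking the lockdown patches would look like this")
    return {"secure_boot": secure_boot, "lockdown": mode, "findings": findings}


def assess_live_host() -> dict:
    """Read the real values on a Linux host (needs mokutil and a lockdown-capable kernel)."""
    sb = subprocess.run(["mokutil", "--sb-state"], capture_output=True, text=True, check=False)
    lockdown = Path("/sys/kernel/security/lockdown").read_text()
    return assess_boot_posture(sb.stdout + sb.stderr, lockdown)


if __name__ == "__main__":
    print(assess_boot_posture(SAMPLE_SB_STATE, SAMPLE_LOCKDOWN_OK))
    print(assess_boot_posture(SAMPLE_SB_STATE, SAMPLE_LOCKDOWN_NONE))
```

Run assess_live_host() from a configuration-compliance job; a finding on a production host means the signed kernel in use should be compared against the Bugzilla entry above before anything else is trusted about that boot.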

About CVE-2022-32973 (Tenable) – An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges. 21st June 2022

Preface: In order to prevent malicious scripts from running on your system, PowerShell enforces an execution policy. There are four execution policies you can use: Restricted, RemoteSigned, AllSigned and Unrestricted.

Background: The Nessus vulnerability scanner allows you to perform compliance audits of numerous platforms including (but not limited to) databases, Cisco, Unix, and Windows configurations as well as sensitive data discovery based on regex contained in audit files. Audit files are XML-based text files that contain the specific configuration, file permission, and access control tests to be performed. 

After you create an audit file, you can reference the audit file in a template-based Policy Compliance Auditing scan policy or a custom scan policy, said Tenable.

Vulnerability details: An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges.

Ref: In normal circumstances, if you are going to run a PowerShell script (xxx.ps1), you need to take the following steps.

  • Open PowerShell as an Administrator
  • Set-ExecutionPolicy RemoteSigned
  • Run the script (see below)
    & "xxx.ps1"

Official announcement: Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.2.0 fixes the reported Audit function vulnerabilities. For more details, please refer to link – https://www.tenable.com/security/tns-2022-11

About CVE-2022-31794 – Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04 (21st June 2022)

Preface: If management functions follow best practices, they run on separate network segments. Among other things, this limits access to the management console to a small number of workstations, so even if the product has vulnerabilities, the risk may be significantly reduced.

Background: ETERNUS CS8000 is a data center solution for backup storage for mainframe and open systems. Using intelligent process automation and the pooling of storage capacities, backup data is automatically managed between different storage tiers, including disk, deduplication and tape technology.
The console GUI provides a complete graphical representation of an ETERNUS CS8000 system, and covers all connected devices and ISPs (Integrated Service Processors) such as ICPs (integrated channel processors), IDPs (integrated device processors) and VLPs (virtual library processors).

Vulnerability details: An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the “requestTempFile” function in hw_view[.]php. An attacker is able to influence the unitName POST parameter and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands.

Solution: Applying patch 8.1A SP02 P04 eliminates this problem.

Typically, a data center already has a SIEM installed, and a SIEM should have no trouble tracking down similar cyber attacks once the triggering rules are defined correctly. You can refer to the NCC Group technical advisory as a reference. Please refer to the link for details – https://research.nccgroup.com/2022/05/27/technical-advisory-fujitsu-centricstor-control-center-v8-1-unauthenticated-command-injection/
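A triggering rule of the kind mentioned above can be prototyped before it is written in the SIEM's own language. The script below is an added example for this post, not Fujitsu or NCC Group code: it assumes request bodies are captured by a reverse proxy or WAF in a simple "METHOD PATH body=..." line format (constructed here), percent-decodes the unitName parameter and alerts on the shell metacharacters the advisory names. The allowlist pattern for a valid unit name is also an assumption; it is the check a hardened handler would apply before the value reaches any command.

```python
import re
from urllib.parse import parse_qs

# Constructed request log lines; not real CS8000 logs. The body is assumed to have been
# captured by a reverse proxy or WAF in front of the Control Center.
SAMPLE_LOG = [
    'POST /hw_view.php body="unitName=ISP01&action=requestTempFile"',
    'POST /hw_view.php body="unitName=ISP01%3Bid&action=requestTempFile"',
    'POST /hw_view.php body="unitName=ISP01%60whoami%60&action=requestTempFile"',
    'POST /hw_view.php body="unitName=%24%28id%29&action=requestTempFile"',
    'GET /index.php body=""',
]

LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>[^"]*)"$')
# Shell metacharacters that have no business in a unit name.
SHELL_META = re.compile(r"[;`|&$<>\n\r]")
# Assumed allowlist for the example: unit names are short alphanumeric identifiers.
SAFE_UNIT_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def is_safe_unit_name(value: str) -> bool:
    """Allowlist check a hardened handler would apply before the value reaches any command."""
    return SAFE_UNIT_NAME.fullmatch(value) is not None


def scan_line(line: str):
    """Return an alert dict for a suspicious hw_view.php request, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST" or not m.group("path").endswith("/hw_view.php"):
        return None
    params = parse_qs(m.group("body"), keep_blank_values=True)  # percent-decodes the values
    for value in params.get("unitName", []):
        meta = SHELL_META.search(value)
        if meta or not is_safe_unit_name(value):
            return {
                "path": m.group("path"),
                "unitName": value,
                "reason": f"shell metacharacter {meta.group(0)!r}" if meta else "outside allowlist",
            }
    return None


def scan_log(lines):
    """Apply scan_line to every record and keep the alerts."""
    return [alert for alert in map(scan_line, lines) if alert]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The decode-then-match order matters: the malicious characters arrive percent-encoded, so a rule that pattern-matches the raw body for a semicolon will miss them.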

CVE-2022-33987 The got package before 12.1.0 for Node.js allows a redirect to a UNIX socket (18/06/2022)

Preface: You can use POSIX permissions to lock down access to the file descriptor (FD) associated with the socket, and the server side can request information such as credentials and PID of clients before they can fully connect.

Background: Node.js can process upwards of 1000 requests per second, limited only by the speed of your network card.
From a technical point of view, to improve the load handling of new-generation web services, some web applications are not designed in the traditional way: they use Got to communicate from the API front end, where all requests ingress, to the official lookup database at the back end.

It’s a GET request by default, but can be changed by using different methods or via options.method. By default, Got will retry on failure. To disable this option, set options.retry to 0.

Vulnerability details: A vulnerability was found in the got package up to 12.0.3. The design weakness allows a Node.js application using Got to follow a redirect to a UNIX socket. A Unix domain socket (UDS or IPC socket, inter-process communication socket) is a data communications endpoint for exchanging data between processes executing on the same host operating system.

This bug behaves much like using the netcat command to redirect TCP (HTTP) traffic into a UNIX domain socket. If the application is designed like the attached picture, this vulnerability could let the attacker query the database.

Remedy: Disable redirects to UNIX sockets – https://github.com/sindresorhus/got/pull/2047/commits/ef5cc13996b9765f306625ac5a0040bd445580eb
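The fix linked above is the library's own; the policy it encodes (never follow a Location header into a UNIX socket, and more generally only follow redirects to hosts you expect) is worth having in any HTTP client that reaches a back end. The following is an added example for this post, written in Python rather than taken from Got: it assumes Got's documented UNIX-socket URL shape, http://unix:/absolute/path.sock:/request/path, where the host component is the literal word "unix", and walks a constructed redirect chain to show where a hardened client stops.

```python
from urllib.parse import urljoin, urlparse


def is_unix_socket_target(url: str) -> bool:
    """Assumed Got convention: a host component of exactly 'unix' denotes a UNIX socket."""
    u = urlparse(url)
    return (u.hostname or "").lower() == "unix"


def redirect_allowed(current_url: str, location: str, allowed_hosts) -> bool:
    """Policy a hardened client applies to every Location header before following it."""
    target = urlparse(urljoin(current_url, location))  # resolves relative Location values
    if target.scheme not in ("http", "https"):
        return False
    if is_unix_socket_target(target.geturl()):
        return False
    return (target.hostname or "").lower() in allowed_hosts


def resolve(start_url, responses, allowed_hosts, max_hops=5):
    """Walk a redirect chain; responses maps URL -> (status, Location) and stands in for
    the network. Returns (outcome, url) with outcome in {ok, blocked, too_many_hops}."""
    url = start_url
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return ("ok", url)
        if not redirect_allowed(url, location, allowed_hosts):
            return ("blocked", urljoin(url, location))
        url = urljoin(url, location)
    return ("too_many_hops", url)


# Constructed server behaviour for the demonstration (not a real back end).
ALLOWED = {"api.example.test"}
HOSTILE_CHAIN = {
    "https://api.example.test/v1/lookup": (302, "/v2/lookup"),
    "https://api.example.test/v2/lookup": (302, "http://unix:/var/run/backend.sock:/lookup"),
}
BENIGN_CHAIN = {
    "https://api.example.test/v1/lookup": (301, "/v2/lookup"),
}

if __name__ == "__main__":
    print(resolve("https://api.example.test/v1/lookup", HOSTILE_CHAIN, ALLOWED))
    print(resolve("https://api.example.test/v1/lookup", BENIGN_CHAIN, ALLOWED))
```

Note that the second hop in HOSTILE_CHAIN is blocked twice over: the host is the socket marker, and it is also not in the allowed set. Keeping both rules means the client stays safe even if a future client library uses a different socket notation.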

About CVE-2022-29865 – OPC UA .NET Standard Stack impact by log4j (16-06-2022)

Preface: Accessing OPC UA servers or any other industrial system from the IIoT should be done through a secure network connection.

Background: OPC Unified Architecture (OPC UA) is a machine-to-machine communication protocol used for industrial automation and developed by the OPC Foundation. OPC UA is a platform-independent service-oriented architecture that integrates the individual OPC Classic specifications into an extensible framework.
.NET Standard allows developers to build apps that run on all common platforms available today, including Linux, iOS, Android (via Xamarin) and Windows 7/8/8.1/10/11 (including embedded/IoT editions) without requiring platform-specific modifications. The OPC UA .NET Standard SDK enables fast integration of OPC UA communication into .NET Standard applications.

Vulnerability details: This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows a malicious client or server to bypass the application authentication mechanism and allow a connection to an untrusted peer.
This security update has a base score of 6.5 (medium) using the CVSS v3.1 guidelines.

Mitigating Factors: Only affects applications running on Windows or MacOS.
Workarounds: Use self-signed Certificates for application authentication. Move CAs from the trust list to the issuers list and explicitly add each trusted peer into the trust list. Require user authentication in addition to application authentication.

Reference: https://cve.report/CVE-2022-29865/fd870923.pdf

CVE-2022-30165 – Windows Kerberos Elevation of Privilege Vulnerability (16th June 2022)

Preface: The May 2022 Security Updates from Microsoft introduced a new Object ID (OID) in newly issued certificates to further fingerprint the user. This is done by embedding the user’s objectSid (SID) within the new szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) OID. Certificate templates with the new CT_FLAG_NO_SECURITY_EXTENSION (0x80000) flag set in the msPKI-Enrollment-Flag attribute will not embed the new szOID_NTDS_CA_SECURITY_EXT OID, so those templates may still carry the design weakness.

Background: Since Windows 2000, Microsoft has used the Kerberos protocol as the default authentication method in Windows, and it is an integral part of the Windows Active Directory (AD) service. However, Kerberos authentication still carries risks associated with the older NTLM protocol.
Beginning with Windows Server 2016, KDCs support a form of public key mapping. If a public key is provisioned for an account, the KDC supports Kerberos PKInit explicitly using that key. Since there is no certificate validation, self-signed certificates are supported and authentication mechanism assurance is not supported.

*PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa.

Vulnerability details: Microsoft Windows Kerberos could allow a remote authenticated attacker to gain elevated privileges on the system.

By default, domain users can enroll in the User certificate template, and domain computers can enroll in the Machine certificate template. Both certificate templates allow for client authentication. This means that the issued certificate can be used for authentication against the KDC via the PKINIT Kerberos extension.

When the certificate is used for authentication, the KDC tries to map the UPN from the certificate to a user. However, computer accounts do not have a UPN; therefore an alternative is used instead, SubjectAltRequireDns (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS), which identifies the account by its DNS host name.
In the unpatched design, an authorized low-privilege user had the “Validated write to DNS host name” permission.
If that user modifies the dNSHostName property value from its own name to another (the equivalent of changing a UPN to another user’s UPN), the servicePrincipalName property value of the low-privilege account is updated to reflect the new “dNSHostName” value.
So if the attacker wants to update the servicePrincipalName of the low-privilege account, the updated values must also be compliant with the dNSHostName property. The attacker therefore uses the low-privilege account to delete the “servicePrincipalName” values that contain the “dNSHostName”, then updates the dNSHostName property value of the low-privilege account to that of a domain controller (example: DC.xxx.local). This triggers the privilege escalation.

Since the vendor did not announce the details, I believe the design weakness of this Kerberos mechanism shown in the vulnerability was patched as part of the May 2022 Security Updates from Microsoft.

Remedy: https://support.microsoft.com/en-us/topic/june-14-2022-kb5014702-os-build-14393-5192-e60ac0e1-44a4-49f9-871f-7c25eb0e5bb1

About SAP ASE – CVE-2022-31594 (14th June 2022)

Preface: SAP Adaptive Server Enterprise (SAP ASE) Protocol – Originally designed for Unix platforms in 1987 under the name Sybase SQL Server, it was renamed Sybase ASE, then renamed again when SAP bought Sybase. It is often used for online transaction management on location and in the cloud.

Background: The new SAP Adaptive Server Platform Edition (ASPE) is a packaged database solution consisting of SAP ASE, SAP IQ, and SAP Replication Server that provides.
SAP ASPE licenses SAP ASE, IQ, and Replication Server, the members of the ASPE suite, in the form you want. You can choose within your license, and users can reconfigure their licenses at any time in any combination at no additional cost. This makes it possible to select an appropriate IT solution in a rapidly changing business processing environment. From mission-critical OLTP and business support to data warehousing (DW) business analysis applications, disaster recovery (DR)/load balancing and data replication are supported.

Vulnerability details: A highly privileged user can exploit SUID-root program to escalate his privileges to root on a local Unix system.

Since the supplier did not describe the details, the following situation would be one of the ways to trigger this design weakness.
SAP ASE may reuse the server user ID (suid) of a dropped login account when the next login account is created. This occurs only when the dropped login holds the highest suid in syslogins; however, it can compromise accountability if execution of drop login is not being audited. Also, it is possible for a user with the reused suid to access database objects that were authorized for the old suid.

Solution (preventive control): If the above details match the technical issue of this CVE, then according to SAP ASE security practices you should observe the following.

You cannot drop a login when:
● The user is in any database.
● The login is the last remaining user who holds the system security officer or system administrator roles.
The system security officer can lock or drop a login using sp_locklogin or drop login. If the system procedure is being logged for replication, the system security officer must be in the master database when issuing the command.
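When drop login is not audited, the reuse described above can still be caught after the fact by reconciling periodic snapshots of syslogins. The following is an added example for this post, not SAP code: it takes two constructed {suid: login name} snapshots and reports every suid that now belongs to a different login, and confirms whether the reused suid was the highest one, the only case in which SAP ASE reuses it.

```python
# Constructed syslogins snapshots {suid: name}, taken before and after a "drop login"
# that was followed by a "create login"; not real SAP ASE data.
BEFORE = {1: "sa", 2: "probe", 3: "appuser", 7: "alice"}
AFTER = {1: "sa", 2: "probe", 3: "appuser", 7: "mallory"}


def reused_suids(before, after):
    """(suid, old_name, new_name) triples where an suid now belongs to a different login,
    which is exactly the accountability gap the advisory describes."""
    return sorted((suid, before[suid], after[suid])
                  for suid in before.keys() & after.keys()
                  if before[suid].lower() != after[suid].lower())


def is_highest_suid_reuse(before, after):
    """SAP ASE only reuses the suid of the dropped login that held the highest value,
    so a reused highest suid is consistent with the drop/create sequence."""
    return any(suid == max(before) for suid, _, _ in reused_suids(before, after))


def report(before, after):
    """Human-readable lines for a ticket; one per reused suid."""
    return [f"suid {suid}: '{old}' -> '{new}' (object grants for {suid} now apply to '{new}')"
            for suid, old, new in reused_suids(before, after)]


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```

Any line in the report should be cross-checked against sysprotects for the reused suid, since permissions granted to the old login now belong to the new one.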

Official announcement: SAP Patch Day Blog – https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2022-28217 Design weakness of SAP NetWeaver (EP Web Page Composer) 13th June 2022

Preface: An XML External Entity (XXE) attack is a type of attack against an application that parses XML input. Furthermore, SSRF is an attack in which an attacker can force a vulnerable server to trigger malicious requests to third-party servers and or to internal resources.

Background: SAP Enterprise Portal is the Web front-end component for SAP NetWeaver – the comprehensive integration and application platform that facilitates the alignment of people, information, and business processes across organizational and technical boundaries.
Enterprise Portal (EP) provides users with a single, uniform point of access to the applications, services, and information they need for their daily work. Moreover, the Portal offers business users the features to easily create and manage portal pages and generate their own content using the following capabilities:
● KM and Web Content Capabilities
EP provides basic document management capabilities and content services within SAP Enterprise Portal (KM). KM provides the basic capabilities that customers need to run their scenarios, as well as an extension framework for custom implementations.
These KM capabilities are also integrated into the Web Page Composer environment to enable flexible Web content management scenarios, bringing relevant information from user-generated content and business
applications together in the portal.

Vulnerability details: Missing XML Validation vulnerability in SAP NW EP WPC. Product – SAP NetWeaver (EP Web Page Composer), Versions – 7.20, 7.30, 7.31, 7.40, 7.50.

Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parsing at endpoints and possibly conduct SSRF attacks that could compromise the system’s availability by causing it to crash.

One of the possibilities: This is an example of an insider threat. To turn the XXE into SSRF, the attacker declares an external entity whose identifier is the URL they want the server to reach, and uses that entity in a data value that the application returns in its response. The response from the URL can then be read in the application’s response.

Official announcement: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Timeline:
03/30/2022 CVE reserved
06/13/2022 +75 days Advisory disclosed
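The simplest defence against the entity-based SSRF described above is to refuse, at the intake boundary, any XML that declares a DTD or entities at all; a Web Page Composer document has no need for them. The following is an added example for this post, not SAP code: it screens two constructed documents (one ordinary, one carrying an external entity that points at a placeholder internal URL) and only hands the clean one to the parser.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: a normal page fragment, and one carrying an external entity whose
# identifier is a placeholder internal URL. Neither is taken from SAP.
BENIGN_DOC = b"<page><title>Quarterly report</title></page>"
ENTITY_DOC = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE page [<!ENTITY ext SYSTEM "http://internal.example.test/status">]>'
              b"<page><title>&ext;</title></page>")

# Any DOCTYPE or ENTITY declaration is rejected outright, external or internal.
DTD_MARKERS = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    pass


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Refuse any document that declares a DTD or entities, then parse the rest normally.
    External entities are what turn a parser into an SSRF or resource-exhaustion primitive."""
    if DTD_MARKERS.search(data):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not accepted from untrusted sources")
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Outcome label for a log line: parsed:<root>, rejected, or malformed."""
    try:
        root = parse_untrusted_xml(data)
    except UnsafeXML:
        return "rejected"
    except ET.ParseError:
        return "malformed"
    return f"parsed:{root.tag}"


if __name__ == "__main__":
    for doc in (BENIGN_DOC, ENTITY_DOC, b"<page>"):
        print(classify(doc))
```

Rejecting before parsing, rather than configuring the parser to ignore entities, also removes the "billion laughs" class of internal-entity expansion that can cause the crash the advisory mentions.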

CVE-2022-25845: About fastjson (security advisory) – 11th June 2022

Preface: Vulnerability management is part of the security development life cycle. You may well be concerned about vulnerabilities; in fact, it is hard for computer products (software and hardware) to avoid design flaws entirely. This is the reality.

Background: Fastjson is Alibaba’s open source JSON parsing library, based on the Java language, which supports the conversion between JSON-formatted strings and JavaBeans. It uses an “assumed ordered fast matching” algorithm to maximize the performance of JSON Parse. Furthermore, fastjson is a Java library that can be used to convert Java Objects into their JSON representation. It can also be used to convert a JSON string to an equivalent Java object.

Fastjson does not use Java’s original serialization mechanism in the process of serialization and deserialization; it uses a set of proprietary mechanisms.

Because the interface is simple and easy to use, it has been widely used in various application scenarios such as cache serialization, protocol interaction, and web output.

Vulnerability details: The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers.

Workaround: If upgrading is not possible, you can enable [safeMode] – https://github.com/alibaba/fastjson/wiki/fastjson_safemode

Official announcement: Autotype bug fix, please refer to the link – https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
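What safeMode and the autoType restrictions protect is the "@type" key, which fastjson reads from the JSON document to decide which class to instantiate. The sketch below is an added example for this post in Python, not fastjson code: it shows the deny-by-default shape such a deserializer should have, where a "@type" value is honoured only if it is on an explicit allowlist and everything else is refused before any object is built. The class names are hypothetical.

```python
import json
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str = "viewer"


# Deny by default: the only type names the document may ask us to instantiate (hypothetical).
TYPE_ALLOWLIST = {"com.example.User": User}


class DeserializationError(ValueError):
    pass


def _revive(node):
    """Walk parsed JSON and build objects only for allowlisted '@type' values."""
    if isinstance(node, list):
        return [_revive(item) for item in node]
    if not isinstance(node, dict):
        return node
    type_name = node.get("@type")
    if type_name is None:
        return {k: _revive(v) for k, v in node.items()}
    cls = TYPE_ALLOWLIST.get(type_name)
    if cls is None:
        raise DeserializationError(f"type {type_name!r} is not on the allowlist")
    fields = {k: _revive(v) for k, v in node.items() if k != "@type"}
    try:
        return cls(**fields)
    except TypeError as exc:  # unknown or missing fields are rejected, not guessed
        raise DeserializationError(f"bad fields for {type_name}: {exc}") from exc


def safe_loads(text: str):
    return _revive(json.loads(text))


def is_accepted(text: str) -> bool:
    try:
        safe_loads(text)
        return True
    except (DeserializationError, ValueError):
        return False


# Constructed documents for the demonstration.
ALLOWED_JSON = '{"users": [{"@type": "com.example.User", "name": "bob", "role": "admin"}]}'
BLOCKED_JSON = '{"@type": "com.example.Gadget", "name": "x"}'

if __name__ == "__main__":
    print(safe_loads(ALLOWED_JSON))
    print(is_accepted(BLOCKED_JSON))
```

The important property is that the type check happens before construction: a document naming a type outside the allowlist never reaches a constructor, which is the invariant the 1.2.83 fix restores.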

antihackingonline.com