Regarding the ManageEngine security announcement (CVE-2021-44757), do you have doubts about their design? (19-1-2022)

Preface: Asset scanning is the key function for maintaining the integrity of asset management. When a company does not operate as a single standalone site, the system architect will often formalize a distributed architecture, and how to scan and collect data then becomes an important topic. The size of the collected file varies with its content, so when the file is transferred to the back-end system, compression (for example, a ZIP file) is traditionally used to reduce network bandwidth consumption. Furthermore, software developers aim to shorten the process completion time.

Background (Asset Scan in Remote AE Server): The scanned information in the Remote AE Server can be updated periodically either manually or automatically in the Central AE Server.

You can install AssetExplorer as a Central Server by choosing the server type as Central AE Server on starting the application for the first time. The application is started as the Central AE Server.

As a result, the Central AE server tracks all your newly added assets and keeps a record of all the assets in the organization.

About CVE-2021-44757: An authentication bypass vulnerability that can allow a remote user to perform unauthorized actions in the server. If exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary zip file on the server. 

As usual, the vendor does not disclose the vulnerability in detail. However, referring to the existing system design, it relies on a compression function. Perhaps the earlier version of the design did not enforce a data integrity check, and therefore it provided a channel for an attacker to create trouble.
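The kind of integrity and path check a back-end should apply to an uploaded archive before processing it. This is an added example, not ManageEngine code; the size limits are assumptions chosen for illustration.

```python
import io
import zipfile

# Limits are assumptions for this example, not values from the advisory.
MAX_ENTRIES = 10_000
MAX_TOTAL_UNCOMPRESSED = 512 * 1024 * 1024  # 512 MiB
MAX_RATIO = 100  # uncompressed/compressed above this looks like a zip bomb


def validate_archive(data: bytes) -> list:
    """Return the problems found in a ZIP archive; an empty list means it passed.

    Checks: ZIP structure, entry count, path traversal / absolute paths,
    total uncompressed size, compression ratio, and per-entry CRC integrity.
    """
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"not a valid zip: {exc}"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries: {len(infos)}")
        total = 0
        for info in infos:
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Reject names that could escape the extraction directory.
            if name.startswith(("/", "\\")) or ".." in parts or (len(name) > 1 and name[1] == ":"):
                problems.append(f"unsafe path: {name!r}")
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append(f"suspicious compression ratio: {name!r}")
        if total > MAX_TOTAL_UNCOMPRESSED:
            problems.append(f"uncompressed size too large: {total}")
        # testzip() re-reads every member and returns the first one whose CRC fails.
        bad = zf.testzip()
        if bad is not None:
            problems.append(f"CRC mismatch: {bad!r}")
    return problems


def build_zip(entries: dict, stored: bool = False) -> bytes:
    """Build a small in-memory archive from constructed sample entries."""
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one well-formed inventory file and one traversal entry.
    print(validate_archive(build_zip({"inventory/host1.csv": b"hostname,ip\nweb01,10.0.0.5\n"})))
    print(validate_archive(build_zip({"../outside.txt": b"x"})))
```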

Official announcement: For details, please refer to link – https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022

Oracle Releases January 2022 Critical Patch Update – Quick and easy understanding of CVE-2021-2351 (Oracle JDBC Native Network Encryption design limitation).

Preface: Even though CVE-2021-2351 was announced last year (21st July, 2021), this topic still holds my interest. As we know, the web server and the DB server are important components of the existing digital world. For example, big data, IoT, automotive and mobility functions work with a front-end web server, and between the web server and the database server, ODBC or JDBC forms the bridge that communicates with the database. In the traditional attack scenario, SQL injection is a very common type of attack; when an incident happens, we lose data confidentiality.

Background: The JDBC thin client is a pure Java, Type IV driver. If you are accessing one type of database, such as Oracle, Sybase and IBM, the preferred driver type is 4.

Oracle Database provides native data network encryption and integrity to ensure that data is secure as it travels across the network. The setup offers two ways to encrypt data over the network, native network encryption and Transport Layer Security (TLS).

Encrypting network data is how a system design addresses data confidentiality: it provides data privacy so that unauthorized parties cannot view plaintext data as it passes over the network. However, what if a design weakness occurs in the communication between devices? What do you think the exact impact of this defect is?

Vulnerability details: There are two fundamental design constraints on this issue (Native Network Encryption).

  • Clients that do not support native network encryption can fall back to unencrypted connections while incompatibility is mitigated.
  • It provides no non-repudiation of the server connection (that is, no protection against a third-party attack).

When an insider threat occurs, the above 2 design limitations will increase the possibility of being attacked.

Attack scenario: If an insider threat occurs, cyber criminals can sniff the internal network because of points 1 and 2 above (refer to the attached diagram). Session hijacking then becomes easy because there is no further protection: since no CA certificate needs to be obtained and installed on the attacker's machine to conduct a man-in-the-middle attack, the attacker can receive a valid session token and gain authorized access equivalent to that of the victim user.

Workaround: Update the Oracle Database servers and clients to the patched versions. Enforce usage of a secured protocol version by setting the following options:

SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS=FALSE (server-side)
SQLNET.ALLOW_WEAK_CRYPTO=FALSE (client-side)

Or use TLS-based transport security instead of Native Network Encryption.
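A small audit of a sqlnet.ora file for the two settings in the workaround above. This is an added example, not Oracle tooling; it goes one step beyond the page by also checking that SQLNET.ENCRYPTION_SERVER and SQLNET.CRYPTO_CHECKSUM_SERVER are REQUIRED, which closes the unencrypted fallback described in limitation 1. It assumes standard KEY=VALUE sqlnet.ora syntax.

```python
import re

# Settings the workaround calls for, plus the two parameters that make native
# network encryption and integrity mandatory instead of negotiable.
EXPECTED = {
    "SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS": "FALSE",  # server side
    "SQLNET.ALLOW_WEAK_CRYPTO": "FALSE",          # client side
    "SQLNET.ENCRYPTION_SERVER": "REQUIRED",
    "SQLNET.CRYPTO_CHECKSUM_SERVER": "REQUIRED",
}

# Constructed sample files (not taken from any real deployment).
WEAK_SQLNET = """\
# legacy client population still on old drivers
SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS = TRUE
SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES128)
"""

HARDENED_SQLNET = """\
SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS = FALSE   # server
SQLNET.ALLOW_WEAK_CRYPTO = FALSE           # client
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""


def parse_sqlnet(text: str) -> dict:
    """Parse KEY = VALUE lines, ignoring comments; keys and values upper-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.+)", line)
        if m:
            value = m.group(2).strip().strip("()").strip().upper()
            params[m.group(1).upper()] = value
    return params


def audit_sqlnet(text: str) -> list:
    """Return one finding per expected parameter that is missing or weak."""
    params = parse_sqlnet(text)
    findings = []
    for key, wanted in EXPECTED.items():
        value = params.get(key)
        if value is None:
            findings.append(f"{key} is not set explicitly; set it to {wanted}")
        elif value != wanted:
            findings.append(f"{key}={value}; expected {wanted}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        print(name, audit_sqlnet(cfg) or "OK")
```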

US National Vulnerability Database details announcement – https://nvd.nist.gov/vuln/detail/CVE-2021-2351

About CVE-2022-0240: Do not dismiss a low-risk vulnerability (17th Jan, 2022)

Preface: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Background: MRuby is the lightweight implementation of the Ruby language complying with (part of) the ISO standard. Its syntax is Ruby 2[.]x compatible. MRuby is embeddable and can be run inside other applications, which makes it great for scripting and configuration. There is an unofficial consensus among IoT manufacturers that "dumb" IoT devices only provide resources or services, while in the IoT broker cloud most components contain application logic. MRuby fits this use case well despite its performance issues.

Vulnerability details: MRuby is vulnerable to NULL pointer dereference; the NULL pointer dereference is in prepare_singleton_class. The official remedy states that adding two lines to src/class[.]c fixes the vulnerability.

Refer to the attached diagram: the design compiles Ruby code to bytecode, which is then installed on the virtual machine of the IoT device. As a matter of fact, the NULL pointer dereference happens in the MRuby object class. Will the compiled program be affected?

Perhaps the following note from Apple developer documentation provides guidance.

Dereferencing a null pointer always results in undefined behavior and can cause crashes. If the compiler finds a pointer dereference, it treats that pointer as nonnull. As a result, the optimizer may remove null equality checks for dereferenced pointers.

But no hints about this uncertainty were found on the internet, so it still needs to be observed.

Remedy: The official announcement can be found at the following link: https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca

CVE-2022-23094 on Libreswan. Stay alert!

Preface: Pluto is an IKE (“IPsec Key Exchange”) daemon. Pluto is an implementation of IKE. It runs as a daemon on a network node. Currently, this network node must be a LINUX system running the KLIPS or NETKEY implementation of IPsec, or a FreeBSD/NetBSD/Mac OSX system running the KAME implementation of IPsec.

Background: Libreswan is a free software implementation of the most widely supported and standardized VPN protocol, using “IPsec” and the Internet Key Exchange (“IKE”). Most IPsec deployments fall into two types. The first type is Remote Access, where roaming users (phones, laptops) connect to the corporate network. The second type of IPsec network is where two or more IPsec gateways connect different networks together.

Is Libreswan safe? This open-source VPN is secure if you’re a Linux user since it uses a built-in “XFRM” IPsec stack and DDNS crypto library. The VPN is compatible with Linux distribution such as RHEL/EPEL, Arch Linux, and Fedora.

What is an xfrm interface?
The design of virtual xfrm interfaces was discussed at the Linux IPsec workshop 2018. This patchset implements these interfaces as the IPsec userspace and kernel developers agreed. The purpose of these interfaces is to overcome the design limitations of the existing VTI (Virtual Tunnel Interface) devices.

Vulnerability details: According to the vendor announcement, Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet, because pluto/ikev1[.]c wrongly expects that a state object exists.
Observation: Are the consequences of the NULL pointer dereference due to vmalloc in the specified function?

Mitigation: If all configured connections are using IKEv2, the IKEv1 subsystem can be disabled by adding the option ikev1-policy=drop to the “config setup” section of ipsec[.]conf. Alternatively, libreswan can be compiled with USE_IKEv1=false.

Or install version 4.6.

Official announcement: For details of the official announcement, please see the homepage – https://libreswan.org/

Prophecy astrology and astronomical phenomenon (16th Jan, 2022)

Preface: The history of Vedic astrology, some said it’s been around since 10,000 B.C!

Synopsis:

About Prophecy astrology: Vedic astrology refers to Indian or Hindu astrology, a system that originated in ancient India and was recorded by saints in the Vedic scriptures. Also known as “Jyotish” – the science of light Vedic astrology involves the patterns of astral light that are thought to determine our destiny.

About the astronomical phenomenon: On the ecliptic plane, the planets are clustered near the line connecting the Sun and the Earth. From an astronomical point of view, this is considered a planetary alignment ("planets align in order"). However, it excludes exoplanets.

Reminder: From 3001 BC to 3000 AD, there were 49 occurrences of “six-star Planets align in order” with a θ angle below 5 degrees, “seven-star Planets align in order” 3 times, and “eight-star Planets align in order” or above did not or would not occur. If the θ angle is expanded to 10 degrees, there are 709 times “Six Stars Planets align in order”, 52 times “Seven Stars Planets align in order”, and 3 times “Eight Stars Planets align in order”.

From which astrology is the term “Karasapa Yoga” derived? Kala Sarpa Yoga, or Kala Sarpa Dosha, is one of the most concerning planetary combinations in Vedic astrology, for example when planets align in order. It is often called a Dosha because it mainly leads to unlucky results.
Kala Sarpa yoga is mostly ominous and thought to seriously hurt people. The results of this Dosha, while harmful, are different for everyone. The extent or scale of damage it can cause varies depending on the location and condition of the planet.

Prediction of 7 major astronomical phenomena in 2022 Meteor shower / total lunar eclipse / super full moon / rare eight planets align in order. Perhaps when planets align in order bring the Astrology attention.

In late June (25th June 2022), there will be a rare “eight stars in a row”. The seven planets Venus, Jupiter, Mercury, Mars, Saturn, Uranus and Neptune plus Pluto will be in a line, and there is a chance to watch it before sunrise.

Reference: We’ve heard predictions recently (presumably based on Vedic astrology).
Believe it or not, it’s all up to you.

About Citrix vulnerabilities (CVE-2021-28704 & CVE-2021-28707) 13th Jan 2022

Preface: Virtual memory settings can often be controlled through the OS. In addition, RAM uses swapping techniques, while virtual memory uses paging. While physical memory is limited to the size of the RAM chip, virtual memory is limited by the size of the hard disk.

Background: When you create a VM, a fixed amount of memory is allocated to the VM. You can use Dynamic Memory Control (DMC) to improve the utilization of physical memory in your Citrix Hypervisor environment. DMC is a memory management feature that enables dynamic reallocation of memory between VMs.

The QEMU component is a superset of the QEMU device model present in Xen. In KVM, the QEMU binary directly takes care of talking to the hypervisor to create the guest domain. In Xen, the QEMU binary merely provides the I/O emulation, while XenD takes care of actually creating the domain.

A DomU is an unprivileged domain with (by default) no access to the hardware. It must run a frontend driver for any multiplexed hardware it wishes to share with other domains. The kernel for a DomU comes from Dom0’s filesystem, not from the filesystem exported to the DomU.

Vulnerability details: Citrix has released security updates to address vulnerabilities in Hypervisor. An attacker could exploit these vulnerabilities to take control of an affected system. For more details, please refer to the link – https://support.citrix.com/article/CTX335432

About: HTTP Protocol Stack RCE Vulnerability (11th Jan, 2022)

Preface: HTTP[.]sys is mature technology that protects against many types of attacks and provides the robustness, security, and scalability of a full-featured web server. IIS itself runs as an HTTP listener on top of HTTP[.]sys.

Background: HTTP/1.1 specifies that a response sent as Transfer-Encoding: chunked can include optional trailers (ie. what would normally be sent as headers, but for whatever reason can’t be calculated before the content, so they can be appended to the end).

The HTTP 1.1 specification lays out how chunking works, specifically in section 3.6.1:
The chunked encoding modifies the body of a message in order to transfer it as a series of chunks, each with its own size indicator, followed by an OPTIONAL trailer containing entity-header fields. This allows dynamically produced content to be transferred along with the information necessary for the recipient to verify that it has received the full message.
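A parser for the chunked layout just described, including the optional trailer section, written the way a defender would want it: strict hexadecimal chunk-size syntax and hard limits on chunk size, body size and trailer size, so malformed or oversized input is rejected instead of processed. This is an added example, not code from HTTP.sys or from the original post; the limit values are assumptions.

```python
import re

MAX_CHUNK_SIZE = 1 << 20      # per-chunk limit (assumption)
MAX_BODY_SIZE = 8 << 20       # total decoded body limit (assumption)
MAX_TRAILER_BYTES = 4096      # whole trailer section limit (assumption)
MAX_TRAILERS = 16
CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]{1,8}$")  # no sign, no 0x prefix, no blanks


class ChunkedError(ValueError):
    """Raised for any malformed or over-limit chunked body."""


def parse_chunked(data: bytes):
    """Decode a chunked body; return (body, trailers, remaining_bytes)."""
    body, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("chunk-size line not terminated")
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not CHUNK_SIZE_RE.match(size_field):
            raise ChunkedError(f"bad chunk-size {size_field!r}")
        size = int(size_field, 16)
        if size > MAX_CHUNK_SIZE:
            raise ChunkedError("chunk too large")
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailer section follows
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedError("truncated chunk-data")
        body += chunk
        if len(body) > MAX_BODY_SIZE:
            raise ChunkedError("decoded body too large")
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkedError("missing CRLF after chunk-data")
        pos += 2
    trailers, trailer_start = {}, pos
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("trailer section not terminated")
        if eol - trailer_start > MAX_TRAILER_BYTES:
            raise ChunkedError("trailer section too large")
        line, pos = data[pos:eol], eol + 2
        if not line:
            break  # empty line ends the trailer section
        name, sep, value = line.partition(b":")
        if not sep or not name.strip() or len(trailers) >= MAX_TRAILERS:
            raise ChunkedError("malformed trailer or too many trailers")
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return bytes(body), trailers, data[pos:]


def is_rejected(data: bytes) -> bool:
    """True if the parser refuses the input (used to check the limits)."""
    try:
        parse_chunked(data)
        return False
    except (ChunkedError, UnicodeDecodeError):
        return True
```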

Vulnerability details: This vulnerability can be exploited by sending specially crafted packets to the HTTP protocol stack in order to launch an attack. In view of the high severity of this vulnerability.

Ref (1): The HTTP Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent. No package install is needed if you use the Microsoft[.]AspNetCore[.]All metapackage.

The Microsoft[.]AspNetCore[.]Server[.]HttpSys package is included in the metapackage.

Ref (2): Call the UseHttpSys extension method on WebHostBuilder in your Main method, specifying any HTTP[.]sys options that you need.

Mitigations: Please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907

About: CVE-2022-22531 – Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA (11-1-2022)

Preface: For security reasons, SAP will not disclose the details of the vulnerability. The security bulletin was issued yesterday. The end user only needs to apply the fix, but we do not know what actually happened. So my purpose in this topic is to try to dig out details that may interest you. If my findings do not precisely identify the reason for this vulnerability, no worries: weaknesses in client-side JavaScript security in SAPUI5 applications may be ubiquitous, and it is easy to find the details elsewhere.

Background: F0743 (Create Single Payment) is an SAP S/4HANA transactional app used by an Accounts Payable Accountant through the user interface (UI) technology SAP Fiori (SAPUI5). With this app you can make a direct payment to a supplier when no invoice exists, and you can pay open supplier line items. When you make a direct payment to a supplier without an invoice, you specify the supplier details, the bank details, and the amount to be paid, then create the payment.

Vulnerability details: Official announcement stated that Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA.

Results are based on my observations: SAPUI5 is a hybrid app framework (because of HTML5). SAPUI5 is the technology, whereas Fiori is the methodology. Fiori focuses mainly on mobility; it uses SAPUI5 for the front end and OData to retrieve back-end data. Based on the above, apps built using SAPUI5 are responsive across browsers and devices and can run on smartphones, tablets, and desktops. If not properly used, the SAPUI5 framework is susceptible to the various types of security vulnerabilities that usually affect client-side JavaScript frameworks.

Static Application Security Testing has shown that SAPUI5 applications can contain DOM-based cross-site scripting and code injection loopholes. For example (type-0 XSS): a vulnerable document.write() sink reflects user input directly into the web page DOM, where the input comes from a textbox and is retrieved through the getValue() method of the vulnerable SAPUI5 application.

Impact: It increases the likelihood that client code will behave in an “unexpected” way.

Official announcement: Please refer to the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035

CVE-2022-21825 Citrix Workspace App for Linux Security Update (11-1-2022)

Preface: Privilege escalation attacks can be separated into two types: horizontal privilege escalation and vertical privilege escalation. Privilege escalation happens when a malicious user exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to resources that should normally be unavailable to them.

Background: Starting with 2109 version, Citrix Workspace app introduces an option to append the User-Agent strings in the network request and identify the source of a network request. Based on this User-Agent strings request, you can decide how to manage your network request.
For version 2108, the app protection feature is now fully functional. The app protection feature supports apps and desktop sessions and is enabled by default. However, you must configure the app protection feature in the AuthManConfig.xml file to enable it for the authentication manager and the Self-Service plug-in interfaces.

Vulnerability details: A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux.

This vulnerability only affects Citrix Workspace app for Linux 2012 – 2111 and only exists if App Protection was installed as part of Citrix Workspace app for Linux. This vulnerability does not exist if App Protection is not installed.

My observation: The vendor did not disclose details, but consider the design constraints of the product. A vulnerable version of glibc might have the potential to trigger the design weakness, because Citrix Workspace app for Linux (installed with App Protection) does not support the app protection feature on an OS that uses glibc 2.34 or later. For more details, please refer to the attached diagram.

Official announcement: Please refer to the link – https://support.citrix.com/article/CTX338435

CVE-2021-23218 Missing Release of Memory after Effective Lifetime 10th Jan 2022

Preface: Deploy the leading enterprise container runtime with just two commands

Background: Mirantis Container Runtime is the industry-leading, high-level runtime at the heart of Mirantis Kubernetes Engine, enabling it to operate Swarm and Kubernetes containers efficiently on any substrate. It is based on containerd, the Cloud Native Computing Foundation (CNCF) core container runtime. FIPS 140-2 is only supported in MCR. MKE and MSR currently do not support FIPS 140-2.

Vulnerability details: When running with FIPS mode enabled, Mirantis Container Runtime leaks memory during TLS Handshakes which could be abused to cause a denial of service.

Affected Products: Mirantis Container Runtime (MCR) version 20.10.8

Mitigations: FIPS mode is not the default mode of operation.

Observation: One of the possibilities: users of SSL channels with applications that frequently connect and disconnect. The message digest could be handled in such a way that internal resources fail to be cleaned up when multiple threads start and end SSL sessions concurrently.

Official announcement: Please refer to the link – https://github.com/Mirantis/security/blob/main/advisories/0002.md

antihackingonline.com