Preface: Some people say that CGI-Bin is a historical site. Today’s onerous security environment, perhaps not people use it. The truth tell us is that CGI-Bin still have space for survival.

Background: About two months ago, the proof of concept for CVE-2021-41773 (Apache 2.4.49 & 2.4.50) vulnerability was released. The remedy solution is modify the configuration of Apache server httpd[.]conf file. As a matter of fact, Apache server has multifunciton, high capability feature. Therefore if software developer and web master do some mistake in this file. It will expand the problem if it has vulnerability occurs.

Vulnerability details (CVE-2021-42013): Found that remedy for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.

Reference: In addition to the above-mentioned vulnerabilities, the supplier also discovered new vulnerabilities. For more details, please refer to the link – https://httpd.apache.org/security/vulnerabilities_24.html#2.4.49

Preface: Perhaps we still remember a denial of service tool so called slow http attack. It can easily to make a Apache server out of resources less than minute. UTM firewall contains many components. For example, SSL VPN gateway. From technical point of veiw, this module also similar a HTTPS web server. If it contain application filter function, it will be included regular expression function installed.

Background: While analyzing traffic, FortiWeb’s HTTP parser must extract and buffer each part in the request or response. The buffer allows FortiWeb to scan and/or rewrite it before deciding to block or forward the finished traffic.
Buffers are not infinite due to the physical limitations inherent in all RAM, they are allocated a maximum size. If the part of the request or
response is too large to fit the buffer, FortiWeb must either pass or block the traffic without further analysis of that part.

For example, if your web applications require HTTP POST requests with unusually large parameters, you would adjust the HTTP body buffer size. For details, see http-cachesize in the FortiWeb CLI Reference.

Vulnerability details: An uncontrolled resource consumption vulnerability [CWE-400] in FortiWeb may allow an unauthenticated attacker to cause a Denial of Service to the FortiWeb’s HTTP daemon via sending a large amount of crafted HTTP requests.

My observation: If this design weakness given by http handler. Think it over, HTTP handler is a Java component that consists of properties. The handler delivers an outbound integration message as an XML document to a URL by using HTTP or HTTPS protocols. The HTTP handler also evaluates the response code received from the external system. If this is the exact vulnerable component. Maybe one of the possibilities looks like scenario shown on attached diagram.

Official details: Please refer to the link – https://www.fortiguard.com/psirt/FG-IR-21-131

Preface: If it is a integer, just use it directly. If it is a pointer, need to check for valid user address:
int access_ok(int type, const void *addr, unsigned long size);

Background: IOCTL is referred as Input and Output Control, which is used to talk with device drivers. IOCTL is a system call where system call is the programmatic way in which a computer program in user space
requests a service from the kernel space of the operating system.

According to Oracle Solaris 11 Information Library article. So called Well Known ioctl Interfaces. Many ioctl(9E) operations are common to a class of device drivers. For example, most disk drivers implement many of the dkio(7I) family of ioctls. Many of these interfaces copy in or copy out data structures from the kernel, and some of these data structures have changed size in the LP64 data model.

Perhaps the vulnerability this time not related to Oracle 11. Since Oracle is outdated and end-of-life.

Vulnerability details: SentinelLabs has discovered a number of high severity flaws in driver software affecting numerous cloud services. These vulnerabilities originated from a library developed and provided by Eltima, which is in use by several cloud providers. These vulnerabilities affect multiple products. Attacker choose the code deals with a user buffer of type METHOD_NEITHER (Type3InputBuffer), if it IOCTL handler do not have validating. It will trigger the vulnerability of the IOCTL handlers 0x22001B. If you are interested, please refer to the link – https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/

Preface: CISA Releases Security Advisory on WebHMI Vulnerabilities – https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03

Background: The company Distributed Data Systems LLC is well-known in Ukraine and abroad for products with WebHMI and 7bit brands for remote monitoring and control of industrial equipment in Industry 4.0 format.

Remark: 7Bit ModBus Proxy is a caching gateway from ModBus TCP protocol to Modbus RTU.

SCADA is a powerful control system that is designed to collect, analyze, and visualize data from industrial equipment. Web-based HMIs allow users to monitor and control devices and processes at a distance. WebHMI is a SCADA-system with built-in web server that allows you to monitor and control any automation system on the local network and via the Internet from your computer and mobile devices.

Vulnerability details: The WebHMI itself encountered two different vulnerabilities includes Authentication Bypass by Primary Weakness and Unrestricted Upload of File with Dangerous Type.

CVE-2021-43931 The authentication algorithm of the WebHMI portal is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

CVE-2021-43936 The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product’s environment or lead to arbitrary code execution.

The following information is our speculation on the cause of the vulnerabilities.

CVE-2021-43931 – Insufficient Session Expiration is a security flaw that lets an application permit an attacker to reuse old session credentials or session IDs, thus exposing an application to attacks that steal or reuse users’ session identifiers.
CVE-2021-43936 – Sneaking in a malicious script is easier than using compiled malware. Once these scripts make their way to the target host, they are executed in a safe location where they cannot be flagged, such as the /tmp folder. Generally, these scripts do not carry out anything malicious on their own, although they do connect to the command-and-control (C&C) server to download malware.

Preface: If a network interface controller is intended to be used as a boot device for a UEFI operating system or UEFI applications, then a UEFI Driver must be implemented that produces Network Interface Identifier Protocol and UNDI, the Simple Network Protocol, or the Managed Network Protocol.

Background: Tianocore EDK II is the UEFI reference implementation by Intel. EDK is the abbreviation for EFI Development Kit and is developed by the TianoCore community.

UEFI stands for Unified Extensible Firmware Interface. It does the same job as a BIOS, but with difference. It stores all data about initialization and startup. UEFI supports drive sizes upto 9 zettabytes, whereas BIOS only supports 2.2 terabytes. UEFI provides faster boot time.

UEFI also includes TCP (the latest version of UEFI from IIRC supports booting via HTTP, similar to iPXE).

Disadvantages of UEFI?

• 64-bit are necessary.
• Virus and Trojan threat due to network support, since UEFI doesn’t have anti-virus software.

Vulnerability details: Certain versions of EDK II from TianoCore contain vulnerability (NetworkPkg/IScsiDxe has remotely exploitable buffer overflows). The fact is that potential integer overflow in IScsiBinToHex().

Reason: EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.

Official details: Please refer to the link – https://bugzilla.tianocore.org/show_bug.cgi?id=3356

Preface: Nextcloud is a suite of client-server software for creating and using file hosting services. It is enterprise-ready with comprehensive support options. Being free and open-source software, anyone is allowed to install and operate it on their own private server devices.

Background: The Nextcloud News Reader App makes it possible to synchronize feeds between Android and the Nextcloud News App. In order to use this app , you will need to have a nextcloud instance running with the news app installed.

About Nextcloud 17. The main novelty of the new version of Nextcloud is that the addition of the “remote wipe” feature is very eye-catching. This allows users to delete files on mobile devices. The administrator will delete data from all devices of a given user.

Unlike Google Drive, Dropbox, Yandex.Disk and box.net services, the ownCloud and Nextcloud projects provide users with complete control over their data: the information is not tied to an external closed cloud storage system, but the user controls the device.

Vulnerability details: How to switch from the original first MainActivity to the ResultActivity we just generated? The answer is to use Intent,

In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android.

Remedy: Users should upgrade to version 0.9.9.63 or higher as soon as possible.

Observation: In Android, there are many specific security related issues that pertain only to certain technologies such as Activities or SQLite. If a developer does not have enough knowledge about each of the different security issues regarding each technology when designing and coding, then unexpected vulnerabilities may arise.

Repair details: please refer to the link https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85

Preface: (2021-07-30) Reported to KDE and GNOME development teams – In response, patches for both kio and glib were implemented.
However, both projects rely mainly on udisks and use own code only as fallback.

Background: Ubuntu used to have Unity desktop in its default edition but it switched to GNOME desktop since version 17.10 release.
Ubuntu offers several desktop flavors and the KDE version is called Kubuntu. GNOME is the default desktop for Fedora and KDE is the default desktop for OpenSUSE. Depending on how old your Linux distribution is you might have udisks or udisks2 (fourth process) and then you have the udev daemon (second process).

One of the characteristics of Dbus, if you plug in a USB storage device. Dbus and UDisks2 will notified you device is ready.

Remark (a): udisks2 is used by KDE and GNOME nowadays at least (since years). udisks (1) is outdated/obsolete.

Remark (b): The one is udisks which deals with storage devices like USB sticks and the like. The second is udev, a daemon that deals with all kind of devices from PCI boards to the keyboard and mouse (including everything that udisks deals with).

Vulnerability details: Several user-accessible mount helpers use insecure defaults which allow ext2/3/4 file systems to cause a denial of service (kernel panic) upon mounting a crafted image.

Official announcement – https://bugzilla.redhat.com/show_bug.cgi?id=2003649

Udisks2 hides certain devices from the user by default. You can enter the following directory for review:

Fedora – /usr/lib/udev/rules[.]d/80-udisks2[.]rules

Preface: CSV file is a useful thing in today’s world when we are talking about machine learning, data handling, and data visualization.

Background: There are many Raw storage bucket for big data analytic. You might store it in a text format such as JavaScript Object Notation (JSON) or comma-separated values (CSV), or perhaps even Apache Avro. Most people prefer to store it in either JSON or CSV files. CSV format is about half the size of the JSON and another format file. It helps in reducing the bandwidth, and the size of the below would be very less. Therefore, csv is one of the important data types used in the field of data analysis.

Vulnerability details: When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files.

Impact: This affects all versions of package html-to-csv.

Official details: Please refer to the link for details – https://security.snyk.io/vuln/SNYK-PYTHON-HTMLTOCSV-1582784

Reference: BeautifulSoup parsing flaw – None of the parsing error is caused due to BeautifulSoup. It is because of external parser use (html5lib, lxml) since BeautifulSoup doesn’t contain any parser code. One way to resolve above parsing error is to use another parser.

Python built-in HTML parser causes two most common parse errors, HTMLParser.HTMLParserError: malformed start tag and HTMLParser.HTMLParserError: bad end tag and to resolve this, is to use another parser mainly: lxml or html5lib.