Is “excessive resource usage” in jsonrpc the security focus of the Citrix announcement (CTX330728)? (9th Nov 2021)

Preface: The Citrix ADC NITRO protocol allows you to configure and monitor the Citrix ADC appliance programmatically by using
Representational State Transfer (REST) interfaces. Therefore, NITRO applications can be developed in any programming language.
Additionally, for applications that must be developed in Java or .NET or Python, NITRO APIs are exposed through relevant libraries
that are packaged as separate Software Development Kits (SDKs).

Background: When it comes to network services, you can use remote procedure calls (RPC) and representational state transfer (REST) to create APIs for network communication. As with any programming problem, understanding the advantages of each method will help you choose the best solution and reduce unforeseen technical problems. Have you experienced the “excessive resource usage” issue in jsonrpc? For more information on this matter, please refer to the attached picture. In addition, do you think the security focus of the Citrix announcement (CTX330728) is on similar topics?

Vulnerability details:

CVE-2021-22955 – Unauthenticated denial of service
Affected Products: Citrix ADC, Citrix Gateway (appliance must be configured as a VPN (Gateway) or AAA virtual server)
Possible cause: Uncontrolled Resource Consumption
Criticality: Critical

CVE-2021-22956 – Temporary disruption of the Management GUI, Nitro API and RPC communication
Affected Products: Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition (access to NSIP or SNIP with management interface access)
Possible cause: Uncontrolled Resource Consumption
Criticality: Critical

Official announcement – https://support.citrix.com/article/CTX330728

Siemens Security Advisory by Siemens ProductCERT – 9th Nov 2021

Preface: Directory traversal (path traversal) happens when the attacker is able to read files on the web server outside of the directory of the website. Directory traversal is only possible if the website developer makes mistakes.

Background: SIMATIC PCS 7 Web can be used to operate and monitor a plant via Intranet or Internet. Extensive configuration options enable individualized and secure online access to the operator control and monitoring level of the production plant. This enables remote control room concepts to be realized. The new version expands the integration of mobile devices for plant monitoring even further.

Vulnerability details:

CVE-2021-40364
The affected systems store sensitive information in log files. An attacker with access to the log files could publicly expose the information or reuse it to develop further attacks on the system.

CVE-2021-40359
When downloading files, the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read unexpected critical files.

CVE-2021-40358
Legitimate file operations of the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read, write or delete unexpected critical files.

Official announcement: https://cve.report/CVE-2021-40364/e6b9d41.pdf

CVE-2021-41250: Be alert on the Python Discord server (together with Python code) (5th Nov, 2021)

Preface: One aspect of the Microsoft-python server focuses on Python or Microsoft-developed tools. If you want to develop data science, security or games, then the Python Discord server is your best choice.

Background: Bots on Discord, the group messaging platform, are helpful artificial-intelligence assistants that can perform several useful tasks on your server automatically. Building a Discord bot with Python is easy (see below):

  1. pip install discord[.]py
  2. If you don’t have a Discord account, create one.
  3. Once you log in, you can create a New Application.

Discord servers are used in a wide range of applications, from basic mathematics to Python programming to more core data science concepts such as machine learning and artificial intelligence.

Vulnerability details: CVE-2021-41250 (Python Discord): The token filtering function would exit early if it detected a URL within the message, but it made no extra checks to ensure there weren’t other tokens within that message that would trigger it.

Weakness Enumeration: Improper Input Validation

This issue has been resolved in commit: 67390298852513d13e0213870e50fb3cff1424e0 – https://github.com/python-discord/bot/commit/67390298852513d13e0213870e50fb3cff1424e0
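The early-exit logic described above, modelled in Python as an added example (this is not the python-discord bot's own code); the token pattern, the URL check and the sample message are constructed assumptions, and the fixed variant keeps scanning every candidate instead of returning on the first URL false positive:

```python
import re

# Constructed, simplified token shape: three dot-separated base64url-style
# segments. The real bot's pattern is not on the page; this is an assumption.
TOKEN_RE = re.compile(r"[\w-]{24}\.[\w-]{6}\.[\w-]{27}")
URL_RE = re.compile(r"https?://\S+")

# Constructed sample values (not real credentials).
FAKE_TOKEN = "x" * 24 + "." + "y" * 6 + "." + "z" * 27
URL_WITH_LOOKALIKE = "https://example.com/" + "a" * 24 + "." + "b" * 6 + "." + "c" * 27
SAMPLE_MESSAGE = f"see {URL_WITH_LOOKALIKE} and also here is mine {FAKE_TOKEN}"


def inside_url(message, match):
    """True when the candidate token lies within a URL in the message."""
    return any(u.start() <= match.start() and match.end() <= u.end()
               for u in URL_RE.finditer(message))


def find_leaked_tokens_vulnerable(message):
    """Shape of the bug: the first candidate that sits inside a URL makes the
    filter return immediately, so a real token later in the message is never seen."""
    for match in TOKEN_RE.finditer(message):
        if inside_url(message, match):
            return []          # early exit: remaining candidates are skipped
        return [match.group()]
    return []


def find_leaked_tokens_fixed(message):
    """Fixed shape: discard only the URL false positive, keep scanning the rest."""
    found = []
    for match in TOKEN_RE.finditer(message):
        if inside_url(message, match):
            continue           # skip this candidate, not the whole message
        found.append(match.group())
    return found
```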

Abuse macOS features, installing undetectable malware – 2nd Nov, 2021

Preface: Apple replaces bash with zsh as the default shell in macOS.

Background: According to the ZSH documentation on Startup/Shutdown Files, there are a number of files (located in the home directory $HOME or ~/):
[.]zprofile (login shell)
[.]zshenv (environment variables)
[.]zshrc (interactive shell)
[.]zlogin (login shell)
[.]zlogout (when the shell exits)

When zsh starts, it looks for the environment-variables file (/etc/xxx[.]zshenv). If found, it runs the commands in that file automatically.

Vulnerability details: The vulnerability is tracked as CVE-2021-30892 and was discovered in macOS Monterey 12.0.1 and Big Sur and Catalina updates.

So, one path an attacker could take to perform arbitrary operations would be to create a malicious [.]zshenv file and then wait for system_installd to invoke zsh.

If you are interested in this matter, please refer to the URL

Officials stated that CVE-2021-1048 may be subject to limited and targeted exploitation, but did not elaborate. Can we guess what happened? (3rd Nov 2021)

Preface: Android garbage collection is an automatic process which removes unused objects from memory. However, frequent garbage collection consumes a lot of CPU, and it will also pause the app.

Background: The garbage collection of Unix sockets first selects a set of candidate sockets that are only referenced from in-flight sockets (total_refs == inflight_refs). This condition is checked and marked once during the candidate collection phase. Although inflight_refs is protected by unix_gc_lock, total_refs (the file count) is not.

Vulnerability details: Google described the one that attackers may be picking apart – CVE-2021-1048 – as caused by a use-after-free (UAF) vulnerability in the kernel.

Additional: CVE-2021-1048 is a use-after-free issue in the kernel that allows local privilege escalation, but it requires the attacker to already have local access. From there, the attacker can install a rogue application or use a web application to deliver malicious code (JavaScript). As a result, the attacker escapes the sandbox and abuses this kernel vulnerability.

Official announcement: Published November 1, 2021 | Updated November 2, 2021. There are indications that CVE-2021-1048 may be under limited, targeted exploitation. Please refer to the link for details – https://source.android.com/security/bulletin/2021-11-01

CVE-2021-41036: old wine in a new bottle, problem resolved. But you should stay alert! (2nd Nov, 2021)

Preface: The open source Paho MQTT project for embedded C lets devices connect to and communicate with an IoT platform.

Background: MQTT is based on the client-server communication model. The MQTT server is called the MQTT Broker. Currently, there are many MQTT Brokers in the IIoT world. MQTT client libraries exist for different programming languages and platforms (see below):

Eclipse Paho C and Eclipse Paho Embedded C
Eclipse Paho Java Client
Eclipse Paho MQTT Go client
emqtt: Erlang MQTT client library provided by EMQ
MQTT.js Web & Node.js Platform MQTT Client
Eclipse Paho Python

The Paho MQTT project for embedded C includes three sub-projects:
– MQTTPacket: provides serialization and deserialization of MQTT packets and some helper functions.
– MQTTClient: a high-level C++ client built on MQTTPacket.
– MQTTClient-C: a high-level C client built on MQTTPacket.

Vulnerability details: In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket.

Ref: The design weakness of the Eclipse Paho MQTT C Client was found on 21st June 2017. Version 1.1 remedied it, and the developer confirmed the fix on 14th July 2017. However, the versions prior to 1.1 were later identified as vulnerable by a researcher and assigned CVE-2021-41036 on 2nd Nov 2021.

Question: Do you think the vulnerable version of MQTTClient-C has a chance of attacking the MQTT Broker?

Official announcement: https://github.com/eclipse/paho.mqtt.embedded-c/issues/96
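An added example (not Paho's code) that models in Python the Remaining Length decode and the bounds check the page says readpacket lacked: the unchecked reader trusts rem_len from the wire, the checked reader rejects anything that would not fit the receive buffer. MAX_PACKET_BUF, the function names and the sample packets are assumptions constructed here.

```python
MAX_PACKET_BUF = 64  # constructed: capacity of a fixed receive buffer (assumption)

def decode_remaining_length(data, offset=1):
    """Decode MQTT's Remaining Length field (1 to 4 bytes, 7 data bits each,
    high bit = continuation). Returns (length, index where the body starts)."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(data):
            raise ValueError("truncated remaining-length field")
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("remaining length longer than 4 bytes")

def read_packet_unchecked(data, buf_size=MAX_PACKET_BUF):
    """Shape of the missing check: rem_len from the wire is trusted and that many
    body bytes are copied into a fixed buffer. A bytearray grows instead of
    overflowing, so the returned length shows how far a C buffer would be overrun."""
    rem_len, body_start = decode_remaining_length(data)
    buf = bytearray(buf_size)
    buf[body_start:body_start + rem_len] = data[body_start:body_start + rem_len]
    return rem_len, len(buf)

def read_packet_checked(data, buf_size=MAX_PACKET_BUF):
    """Hardened reader: reject a rem_len that cannot fit the receive buffer, and a
    packet shorter than it claims, before touching the body."""
    rem_len, body_start = decode_remaining_length(data)
    if body_start + rem_len > buf_size:
        raise ValueError(f"remaining length {rem_len} exceeds buffer capacity {buf_size}")
    if body_start + rem_len > len(data):
        raise ValueError("packet shorter than its remaining length")
    return bytes(data[body_start:body_start + rem_len])

def check_packet(data, buf_size=MAX_PACKET_BUF):
    """'ok' when the checked reader accepts the packet, else the rejection reason."""
    try:
        read_packet_checked(data, buf_size)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample packets (PUBLISH fixed-header byte 0x30).
SMALL_PACKET = bytes([0x30, 0x05]) + b"hello"                    # rem_len = 5
OVERSIZED_PACKET = bytes([0x30, 0xC8, 0x01]) + b"A" * 200        # rem_len = 200 > 64
MALFORMED_PACKET = bytes([0x30, 0x80, 0x80, 0x80, 0x80, 0x00])   # 5-byte length field
```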

Vulnerabilities review – Chrome CVE-2021-38000 & CVE-2021-38003 (31-10-2021)

Preface: Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages, to facilitate convenient message passing across arbitrary inter- and intra-process boundaries.

Background: Chrome limits most of the attack surface of the web (e.g., DOM rendering, script execution, media decoding, etc.) to sandboxed processes.

Vulnerability details: Multiple vulnerabilities have been discovered in Google Chrome. Remote attackers can use these vulnerabilities to trigger remote execution of arbitrary code on the target system.

Possibilities: Refer to the attached diagram (point 4). The interface defines one method, FilterInstalledApps. In the generated C++ interface, this method takes an extra argument, a callback to invoke with the result. In JavaScript, the function instead returns a Promise.
Remark: The Promise object represents the eventual completion (or failure) of an asynchronous operation and its resulting value.

If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the dangling pointer (a use-after-free) to subvert the program.

Solution: Install the patch provided by the software vendor – https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html

CVE-2021-3903 vim is vulnerable to Heap-based Buffer Overflow, Apple may also have encountered this design weakness (27th Oct, 2021)

Preface: Generally speaking, a heap buffer overflow differs from a stack overflow: there is no return address on the heap that can change the program flow, so at most data is overwritten. It seems there is little risk, but in fact that is not the case.

Background: Vim comes standard with most modern Linux distributions, but some minimal installations do not include the vim editor by default. Vim is a vi-like editor but is more advanced and powerful than the original Vi.

Vulnerability details: Certain versions of vim are vulnerable to a heap-based buffer overflow. The design weakness was found in the source file move.c: invalid memory access when scrolling without a valid screen.

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Buffer overflows generally lead to crashes.

Remedy: Do not set VALID_BOTLINE in w_valid.

Affected Vendor/Software: vim/vim version < 8.2.3564

Reference: In C++, new/delete should be preferred over malloc()/free() where possible. (In C, new/delete is not available, so the choice is obvious there.)
The main difference between these two languages is that C is a procedural programming language and does not support classes and objects, while C++ combines procedural and object-oriented programming.
Usually the C compiler does not add bounds checks for memory accesses. Sometimes, due to a coding error, there is a read or write outside the buffer; such an error is usually hard to detect.

CVE-2021-41172: Maybe there was an impact, or nothing happened (26th Oct, 2021)

Preface: We install and configure a caching plugin which will speed up the delivery of page assets to your visitors, since this content will have been generated beforehand. The result will be a faster loading page, and reduced wait times for all operations.

Background: A caching plug-in will speed up the web application response. For websites with very high traffic (load balancing), we install and configure object caching plugins, such as Redis or Memcache.

Vulnerability details: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. AS_Redis is an AntSword plugin for Redis. The Redis Manage plugin for AntSword prior to version 0.5 is vulnerable to Self-XSS due to insufficient input validation and sanitization of the Redis server configuration. Self-XSS in the plugin configuration leads to code execution. This issue is patched in version 0.5.

How does Self-XSS work? Self-XSS operates by tricking users into copying and pasting malicious content into their browsers’ web developer console. Usually, the attacker posts a message that says by copying and running certain code, the user will be able to hack another user’s account.

Question: With reference to the attached picture, do you think it is really a self-xss vulnerability?

Official CVE announcement – https://nvd.nist.gov/vuln/detail/CVE-2021-41172

CVE-2021-41035 : Which products will be affected? (25th Oct, 2021)

Preface: The Eclipse OpenJ9 virtual machine (VM) implements the Java Virtual Machine Specification. Most Java applications should run on an OpenJDK that contains the OpenJ9 VM without changing anything. However, because it is an independent implementation there are some differences compared to the HotSpot VM, which is the default OpenJDK VM and is also included in an Oracle JDK.

Background: OpenJ9 is a high performance, scalable, Java™ virtual machine (VM) implementation that is fully compliant with the Java Virtual Machine Specification.

Building OpenJDK with OpenJ9

$ git clone https://github.com/ibmruntimes/openj9-openjdk-jdk9
$ cd openj9-openjdk-jdk9
$ bash ./get_source.sh
$ bash ./configure --with-freemarker-jar=freemarker.jar
$ make images
$ cd build/linux-x86_64-normal-server-release/images/
$ ./jdk/bin/java -version

The VM has connections into the rest of the JDK, so building OpenJDK with OpenJ9 requires patches to:

  • Build process
  • Class libraries

Vulnerability details: In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods.

Risk rating: NVD score not yet provided.

Official announcement – https://bugs.eclipse.org/bugs/show_bug.cgi?id=576395

antihackingonline.com