CVE-2021-34432 Do not kill mosquitto (27th July, 2021)

Preface: Internet of Things (IoT) and machine-to-machine (M2M) technologies need to use a messaging and connectivity protocol in order to exchange information from a remote location.

Background: MQTT is a binary protocol built around a command / command-acknowledgement pattern: every time a client sends a command to the broker, the broker sends an acknowledgement. The protocol runs on top of TCP/IP, so a TCP connection is established first, then the MQTT connection is established, and then data transfer occurs. Afterwards the TCP connection is terminated.

An MQTT broker is a server that receives all messages from the clients and then routes the messages to the appropriate destination clients.

Vulnerability details: In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.

Remedy: The design weakness was patched in version 2.08.

Client library: Fix mosquitto_{pub|sub}_topic_check() functions not returning MOSQ_ERR_INVAL on topic == NULL.

Cause: Under the following condition, it returns MOSQ_ERR_INVAL if the topic string is too long.
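As an added illustration (not Mosquitto's own code), the following C snippet shows the two checks a broker needs on a PUBLISH variable header: the declared topic length must fit the bytes actually received, and a zero-length or wildcard-bearing topic must be rejected before any use. The MOSQ_* values and the sample packet bodies are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed return codes; the names mirror libmosquitto's but the values are ours. */
#define MOSQ_OK 0
#define MOSQ_ERR_INVAL 3
#define MOSQ_ERR_PROTOCOL 4
#define TOPIC_MAX 65535   /* the MQTT topic-length prefix is 16 bits */

/* Validate a PUBLISH topic name per MQTT 3.1.1 section 4.7: at least one character,
 * no wildcard characters ('+', '#'), no embedded NUL. NULL and length 0 are rejected
 * up front, which is exactly the case the crash in this entry exercised. */
int pub_topic_check(const char *topic, size_t len) {
    if (topic == NULL || len == 0 || len > TOPIC_MAX) return MOSQ_ERR_INVAL;
    for (size_t i = 0; i < len; i++)
        if (topic[i] == '+' || topic[i] == '#' || topic[i] == '\0') return MOSQ_ERR_INVAL;
    return MOSQ_OK;
}

/* Parse the topic name from a PUBLISH variable header (the bytes after the fixed
 * header): 2-byte big-endian length followed by the UTF-8 topic. The length is checked
 * against the bytes actually present before the topic itself is validated. */
int publish_read_topic(const uint8_t *body, size_t body_len,
                       const char **topic, size_t *topic_len) {
    if (body_len < 2) return MOSQ_ERR_PROTOCOL;
    size_t len = ((size_t)body[0] << 8) | body[1];
    if (len > body_len - 2) return MOSQ_ERR_PROTOCOL;   /* declared length exceeds packet */
    int rc = pub_topic_check((const char *)body + 2, len);
    if (rc != MOSQ_OK) return rc;                         /* covers the len == 0 case */
    *topic = (const char *)body + 2;
    *topic_len = len;
    return MOSQ_OK;
}

/* Constructed sample packet bodies (variable header only; the packet id follows the topic). */
static int check_body(const uint8_t *b, size_t n) { const char *t; size_t tl; return publish_read_topic(b, n, &t, &tl); }
int demo_valid(void)       { static const uint8_t b[] = {0,5,'a','/','b','c','d',0,10}; return check_body(b, sizeof b); }
int demo_zero_length(void) { static const uint8_t b[] = {0,0,0,1};                    return check_body(b, sizeof b); }
int demo_truncated(void)   { static const uint8_t b[] = {0,9,'a','b'};                 return check_body(b, sizeof b); }
int demo_wildcard(void)    { static const uint8_t b[] = {0,3,'a','/','#'};             return check_body(b, sizeof b); }
```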

Elasticsearch ECE 7.13.3 Database Disclosure (27th Jul 2021)

Preface: 3431 companies reportedly use Elasticsearch in their tech stacks, including Uber, Shopify, and Udemy.

Background: Elasticsearch is based on Lucene and is very fast and scalable for search operations. It is well suited to data analysis, logging, error monitoring and alerting, and can be used to search all kinds of documents.
Remark: Apache Lucene is a free and open-source search engine software library, originally written completely in Java by Doug Cutting.

Elasticsearch Service became available on Google Cloud Platform (GCP) in 2017, allowing customers to deploy the latest versions of Elasticsearch, Kibana, and Elastic's continually expanding set of features (such as security, machine learning, Elasticsearch SQL, and Canvas) and solutions for logging and infrastructure.

Vulnerability details: All versions of Elastic Cloud Enterprise have the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Remedy: See the vendor announcement – https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180

Vulnerability found by Apple in February 2021. However, this vulnerability has prompted the digital world to consider whether to continue using LibTIFF. (26th July, 2021)

Preface: Multiple vulnerabilities have been found in libTIFF, the worst of which may allow execution of arbitrary code. That was said five years ago (2016)! Has it become the focus of manufacturers’ attention now?

Background: TIFF supports tag extensions, allowing more tags than the standard TIFF specification defines. For example, tag code 326 (hex 0x0146), named BadFaxLines, is used in the TIFF-F standard and denotes the number of ‘bad’ scan lines encountered by the facsimile device.

Reference: Tag code 326 (BadFaxLines) – When using this tag in LibTIFF it is possible to have a type confusion vulnerability where LibTIFF attempts to read a mistyped argument off of the variable argument list.
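As an added illustration (not LibTIFF's code), the following C snippet decodes a 12-byte little-endian IFD entry and reads BadFaxLines (tag 326) only when the entry's declared type is SHORT or LONG, refusing anything else instead of reinterpreting it as a different width; the sample entries are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* TIFF 6.0 field types used here; BadFaxLines is defined as SHORT or LONG, count 1. */
enum { TIFF_SHORT = 3, TIFF_LONG = 4 };
#define TIFFTAG_BADFAXLINES 326   /* 0x0146, TIFF-F extension tag */

typedef struct { uint16_t tag, type; uint32_t count, value; } ifd_entry;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode one 12-byte IFD entry from a little-endian ("II") TIFF directory:
 * tag(2) type(2) count(4) value-or-offset(4). */
void parse_ifd_entry(const uint8_t *p, ifd_entry *e) {
    e->tag = rd16le(p);       e->type = rd16le(p + 2);
    e->count = rd32le(p + 4); e->value = rd32le(p + 8);
}

/* Read BadFaxLines only when the declared type matches what the consumer expects.
 * A mismatched type is rejected rather than read at the wrong width, which is the
 * check a type-confusion bug lacks. Returns 1 with the value in *out, else 0. */
int read_badfaxlines(const uint8_t *entry, uint32_t *out) {
    ifd_entry e;
    parse_ifd_entry(entry, &e);
    if (e.tag != TIFFTAG_BADFAXLINES || e.count != 1) return 0;
    switch (e.type) {
    case TIFF_SHORT: *out = e.value & 0xFFFFu; return 1;  /* SHORT occupies the first 2 bytes of the value field */
    case TIFF_LONG:  *out = e.value;           return 1;
    default:         return 0;                            /* e.g. RATIONAL or ASCII: wrong width, refuse */
    }
}

/* Constructed sample entries (little-endian). */
static const uint8_t ENTRY_LONG[12]  = {0x46,0x01, 0x04,0x00, 0x01,0,0,0, 0x07,0,0,0};  /* 326, LONG, 1, 7 */
static const uint8_t ENTRY_SHORT[12] = {0x46,0x01, 0x03,0x00, 0x01,0,0,0, 0x2a,0,0,0};  /* 326, SHORT, 1, 42 */
static const uint8_t ENTRY_BAD[12]   = {0x46,0x01, 0x05,0x00, 0x01,0,0,0, 0x10,0,0,0};  /* 326, RATIONAL: mistyped */

/* Returns the decoded value, or -1 when the entry is rejected. */
int demo(const uint8_t *entry) { uint32_t v; return read_badfaxlines(entry, &v) ? (int)v : -1; }
```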

Vulnerability details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. Crafted data in a TIFF image can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

Remark: By reading the TIFF-pages as BufferedImages, you essentially decompress the stored images, which might need a lot of memory depending on the size of the images: Every pixel will take up 3 (RGB) or 4 (ARGB) bytes.

Vulnerability exploit path: Exploiting this vulnerability requires user interaction, and the target must visit a malicious page or open a malicious file.

Existing status: ZDI notified the vendor of the intention to publish the case as a 0-day advisory on 07/22/21.

Stay alert! IPython code execution (23-7-2021)

Preface: IPython offers an enhanced read-eval-print loop (REPL) environment particularly well adapted to scientific computing. In other words, IPython is a powerful interface to the Python language.

Background: IPython provides a rich toolkit to help you make the most out of using Python, with:

  • Powerful Python shells (terminal and Qt-based).
  • A web-based notebook with the same core features but support for code, text, mathematical expressions, inline plots and other rich media.
  • Support for interactive data visualization and use of GUI toolkits.
  • Flexible, embeddable interpreters to load into your own projects.
  • Easy to use, high performance tools for parallel computing.

Vulnerability details: IPython could allow a remote attacker to execute arbitrary code on the system, caused by improper permission assignment. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code from the current working directory.

Remedy: No remedy available as of July 22, 2021.

32-bit design limitation (0x7fffffff). Another episode of Y2K. (23-07-2021)

Preface: Because humans have destroyed the environment, natural disasters resemble God’s punishment. In the digital world the situation is the same: the reason for the penalty is design weakness in the software.

Background: Perhaps the younger generation has not experienced the “Y2K” technical problems because they were still children. The millennium bug is about 22 years behind us today, and I think many people have forgotten it. The digital-world disaster is similar to the Old Testament description of the flood, when God instructed that an ark be built to save the species.

Fundamental design weakness: On a 32-bit Linux system, the maximum value that time_t can represent is 0x7fffffff. When time_t reaches that maximum, the system time is 2038-01-19 03:14:07 (UTC); when the clock keeps going, time_t overflows and becomes a negative value. At that point the system time starts over and the operating system and upper-layer software run incorrectly.
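The rollover described above, carried through as an added example (not from the original post): a 32-bit signed time_t wrapping at 0x7fffffff versus a 64-bit one, with the resulting UTC dates. It assumes the host's own time_t is 64-bit so the wrapped value can be formatted.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

#define TIME32_MAX INT32_MAX   /* 0x7fffffff, the largest value a 32-bit signed time_t holds */

/* Advance a 32-bit signed time counter by `step` seconds with two's-complement wraparound,
 * the way a 32-bit time_t behaves. Arithmetic is done in uint32_t to avoid signed-overflow UB. */
int32_t time32_add(int32_t t, int32_t step) {
    return (int32_t)((uint32_t)t + (uint32_t)step);
}

/* The same tick on a 64-bit time_t: no wraparound. */
int64_t time64_add(int64_t t, int64_t step) { return t + step; }

/* 1 if a 64-bit timestamp still fits in a signed 32-bit time_t, else 0.
 * Useful for flagging stored timestamps that a 32-bit build will misread. */
int fits_time32(int64_t t) { return t >= INT32_MIN && t <= INT32_MAX; }

/* Format seconds-since-epoch as UTC "YYYY-MM-DD HH:MM:SS". Assumes the host's time_t is
 * 64-bit so negative and post-2038 values are representable. Returns buf, or NULL on error. */
const char *format_utc(int64_t secs, char *buf, size_t n) {
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    if (tm == NULL || strftime(buf, n, "%Y-%m-%d %H:%M:%S", tm) == 0) return NULL;
    return buf;
}

/* Worked case: the last representable 32-bit second and the second after it. */
const char *last_time32_utc(void) {
    static char buf[32];
    return format_utc(TIME32_MAX, buf, sizeof buf);
}
const char *after_wrap_time32_utc(void) {
    static char buf[32];
    return format_utc(time32_add(TIME32_MAX, 1), buf, sizeof buf);   /* wraps to INT32_MIN, i.e. 1901 */
}
const char *after_tick_time64_utc(void) {
    static char buf[32];
    return format_utc(time64_add(TIME32_MAX, 1), buf, sizeof buf);   /* simply 2038-01-19 03:14:08 */
}
```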

IoT current status 2021: The trend today – 8-bit and 16-bit MCUs had been the hardware of choice for IoT devices, but 32-bit MCUs are now becoming increasingly popular, leading many manufacturers to use two differently powered processors in their devices. Therefore, your RTOS should be scalable in order to manage any future MCU upgrades.

Reports indicate that there will be 35.82 billion IoT devices installed worldwide by 2021 and 75.44 billion by 2025.

Remedy: To overcome this technical limitation, software developers need to use GNU C Library 2.32 and musl libc 1.2 to build user space for a 64-bit time_t.
musl is a C standard library mainly used on operating systems based on the Linux kernel, targeting embedded systems and mobile devices. It is released under the MIT license and was written by Rich Felker, with the goal of a clean, efficient, and standards-compliant C standard library.

Expectation: We pass a new challenge token to the younger generation, because they have grown up now. It’s your turn.

Design flaws sometimes involve risks, but sometimes they are unknown (CVE-2021-33909)

Preface: A series of sequential read functions for seq operations are defined in fs/seq_file.c. These functions were first introduced in 2001 but were little used in the kernel at first; since the 2.6 kernel, the seq functions have been used heavily in the read-only files under /proc.

Synopsis: Linux kernel 5.13 adds initial support for Apple’s M1 processor, the Landlock security module (used to create a security sandbox that reduces the impact of flaws in user-space applications), the ability to handle ASN.1 trusted keys, and preliminary support for the AMD Radeon “Aldebaran” GPU series.

Background: There are numerous ways for a device driver (or other kernel component) to provide information to the user or system administrator. One useful technique is the creation of virtual files, in debugfs, /proc or elsewhere. Virtual files can provide human-readable output without any special utilities. The Linux kernel’s seq_file interface produces virtual files that contain sequences of records.

Vulnerability details: fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an out-of-bounds write, and escalation to root by an unprivileged user. For more information on this matter, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2021-33909

A flaw that awakens security vendors – use-after-free vulnerability (CVE-2021-32589) – 20th July, 2021.

Preface: If you have fgfmsd (TCP/541 / TCP/542) public-facing and have not upgraded to a fixed release, perhaps you should consider the vendor’s workaround.

Background: The FGFM protocol runs over SSL (Secure Sockets Layer) using TCP port 541 under IPv4. Both FortiGate and FortiManager units have a ‘FGFM’ daemon running exclusively for FortiGate to FortiManager communication. The FortiManager unit listens on TCP port 541 for an incoming session request. The FortiGate unit establishes an SSL session with the FortiManager. Both units use TCP port 541 for sending and receiving messages.

You can add FortiAnalyzer devices to FortiManager and manage them. When you add a FortiAnalyzer device to FortiManager, FortiManager automatically enables FortiAnalyzer features. FortiAnalyzer and FortiManager must be running the same OS version, at least 5.6 or later.

Vulnerability details: The vulnerability exists due to a use-after-free error within the fgfmsd daemon. A remote non-authenticated attacker can send a specially crafted request to port 541/tcp (IPv4) or 542/tcp (IPv6), trigger a use-after-free error and execute arbitrary code on the system with root privileges.

Workaround: Disable FortiManager features on the FortiAnalyzer unit using the command below:
– config system global
– set fmg-status disable <— Disabled by default.
– end

Official announcement – https://www.fortiguard.com/psirt/FG-IR-21-067

Closer look at VMware ThinApp design weakness (CVE-2021-22000) – 18th July 2021

Preface: Secure loading of libraries to prevent DLL preloading attacks, as Microsoft puts it.

Background: When an application dynamically loads a dynamic link library (DLL) without specifying a fully qualified path, Windows tries to locate the DLL by searching a well-defined set of directories. If an attacker gains control of one of the directories, they can force the application to load a malicious copy of the DLL instead of the DLL that it was expecting. These attacks are known as “DLL preloading attacks” and are common to all operating systems that support dynamically loading shared DLL libraries. Experts have also observed malware using a similar method to inject code into system processes.

Closer look at the PoC details:

Design weakness in VMware-ThinApp-Enterprise-5.2.9-17340778[.]exe.
This vulnerability allows non-privileged users to create a directory (C[:]\DummyTLS), copy a malicious DLL file into it and rename it to dummyTLS[.]dll; that is enough to trigger the vulnerability.

The steps are as follows:

  1. Run “C[:]\Program Files (x86)\VMware\VMware ThinApp\Setup Capture[.]exe”.
    Then C[:]\DummyTLS\dummyTLS[.]dll will be loaded as well.
  2. Code injection completed.

In addition, other executables such as log_monitor[.]exe and snapshot[.]exe have the same weakness.

VMware security advisory – https://www.vmware.com/security/advisories/VMSA-2021-0015.html

CVE-2021-27610 carries a CVSS v3 score of 9.0 and covers an authentication bypass vulnerability in the SAP kernel (15-7-2021)

Preface: Generally, when it comes to interconnection in the SAP system environment, remote function call (RFC) is one of the main communication protocols used.

Observation: About CVE-2021-27610 – SAP resolved the design weakness in the server-side RFC protocol in July 2021. According to the official announcement, a remote attacker can make a special request through a given user identity to exploit this vulnerability, leading to an authentication bypass in the SAP kernel. In the worst case this can lead to highly privileged system access and ultimately give the attacker full control of the target application server.

According to the official announcement, Security Note 3007182 covers almost all the correction instructions for the maintained kernel versions, and many network security experts speculate that the vulnerability has been hidden for many years. I wrote down my observations and tips in the attached drawings; if you are interested, please read the details.

Vulnerability details: An improper authentication vulnerability exists in SAP NetWeaver Application Server ABAP. ABAP Server and ABAP Platform do not create information about internal and external RFC users in a distinguished and consistent format, which may be exploited by malicious users to obtain illegitimate access to the system.

CVE-2021-27610 – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (Authentication Bypass) – https://nvd.nist.gov/vuln/detail/CVE-2021-27610

Official announcement – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506

One of the possible causes of CVE-2021-22928 (14th Jul, 2021)

Preface: DLL side-loading is an increasingly popular cyber attack method that takes advantage of how Microsoft Windows applications handle DLL files.

Background: Where is the Citrix VDA?
By default, the supportability MSI is installed in C:\Program Files (x86)\Citrix\Supportability Tools\ . You can change this location on the Components page of the VDA installer’s graphical interface, or with the /installdir command-line option.

Vulnerability Details: A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.

One of the possibilities: What if the C:\Program Files\Citrix\ICA Client directory is configured with incorrect permissions and allows any user to add files? A malicious version of the DLL file could be planted in this directory, allowing a local attacker to execute arbitrary code in the context of any other user who runs this application. Although that is DLL search-order hijacking, this variant is also sometimes, rightly or wrongly, called DLL side-loading. It is mostly used by malware, but it can also be used for privilege escalation.

Official details: https://support.citrix.com/article/CTX319750

antihackingonline.com