24^th May, 2021

Preface: It let you avoid malware infection in your computer. MalwareFox can detect and remove malware in precise way. MalwareFox Antimalware at low cost comparing to other competitors.

Background: In a computer, ioctl is a system call dedicated to the input and output operations of the device. The call receives a request code related to the device. The function of the system call depends entirely on the request code.

Remark: The ioctl system call first appeared in Version 7 of Unix under that name. Microsoft Windows provides a similar function, named “DeviceIoControl”, in its Win32 API.

Vulnerability details: IOCTL 0x80002040 exposes kernel memory allocation in the NonPagedPool where a user-mode string is copied into the target buffer, this buffer can be used for shellcode by forcing the input data to be larger than 0x1000 bytes, a buffer larger than 0x834 will cause a STATUS_ACCESS_VIOLATION. Hacker must trick the IOCTL into failing and forgetting to free the buffer, you can then search SystemBigPoolInformation for the newly allocated buffer with the shellcode.

* When writing to a file Microsoft sets the bufferSize to 4096 bytes, but when reading they are using [0x1000].

Official details: As of today, vendor does not provide update related to this matter. Their homepage can be found in the following link – https://www.malwarefox.com/

Preface: Windows 10 IoT Core is a version of Windows 10 that is optimized for smaller devices with or without a display, and that runs on the Raspberry Pi 2 and 3.

Background: ASP.NET Core is one of the best frameworks available to make cross-platform web applications. The free Windows 10 IoT Core along with ASP.NET 3.0 allows one to build applications or background run services on an IoT device. Since Windows 10 requires greater amounts of RAM than most Linux distributions, only a Raspberry Pi 4, 3, or 2 with at least 1 GB of RAM can run the ARM edition through the WoR project.

Vulnerability details: An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.

Reminder: If you plan to run Windows 10 IoT Core on Raspberry Pi. Don’t forget to fix it.

Remedy: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166

Preface: 3350 companies reportedly use Elasticsearch in their tech stacks, including Uber, Shopify, and Udemy.

Background: Organizations can use big data analytics systems and software to make data-driven decisions that can improve business-related outcomes. Elasticsearch is a popular open-source search
and analytics engine for use cases such as log analytics, real-time application monitoring, and click stream analytics.

Remark: Elastic, the company behind Elasticsearch and Kibana, has made a change to their licensing. They’ve taken a unique approach to “doubling down on open”: customers can now choose between two non-open source licenses. 

Vulnerability details: Flaw found in Kibana and Elasticsearch version before 7.11.2 abd 6.8.15. It risk to exposure of Sensitive Information to an Unauthorized person and unintentionally extending authenticated users sessions. Details shown as below:

CVE-2021-22136 – https://nvd.nist.gov/vuln/detail/CVE-2021-22136

CVE-2021-22135 – https://nvd.nist.gov/vuln/detail/CVE-2021-22135

Preface: Near field communication (NFC) technology lets smartphones and other enabled devices communicate with other devices containing a NFC tag.

Vulnerability details: Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. This flaw is rated as having a Moderate impact because in the default configuration, the issue can only be triggered by a privileged local user (with capability CAP_NET_RAW).
What if Creating raw socket in Python without root privileges?

Reference:

Activating the SUID bit for the file with a command like chmod +s file and set its owner to root with chown root.root file.
This will run your script as root, regardless of the effective user that executed it.

Setting the CAP_NET_RAW capability on the given file with a command like setcap cap_net_raw+ep file.
This will give it only the privileges required to open a raw socket

Announcement by vendor – https://access.redhat.com/security/cve/CVE-2021-23134

Preface: The Improper Access Control weakness describes a case where software fails to restrict access to an object properly.

Background: Citrix Workspace ensures corporate data is safe and malicious activities are spotted quickly. If the installation is user-based, Citrix Workspace app must be installed for each user who logs on to the local machine.

Vulnerability details: Citrix has released security updates to address a vulnerability in Citrix Workspace App for Windows. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability affects all supported versions of Citrix Workspace app for Windows but does not affect Citrix Workspace app on any other platforms. Since vendor do not mentioned explicitly what is the actual flaw. However , whether does it encounter former design weakness again (Refer to diagram for details).

Official announcement: CTX307794 (Citrix Workspace App Security Update) – https://support.citrix.com/article/CTX307794

Preface: The term ‘NoSQL’ means ‘non-relational’. It means that MongoDB isn’t based on the table like relational database structure.

Background: MongoDB storage format called BSON. It is similar to JSON format. Traditional database store data in tabular format. In a MongoDB database, data is stored in collections and a collection has documents. A document has fields and values, like in a JSON. The field types include scalar types (string, number, date, etc.) and composite types (arrays and objects). The query operations on array fields using the db.collection.find() method in the mongo shell. MongoDB supports query operations on geospatial data. MongoDB uses collections of documents instead of tables of rows to organize and store data. In MongoDB, you can store geospatial data as GeoJSON objects or as legacy coordinate pairs.

Vulnerability details: A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4. For more details, please refer to diagram attached.

Remedy: Add stricter parser checks around positional projection
Branch: v4.4 – https://github.com/mongodb/mongo/commit/0c7f643a2dfe4000ac9630ed5dace0cb40ec9740

Preface: vSphere 6.5 – introduction of several new REST APIs included in the vCenter Server Appliance (VCSA).

Background: You can use vRealize Business for Cloud to manage the following VMware products and services: vCenter Server,vCloud Director,vRealize Automation & vRealize Operations Manage. Through the REST API. To get access VCSA appliance. The corresponding API endpoint for available updates are under the [/]rest[/]appliance[/]update section.If you run the API explorer, you will get the following result. Endpoint shows UP_TO_DATE, while VAMI shows 5 available updates.

Vulnerability details: Attackers can exploit this security flaw using management interface (VAMI) upgrade APIs to gain access to unpatched vRealize Business for Cloud Virtual Appliances.

Remedy – Official announcement : https://www.vmware.com/security/advisories/VMSA-2021-0007.html