CVE-2021-28166 (Eclipse Mosquitto) – When a small hole appears in the dam, you should fix it immediately. 7-Apr-2021

Preface: The two main changes to the CONNACK message between MQTTv3.1.1 and MQTTv5 are the enhanced reason codes and the properties field.

Background: MQTT is an OASIS standard messaging protocol for the Internet of Things (IoT). It is designed as an extremely lightweight publish/subscribe messaging transport that is ideal for connecting remote devices with a small code footprint and minimal network bandwidth. Furthermore, the MQTT CONNECT and response messages (CONNACK) have been greatly enhanced in MQTTv5 with the addition of the properties field. The properties field allows for a large increase in the information that can be exchanged between client and server on connection establishment compared to MQTT v3.1.1.

Vulnerability details: In Eclipse Mosquitto versions 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur. A null-pointer dereference crashes the process, but if an attacker can trigger one intentionally, the attacker might be able to use the resulting exception to bypass security logic.

Official announcement: Please refer to link – https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608
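To make the CONNACK format concrete, here is an added example (not code from the Mosquitto project or from the original post): a small MQTT v3.1.1/v5 CONNACK parser in Python that checks every length against the buffer before reading, plus the check a broker can apply before parsing anything, since CONNACK only ever flows from server to client. The property table, the sample packet and the function names are constructed for this example.

```python
import struct

CONNACK = 0x20                      # packet type 2 in the high nibble, flags 0
SERVER_ONLY_TYPES = {2, 9, 11, 13}  # CONNACK, SUBACK, UNSUBACK, PINGRESP

# MQTT v5 property identifiers permitted in CONNACK and their wire types
# (an int is the size in bytes, "str" = UTF-8 string, "bin" = binary data,
# "pair" = UTF-8 string pair).
CONNACK_PROPERTIES = {
    0x11: ("session_expiry_interval", 4), 0x12: ("assigned_client_identifier", "str"),
    0x13: ("server_keep_alive", 2),       0x15: ("authentication_method", "str"),
    0x16: ("authentication_data", "bin"), 0x1A: ("response_information", "str"),
    0x1C: ("server_reference", "str"),    0x1F: ("reason_string", "str"),
    0x21: ("receive_maximum", 2),         0x22: ("topic_alias_maximum", 2),
    0x24: ("maximum_qos", 1),             0x25: ("retain_available", 1),
    0x26: ("user_property", "pair"),      0x27: ("maximum_packet_size", 4),
    0x28: ("wildcard_subscription_available", 1),
    0x29: ("subscription_identifiers_available", 1),
    0x2A: ("shared_subscription_available", 1),
}

def broker_accepts_packet_type(first_byte):
    """A broker must reject packet types that only flow server-to-client."""
    return (first_byte >> 4) not in SERVER_ONLY_TYPES

def read_varint(buf, pos):
    """MQTT Variable Byte Integer: 1 to 4 bytes carrying 7 data bits each."""
    value, mult = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated variable byte integer")
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed variable byte integer")

def read_binary(buf, pos):
    """Two-byte big-endian length prefix followed by that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    n, pos = struct.unpack_from(">H", buf, pos)[0], pos + 2
    if pos + n > len(buf):
        raise ValueError("truncated string or binary data")
    return buf[pos:pos + n], pos + n

def parse_properties(buf):
    """Parse the v5 properties field, checking every length before use."""
    props, pos = {}, 0
    while pos < len(buf):
        ident, pos = read_varint(buf, pos)
        if ident not in CONNACK_PROPERTIES:
            raise ValueError(f"property 0x{ident:02x} is not allowed in CONNACK")
        name, kind = CONNACK_PROPERTIES[ident]
        if kind == "pair":                  # user properties may repeat
            key, pos = read_binary(buf, pos)
            val, pos = read_binary(buf, pos)
            props.setdefault(name, []).append((key.decode("utf-8"), val.decode("utf-8")))
            continue
        if kind == "str":
            raw, pos = read_binary(buf, pos)
            value = raw.decode("utf-8")
        elif kind == "bin":
            value, pos = read_binary(buf, pos)
        else:                               # fixed-size integer of `kind` bytes
            if pos + kind > len(buf):
                raise ValueError("truncated integer property")
            value, pos = int.from_bytes(buf[pos:pos + kind], "big"), pos + kind
        if name in props:
            raise ValueError(f"duplicate property {name}")   # protocol error in v5
        props[name] = value
    return props

def parse_connack(packet, protocol_version=5):
    """Parse a CONNACK for MQTT v3.1.1 (protocol level 4) or v5."""
    if len(packet) < 2 or packet[0] != CONNACK:
        raise ValueError("not a CONNACK packet")
    remaining, pos = read_varint(packet, 1)
    if pos + remaining != len(packet):
        raise ValueError("remaining length does not match packet size")
    body = packet[pos:]
    if len(body) < 2:
        raise ValueError("CONNACK body too short")
    flags, code = body[0], body[1]
    if flags & 0xFE:
        raise ValueError("reserved CONNACK flag bits set")
    result = {"session_present": bool(flags & 0x01), "reason_code": code}
    if protocol_version < 5:
        if len(body) != 2:                  # v3.1.1 has no properties field
            raise ValueError("v3.1.1 CONNACK must be exactly two bytes")
        return result
    plen, ppos = read_varint(body, 2)
    if ppos + plen != len(body):
        raise ValueError("properties length does not match body size")
    result["properties"] = parse_properties(body[ppos:])
    return result

if __name__ == "__main__":
    # Constructed v5 CONNACK: success, session expiry 3600 s,
    # assigned client id "c1", receive maximum 20.
    sample = bytes.fromhex("2010 0000 0d 1100000e10 1200026331 210014")
    print(parse_connack(sample))
```

A v3.1.1 CONNACK is a fixed two-byte body; in v5 the properties field that follows the reason code is where most of the parsing risk lives, which is why each property's length is validated against the buffer before it is read rather than trusted.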

If you currently use SOAP microservices and Apache CXF, you should stay alert! 7th Apr 2021

Preface: Many industry standards still rely on XML to describe and exchange data between business partners in a way that guarantees interoperability, even with legacy systems running on mainframes. SOAP enables developers to create and use APIs based on XML payloads.

Background: Apache CXF™ is an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS. These services can speak a variety of protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a variety of transports such as HTTP, JMS or JBI.

Vulnerability Details: A set of malicious clients can launch a DoS attack against the authorization server by pointing the “request_uri” to a URI that returns extremely large content or is extremely slow to respond. Under such an attack, the server may use up its resources and start failing. Official details are given in the following link – https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d702656b7cbe59045@%3Cannounce.apache.org%3E

Workaround: To prevent such an attack from succeeding, the server should:

(a) check that the value of “request_uri” parameter does not point to an unexpected location.
(b) check the content type of the response is “application/oauth-authz-req+jwt”.
(c) implement a time-out for obtaining the content of “request_uri”.
(d) not perform recursive GET on the “request_uri”.
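The four checks above as an added example in Python (not Apache CXF code, which is Java, and not from the original post): a validator for “request_uri” against a per-client allowlist of hosts, a content-type and size check on the response, a fetch timeout, and an opener that refuses redirects so only a single GET is ever performed. The allowed host set, the 3-second timeout value and the 64 KiB size cap are assumptions of the example.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

EXPECTED_CONTENT_TYPE = "application/oauth-authz-req+jwt"   # check (b)
FETCH_TIMEOUT_SECONDS = 3.0                                  # check (c), assumed value
MAX_BODY_BYTES = 64 * 1024        # assumption: a signed request object is small


class _NoRedirects(urllib.request.HTTPRedirectHandler):
    """Check (d): refuse every redirect, so a single GET is all that is done."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None           # urllib then raises HTTPError for the 3xx response


def check_request_uri(uri, allowed_hosts):
    """Check (a): https only, host pre-registered for this client, no userinfo."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False, "request_uri must use https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in request_uri is not allowed"
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} is not registered for this client"
    return True, "ok"


def check_response(content_type, body_length):
    """Check (b) on the media type, plus a size cap against huge bodies."""
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type != EXPECTED_CONTENT_TYPE:
        return False, f"unexpected content type {media_type!r}"
    if body_length > MAX_BODY_BYTES:
        return False, "request object exceeds size limit"
    return True, "ok"


def fetch_request_object(uri, allowed_hosts, opener=None):
    """Fetch the request object behind request_uri with all four checks applied.
    `opener` is injectable so the network step can be replaced in tests."""
    ok, why = check_request_uri(uri, allowed_hosts)
    if not ok:
        raise ValueError(why)
    opener = opener or urllib.request.build_opener(_NoRedirects())
    try:
        with opener.open(uri, timeout=FETCH_TIMEOUT_SECONDS) as resp:
            content_type = resp.headers.get("Content-Type")
            body = resp.read(MAX_BODY_BYTES + 1)   # never read an unbounded body
    except urllib.error.HTTPError as exc:      # includes refused redirects
        raise ValueError(f"request_uri returned HTTP {exc.code}") from exc
    except OSError as exc:                     # URLError, socket timeout, DNS failure
        raise ValueError(f"request_uri fetch failed: {exc}") from exc
    ok, why = check_response(content_type, len(body))
    if not ok:
        raise ValueError(why)
    return body


if __name__ == "__main__":
    # Constructed allowlist: hosts registered at client onboarding time.
    print(check_request_uri("https://client.example/req/1", {"client.example"}))
    print(check_request_uri("https://attacker.example/slow", {"client.example"}))
```

The order matters: the URI is rejected before any socket is opened, the body is read with a hard cap rather than to EOF, and a 3xx answer is treated as a failure instead of being followed, so a slow or huge upstream can cost the authorization server at most one bounded, time-limited request.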

VMware Releases Security Update (CVE-2021-21982) – 2021-04-01

Preface: From the early days of anti-virus development until today, the trend has been to analyse attackers’ behaviour patterns in order to detect them and mount a defence.

Product background: Carbon Black Cloud Workload is a data center security product that protects your workloads running in a virtualized environment. Carbon Black Cloud Workload ensures that security is intrinsic to the virtualization environment by providing a built-in protection for virtual machines.

Vulnerability details: For more details, please refer to link – https://www.vmware.com/security/advisories/VMSA-2021-0005.html

Supplement: The technical details have not been announced by the vendor yet.
Perhaps the attached picture will provide some hints. Apart from that, once you have finished the software patching or applied the workaround, I would recommend reviewing the alert logging in your VMware Carbon Black environment. What period should the review cover? Review the monthly virus detection log and identify the victim workstations that have connectivity to the Carbon Black network segment; the next step depends entirely on what you find in that first step. This audit check should cover 3 months of log activity.

VMware security advisory on 31st March 2021 (CVE-2021-21975 & CVE-2021-21983). The vendor foresees that attackers will exploit these vulnerabilities together.

Preface: If an attacker is dexterous enough to chain a Server Side Request Forgery with an arbitrary file write vulnerability, it boosts the risk impact.

Background: Photon OS, a lightweight Linux distribution created and maintained by VMware, is designed specifically to run as a container host and has been optimized for cloud-native applications and cloud platforms, and has been optimized to run on VMware infrastructure and in public clouds.

Vulnerability Details: On March 31, 2021, VMware officially released the security advisory VMSA-2021-0004. The vulnerability numbers are CVE-2021-21975 and CVE-2021-21983. The vulnerability level is high risk and the vulnerability score is 8.6.

Remedy: For official announcement, please refer to link – https://www.vmware.com/security/advisories/VMSA-2021-0004.html

Supplement: If you are interested in the scenario for exploiting these vulnerabilities, please refer to the attached diagram.

Published: March 31, 2021 – Citrix Releases Security Updates for Hypervisor

Preface: Once upon a time, Citrix Hypervisor was known as XenServer. “Xen” is the name of the hypervisor technology first developed by the University of Cambridge and eventually improved by Citrix.

Background:

Recommendation 1: It is recommended to use paravirtualized devices instead of emulated devices for virtual machines running I/O intensive applications.

Recommendation 2: The persistent grants feature provides high scalability. On some small systems, however, it can incur data copy overheads and therefore needs to be disabled.

Vulnerability details:

CVE-2021-28688 An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host. Avoiding the use of persistent grants will also avoid the vulnerability. This can be achieved by passing the “feature_persistent=0” module option to the xen-blkback driver.

CVE-2021-28038 An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host. Linux versions from at least 2.6.39 onwards are vulnerable, when run in PV mode. Earlier versions differ significantly in behavior and may therefore instead surface other issues under the same conditions. Linux run in HVM / PVH modes is not vulnerable.

Official details: Two security issues have been identified in Citrix Hypervisor – https://support.citrix.com/article/CTX306565

CVE-2021-29649 – Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak (30-03-2021)

Preface: A system with a serious kernel memory leak will quickly become unusable. Tracking down memory leaks can be painful work.

How do you find memory leaks in Linux?
Kmemleak provides a way of detecting possible kernel memory leaks in a way similar to a tracing garbage collector. CONFIG_DEBUG_KMEMLEAK in “Kernel hacking” has to be enabled. A kernel thread scans the memory every 10 minutes (by default). For more details please refer to link – https://www.kernel.org/doc/html/latest/dev-tools/kmemleak.html
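As an added example of working with kmemleak output (not code from the kernel or from the original post), the Python below parses a report read from /sys/kernel/debug/kmemleak and aggregates leaked bytes by the first non-allocator frame in each backtrace, so a leak like the copy_process() one above shows up as one line with a byte total instead of hundreds of repeated objects. The report text is constructed in the kmemleak output format: the addresses, jiffies and the `example_driver_probe` frame are made up, and `scan_and_read` assumes debugfs is mounted and the process runs as root.

```python
import re
from collections import Counter, defaultdict

KMEMLEAK_PATH = "/sys/kernel/debug/kmemleak"   # debugfs; needs CONFIG_DEBUG_KMEMLEAK and root

# Allocator frames at the top of a backtrace say nothing about the leaking
# caller, so aggregation skips them and keys on the first frame after them.
ALLOCATOR_PREFIXES = ("kmemleak_", "kmem_cache_alloc", "__kmalloc", "kmalloc",
                      "kzalloc", "slab_", "__kmem_cache")

_HEADER = re.compile(r"^unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
_COMM = re.compile(r'^\s+comm "([^"]*)", pid (\d+), jiffies (\d+)')
_FRAME = re.compile(r"^\s+\[<[0-9a-f]+>\]\s+([^\s+]+)")


def parse_kmemleak(report):
    """Turn the text of /sys/kernel/debug/kmemleak into a list of leak records."""
    leaks, current = [], None
    for line in report.splitlines():
        m = _HEADER.match(line)
        if m:
            current = {"addr": m.group(1), "size": int(m.group(2)),
                       "comm": None, "pid": None, "backtrace": []}
            leaks.append(current)
            continue
        if current is None:
            continue
        m = _COMM.match(line)
        if m:
            current["comm"], current["pid"] = m.group(1), int(m.group(2))
            continue
        m = _FRAME.match(line)
        if m:
            current["backtrace"].append(m.group(1))   # symbol without +offset/size
    return leaks


def leak_site(leak):
    """First backtrace frame that is not part of the allocator itself."""
    for frame in leak["backtrace"]:
        if not frame.startswith(ALLOCATOR_PREFIXES):
            return frame
    return leak["backtrace"][-1] if leak["backtrace"] else "<no backtrace>"


def summarize(leaks):
    """Object count and bytes per leak site, and bytes per process name."""
    by_site, by_comm = defaultdict(lambda: [0, 0]), Counter()
    for leak in leaks:
        site = leak_site(leak)
        by_site[site][0] += 1
        by_site[site][1] += leak["size"]
        by_comm[leak["comm"]] += leak["size"]
    return {"total_bytes": sum(l["size"] for l in leaks), "objects": len(leaks),
            "by_site": dict(by_site), "by_comm": dict(by_comm)}


def scan_and_read(path=KMEMLEAK_PATH):
    """Request an immediate scan instead of waiting for the default 10-minute
    thread, then read the accumulated report (root and debugfs required)."""
    with open(path, "w") as f:
        f.write("scan")
    with open(path) as f:
        return f.read()


# Constructed sample in the kmemleak report format; not real kernel output.
SAMPLE_REPORT = """\
unreferenced object 0xffff8880a1234560 (size 64):
  comm "modprobe", pid 312, jiffies 4294937412 (age 52.100s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000deadbeef>] kmem_cache_alloc+0x1a/0x40
    [<00000000cafebabe>] copy_process+0x7c/0xe0
    [<00000000feedface>] kernel_clone+0x6a/0x80
unreferenced object 0xffff8880a1234600 (size 64):
  comm "modprobe", pid 312, jiffies 4294937420 (age 52.092s)
  backtrace:
    [<00000000deadbeef>] kmem_cache_alloc+0x1a/0x40
    [<00000000cafebabe>] copy_process+0x7c/0xe0
unreferenced object 0xffff8880b0000000 (size 128):
  comm "kworker/0:1", pid 7, jiffies 4294937500 (age 51.300s)
  backtrace:
    [<00000000abad1dea>] __kmalloc+0x5c/0x90
    [<00000000cafef00d>] example_driver_probe+0x33/0x70
"""

if __name__ == "__main__":
    print(summarize(parse_kmemleak(SAMPLE_REPORT)))
```

On a live system, replace `SAMPLE_REPORT` with `scan_and_read()`; kmemleak only reports objects that were unreachable on two consecutive scans, so a leak that grows with each process creation will show its site rising in `by_site` across repeated scans.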

Vulnerability details: An issue was discovered in the Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak, related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/preload/bpf_preload_kern.c.

Official details: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f60a85cad677c4f9bb4cadd764f1d106c38c7cf8

Impact: This vulnerability is currently awaiting analysis.

CVE-2021-29249 – Although the CVE record was announced late, it is still worth studying. (29th Mar 2021)

Preface: From an investment market perspective, blockchain might become the next-generation investment tool. So-called investments always carry risk; for instance, hedge funds and currencies bought and sold on markets are risky. We have lived in this atmosphere for a long time, so there is nothing special about it.

BTCPay server background:
– MIT License.
– Anyone can deploy a server. Become a self-hosted payment processor and receive payments directly to your wallet.
– Your private key is never required. Non-custodial. BTCPay only needs xpubkey (public key) to generate invoices.
– Code is open-source and can be inspected by security auditors and developers.

Vulnerability details: The data is shared only between two parties – the buyer and the seller. However, due to a vulnerability, outsiders may be able (via the API) to create invoices in your store, so it is possible for outsiders to read the data in your store.

Impact: BTCPay Server before 1.0.6.0 is vulnerable when the payment button is used.

Remedy: Because of this vulnerability, users of the payment button are strongly encouraged to update to 1.0.6.0 as soon as possible.

OpenSSL Security Advisory – 25th Mar 2021

Preface: If you have doubts about these OpenSSL vulnerabilities (CVE-2021-3449 & CVE-2021-3450), you should update your current installations to OpenSSL 1.1.1k.

Background: With OpenSSL, you can apply for your digital certificate (Generate the Certificate Signing Request) and install the SSL files on your server. You can also convert your certificate into various SSL formats, as well as do all kind of verifications.

Vulnerability Details: Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate-authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition.
The design defect occurs when the X509_V_FLAG_X509_STRICT flag is enabled: the error lies in the additional security checks performed on the certificates present in a certificate chain.
Perhaps the defect is triggered in the presence of elliptic curve parameters.
Further details must be provided by the vendor.

Official details: https://www.openssl.org/news/secadv/20210325.txt

Security Focus: CVE-2021-21625 (Jenkins CloudBees AWS Credentials Plugin) 23rd Mar 2021

Background: You can refer to Amazon’s “Creating an IAM User in Your AWS Account” page to create this IAM user. Once this is done, you can add new credentials of type AWS Credentials (specifying your Access key ID and Secret access key), whereby Jenkins can store Amazon IAM access keys (AWSAccessKeyId and AWSSecretKey) within its Credentials store.

Vulnerability details: Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

One of the possible reasons: In Java, java.lang.NullPointerException is thrown when a reference variable is accessed (or de-referenced) and is not pointing to any object. This error can be resolved by using a try-catch block or an if-else condition to check whether a reference variable is null before dereferencing it.

Impact: The attacker might be able to use the resulting exception to bypass security logic.

Official announcement – https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2032

Zerologon vulnerability note – last revised (23rd Mar, 2021)

Preface: “Logic 0” and “logic 1” represent binary digits (0 and 1) or Boolean logic conditions (true and false). Zerologon is a vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers.

Background: The algorithm originally used to encrypt the logon process in Windows NT was 2DES, and a design weakness was found in this area. MS-NRPC uses an obscure mode known as AES-CFB8 (Advanced Encryption Standard – Cipher Feedback, 8 bit). The use of AES-CFB8 within MS-NRPC, however, has a problem with the Initialisation Vector (IV): it should be a random number, but MS-NRPC fixes it at 16 bytes of zeros.

Impact: Tom Tervoort from Secura discovered that one in every 256 keys used will produce ciphertext whose value is all zeros, which gives a highly probable route to root the AD server. To change the password, attackers use the NetServerPasswordSet2 message in MS-NRPC; it is possible to change a password simply by sending the frame with the preferred new password. The easiest approach is to remove the password or set it to a blank value, after which the hacker can log in through the normal process.
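An added example (not Secura’s or Microsoft’s code, and not from the original post) of why the fixed all-zero IV described above is fatal for CFB8, in Python. It uses a SHA-256 based stand-in for the AES block function, which is an assumption of the example: the argument only needs the block function’s output to look random per key, and the stand-in avoids a third-party AES dependency. With the IV fixed at all zeros and an all-zero plaintext, the ciphertext comes out all zeros exactly when the first byte of E_k(0…0) is zero, which is the one-in-256 figure above; with a non-zero IV the same keys do not produce that result. Key values are constructed, not random.

```python
import hashlib

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)        # the fixed all-zero IV the text describes


def toy_block_encrypt(key, block):
    """Stand-in for a block cipher's forward function (NOT AES): a keyed hash
    truncated to one block. The argument below only needs the output to be
    unpredictable per key, which this satisfies."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key, iv, plaintext, block_encrypt=toy_block_encrypt):
    """CFB-8: each plaintext byte is XORed with the first byte of
    E_k(shift register); the resulting ciphertext byte is then shifted in."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(shift))[0]
        c = p ^ keystream_byte
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def is_weak_for_zero_iv(key, block_encrypt=toy_block_encrypt):
    """With IV = 0 and plaintext = 0 the shift register stays all zeros for as
    long as the keystream byte is 0, so a single condition decides the whole
    ciphertext: the first byte of E_k(0...0). That is true for about 1 key in 256."""
    return block_encrypt(key, ZERO_IV)[0] == 0


def first_weak_key(start=0, limit=1 << 16):
    """Search constructed keys (big-endian counters) for one that is weak."""
    for i in range(start, start + limit):
        key = i.to_bytes(BLOCK_SIZE, "big")
        if is_weak_for_zero_iv(key):
            return key
    return None


def keys_giving_zero_ciphertext(n_keys, iv, plaintext_len=8):
    """Encrypt an all-zero plaintext under n_keys constructed keys with the
    given IV and return the keys whose ciphertext is all zeros."""
    zeros = bytes(plaintext_len)
    hits = []
    for i in range(n_keys):
        key = i.to_bytes(BLOCK_SIZE, "big")
        if cfb8_encrypt(key, iv, zeros) == zeros:
            hits.append(key)
    return hits


if __name__ == "__main__":
    n = 4096
    weak = keys_giving_zero_ciphertext(n, ZERO_IV)
    print(f"zero IV: {len(weak)} of {n} keys give all-zero ciphertext (expect ~{n // 256})")
    nonzero_iv = bytes(range(BLOCK_SIZE))   # constructed, stands in for a random IV
    print(f"non-zero IV: {len(keys_giving_zero_ciphertext(n, nonzero_iv))} of {n}")
```

The lesson is independent of the block cipher: the IV exists precisely so that the first keystream byte, and therefore the whole shift-register sequence, differs per message. Fixing it at zero collapses the per-message randomness to a single byte of the block function’s output, which is why the enforcement settings below matter more than any change to AES itself.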

Since February 9, 2021 marks the enforcement phase, the vendor will enforce the following settings.

  • Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Logging of Event ID 5829 will be removed.  Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.

Official announcement: https://kb.cert.org/vuls/id/490028

antihackingonline.com