F5 network products cover a wide range. When a vulnerability occurs, it should be remedied as soon as possible. (CVE-2021-22991 – 12th Mar 2021)

Preface: F5 network products are commonly deployed in data centers and in on-premises Internet-facing infrastructure.

Background: F5 Networks’ Traffic Management Operating System (TMOS) is not a separate operating system. It is the software foundation for all of F5’s network or traffic (not data) products, on both physical and virtual platforms. TMM is the core component of TMOS: it handles all network activities and communicates directly with the network switch hardware (or with vNICs on VE (Virtual Edition)). TMM also controls communications to and from the HMS. Local Traffic Manager (LTM) and other modules run within the TMM.

Vulnerability details: The vulnerability found allows an attacker to make use of uninitialized memory. Uninitialized memory means reading data from a buffer that was allocated but never filled with initial values; the data are used before they are initialized. Finally, because `wrapped_umem_alloc` is used for heap allocations, it will also lead to a direct crash of the TMM due to a heap buffer overflow.
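As an added illustration of the two defect classes named above (it is constructed for this page and is not F5 code), the following C snippet shows a small record parser in its defective form, where a malloc()'d field is read before being written and an unbounded copy can overflow the heap block, next to the corrected form that zero-initializes the allocation, sets an explicit default and bounds the copy by the destination size. The wire format, field names and buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not vendor code. Wire format (assumed):
 * "name[,priority]" e.g. "alpha,7" or "beta". */

#define NAME_MAX_LEN 16

struct record {
    char name[NAME_MAX_LEN];
    int  priority;          /* optional in the wire format */
};

/* Defective version: malloc() leaves 'priority' uninitialized when the input
 * carries no priority field, and the copies into 'name' have no bound check,
 * so a long name overruns the heap block. Kept here only for comparison. */
struct record *parse_record_unsafe(const char *line)
{
    struct record *r = malloc(sizeof *r);
    if (!r) return NULL;
    const char *comma = strchr(line, ',');
    if (comma) {
        memcpy(r->name, line, (size_t)(comma - line));   /* no bound check */
        r->name[comma - line] = '\0';
        r->priority = atoi(comma + 1);
    } else {
        strcpy(r->name, line);                            /* no bound check */
        /* r->priority is never written: a later read returns stale heap data */
    }
    return r;
}

/* Corrected version: zero-initialize the allocation, give the optional field
 * an explicit default, and reject input that does not fit the destination. */
struct record *parse_record_safe(const char *line)
{
    struct record *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->priority = -1;                         /* explicit "not supplied" value */
    const char *comma = strchr(line, ',');
    size_t name_len = comma ? (size_t)(comma - line) : strlen(line);
    if (name_len >= NAME_MAX_LEN) {           /* would overflow: refuse it */
        free(r);
        return NULL;
    }
    memcpy(r->name, line, name_len);
    r->name[name_len] = '\0';
    if (comma) r->priority = atoi(comma + 1);
    return r;
}

/* Exercises the corrected parser on constructed inputs; returns 1 if all pass. */
int safe_parser_selftest(void)
{
    int ok = 1;
    struct record *a = parse_record_safe("alpha,7");
    ok &= (a != NULL && a->priority == 7 && strcmp(a->name, "alpha") == 0);
    free(a);
    struct record *b = parse_record_safe("beta");         /* no priority field */
    ok &= (b != NULL && b->priority == -1 && strcmp(b->name, "beta") == 0);
    free(b);
    /* 40-byte name: would overrun the 16-byte field, so it must be rejected */
    ok &= (parse_record_safe("this-name-is-far-too-long-for-the-buffer") == NULL);
    return ok;
}

int main(void)
{
    printf("safe parser self-test: %s\n", safe_parser_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The self-test only calls the corrected parser; the defective one is there to read, since its behaviour on the same inputs is undefined and depends on whatever the allocator hands back.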

Official announcement: https://support.f5.com/csp/article/K56715231

Message from F5 Networks – To whom it may concern (11-03-2021)

Preface: From a technical point of view, the attacker casts the returned void* to an int* and starts using it. It is one of the modern cyber attack techniques.

Background: The attacker would have to overwrite the return address with an address such as ”…………….“ where there is a “JMP RSP” instruction, and continue with their shellcode after this address. In this way even hardened system appliances become vulnerable. Can we say this is a design weakness in the coding? Or is the memory protection not sufficient?

Technical details: The F5 BIG-IP offers many programmable interfaces, from the control plane to the data plane.
iControl REST – REST-based API for imperative configuration and service control of BIG-IP from remote applications.
iControl (SOAP) – SOAP-based API for imperative configuration and service control of BIG-IP from remote applications.

Vulnerability details:

CVE-2021-22986 – The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical)
CVE-2021-22987 – When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical)

Official announcement: https://support.f5.com/csp/article/K02566623

SAP Security Patch Day – March 2021: Don’t forget to check your business client software.

Preface: In the history of SAP Business Client, it was rare to offer a Chromium web browser control based on CefSharp (CEF – Open Source Version of Google Chrome) as an alternative rendering engine to Microsoft IE. In 2018, the dream came true.

SAP Business Client software technical background: If the local client web browser does not work, the SAP client software falls back to the Internet Explorer browser control by default. Unfortunately, Chrome vulnerabilities are being exploited in the wild. According to CVE-2021-2116, a remote attacker could exploit some of these vulnerabilities to trigger denial of service, remote code execution, security restriction bypass and sensitive information disclosure on the targeted system.

Reference: Chrome OS is vulnerable to malicious extensions from badly programmed 3rd-party apps. It can also put your system at risk if you choose to run an extension “unsandboxed.”

Official announcement: (SAP Security Patch Day – March 2021) – please refer to the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107

One step closer – Remedy of SaltStack design weakness (8th Mar, 2021)

Preface: SaltStack was acquired by VMware on October 13, 2020. All SaltStack commercial information can be found on VMware.com. For the Salt open source project, visit saltproject.io.

Background: SaltStack is a configuration management and orchestration tool. It uses a central repository to configure new servers and other IT infrastructure in cloud computing environments. It can make changes to existing servers and computing devices and install software in the system environment. It allows cloud infrastructure to be managed and scaled with no downtime or interruptions.
Reportedly, 139 companies use Salt in their tech stacks, including Robinhood, Lyft, and LinkedIn.

Official announcement: All related vulnerabilities and remediation can be found in this link – https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Security Focus: Modern system architecture design simplifies the synchronization process in order to update the whole system infrastructure. For example, blockchain relies on atomic broadcast to update the whole network. Similarly, SaltStack can synchronize all minions with one command (salt * saltutil.sync_all). If access control is not set up correctly, it will be impacted by the vulnerabilities found this time. CVE-2021-25281 – salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel module on the master. So we must stay alert!

Sometimes internal threats are more dangerous than external anonymous threats! (7th March 2021)

Preface: In computing, ioctl (an abbreviation of input/output control) is a system call for device-specific input/output operations and other operations which cannot be expressed by regular system calls.

Background: The ioctl design is considered bad for numerous reasons when exposed publicly, and therefore some people suggest replacing ioctl with Netlink. Netlink is a very good way for two-way data transmission between the kernel and user applications. Therefore, there is infrastructure to provide async events from transports to userspace via netlink. Users can send files associated with Netlink messages and iSCSI, whose maximum length is the maximum length of a Netlink message.

Vulnerability details: Per the user instructions, a netlink message requires referencing the structures struct msghdr, struct nlmsghdr and struct iovec when sending netlink messages using the function sendmsg. After completing those steps, the message can be sent directly with the following statement: sendmsg(fd, &msg, 0). However, the fault found is that the existing design gives an unprivileged user the ability to craft Netlink messages. There are a total of 3 different vulnerabilities: CVE-2021-27364, CVE-2021-27363 and CVE-2021-27365.
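The following C snippet is an added example (constructed for this page; it is not kernel code and not the code of any vendor named here) of the message construction just described: a struct nlmsghdr followed by its payload, carried through struct iovec and struct msghdr to sendmsg(fd, &msg, 0). It also shows the receiver-side check that a handler with a fixed-size buffer needs before trusting an nlmsg_len it did not write: the header must be complete, nlmsg_len must not exceed the bytes actually received, and the payload must not exceed what the handler can store. The message type 0x1000 and the 64-byte handler bound are assumptions for the example; the self-test runs offline and never opens a socket.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* Constructed example, not kernel or vendor code. */
#define EXAMPLE_MSG_TYPE    0x1000  /* hypothetical type in the user-defined range */
#define HANDLER_MAX_PAYLOAD 64      /* hypothetical size of the receiver's buffer */

/* Serialize header + payload into buf. Returns total bytes written, or 0 if
 * the message would not fit. */
size_t build_netlink_msg(unsigned char *buf, size_t bufsize,
                         unsigned short type, unsigned int seq,
                         const void *payload, size_t payload_len)
{
    if (payload_len > 0xFFFFFFFFu - NLMSG_HDRLEN)   /* nlmsg_len is 32-bit */
        return 0;
    size_t total = NLMSG_SPACE(payload_len);        /* header + payload + pad */
    if (total > bufsize)
        return 0;
    memset(buf, 0, total);                          /* no stale bytes in padding */
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len   = NLMSG_LENGTH(payload_len);   /* header + payload, unpadded */
    nlh->nlmsg_type  = type;
    nlh->nlmsg_flags = NLM_F_REQUEST;
    nlh->nlmsg_seq   = seq;
    nlh->nlmsg_pid   = 0;                           /* conventional for requests */
    memcpy(NLMSG_DATA(nlh), payload, payload_len);
    return total;
}

/* The sendmsg() pattern from the text: iovec -> msghdr -> sendmsg(fd, &msg, 0).
 * Destination port 0 addresses the kernel. Returns 0 or -errno. */
int send_netlink_msg(int fd, const unsigned char *buf, size_t len)
{
    struct sockaddr_nl dst = { .nl_family = AF_NETLINK };
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_name    = &dst;
    msg.msg_namelen = sizeof dst;
    msg.msg_iov     = &iov;
    msg.msg_iovlen  = 1;
    return sendmsg(fd, &msg, 0) < 0 ? -errno : 0;
}

/* Receiver-side check. Returns the payload length, or -1 if the message must be
 * dropped: truncated header, nlmsg_len larger than the bytes received, or a
 * payload larger than the handler's buffer. */
long validate_netlink_msg(const unsigned char *buf, size_t received,
                          size_t max_payload)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (!NLMSG_OK(nlh, (int)received))      /* len >= header and len <= received */
        return -1;
    size_t payload = nlh->nlmsg_len - NLMSG_HDRLEN;
    if (payload > max_payload)              /* the bound a fixed buffer needs */
        return -1;
    return (long)payload;
}

/* Builds one message, then checks that the validator accepts it and rejects
 * two malformed variants. Returns 1 on success. All inputs are constructed. */
int netlink_selftest(void)
{
    unsigned char wire[NLMSG_SPACE(HANDLER_MAX_PAYLOAD) * 2];
    const char payload[] = "constructed payload";      /* 20 bytes with NUL */
    size_t len = build_netlink_msg(wire, sizeof wire, EXAMPLE_MSG_TYPE, 1,
                                   payload, sizeof payload);
    if (len == 0) return 0;
    if (validate_netlink_msg(wire, len, HANDLER_MAX_PAYLOAD) != (long)sizeof payload)
        return 0;
    /* Header claims a payload one byte larger than the handler can hold. */
    ((struct nlmsghdr *)wire)->nlmsg_len = NLMSG_LENGTH(HANDLER_MAX_PAYLOAD + 1);
    if (validate_netlink_msg(wire, NLMSG_SPACE(HANDLER_MAX_PAYLOAD + 1),
                             HANDLER_MAX_PAYLOAD) != -1)
        return 0;
    /* Same header, but fewer bytes were received than nlmsg_len announces. */
    if (validate_netlink_msg(wire, len, HANDLER_MAX_PAYLOAD) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("netlink build/validate self-test: %s\n",
           netlink_selftest() ? "ok" : "FAILED");
    return 0;
}
```

send_netlink_msg() is included to show the sendmsg() call shape from the text; the self-test deliberately stops at build and validate so it can run without netlink privileges or a live socket.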

Impact: No vendor has announced that its products are affected by these design weaknesses. Perhaps we should keep our eyes open and see whether any related information will be issued by vendors in future.

A vulnerability was found in the Ethernet Frame Decoder component of Snort. It impacts all versions of the popular open source intrusion prevention and intrusion detection system (IPS/IDS) prior to 2.9.17, said Cisco. (3-3-2021)

Preface: Snort is an open-source, free and lightweight network intrusion detection system. The Snort Subscriber Ruleset is developed, tested, and approved by Cisco Talos.

Background: Sourcefire, Inc. was a technology company that developed network security hardware and software. The company’s Firepower network security appliances were based on Snort. Snort has three primary uses: as a packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging), or as a full-blown network intrusion prevention system.

Vulnerability details: CVE-2021-1285 can be exploited by an unauthenticated, adjacent attacker (an attacker on the same layer 2 domain as the victim) to cause a device to enter a DoS condition by sending it specially crafted Ethernet frames. A successful exploit could allow the attacker to exhaust disk space on the affected device, thereby creating a denial of service.

Official Announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-ethernet-dos-HGXgJH8n

The famous MSS became a victim. Was it attacked by Maze ransomware? (3rd Mar, 2021)

Background: In July last year (2020), the Secret Service warned that since MSPs service a large number of organizations at the same time through remote administration tools, cyber criminals are specifically targeting MSPs to conduct their attacks at scale, infecting multiple companies through the same vector.

Incident details: CompuCom began contacting customers to alert them that their company systems had suffered a cyber attack. However, the details did not mention what type of cyber attack occurred. Unofficial news suggested it was perhaps ransomware.

Reference: Maze ransomware relies on CVE-2018-8174. This ransomware aims to obtain user credentials before proceeding to reconnaissance. Presumably, the attacker collects user credentials by guessing default/weak passwords or by spear-phishing with a targeted mail carrying a .docx attachment containing a malicious macro. When an attacker compromises the system, they use the vulnerability to escalate privileges. Upon completion, it performs the ransomware encryption operations.

Headline News: CompuCom Issues Statement Regarding Malware Incident – https://finance.yahoo.com/news/compucom-issues-statement-regarding-malware-212400889.html

Microsoft fixes actively exploited Exchange zero-day bugs (2nd Mar 2021). When a service is not in use, you should disable it immediately.

Preface: The Microsoft Exchange Unified Messaging service on the Mailbox server will accept connections from a Client Access server on SIP ports 5062 and 5063.

Technical background: Unified Messaging (UM) enables users to use voice mail and other features, including Outlook Voice Access and Call Answering Rules. UM combines voice messaging and email messaging into one mailbox that can be accessed from many different devices.

Security Focus – Vulnerability details: This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to the Exchange server on port 443.

Workaround: Restrict untrusted connections, or set up a VPN to separate the Exchange server from external access.

Reference: ‘Buffer overflow can happen as part of SIP message packet processing while storing values in array due to lack of check to validate the index length’ in Snapdragon Auto, Snapdragon Compute, …….

Official announcement: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

CVE-2021-25296 – Nagios XI version xi-5.7.5 is affected by OS command injection. (1st Mar, 2021)

Preface: Vulnerabilities are inevitable! For instance, an injection vulnerability will be managed by detective controls. As usual, conducting remediation is the preventive and corrective control. In reality, the find-and-fix approach reduces the effectiveness of the defense concept. Zero Trust solutions will be applied sooner or later, especially in endpoint environments.

Background: The marketing slogan says SIEM is used for log analysis and Nagios is used for continuous monitoring. However, SIEM products since ArcSight can do continuous monitoring very well, so perhaps we would say SIEM can do both continuous monitoring and log analysis. Nagios’ ready-to-use features are its benefit, because implementation can be done quickly. Thereby, the Nagios product covers some part of IT operations.

Vulnerability details: A design weakness was found in the plugin_output_len variable. The flaw is that it is not passed through a sanitization function and thus gives an attacker a way to execute commands. The code location is the following file path: [/]usr[/]local[/]nagiosxi[/]html[/]includes[/]configwizards[/]windowswmi[/]windowswmi.inc.php

Remedy: The supplier has no announcement at this time. – http://nagios.com

Reference: To avoid the impact of command injection on software application design, the digital world should follow the Zero Trust security model. For more details, please refer to the link:
https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF

Security Focus: VMware vCenter Server remote code execution vulnerability in vSphere client (CVE-2021-21972) – 24th Feb, 2021

Background: The earlier release of vRealize Operations Manager with vCenter Server shipped with the NGC plugin. The new vRealize Operations Manager plugin in vCenter Server provides a mechanism to supply specific metrics and high-level information about data centers, datastores, VMs, and hosts for vCenter Server and vSAN. The plugin is supported only in the HTML5 version of the vSphere Client.

Reminder: If an administrator installs a plug-in in an instance of the vSphere Web Client, the plug-in can execute arbitrary commands with the privilege level of that administrator.

Vulnerability details: The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin.

Scenario: Perhaps an attacker can make use of a tool written in Python to create a zip file that contains files with directory traversal characters in their embedded paths. If a program and/or library does not prevent directory traversal characters, then the tool can be used to generate zip files that, once extracted, place a file at an arbitrary location on the target system.
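The extraction-side check that prevents this, as an added example written for this page (it is not VMware's or the plugin's code): before any archive entry is written to disk, its embedded name is resolved component by component, and it is accepted only if it is relative and never climbs above the extraction root. Absolute POSIX and Windows paths are rejected outright, and both "/" and "\" are treated as separators since archive tools disagree on which one they emit. The function names, the 1024-byte path limit and the sample entry names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not VMware or plugin code: the check an extractor
 * should apply to every entry name before creating a file for it. */

#define ENTRY_MAX 1024   /* assumed limit for a joined output path */

/* Returns 1 if 'entry' is safe to extract under a root directory, 0 otherwise.
 * Safe means: relative, and after resolving "." and ".." it still names
 * something strictly below the root. */
int entry_path_is_safe(const char *entry)
{
    if (entry == NULL || entry[0] == '\0')
        return 0;
    /* Absolute forms: "/etc/x", "\\share\\x", "C:\\dir\\x". */
    if (entry[0] == '/' || entry[0] == '\\')
        return 0;
    if (((entry[0] >= 'A' && entry[0] <= 'Z') ||
         (entry[0] >= 'a' && entry[0] <= 'z')) && entry[1] == ':')
        return 0;

    /* Walk the components, tracking how deep below the root the path is. */
    int depth = 0;
    const char *p = entry;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t n = (size_t)(p - start);
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0)               /* climbed above the root */
                return 0;
        } else if (n > 0 && !(n == 1 && start[0] == '.')) {
            depth++;                       /* a real path component */
        }
        if (*p) p++;                       /* skip the separator */
    }
    return depth > 0;                      /* "a/.." resolves to the root itself */
}

/* Build root + "/" + entry into out, refusing unsafe entries. Returns 0 on
 * success, -1 if the entry is unsafe or the result does not fit. */
int join_under_root(const char *root, const char *entry, char *out, size_t outsize)
{
    if (!entry_path_is_safe(entry))
        return -1;
    int n = snprintf(out, outsize, "%s/%s", root, entry);
    return (n < 0 || (size_t)n >= outsize) ? -1 : 0;
}

int main(void)
{
    /* Constructed entry names, as an archive's central directory might list them. */
    const char *entries[] = {
        "docs/readme.txt", "a/b/../c.txt", "../../../tmp/escape.txt",
        "a/../../x", "/etc/passwd", "C:\\Windows\\x.dll", "./", ""
    };
    char out[ENTRY_MAX];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        if (join_under_root("/var/extract", entries[i], out, sizeof out) == 0)
            printf("extract   %-28s -> %s\n", entries[i], out);
        else
            printf("REJECT    %-28s\n", entries[i]);
    }
    return 0;
}
```

Checking the name is necessary but not the whole story: an extractor that follows symlinks it has just created can still be redirected, so the same code should also refuse to write through a symlink inside the root.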

Workaround: The affected vCenter Server plugin for vROPs is available in all default installations. It is recommended to disable it immediately. Official recommendation: https://kb.vmware.com/s/article/82374

Remediation: To remediate CVE-2021-21972, apply the updates. Please refer to the link – https://www.vmware.com/security/advisories/VMSA-2021-0002.html

antihackingonline.com