Search This Blog

Showing posts with label Security patches. Show all posts

SAP Issued Warning and Updates Regarding the Serious Flaws with the Code Injection

 

A German multinational software corporation SAP ( Systems Applications and Products in Data Processing ) is known for developing software solutions that work on managing business operations as well as customer relations. SAP is the name of their software as well as of the company that works on this technology. SAP provides “future-proof Cloud ERP (Enterprise Resource Planning) solutions that will power the next generation of business.” With its advanced capabilities, SAP can boost your organization's efficiency and productivity by automating repetitive tasks, making better use of your time, money, and resources. 

SAP has published some 14 new updates or the Security Note on the 2020 December Patch Day. Whereas in January 2021 they published another set of 7 new Security Notes, later providing their new updates as well. Five of the seven have the highest severity rate of the Hot News. Later in the month, they made a proclamation where they published 10 advisories to a document of flaws ad fixes for a range of serious security vulnerabilities. In the congregation of asserted vulnerabilities, the most important issue bears a CVSS score of 9.9 in the SAP Business Warehouse. 

 The very first note addressed CVE-2021-21465 which according to SAP is multiple issues in the Database Interface. These bugs are an SQL Injection with a missing authorization check which should have featured a CVSS score of 6.5. A SQL Injection is basically a code injection technique that might at times destroy the database interface. One of the most common hacking technique used by hackers is SQL Injection. In the SQL Injection, another thing that was missing was Onapsis, a firm that secures Oracle and SAP applications. These missing authorization checks would easily exploit to read any table of a database. 

 Mentioning that minimum privileges are required for successful exploitation, Onapsis in a blog quoted, “An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system,” SAP decided to fix such bugs b disabling the function module and applying the patches that will result in abandoning of all the applications that call this function module. 

 Another serious issue, other than the aforementioned issue, is a code injection flaw in both Business Warehouse and BW/4H4NA , that addresses as CVE-2021-21466. This issue is a result of insufficient input validation. Such flaws are misused to inject malicious code that gets stored persistently as a repot. These issues potentially affect the confidentiality, integrity, and availability of systems. The remaining three from the total five updates are fixes for the programs released in 2018 and 2020. 

 Further SAP added as a warning, “An issue in the binding process of the Central Order service to a Cloud Foundry application” that could have allowed “unauthorized SAP employees to access the binding credentials of the service”.

NSA Issued Warning Against Russian State-Sponsored Attackers for Exploiting VMware Access

An advisory warning has been issued by the United States National Security Agency (NSA) on 7th December that Russian malicious actors are posing a big threat to VMware by installing malware on corporate systems and accessing protected data. 
The attack came two weeks after the virtualization software company publicly disclosed vulnerabilities. According to the company malicious actor (s) is accessing —VMware workspace one, Connector, Identity Manager, and Identity Manager Connector products for Windows and Linux. However, the identities of malicious actors and when all of this started have not been disclosed. 

What is VMware? 

VMware is an American Software Company that provides cloud computing and virtualization software and services. VMware was one of the commercially successful companies to virtualize the x86 architecture.

Its desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without requiring an additional underlying operating system. 

When The Threat Surfaced? 

It was about in late November when Vmware had addressed the attacking threat and pushed temporary workarounds to dig deeper into the issue. However, the ‘escalation-of-privileges ‘bug resolution had to wait till the 3rd of December 2020 to get resolved. 

The same day witnessed the United States Cybersecurity and Infrastructure Security Agency (CISA) releasing a brief bulletin to encourage administrators to review, apply, and patch as soon as possible.

Meanwhile, as per the National Security Advisor, VMware didn’t clearly disclose that the bug was being actively exploited by the attackers, which led to adversaries leveraging the vulnerability for launching attacks to steal data and exploit shared authentication systems. 

''The misuse via shell injection led to the installation of a web shell and follow up malicious activity where Security Assertion Markup Language (SAML) in the form of authentication assertions generated and sent to Microsoft Active Directory Federation Services, which allow actors access to protected data," the agency said. 

What is SAML? 

Security Assertion Markup Language or SAML an Open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). 

Besides insisting on the organizations to update compromised systems to the latest version, the agency is also moving forward towards securing strong management. 

As of now, the threat hasn’t gone anywhere; the US National Security Advisory has advised the agencies to monitor all the systems, scan server logs for the presence of "exit statements" that indicate possible malicious activity. 

Attention! Malvertising Campaigns Using Exploit Kits On The Rise


Of all the things that online advertising could be used for, spreading malware is the one that throws you off the list by surpassing them all.

Not of late, researchers found out a recent ‘Malvertising’ campaign and sources say that it was done by way of the “Domen Social Engineering Toolkit”.
‘Malvertising’ (malicious advertising) could be defined as using online advertising means for spreading malware. Most typically it is done by inserting malware or malicious advertisements into legitimate advertising web pages or networks.

Per informed sources, this campaign was uncovered while trying to influence a VPN service as bait. It displayed a group of domains that gave Domen’s attack mechanism a fresh bend.

The construction of the campaign, as mentioned in reports, was such that ‘search-one[.]info’ was comprised in it as the ‘fake’ page, ‘mix-world[.]best’ as the download site and ‘panel-admin[.]best as the backend panel.

As revealed in reports, the campaign managed to redirect the users and bare them to ‘Smoke Loader’. This is conceivably a downloader that installs secondary payloads. And that’s what it did. They consisted of a ‘Vidar stealer’, ‘Buran ransomware’ and ‘IntelRapid cryptominer’.

Need not to mention, this campaign isn’t the first one to surface which was focused on payloads. Women's malvertising per source had commenced in September last year. The social engineering toolkit was employed to exploit the website and fool users into clicking on a fake ‘Adobe Flash Player’ update. The clicking would start a download of “download.hta”. Afterward, by way of employing PowerShell to connect to “xyxyxyxyxy[.]xyz”, only to download the 'NetSupport Remote Access Trojan' (RAT), later.

With amplification in the usage of the internet and online means, it becomes a top priority to build up a structured and strong defense mechanism to fight and prevent Malvertising.

Hiring security professionals is a safe pre-requisite and a building block towards creating the defense structure. Keeping abreast of the latest updates and patches must be a primary priority.

Word has it that in most cases the ‘exploit kits’ are employed to disseminate the malware payloads. Hence the organizations should have a clear account of all its obstruction points so that Malvertising campaign’s attack payloads could be detected and dealt with in time.

Security Flaw in Oracle POS systems discovered

Researchers at ERPScan have discovered a new security flaw in the Oracle Micros Point-of-Sale (POS) systems that has left over 300,000 systems vulnerable to attack from hackers.

It was discovered in September 2017 by Dmitry Chastuhin, a security researcher, and was named “CVE-2018-2636”.

Oracle has already issued updates for this issue earlier in the month but due to companies’ fear of unstable patches and losses, it is suspected that it may take months for the patch to reach affected systems.

According to Chastuhin, the POS malware enables hackers to collect configuration files from the systems and gain access to the server.

Hackers can also exploit the flaw remotely using carefully crafted HTTP requests. Many of the vulnerable systems have already been misconfigured to allow such access and are available online to be easily exploited if the patches aren’t used soon.

Patches for the flaw were made available in January 2018 in Oracle’s Critical Patch Update (CPU). More information on the bug can be found here.

Microsoft provides urgent security fix for Windows

Microsoft has recently provided a security fix for its Windows operating systems to plug a lapse in security that allowed hackers access to a victims computer.

Microsoft has said that the vulnerability present in their operating system would have allowed a hacker to gain complete access to an affected computer.

The vulnerability is present in Windows Vista, Windows 7, Windows 8 and 8.1 and Windows RT. These operating systems represent two out of three computers in the world that run a Microsoft operating system.

The company had previously provided an update like this in November 2014 also.

The flaw is said to exist in the final version of Windows 10 also that will be available to users from July 29.

The security fix will be done through Windows Update