Posts

Microsoft Security Bulletin Coverage for November 2021

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of November 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-38666 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 254: Malformed-File exe.MP_220

CVE-2021-42292 Microsoft Excel Security Feature Bypass Vulnerability
ASPY 253: Malformed-File xls.MP_74

CVE-2021-42298 Microsoft Defender Remote Code Execution Vulnerability
ASPY 252: Malformed-File html.MP_111

The following vulnerabilities do not have exploits in the wild :
CVE-2021-26443 Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26444 Azure RTOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36957 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-3711 OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow
There are no known exploits in the wild.
CVE-2021-38631 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38665 Remote Desktop Protocol Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40442 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41349 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41351 Microsoft Edge (Chrome based) Spoofing on IE Mode
There are no known exploits in the wild.
CVE-2021-41356 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-41366 Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41367 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41368 Microsoft Access Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41370 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41371 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41372 Power BI Report Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41373 FSLogix Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41374 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41375 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41376 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41377 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41378 Windows NTFS Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41379 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42274 Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-42275 Microsoft COM for Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42276 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42277 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42279 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-42280 Windows Feedback Hub Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42282 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42283 NTFS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42284 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-42285 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42286 Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42287 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42288 Windows Hello Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-42291 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42296 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42300 Azure Sphere Tampering Vulnerability
There are no known exploits in the wild.
CVE-2021-42301 Azure RTOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-42302 Azure RTOS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42303 Azure RTOS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42304 Azure RTOS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42305 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-42316 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42319 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42321 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-42322 Visual Studio Code Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-42323 Azure RTOS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-43208 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-43209 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.

SolarWinds Orion Platform RenderControl.aspx Vulnerability

/in /by

Overview:

  The SolarWinds Orion Platform is the base platform used by numerous SolarWinds products such as Network Performance Monitor, Virtualization Manager, and Server Configuration Monitor. The platform is designed to seamlessly integrate all Orion-based products into a single interface. The core Orion platform utilizes a web-based interface built using ASP.NET and by default is accessible via HTTP on port 8787

  An insecure deserialization vulnerability has been reported in SolarWinds Orion, the core platform for multiple SolarWinds products. The vulnerability is due to insufficient validation of user-supplied JSON data submitted to the RenderControl.aspx endpoint.

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation results in remote code execution under the security context of NETWORK SERVICE.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-35215.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.9 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Several UI elements in SolarWinds Orion Platform utilize controls to render customized ASP.NET pages. To load the content of these custom controls, the application sends a POST request to the endpoint “/Orion/ RenderControl.aspx”. This endpoint reads the type of the control from the Control parameter and the control’s properties from the config parameter. These parameters can be submitted either via the request-URI query or via a JSON object in the HTTP body of the request. When the endpoint processes the request, it first loads the requested control, then sets each of the control’s properties as set in the config parameter. The control parameters are set by invoking the setter function associated with each property.

  An insecure deserialization vulnerability exists in SolarWinds Orion Platform. The vulnerability is due to a lack of sanitization of parameters sent to the RenderControl.aspx endpoint. This endpoint allows loading an arbitrary control, and setting properties of that control to arbitrary values. Due to the fact there is no check to see if a given control property setter method is safe to be invoked, a malicious control, such as an instance of the SolarWinds.Orion.Web.Actions.ActionPluginBaseView class with a crafted ViewContextJsonString property may be sent by an attacker. This results in invocation of the ParseViewContext() method on the malicious property, which in turn calls the JsonConvert.DeserializeObject() method to deserialize the property as SolarWinds.Orion.Core.Models.Actions.Contexts.AlertingActionContext if the EnviromentType property is set to “Alerting”, or as SolarWinds.Orion.Core.Models.Actions.Contexts.ReportingActionContext if the EnviromentType property is set to “Reporting”. Both of these classes inherit from SolarWinds.Orion.Core.Models.Actions.Contexts.ActionContextBase, which can be leveraged to achieve remote code execution using the known gadget chain used in the public exploit for CVE-2021-31474.

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted serialized object to the target server. Successful exploitation can result in arbitrary code execution under the security context of NETWORK SERVICE.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the target server.
  • The attacker must authenticate to the target application.

Triggering Conditions:

  The attacker authenticates to the target application. Next, the attacker sends a crafted HTTP request to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8787/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 2168 SolarWinds Orion RenderControl Insecure Deserialization

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch resolving the vulnerability.
    • Upgrading to a version unaffected by the vulnerability.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Foxxy RaaS released. Decryption key and function present in sample

/in /by

The SonicWall Capture Labs threat research team has come across new ransomware known as Foxxy.  This ransomware appeared in late October 2021 and the sample we have obtained appears to be a proof of concept that has been released into the wild from an unknown source.  After further investigation, we discovered that this ransomware is from a suite of services supplied by the operator.  The malware charges 0.9 BTC (around $55k USD at this time) for file recovery.  However, there is no way to communicate with the operators.

 

 

Infection Cycle:

 

The malware uses the following icon:

 

Upon infection, the malware encrypts files on the system and appends “.foxxy” to their filenames.  The following message is shown on the desktop:

 

The following file is added to the system:

  • %USERPROFILE%\Desktop\___RECOVER__FILES__.foxxy.txt

 

___RECOVER__FILES__.foxxy.txt contains the following message:

 

The malware is written in C# for the .NET framework and is easy to decompile.  Decompilation reveals the intent of the malware and shows the encryption key and ransom message:

 

The encryption function and key can be clearly seen in the code.  It uses Rijndael symmetric encryption.  Because the encryption method is symmetric, the key used for encryption can be used for decryption as long as the same “randomSalt” value is used:

 

The malware also includes the decryption function.  Usually, with most ransomware, this is not the case.  Most operators will only supply decryption software after payment:

 

The malware supplies “foxxy.tiiny.site” as an email address for file recovery consultation.  However, this is not an email address.  It is a website that sells foxxy ransomware:

 

In addition to selling foxxy ransomware, the operators sell various other services such as DDoS and password cracking:

 

The “Malware (Raas)” button leads to the following page detailing the features of foxxy ransomware:

 

This site has since been taken offline.

 

There has been some activity at the supplied bitcoin address but it is unclear as to whether or not this is the result of the ransomware itself:

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Foxxy.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Apache Httpd Traversal Vulnerability

/in /by

Overview:

  The Apache HTTP server is the most popular web server used on the Internet. The server is capable of being utilized with many different options and configurations. A wide variety of runtime loadable plug-in modules can be used to extend its functionality.

  A directory traversal vulnerability exists in Apache httpd. The vulnerability is due to improper normalization of paths in the request URI.

  A remote attacker could exploit the vulnerability by sending a crafted HTTP request to the target server. Successful exploitation would result in disclosure of the content of files outside the expected document root, or in the worst case, execution of arbitrary code under the security context of the server process.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-41773.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  When httpd receives an HTTP request, it is handled by the ap_process_async_request() function. The request data is processed by the ap_process_request_internal() function. This function normalizes the path submitted in the request URI by calling the ap_normalize_path() function. This function normalizes the path submitted by decoding URL-encoded characters, collapsing multiple slash (‘/’) characters, and interpreting “../” by traversing to the parent directory in the path.

  After the normalization function, the ap_run_translate_name() function is called, which calls translate_alias_redir(). This function calls try_alias_list(), which looks up any ScriptAlias entries in the httpd server configuration file that match the request URI. If a match is found, apr_filepath_merge() is called, which merges the server root path with the normalized path. The merged path is later saved to the filename field of the request_rec structure. Next, access permissions are checked by calling ap_run_access_checker_ex(), which looks up the appropriate Require entries in the httpd server configuration.

  If access is allowed, the appropriate handler is invoked for processing the request. If the request URI path begins with “/cgi-bin/”, and the mod_cgi module is enabled in the server configuration, the cgi_handler() function is called to handle the request. This function uses the filename field of the request_rec structure to build an OS command and runs the command in a child process. Then, the HTTP POST request data submitted is sent to the created process as input.

  A directory traversal vulnerability exists in Apache httpd. The vulnerability is due to a flaw in the normalization of the path submitted in the URI of HTTP requests. The ap_normalize_path() function attempts to resolve “../” sequences in the path by traversing to the parent directory. However, if the second dot character (‘.’) in a “../” sequence is URL-encoded (i.e. “.%2e/”), the “../” sequence will not be interpreted and the sequence will remain in the normalized path. When this path is later merged with the server root path using the apr_filepath_merge() function, the resulting path saved to the filename field of the request_rec structure could traverse beyond the server root path. If access is granted to the server’s root directory and the mod_cgi module is enabled, an arbitrary executable on the server can be called, leading to arbitrary code execution.

  A remote attacker could exploit this vulnerability by sending a request with a crafted URI to the target service. Successful exploitation could lead to exposure of the contents of arbitrary files on the server. If the mod_cgi module is enabled, exploitation could lead to execution of arbitrary code on the target server.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • Permissions must be granted to the server’s root directory in the httpd.conf configuration file.
  • Arbitrary code on the target server, the mod_cgi module must be enabled in the httpd.conf configuration file.

Triggering Conditions:

  The attacker sends an HTTP request with a maliciously crafted URI path. The vulnerability is triggered when the server attempts to process the HTTP request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

  Http Request:

  

  Http Request In Text:

  

  Password File:

  

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 2140 Web Application Directory Traversal 48

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

PowerShell script that steals email addresses from Outlook

/in /by

SonicWall Threats Research team has observed an obfuscated batch(BAT) file inside an archive which is delivered to the victim’s machine as an email attachment. The BAT file executes a PowerShell script which steals and sends email addresses from Outlook contacts:

 

BATCH SCRIPT:

The batch script contains a PowerShell cmdlet which communicates over HTTPS to execute remote PowerShell script:

 

PowerShell SCRIPT:

The PowerShell script is responsible for stealing and sending Outlook contacts email addresses to the remote machine.

The PowerShell script checks for the presence of file ‘$env:APPDATA\Microsoft\.Outlook’ , to ensure its single execution for a machine. If the file is already present then this script does not execute:

 

The PowerShell script enumerates outlook contacts and retrieves their email addresses to add them in a global list. However the code won’t work as it needed correction in the variable name and a property field as highlighted in the below snippet:

 

 

The stolen email addresses are sent to the remote machine at “https://puwq9m8p.educabrasil.live/gravadados.php?lista=”:

 

Unavailability of the archive file in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs indicates its uniqueness and limited distribution:

 

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Squid Game themed Android malware hides SpyNote spyware

/in /by

The series Squid Game has been a global phenomenon in the last few weeks and malware writers are using this popularity as a means to spread their malicious creations. We have started seeing numerous malicious Android apps use the name and icons of Squid Game. One of the highlights was SpyNote that has been masquerading as popular Android apps.

We have reported previously about the android spyware SpyNote that masquerades itself as popular applications. It uses the popularity of these apps to spread the infection and in this case its using the popularity of Squid Game to do the same.

 

  • Application Name: Squid Game Fake Call 1
  • Package Name: cmf0.c3b5bm90zq.patch
  • MD5: 785a9475c1088a798512ca6ab6d8b0f1

The app requests for a large number of suspicious permissions for a application that does ‘Fake Call’:

 

SpyNote requests for accessibility services and device admin privileges once installed and executed:

Spynote can install a legitimate apk present in the resources – res/raw/google.apk. It uses this to list a legitimate accessibility services entry when executed.

 

Upon execution the icon disappears from the app drawer but in the background the malware starts performing malicious actions. Few functionalities are listed below:

  • The app checks the applications installed on the device:

 

  • It uses hardcoded server address and port number and later communicates using sockets:

 

  • We identified multiple malicious apk’s that are linked to this campaign as they communicate with the same server, below VirusTotal graph highlights this:

 

  • It captures details about the device which can be used by the perpetrators to identify the victim and gather additional details. Following was identified:
    • Device manufacturer
    • Device model
    • OS version
    • SIM
    • Wifi
    • Bluetooth
    • Location

 

  • It has access to call logs and can make calls from the infected device:

 

SpyNote has been known to masquerade as popular Android apps. It is good at selecting trending topics and modifying the malware look and feel to mimic on such topics. We anticipate more malware writers to follow this trend and use the popularity of Squid Game to spread malware.

 

Sonicwall Capture Labs provides protection against multiple threats associated with this campaign using the signatures listed below:

  • AndroidOS.SpyNote.GN
  • AndroidOS.SpyNote.PT
  • AndroidOS.SpyNote.SP
  • AndroidOS.SpyNote.SC

Free game download links spread via Facebook come with free Infostealer

/in /by

Even back in the day, cybercriminals have been masking malware within pictures, screensavers or games that can be downloaded for free. But now, since the Internet has grown immensely into a huge form of entertainment for everyone especially with the popularity of social media, the threat from free downloads has greatly multiplied. This week we have come across free game download being distributed on Facebook which installs malware.

Infection cycle:

The sample we observed purportedly installs a free Nintendo Super Mario game. The main installer uses the following icon:

Upon execution it displays a fake splash screen that appears to install the game.

But instead it drops a Trojan along with a few legitimate libraries and python packages which it uses for a robust set of functionalities including data gathering and reconnaissance, downloading additional software, messaging functionality, receive commands from a remote server and more.

No game is installed but upon successful installation, the Trojan, janma.exe, runs in the background and begins gathering information about the victim machine like querying system security settings, browser settings, etc.

It intermittently sends and receives data from a remote server.

To maintain persistence it adds 5 scheduled jobs named “UpdateCore0x” to run a copy of the Trojan upon logon and every 10 minutes.

During further analysis, we observed that this Trojan gathers a lot of Facebook account information that might be available on the victim’s machine.

It gathers login information that might have been saved in the internet browsers.

It has the ability to add friends and confirm pending requests. In case the victim uses Facebook ad account, it has the ability to look at ad spent, retrieve ad ids, ad status and disable notifications, and therefore the victim will not be notified if there are any changes made on their ad account.

It also has the functionality to change Facebook security settings, check if the user uses two-factor authentication and to retrieve recovery codes.

This extensive amount of account information gathered can presumably be used to further this malicious campaign and spread via Facebook.

As always we urge our users to be vigilant and to be cautious of any free software download specially if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: FBSpam.FB (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

 

WordPress WooCommerce Plugin SQL Injection

/in /by

WooCommerce Blocks offers a range of Gutenberg blocks you can use to build and customize your site. Designed to work with the new Block Editor introduced with WordPress 5.0, WooCommerce Blocks offers a range of blocks you can use to build and customize your site. A SQL injection vulnerability exists in the WooCommerce Blocks feature WordPress plugin.

Sql Injection
SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data and execute administration operations on the database.

WordPress WooCommerce Plugin SQL Injection vulnerability | CVE-2021-32789
All WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16 are vulnerable to sql injection.This vulnerability could be exploited via a carefully crafted URL exploit against the   endpoint. A successful attack could lead to sensitive information disclosure. No authentication is needed to execute this attack.

Typical attack looks like this


This query will pull all the table schema information from the database.


This query will return admin users.


The query will return associated database fields with hashed passwords.

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via following signatures:

  • IPS 15661: WordPress WooCommerce Plugin SQL Injection

Threat Graph

Microsoft Security Bulletin Coverage for October 2021

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of October 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-40443 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 230:Malformed-File exe.MP_205

CVE-2021-40449 Win32k Elevation of Privilege Vulnerability
ASPY 235:Malformed-File exe.MP_210

CVE-2021-40450 Win32k Elevation of Privilege Vulnerability
ASPY 236:Malformed-File exe.MP_211

CVE-2021-40466 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 237:Malformed-File exe.MP_212

CVE-2021-40467 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 231:Malformed-File exe.MP_206

CVE-2021-40470 DirectX Graphics Kernel Elevation of Privilege Vulnerability
ASPY 232:Malformed-File exe.MP_207

CVE-2021-40487 Microsoft SharePoint Server Remote Code Execution Vulnerability
ASPY 233:Malformed-File exe.MP_208

CVE-2021-41357 Win32k Elevation of Privilege Vulnerability
ASPY 234:Malformed-File exe.MP_209

Adobe Coverage:
CVE-2021-40728 Use After free Vulnerability
ASPY 239:Malformed-File pdf.MP_510

The following vulnerabilities do not have exploits in the wild :
CVE-2020-1971 OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference
There are no known exploits in the wild.
CVE-2021-26427 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26441 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26442 Windows HTTP.sys Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34453 Microsoft Exchange Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-3449 OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing
There are no known exploits in the wild.
CVE-2021-3450 OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT
There are no known exploits in the wild.
CVE-2021-36953 Windows TCP/IP Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-36970 Windows Print Spooler Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38662 Windows Fast FAT File System Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38663 Windows exFAT File System Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38672 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40454 Rich Text Edit Control Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40455 Windows Installer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-40456 Windows AD FS Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-40457 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-40460 Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-40461 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40462 Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40463 Windows NAT Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-40464 Windows Nearby Sharing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40465 Windows Text Shaping Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40468 Windows Bind Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40469 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40471 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40472 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40473 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40474 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40475 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40476 Windows AppContainer Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40477 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40478 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40479 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40480 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40481 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40482 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40483 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-40484 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-40485 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40486 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40488 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40489 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41330 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41331 Windows Media Audio Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41332 Windows Print Spooler Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41334 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41335 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41336 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41337 Active Directory Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-41338 Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-41339 Microsoft DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41340 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41342 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41343 Windows Fast FAT File System Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41344 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41345 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41346 Console Window Host Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-41347 Windows AppX Deployment Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41348 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41350 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41352 SCOM Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41353 Microsoft Dynamics 365 Sales Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41354 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-41355 .NET Core and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41361 Active Directory Federation Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41363 Intune Management Extension Security Feature Bypass Vulnerability
There are no known exploits in the wild.

VMware AsyncTelemetryController Arbitrary File Write Vulnerability

/in /by

Overview:

  VMware vCenter Server is a data centre management server application developed by VMware Inc. VMware vCenter Server is designed primarily for vSphere, VMware’s platform for building virtualized cloud infrastructures. As part of a broader VMware stack which may include both private and public cloud infrastructure, vCenter Server has an analytics service which provides health and telemetry data to VMware’s Cloud Analytics service (VAC) in order to help diagnose and prevent issues within the environment.

  An arbitrary file write vulnerability has been reported in VMware vCenter Server. The vulnerability is due to insufficient validation of collector IDs and collector instance IDs in requests handled by the AsyncTelemetryController class.

  A remote attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation of this vulnerability results in the writing of a .json file with arbitrary file contents to a location of the attacker’s choosing, potentially allowing the execution of arbitrary code.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-22005

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed

Technical Overview:

  One of the primary components of the analytics service is the Telemetry Server which exposes an API at “/analytics/telemetry/”. The Telemetry Server consists of several services which determine where the telemetry data is to be sent such as a local log file, or VMware Analytics Cloud. The sending of telemetry data is initiated by a request to one of the following URIs:

The second URI is considered the “staging” telemetry server.

  An arbitrary file write vulnerability exists in VMware vCenter Server. The vulnerability is due to the fact the class responsible for handling telemetry “send” requests does not validate or sanitize one of the HTTP request query parameters before using its value as a file path and writing the contents of the request body to the file. Requests to the aforementioned telemetry send URIs are handled by the AsyncTelemetryController class. Requests to the production URL are handled by the overloaded handleSendRequest() method and requests to the staging URL are handled by the handleStageSendRequest() method. In both cases, the request accepts three query parameters: _v, a version number, _c, a collector ID, and _i, a collector instance ID. These parameters are provided as arguments to a different overloaded version of the handleSendRequest() method which first creates a TelemetryRequest object given the version, collector ID, and collector instance ID. The method then calls the processTelemetry() method of the TelemetryLevelBasedTelemetryServiceWrapper class which first inspects the current telemetry level configured on the system then calls the processTelemetry() method of the LogTelemetryService class if telemetry is not disabled.

  LogTelemetryService.processTelemetry() first puts a path and filename into the thread context. The filename is created by passing the collector ID and collector instance ID from the request to the LogTelemetryUtil.getLogFileNamePattern() method. The method uses a format string of “_c%1$s_i%2$s” along with the collector ID and collector instance ID to create the file name. Then processTelemetry() calls the info() method of the currently configured logger to write the body of the received request to the location determined by the path and filename put into the thread context, appending the .json extension to the file as configured by the logger in the initial service definition. Due to the fact that the collector ID and collector instance ID values are not validated or sanitized, an attacker may provide a collector instance ID which contains directory traversal characters in order to write a .json file with attacker controlled contents to an arbitrary location where it may be used to facilitate execution of arbitrary code such as /etc/cron.d/.

  An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted telemetry send request. Successful exploitation results in the writing of a .json file to an arbitrary location which may lead to the execution of arbitrary code as root.

Triggering the Problem:

  The server must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends a crafted HTTP request to the telemetry send endpoint of the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS, over port 443/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15690 VMware vCenter Server AsyncTelemetryController Arbitrary File Creation 1

  • IPS: 18064 VMware vCenter Server AsyncTelemetryController Arbitrary File Creation 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering attack traffic using the signatures provided above.
    • Applying the vendor provided patch or workaround.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory