Posts

Microsoft Windows PrintNightmare zero-day vulnerability (CVE-2021-34527)

Overview:

A new remote code execution (RCE) vulnerability has been discovered in the Microsoft Windows Print Spooler service. It has been referred to publicly as PrintNightmare and assigned CVE-2021-34527. According to the vendor, it is similar to, but distinct from, the vulnerability assigned CVE-2021-1675.
An exploit for this vulnerability must involve an authenticated user calling RpcAddPrinterDriverEx(). A successful attack can run arbitrary code with SYSTEM privileges. At the time this article was written, the vulnerability was being actively exploited against vulnerable versions of the Windows Print Spooler service.

Workarounds and protections:
According to the vendor, the following two options are suggested as workarounds:

  • Option 1 – Disable the Print Spooler service
  • Option 2 – Disable inbound remote printing through Group Policy

SonicWall’s Intrusion Prevention System (IPS) provides the ability to stop this threat by blocking all invocations of the AddPrinterDriverEx request method:

  • 15622 Print Spooler AddPrinterDriverEx Request

SonicWall also detects exploitation attempts related to CVE-2021-1675 with the following IPS signature:

  • 15623 Print Spooler Elevation of Privilege (CVE-2021-1675)

Note that the above signatures only apply to SMBv2 traffic. Signature 15622 is set to low priority by default; customers need to enable it for protection.

The vendor has released the following advisory regarding this vulnerability:

Oracle E-Business Suite Infinite Loop Vulnerability

Overview:

  Oracle E-Business Suite is a collection of applications for Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), and Supply Chain Management (SCM) and contains several product lines intended for specific use cases. The suite utilizes Oracle’s WebLogic application server and Oracle database technologies and is generally operated through a combination of a web interface and Java Web Start (JWS) applets executed on the client’s system. By default, the Oracle E-Business interface is accessible via HTTP on port 8000/TCP or HTTPS on port 4443/TCP.

  An infinite loop vulnerability has been reported in the Sales Offline component of Oracle E-Business Suite. The vulnerability is due to improper handling of requests by the authentication component of Sales Offline.

  An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation causes an infinite loop, consuming large amounts of CPU resources and possibly leading to denial of service conditions on the target server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-2190.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  One of the applications in the E-Business Suite is called Sales Offline, an additional module for the main sales application that leverages a Microsoft Excel document template with macros to allow users to work with and update Oracle sales data without the need to have a persistent connection to the Oracle E-Business instance. On current versions of the client the synchronization is primarily handled by Oracle Web Applications Desktop Integrator, a framework for synchronizing data between E-Business Suite applications and Excel. Synchronization with Sales Offline results in a request to the following URL:

/OA_HTML/BneUploaderService

  The request will contain a reference to an “integrator”, which tells the Desktop Integrator service which application will handle the upload; the service in turn locates a Java class that implements the BneAbstractUploader interface for that application. The Java class that handles this for Sales Offline, AslUploader, builds and sends a request to aslUploadEngine.jsp, which actually processes the updated data.

  It is important to note that legacy versions of the Sales Offline client appear to have sent requests directly to aslUploadEngine.jsp for synchronization, and also initially loaded “lookup” data from the server by sending a request to aslLookupDown.jsp. In current versions this data is already included in the downloaded template.

  An infinite loop vulnerability exists in Oracle E-Business Suite. The vulnerability is due to improper handling of HTTP POST requests with an empty body (a Content-Length request header of 0, or no Content-Length header at all). Ordinarily, when the aforementioned AslUploader class sends a request to aslUploadEngine.jsp, it sends an HTTP POST request with several request parameters in the query portion of the Request-URI and places the file sent in the original request to BneUploaderService in the request body. This file, and therefore the request body sent to aslUploadEngine.jsp, is expected to contain a username, a password (typically unused), a “Resp key”, and some synchronization preferences, each followed by a CRLF sequence (\x0d\x0a). These items are parsed by the included JSP file aslAuthincps.jsp, which first attempts to skip any lines in the request body that contain only a CRLF in order to locate the username. It does this by entering a loop that calls readLine() on the request’s ServletInputStream and checks whether the number of bytes read is fewer than three, exiting the loop only once a line of three bytes or more has been read.

  However, aslAuthincps.jsp never checks whether the request body actually contains any data (the length of which should be specified in the Content-Length header). readLine() returns -1 once the stream is exhausted, and -1 never satisfies the exit condition of three or more bytes. As a result, if an attacker sends an HTTP POST request to aslUploadEngine.jsp, or to aslLookupDown.jsp, which also includes aslAuthincps.jsp, with the Content-Length header missing or set to 0, the loop never exits, consuming excessive CPU resources and potentially leading to denial of service conditions.

  A remote, unauthenticated attacker can exploit this vulnerability by sending an HTTP POST request without a Content-Length header or with a Content-Length header value of 0. Successful exploitation results in an infinite loop condition, causing excessive CPU usage and potentially leading to denial of service conditions on the target server.
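  The loop described above, modelled as an added example (not code from this post or from Oracle): a stand-in for ServletInputStream.readLine() that returns -1 at end of stream, the vulnerable skip-blank-lines loop beside a hardened one, and a detection-side check for the trigger condition (a POST to either JSP with a missing or zero Content-Length). The function names and the request samples are constructed for the example; the two endpoint paths and the three-byte exit condition come from the text above.

```python
"""Model of the aslAuthincps.jsp line-skipping loop behind CVE-2021-2190.

Added example; this is not code from the SonicWall post or from Oracle.
The Java servlet stream is modelled in Python: readLine() returns -1 at
end of stream, which the vulnerable loop never checks for. Function names
such as skip_blank_lines_vulnerable are hypothetical.
"""
from typing import Optional


class ServletInputStream:
    """Minimal stand-in for javax.servlet.ServletInputStream.readLine():
    copies one line (including its terminating LF) into buf and returns
    the number of bytes copied, or -1 once the stream is exhausted."""

    def __init__(self, body: bytes):
        self._body = body
        self._pos = 0

    def read_line(self, buf: bytearray) -> int:
        if self._pos >= len(self._body):
            return -1
        end = self._body.find(b"\n", self._pos)
        end = len(self._body) if end == -1 else end + 1
        buf[:] = self._body[self._pos:end]
        self._pos = end
        return len(buf)


class LoopNeverExits(Exception):
    """Raised by the demo once the vulnerable loop exceeds its iteration cap."""


def skip_blank_lines_vulnerable(stream: ServletInputStream,
                                max_iterations: int = 10_000) -> bytes:
    """The loop as the post describes it: keep calling readLine() until a
    line of three or more bytes (the username) is read. On an empty body
    readLine() returns -1 forever, so the real JSP never exits; the
    iteration cap exists only to make this demo terminate."""
    buf = bytearray()
    for _ in range(max_iterations):
        n = stream.read_line(buf)
        if n >= 3:
            return bytes(buf).rstrip(b"\r\n")
    raise LoopNeverExits("readLine() never returned >= 3 bytes")


def skip_blank_lines_fixed(stream: ServletInputStream) -> Optional[bytes]:
    """Hardened loop: -1 (end of stream) ends the loop and the request is
    rejected (None) instead of spinning."""
    buf = bytearray()
    while True:
        n = stream.read_line(buf)
        if n == -1:
            return None
        if n >= 3:
            return bytes(buf).rstrip(b"\r\n")


# Endpoints that include aslAuthincps.jsp, from the post (compared lowercase).
VULNERABLE_PATHS = {"/oa_html/asluploadengine.jsp", "/oa_html/asllookupdown.jsp"}


def is_zero_length_post_to_asl(raw_request: bytes) -> bool:
    """Detection-side check for the trigger condition: a POST to one of the
    affected JSPs whose Content-Length header is absent or 0. Request
    parsing is deliberately simple (no chunked bodies, no folded headers)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or parts[0] != b"POST":
        return False
    path = parts[1].split(b"?", 1)[0].decode("latin-1").lower()
    if path not in VULNERABLE_PATHS:
        return False
    content_length = None
    for header in lines[1:]:
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"content-length":
            content_length = value.strip()
    return content_length is None or content_length == b"0"
```

  Run against an empty body, the vulnerable loop stops only because of the demo’s iteration cap; the real JSP has none. The fix is simply to treat -1 as end of input and reject the request, which is the same condition the detection function looks for from the outside.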

Triggering the Problem:

  • The server must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  An attacker sends an HTTP POST request without a Content-Length header or a header with a value of 0 to one of the vulnerable endpoints. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8000/TCP
    • HTTPS, over port 4443/TCP

    

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:15617 Oracle E-Business Suite Template Component DoS 3
  • IPS:15618 Oracle E-Business Suite Template Component DoS 4

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch that resolves the vulnerability.
    • Detecting and filtering malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
    Vendor Advisory

Snoopdog ransomware charges 36K in BTC for recovery. 20% discount negotiable

The SonicWall Capture Labs threat research team has been tracking ransomware that encrypts files and appends a “.snoopdog” filename extension.  The operator charges 1 BTC for file recovery.  However, as with most ransomware today, the price is negotiable and a discount may be offered to the victim.

 

Infection Cycle:

 

Upon execution, the malware encrypts files on the system.  Each file is given a “.snoopdog” extension to indicate that it has been encrypted.

 

The following files are dropped onto the infected system:

  • %APPDATA%\Roaming\noputana.exe (copy of original malware) [detected as: GAV: Snoopdog.RSM (Trojan)]
  • %APPDATA%\Roaming\userkey.dat
  • !DECRYPT_FILES.txt (dropped in all dirs where files were encrypted)

 

The following keys are added to the registry:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HelloAV “%APPDATA%\Roaming\noputana.exe”
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WelcomeBack “%APPDATA%\Roaming\!DECRYPT_FILES.txt”

 

!DECRYPT_FILES.txt contains the following message:

 

userkey.dat contains the following data:

1WOD64X5CWPMX8

 

The following applications are killed if found to be running:

msftesql.exe vmware-vmx.exe vmware-authd.exe sqlagent.exe sqlbrowser.exe sqlservr.exe
sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe mydesktopqos.exe
agntsvc.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe
agntsvc.exe agntsvc.exe agntsvc.exe encsvc.exe firefoxconfig.exe tbirdconfig.exe
ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe
excel.exe infopath.exe msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe
steam.exe thebat.exe thebat64.exe thunderbird.exe visio.exe winword.exe wordpad.exe
taskmgr.exe

 

The Tor link leads to the following page:

 

A Telegram link (http://t.me/SENDMYiDbot) is provided for communication with the malware operators.  We had the following conversation with the operator:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Snoopdog.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Advantech iView Remote Command Injection

Overview:

  Advantech iView is an application that enables network managers to configure, update, manage and monitor B+B SmartWorx solutions from a central location. It is SNMP-based element management software provided free of charge with all intelligent FTTx, Optical Access and Media Conversion solutions. It is designed as a web-based application, with the main program functionality residing on a web server and all user access through a web browser.

  A remote command execution vulnerability has been reported in Advantech iView. The vulnerability is due to improper input sanitization. A remote attacker could exploit it by sending a crafted request to the server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-32930.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Advantech iView is a Java servlet application and requires a Java servlet container such as Apache Tomcat to be installed on the web server. iView stores program information in a database and requires a relational database management system such as MySQL to be installed on the web server. Before using any features of iView, a user needs to authenticate with the system. Advantech iView allows users to create zero-touch provisioning (ZTP) configuration files for B&B Electronics devices that support the related functionality. The ZTP Configuration dialog can be accessed from the “Tools” menu. ZTP-related services are handled by either the NetworkServlet or the CommandServlet endpoint. The URL mappings for these servlets are found in the web.xml file:

  A command injection vulnerability exists in Advantech iView. The vulnerability is due to a lack of proper input validation for shell command injection characters in the HTTP request parameter fwfilename. When the application receives an HTTP request with the Request-URI set to either “/iView3/CommandServlet” or “/iView3/NetworkServlet” and the request parameter ztp_config_name set to the associated action, the doPost() method of the Java class NetworkServlet is called. The NetworkServlet class checks the page_action_type parameter and invokes the function associated with that task. For example, to upgrade the ProView component the application receives a page_action_type value of “runProViewUpgrade”, in which case the runProViewUpgrade() method is invoked to perform the upgrade. This vulnerable function accepts two further HTTP request parameters, device_id and fwfilename.

  In the implementation of runProViewUpgrade(), the vulnerable code first looks up the ipaddress and strDeviceModel in the database using the supplied device_id; if the device_id cannot be found, the function returns with an error (which is why an attacker must know a valid device ID). The function then builds a list of strings for the “command” parameter of the Java ProcessBuilder class in order to execute the CMD program, and the value supplied in the fwfilename parameter is used to build one of the command arguments. However, runProViewUpgrade() does not sanitize the fwfilename value for command injection characters before using it to build the command line. An attacker can therefore include command injection characters in fwfilename, which are carried into the command list, and arbitrary commands are executed on the underlying system when ProcessBuilder.start() runs the constructed command.
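  The runProViewUpgrade() flow described above, as an added example (not code from this post or from Advantech): the argument list a cmd /c style ProcessBuilder call would receive with an unsanitized fwfilename, what cmd.exe would make of it, the hardened version (allowlist plus one argument per list element with no shell in between), and a check over the URL-encoded request parameters. The tool name proview_upgrade.exe, its flags and the helper names are assumptions; page_action_type, device_id and fwfilename are the parameter names from the text. Nothing is executed.

```python
"""Command-injection pattern behind CVE-2021-32930, modelled in Python.

Added example; this is not code from the SonicWall post or from Advantech.
The Java ProcessBuilder call is represented by the argument list it would
receive, and nothing is executed. The upgrade tool name
"proview_upgrade.exe", its flags and the helper names are assumptions;
the parameter names page_action_type, device_id and fwfilename come from
the post.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs

# Characters cmd.exe treats specially inside a "cmd /c" argument:
# command separators, pipes, redirection, escaping and variable expansion.
CMD_METACHARS = re.compile(r"[&|<>^%\"\r\n]")

# Allowlist for a firmware file name: no path separators, no metacharacters.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

# Naive split on cmd.exe command separators, enough to show what an
# injected value turns into (an approximation of cmd.exe parsing).
CMD_SEPARATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def build_upgrade_command_vulnerable(ip_address: str, fw_filename: str) -> List[str]:
    """The pattern the post describes: the user-supplied file name is pasted
    into a single argument that cmd.exe will re-parse."""
    return ["cmd", "/c", f"proview_upgrade.exe -h {ip_address} -f {fw_filename}"]


def commands_cmd_would_run(argv: List[str]) -> List[str]:
    """Show how cmd /c tokenises the vulnerable argument into separate
    commands; a non-cmd argv is a single command."""
    if argv[:2] != ["cmd", "/c"]:
        return [" ".join(argv)]
    return [c for c in CMD_SEPARATORS.split(argv[2]) if c]


def build_upgrade_command_fixed(ip_address: str, fw_filename: str) -> List[str]:
    """Hardened: validate against the allowlist, and pass every argument as
    its own list element with no cmd.exe in between, so the file name is
    never re-tokenised as a command."""
    if not SAFE_FILENAME.fullmatch(fw_filename):
        raise ValueError(f"rejected fwfilename: {fw_filename!r}")
    return ["proview_upgrade.exe", "-h", ip_address, "-f", fw_filename]


def looks_injected(fw_filename: str) -> bool:
    """True if the value carries cmd.exe metacharacters."""
    return CMD_METACHARS.search(fw_filename) is not None


def injected_fwfilename_in_request(form_body: str) -> Optional[str]:
    """Detection over the URL-encoded request body: return the decoded
    fwfilename when the request targets runProViewUpgrade with an
    injected value, else None."""
    params = parse_qs(form_body, keep_blank_values=True)
    if params.get("page_action_type", [""])[0] != "runProViewUpgrade":
        return None
    fw_filename = params.get("fwfilename", [""])[0]
    return fw_filename if looks_injected(fw_filename) else None
```

  The hardened builder does two things that each close the hole on their own: the allowlist rejects anything that is not a plain file name, and dropping the cmd /c wrapper means the file name is only ever one argv element, never text for a shell to re-tokenise.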

Triggering the Problem:

  • The target system must have the vulnerable product installed and enabled.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must know a valid device ID in the target application.

Triggering Conditions:

  The attacker sends a crafted HTTP request to the vulnerable server with malicious parameters. The vulnerability is triggered when the affected software processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:15599 “Advantech iView Command Injection”

Remediation Details:

  Listed below are actions that may be taken to mitigate the risks associated with this vulnerability:
    • Restrict access to the affected communication port to trusted hosts only.
    • Upgrade to a patched version of the product.
    • Detect and block malicious traffic with IPS:15599.
  The vendor, Advantech, has released a new version of the product:
  Vendor Advisory

AndroidBot malware with obfuscation and multiple capabilities spreading in the wild

The SonicWall Threats Research team observed an AndroidBot malware sample that uses multiple obfuscation layers to hide its hardcoded URLs and malicious code. Like a number of other Android malware families, this malware drops a dex file containing the malicious code during execution.

Sample details

At the time of writing this blog, this sample is hosted on the following link:

Infection Cycle

The app requests a number of permissions; a few of the risky ones are:

  • android.permission.CALL_PHONE
  • android.permission.CAPTURE_VIDEO_OUTPUT
  • android.permission.DISABLE_KEYGUARD
  • android.permission.READ_CONTACTS
  • android.permission.READ_SMS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.REORDER_TASKS
  • android.permission.REQUEST_DELETE_PACKAGES
  • android.permission.REQUEST_INSTALL_PACKAGES
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.WRITE_SMS

 

Upon installation and execution the application requests the accessibility service permission; once granted, the application gains the ability to execute its malicious components:

 

The main class listed in AndroidManifest.xml is not present in the decompiled codebase:

 

During execution the malware drops a file, agAzJPYW.dex, which is the dex file that actually contains the malicious code:

 

This dex file contains the main activity listed in the original AndroidManifest.xml:

 

The malware obfuscates the strings present in the code to deter security researchers from analyzing it and to prevent automated tools from identifying suspicious strings:

 

However, the decryption routine is also present in the code and can be used to decode the strings:

 

Decoded string:

 

We identified several interesting bits when the strings were decoded:

Capabilities

This bot is capable of performing a series of malicious/dangerous actions on an infected device, some of them include:

  • Show custom notifications
  • Screencast/screencapture
  • TeamViewer execution
  • Read, write and send messages
  • Extract information about running processes
  • Extract information about the device
  • Load URLs
  • Receive messages via Firebase Cloud Messaging (FCM)
  • Install and remove applications
  • Subscribe to premium messaging services
  • Check if emulator is present

 

Hardcoded URLs

The class BotConfigs contains an interesting string titled Admin URL. Upon deobfuscation we obtained the string http://das37rwa5cyfkb7o.onion/api/mirrors. After working through a series of layers we ultimately reached a login page at newspotheres.xyz:

 

Based on the hardcoded URLs found in the code we created a VirusTotal Graph, shown below:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • AndroidOS.AndroidBot.DX

 

Indicators of Compromise (IOC):

 

We have blacklisted the following URLs:

  • https://newspotheres.xyz
  • https://babosiki.buzz
  • https://trustpoopin.xyz
  • https://trygotii.xyz
  • https://trytogoi.xyz

 

CHIYU Technology Devices CRLF injection vulnerability

CHIYU Technology is a leading access control manufacturer and marketer of multi-door access control systems for enterprise, small business, and residential applications. The BF-430 is a universal serial device server that enables industrial serial devices such as PLCs, flow meters, gas meters, CNC machines, and biometric identification card readers to be monitored from the network.
Similarly, the BF-450M is a universal serial device server that enables industrial serial devices such as access control, time attendance, PLC, CNC machines, and flow meters to be monitored from the network. It also includes built-in I/O control, which lets users integrate it with other systems.

CRLF injection vulnerability
A CRLF injection vulnerability exists when an attacker can inject CRLF characters into a web application. A CRLF injection attack can be escalated to more damaging attacks such as cross-site scripting (XSS), page injection and web cache poisoning. The term CRLF refers to Carriage Return (ASCII 13, hex 0d) followed by Line Feed (ASCII 10, hex 0a). CR and LF are special characters used to signify the end of line (EOL) in the Windows operating system and, more importantly here, to terminate each header line in an HTTP message: an injected CRLF lets the attacker start a new header, and two consecutive CRLFs end the headers and start a body. A CRLF injection attack occurs when a user manages to submit a CRLF into an application, most commonly by modifying an HTTP parameter or URL.

CVE-2021-31249
A CRLF injection vulnerability exists in the BF-430, BF-431, and BF-450M TCP/IP converter devices. It is due to a lack of validation of the redirect= parameter, which is available on multiple CGI components.

As can be seen in this example, the CRLF sequence is used to split the response and the injected markup is used to carry out a cross-site scripting (XSS) attack. In this case the CRLF injection vulnerability leads to XSS.
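The CRLF split described above, as an added example (not code from this post or from CHIYU firmware): the redirect= parameter copied into a Location header, how a browser-style parser then sees the injected header and body, the hardened handler, and a request-side check. The response layout, the local-path rule in the fixed version and the helper names are assumptions; only the redirect= parameter comes from the text.

```python
"""CRLF injection through a redirect= parameter, modelled in Python.

Added example; this is not code from the SonicWall post or from CHIYU
firmware. The affected CGI handler is modelled as a function that builds a
raw HTTP response from the redirect= parameter named in the post; the
response layout, the local-path rule in the fixed version and the helper
names are assumptions.
"""
from typing import Dict, Tuple
from urllib.parse import parse_qs, unquote


def redirect_response_vulnerable(redirect_param: str) -> bytes:
    """Decodes the parameter and copies it straight into the Location
    header, the behaviour the post describes."""
    location = unquote(redirect_param)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ).encode("latin-1")


def redirect_response_fixed(redirect_param: str) -> bytes:
    """Hardened: refuse CR/LF (the only way to start a new header line) and
    only accept a local absolute path, then build the same response."""
    location = unquote(redirect_param)
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF not allowed in redirect target")
    if not location.startswith("/") or location.startswith("//"):
        raise ValueError("only local paths are accepted as redirect targets")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw response the way a browser would: headers end at the
    first empty line, everything after it is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip()] = value.strip()
    return headers, body


def has_crlf_injection(query_string: str) -> bool:
    """Detection over the request side: any parameter whose URL-decoded
    value contains a CR or LF."""
    params = parse_qs(query_string, keep_blank_values=True)
    return any("\r" in v or "\n" in v
               for values in params.values() for v in values)
```

With a redirect value of /index.htm%0d%0aSet-Cookie%3A%20x%3D1%0d%0a%0d%0a%3Cscript%3E..., the vulnerable handler emits a response whose parsed headers contain an attacker-chosen Set-Cookie and whose body begins with the injected script, while the original Content-Type line is pushed into the body. The detection check decodes first, since the CR and LF arrive percent-encoded on the wire.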

SonicWall Capture Labs provides protection against this threat via following signatures:

    • IPS 15592:CHIYU Technology Devices CRLF injection

A quick check on Shodan shows vulnerable devices.

 

Another ransomware possibly belonging to the Revil ransomware group seen actively spreading in the wild

The SonicWall Capture Labs Research team has been observing a massive increase in ransomware attacks, with increasingly targeted attacks hitting mostly critical infrastructure. With companies willing to pay millions in ransom to restore operations, the ransomware industry has never been more lucrative for cybercriminals. This week we observed a spike in detections for a relatively small player in the ransomware world: we first spotted Prometheus ransomware in February and had not seen much activity from it until this week.

Interestingly, with Revil ransomware in the spotlight, having been blamed for many of the recent high-profile ransomware attacks, Prometheus ransomware claims to come from the same cybercriminal group. We have no proof that this is true, however.

Infection Cycle:

Upon execution, the first thing this ransomware does is find and remove Raccine, an open source program that blocks ransomware from deleting a system’s shadow copies, a very common ransomware behavior. It uses taskkill.exe to kill the Raccine executable if it is present on the system, and deletes any Raccine-related registry values.

It then continues to kill other running processes using taskkill.exe, including Microsoft Office processes such as winword.exe, excel, mspub and visio, and SQL database processes such as sqlservice.exe, dbeng50.exe and mysqld.exe, among many others.

It also uses sc.exe to reconfigure certain system services, for example setting the start type of the SQLWriter service (“SQLwriter start”) to disabled, which removes the ability to back up and restore SQL Server data through the Volume Shadow Copy Service.

It pings the loopback address 127.0.0.7, ostensibly to check network connectivity. Since traffic to a loopback address never leaves the host, this does not actually test the network; it more likely serves as a short delay before the next step.

It also executes netsh.exe to alter the firewall settings so that the infected system is discoverable within the network and file and printer sharing is allowed.

Once the target files have been encrypted, it displays an alert in the system tray and opens an HTA file with instructions on how to pay and retrieve the files.  The header of the instructions states that Prometheus belongs to the well-known Revil ransomware group.

 

Another similar sample that we analyzed appears to be a more feature-rich program, with additional functionality such as running commands to inspect the ARP table, which could be used for ARP-based attacks.

It also runs a PowerShell command to delete all volume shadow copies.

It also attempts to configure and log in to the local router’s admin page using additional dropped components.

This newer version also provides additional ways to reach the ransomware authors outside of the Tor browser.

This suggests that we will most likely see more from this ransomware group, as they have been continuously improving their program with more robust functionality to improve infection rates and possibly evade detection.

This week, we have noticed an uptick in detection for this particular ransomware.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Prometheus.RSM (Trojan)
  • GAV: Prometheus.RSM_1 (Trojan)
  • GAV: Prometheus.RSM_2 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for June 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2021. A list of issues reported, along with SonicWall coverage information is as follows:

CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
ASPY 192:Malformed-File exe.MP.187

CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
ASPY 193:Malformed-File exe.MP.188

CVE-2021-31952 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
ASPY 187:Malformed-File exe.MP.183

CVE-2021-31954 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 194:Malformed-File exe.MP.189

CVE-2021-31955 Windows Kernel Information Disclosure Vulnerability
ASPY 189:Malformed-File exe.MP.185

CVE-2021-31956 Windows NTFS Elevation of Privilege Vulnerability
ASPY 188:Malformed-File exe.MP.184

CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability
IPS 15594:Scripting Engine Memory Corruption Vulnerability (CVE-2021-31959)

CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability
ASPY 190:Malformed-File exe.MP.186

Adobe Coverage:
CVE-2021-28554 Acrobat Reader Arbitrary Code Execution Vulnerability
ASPY 191:Malformed-File pdf.MP.478

The following vulnerabilities do not have known exploits in the wild:
CVE-2021-1675 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26414 Windows DCOM Server Security Feature Bypass
There are no known exploits in the wild.
CVE-2021-26420 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31938 Microsoft VsCode Kubernetes Tools Extension Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31939 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31940 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31941 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31942 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31943 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31944 3D Viewer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31945 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31946 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31948 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31949 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31950 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31951 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31953 Windows Filter Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31957 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31958 Windows NTLM Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31960 Windows Bind Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31962 Kerberos AppContainer Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31964 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31965 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31966 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31969 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31970 Windows TCP/IP Driver Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31971 Windows HTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31972 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31973 Windows GPSVC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31974 Server for NFS Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31975 Server for NFS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31976 Server for NFS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31977 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31978 Microsoft Defender Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31980 Microsoft Intune Management Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31983 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.

VMware vCenter Server vSAN Health Check plug-in RCE Vulnerability

Overview:

Multiple vulnerabilities have been discovered and reported in the VMware vSphere Client (HTML5), specifically in the VMware vCenter Server vSAN Health Check plug-in. Among these, CVE-2021-21985 is a remote code execution vulnerability rated Critical.

CVE-2021-21985 is caused by insufficient input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

 

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15574 VMware vCenter Server vSAN Health Check plug-in Possible RCE Attempt 1
  • IPS: 15575 VMware vCenter Server vSAN Health Check plug-in Possible RCE Attempt 2
  • IPS: 15576 VMware vCenter Server vSAN Health Check plug-in Possible RCE Attempt 3

Note: because vCenter is normally accessed over TLS/HTTPS, DPI-SSL (server deployment) must be enabled for these signatures to cover all cases of real-world exploitation of this vulnerability.


SonicWall has detected the following attacks with the above signatures:


Remediation Details:

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Reconfiguring the plug-in settings according to the vendor advisory.
  • Applying the updates from the vendor.

The vendor has released the following advisory regarding this vulnerability:

  Vendor Advisory

Microsoft Visual Studio RCE Vulnerability

Overview:

  Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft. It can be used to develop console and graphical user interface (GUI) applications along with web sites, web applications, and web services. This is achieved in combination with native and managed code for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET Compact Framework and Microsoft Silverlight.

  The IDE supports a wide variety of programming languages and technologies; either built-in or as extensions. Built-in languages include C, C++, C++/CLI, Visual Basic .NET, C#, F#, JavaScript, TypeScript, XML, XSLT, HTML, and CSS. Support for other languages such as Python, Ruby, Node.js, and M among others is also available via extensions.

  A remote code execution vulnerability has been reported in the Python interpreter services, a component of the Python language support extension for Microsoft Visual Studio. The vulnerability is due to a design weakness. The python language interpreter “python.exe” may be provided in a Python project workspace. The embedded interpreter will be executed when the project is opened without confirmation from the user.

  A remote, unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Python project/workspace. The workspace contains a crafted “python.exe” file in a subdirectory. Successful exploitation results in code execution in the context of the Microsoft Visual Studio IDE.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-27068

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.3 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Upon opening a workspace/folder containing Python source files, the workspace initialization procedure begins at the method InitializeCurrentContext in PythonWorkspaceContextProvider.cs. This procedure involves discovering Python interpreters within the workspace. In a Windows environment the Python interpreter is the binary file “python.exe”, and the initialization process runs it in order to retrieve interpreter information. The method FindInterpretersInSubFolders in WorkspaceInterpreterFactoryProvider.cs invokes the method CreateEnvironmentInfo for each interpreter path discovered within the workspace. The method CreateEnvironmentInfo, also defined in WorkspaceInterpreterFactoryProvider.cs, in turn invokes the method PrefixFromSysPrefix, defined in the same class file, on the discovered path. The method PrefixFromSysPrefix builds and executes the following template command line:

  (full path to interpreter within workspace) -c "import sys; print(sys.prefix)"

  The method CreateEnvironmentInfo makes no attempt to validate the integrity of the discovered Python interpreter. Therefore, an attacker can craft a Python workspace in which an included python.exe is in fact a malicious binary, which will be executed automatically when the crafted workspace is opened in Visual Studio.

  A remote, unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Python project/workspace. The workspace contains a crafted “python.exe” file in a subdirectory. Successful exploitation results in code execution in the context of Microsoft Visual Studio.
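The weakness described above is that the IDE executes whatever interpreter binary it discovers under the workspace tree without checking its integrity. A defender can run the same discovery walk before a project is opened and refuse anything not on a hash allowlist. The script below is an added example, not code from Visual Studio or the Python Tools for Visual Studio project; the interpreter file names, the allowlist mechanism and the constructed demo workspace (a text file standing in for python.exe) are assumptions made for the illustration.

```python
"""Pre-open audit for Python workspaces: locate any interpreter binary shipped
inside the project tree and compare it against a SHA-256 allowlist.

Added example; not code from Visual Studio or PTVS. The file names checked
and the allowlist approach are assumptions for the illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed interpreter file names an IDE's subfolder discovery would pick up.
INTERPRETER_NAMES = {"python.exe", "pythonw.exe"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_embedded_interpreters(workspace: Path) -> list:
    """Walk every subdirectory of the workspace, as the vulnerable discovery
    does, and return each file named like a Python interpreter."""
    found = []
    for root, _dirs, files in os.walk(workspace):
        for name in files:
            if name.lower() in INTERPRETER_NAMES:
                found.append(Path(root) / name)
    return sorted(found)


def audit_workspace(workspace: Path, trusted_hashes: set) -> list:
    """Return (relative path, sha256, verdict) for each embedded interpreter.
    Anything not on the allowlist is 'untrusted': those are exactly the
    binaries a vulnerable IDE would launch on open."""
    report = []
    for path in find_embedded_interpreters(workspace):
        digest = sha256_of(path)
        verdict = "trusted" if digest in trusted_hashes else "untrusted"
        report.append((path.relative_to(workspace).as_posix(), digest, verdict))
    return report


def build_demo_workspace(base: Path) -> Path:
    """Constructed sample workspace: one source file plus a stand-in
    'python.exe' in a subdirectory. The stand-in is a text file, not a binary."""
    workspace = base / "demo_project"
    (workspace / "venv" / "Scripts").mkdir(parents=True, exist_ok=True)
    (workspace / "main.py").write_text("print('hello')\n")
    (workspace / "venv" / "Scripts" / "python.exe").write_bytes(
        b"CONSTRUCTED STAND-IN FILE, NOT A REAL INTERPRETER\n"
    )
    return workspace


def run_demo() -> tuple:
    """Audit the constructed workspace with an empty allowlist, then again after
    an operator has explicitly trusted the discovered hash."""
    with tempfile.TemporaryDirectory() as tmp:
        workspace = build_demo_workspace(Path(tmp))
        before = audit_workspace(workspace, trusted_hashes=set())
        trusted = {digest for _, digest, _ in before}
        after = audit_workspace(workspace, trusted_hashes=trusted)
        paths = [rel for rel, _, _ in before]
        return paths, [v for _, _, v in before], [v for _, _, v in after]


if __name__ == "__main__":
    paths, before, after = run_demo()
    for rel, b, a in zip(paths, before, after):
        print(f"{rel}: {b} -> {a}")
```

The useful property is that the check keys on the interpreter's content, not its location or name: an interpreter copied into a virtual-environment folder inside the repository is flagged until someone deliberately adds its hash, which matches the remediation advice not to open untrusted projects.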

Triggering the Problem:

  • A vulnerable version of Microsoft Visual Studio is installed.
  • The attacker must be able to deliver a malicious Python project to the target user.

Triggering Conditions:

  The attacker creates a malicious Python project for Microsoft Visual Studio and delivers it to the target user. The Python project contains a maliciously crafted python.exe file within a subdirectory. The vulnerability is triggered when this project is processed by a vulnerable version of Microsoft Visual Studio.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP
    • SSH, over port 22/TCP
    • FTP, over port 21/TCP
    • SMB/CIFS, over ports 139/TCP, 445/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15579 Microsoft Visual Studio Remote Code Execution (CVE-2021-27068)

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Not cloning and opening untrusted Python projects within Visual Studio.
    • Upgrading to a non-vulnerable version of Visual Studio.
    • Filtering malicious traffic.
  The vendor, Microsoft, has released the following advisory regarding this vulnerability:
  Vendor Advisory