Posts

Ransomware asking victims to subscribe to a YouTube channel

/in /by

The SonicWall Capture Labs Threat Research team has come across a ransomware with a bizaare demand in exchange for decryption. This ransomware calls itself “Black Eye” but instead of demanding for cryptocurrency as payment, it requires the victim to subscribe to a YouTube channel and to comment on the videos on the said channel.

Infection cycle:

Upon execution, this ransomware creates a copy of itself in the following directory:

  • %AppData%\Roaming\BLACK EYE RANSOMWARE.exe

It then spawns the copy and begins encrypting the files in the victim machine. It adds 4 random characters to all encrypted files.

It also adds a text file in all the directories named “readme_it.txt” which is then opened in notepad upon successful infection.

This is a poorly written ransom note with a lot of grammatical and spelling errors.

To get their files back, victims are asked to subscribe to a YouTube channel. The owner of the said channel appears to have had an interest on ransomware ever since and has been posting videos about ransomware.

It also changes the desktop wallpaper to this photo.

And to maintain persistence, it adds a copy of the ransom note in the %Startup% directory along with the link to the “Black Eye Ransomware” executable which will both run upon system reboot.

It is unclear if the malware author has actually successfully infected victims who agreed to subscribe to his Youtube channel. But when we first analyzed this malware, that channel had 60+ subscribers and this week it has grown to 73.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Black.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for February 2022

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-21989 Windows Kernel Elevation of Privilege Vulnerability
IPS 2457:Windows Kernel Elevation of Privilege Vulnerability (CVE-2022-21989)

CVE-2022-21994 Windows DWM Core Library Elevation of Privilege Vulnerability
ASPY 293:Malformed-File exe.MP_234

CVE-2022-21996 Win32k Elevation of Privilege Vulnerability
ASPY 294:Malformed-File exe.MP_235

CVE-2022-22000 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 295:Malformed-File exe.MP_236

CVE-2022-22715 Named Pipe File System Elevation of Privilege Vulnerability
ASPY 296:Malformed-File exe.MP_237

CVE-2022-22718 Windows Print Spooler Elevation of Privilege Vulnerability
ASPY 297:Malformed-File exe.MP_238

The following vulnerabilities do not have exploits in the wild :
CVE-2022-21844 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21926 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21927 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21957 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21965 Microsoft Teams Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21968 Microsoft SharePoint Server Security Feature BypassVulnerability
There are no known exploits in the wild.
CVE-2022-21971 Windows Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21974 Roaming Security Rights Management Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21981 Windows Common Log File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21984 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21985 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21986 .NET Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21987 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-21988 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21991 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21992 Windows Mobile Device Management Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21993 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21995 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21997 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21998 Windows Common Log File System Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21999 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22001 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22002 Windows User Account Profile Picture Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22003 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22004 Microsoft Office ClickToRun Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22005 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22709 VP9 Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22710 Windows Common Log File System Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22712 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-22716 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-22717 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23252 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-23254 Microsoft Power BI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23255 Microsoft OneDrive for Android Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-23256 Azure Data Explorer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-23261 Microsoft Edge (Chromium-based) Tampering Vulnerability
There are no known exploits in the wild.
CVE-2022-23262 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23263 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23269 Microsoft Dynamics GP Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-23271 Microsoft Dynamics GP Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23272 Microsoft Dynamics GP Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23273 Microsoft Dynamics GP Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23274 Microsoft Dynamics GP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23276 SQL Server for Linux Containers Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-23280 Microsoft Outlook for Mac Security Feature Bypass Vulnerability
There are no known exploits in the wild.

EmbedThis GoAhead Web Server CGI RCE

/in /by

Overview:

  EmbedThis GoAhead is a popular compact web server intended and optimized for embedded devices. Despite its small size, the server supports HTTP/1.1, CGI handler among others.

  An unrestricted file upload vulnerability has been reported in EmbedThis GoAhead Web Server. The vulnerability is due to improper validation of user form variables passed to the file upload filter.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to the server. Successful exploitation could lead to arbitrary code execution under the security context of the server process.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-42342.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A remote code execution vulnerability exists in EmbedThis GoAhead. Variables supplied through the multipart/form-data content processing are added using websSetVar(), which does not prefix the variable name or set the arg value. Other areas of code use a wrapper function, addFormVars(), for this purpose. The function cgiHandler() attempts to blacklist certain variable names, but uses the strim() function with a null value for the set parameter, returning a null value and preventing any of the values included in the blacklist from matching. Without the arg value set, the variables are used as environment variables verbatim in the spawned process. This vulnerability is due to an incomplete fix for CVE-2017-17562.

  Exploitation of this vulnerability does not misuse the interface, which makes detecting illegitimate variables not possible. However, the CVE was opened for the specific exploitation path of using the LD_PRELOAD environment variable to point to a supplied shared object ELF file to run arbitrary code stored in the .init section. This can either send the data after the multipart/form-data content and use the CGI standard input file from the proc directory or the dev directory, or by uploading the file in a multipart/form-data payload and using the temporary filename. Other “LD_” prefixed environment variables may also be used to affect CGI behaviour.

  Incomplete Fix CVE-2017-17562

Triggering the Problem:

  • The target must have a vulnerable version of the product installed and running.
  • The target product must have been compiled with the ME_GOAHEAD_UPLOAD and ME_GOAHEAD_CGI flags.
  • The target path must be configured to handle CGI requests.
  • The target must support loading ELF shared objects.
  • The target loader must honor the LD_PRELOAD environment variable.
  • The attacker must have network connectivity to the vulnerable application.

Triggering Conditions:

  The attacker sends a crafted HTTP POST request to the target server. The body contains the LD_PRELOAD variable and an embedded ELF shared object. The vulnerability is triggered when the target server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 6178 EmbedThis GoAhead File Upload Filter Remote Code Execution

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering attack traffic using the signature above.
    • Compiling the software with either the ME_GOAHEAD_UPLOAD or ME_GOAHEAD_CGI flags disabled.
    • Remove all CGI binaries.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Argos 2.0 ransomware threat actor gives up decryption key

/in /by

The Sonicwall threat research team have recently seen reports of ransomware called Argos 2.0.  The ransomware works like most others, encrypting files and demanding payment in bitcoin for file recovery.  However, reverse engineering the malware is trivial and the decryption key is easily obtainable.  In addition to this, the attacker is also willing to give out the decryption key for no payment.

 

Infection Cycle:

 

Upon infection, @argosd3crypter.exe is spawned and can be seen running in the background:

 

Files on the system are encrypted.  After this, the following image is displayed on the screen:

 

The following files are dropped on to the system:

  • C:\Ransom.png (as seen above)
  • C:\@argosd3crypter.exe [Detected as: GAV: Argos.RSM (Trojan)]

 

The malware is written in C# and is trivial to decompile:

 

It has code that reports the infection to the attacker via Discord:

 

The core decryption function can be seen in the source:

 

The hardcoded decryption key can be easily seen in the decompiled code along with target directories:

 

Entering this key results in the following message:

 

We also contacted BigFrankND#4978 on Discord and were able to freely obtain the decryption key.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Argos.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Oracle MySQL Server InnoDB Memcached Vulnerability

/in /by

Overview:

  MySQL is a popular open-source implementation of a relational database that supports the Structured Query Language (SQL) for querying and updating stored data. Communication with the database occurs using the MySQL protocol. As with other database implementations, MySQL supports a number of database storage engines, with InnoDB as the default backend.

  A buffer overflow vulnerability has been reported in Oracle MySQL. The vulnerability exists in the InnoDB memcached plugin component.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted packet to the vulnerable server. Successful exploitation will allow an attacker to execute arbitrary code in the context of the application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-2429.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C).

  Base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.4 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A heap buffer overflow vulnerability exists in MySQL InnoDB-memcached plugin when it is handling the incoming get command. This is performed in the innodb_get() function. When there was “@@store_name” notation inside a get command, the vulnerable function will execute the code branch to switch tables. During the implementation, it will retrieve the schema (db_schema) and table (db_table) information using the supplied store_name, and build the table_name by following format string (depending on Windows platform or not):

  %s\%s

  or

  %s/%s

  For the above example, when the memcached server received a get command as “get @@aaa”, the table_name will be built as “ts1\tab1”. Then, this table_name will be copied into a heap buffer with fixed size of 16384. If there were multiple “@@store_name” notations in one get command, all generated table_name will be copied into this buffer in order. However, the vulnerable function failed to validate the total length of these table_name strings and this could result in the said heap buffer overflowed.

  Memcached Get Data

Triggering the Problem:

  • The target host must have a vulnerable version of the affected product installed and running.
  • The target product must have the InnoDB-memcached plugin enabled.
  • The attacker must have the means to deliver crafted packets to the target service.

Triggering Conditions:

  The attacker sends a malicious Memcached get request to the target server. The vulnerability is triggered when the server processes the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Memcache, over port 11211/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 3109 MySQL InnoDB Memcached Plugin DoS

Remediation Details:

  Listed actions that may be taken in order to mitigate or eliminate the risks associated with this vulnerability.
    • Limit access to the database to allow trusted users only.
    • Restrict remote connections to trusted hosts only.
    • Filter attack traffic using the signature above.
    • Upgrade the vulnerable product to a non-vulnerable version.
  The vendor, Oracle, has released the following advisory regarding this vulnerability
  Vendor Advisory

Traces of an Android malware yet again lead to a Github repository

/in /by

SonicWall Threats Research team identified yet another Github repository that might have been used to create and release an Android malware in the wild, this time its AndroRAT.

Specifics for the sample that was identified in the wild:

  • MD5: f1d83d43b21478c349f2ee515aef4271
  • Application Name: Google Service Framework
  • Package Name: com.IiIiIiIi.IiIiIiIiIiIiiIIIIiIiI

 

Using this repository a malicious app can be configured with the following options:

 

We created a test app using this repository and compared the code of both the applications. The code looks identical:

The application identified was created with the following options as can be seen from the config class:

 

The application requests for a number of permissions, some of them are capable of accessing sensitive user information:

  • Receive_boot_completed
  • Wake_lock
  • Camera
  • Read_external_storage
  • Write_external_storage
  • Read_sms
  • Access_fine_location
  • Access_coarse_location
  • Read_call_log
  • Record_audio
  • System_alert_window

 

This gives a taste of the components in this malware. The  application contains a multitude of malicious functionalities and is capable of accepting commands from the attacker, some of them are listed below:

  • exit
  • camList
  • takepic
  • shell
  • getClipData
  • deviceInfo
  • help
  • clear
  • getSimDetails
  • getIP
  • vibrate
  • getSMS
  • getLocation
  • startAudio
  • stopAudio
  • startVideo
  • stopVideo
  • getCallLogs
  • getMACAddress

Commands are visible in the code as shown:

 

We configured a test AndroRAT sample to understand how this malware works further. Configuring and listening for incoming connections quickly gave a shell once the malware was executed on the infected device:

 

Commands can now be executed on the infected device:

For instance, running ‘deviceInfo’ gave us details of the infected device:

 

Overall this threat is a potent spyware and Remote Access Tool  (RAT). Though its features are limited, considerable personally identifiable information (PII) can be extracted from an infected device. The fact that this RAT is freely available on Github is a cause of concern.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Androrat.PN

 

Indicators of Compromise:

  • f1d83d43b21478c349f2ee515aef4271

 

 

Grafana plugins Directory Traversal Vulnerability

/in /by

Grafana is a multi-platform, open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

Directory Traversal Vulnerability
Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to directory traversal. A directory traversal attack (also known as path traversal) aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash sequences.

CVE-2021-43798 | Grafana plugins Directory Traversal Vulnerability
Directory traversal vulnerability exists in Grafana allowing access to local files. The vulnerable URL path  . The plugin_id can be the default plugin that comes pre-installed with Grafana, for example:

  • alertlist
  • annolist
  • barchart
  • bargauge
  • candlestick
  • cloudwatch
  • dashlist
  • Elasticsearch

The vulnerability is due to insufficient sanitization of user input for plugin assets. This that allows the reading of arbitrary files from the filesystem. A remote, unauthenticated attacker can exploit this vulnerability by sending a request to a valid plugin asset directory with dot-dot sections to request arbitrary paths. Successful exploitation results in the disclosure of arbitrary file contents from the target server.

Threat actors can leverage this flaw by crafting an HTTP request to read sensitive files from servers, leading to the disclosure sensitive information . the following exploits disclose sensitive information .

The following versions are vulnerable:

    • Grafana versions 8.0.0-beta1 through 8.3.0

Grafana has patched the vulnerability vendor advisory is available here.

SonicWall Capture Labs provides protection against this threat via following signatures:

      • IPS 15728:Grafana plugins Directory Traversal

Threat Graph

Linux-based ransomware found targeting VMWare ESXi Servers

/in /by

The Sonicwall Capture Labs threat research team has come across a linux variant of a ransomware early on this week. Avoslocker is another ransomware-as-a-service (RaaS) selling their ready-made ransomware to affiliates to carry out ransomware attacks. This linux variant was specifically made to target VMWare ESXi servers that more and more companies are switching their servers on to for easier management. It is a very valuable target for cybercriminals since one ESXi server can host multiple virtual machines and therefore host many critical services for a company.

Infection Cycle:

This variant comes as an ELF executable file. Upon manually running it, the user is presented with the following use options.

Once installed, Avoslocker will run the following command to power off all running virtual machines within an ESXi host.

esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process list | tail -n +2 | awk -F $’,’ ‘{system(“esxcli vm process kill –type=force –world-id=” $1)}’

It appends “.avoslinux” extension to all encrypted files.

It also leaves a ransom note reminding victims to avoid shutting down their system to prevent any files being permanently damaged.

They provide a link to a website only accessible via a tor browser for further details on how to pay and retrieve encrypted files.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Avoslocker.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for January 2022

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-21881 Windows Kernel Elevation of Privilege Vulnerability
ASPY  285 Malformed-File exe.MP_228

CVE-2022-21882 Win32k Elevation of Privilege Vulnerability
ASPY  286 Malformed-File exe.MP_229

CVE-2022-21887 Win32k Elevation of Privilege Vulnerability
ASPY  287 Malformed-File exe.MP_230

CVE-2022-21897 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY  288 Malformed-File exe.MP_231

CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability
IPS 8535 Server Application Code Execution 28

CVE-2022-21908 Windows Installer Elevation of Privilege Vulnerability
ASPY 289 Malformed-File dll.MP_7

CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 280:Malformed-File exe.MP_226

CVE-2022-21919 Windows User Profile Service Elevation of Privilege Vulnerability
ASPY 281:Malformed-File exe.MP_227

Adobe Coverage
CVE-2021-45067 Acrobat Reader Buffer Overflow Vulnerability
ASPY 282:Malformed-File pdf.MP_520

CVE-2021-44714 Acrobat Reader Security feature bypass
ASPY 283:Malformed-File pdf.MP_521

CVE-2021-44707 Acrobat Reader Buffer Overflow Vulnerability
ASPY 284:Malformed-File pdf.MP_522

The following vulnerabilities do not have exploits in the wild :
CVE-2021-22947 Open Source Curl Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36976 Libarchive Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21833 Virtual Machine IDE Drive Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21834 Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21835 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21836 Windows Certificate Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-21837 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21838 Windows Cleanup Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21839 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21840 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21841 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21842 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21843 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21847 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21848 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21850 Remote Desktop Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21851 Remote Desktop Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21852 Windows DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21855 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21857 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21858 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21859 Windows Accounts Control Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21860 Windows AppContracts API Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21861 Task Flow Data Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21862 Windows Application Model Core API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21863 Windows StateRepository API Server file Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21864 Windows UI Immersive Server API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21865 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21866 Windows System Launcher Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21867 Windows Push Notifications Apps Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21868 Windows Devices Human Interface Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21869 Clipboard User Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21870 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21871 Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21872 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21873 Tile Data Repository Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21874 Windows Security Center API Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21875 Windows Storage Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21876 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21877 Storage Spaces Controller Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21878 Windows Geolocation Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21879 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21880 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21883 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21884 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21885 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21888 Windows Modern Execution Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21889 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21890 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21891 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-21892 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21893 Remote Desktop Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21894 Secure Boot Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21895 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21896 Windows DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21898 DirectX Graphics Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21899 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21900 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21902 Windows DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21903 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21904 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21905 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21906 Windows Defender Application Control Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21910 Microsoft Cluster Port Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21911 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21912 DirectX Graphics Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21913 Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass
There are no known exploits in the wild.
CVE-2022-21914 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21915 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21917 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21918 DirectX Graphics Kernel File Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21920 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21921 Windows Defender Credential Guard Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21922 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21924 Workstation Service Remote Protocol Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21925 Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21928 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21929 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21930 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21931 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21932 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2022-21954 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21958 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21959 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21960 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21961 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21962 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21963 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21964 Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21969 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21970 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.

GitLab Community and Enterprise Edition Vulnerability

/in /by

Overview:

  GitLab is web-based Git repository manager that includes additional features to handle all stages of the DevOps lifecycle including continuous integration and delivery, issue tracking, monitoring, and integration with many other applications. GitLab is built on several technologies including Ruby, Rails, Go, and Redis and is available as a free Community Edition or a paid Enterprise Edition.

  A stored cross-site scripting vulnerability has been reported in the Community edition and Enterprise edition of GitLab. The vulnerability is due to insufficient input sanitization of ipynb files.

  A remote, authenticated attacker can exploit these vulnerabilities with crafted requests to the target server. Successful exploitation could result in arbitrary script execution in the target user’s browser.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-39906.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C).

  Base score is 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A stored cross-site scripting vulnerability exists in GitLab. The vulnerability is due to insufficient Jupyter notebook rendering sanitization. The HTML output of a command can contain SVG data with a use element referencing a GitLab icons SVG file on the GitLab server. The attribute sanitization does not normalize the path. The path to a valid SVG file can be used with a relative path to a crafted SVG appended that passes the sanitization check in isUrlAllowed(). The crafted SVG must be hosted in a repository on the same GitLab host.

  In the crafted SVG file, a foreignObject element can be used to inject arbitrary HTML after GitLab sanitization is performed. The SVG specification mentions that a referenced SVG XML should be cloned for use element processing, without an exclusion for foreignObject elements. However, the only browser engine that honours the cloning of foreignObject elements is Gecko. As a result, this XSS can only be triggered on Firefox browsers. The SVG Working Group has discussed removing foreignObject from the elements to clone from use referenced SVG files, but this is not yet written into the specification.

  A remote, authenticated attacker can exploit this vulnerability by creating crafted SVG and IPYNB files on the target server. Successful exploitation results in arbitrary script execution in the target user’s browser.

  Scalable Vector Graphics (SVG) 2, 5.6.1. The use-element shadow tree
  SVG Working Group GitHub repository, and Issue

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must have authorized access to a user with permissions to create files in a project.

Triggering Conditions:

  The attacker will authenticate to the target system. Once authenticated, the attacker will create a malicious SVG and IPYNB file.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 705 GitLab ipynb Stored XSS 1

  • IPS: 18693 GitLab ipynb Stored XSS 2

  Please note that if your web service/server is accessible over HTTPS, then enabling of Server DPI-SSL is necessary for the above signature to detect exploits targeting this vulnerability.

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating the product by obtaining a new revision or applying the vendor supplied patch.
    • Filtering attack traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory