
3S Smart Software Solutions CoDeSys Vulnerability

Overview:

  3S Smart Software Solutions CoDeSys is an IEC 61131-compliant PLC program development environment for multiple programming languages. CoDeSys supports PLC devices from over 250 device manufacturers. The CoDeSys Gateway Server is a service which facilitates enumeration, programming and interaction over TCP with devices, which themselves do not feature network connectivity.

  A stack buffer overflow vulnerability exists in 3S Smart Software CoDeSys. The vulnerability is due to insufficient boundary checking when parsing requests and allows overflowing a stack buffer with an overly long string.

  A remote unauthenticated attacker could exploit this vulnerability by sending crafted requests to the vulnerable service on ports 1211/TCP and 1210/TCP. Successful exploitation could result in code execution with SYSTEM privileges. Unsuccessful attack attempts could cause the affected service to terminate abnormally, causing a denial of service (DoS) condition.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2012-4708.

Common Vulnerability Scoring System (CVSS):

  Base score is 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), based on the following metrics:
    • Access vector is network.
    • Level of authentication required is none.
    • Impact of this vulnerability on data confidentiality is complete.
    • Impact of this vulnerability on data integrity is complete.
    • Impact of this vulnerability on data availability is complete.
  Temporal score is 7.4 (E:U/RL:OF/RC:C), based on the following metrics:
    • The exploitability level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  While the IEC 61131 specification is not publicly available, the following is the general structure of the file service related requests (opcodes 0x04, 0x06 and 0x03F1) sent to the Gateway Server over TCP/1211 and TCP/1210:

  All multi-byte integers are in little-endian byte order.

  An opcode 0x06 request, GS_PUT_File, can be used to upload a file to the base directory on a CoDeSys server. The contents of the file are sent in the FileContent field of the request. If the request names a Filename that already exists on the server, the contents of the existing file are replaced by the new contents sent in the request.

  A stack buffer overflow vulnerability exists in the 3S CoDeSys Gateway Server. The vulnerability is due to insufficient validation of the length of the Filename string within opcode 0x04, 0x06 and 0x03F1 requests. The vulnerable code appends the user-controlled Filename to the base directory string “C:\WINDOWS\Gateway Files” and then copies the whole path string into one of three fixed-size stack buffers. Depending on the opcode of the request, the vulnerable code uses a stack buffer of the following size:

    • 0x1c0 (448) bytes for the opcode 0x03F1.
    • 0x128 (296) bytes for the opcode 0x06.
    • 0x210 (528) bytes for the opcode 0x04.

  The vulnerable function uses 36 (0x24) bytes of the allocated space for other purposes. Providing an overly long Filename overflows the stack buffer, overwriting other data on the stack, including the return address and the SEH record.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a malicious opcode 0x04, 0x06 or 0x03F1 request to a vulnerable server. Successful exploitation would allow the attacker to execute arbitrary code in the security context of the affected service, which is SYSTEM. If the attack fails, the service may terminate abnormally, leading to a denial-of-service condition.
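As an added example (not CoDeSys code or the advisory's own), the following derives, from the three buffer sizes and the 36 reserved bytes above, the longest Filename each request type can carry before the copy overruns its stack buffer, and wraps that as a guard a protocol front-end or parser could apply before the copy. It assumes a single backslash joins the base directory to the Filename and that the path is NUL-terminated; the page states neither.

```python
# Added example: per-opcode Filename length guard derived from the advisory.
# Assumptions (not stated on the page): a single backslash joins the base
# directory to the Filename, and the resulting path is NUL-terminated.

BASE_DIR = r"C:\WINDOWS\Gateway Files"   # base directory named in the advisory
RESERVED = 0x24                          # 36 bytes the function uses for other data
SEPARATOR_AND_NUL = 2                    # assumed '\' separator plus terminating NUL

# Stack buffer size per file-service opcode, as listed above.
BUFFER_SIZE = {
    0x04:  0x210,   # 528 bytes
    0x06:  0x128,   # 296 bytes (GS_PUT_File)
    0x3F1: 0x1C0,   # 448 bytes
}


def is_file_service_opcode(opcode):
    """True for the three opcodes whose Filename reaches the vulnerable copy."""
    return opcode in BUFFER_SIZE


def max_filename_len(opcode):
    """Longest Filename (bytes, no NUL) that still fits the buffer for this opcode."""
    size = BUFFER_SIZE[opcode]                     # KeyError for non-file opcodes
    usable = size - RESERVED                       # space left for the path string
    overhead = len(BASE_DIR) + SEPARATOR_AND_NUL   # fixed part of the built path
    return max(usable - overhead, 0)


def overflow_margin(opcode, filename):
    """Bytes by which the built path would exceed the buffer; <= 0 means it fits."""
    return len(filename) - max_filename_len(opcode)


def check_filename(opcode, filename):
    """Guard to apply before the request reaches the unbounded copy.

    Returns (accepted, reason).  Requests for opcodes that do not carry a
    Filename are passed through unchanged.
    """
    if not is_file_service_opcode(opcode):
        return True, "not a file-service request"
    margin = overflow_margin(opcode, filename)
    if margin > 0:
        return False, "Filename exceeds buffer for opcode %#x by %d bytes" % (opcode, margin)
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a normal name and names sized to overrun the 0x06 buffer.
    for op, name in ((0x06, b"plc_program.bin"), (0x06, b"A" * 300), (0x04, b"A" * 300)):
        print(hex(op), len(name), check_filename(op, name))
```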

Triggering the Problem:

  • The target host must have the vulnerable version of the software installed and running.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  An attacker connects to the server and sends a crafted request containing a malicious Filename to the target host. The vulnerability is triggered when the affected product parses the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • 3S Smart Software Solutions CoDeSys Gateway Server Protocol, over port 1210/TCP
    • 3S Smart Software Solutions CoDeSys Gateway Server Protocol, over port 1211/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4888 CODESYS Gateway Server Buffer Overflow 1

Remediation Details:

  Listed below are a number of actions that may be taken in order to minimize or eliminate the risks:
    • Upgrade to a non-vulnerable version of the product.
    • Restrict network access to the vulnerable ports to trusted hosts only.
    • Filter attack traffic using the IPS signature above.
  The vendor has released a security patch that mitigates this vulnerability (requires customer login):
  Vendor Advisory

Rise of Android malware masquerading Covid related themes

Malware writers often use trending topics to disguise their malicious creations. Ever since early 2020, the Covid-19 pandemic has given malware writers and scammers fuel to use Covid related themes to hide malicious applications. The SonicWall Threats Research team has been observing Covid related Android malware since mid-2020. This blog highlights how Android malware trends have corresponded with the rise in the Covid related mortality rate in different parts of the world.

The graph below shows Covid related deaths in different parts of the world between April 2020 and July 2021, with peaks visible in the following months:

  • March, 2020
  • August-September, 2020
  • November-December, 2020
  • January, 2021
  • May-June, 2021

Covid related Android malware trends – 2020

  • Keywords – Coronavirus, Covid

The graph below shows malicious Android apps whose application name and package name contain the keywords Coronavirus or Covid. This graph has a few peaks that coincide with the graph of Covid related deaths seen worldwide.


  • Keywords – Temperature, Meeting

Working from home became common practice for much of the workforce around the world, and online meeting apps became very popular as a result. Correspondingly, we see the number of malicious Android apps with names related to online meetings rise during a few months that coincide with peaks in Covid related infections.

During the first peak in March, high body temperature was one of the main symptoms of Covid infection; as a result, malicious apps that claim to check body temperature also became popular among malware writers. The peak in numbers for fake temperature related malicious Android apps coincides with the first graph of Covid infections.


Covid related Android malware trends – 2021

  • Keywords – Vaccination

Vaccinations started in the early months of 2021 all over the world and slowly ramped up as time progressed. Shortly afterwards, as anticipated, we began seeing vaccination themed malicious Android apps.


Covid related Government Apps

Countries all around the world developed apps on multiple platforms to monitor and trace people infected during the pandemic. Unsurprisingly, malware writers used this opportunity to disguise malicious apps under the names of legitimate government applications. Below are malicious counterparts of legitimate government apps:


Among the government Covid related apps, Aarogya Setu from India was the one impersonated the most. We have seen malicious apps passed off as Aarogya Setu in both 2020 and 2021:


It is safe to say that Covid has been a very lucrative topic for malware writers as they have used this label to hide their malicious creations. While the pandemic is far from over, Covid related malware is expected to rise as time passes.

SonicWall Capture Labs provides protection against multiple threats associated with Covid related Android malware; some of the signatures are listed below:

  • AndroidOS.Cerberus.COVID
  • AndroidOS.Cerberus.COVID_2
  • AndroidOS.HiddenAd.COVID
  • AndroidOS.CoronaTracker.BNK
  • AndroidOS.Corona.IR
  • AndroidOS.Corona.IR_3
  • AndroidOS.CoronaVirus.Spy
  • AndroidOS.Banker.COVID_2
  • AndroidOS.CoronaTracker.RSM



Cisco ASA Cross Site Scripting Vulnerability

Cisco Adaptive Security Appliance XSS is being exploited in the wild.

The Cisco ASA Family of security devices protects corporate networks and data centers of all sizes. Cisco Adaptive Security Appliance (ASA) Software is the core operating system for the Cisco ASA Family. It delivers enterprise-class firewall capabilities for ASA devices in an array of form factors – standalone appliances, blades, and virtual appliances – for any distributed network environment. ASA Software also integrates with other critical security technologies to deliver comprehensive solutions that meet continuously evolving security needs.

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or to access sensitive, browser-based information.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

XSS attacks abuse the dynamic way websites interact with browsers, making it possible for an attacker to control the victim’s browser and their interaction with a vulnerable website. A flawed application that displays back content provided or controlled by a user, such as a URL parameter or an input field, without proper encoding opens the door to manipulation of that content.

Cisco Adaptive Security Appliance XSS | CVE-2020-3580

When a website or application simply reflects back content maliciously manipulated by the user, the attack is called reflected XSS. The reflected content affects how the browser displays the page and how it processes the content and behaves.

To exploit the Cisco ASA vulnerability, the attacker abuses the svg tag’s onload event. Since the input to the event handler is not properly sanitized, whatever is written in the alert is reflected back to the user.

Authentication is not needed to exploit this vulnerability. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or to access sensitive, browser-based information such as the user’s session cookie, allowing the attacker to hijack the user’s session and take over the account. A successful exploit could also lead to the disclosure of end-user files, installation of Trojan horse programs, redirection of the user to another page or site, or modification of the presented content.
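As an added example, not Cisco's code or a SonicWall signature, the following Python scans constructed access-log lines for a query parameter carrying the svg onload vector described above (undoing repeated URL encoding first) and shows the server-side mitigation of HTML-encoding a value before it is reflected; the endpoint path, client addresses and log lines are made up, not the affected ASA endpoint.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# The vector described above: an <svg> element carrying an event handler
# (onload=) reflected into the page without encoding.
SVG_HANDLER = re.compile(r"<\s*svg\b[^>]*\bon\w+\s*=", re.IGNORECASE)

# Common Log Format line; the constructed sample below uses this shape.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_param(value):
    """Undo repeated URL encoding; double-encoded payloads are common."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def reflected_svg_params(url):
    """Names of query parameters that carry an svg event-handler payload."""
    query = urlsplit(url).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if SVG_HANDLER.search(decode_param(v))]


def scan_access_log(lines):
    """Return (client, url, params) for each request matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        params = reflected_svg_params(m.group("url"))
        if params:
            hits.append((m.group("client"), m.group("url"), params))
    return hits


def safe_reflect(value):
    """Server-side mitigation: HTML-encode user input before echoing it."""
    return html.escape(value, quote=True)


# Constructed log lines (not a real capture); /example/search is a placeholder
# path, not the affected ASA endpoint.  The third line is double-encoded.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2021:12:00:01 +0000] "GET /example/search?q=vpn+status HTTP/1.1" 200 512
203.0.113.5 - - [10/Jul/2021:12:00:09 +0000] "GET /example/search?q=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 640
203.0.113.5 - - [10/Jul/2021:12:00:15 +0000] "GET /example/search?lang=en&q=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 640
"""

if __name__ == "__main__":
    for client, url, params in scan_access_log(SAMPLE_LOG.splitlines()):
        print(client, params, url)
    print(safe_reflect("<svg onload=alert(1)>"))
```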

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15614: Cisco Adaptive Security Appliance XSS

The following versions are vulnerable:

  • Earlier than 9.61
  • 9.61
  • 9.71
  • 9.8
  • 9.9
  • 9.101
  • 9.12
  • 9.13
  • 9.14
  • 9.15

Cisco has patched this vulnerability.

Threat Graph

Metamorfo Banking Malware Abusing Nvidia Executable

The SonicWall Threats Research team has observed a highly obfuscated batch (BAT) file inside an archive downloaded to the victim’s machine. The BAT file executes a PowerShell script which downloads an archive file containing Metamorfo banking malware. The archive also contains other genuine files, including the NVIDIA Smart Maximise Helper Host executable, which the malware abuses to load the Metamorfo banking trojan via Dynamic Link Library (DLL) search order hijacking.


Batch Script:

The batch script creates the folder C:\ProgramData\Adobe-Fireworks-_<randombytes>, if it does not already exist, and executes the PowerShell script to download the archive file:

PowerShell Script:

The PowerShell script downloads an archive file from the Uniform Resource Locator (URL) “h[t][t]ps://diasdegloria.s3.sa-east-1.amazonaws.com/voolivre-gelopanama-v1.artcos-78.docx” to C:\ProgramData\Adobe-Fireworks-_<randombytes>\Adobe-Fireworks-_<randombytes>.zip; however, the URL is updated frequently by the malware author.

The archive file contains the Metamorfo banking trojan NvSmartMax.dll and a bunch of genuine files, including the NVIDIA Smart Maximise Helper Host executable, libeay32.dll, ssleay32.dll and others. The PowerShell script executes the NVIDIA Smart Maximise Helper Host executable, which loads the Metamorfo banking trojan NvSmartMax.dll from the current working directory.

Metamorfo Execution:

The malware uses the common technique of DLL injection to inject itself into the Internet Explorer executable. The DLL injection technique involves the following API sequence:

  • CreateProcessW : Creates a process for Internet Explorer in suspended mode.
  • VirtualAllocEx : Allocates 1000 bytes in the newly created Internet Explorer process.
  • WriteProcessMemory : Writes the NvSmartMax.dll path to the allocated memory.
  • CreateRemoteThread : Calls the API with the address of LoadLibraryW as the thread start routine, passing the address of the written NvSmartMax.dll path as the parameter.
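As an added example rather than anything from the sample, this Python detector walks a constructed API-call trace and reports the four-call sequence above only when every step targets the same process, the create used CREATE_SUSPENDED, the write lands in the allocated region and the remote thread starts at LoadLibraryW with that region as its argument. The trace format, PIDs and addresses are invented; the DLL path combines the folder and DLL name named on this page.

```python
CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for a suspended process


def parse_trace(lines):
    """Constructed trace format: '<api> key=value key=value ...' per line."""
    calls = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        api, *fields = line.split()
        calls.append((api, dict(f.split("=", 1) for f in fields)))
    return calls


def find_dll_injection(lines):
    """Return [(target_pid, image, dll_path)] for every completed sequence.

    Progress is tracked per target process so interleaved, unrelated calls
    (a debugger creating a suspended child, an allocation with no remote
    thread) do not produce a finding.
    """
    progress = {}          # target pid -> state of the sequence so far
    findings = []
    for api, kv in parse_trace(lines):
        pid = kv.get("target_pid")
        st = progress.get(pid)
        if api == "CreateProcessW":
            # Step 1: the target is created suspended.
            if int(kv.get("flags", "0"), 0) & CREATE_SUSPENDED:
                progress[pid] = {"step": 1, "image": kv.get("image")}
        elif api == "VirtualAllocEx" and st and st["step"] == 1:
            # Step 2: memory is reserved in the suspended target.
            st.update(step=2, addr=kv.get("addr"))
        elif api == "WriteProcessMemory" and st and st["step"] == 2 \
                and kv.get("addr") == st["addr"]:
            # Step 3: the DLL path is written into that region.
            st.update(step=3, data=kv.get("data", ""))
        elif api == "CreateRemoteThread" and st and st["step"] == 3 \
                and kv.get("start") == "LoadLibraryW" \
                and kv.get("param") == st["addr"]:
            # Step 4: LoadLibraryW is invoked on the written path.
            findings.append((pid, st["image"], st["data"]))
            del progress[pid]
    return findings


# Constructed API trace (not a real capture).  Process 5008 shows a suspended
# create plus allocation without the remaining steps, which must not alert.
SAMPLE_TRACE = r"""
# constructed sample
CreateProcessW target_pid=4120 image=iexplore.exe flags=0x4
VirtualAllocEx target_pid=4120 addr=0x1a0000 size=1000
CreateProcessW target_pid=5008 image=notepad.exe flags=0x4
VirtualAllocEx target_pid=5008 addr=0x2b0000 size=4096
WriteProcessMemory target_pid=4120 addr=0x1a0000 data=C:\ProgramData\Adobe-Fireworks-_66c\NvSmartMax.dll
ResumeThread target_pid=5008
CreateRemoteThread target_pid=4120 start=LoadLibraryW param=0x1a0000
"""

if __name__ == "__main__":
    for pid, image, dll in find_dll_injection(SAMPLE_TRACE.splitlines()):
        print("DLL injection into pid %s (%s): %s" % (pid, image, dll))
```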


Registry modifications:

The malware creates the following persistence entry:

The malware also makes a few other entries under HKEY_CURRENT_USER\Control Panel, which appears to be the configuration storage location for the malware, as it also looks for the HKCU\Control Panel\newprogram registry value:


File modifications:

The malware looks for the following files on the victim’s machine:

  • C:\ProgramData\Adobe-Fireworks-_66c\Adobe-Fireworks-_66c.cab
  • C:\ProgramData\Adobe-Fireworks-_66c\mreb.xml
  • C:\ProgramData\Adobe-Fireworks-_66c\mreboot
  • C:\mreboot


The Metamorfo banking trojan primarily targets Brazilian or Portuguese citizens. It initially abused an AVAST executable, but recently it has started abusing the NVIDIA executable. The SonicWall threat research team is continuously monitoring Metamorfo banking trojan distribution.


The unavailability of the archive file in popular threat intelligence sharing portals such as VirusTotal and ReversingLabs indicates its uniqueness and limited distribution:


Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

Microsoft Security Bulletin Coverage for July 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of July 2021. A list of issues reported, along with SonicWall coverage information is as follows:

CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability
ASPY 197:Malformed-File exe.MP.195

CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability
ASPY 198:Malformed-File exe.MP.196

CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability
IPS 15631:Scripting Engine Memory Corruption Vulnerability (CVE-2021-34448)

CVE-2021-34449 Win32k Elevation of Privilege Vulnerability
ASPY 185:Malformed-File exe.MP.184

CVE-2021-34467 Microsoft SharePoint Server Remote Code Execution Vulnerability
IPS 15630:Microsoft SharePoint Server Remote Code Execution (CVE-2021-34467)

CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
IPS 15632:Microsoft Exchange Server Remote Code Execution (CVE-2021-34473)

CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability
IPS 15622: Print Spooler AddPrinterDriverEx Request

Adobe Coverage:
CVE-2021-28640 Acrobat Reader Use After Free
ASPY 195: Malformed-File pdf.MP.476

CVE-2021-28635 Acrobat Reader Use After Free
ASPY 196: Malformed-File pdf.MP.477

The following vulnerabilities do not have exploits in the wild:
CVE-2021-31183 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31196 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31206 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31947 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31961 Windows InstallService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31984 Power BI Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33740 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33743 Windows Projected File System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33744 Windows Secure Kernel Mode Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33745 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33746 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33749 Windows DNS Snap-in Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33750 Windows DNS Snap-in Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33751 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33752 Windows DNS Snap-in Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33753 Microsoft Bing Search Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-33754 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33755 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33756 Windows DNS Snap-in Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33757 Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33758 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33759 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33760 Media Foundation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33761 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33763 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33764 Windows Key Distribution Center Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33765 Windows Installer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-33766 Microsoft Exchange Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33767 Open Enclave SDK Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33768 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33772 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33773 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33774 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33775 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33776 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33777 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33778 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33779 Windows ADFS Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33780 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-33781 Active Directory Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33782 Windows Authenticode Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-33783 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33784 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-33785 Windows AF_UNIX Socket Provider Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-33786 Windows LSA Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-33788 Windows LSA Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34438 Windows Font Driver Host Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34439 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34440 GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34441 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34442 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34444 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34445 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34446 Windows HTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-34447 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34450 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34451 Microsoft Office Online Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-34452 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34454 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34455 Windows File History Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34456 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34457 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34459 Windows AppContainer Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34460 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34461 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34462 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34464 Microsoft Defender Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-34468 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34469 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-34470 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34474 Dynamics Business Central Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34476 Bowser.sys Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34477 Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34479 Microsoft Visual Studio Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-34488 Windows Console Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34489 DirectWrite Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34490 Windows TCP/IP Driver Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34491 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34492 Windows Certificate Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-34493 Windows Partition Management Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34496 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34497 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34498 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34499 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-34500 Windows Kernel Memory Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34501 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34503 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34504 Windows Address Book Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34507 Windows Remote Assistance Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34508 Windows Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34509 Storage Spaces Controller Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34510 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34511 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34512 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34513 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34514 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34516 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34517 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-34518 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34519 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34520 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34521 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34522 Microsoft Defender Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34523 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34525 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34528 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34529 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.

Spammers piggybacking on the Kaseya server exploit

The recent Kaseya VSA server exploit incident has given cybercriminals an opportunity to distribute fake Kaseya update programs. An unsuspecting user is tricked into downloading a program that appears to be from Kaseya but in fact runs malware.

Infection Cycle:

This Trojan arrives via a spam campaign. A user might receive an email similar to the screenshot below:

It purports to come from Kaseya’s “response team” with a download link to a tool that is a “critical fix” for the recently reported issue. The tool appears to be hosted on the legitimate Kaseya.com website, but clicking on the link takes you to a different URL. Discord has been a popular choice for hosting malicious payloads lately.

The malware uses a legitimate-sounding filename, but this particular sample has the following file properties:

Upon execution, the malware goes through the registry and appears to be scoping the system, looking through system policies and services. Many of the keys it queries are very specific and were not found on our test system.

It then goes on to download another file.

It then intermittently keeps connecting to a remote server.

Since there isn’t an official fix from Kaseya yet, some users might fall for this in an attempt to protect their networks from becoming the target of a possible attack. Kaseya has issued a statement reminding customers not to click on any link if they are not certain of its source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.FT (Trojan)

This threat is also detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

Oracle Endeca Server RCE Vulnerability

Overview:

  Oracle Endeca Server is a hybrid search-analytical database. It organizes complex and varied data from disparate source systems into a flexible data model that reduces the need for upfront modeling. Oracle Endeca Server is designed for discovery. Through its flexible data model, columnar storage, and in-memory analytics, it unifies search, navigation, and analytics to deliver fast answers on structured and unstructured data.

  A command execution vulnerability exists in Oracle Endeca Server. The vulnerability is due to the controlSoapBinding web service exposing the createDataStore method which contains a flaw that allows for the injection of arbitrary commands.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the affected server. Successful exploitation could result in arbitrary command execution with elevated privileges.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2013-3763.

Common Vulnerability Scoring System (CVSS):

  Base score is 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), based on the following metrics:
    • Access vector is network.
    • Access complexity is low.
    • Level of authentication required is none.
    • Impact of this vulnerability on data confidentiality is complete.
    • Impact of this vulnerability on data integrity is complete.
    • Impact of this vulnerability on data availability is complete.
  Temporal score is 8.3 (E:F/RL:OF/RC:C), based on the following metrics:
    • The exploitability level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Oracle Endeca Server uses commands to manage the database. The command-line interface executes commands in a remote system by sending a SOAP request. SOAP (Simple Object Access Protocol) is a specification for exchanging information with web services. Messages are sent over HTTP using a POST request using XML (eXtensible Markup Language) to structure the data.

  A typical request sent to the SOAP interface will have the following structure:

  A command execution vulnerability exists in Oracle Endeca Server. The vulnerability is due to insufficient validation of SOAP requests sent to the target server. When the vulnerable web application, endeca-server-7.4.war, receives a request to the createDataStore function from the user, it uses the value of the dataStoreConfig tag as the parameters to pass to external commands. Inside the dataStoreConfig tag there may be a dataFiles tag; otherwise the server uses the value of the name tag to build a dataFiles variable. The web application uses this variable to build an external command. The parameters are not sanitized before they are used. If the value of name or dataFiles includes a double quote character (") (encoded as &quot;, &#34; or &#x22;), the vulnerable program interprets the double quote as the terminator of a quoted string and treats the rest of the parameter as a continuation of the command line. If the following string contains characters that serve as command-line separators on the target operating system (such as ampersand “&”, pipe “|”, backtick “`”, a dollar-parenthesis sequence “$(” and a semicolon “;”), it is possible to inject a shell command and execute it on the target system.

  By crafting a malicious request, a remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary commands on the affected system. The executed commands run in the security context of SYSTEM.
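The request shape and the hardening the overview implies, as an added example that is not part of the original advisory or of Oracle's code: it parses a constructed createDataStore SOAP request (the ctl namespace URI is a placeholder), derives dataFiles from name when the tag is absent (the exact fallback rule is an assumption), flags a double quote followed by one of the separators listed above, and shows the allowlist-plus-argv construction that the string-concatenated command line should have used. The tool name placeholder-tool is invented for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Command-line separators listed in the advisory. A double quote followed by
# one of these is what lets a name/dataFiles value escape into the shell.
SEPARATOR_RE = re.compile(r'[&|`;]|\$\(')
# Allowlist for a data store name or file path (assumption: Endeca does not
# need anything beyond these characters).
SAFE_VALUE_RE = re.compile(r'^[A-Za-z0-9_./-]+$')

# Constructed sample requests. The ctl namespace URI is a placeholder, not the
# real Endeca control-service namespace; elements are matched by local name.
SAMPLE_BENIGN = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ctl="urn:placeholder:endeca-control">
  <soapenv:Body>
    <ctl:createDataStore>
      <ctl:dataStoreConfig>
        <ctl:name>sales_q3</ctl:name>
      </ctl:dataStoreConfig>
    </ctl:createDataStore>
  </soapenv:Body>
</soapenv:Envelope>"""

# Quote encoded as &quot; and a separator encoded as &amp;: the XML layer
# decodes both before the value reaches the command builder.
SAMPLE_NAME_INJECTION = SAMPLE_BENIGN.replace(
    b"<ctl:name>sales_q3</ctl:name>",
    b"<ctl:name>sales&quot; &amp; echo injected</ctl:name>")

# Same pattern through an explicit dataFiles tag and the &#x22; quote form.
SAMPLE_DATAFILES_INJECTION = SAMPLE_BENIGN.replace(
    b"<ctl:name>sales_q3</ctl:name>",
    b"<ctl:name>orders</ctl:name><ctl:dataFiles>/srv/x&#x22;|echo y</ctl:dataFiles>")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit('}', 1)[-1]


def _find(elem, local_name):
    for node in elem.iter():
        if _local(node.tag) == local_name:
            return node
    return None


def extract_datastore_params(soap_xml):
    """Return (name, dataFiles) as the server sees them after XML parsing.
    ElementTree decodes &quot;, &#34; and &#x22; into a literal quote here."""
    root = ET.fromstring(soap_xml)
    cfg = _find(root, 'dataStoreConfig')
    if cfg is None:
        return None, None
    name_el = _find(cfg, 'name')
    files_el = _find(cfg, 'dataFiles')
    name = (name_el.text or '') if name_el is not None else ''
    # Assumption: with no dataFiles tag, the name is reused unchanged.
    data_files = (files_el.text or '') if files_el is not None else name
    return name, data_files


def is_injection_attempt(value):
    """True when a double quote is followed by a command separator."""
    if not value or '"' not in value:
        return False
    after_quote = value.split('"', 1)[1]
    return SEPARATOR_RE.search(after_quote) is not None


def classify_request(soap_xml):
    name, data_files = extract_datastore_params(soap_xml)
    return {
        'name': name,
        'dataFiles': data_files,
        'suspicious': is_injection_attempt(name) or is_injection_attempt(data_files),
    }


def value_is_allowed(value):
    return bool(value) and SAFE_VALUE_RE.match(value) is not None


def build_safe_argv(tool, data_files):
    """Hardened construction: validate against the allowlist, then pass the
    value as its own argv element so no shell ever parses it."""
    if not value_is_allowed(data_files):
        raise ValueError('dataFiles contains characters outside the allowlist')
    return [tool, '--data-files', data_files]


if __name__ == '__main__':
    for label, req in [('benign', SAMPLE_BENIGN), ('name', SAMPLE_NAME_INJECTION),
                       ('dataFiles', SAMPLE_DATAFILES_INJECTION)]:
        print(label, classify_request(req))
```

The detector keys on the decoded value rather than the raw XML because all three entity encodings collapse to the same quote character once parsed; a signature that only looks for the literal `"` in the wire bytes would miss the encoded forms the overview mentions.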

Triggering the Problem:

  • The target host must have the vulnerable product installed.
  • The attacker must have network connectivity to the Oracle Endeca Server.

Triggering Conditions:

  The attacker sends a malicious request to the affected service on the vulnerable system. The crafted request to the createDataStore function contains a malicious name or dataFiles tag value. The vulnerability is triggered upon processing the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SOAP/HTTP, over port 7770/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4691 Oracle Endeca Server Remote Command Execution 2

Remediation Details:

  Listed below are several actions that may be taken to minimize or eliminate the risks posed:
    • Limit network connectivity to the affected communication service to trusted users only.
    • Detect and filter malicious traffic using the signature provided above.
    • Apply the vendor-provided patch to eliminate the vulnerability.
  The vendor, Oracle, has issued a security advisory to address this vulnerability:
  Vendor Advisory

Kaseya VSA server exploitation and another supply chain ransomware attack

The SonicWall Capture Labs threat research team has analyzed the ransomware that is spreading using the exploitation of the Kaseya standalone on-premises VSA server and the subsequent supply-chain attacks.

The attack starts with exploitation of the Kaseya server. The ransomware dropper (agent.crt), encoded in base64, is uploaded to the Kaseya VSA server using the file upload functionality. In addition, the attacker uploads userFilterTableRpt.asp to the victim server, which likely allows it to take advantage of additional vulnerabilities on the VSA server in order to issue the hotfix procedure. Once the server (standalone version) is exploited, the attacker issues a hotfix update to the agent to transfer the ransomware from the server to all the managed endpoint agents. This file is decoded/decrypted as agent.exe and executed. The sample is found to belong to the REvil/Sodinokibi ransomware family.


Infection Cycle:

The sample agent.exe is the ransomware dropper; its purpose is to drop the following files, which are stored in its resource section, and execute them. The location where the files are dropped on the system depends on the user’s privilege level.

  1. mpsvc.dll (stored in the resource named ‘MODLIS’ )
  2. MsMpEng.exe (stored in the resource named ‘SOFTIS’ )


Fig-1: Dropper retrieving files from Resource

agent.exe executes ‘MsMpEng.exe’ using the CreateProcess API, as shown in the above image. MsMpEng.exe is a clean file belonging to Microsoft Security Essentials. It imports a DLL named ‘mpsvc.dll’, which is the same name the threat actor used for the malicious DLL dropped by agent.exe. Because of the DLL search order, the malicious DLL present in the current folder is the one MsMpEng.exe loads into memory (DLL search-order hijacking).


Fig-2: Import table of MsMpEng.exe

MsMpEng.exe loads the mpsvc.dll and executes the function ‘ServiceCrtMain’, which is exported by the dll, as shown below:


Fig-3: MsMpEng.exe calling ServiceCrtMain

Once the execution control is transferred to mpsvc.dll, it does the following:

  • Creates a Mutex
    • \BaseNamedObjects\422BE415-4098-BB75-3BD9-3E62EE8E8423
  • Encrypts the files and changes the extension to a random name
    • “filename.doc” is renamed to  “filename.doc.6t0s1w”
  • Adds a ransom note in every folder; the note’s file name uses the same random extension that was appended to the encrypted files
    • “6t0s1w-readme.txt”
  • There is a configuration file embedded in the DLL, which contains:
    • Folders that are excluded during the ransomware encryption routine
      • program files, appdata, mozilla, application data, google, windows.old, programdata, system volume information, program files (x86), boot, tor browser, windows, intel, perflogs, msocache
    • Files that are excluded during the ransomware encryption process:
      • ntldr, thumbs.db, bootsect.bak, autorun.inf, ntuser.dat.log, iconcache.db, bootfont.bin, ntuser.dat, ntuser.ini, desktop.ini
    • File extensions that are excluded from the encryption process
      • ps1, ldf, lock, theme, msi, sys, wpx, cpl, adv, msc, scr, bat, key, ico, dll, hta, deskthemepack, nomedia, msu, rtp, msp, idx, ani, 386, diagcfg, bin, mod, ics, com, hlp, spl, nls, cab, exe, diagpkg, icl, ocx, rom, prf, themepack, msstyles, lnk, icns, mpa, drv, cur, diagcab, cmd, shs
    • Terminates the following processes if running:
      • encsvc, powerpnt, ocssd, steam, isqlplussvc, outlook, sql, ocomm, agntsvc, mspub, onenote, winword, thebat, excel, mydesktopqos, ocautoupds, thunderbird, synctime, infopath, mydesktopservice, firefox, oracle, sqbcoreservice, dbeng50, tbirdconfig, msaccess, visio, dbsnmp, wordpad, xfssvccon
    • The following services are stopped if running:
      • veeam, memtas, sql, backup, vss, sophos, svc$, mepocs
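A triage helper for the post-encryption state described above, as an added example that is not part of the original analysis: because the appended extension is random per infection, a responder cannot hunt for a fixed extension. The script instead learns the extension from the ransom-note file name (“<extension>-readme.txt”) and then counts the files carrying it. The 4-8 character alphanumeric pattern is an assumption generalised from the observed “6t0s1w”; the directory tree it scans is constructed in a temporary folder and contains only empty placeholder files.

```python
import os
import re
import tempfile
from collections import defaultdict

# Ransom-note name observed in the analysis: "<random extension>-readme.txt".
# The 4-8 alphanumeric length is an assumption generalised from "6t0s1w".
NOTE_RE = re.compile(r'^([a-z0-9]{4,8})-readme\.txt$', re.IGNORECASE)


def find_encrypted_files(root):
    """Walk a tree, learn the random extension(s) from ransom notes, and return
    {extension: [encrypted file paths]} so an incident responder can size the
    damage without relying on a fixed IoC extension."""
    extensions = set()
    for _, _, filenames in os.walk(root):
        for fn in filenames:
            m = NOTE_RE.match(fn)
            if m:
                extensions.add(m.group(1).lower())
    if not extensions:
        return {}
    hits = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            # Skip the notes themselves and names without an extension.
            if NOTE_RE.match(fn) or '.' not in fn:
                continue
            ext = fn.rsplit('.', 1)[1].lower()
            if ext in extensions:
                hits[ext].append(os.path.join(dirpath, fn))
    return {ext: sorted(paths) for ext, paths in hits.items()}


def summarize(root):
    """Per-extension count of encrypted files, for a quick impact figure."""
    return {ext: len(paths) for ext, paths in find_encrypted_files(root).items()}


def build_sample_tree():
    """Constructed directory layout mimicking the post-encryption state
    described in the analysis (contents are empty; only names matter)."""
    root = tempfile.mkdtemp(prefix='revil_triage_demo_')
    names = [
        'Documents/report.doc.6t0s1w',
        'Documents/6t0s1w-readme.txt',
        'Documents/notes.txt',          # untouched file in this constructed tree
        'Pictures/holiday.jpg.6t0s1w',
        'Pictures/6t0s1w-readme.txt',
        'Windows/explorer.exe',          # excluded folder, never encrypted
    ]
    for rel in names:
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb'):
            pass
    return root


if __name__ == '__main__':
    print(summarize(build_sample_tree()))   # {'6t0s1w': 2}
```

On a live host the same walk can be pointed at each mounted volume; the mutex and registry key named in the analysis are complementary host indicators but need Windows APIs, so they are left out of this file-system-only check.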

On completion of the encryption routine, the following ransom note is displayed to the victim.


Fig-4:Ransomware notes

If the sample has administrator privilege, then it encrypts the MasterBootRecord (MBR).


Fig-5: System with infected MBR

The ransomware stores all generated public/private keys and the random file extension (appended to encrypted files) under the “SOFTWARE\BlackLivesMatter” registry key during its operation. The malware can use this information later.

Fig-6: Registry Key Created – Software/BlackLivesMatter

The malware checks the default UI language of the user and of the system using GetUserDefaultUILanguage and GetSystemDefaultUILanguage.

If the language matches one on its list, it stops further execution.

Fig-7: Language check

It creates a mutex using the CreateMutexW API so that only one instance executes.

If more than one instance of the malware is executed, it shows the error “ERR0R D0UBLE RUN!”

Fig-8: Mutex Created

The files are encrypted using the Salsa20 algorithm.

Fig-9: Salsa20 algorithm


This threat can be detected via the following methods:

  • GAV: MalAgent.VSA (Trojan)
  • GAV: Filecoder.N (Trojan)
  • IPS: [2041]Kaseya VSA Server userFilterTableRpt Request

This threat can also be detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

SonicWall Capture Labs continues to monitor this threat and will provide further information as it becomes available.

Indicators Of Compromise (IOC):

Files:

  • 561cffbaba71a6e8cc1cdceda990ead4 (agent.exe)
  • a47cf00aedf769d60d58bfe00c0b5421 (mpsvc.dll)
  • 95f0a946cd6881dd5953e6db4dfb0cb9 (agent.crt)

Registry:

  • HKLM\BlackLivesMatter\

References:

  1. Incident Overview & Technical Details – Kaseya
  2. Important Notice July 6th, 2021 – Kaseya

Microsoft Windows PrintNightmare zero-day vulnerability (CVE-2021-34527)

Overview:

A new remote code execution (RCE) vulnerability has been discovered in the Microsoft Windows Print Spooler service. This vulnerability has been referred to publicly as PrintNightmare and assigned CVE-2021-34527. According to the vendor, this vulnerability is similar to but distinct from the vulnerability assigned CVE-2021-1675.
Exploitation of this vulnerability requires an authenticated user calling RpcAddPrinterDriverEx(). A successful attack exploiting this vulnerability can run arbitrary code with SYSTEM privileges. At the time this article was written, the vulnerability was being actively exploited against vulnerable versions of the Windows Print Spooler service.

Workarounds and protections:
According to the vendor, the following two options are suggested as workarounds:

  • Option 1 – Disable the Print Spooler service
  • Option 2 – Disable inbound remote printing through Group Policy

SonicWall’s Intrusion Prevention System (IPS) provides the ability to stop this threat by blocking all invocations of the AddPrinterDriverEx request method:

  • 15622 Print Spooler AddPrinterDriverEx Request

SonicWall also detects the exploitation of threats related to CVE-2021-1675 with the following IPS signature:

  • 15623 Print Spooler Elevation of Privilege (CVE-2021-1675)

Note that the above signatures only work for SMBv2. Signature 15622 is set to low priority; customers need to enable it for protection.

The vendor has released the following advisory regarding this vulnerability:

Oracle E-Business Suite Infinite Loop Vulnerability

Overview:

  Oracle E-Business Suite is a collection of applications for Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), and Supply Chain Management (SCM) and contains several product lines intended for specific use cases. The E-Business suite utilizes Oracle’s Weblogic application server and Oracle database technologies and is generally operated using a combination of web interface and Java Web Start (JWS) applets executed on a client’s system. By default, the Oracle E-Business interface is accessible via HTTP on port 8000/TCP or HTTPS on port 4443/TCP.

  An infinite loop vulnerability has been reported in the Sales Offline component of Oracle E-Business Suite. The vulnerability is due to improper handling of requests by the authentication component of Sales Offline.

  An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation causes an infinite loop, consuming large amounts of CPU resources and possibly leading to denial of service conditions on the target server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-2190.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  One of the applications in the E-Business Suite is called Sales Offline, an additional module for the main sales application that leverages a Microsoft Excel document template with macros to allow users to work with and update Oracle sales data without the need to have a persistent connection to the Oracle E-Business instance. On current versions of the client the synchronization is primarily handled by Oracle Web Applications Desktop Integrator, a framework for synchronizing data between E-Business Suite applications and Excel. Synchronization with Sales Offline results in a request to the following URL:

/OA_HTML/BneUploaderService

  The request will contain a reference to an “integrator” which tells the Desktop Integrator service which application will handle the upload and in turn will locate a Java class that implements the BneAbstractUploader interface for that application. The Java class that handles this for Sales Offline, AslUploader, builds and sends a request to aslUploadEngine.jsp to actually handle the updated data.

  It is important to note that it appears as if legacy versions of the Sales Offline client would send requests directly to aslUploadEngine.jsp for synchronization and also would initially load “lookup” data from the server by sending a request to aslLookupDown.jsp. In current versions this data is already included in the downloaded template.

  An infinite loop vulnerability exists in Oracle E-Business Suite. The vulnerability is due to improper handling of HTTP POST requests with a Content-Length request header value of 0. Ordinarily, when the aforementioned AslUploader class sends a request to aslUploadEngine.jsp, it sends an HTTP POST request with several request parameters in the query portion of the request-URI and places the file sent in the original request to BneUploaderService in the request body. This file, and therefore the request body to aslUploadEngine.jsp, is expected to contain a username, a password which is typically unused, a “Resp key”, and some synchronization preferences and each of these items is expected to be followed by a CRLF sequence (\x0d\x0a). These items in the request body are parsed by the included JSP file aslAuthincps.jsp which begins by attempting to first skip over any lines in the request body that only contain a CRLF to locate the username. This is performed by entering a loop which calls readLine() on the ServletInputStream object from the request and checking to see if the number of bytes read is fewer than three, exiting the loop when three bytes or more are read from a line in the request body.

  However, aslAuthincps.jsp fails to check whether the HTTP request body actually contains any data, the length of which should be specified in the Content-Length header. As a result, if an attacker sends an HTTP POST request to aslUploadEngine.jsp or aslLookupDown.jsp (which also includes aslAuthincps.jsp) where the Content-Length header is missing or has a value of 0, the aforementioned loop never exits, because readLine() always returns -1 and never satisfies the condition that it must return 3 or greater to exit the loop. This causes an infinite loop and consumes excessive CPU resources, potentially leading to denial of service conditions.

  A remote, unauthenticated attacker can exploit this vulnerability by sending an HTTP POST request without a Content-Length header or with a Content-Length header value of 0. Successful exploitation results in an infinite loop condition, causing excessive CPU usage and potentially leading to denial of service conditions on the target server.
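The loop described above, reproduced and corrected, as an added example that is not part of the advisory or of Oracle's code: `servlet_read_line` emulates the ServletInputStream.readLine() contract (byte count, or -1 at end of stream), the vulnerable form keeps reading until a line of three or more bytes appears and therefore spins on an empty body (an iteration cap is added only so the demonstration terminates), and the fixed form treats -1 as a terminating condition. A second function shows the request-level check a proxy or IDS can apply: a POST to either vulnerable JSP whose Content-Length is absent or 0. The sample requests are constructed; the /OA_HTML/ prefix on the JSP paths is an assumption, so matching is done on the file name only.

```python
import io

# Vulnerable JSPs named in the advisory, lower-cased for matching. The
# directory prefix is not assumed; only the file name is compared.
VULNERABLE_JSPS = (b'asluploadengine.jsp', b'asllookupdown.jsp')

# Constructed sample requests (host name is a placeholder).
SAMPLE_ZERO_LENGTH = (b'POST /OA_HTML/aslUploadEngine.jsp?bne_integrator=x HTTP/1.1\r\n'
                      b'Host: ebs.example.invalid\r\n'
                      b'Content-Length: 0\r\n\r\n')
SAMPLE_MISSING_LENGTH = (b'POST /OA_HTML/aslLookupDown.jsp HTTP/1.1\r\n'
                         b'Host: ebs.example.invalid\r\n\r\n')
SAMPLE_NORMAL = (b'POST /OA_HTML/aslUploadEngine.jsp HTTP/1.1\r\n'
                 b'Host: ebs.example.invalid\r\n'
                 b'Content-Length: 15\r\n\r\n'
                 b'\r\nuser1\r\npass\r\n')   # blank line, username, password


def servlet_read_line(stream):
    """Emulates ServletInputStream.readLine(): returns (bytes_read, line),
    with bytes_read == -1 once the body is exhausted."""
    line = stream.readline()
    if not line:
        return -1, None
    return len(line), line


def skip_blank_lines_vulnerable(body, max_iterations=10_000):
    """The loop as the advisory describes it: read until a line of three or
    more bytes. A CRLF-only line is 2 bytes and is skipped; an empty body makes
    readLine() return -1 on every call, so the loop never exits. The cap is
    only here so the demonstration terminates."""
    stream = io.BytesIO(body)
    iterations = 0
    while True:
        n, line = servlet_read_line(stream)
        iterations += 1
        if n >= 3:
            return line, iterations
        if iterations >= max_iterations:
            raise RuntimeError('readLine() keeps returning -1; loop never exits')


def skip_blank_lines_fixed(body):
    """Hardened form: end of stream terminates the loop; the caller should
    reject the request (for example with 400 Bad Request) on None."""
    stream = io.BytesIO(body)
    while True:
        n, line = servlet_read_line(stream)
        if n == -1:
            return None
        if n >= 3:
            return line


def loops_forever_on(body, cap=100):
    """True if the vulnerable loop hits the iteration cap for this body."""
    try:
        skip_blank_lines_vulnerable(body, max_iterations=cap)
        return False
    except RuntimeError:
        return True


def _parse_head(raw_request):
    head = raw_request.split(b'\r\n\r\n', 1)[0]
    lines = head.split(b'\r\n')
    parts = lines[0].split(b' ')
    if len(parts) < 2:
        return None, None, {}
    headers = {}
    for h in lines[1:]:
        key, sep, value = h.partition(b':')
        if sep:
            headers[key.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def is_zero_length_post_to_vulnerable_jsp(raw_request):
    """Request-level detection: POST to a vulnerable JSP with no Content-Length
    or a Content-Length of 0."""
    method, target, headers = _parse_head(raw_request)
    if method != b'POST' or target is None:
        return False
    path = target.split(b'?', 1)[0].lower()
    if not path.endswith(VULNERABLE_JSPS):
        return False
    length = headers.get(b'content-length')
    if length is None:
        return True
    try:
        return int(length) == 0
    except ValueError:
        return True   # unparseable length: treat as suspicious


if __name__ == '__main__':
    print('empty body spins:', loops_forever_on(b''))
    print('fixed form on empty body:', skip_blank_lines_fixed(b''))
    for req in (SAMPLE_ZERO_LENGTH, SAMPLE_MISSING_LENGTH, SAMPLE_NORMAL):
        print(req.split(b'\r\n', 1)[0], is_zero_length_post_to_vulnerable_jsp(req))
```

The detector deliberately ignores whether the client will later send a chunked body; the advisory's trigger is the absent or zero Content-Length on a POST to these two endpoints, which is what the IPS signatures above key on as well.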

Triggering the Problem:

  • The server must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  An attacker sends an HTTP POST request without a Content-Length header or a header with a value of 0 to one of the vulnerable endpoints. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8000/TCP
    • HTTPS, over port 4443/TCP


SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:15617 Oracle E-Business Suite Template Component DoS 3
  • IPS:15618 Oracle E-Business Suite Template Component DoS 4

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch resolving the vulnerability.
    • Detecting and filtering malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
    Vendor Advisory