
CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server Actively Exploited

6 October 2021 - by Obrela SOC

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and Apache HTTP Server 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild.

According to Shodan, almost 112,000 internet-facing Apache HTTP Servers advertise one of the two vulnerable versions. The real number is likely higher, since many deployments suppress version information in the Server header (for example via ServerTokens) and therefore do not show up in such counts.

Severity: 5.1 (Important)

Affected version: Apache 2.4.49 and Apache 2.4.50

Remediation

All users should update to the fixed version, 2.4.51. The fix shipped in 2.4.50 was found to be incomplete (the bypass is tracked as CVE-2021-42013), which is why 2.4.50 is itself listed as affected above; where mod_cgi is enabled, that incomplete fix could also be abused for remote code execution rather than only file disclosure. Until the update is applied, verify that directories outside the document root are covered by the default "Require all denied" configuration, which is what causes the traversal requests to fail with 403.
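The following is an added illustration, not code from the Obrela advisory or from Apache httpd. It models the order-of-operations mistake described above (checking for ".." before percent-decoding, so a segment written as ".%2e" slips past and only becomes ".." afterwards) next to the correct decode-then-normalise-then-confine order, and it scans access-log lines for the traversal encodings seen in the wild so a 200 on such a request can be told apart from a 403 blocked by "Require all denied". The document root and the log lines are constructed for the example.

```python
"""Added example (not code from the Obrela advisory or from Apache httpd):
models the normalisation-order mistake behind CVE-2021-41773 and scans
access-log lines for the traversal encodings that abused it.
DOCROOT and SAMPLE_LOG are constructed for the demonstration."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # assumed document root


def naive_map(raw_path: str) -> Optional[str]:
    """Models the flawed order of operations: look for '..' in the *raw*
    request path, and only afterwards decode percent-escapes and map the
    result under DOCROOT. A segment written as '.%2e' is not '..' at check
    time but becomes '..' once decoded. Returns None when rejected."""
    if any(seg == ".." for seg in raw_path.split("/")):
        return None
    decoded = unquote(raw_path)
    return posixpath.normpath(DOCROOT + "/" + decoded.lstrip("/"))


def safe_map(raw_path: str) -> Optional[str]:
    """Decode first, normalise second, then confine: the final filesystem
    path must be DOCROOT itself or lie strictly beneath it. Returns None
    when the path escapes the document root."""
    decoded = unquote(raw_path)
    target = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if target == DOCROOT or target.startswith(DOCROOT + "/"):
        return target
    return None


# Single-encoded dot ('.%2e', '%2e%2e') is the CVE-2021-41773 form; the
# double-encoded forms ('%%32%65', '%252e') appeared against the 2.4.50 fix.
TRAVERSAL = re.compile(r"(?i)\.%2e|%2e\.|%2e%2e|%%32%65|%252e")

# Combined log format: host ident user [time] "METHOD path PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for every request whose path carries a
    traversal encoding. A 200 on such a request means the traversal was
    served; a 403 usually means 'Require all denied' stopped it."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and TRAVERSAL.search(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Oct/2021:12:01:33 +0000] '
    '"GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1234 "-" "curl/7.68.0"',
    '203.0.113.5 - - [05/Oct/2021:12:02:10 +0000] '
    '"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Oct/2021:12:03:41 +0000] '
    '"GET /icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/hosts HTTP/1.1" 403 199 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    payload = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"
    print("naive:", naive_map(payload))   # escapes to /etc/passwd
    print("safe: ", safe_map(payload))    # None: rejected
    for ip, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

The point of the two mapping functions is the ordering: any check performed on the still-encoded path can be defeated by encoding the characters it looks for, so the only sound confinement test is one applied to the fully decoded and normalised result. When triaging logs, treat hits with a 200 as probable disclosure and hits with a 403 as blocked attempts that still identify the scanning source.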

LATEST UPDATES

Obrela appoints Steve Katz, world’s first CISO, to Advisory Board

5 October 2021 - by John Alexiou

London, UK – 6 October, 2021 – Obrela Security Industries, a leading provider of security analytics and cyber risk management services to identify, analyse, predict and prevent highly sophisticated security threats, today announced it has appointed Steve Katz, the world’s first ever Chief Information Security Officer (CISO), to its advisory board.

Steve Katz is a world-renowned industry veteran, whose career spans over 40 years, making his tenure one of the longest to serve in the war against cybercriminals. In 1985, Katz was appointed as Head of Information Security at JP Morgan and in 1995 was appointed CISO for Citigroup, following a cyberattack on the bank from Russian hacker Vladimir Levin.

When Katz was hired by Citigroup, cybercrime was a new and unknown territory; attacks were simpler and focused on modems and dial-up internet connections, but the message Katz gave to his staff then remains the same as the message he says to security teams today – what is the risk?

“Even though my career has spanned over four decades, my focus on risk has never changed. Whenever I work with security teams and we are building out a cyber-resilience programme, the first question I always ask is ‘what’s the risk’? Security is risk-based and the only way to build an effective security programme is to think about how attacks impact business and operations. The role of the CISO has evolved significantly over the last 27 years and today it is an executive position embedded within almost all business functions. However, CISOs still need to demonstrate their worth by promoting security as a key-enabler in delivering products and services and meeting overall business goals. I am delighted to join the advisory board of Obrela. In my role I will act as a trusted guide to help the fantastic team achieve their business and growth goals,” said Katz.

The Obrela Advisory Board is a group of world-class professionals who have been tasked by the company to advise the board and executives on strategy, growth and expansion. Steve joins three other Advisory Board members who include Bob Wilkinson, a seasoned security and operational risk professional who has worked closely with Fortune 100 companies for over 30 years, Dimitris Stratakis, a cyber and risk professional with over 20 years’ experience in the financial industry, and Dr Irini Tzannetou, who has over 25 years’ experience helping organisations drive human resources and management frameworks.

“We are thrilled to have Steve join our team and I know his knowledge and experience of the security industry will offer great value to Obrela. I worked with Steve back in Citigroup when I just started out in security and I always found him an inspirational and dynamic leader. Today, organisations need to focus on operational resilience and to do this they need to have a clear understanding of all the security risks they are facing. Once they have identified the risks, they can build their security programme around them, putting their strongest defences into protecting against their worst-case scenarios. Steve has been reinforcing the importance of a risk-based approach to security for many years now and this is also a key focus for Obrela. I believe by appointing Steve to our advisory board we can enhance our offerings to customers, and he can help us build out risk-based security programmes where operational-resilience is the primary goal,” said George Patsis, CEO of Obrela Security Industries.

 

-ENDS-

 

About Obrela Security Industries

Obrela Security Industries is a global cyber security service provider. Addressing an emerging demand, Obrela offers an ‘umbrella’ of end-to-end security services under which clients can enjoy peace of mind and focus on their business. Founded in 2009 and headquartered in London, Obrela leverages sophisticated real time risk management technology to dynamically protect its clients by identifying, analysing, predicting and preventing cyber security threats. Obrela’s mission statement ‘We Keep Your Business in Business’ underpins the company’s commitment to a better prepared, more secure corporate world.

 


Media Enquiries:

 

Lucy Harvey

+44 7502 269 304

lucy[at]eskenzipr.com

 

John Alexiou

+30 693 2289329

j.alexiou[at]obrela.com


Critical vCenter Server Vulnerability Advisory – CVE-2021-22005

22 September 2021 - by Obrela SOC

VMware issued a security advisory (VMSA-2021-0020) regarding a critical vulnerability in VMware vCenter Server, the management server for virtualized hosts and virtual machines in enterprise environments. An attacker with network access to vCenter Server can exploit it regardless of the deployment's configuration settings, on both Windows-based and appliance (Linux) installations.

 

vCenter Server file upload vulnerability (CVE-2021-22005)

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

 

Severity: 9.8 (Critical)

Affected products and versions:

  • vCenter Server 6.7, 7.0
  • Cloud Foundation (vCenter Server) 3.x, 4.x

 

The official advisory issued from VMware can be found here:  https://www.vmware.com/security/advisories/VMSA-2021-0020.html

 

Given the severity and impact of this vulnerability, and since vCenter Server should not normally be reachable from the internet, exploitation is most likely to come from inside the corporate network, for example from an already compromised host. Administrators should therefore make sure that firewall rules restrict access to vCenter's port 443 to management networks only, and that logging of access to it is in place so that an insider or a persistent intruder attempting exploitation can be detected.

 

Mitigation

Updates are available to remediate these vulnerabilities in the affected VMware products. To reduce exposure quickly, it is strongly advised to apply the workarounds VMware suggests as soon as possible, but the steps in VMware's link are only a temporary mitigation; the update is the actual remediation.


Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)

8 September 2021 - by Obrela SOC

Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)
(Updated: 15 Sept 2021)

Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows resulting from the malicious usage of Microsoft Office files. This vulnerability is exploitable with fairly low complexity and no privileges required, allowing a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild.

Mitigation

Given the return from summer holidays, you may have several documents waiting for review in your inbox. It is strongly advised not to open Microsoft Office files from untrusted senders.

When a system is successfully exploited through a crafted Office file carrying a malicious ActiveX control, the attacker typically gains code execution with the rights of the user who opened the document. Users running with fewer or "just enough" rights limit the damage compared to users with administrative privileges. Applying the principle of least privilege is key to preventing a single compromised workstation from turning into an organisation-wide compromise.

For administrators

Although Microsoft Office by default opens documents from the internet in Protected View, users may be tricked into leaving it and editing the malicious file. At the time of initial publication no official patch was available, so the recommended mitigation was to disable the installation of all ActiveX controls in Internet Explorer through a registry change. For the complete recommended registry edit, please consult Microsoft's advisory in this link.

Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.

Remediation

Microsoft has released security updates for all affected versions of Windows to address this vulnerability. These updates include Monthly Rollups, Security Only, and IE Cumulative updates.

Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates.

Customers running Windows 7, Windows Server 2008 R2, or Windows Server 2008:

  • The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update.
  • Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability.

CVE-2021-40444 Details

 

Note: This article was updated on 15 September 2021 to add remediation measures released by Microsoft.


Security Updates for Confluence Server and Data Center

6 September 2021 - by Obrela SOC

CVE-2021-26084 is being actively exploited in the wild, patch immediately.

On August 25, 2021, Atlassian released security updates to address a remote code execution vulnerability affecting Confluence Server and Data Center. Recently, exploitation attempts for CVE-2021-26084 have been seen in the wild.

The flaw is an OGNL injection issue that can be exploited by an authenticated attacker, and in some instances an unauthenticated user if “Allow people to sign up to create their account” is enabled, to execute arbitrary code on affected Confluence Server and Data Center instances. Threat actors actively exploit this vulnerability to take control of affected systems.

The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
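Deciding whether a given instance falls inside those four ranges is error-prone when done by eye or with string comparison, so here is an added example, not code from Atlassian or from the Obrela advisory, that parses a Confluence version string, evaluates it against the ranges quoted above and names the fixed release on the same branch. The ranges and fixed versions are those stated in the advisory; the sample version strings are constructed.

```python
"""Added example (not code from Atlassian or from the Obrela advisory):
checks a Confluence Server / Data Center version string against the affected
ranges published for CVE-2021-26084 and names the fixed release on the same
branch. The ranges and fixed versions are those stated in the advisory; the
version strings passed in under __main__ are constructed."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive or None, upper bound exclusive, fixed release).
# A version v is affected when lo <= v < hi; hi is also the first fixed
# release on that branch.
AFFECTED_RANGES: List[Tuple[Optional[Version], Version, str]] = [
    (None,        (6, 13, 23), "6.13.23"),   # everything before 6.13.23
    ((6, 14, 0),  (7, 4, 11),  "7.4.11"),
    ((7, 5, 0),   (7, 11, 6),  "7.11.6"),
    ((7, 12, 0),  (7, 12, 5),  "7.12.5"),
]


def parse_version(text: str) -> Version:
    """'7.4.9' -> (7, 4, 9). Comparing tuples compares each component as an
    integer, so 7.4.9 < 7.4.11 holds; comparing the raw strings would put
    '7.4.9' after '7.4.11' and call a vulnerable build fixed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def recommended_fix(text: str) -> Optional[str]:
    """Return the fixed release for the branch the given version sits on,
    or None when the version is not in any affected range."""
    v = parse_version(text)
    for lo, hi, fixed in AFFECTED_RANGES:
        if (lo is None or lo <= v) and v < hi:
            return fixed
    return None


def is_affected(text: str) -> bool:
    return recommended_fix(text) is not None


if __name__ == "__main__":
    for sample in ("6.13.22", "6.13.23", "7.4.9", "7.4.11", "7.12.4", "7.13.0"):
        fix = recommended_fix(sample)
        print(f"{sample:>8}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Feed it the version shown in the Confluence administration console or in the HTML footer of the login page. Note that the check only tells you whether the build is vulnerable; whether it is exploitable without credentials depends on the "Allow people to sign up to create their account" setting mentioned above.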

CISA also published a security advisory to urge admins to apply the necessary updates.

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the issue by running the scripts provided by Atlassian for the Operating System that Confluence is hosted on.

Remediation

Atlassian recommends that you upgrade to the latest Long Term Support release. You can download the latest version from Atlassian’s download center.


Security updates Advisory for multiple products

27 August 2021 - by Obrela SOC

In the closing week of August, VMware, Cisco and F5 announced several vulnerabilities in their respective products, along with security updates addressing them.

Below is a brief summary of the impact a successful attack on each appliance may have, together with mitigation recommendations.

 

 

VMware

Arbitrary file read vulnerability in vRealize Operations Manager API CVE-2021-22022/CVE-2021-22024

Severity: Moderate/Important

An arbitrary file read vulnerability exists in the vRealize Operations Manager API. An attacker with administrative access to the API can read arbitrary files on the server, leading to information disclosure.

 

Insecure direct object reference vulnerability in vRealize Operations Manager API CVE-2021-22023

Severity: Moderate

An insecure direct object reference vulnerability was discovered in the vRealize Operations Manager API. A malicious actor with administrative access to the API may be able to modify other users' information, leading to account takeover.

 

Broken access control vulnerability in vRealize Operations Manager API CVE-2021-22025

Severity: Important

The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.

 

Mitigation

Download and install the correct Security Patch version that matches your version of vRealize Operations. Download the vRealize Operations Security Patch PAK file from the VMware Patch Portal. For more information on patching, please refer to this link

 

 

Cisco

Cisco Application Policy Infrastructure Controller Arbitrary File Read and Write Vulnerability CVE-2021-1577

Severity: 9.1 (Critical)

A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system.

This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device.

 

Cisco NX-OS Software VXLAN OAM (NGOAM) Denial of Service Vulnerability CVE-2021-1587

Severity: 8.6 (High)

A vulnerability in the VXLAN Operation, Administration, and Maintenance (OAM) feature of Cisco NX-OS Software, known as NGOAM, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

 

The NGOAM feature is disabled by default. The vulnerability is due to improper handling of specific packets with a Transparent Interconnection of Lots of Links (TRILL) OAM EtherType. An attacker could exploit it by sending crafted packets. A successful exploit could cause an affected device to experience high CPU usage and consume excessive system resources, which may result in overall control plane instability and cause the device to reload.

 

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software, they have the NGOAM feature enabled, and they are configured with a virtual port channel (vPC) peer:

 

  • Nexus 3000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

 

Mitigation

Cisco has released free software updates that address the vulnerabilities described in the advisories for each product in the following link. It is advised to update during a maintenance window outside working hours and to take a backup of the current configuration and software state first.

 

F5

F5 has addressed more than a dozen high-severity vulnerabilities across multiple products, including authenticated remote command execution flaws, cross-site scripting (XSS) issues, request forgery bugs, insufficient permission checks and denial-of-service flaws. One of them (CVE-2021-23031, below) is rated critical when exploited under specific conditions: an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files and/or disable services, which amounts to a complete compromise of the device.

 

 

BIG-IP TMUI vulnerability CVE-2021-23025

Severity: 7.2 (High)

An authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.

 

iControl SOAP vulnerability CVE-2021-23026

Severity: 7.5 (High)

BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.

 

TMUI XSS vulnerability CVE-2021-23027

Severity: 7.5 (High)

A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

 

BIG-IP Advanced WAF and ASM vulnerability CVE-2021-23028, CVE-2021-23029

Severity: 7.5 (High)

When JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate.

Insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility.

 

BIG-IP Advanced WAF and ASM Websocket vulnerability CVE-2021-23030

Severity: 7.5 (High)

When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.

 

BIG-IP Advanced WAF and ASM TMUI vulnerability CVE-2021-23031

Severity: 8.8 (High) / 9.9 (Appliance Mode Only)

Note: The limited number of customers using Appliance Mode will have Scope: Changed, which raises the CVSSv3 score to 9.9. For information on Appliance mode, refer to K12815: Overview of Appliance mode.

An authenticated user may perform a privilege escalation on BIG-IP Advanced WAF and ASM TMUI.

 

BIG-IP DNS vulnerability CVE-2021-23032

Severity: 7.5 (High)

When a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the Traffic Management Microkernel (TMM) to terminate.

 

BIG-IP Advanced WAF and ASM Websocket vulnerability CVE-2021-23033

Severity: 7.5 (High)

When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.

 

BIG-IP TMM vulnerability CVE-2021-23034

Severity: 7.5 (High)

When a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.

 

TMM vulnerability CVE-2021-23035, CVE-2021-23036

Severity: 7.5 (High)

When an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate.

When a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

 

TMUI XSS vulnerability CVE-2021-23037

Severity: 7.5 (High)

A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

 

Mitigation

Updates are available to remediate these vulnerabilities in the affected F5 products. It is advised to apply them as soon as possible to eliminate the risk posed by these vulnerabilities. For more information on the security updates, please consult the following link provided by F5.

 


VMware vulnerabilities advisory

25 February 2021 - by Obrela SOC

On February 23, VMware issued a security advisory (VMSA-2021-0002) regarding three vulnerabilities affecting VMware ESXi, VMware vCenter Server and VMware Cloud Foundation. According to open source intelligence, more than 6,700 internet-exposed systems are estimated to be vulnerable.

 

VMware vCenter Server RCE in vSphere Client (CVE-2021-21972)

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Severity: 9.8 (Critical)

Affected versions: 7.0, 6.7, 6.5

Suggested resolution steps: https://kb.vmware.com/s/article/82374

 

ESXi heap overflow (CVE-2021-21974)

A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

Severity: 8.8 (Important)

Affected versions: 7.0, 6.7, 6.5

Suggested resolution steps: https://kb.vmware.com/s/article/76372

 

VMware vCenter Server SSRF in vSphere Client (CVE-2021-21973)

A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure.

Severity: 5.3 (Moderate)

Affected versions: 7.0, 6.7, 6.5

Suggested resolution steps: https://kb.vmware.com/s/article/82374

 

Mitigation

Updates are available to remediate these vulnerabilities in the affected VMware products; the workarounds in the linked knowledge base articles only provide temporary mitigation until the update can be applied. It is advised to apply the workaround for each vulnerability separately, as soon as possible, since exploitation proof-of-concept scripts are now publicly available for both Windows and Linux targets.
