CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server Actively Exploited

6 October 2021 - by Obrela SOC

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and Apache HTTP Server 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied”, these requests can succeed. Additionally, this flaw could leak the source of interpreted files such as CGI scripts. This issue is known to be exploited in the wild.

According to Shodan, almost 112,000 Apache HTTP Servers are running a vulnerable version. The real number is estimated to be higher, since Apache HTTP Server can be configured not to display any version information.

Severity: 5.1 (Important)

Affected versions: Apache 2.4.49 and Apache 2.4.50

Remediation

All users should ensure that they update to the fixed version, 2.4.51, since the fix for CVE-2021-41773 in version 2.4.50 was insufficient.
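To illustrate the bug class described above, the following added Python example (not httpd's own code, and only a simplified model of the 2.4.49 normalization change) contrasts two orderings of percent-decoding and dot-segment collapsing when mapping a URL path under a document root; the document root and file names are constructed.

```python
import posixpath
from urllib.parse import unquote


def collapse_dot_segments(path):
    """Resolve '.' and '..' segments; return None if the path climbs above root."""
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None          # tried to escape the root
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def map_flawed(docroot, url_path):
    """Model of the flawed ordering (simplified, not httpd's code): dot segments are
    collapsed while the path is still percent-encoded, then the path is decoded.
    An encoded '..' (e.g. %2e%2e) is not recognised as a dot segment, survives
    collapsing, and only becomes a real '..' after decoding, so the filesystem
    later resolves it outside the document root."""
    collapsed = collapse_dot_segments(url_path)
    if collapsed is None:
        return None
    return docroot + unquote(collapsed)


def map_safe(docroot, url_path):
    """Decode first, then collapse, so every '..' is seen by the root check."""
    collapsed = collapse_dot_segments(unquote(url_path))
    if collapsed is None:
        return None
    return docroot + collapsed


def escapes_docroot(docroot, fs_path):
    """True if the filesystem path, once the OS resolves '..', lies outside docroot."""
    resolved = posixpath.normpath(fs_path)
    return posixpath.commonpath([docroot, resolved]) != docroot


if __name__ == "__main__":
    DOCROOT = "/var/www/html"                     # constructed
    REQUEST = "/icons/%2e%2e/%2e%2e/outside.txt"  # constructed encoded traversal
    flawed = map_flawed(DOCROOT, REQUEST)
    print("flawed:", flawed, "(escapes)" if escapes_docroot(DOCROOT, flawed) else "(inside)")
    print("safe  :", map_safe(DOCROOT, REQUEST))  # None: request rejected
```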

LATEST UPDATES

Critical vCenter Server Vulnerability Advisory – CVE-2021-22005

22 September 2021 - by Obrela SOC

VMware issued a security advisory (VMSA-2021-0020) regarding a critical vulnerability in VMware vCenter Server, the server management product for virtualized hosts and virtual machines in enterprise environments. An attacker with network access to vCenter Server can exploit it regardless of the configuration settings of the vCenter Server deployment, on either Windows or Linux servers.

vCenter Server file upload vulnerability (CVE-2021-22005)

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Severity: 9.8 (Critical)

Affected products and versions:

  • vCenter Server 6.7, 7.0
  • Cloud Foundation (vCenter Server) 3.x, 4.x

The official advisory issued by VMware can be found here: https://www.vmware.com/security/advisories/VMSA-2021-0020.html

It is important to keep in mind that, given the severity and impact of this vulnerability, exploitation can be expected from within the corporate network. Administrators should therefore make sure that proper firewall configuration and logging are in place to detect potential insider threats or any persistent malicious entity already hiding within.

Mitigation

Updates are available to remediate these vulnerabilities in affected VMware products; however, to ensure quick mitigation of the issues, it is strongly advised to implement the suggested workarounds as soon as possible. The steps provided at VMware’s link ensure only temporary mitigation.

Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)

8 September 2021 - by Obrela SOC

(Updated: 15 Sept 2021)

Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows resulting from the malicious usage of Microsoft Office files. This vulnerability is exploitable with fairly low complexity and no privileges required, allowing a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild.

Mitigation

Given the return from summer holidays, it is expected that you may have several documents awaiting review in your inbox. It is strongly advised not to open any Microsoft Office files from untrusted senders.

Upon successfully exploiting the system with crafted Office files using malicious ActiveX controls, attackers will typically gain access to the system with the rights of the current user. Users with fewer or “just enough” rights could be less impacted than users with administrative privileges. Applying the principle of least privilege is key to avoiding a widespread compromise inside the organization.

For administrators

Although by default Microsoft Office opens documents from the internet in Protected View, users may be tricked into bypassing it and editing the malicious files. Since no official patch is available at the moment, it is advised to mitigate the attack by disabling the installation of all ActiveX controls in Internet Explorer through an addition to the registry configuration. For the complete recommended registry edit, please consult Microsoft’s advisory in this link.

Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.

Remediation

Microsoft has released security updates for all affected versions of Windows to address this vulnerability. These updates include Monthly Rollups, Security Only, and IE Cumulative updates.

Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates.

Customers running Windows 7, Windows Server 2008 R2, or Windows Server 2008:

  • The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update.
  • Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability.

CVE-2021-40444 Details

Note: This article was updated on 15 September 2021 to add remediation measures released by Microsoft.

Security Updates for Confluence Server and Data Center

6 September 2021 - by Obrela SOC

CVE-2021-26084 is being actively exploited in the wild, patch immediately.

On August 25, 2021, Atlassian released security updates to address a remote code execution vulnerability affecting Confluence Server and Data Center. Recently, exploitation attempts for CVE-2021-26084 have been seen in the wild.

The flaw is an OGNL injection issue that can be exploited by an authenticated attacker, and in some instances an unauthenticated user if “Allow people to sign up to create their account” is enabled, to execute arbitrary code on affected Confluence Server and Data Center instances. Threat actors actively exploit this vulnerability to take control of affected systems.

The affected versions are those before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5.

CISA also published a security advisory to urge admins to apply the necessary updates.

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the issue by running the scripts provided by Atlassian for the Operating System that Confluence is hosted on.

Remediation

Atlassian recommends that you upgrade to the latest Long Term Support release. You can download the latest version from Atlassian’s download center.

Security updates Advisory for multiple products

27 August 2021 - by Obrela SOC

In the closing week of August, the vendors VMware, Cisco and F5 announced several vulnerabilities, along with security updates, impacting their respective products.

Please find below a brief summary of the impact a possible attack on the appliances may have, together with mitigation recommendations.

VMware

Arbitrary file read vulnerability in vRealize Operations Manager API CVE-2021-22022/CVE-2021-22024

Severity: Moderate/Important

An arbitrary file read vulnerability can be exploited in the vRealize Operations Manager API. An attacker with administrative access to the vRealize Operations Manager API can read any arbitrary file on the server, leading to information disclosure.

Insecure direct object reference vulnerability in vRealize Operations Manager API CVE-2021-22023

Severity: Moderate

An insecure direct object reference vulnerability in the vRealize Operations Manager API was discovered. A malicious actor with administrative access to the vRealize Operations Manager API may be able to modify other users’ information, leading to an account takeover.

Broken access control vulnerability in vRealize Operations Manager API CVE-2021-22025

Severity: Important

The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to an existing vROps cluster.

Mitigation

Download and install the Security Patch version that matches your version of vRealize Operations. Download the vRealize Operations Security Patch PAK file from the VMware Patch Portal. For more information on patching, please refer to this link.

Cisco

Cisco Application Policy Infrastructure Controller Arbitrary File Read and Write Vulnerability CVE-2021-1577

Severity: 9.1 (Critical)

A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system.

This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device.

Cisco NX-OS Software VXLAN OAM (NGOAM) Denial of Service Vulnerability CVE-2021-1587

Severity: 8.6 (High)

A vulnerability in the VXLAN Operation, Administration, and Maintenance (OAM) feature of Cisco NX-OS Software, known as NGOAM, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The NGOAM feature should be disabled by default. This vulnerability is due to improper handling of specific packets with a Transparent Interconnection of Lots of Links (TRILL) OAM EtherType. An attacker could exploit this vulnerability by sending crafted packets. A successful exploit could allow the attacker to cause an affected device to experience high CPU usage and consume excessive system resources, which may result in overall control plane instability and cause the affected device to reload.

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software, they have the NGOAM feature enabled, and they are configured with a virtual port channel (vPC) peer:

  • Nexus 3000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

Mitigation

Cisco has released free software updates that address the vulnerabilities described in the advisories for each product at the following link. It is advised to update during non-working hours and to verify that you have first performed a backup of the previous state.

F5

F5 has addressed more than a dozen high-severity vulnerabilities in multiple products. They include authenticated remote command execution flaws, cross-site scripting (XSS) issues, request forgery bugs, and insufficient-permission and denial-of-service flaws, including an issue that is considered critical when exploited under specific conditions. An authenticated attacker with access to the Configuration utility can trigger that flaw to execute arbitrary system commands, create or delete files, and/or disable services. The issue could allow an attacker to completely compromise the network device.

BIG-IP TMUI vulnerability CVE-2021-23025

Severity: 7.2 (High)

An authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.

iControl SOAP vulnerability CVE-2021-23026

Severity: 7.5 (High)

BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.

TMUI XSS vulnerability CVE-2021-23027

Severity: 7.5 (High)

A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

BIG-IP Advanced WAF and ASM vulnerability CVE-2021-23028, CVE-2021-23029

Severity: 7.5 (High)

When JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate.

Insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility.

BIG-IP Advanced WAF and ASM Websocket vulnerability CVE-2021-23030

Severity: 7.5 (High)

When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.

BIG-IP Advanced WAF and ASM TMUI vulnerability CVE-2021-23031

Severity: 8.8 (High) / 9.9 (Appliance Mode Only)

Note: The limited number of customers using Appliance Mode will have Scope: Changed, which raises the CVSSv3 score to 9.9. For information on Appliance mode, refer to K12815: Overview of Appliance mode.

An authenticated user may perform a privilege escalation on BIG-IP Advanced WAF and ASM TMUI.

BIG-IP DNS vulnerability CVE-2021-23032

Severity: 7.5 (High)

When a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the Traffic Management Microkernel (TMM) to terminate.

BIG-IP Advanced WAF and ASM Websocket vulnerability CVE-2021-23033

Severity: 7.5 (High)

When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.

BIG-IP TMM vulnerability CVE-2021-23034

Severity: 7.5 (High)

When a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.

TMM vulnerability CVE-2021-23035, CVE-2021-23036

Severity: 7.5 (High)

When an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate.

When a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

TMUI XSS vulnerability CVE-2021-23037

Severity: 7.5 (High)

A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

Mitigation

Updates are available to remediate these vulnerabilities in affected F5 products. It is advised to apply the provided updates as soon as possible to eliminate the risk posed by these vulnerabilities. For more information on the security updates, please consult the following link provided by F5.

ProxyShell Bugs on Microsoft Exchange Servers

16 August 2021 - by Obrela SOC

As of August 12, 2021, Microsoft Exchange Servers seem to be under active attack. Threat actors take advantage of the ProxyShell exploit chain that allows remote unauthenticated attackers to execute arbitrary commands on vulnerable on-premises instances of Microsoft Exchange Servers.

The ProxyShell exploit chain consists of 3 vulnerabilities:

  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability

The above 3 vulnerabilities are exploited remotely through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS. When chained together they allow attackers to bypass ACL controls, send a request to a PowerShell back-end, and elevate privileges.

According to Shodan it seems that there are at least 47,916 publicly exposed MS Exchange Servers that are still unpatched against at least one of the three bugs that can be chained together for this attack.

Mitigation

Block incoming, external traffic over port 443 to corporate Microsoft Exchange Servers if this does not break any functionality for the organization and until it is ensured that the above 3 vulnerabilities are fully patched.

Remediation

Microsoft has released cumulative updates that include the patches for the below Microsoft Exchange Server vulnerabilities:

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207