MySQL for Windows contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.
Description
CVE-2021-2307
MySQL includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory of /build_area/. On the Windows platform, this path is interpreted as C:\build_area. MySQL contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
Impact
By placing a specially-crafted openssl.cnf in a C:\build_area subdirectory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable MySQL software installed.
Solution
Apply an update
This vulnerability is addressed in the MySQL Windows installer version 8.0.24 and 5.7.34.
Create a C:\build_area directory
In cases where an update cannot be installed, this vulnerability can be mitigated by creating a C:\build_area directory and restricting ACLs to prevent unprivileged users from being able to write to this location.
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
Pulse Connect Secure (PCS) gateway contains multiple use-after-free vulnerabilities that can allow an unauthenticated remote attacker to execute arbitrary code.
Description
CVE-2021-22893
Multiple use-after-free vulnerabilities that can be reached via license server CGI endpoints may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system. Note that a system does not need to be configured to have license server features enabled to be vulnerable. The vulnerable endpoints are present regardless of whether the system is an actual license server or not.
Products affected by this vulnerability are PCS version 9.0R3 and higher.
By making a crafted request to a vulnerable Pulse Connect Secure system, an unauthenticated remote attacker may be able to execute arbitrary code on the gateway with root privileges.
Pulse Secure has assigned this vulnerability a critical CVSS Score of 10.0 3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Solution
Apply an update
This vulnerability is addressed in Pulse Connect Secure 9.1R11.4.
Apply a workaround
Pulse Secure has published a Workaround-2104.xml file that reportedly contains mitigations to protect against this vulnerability. Note that installing this workaround will block the ability to use the following features:
Windows File Share Browser
Pulse Secure Collaboration
License Server
Instead of using the workaround to protect a PCS that is being used as a license server, we recommend updating such systems to PCS 9.1R11.4. If this is not possible, restrict which IP addresses are allowed to communicate with the sytem.
Acknowledgements
This vulnerability was publicly reported by Pulse Secure with additional details and context published by Fireye.
This document was written by Chuck Yarbrough and Will Dormann.
Atlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.
Description
The Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\Atlassian\Bitbucket\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
Impact
By placing a specially-crafted DLL file in the Bitbucket installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Bitbucket software installed. See DLL Search Order Hijacking for more details.
Solution
Apply an update
This issue has been addressed in the Bitbucket Windows installer for versions 7.10.1, 7.6.4, and 6.10.9. Please see https://jira.atlassian.com/browse/BSERV-12753 for more details.
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
Siemens Totally Integrated Administrator (TIA) fails to properly set the module search path to be used by a privileged Node.js component, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. The PCS neo administration console is reported to be affected as well.
Description
Siemens TIA runs a privileged Node.js component. The Node.js server fails to properly set the module search path. Because of this, Node.js will look for modules in the C:\node_modules\ directory when the server is started. Because unprivileged Windows users can create subdirectories off of the system root, a user can create this directory and place a specially-crafted .js file in it to achieve arbitrary code execution with SYSTEM privileges when the server starts.
Impact
By placing a specially-crafted JS file in the C:\node_modules\ directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Siemens TIA or PCS neo administration console software installed.
A heap-based overflow has been discovered in the set_cmd() function in sudo, which may allow a local attacker to execute commands with elevated administrator privileges.
Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
It is possible for a local Non-administrative user to exploit this vulnerability to elevate their privileges so that they can execute commands with administrator privileges. The team at Qualys assigned this vulnerability CVE-2021-3156 and found multiple *nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this.
There is additional reporting that other operating systems are affected, including Apple’s Big Sur.
Impact
If an attacker has local access to an affected machine then it is possible for them to execute commands with administrator privileges.
Solution
Apply an Update
Update sudo to the latest version to address this vulnerability when operationally feasible. This issue is resolved in sudo version 1.9.5p2. Please install this version, or a version from your distribution that has the fix applied to it
Acknowledgements
This vulnerability was researched and reported by the Qualys Research Team.
Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
Description
The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
Impact
By placing a specially-crafted DLL file in the ColdFusion installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable ColdFusion software installed. See DLL Search Order Hijacking for more details.
Solution
Use the Server Auto-Lockdown Installer
By default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to installing ColdFusion itself.
Dnsmasq is vulnerable to a set of memory corruption issues handling DNSSEC data and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on a vulnerable system and perform cache poisoning attacks against a vulnerable environment.
These vulnerabilities are also tracked as ICS-VU-668462 and referred to as DNSpooq.
Description
Dnsmasq is widely used open-source software that provides DNS forwarding and caching (and also a DHCP server). Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.
JSOF reported multiple memory corruption vulnerabilities in dnsmasq due to boundary checking errors in DNSSEC handling code.
CVE-2020-25681: A heap-based buffer overflow in dnsmasq in the way it sorts RRSets before validating them with DNSSEC data in an unsolicited DNS response
CVE-2020-25682: A buffer overflow vulnerability in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data
CVE-2020-25683: A heap-based buffer overflow in get_rdata subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries
CVE-2020-25687: A heap-based buffer overflow in sort_rrset subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries
JSOF also reported vulnerabilities in DNS response validation that can result in DNS cache poisoning.
CVE-2020-25684: Dnsmasq does not validate the combination of address/port and the query-id fields of DNS request when accepting DNS responses
CVE-2020-25685: Dnsmasq uses a weak hashing algorithm (CRC32) when compiled without DNSSEC to validate DNS responses
CVE-2020-25686: Dnsmasq does not check for an existing pending request for the same name and forwards a new request thus allowing an attacker to perform a "Birthday Attack" scenario to forge replies and potentially poison the DNS cache
Note: These cache poisoning scenarios and defenses are discussed in IETF RFC5452.
Impact
The memory corruption vulnerabilities can be triggered by a remote attacker using crafted DNS responses that can lead to denial of service, information exposure, and potentially remote code execution. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to arbitrary sites.
Solution
Apply updates
These vulnerabilities are addressed in dnsmasq 2.83. Users of IoT and embedded devices that use dnsmasq should contact their vendors.
Follow security best-practices
Consider the following security best-practices to protect DNS infrastructure:
Protect your DNS clients using stateful-inspection firewall that provide DNS security (e.g.,
stateful firewalls and NAT devices can block unsolicited DNS responses, DNS application layer inspection can prevent forwarding of anomalous DNS packets).
Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS services where applicable.
Prevent exposure of IoT devices and lightweight devices directly over the Internet to minimize abuse of DNS.
Implement a Secure By Default configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).
Acknowledgements
Moshe Kol and Shlomi Oberman of JSOF researched and reported these vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with collaborative vendors (Cisco, Google, Pi-Hole, Redhat) to develop patches to address these security vulnerabilities. GitHub also supported these collaboration efforts providing support to use their GitHub Security Advisory platform for collaboration.
The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.
Description
The SolarWinds Orion Platform is a suite of infrastructure and system monitoring and management products. The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.axd, ScriptResource.axd, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.
This vulnerability, also known as CVE-2020-10148, is the vulnerability that SolarWinds has indicated to have been used to install the malware known as SUPERNOVA.
We have created a python3 script to check for vulnerable SolarWinds Orion servers: swcheck.py
Impact
This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.
Solution
Apply an Update
Users should update to the relevant versions of the SolarWinds Orion Platform:
2019.4 HF 6 (released December 14, 2020)
2020.2.1 HF 2 (released December 15, 2020)
2019.2 SUPERNOVA Patch (released December 23, 2020)
2018.4 SUPERNOVA Patch (released December 23, 2020)
2018.2 SUPERNOVA Patch (released December 23, 2020)
Veritas Backup Exec contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.
Description
CVE-2019-1552
Veritas Backup Exec includes an OpenSSL component that specifies an OPENSSLDIR variable as /usr/local/ssl/. On the Windows platform, this path is interpreted as C:\usr\local\ssl. Backup Exec contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
Impact
By placing a specially-crafted openssl.cnf in the C:\usr\local\ssl directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Veritas software installed.
Solution
Apply an update
This vulnerability is addressed in Backup Exec 21.1 Hotfix 657517 (Engineering version 21.0.1200.1217) and Backup Exec 20.6 Hotfix 298543 (Engineering version 20.0.1188.2734).
Create a C:\usr\local\ssl directory
In cases where an update cannot be installed, this vulnerability can be mitigated by creating a C:\usr\local\ssl directory and restricting ACLs to prevent unprivileged users from being able to write to this location.
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU#96491057 as well as the name AMNESIA:33.
Description
Embedded TCP/IP stacks provide essential network communication capability using TCP/IP networking to many lightweight operating systems adopted by IoT and other embedded devices. These software stacks can also be used in the latest technologies such as Edge Computing. The following embedded TCP/IP stacks were discovered to have 33 memory related vulnerabilities included in this advisory:
These networking software stacks can be integrated in various ways, including compiled from source, modified and integrated, and linked as a dynamic or static libraries, allowing for a wide variety of implementations. As an example, projects such as Apache Nuttx and open-iscsi have adopted common libraries and software modules, thus inheriting some of these vulnerabilities with varying levels of impact. The diversity of implementations and the lack of supply chain visibility has made it difficult to accurately assess the impact, usage as well as the potential exploitability of these vulnerabilities.
In general, most of these vulnerabilities are caused by memory management bugs, commonly seen in lightweight software implementations in Real Time Operating Systems (RTOS) and IoT devices. For specific details on these vulnerabilities, see the Forescout advisory that provides technical details. Due to the lack of visibility of these software usage, Forescout has released an open source version of Detector that can be used to identify potentially vulnerable software.
Impact
The impact of these vulnerabilities vary widely due to the combination of build and runtime options customized while including these in embedded devices. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause the vulnerable device to behave in unexpected ways such as a failure (denial of service), disclosure of private information, or execution of arbitrary code.
Solution
Apply updates
Update to the latest stable version of the affected embedded TCP/IP software that address these recently disclosed vulnerabilities. If you have adopted this software from an upstream provider, contact the provider to get appropriate updates that need to be integrated into your software. Concerned end-users of IoT and embedded devices that implement these vulnerable TCP/IP software stacks should contact their vendor or the closest reseller to obtain appropriate updates.
Follow best-practices
We recommend that you follow best practices when connecting IoT or embedded devices to a network:
Avoid exposure of IoT and embedded devices directly over the Internet and use a segmented network zone when available.
Enable security features such as deep-packet inspection and firewall anomaly detection when available to protect embedded and IoT devices.
Ensure secure defaults are adopted and disable unused features and services on your embedded devices.
Regularly update firmware to the vendor provided latest stable version to ensure your device is up to date.
Acknowledgements
Jos Wetzels, Stanislav Dashevskyi, Amine Amri and Daniel dos Santos of Forescout Technologies researched and reported these vulnerabilities.
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker to execute commands with unrestricted privileges on the underlying operating system.
Description
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker with access to the administrative configurator on port 8443 and a valid password to execute commands with unrestricted privileges on the underlying operating system. For additional details, please see VMSA-2020-0027 and CVE-2020-4006.
Impact
This could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.
The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPBM write command or the content of an RPMB area.
Description
The RPMB protocol "...enables a device to store data in a small, specific area that is authenticated and protected against replay attack." RPMB is most commonly found in mobile phones and tablets using flash storage technology such as eMMC, UFS, and NVMe. The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Additional details are available in Replay Attack Vulnerabilities in RPMB Protocol Applications.
Impact
An attacker with physical access to a device can cause a mismatch between the write state or contents of the RPMB area and a trusted component of the device. These mismatches can lead to the trusted component believing a write command failed when in fact it succeeded, or the trusted component believing that certain content was written when in fact different content (unmodified by the attacker) was written. Further implications depend on the specific device and use of RPMB. At least one affected vendor has confirmed that denial of service
Rotem Sela and Brian Mastenbrook of Western Digital identified this vulnerability. Western Digital coordinated its disclosure with the affected vendors. Thanks Western Digital PSIRT!
Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.
Description
CVE-2020-10143
Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR variable as C:\openssl\. Macrium Reflect contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
Impact
By placing a specially-crafted openssl.cnf in the C:\openssl\ directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Macrium software installed.
Chocolatey Boxstarter fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
Description
CVE-2020-15264
The Chocolatey Boxstarter installer fails to set a secure access-control list (ACL) on the C:\ProgramData\Boxstarter directory, which is added to the system-wide PATH environment variable. A privilege escalation vulnerability is introduced since any location in the system-wide PATH environment variable may be used to load code that runs with privileges.
Impact
By placing a specially-crafted DLL file in the C:\ProgramData\Boxstarter directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Boxstarter software installed. See DLL Search Order Hijacking for more details.
Solution
Apply an update
This vulnerability is addressed in Chocolatey Boxstarter version 2.13.0. Please see the security advisory for more details.
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
Acronis True Image, Cyber Backup, and Cyber Protection all contain privilege escalation vulnerabilities, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
Description
CVE-2020-10138
Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
CVE-2020-10139
Acronis True Image 2021 includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis True Image contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
CVE-2020-10140
Acronis True Image 2021 fails to properly set ACLs of the C:\ProgramData\Acronis directory. Because some privileged processes are executed from the C:\ProgramData\Acronis directory, an unprivileged user can achieve arbitrary code execution with SYSTEM privileges by placing a DLL in one of several paths within C:\ProgramData\Acronis.
Impact
By placing a specially-crafted openssl.cnf or DLL file in a specific location, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Acronis software installed. See DLL Search Order Hijacking for more details.
Solution
Apply an update
These vulnerabilities are addressed in Acronis True Image 2021 build 32010 (release notes), Acronis Cyber Backup 12.5 build 16363 (release notes), and Acronis Cyber Protect 15 build 24600 (release notes).
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC. Acronis also credits HackerOne researchers @adr, @mmg, @vanitas, @xnand with independently discovering and reporting the vulnerabilities.
Law enforcement agencies across the U.S. have used facial recognition technology to solve homicides and bust human traffickers, but concern about its accuracy and the growing pervasiveness of video surveillance is leading some state lawmakers to hit the pause button.
The United States Department of Defense this week announced an expansion of the scope of its vulnerability disclosure program to include all of its publicly accessible information systems.
A new threat actor that appears to be financially motivated has targeted many organizations in the United States and other countries using several new pieces of malware, FireEye reported on Tuesday.
Cyber asset management and governance solutions provider JupiterOne on Tuesday announced that it raised $30 million in Series B funding, which brings the total raised by the company to more than $49 million.
The funding round was led by Sapphire Ventures, with participation from previous investor Bain Capital Ventures.
I’m glad this column is coming out now instead of earlier this year. Cloud security is more topical than ever when considering all the fun things that have happened in 2021 with security startups!
The company providing internet services for Belgium’s parliament, government agencies, universities and scientific institutions said Tuesday that its network was under cyberattack, with connections to several customers disrupted.
Owners of Dell devices were informed on Tuesday that a firmware update driver present on a large number of systems is affected by a series of high-severity vulnerabilities.
A new variant of the Buer malware loader has been detected, written in Rust. The original version is written in C. Rust is efficient, easy-to-use, and an increasingly popular programming language – Microsoft uses it, and joined the Rust Foundation in February 2021.