Security News


 Vulnerability News SecurityWeek Feed
 
  • VU#142546: SMA Technologies OpCon UNIX agent adds the same SSH key to all installations


    Overview

    SMA Technologies OpCon UNIX agent adds the same SSH key on every installation and subsequent updates. An attacker with access to the private key can gain root access on affected systems.

    Description

    During OpCon UNIX agent installation and updates, an SSH public key is added to the root account's authorized_keys file. The corresponding private key titled sma_id_rsa is included with the installation files and is not encrypted with a passphrase. Removal of the OpCon software does not remove the entry from the authorized_keys file.

    Impact

    An attacker with access to the private key included with the OpCon UNIX agent installation files can gain SSH access as root on affected systems.

    Solution

    Remove private key

    SMA Technologies has provided a tool to address the issue.

    Another option is to manually remove the SSH key entry from root's authorized_keys file. The key can be identified by its fingerprints:

    SHA256:qbgTVNkLGI5G7erZqDhte63Vpw+9g88jYCxMuh8cLeg MD5:f1:6c:c9:ba:21:66:ce:7c:5a:55:e2:4d:07:72:cc:31

    Depending on the shell and operating system there are various ways to generate fingerprints for public keys listed in authorized_keys.

    Upgrade

    SMA Technologies reports that "We have updated our UNIX agent version 21.2 package to no longer include (and also remove) any existing vulnerability."

    Acknowledgements

    Thanks to Nick Holland at Holland Consulting for researching and reporting this vulnerability.

    This document was written by Kevin Stephens.

  • VU#473698: uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID


    Overview

    The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predicatble DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.

    Description

    The uClibc and the Uclibc-ng software are lightweight C standard libraries intended for use in embedded systems and mobile devices. The uClibc library has not been updated since May of 2012. The newer uClibc-ng is the currently maintained fork of uClibc, as announced on the OpenWRT mailing list in July 2014.

    Researchers at the Nozomi Networks Security Research Team discovered that all existing versions of uClibc and uClibc-ng libraries are vulnerable to DNS cache poisoning. These libraries do not employ any randomization in the DNS Transaction ID (DNS TXID) field when creating a new DNS request. This can allow an attacker to send maliciously crafted DNS packets to corrupt the DNS cache with invalid entries and redirect users to arbitrary sites. As uClibc and uClibc-ng are used in devices such as home routers and firewalls, an attacker can perform attacks against multiple users in a shared network environment that relies on DNS responses from the vulnerable device.

    The DNS cache poisoning scenarios and defenses are discussed in IETF RFC5452.

    Impact

    The lack of DNS response validation can allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to malicious sites.

    Solution

    Apply a patch

    If your vendor has developed a patched version of uClibc or uClibc-ng to address this issue, apply the updates provided by your vendor. uClibc-ng was updated to 1.0.41 on 05/20/2022.

    Product Developers

    If you have a forked or customized version of uClibc or uClibc-ng, develop or adopt a patch to ensure the dns_lookup function provides adequate randomization of DNS TXID's while making DNS requests. Review and consider applying the patch has been made available in patchwork repository of uClibc-ng with VU#638879 tag.

    Follow security best practices

    Consider the following security best-practices to protect DNS infrastructure:

    • Prevent direct exposure of IoT devices and lightweight devices over the Internet to minimize attacks against a caching DNS server.
    • Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS recursion services where applicable.
    • Implement a Secure By Default configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).

    Acknowledgements

    Thanks to the Nozomi Networks Security Research Team for this report

    This document was written by Vijay Sarvepalli and Timur Snoke.

  • VU#730007: Tychon is vulnerable to privilege escalation due to OPENSSLDIR location


    Overview

    Tychon contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user may be able to place files.

    Description

    Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.

    Impact

    By placing a specially-crafted openssl.cnf in a location used by Tychon, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Tychon software installed.

    Solution

    Apply an update

    This issue is addressed in Tychon 1.7.857.82

    Acknowledgements

    This document was written by Will Dormann.

  • VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value


    Overview

    Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.

    Description

    Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a value that reflects the path where Qt exists on the system that was used to build Qt. For example, it may refer to a specific subdirectory within C:\Qt\, which is the default installation location for Qt on Windows. If software that is built with Qt runs with privileges on a Windows system, this may allow for privilege escalation due to the fact that Windows by default allows unprivileged users to create subdirectories off of the root C:\ drive location.

    In 2015, a patch was made to windeployqt to strip out any existing qt_prfxpath value from Qt5Core.dll. If Windows software that uses Qt prior to version 5.14 is not properly packaged using windeployqt, then it may be vulnerable to privilege escalation.

    Impact

    By placing a file in an appropriate location on a Windows system, an unprivileged attacker may be able to execute arbitrary code with the privileges of the software that uses Qt.

    Solution

    Apply an update

    This issue is addressed in Qt 5.14. Starting with this version, Qt no longer hard-codes the qt_prfxpath value in Qt5Core.dll.

    Run windeployqt to prepare Windows Qt software for deployment

    The windeployqt utility will replace the qt_prfxpath value in the Qt core DLL with the value of ., which helps prevent this path from being used to achieve privilege escalation.

    Acknowledgements

    This document was written by Will Dormann.

  • VU#970766: Spring Framework insecurely handles PropertyDescriptor objects with data binding


    Overview

    The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

    Description

    The Spring Framework is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.

    Exploit code that targets affected WAR-packaged Java code for tomcat servers is publicly available.

    NCSC-NL has a list of products and their statuses with respect to this vulnerability.

    Impact

    By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.

    Solution

    Apply an update

    This issue is addressed in Spring Framework 5.3.18 and 5.2.20. Please see the Spring Framework RCE Early Announcement for more details.

    Acknowledgements

    This issue was publicly disclosed by heige.

    This document was written by Will Dormann

  • VU#383864: Visual Voice Mail (VVM) services transmit unencrypted credentials via SMS


    Overview

    Visual Voice Mail (VVM) services transmit unencrypted credentials via SMS. An attacker with the ability to read SMS messages can obtain VVM IMAP credentials and gain access to VVM data.

    Description

    VVM is specified by Open Mobile Terminal Platform-OMPT and is implemented with SMS and IMAP (and other protocols). VVM IMAP credentials are sent unencrypted in SMS messages. From vvm-disclosure:

    When a client sends any sort of STATUS SMS (activate, deactivate, status), the carrier will respond with all credentials needed to log into the IMAP server (i.e. username, password, server host-name).

    From section 2.1.1.2 AUTHENTICATE of the OMTP VISUAL VOICEMAIL INTERFACE SPECIFICATION v1.3: "The IMAP4 password is sent in the STATUS SMS message."

    To intercept an SMS message, an attacker would need, for example: * temporary physical access to the SIM card, * to operate a spoofed a base station (cell tower), or * to convince a user to install a malicious application that has SMS access.

    VVM IMAP services may be widely accessible over the internet or carrier networks.

    From vvm-disclosure:

    There is no indication on to a victim that someone else has access to their VVM. Android leaves their VVMs on the IMAP server until the client deletes it, so any VVMs on the client are accessible to a malicious actor.

    Impact

    An attacker with the ability to read SMS messages can obtain VVM IMAP credentials and gain access to VVM data.

    Solution

    We are not aware of a practical solution to this vulnerability.

    Take general precautions against SMS interception.

    If supported, change your VMM password on some basis.

    Delete VMM data quickly.

    Acknowledgements

    Thanks to Chris Talbot for researching and reporting this vulnerability.

    This document was written by Brad Runyon.

  • VU#229438: Mobile device monitoring services do not authenticate API requests


    Overview

    The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called "stalkerware." An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.

    Description

    IDOR is a common web application flaw that essentially exposes information on a server because of insufficient authentication or authorization controls. Multiple services and apps are affected by this backend vulnerability. A list of known vendors is included below.

    For more information and a detailed account of the flaw and investigation, please see "Behind the stalkerware network spilling the private phone data of hundreds of thousands."

    Impact

    An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.

    Solution

    We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software), would need to address the IDOR vulnerability.

    For advice on detecting and removing stalkerware apps, see "Your Android phone could have stalkerware, here's how to remove it." As noted by TechCrunch:

    Before you proceed, have a safety plan in place. The Coalition Against Stalkerware offers advice and guidance for victims and survivors of stalkerware. Spyware is designed to be covert, but keep in mind that removing the spyware from your phone will likely alert the person who planted it, which could create an unsafe situation.

    Acknowledgements

    Thanks to Zack Whittaker from TechCrunch for researching and reporting this vulnerability and investigating the wider security concerns related to stalkerware.

    This document was written by James Stanley and Art Manion.

  • VU#796611: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM


    Overview

    The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM).

    Description

    UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. SMM's privileges, also referred to as "Ring -2," exceed the privileges of the operating system's kernel ("Ring-0"). For this reason, SMM is executed in a protected area of memory called the SMRAM. It is typically accessed via System Management Interrupt (SMI) Handlers using communication buffers, which are also known as "SMM Comm Buffers." The SMM also provides protection against SPI flash modifications and performs boot time verifications similar to those performed by SecureBoot.

    UEFI software requires both openness (for hardware drivers, pluggable devices and Driver eXecution Environment (DXE) updates) as well as very tight security controls (for e.g., SMM Comm Buffer Security), making it a complex software that needs a thorough set of security controls that need validation throughout the software's lifecycle. UEFI also supports recent capabilities like Virtual Machine Manager (VMM) for virtualization and the increasing demand of virtual computing resources.

    Insyde's H2O UEFI firmware contains several (23) memory management vulnerabilities that were disclosed by Binarly. While these vulnerabilities were discovered in Fujitsu and Bull Atos implementations of Insyde H2O software, the same software is also present in many other vendor implementations due to the complex UEFI supply chain. The vulnerabilities can be classified by the following UEFI vulnerability categories.

    Vulnerability CategoryCount
    SMM Privilege Escalation 10
    SMM Memory Corruption12
    DXE Memory Corruption1

    Impact

    The impacts of these vulnerabilities vary widely due to the nature of SMM capabilities. As an example, a local attacker with administrative privileges (or a remote attacker with administrative privileges) can exploit these vulnerabilities to elevate privileges above the operating system to execute arbitrary code in SMM mode. These attacks can be invoked from the operating system using the unverified or unsafe SMI Handlers, and in some cases these bugs can also be triggered in the UEFI early boot phases ( as well as sleep and recovery like ACPI) before the operating system is initialized.

    In summary, a local attacker with administrative privileges (in some cases a remote attacker with administrative privileges) can use malicious software to perform any of the following:

    • Invalidate many hardware security features (SecureBoot, Intel BootGuard)
    • Install persistent software that cannot be easily erased
    • Create backdoors and back communications channels to exfiltrate sensitive data

    Solution

    Install the latest stable version of firmware provided by your PC vendor or your nearest reseller of your computing environments. See the links below to resources and updates provided by specific vendors.

    If your operating system supports automatic or managed updates for firmware, such as Linux Vendor Firmware Service (LVFS), apply the related software security updates. Binarly has also provided a set of UEFI software detection rules called FwHunt rules to assist with identifying vulnerable software. LVFS applies these FwHunt rules to detect and support the fix of firmware updates that are impacted by this advisory.

    Acknowledgements

    The efiXplorer team of Binarly researched and reported these vulnerabilities to Insyde Software. Insyde Software worked closely with CERT/CC during the coordinated disclosure process for these vulnerabilities.

    This document was written by Vijay Sarvepalli.

  • VU#119678: Samba vfs_fruit module insecurely handles extended file attributes


    Overview

    The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.

    Description

    The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba with vfs_fruit configured allows out-of-bounds heap read and write via specially crafted extended file attributes.

    For more information, see the Samba announcement for CVE-2021-44142 and bug 14914. Also available for reference is a detailed blog post from ZDI.

    Impact

    A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

    From the Samba annoucement for CVE-2021-44142:

    Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.

    Solution

    Apply an update

    Samba has released versions 4.13.17, 4.14.12, and 4.15.5.

    Disable vfs_fruit

    As a workaround, remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., smb.conf).

    Acknowledgements

    Thanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.

    This document was written by James Stanley and Art Manion.

  • VU#287178: McAfee Agent for Windows is vulnerable to privilege escalation due to OPENSSLDIR location


    Overview

    McAfee Agent contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user may be able to place files.

    Description

    CVE-2022-0166

    McAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. McAfee Agent contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.

    Impact

    By placing a specially-crafted openssl.cnf in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed.

    Solution

    Apply an update

    This vulnerability is addressed in McAfee Agent version 5.7.5.

    Acknowledgements

    This vulnerability was reported by Will Dormann of the CERT/CC.

    This document was written by Will Dormann.

  • VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities


    Overview

    Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.

    Description

    Z-Wave devices based on Silicon Labs chipsets have multiple vulnerabilities. For further details, including specific devices tested, see Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes.

    CVE-2020-9057
    Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.

    CVE-2020-9058
    Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation do not implement encryption or replay protection.

    CVE-2020-9059
    Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption which can lead to battery exhaustion.

    CVE-2020-9060
    Z-Wave devices based on Silicon Labs 500 series chipsets using S2 are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages.

    CVE-2020-9061
    Z-Wave devices based on Silicon Labs 500 and 700 series chipsets are susceptible to denial of service via malformed routing messages.

    CVE-2020-10137
    Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do not adequately authenticate or encrypt FIND_NODE_IN_RANGE frames.

    Impact

    Depending on the chipset and device, an attacker within Z-Wave radio range can deny service, cause devices to crash, deplete batteries, intercept, observe, and replay traffic, and control vulnerable devices.

    Solution

    Mitigations for these vulnerabilities vary based on the chipset and device. In some cases it may be necessary to upgrade to newer hardware, for example, 500 and 700 series chipsets that support S2 authentication and encryption.

    Acknowledgements

    Thanks to Carlos Kayembe Nkuba, Seulbae Kim, Sven Dietrich, and Heejo Lee for researching and reporting these vulnerabilities.

    This document was written by Timur Snoke and Art Manion.

  • VU#692873: Saviynt Enterprise Identity Cloud vulnerable to local user enumeration and authentication bypass


    Overview

    Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass vulnerabilities in the local password reset feature. Together, these vulnerabilities could allow a remote, unauthenticated attacker to gain administrative privileges if an SSO solution is not configured for authentication.

    Description

    Saviynt Enterprise Identity Cloud contains two vulnerabilities in the password reset feature for the local authentication system. Specifying the id parameter returns user names and it is common that accounts with administrative privileges have low (often single digit) id values.

    /ECM/maintenance/forgotpasswordstep1?otpConfig=false&id=5

    It is then possible to either unhide a button or directly access a URL that bypasses verification and allows the password to be changed. Accessing a login URL with the new credentials yields cookies that can be used to authenticate to the Enerprise Identity Cloud instance.

    If another authentication or SSO system is configured, then it is not possible to exploit these vulnerabilities.

    Impact

    A remote, unauthenticated attacker can enumerate users and bypass authentication to change the password of an existing administrative user. The attacker can then perform administrative actions and possibly make changes to other connected authentication systems.

    Solution

    Saviynt has deployed a backend update for the software that resolves the issue in Saviynt IGA Release v5.5 SP2.x and later versions. As an additional layer of security, as the impacted URLs are not commonly used by customers leveraging SSO, Saviynt has blocked access to the URLs needed to exploit these vulnerabilities.

    Saviynt users should not need to take any action but might want to confirm they are running a fixed version.

    Acknowledgements

    This document was written by Eric Hatleback and Art Manion.

  • VU#930724: Apache Log4j allows insecure JNDI lookups


    Overview

    Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.

    CISA has published Apache Log4j Vulnerability Guidance and provides a Software List.

    Description

    The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can be exploited to exfiltrate data or execute arbitrary code via remote services such as LDAP, RMI, and DNS.

    This vulnerability note includes information about the following related vulnerabilities.

    • CVE-2021-44228 tracks the initial JNDI injection and RCE vulnerability in Log4j 2. This vulnerability poses considerabily more risk than the others.

    • CVE-2021-4104 tracks a very similar vulnerability that affects Log4j 1 if JMSAppender and malicious connections have been configured.

    • CVE-2021-45046 tracks an incomplete fix for CVE-2021-44228 affecting Log4j 2.15.0 when an attacker has "...control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern."

    We provide tools to scan for vulnerable jar files.

    More information is available from the Apache Log4j Security Vulnerabilities page, including these highlights.

    Certain conditions must be met to make Log4j 1.x vulnerable:

    Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

    Log4j API code alone is not affected:

    Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

    Impact

    A remote, unauthenticated attacker with the ability to log specially crafted messages can cause Log4j to connect to a service controlled by the attacker to download and execute arbitrary code.

    Solution

    In Log4j 2.12.2 (for Java 7) and 2.16.0 (for Java 8 or later) the message lookups feature has been completely removed. In addition, JNDI is disabled by default and other default configuration settings are modified to mitigate CVE-2021-44228 and CVE-2021-45046.

    For Log4j 1, remove the JMSAppender class or do not configure it. Log4j 1 is not supported and likely contains unfixed bugs and vulnerabilities (such as CVE-2019-17571).

    For applications, services, and systems that use Log4j, consult the appropriate vendor or provider. See the CISA Log4j Software List and the Vendor Information section below.

    Workarounds

    Remove the JndiLookup class from the classpath, for example:

    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    As analysis has progressed, certain mitigations have been found to be less effective or incomplete. See "Older (discredited) mitigation measures" on the Apache Log4j Security Vulnerabilities page.

    SLF4J also recommends write-protecting Log4j configuration files.

    Acknowledgements

    Apache credits Chen Zhaojun of Alibaba Cloud Security Team for reporting CVE-2021-44228 and CVE-2021-4104 and Kai Mindermann of iC Consult for CVE-2021-45046.

    Much of the content of this vulnerability note is derived from Apache Log4j Security Vulnerabilities and http://slf4j.org/log4shell.html.

    This document was written by Art Manion.

  • VU#999008: Compilers permit Unicode control and homoglyph characters


    Overview

    Attacks that allow for unintended control of Unicode and homoglyphic characters, described by the researchers in this report leverage text encoding that may cause source code to be interpreted differently by a compiler than it appears visually to a human reviewer. Source code compilers, interpreters, and other development tools may permit Unicode control and homoglyph characters, changing the visually apparent meaning of source code.

    Description

    Internationalized text encodings require support for both left-to-right languages and also right-to-left languages. Unicode has built-in functions to allow for encoding of characters to account for bi-directional, or Bidi ordering. Included in these functions are characters that represent non-visual functions. These characters, as well as characters from other human language sets (i.e., English vs. Cyrillic) can also introduce ambiguities into the code base if improperly used.

    This type of attack could potentially be used to compromise a code base by capitalizing on a gap in visually rendered source code as a human reviewer would see and the raw code that the compiler would evaluate.

    Impact

    The use of attacks that incorporate maliciously encoded source code may go undetected by human developers and by many automated coding tools. These attacks also work against many of the compilers currently in use. An attacker with the ability to influence source code could introduce undetected ambiguity into source code using this type of attack.

    Solution

    The simplest defense is to ban the use of text directionality control characters both in language specifications and in compilers implementing these languages.

    Two CVEs were assigned to address the two types of attacks described in this report.

    CVE-2021-42574 was created for tracking the Bidi attack. CVE-2021-42694 was created for tracking the homoglyph attack.

    Acknowledgements

    Thanks to the reporters, Nicholas Boucher and Ross Anderson of The University of Cambridge (UK).

    This document was written by Chuck Yarbrough.

  • VU#883754: Salesforce DX command line interface (CLI) does not adequately protect sfdxurl credentials


    Overview

    The default security configuration in Salesforce allows an authenticated user with the Salesforce-CLI to create URL that will allow anyone, anywhere access to the Salesforce GUI with the same administrative credentials without a log trace of access or usage of the API.

    Description

    The Salesforce-cli interface allows an authenticated user to create an access URL using the CLI interface. This URL can be shared as a link, so anyone who has the link can access this site from anywhere (any IP address or any device) with the same access rights as the creator or the URL. This access is only available for the duration of the access token, however this new access will not be logged or tracked in any way available to the user or to the user's organization. The generated URL requires no user/pass or any form of challenge/response, such as MFA, to verify the identity of the new access. OWASP API Security 2019 recommends a number of protections (relevant sections API2:2019, API6:2019 and API10:2019) of API endpoints that will prevent potential abuse of such API endpoints by malicious actors, including malicious insiders.

    Impact

    An unauthenticated user who gains access to an URL, generated by Salesforce-cli, can perform administrative actions as if logged in with the same rights as the account owner who generated the URL. This includes the ability to add user accounts that have administrative rights, manage existing users or applications, and any other action that is available to the user who generated the URL.

    Solution

    In the Salesforce GUI you can Modify Session Security Settings, it is possible to Lock Sessions to the IP address that the session originated on, which would limit the ability for the URL to be shared with other hosts. The default configuration does not have this lock enabled because it may impact various applications and some mobile devices. It is also possible to lock down sessions using domain names instead of IP addresses. It is recommended that Salesforce customers verify that their applications do not require such untethered or unmonitored access or that using custom generated URL's is currently required in their operations before enforcing the above recommended access control.

    Acknowledgements

    Thanks to the reporter, who wishes to remain anonymous, for reporting this vulnerability.

    This document was written by Timur Snoke.