Embedded Files
Few recent vulnerability of the year 2021
1. Pulse Connect Secure contains a use-after-free vulnerability.
Overview:
Pulse Connect Secure (PCS) gateway contains a use-after-free vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code.
Description:
CVE-2021-22893
A use-after-free vulnerability that can be reached via a license server handling endpoint may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system.
Every system that is running PCS 9.0R3 or higher or 9.1R1 through 9.2R11.3 is affected. Having the license server configuration enabled is NOT a prerequisite to being vulnerable. The vulnerable endpoints are present regardless of whether the system is an actual license server or not.
This vulnerability is being exploited in the wild.
Impact:
By making a crafted request to a vulnerable Pulse Connect Secure system, an unauthenticated remote attacker may be able to execute arbitrary code on the gateway with root privileges.
Solution:
Apply an update:
This vulnerability and others are addressed in Pulse Connect Secure 9.1R11.4.
Apply a workaround:
If you are not using the features that the following workaround disables, we recommend applying the XML workaround even on systems that have been upgraded to 9.1R11.4 to reduce attack surface. Pulse Secure has published a Workaround-2104.xml file that contains mitigations to protect against this and other vulnerabilities. Importing this XML workaround will activate the protections immediately and does not require any downtime for the VPN system. This workaround will block requests that match the following URI patterns:
^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric
Note that installing this workaround will block the ability to use the following features:
Windows File Share Browser
Pulse Secure Collaboration
License Server
Instead of using the workaround to protect a PCS that is being used as a license server, we recommend updating such systems to PCS 9.1R11.4. If this is not possible, restrict which IP addresses are allowed to communicate with the system.
2. Embedded TCP/IP stacks have memory corruption vulnerabilities.
Overview:
Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU#96491057 as well as the name AMNESIA:33.
Description:
Embedded TCP/IP stacks provide essential network communication capability using TCP/IP networking to many lightweight operating systems adopted by IoT and other embedded devices. These software stacks can also be used in the latest technologies such as Edge Computing. The following embedded TCP/IP stacks were discovered to have 33 memory related vulnerabilities included in this advisory:
Contiki-OS and Contiki-NG: https://www.contiki-ng.org/
PicoTCP and PicoTCP-NG: http://picotcp.altran.be
FNET: http://fnet.sourceforge.net/
These networking software stacks can be integrated in various ways, including compiled from source, modified and integrated, and linked as a dynamic or static libraries, allowing for a wide variety of implementations. As an example, projects such as Apache Nuttx and open-iscsi have adopted common libraries and software modules, thus inheriting some of these vulnerabilities with varying levels of impact. The diversity of implementations and the lack of supply chain visibility has made it difficult to accurately assess the impact, usage as well as the potential exploitability of these vulnerabilities.
In general, most of these vulnerabilities are caused by memory management bugs, commonly seen in lightweight software implementations in Real Time Operating Systems (RTOS) and IoT devices. For specific details on these vulnerabilities, see the Forescout advisory that provides technical details. Due to the lack of visibility of these software usage, Forescout has released an open source version of Detector that can be used to identify potentially vulnerable software.
Impact:
The impact of these vulnerabilities vary widely due to the combination of build and runtime options customized while including these in embedded devices. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause the vulnerable device to behave in unexpected ways such as a failure (denial of service), disclosure of private information, or execution of arbitrary code.
Solution:
Apply updates
Update to the latest stable version of the affected embedded TCP/IP software that address these recently disclosed vulnerabilities. If you have adopted this software from an upstream provider, contact the provider to get appropriate updates that need to be integrated into your software. Concerned end-users of IoT and embedded devices that implement these vulnerable TCP/IP software stacks should contact their vendor or the closest reseller to obtain appropriate updates.
Follow best-practices
We recommend that you follow best practices when connecting IoT or embedded devices to a network:
Avoid exposure of IoT and embedded devices directly over the Internet and use a segmented network zone when available.
Enable security features such as deep-packet inspection and firewall anomaly detection when available to protect embedded and IoT devices.
Ensure secure defaults are adopted and disable unused features and services on your embedded devices.
Regularly update firmware to the vendor provided latest stable version to ensure your device is up to date.
3. Sudo set_cmd() is vulnerable to heap-based buffer overflow.
Overview:
A heap-based overflow has been discovered in the set_cmd() function in sudo, which may allow a local attacker to execute commands with elevated administrator privileges.
Description:
From the Sudo Main Page:
Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
It is possible for a local Non-administrative user to exploit this vulnerability to elevate their privileges so that they can execute commands with administrator privileges. The team at Qualys assigned this vulnerability CVE-2021-3156 and found multiple *nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this. There is additional reporting that other operating systems are affected, including Apple’s Big Sur.
Impact:
If an attacker has local access to an affected machine then it is possible for them to execute commands with administrator privileges.
Solution:
Apply an Update
Update sudo to the latest version to address this vulnerability when operationally feasible. This issue is resolved in sudo version 1.9.5p2. Please install this version, or a version from your distribution that has the fix applied to it.
4. Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs.
Overview:
Atlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.
Description:
The Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\Atlassian\Bitbucket\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
Impact:
By placing a specially-crafted DLL file in the Bitbucket installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Bitbucket software installed. See DLL Search Order Hijacking for more details.
Solution:
Apply an update
This issue has been addressed in the Bitbucket Windows installer for versions 7.10.1, 7.6.4, and 6.10.9. Please see https://jira.atlassian.com/browse/BSERV-12753 for more details.
5. SolarWinds Orion API authentication bypass allows remote command execution.
Overview:
The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.
Description:
The SolarWinds Orion Platform is a suite of infrastructure and system monitoring and management products. The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.axd, ScriptResource.axd, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.
This vulnerability, also known as CVE-2020-10148, is the vulnerability that SolarWinds has indicated to have been used to install the malware known as SUPERNOVA.
We have created a python3 script to check for vulnerable SolarWinds Orion servers: swcheck.py
Impact:
This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.
Solution:
Apply an Update
Users should update to the relevant versions of the SolarWinds Orion Platform:
2019.4 HF 6 (released December 14, 2020)
2020.2.1 HF 2 (released December 15, 2020)
2019.2 SUPERNOVA Patch (released December 23, 2020)
2018.4 SUPERNOVA Patch (released December 23, 2020)
2018.2 SUPERNOVA Patch (released December 23, 2020)
More information can be found in the SolarWinds Security Advisory.
Harden the IIS Server
Especially in cases when updates cannot be installed, we recommend that users implement these mitigations to harden the IIS server.
Page updated
Google Sites
Report abuse