Tag: Staff Research Engineer

Satnam Narang, Staff Research Engineer, Tenable

Microsoft’s June 2021 Patch Wednesday Addresses 49 CVEs

Microsoft’s June Patch Wednesday addressed 49 CVEs. Of those, six have been observed as being exploited in the wild, and five are rated as critical. Remote Code Execution vulnerabilities account for 34% of the flaws, with elevation of privilege accounting for 26%. Below is a comment by Satnam Narang, Staff Research Engineer at Tenable; further analysis can be found here.

“This month’s Patch Wednesday release addressed 49 CVEs, five of which are rated critical. This is the third time in 2021 that Microsoft has patched fewer than 60 CVEs, and this month’s release contains the lowest number of patches in a month so far this year.

“Microsoft patched six zero-day vulnerabilities that have been exploited in the wild, including four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution vulnerability.

“CVE-2021-33742 is a remote code execution vulnerability in the Microsoft Windows MSHTML Platform. While this vulnerability does not require special privileges, the attack complexity for exploiting this vulnerability is high, which means an attacker would need to perform additional legwork to successfully exploit this flaw. It appears that was the case, though details of in-the-wild exploitation are not yet known.

“CVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. Details about the in-the-wild exploitation of these vulnerabilities are not yet known. While both vulnerabilities require the attacker to be authenticated to the target system, it is likely that they have been leveraged either post-compromise by the attackers directly or through the use of a malicious file opened by a local user.

“CVE-2021-33739 is an elevation of privilege zero-day vulnerability in the Microsoft Desktop Window Manager (DWM) Core Library. For context, Microsoft patched two elevation of privilege vulnerabilities in February (CVE-2021-1732) and April (CVE-2021-28310) which appear to be linked to a threat actor known as BITTER APT. In the case of CVE-2021-28310, researchers linked the flaw to the dwmcore.dll file. Given that CVE-2021-33739 is credited to the same researchers who found CVE-2021-1732 in February, and was discovered in the same core library as CVE-2021-28310, it is feasible this is another zero-day being leveraged by the same BITTER APT group.

“While these vulnerabilities have already been exploited in the wild as zero-days, it is still vital that organisations apply these patches as soon as possible. Unpatched flaws remain a problem for many organisations months after patches have been released.” – Satnam Narang, Staff Research Engineer, Tenable

Comment from Tenable: FBI Issues Second Alert on Attackers Leveraging Three Legacy Fortinet Vulnerabilities

“The Federal Bureau of Investigation (FBI) issued their second alert regarding multiple flaws in Fortinet’s FortiGate SSL VPN being exploited in the wild, the first of which was published over a month ago. However, multiple U.S. Government agencies, including the FBI, NSA and CISA, have published several alerts over the last few years highlighting the use by advanced persistent threat (APT) groups of CVE-2018-13379, a critical flaw in the SSL VPN that was patched two years ago.

“The fact that we continue to see these legacy vulnerabilities being exploited in spite of these alerts is a cautionary tale that unpatched flaws remain a valuable tool for APT groups and cybercriminals in general. The risk is further heightened by the broad shift of the workforce over the past year. Unpatched vulnerabilities, not zero-days, are the biggest threat to most organizations today because they get attackers to their end goal in the fastest and cheapest way. It is imperative that both public sector and private organizations that use the FortiGate SSL VPN apply these patches immediately to prevent future compromise.” — Satnam Narang, Staff Research Engineer, Tenable

Microsoft’s Security Patches for May 2021 Address 55 CVEs

“This month’s Patch Wednesday release addressed 55 CVEs, 4 of which are rated critical. This is the second time in 2021 that Microsoft has patched fewer than 60 CVEs.

“Microsoft patched CVE-2021-31166, a remote code execution vulnerability in the HTTP Protocol Stack (http.sys). This vulnerability was discovered internally by Microsoft and is rated as Exploitation More Likely on Microsoft’s Exploitability Index.

“To exploit the flaw, an attacker would need to target a vulnerable server using the HTTP Protocol Stack with a packet containing the exploit code. Additionally concerning is that this vulnerability is wormable, meaning it can self-replicate on its own without human intervention. The most devastating wormable attacks in the last several years were the WannaCry attacks. Organisations that utilise the HTTP Protocol Stack in their server architecture should apply these updates immediately.

“Microsoft also patched four vulnerabilities in Microsoft Exchange Server. The flaws, which include CVE-2021-31198, CVE-2021-31207, CVE-2021-31209 and CVE-2021-31195, are all rated Important or Moderate. CVE-2021-31195 is attributed to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the ProxyLogon Exchange Server vulnerability that was patched in an out-of-band release back in March. While none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organisations that have yet to update their systems should do so as soon as possible.” – Satnam Narang, Staff Research Engineer, Tenable

Critical vulnerability in Cisco SD-WAN vManage Software

Cisco addressed multiple vulnerabilities in its SD-WAN vManage Software, one of which allows an attacker to perform actions not granted to average users, such as creating accounts with administrative level access. Please find below a comment from Satnam Narang, Staff Research Engineer, Tenable.

“Cisco patched multiple vulnerabilities on Wednesday, including several flaws in its SD-WAN vManage software. The most severe flaw is CVE-2021-1468, an unauthorised message processing vulnerability.

“The flaw exists because the vManage software fails to perform an authentication check on input supplied by the user to the application’s messaging service. This vulnerability could be exploited pre-authentication, meaning the attacker does not need to possess valid credentials and authenticate to the vulnerable application. Successful exploitation would give an attacker the ability to perform actions not granted to average users, such as creating accounts with administrative level access.

“It should be noted that this particular vulnerability as well as several others patched on Wednesday can only be exploited if the vManage software is running in Cluster Mode.

“If your organisation uses vManage, we strongly encourage you to apply these patches as soon as possible.” — Satnam Narang, Staff Research Engineer, Tenable

Comment from Tenable: Apple patches zero-day flaws

Apple recently patched several vulnerabilities across its lineup of software and operating systems. Included in these patches were fixes for two zero-day vulnerabilities that have been exploited in the wild. Please find below a comment from Satnam Narang, Staff Research Engineer, Tenable.

“Apple patched CVE-2021-30661, a vulnerability in its WebKit Storage component used in its browser engine. The vulnerability exists across its desktop operating system (macOS Big Sur) as well as its mobile devices such as iPhone (iOS), iPad (iPadOS), Apple Watch (watchOS) and its operating system for Apple TV, tvOS. Apple says that an attacker could gain arbitrary code execution when processing maliciously crafted web content. Apple said they’re aware of reports this flaw has been actively exploited in the wild.

“In addition to CVE-2021-30661, Apple also patched CVE-2021-30657, a logic issue in its System Preferences. The vulnerability would allow an attacker to bypass Apple’s Gatekeeper, which is supposed to prevent untrusted software from running on macOS. As an example, security researcher Patrick Wardle, who wrote about the flaw, created a proof-of-concept of a resume PDF file that, when opened, will launch the system’s Calculator application, a popular benign tactic used to show successful exploitation.

“Researchers at Jamf also documented the in-the-wild exploitation of CVE-2021-30657 by operators of the Shlayer macOS malware. The group has been known to spread their malware through poisoned search results that lead to fake downloads of Adobe Flash Player.

“Users of Apple devices, from laptops to mobile devices, should regularly update to the latest version to protect themselves against threats like the ones patched recently.” – Satnam Narang, Staff Research Engineer, Tenable

Comment from Tenable: CERT-In cautions WhatsApp users of vulnerabilities detected in the app

Earlier this week, CERT-In, India’s cyber security agency, cautioned WhatsApp users about certain vulnerabilities detected in the instant messaging app that could lead to a breach of sensitive information. The vulnerabilities affect ‘WhatsApp and WhatsApp Business for Android prior to v2.21.4.18 and WhatsApp and WhatsApp Business for iOS prior to v2.21.32.’ Please find below a comment from Satnam Narang, Staff Research Engineer, Tenable.

“With over two billion users, WhatsApp is one of the most popular messaging platforms around the world. Therefore, the discovery of vulnerabilities within the WhatsApp application for Android and iOS devices could be significant. Earlier this month, two flaws were patched in WhatsApp for Android and iOS. To exploit these flaws in apps like WhatsApp, more often than not, an attacker would need to socially engineer the victim into clicking on a link to visit a website.

“Whenever WhatsApp releases new versions of its software, it is important for end-users to ensure updates are applied, either automatically or by checking for updates. This can help address any known vulnerabilities within the application.

“With respect to the supposed WhatsApp Pink release, it appears that cybercriminals are circulating a fake copy of WhatsApp for Android that apparently changes the colour of the app logo and the app iconography and theme to pink. Installing apps from outside the Google Play Store is a risky proposition, so we strongly encourage users to be cautious and not install apps from outside the official Google Play Store.” — Satnam Narang, Staff Research Engineer, Tenable

Comment from Tenable: Second zero-day in Google Chrome

For the second time in a week, a researcher has published a proof-of-concept (PoC) exploit for a zero-day vulnerability in Google Chrome. Earlier this week, a researcher published a PoC for a 1-day vulnerability in the V8 JavaScript engine used by Google Chrome and Microsoft Edge (Chromium). Please find below a comment from Satnam Narang, Staff Research Engineer, Tenable.

“What makes both of these publicly disclosed vulnerabilities similar is that they are of limited value by themselves. In this case, it takes two to tango, which means they require a separate vulnerability to break out of the Chrome sandbox. Once again, this latest vulnerability is also mitigated by the fact that it is not paired with a flaw to escape the sandbox.

“Therefore, an attacker cannot compromise the underlying operating system or access confidential information without combining this vulnerability with a second vulnerability to escape the sandbox.

“Zero-days may garner most of the attention, but known yet unpatched vulnerabilities enable most breaches and have become favoured by advanced attackers. Yesterday, the National Security Agency (NSA) released a joint cybersecurity advisory with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), highlighting a series of known vulnerabilities allegedly used by Russian Foreign Intelligence Services.

“Despite the limited impact from the public disclosure of another Google Chrome vulnerability, we continue to encourage users and organisations alike to ensure they are patching their browsers like Chrome and Edge as soon as possible.” – Satnam Narang, Staff Research Engineer, Tenable

Comment from Tenable: Proof-of-Concept for Google Chrome/Microsoft Edge 1-Day

A 1-day vulnerability in the V8 JavaScript engine used by Google Chrome and Microsoft Edge (Chromium) has come to light on social media. It appears to be the same flaw that was reported during the Pwn2Own contest held earlier this month. The known vulnerability has been patched in the V8 engine, but has yet to be patched in both Chrome and Edge. Please find below a comment from Satnam Narang, Staff Research Engineer, Tenable.

“There are reports of a 1-day vulnerability in the V8 JavaScript engine used by Google Chrome and Microsoft Edge (Chromium). This vulnerability was disclosed on social media on April 12, but appears to be the same flaw that was reported during the Pwn2Own contest held earlier this month. The known vulnerability has been patched in the V8 engine, but has yet to be patched in both Chrome and Edge.

“While it is concerning that details about a vulnerability in popular web browsers have been publicly disclosed, the cause for concern dissipates when you consider that the vulnerability by itself cannot escape Google’s sandbox. This means that an attacker could not compromise the underlying operating system or access confidential information. It’s sort of like clapping your hands; you can’t truly clap with just one hand, you need both. Similarly, in this instance, an attacker would need to chain this V8 vulnerability with a second vulnerability to escape the sandbox.

“Despite that, we strongly encourage users and organizations alike to ensure they are patching their browsers like Chrome and Edge as soon as possible, as unpatched browsers and systems are ripe targets for cybercriminals and advanced persistent threat groups.” – Satnam Narang, Staff Research Engineer, Tenable

Patch Wednesday: Four Critical Microsoft Exchange Server Vulnerabilities Patched in April

This month’s Patch Wednesday release addressed 108 CVEs, 19 of which are rated critical. This is the first time in 2021 that Microsoft patched over 100 CVEs. They’ve addressed 329 CVEs so far in 2021. Following last month’s out-of-band update addressing four critical zero-days in Microsoft Exchange Server that were exploited in the wild, including ProxyLogon, Microsoft patched four more critical Exchange Server vulnerabilities this month: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483. All four are credited to the National Security Agency, with two also being discovered by Microsoft internally. Here’s a comment from Satnam Narang, Staff Research Engineer, Tenable.

“These vulnerabilities have been rated ‘Exploitation More Likely’ using Microsoft’s Exploitability Index. Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw. With the intense interest in Exchange Server since last month, it is crucial that organisations apply these Exchange Server patches immediately. Microsoft also patched CVE-2021-28310, a Win32k Elevation of Privilege vulnerability that was exploited in the wild as a zero-day.

“Exploitation of this vulnerability would give the attacker elevated privileges on the vulnerable system. This would allow an attacker to execute arbitrary code, create new accounts with full privileges, access and/or delete data and install programs. Elevation of Privilege vulnerabilities are leveraged by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges.” — Satnam Narang, Staff Research Engineer, Tenable

Comment on vulnerabilities in VMware’s vRealize Operations

“The most severe flaw, CVE-2021-21975, is a server-side request forgery (SSRF) vulnerability in the vROPs Manager API. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable vROPs Manager API endpoint. Successful exploitation would result in the attacker obtaining administrative credentials.

“VMware also patched CVE-2021-21983, an arbitrary file write vulnerability in the vROPs Manager API, which can be used to write files to the underlying operating system. This vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw.

“On their own, these vulnerabilities may not seem as severe as CVE-2021-21972, a remote code execution vulnerability in VMware’s vCenter Server that was patched in February. However, if attackers chain both CVE-2021-21975 and CVE-2021-21983 together, they could also gain remote code execution privileges.

“VMware has provided patches for both flaws across vROPs Manager versions 7.5.0 through 8.3.0. They’ve also provided a temporary workaround to prevent attackers from exploiting these flaws. The workaround should only be used as a temporary stop-gap until organizations are able to plan for applying the patches.” — Satnam Narang, Staff Research Engineer, Tenable