Last Week’s Security news: Serious Sam in Metasploit, PetitPotam, Zimbra Hijack, Joint Advisory TOP30 CVEs

Hello everyone! Last Week's Security News, July 26 - August 1.

Serious Sam in Metasploit

Last week I talked about the Serious Sam vulnerability (CVE-2021-36934), also known as HiveNightmare. The name HiveNightmare comes from the fact that Windows stores its registry data in a small number of proprietary database files called hives. Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is possible for an unprivileged user to read those files and then, for example, extract the account password hashes. An exploit for this vulnerability is now available in Metasploit and it will be much easier for attackers to exploit this vulnerability. The issues is still under investigation by Microsoft and a patch is not currently available, only the list of vulnerable OS versions, however a workaround has been provided.

PetitPotam

At the beginning of last week, PetitPotam (Little Hippo) attack made a lot of noise. It could force remote Windows systems to reveal password hashes that could then be easily cracked.

> "The PetitPotam bug is tied to the Windows operating system and the abuse of a remote access protocol called Encrypting File System Remote Protocol (MS-EFSRPC). The protocol is designed to allow Windows systems to access remote encrypted data stores, allowing for management of the data while enforcing access control policies. […]
The PetitPotam PoC is a form of manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. Next, an attacker uses the file-sharing protocol Server Message Block (SMB) to request access to a remote system’s MS-EFSRPC interface. According to [security researcher Gilles Lionel], this forces the targeted computer to initiate an authentication procedure and share its authentication details via NTLM.
>
> In response to the public availability of the PoC, Microsoft was quick to respond, outlining several mitigation options. For starters, Microsoft recommends disabling NTLM authentication on Windows domain controllers. It also suggests enabling the Extended Protection for Authentication (EPA) feature on AD CS services."

But there won't be any special fix. Microsoft: "PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers."

So, I can only repeat Kevin Beaumont's tweet:

> "Microsoft are no fixing this, so you have an out of the box no auth to Domain Admin path on default config Active Directory environments now, attackers."

> Microsoft are no fixing this, so you have an out of the box no auth to Domain Admin path on default config Active Directory environments now, attackers. pic.twitter.com/t9pOvCKbmT
>
> – Kevin Beaumont (@GossiTheDog) July 24, 2021

Zimbra Hijack

Stored XSS (CVE-2021-35208) and Proxy Servlet Open Redirect (CVE-2021-35209) vulnerabilities in Zimbra.

> "Zimbra is a cloud-based email, calendar, and collaboration suite for enterprises and is available both as an open-source version and a commercially supported version with additional features such as a proprietary connector API to synchronize mail, calendar, and contacts to Microsoft Outlook, among others. It's used by over 200,000 businesses across 160 countries." "A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization. […] As a result, an attacker would gain unrestricted access to all sent and received emails of all employees."

There are no public exploits yet for this vulnerability, but if you are using Zimbra in your organization, be sure to update it.

Joint Advisory TOP30 CVEs

Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) released the Joint Cybersecurity Advisory providing details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs) — routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.

This is not the first such advisory. The previous one was in April, but there were fewer vulnerabilities. I think this is a very good initiative that really helps prioritize vulnerabilities. But, of course, there are questions about the structure and content of the report. For example, there is no complete list of these TOP 30 vulnerabilities. I think a detailed review of vulnerabilities is a topic for a separate episode. This can be done quite simply with Vulristics. Write in the comments if you want to see it.

Here I can only say that the vulnerabilities are related to a wide variety of vendors: Microsoft, Telerik, Drupal, Atlassian, MobileIron, F5-Big IP, Fortinet, Pulse, Citrix, Accellion, VMware. I also liked that among the recommendations for fixing there was "To further assist remediation, automatic software updates should be enabled whenever possible". Of course, updates can sometimes break something, but automated patching is the right goal.