Last Week’s Security news: PrintNightmare, Kaseya, Intune, Metasploit Docker escape

Hello guys! The second episode of Last Week’s Security news from June 28 to July 4.

The most interesting vulnerability of the last week is of course Microsoft Print Spooler "PrintNightmare". By sending an RpcAddPrinterDriverEx() RPC request, for example over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable Windows system. And there is a public PoC exploit for this vulnerability published by the Chinese security firm Sangfor. And there is some strange story. It turns out that Sangfor published an exploit for the 0day vulnerability. But they thought this vulnerability (CVE-2021-1675) had already been patched as part of the June Micorosft Patch Tuesday. And then it turns out that this is a bug in the Microsoft patch. But Microsoft wrote that this is a different, new vulnerability CVE-2021-34527 and so there were no problems with the previous patch. In any case, a patch for this vulnerability has not yet been released and Microsoft is suggesting two Workarounds. Option 1 - Disable the Print Spooler service, Option 2 - Disable inbound remote printing through Group Policy. Do this first for Domain Controllers and other critical Windows servers. All versions of Windows contain the vulnerable code and are susceptible to exploitation. Also note that the new vulnerability has a flag Exploitation Detected on the MS site.

The most interesting attack of the week is Kaseya VSA Supply-Chain Attack. Kaseya Limited is an American software company that develops software for managing networks, systems, and information technology infrastructure. Kaseya VSA (Virtual System Administrator) is a cloud-based MSP (Managed Service Provider) platform that allows providers to perform patch management and client monitoring for their customers. So, REvil gang used around 30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was to encrypt over 1,000 businesses. It is now believed that this was an attack on on-premises VSA servers using SQL injection and authentication bypass vulnerabilities. Well, by agreeing to use the MSP, be prepared for such surprises.

Continuing the topic of vulnerabilities in services that simplify system administration, Finnish cybersecurity company Nixu has published a writeup for Remote Code Execution vulnerability in Microsoft Intune managed Windows devices (CVE-2021-31980) from June Patch Tuesday. "This proof-of-concept shows that remote attackers can run code with system privileges on a Windows machine by intercepting the TLS connections. This vulnerability could be exploited to install malware to the victim’s machine to take persistent full control over it". Intune Management Extension updates itself without any user action when the computer is connected to internet. But computers not connected to internet might still run the vulnerable version on startup.

I liked the new Metasploit module that leverages a flaw in runc to escape a Docker container and get command execution on the host as root. It overwrites the runc binary with the payload and wait for someone to use docker exec to get into the container.

And I want to mention these vulnerabilities:

• Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks. "Remotely inject and execute arbitrary code on any website just by sending a message".
• Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464) in ForgeRock Access Manager.
• The vulnerability in Windows 10 allows a low-privileged user to wipe out arbitrary files needed for UEFI boot.
• Western Digital's older network-attached storage systems allowed unauthenticated commands to trigger a factory reset, formatting the hard drives.
• Microsoft Discloses Critical Bugs Allowing Takeover of NETGEAR Routers.