Last Week’s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins

Hello guys! The fourth episode of Last Week’s Security news, July 12 – July 18.

I would like to start with some new public exploits. I think these 4 are the most interesting.

• If you remember, 2 weeks ago I mentioned the ForgeRock Access Manager and OpenAM vulnerability (CVE-2021-35464). Now there is a public RCE exploit for it. ForgeRock OpenAM server is a popular access management solution for web applications. Michael Stepankin, Researcher: "In short, RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM". And now this vulnerability is Under Active Attack. "The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools," the organization said in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them".
• A new exploit for vSphere Client (CVE-2021-21985). The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
• Apache Tomcat 9.0.0.M1 - Open Redirect (CVE-2018-11784). "When the default servlet in Apache Tomcat […] returned a redirect to a directory […] a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice".
• Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (CVE-2019-0221). "The SSI printenv command in Apache Tomcat […] echoes user provided data without escaping and is, therefore, vulnerable to XSS". However, in real life this is unlikely to be used. "SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website".

For the last 2 weeks I have mentioned PrintNightmare and Kaseya. These topics seem to be coming to their logical end. But there is still something to tell about them.

• Microsoft has shared guidance revealing yet another vulnerability connected to its Windows Print Spooler service, saying it is "developing a security update."
  The latest Print Spooler service vuln […] is an elevation of privilege […]. An attacker needs to be able to execute code on the victim system to exploit the vulnerability […]. The solution? For now, you can only "stop and disable the Print Spooler service," disabling both the ability to print locally and remotely.
• Following the supply-chain ransomware attack, Kaseya had urged on-premises VSA customers to shut down their servers until a patch was available. Almost 10 days later the firm has shipped new VSA version with fixes for three security flaws (CVE-2021-30116 - Credentials leak and business logic flaw; CVE-2021-30119 - Cross-site scripting vulnerability; CVE-2021-30120 - Two-factor authentication bypass). The other 4 out of 7 vulnerabilities that could have been exploited in the attack were fixed earlier. Interestingly, REvil, the infamous ransomware cartel behind this attack, has mysteriously disappeared from the dark web, leading to speculations that the criminal enterprise may have been taken down. Let's hope so.

Most news sites over the past week have written about the use of SolarWinds Zero-Day RCE (CVE-2021-35211) in targeted attacks. "A memory escape vulnerability in SolarWinds Serv-U Managed File Transfer Server. The flaw exists due to the way Serv-U has implemented the Secure Shell (SSH) protocol and can only be exploited if an organization has made the Serv-U SSH protocol externally accessible. Microsoft says that, if exploited, an attacker would be able to “remotely run arbitrary code with privileges,” which may include but is not limited to installing or executing malicious code, as well as accessing or altering data on the system". On July 13, Microsoft published a blog post providing additional insight into their discovery of the flaw and the exploitation activity associated with it. Over 8,000 systems remain publicly accessible and potentially vulnerable.

Also, news sites wrote a lot about the dangers of Industrial and Utility Takeovers. "A critical remote code-execution (RCE) vulnerability in Schneider Electric programmable logic controllers (PLCs) has come to light (CVE-2021-22779), which allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare and enterprise environments. Schneider has released a set of mitigations for the bug, but no full patch is available yet".

Several large Security Bulletins have been published last week:

• Android Security Bulletin for July 2021 addresses 44 vulnerabilities, out of which 7 are rated as critical vulnerabilities.
• Adobe Patches 11 Critical Bugs in Popular Acrobat PDF Reader.
• Microsoft Patch Tuesday fixes 13 critical flaws, including 4 under active attack. I have released a separate video with an overview of these vulnerabilities and recommend watching it.

There were some other interesting news that I would like to point out, but I do not want to make this episode too long. Therefore, I will do it very briefly.

• Google patches Chrome zero‑day vulnerability exploited in the wild (CVE-2021-30563).
• Critical Juniper Bug Allows DoS, RCE Against Carrier Networks (CVE-2021-0276, CVE-2021-0277).
• SonicWall has told users of two legacy products running unpatched and end-of-life firmware to take immediate and urgent action to head off an “imminent” ransomware campaign.
• Attackers Exploited 4 Zero-Day Flaws in Chrome, Safari & IE.
• CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks. CDNJS is a free and open-source content delivery network (CDN) that serves about 4,041 JavaScript and CSS libraries.
• Microsoft to beef up security portfolio with reported half-billion-dollar RiskIQ buyout. RiskIQ is all about using security intelligence to protect the attack surface of an enterprise.
• Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year.