The Bug Report – May 2022 Edition

By Trellix · June 1, 2022
This blog was written by Douglas McKee

Your Cybersecurity Comic Relief

Source: https://twitter.com/cyb3rops/status/1523579115152064513?s=20&t=jtGMOibQPsPviek_QoWKIA

Why Am I here?

People often come together not only due to common interest but also common things they hate. Let’s face it - nobody likes remembering passwords, dealing with biometric scanners that work half the time or carrying around a bunch of two factor tokens. Guess what? Malicious actors hate them too! I dare say sometimes they hate them even more. So, join the rest of the world and rejoice alongside our malicious counterparts in this month’s edition of the Bug Report, showcasing a lack of properly implemented authentication. The winners of this month’s most critical bugs, will remove the overbearing requirement to remember a few passwords:

• CVE-2022-1388: F5 BIG-IP Authentication bypass
• CVE-2022-22972: VMware authentication bypass
• CVE-2022-26925: Windows LSA Spoofing

CVE-2022-1388: Psssh, I am sure someone else checked their ID….

What is it?

There is nothing small about being able to access a root bash shell of an edge device. F5’s BIG-IP appliance which serves as a load balancer, application firewall and proxy has been identified vulnerable to an authentication bypass that enables an attacker to gain remote code execution though the iControl REST API. The attack is made possible by fiddling with the HTTP request header and the X-F5-Auth Token values. The vulnerability exists because of confusion on which application is supposed to authenticate a request. The front end (Apache) believes the backend (Jetty) should authenticate a request that contains an “X-F5-Auth Token”. By using the “Connection” header, an attacker can force the Token to be removed by the time it gets to the backend. Since the token is then no longer present, the backend believes the frontend already performed the authentication and allows the request to move forward. Think of it like being told to pay for your meal at the bar by your server and telling the bartender they already took your payment.

To make matters worse, bash is accessible from this web API. Let that sink in while I repeat for dramatic effect….BASH is accessible from a WEB UI. Therefore, once authentication is bypassed, it is possible to send bash commands directly to the system as root, turning the attack into unauthenticated remote code execution.

Who cares?

Active exploitation by threat actors attempting to erase F5 BIG-IP devices means at least someone is interested. If your organization is running one of the few versions between and including 11.x and 17.x you might be interested as well (someone is for sure interested in you!). The attack surface is exposed through the management port and is not recommended in an internet facing deployment; however, that hasn’t stopped thousands of devices from being configured externally according to Shodan.

What can I do?

For starters, ensure iControl REST API access is not externally facing. Additionally, F5 recommends restricting access to the API to only trusted networks, users and devices by IP address. There are also modifications which can be made to the device’s “httpd” configuration file to mitigate this vulnerability. One other thing that MIGHT prove beneficial would be that rare and controversial idea for fixing vulnerabilities; applying the code the vendor produced explicitly to completely fix this exact issue – otherwise known as a patch!

CVE-2022-22972: Endpoints management without passwords!

What is it?

VMware released an advisory on May 18th about an authentication bypass vulnerability that would allow an attacker with network access, administrative access to certain automation and identity management platforms. This attack works via a modification to the Host header field of an HTTP POST request from the VMware authentication endpoint address to a machine address controlled by an attacker. Not only does this causes the VMware application to send the attacker-controlled machine the credential information, but it lets the attacker decide if the credentials are valid! Therefore, if the attacker-controlled host returns a 200 status, the user is successfully authenticated. It’s like getting to decide if you deserve a raise! Hey Fred, do you think Fred deserves a raise? Gee Fred that sounds like a great idea!

Who cares?

There are 5 VMware products which are affected:

1. VMware Workspace ONE Access (Access)
2. VMware Identity Manager (vIDM)
3. VMware vRealize Automation (vRA)
4. VMware Cloud Foundation
5. vRealize Suite Lifecycle Manager

Although there is not currently any known exploitation, CISA has issued a warning about how threat actors are likely to start using this vulnerability in a larger attack chain, which would allow full system control of VMware systems. Threat actors won’t need to work too hard, considering exploit code for this vulnerability has been released on GitHub recently. Since VMware is one of the largest competitors in the unified endpoint management space, this affects many organizations.

What can I do?

VMware has issued a patch, which is the recommended method to protect against this vulnerability and every other vulnerability where a patch is released. If you are unable to patch, workarounds have also been provided by VMware which vary by affected product.

CVE-2022-26925: EFS, the gift that keeps on giving

What is it?

To understand this roller coaster of a story, we must first go back to last year. In July of 2021, security researcher Topotam disclosed a vulnerability referred to as "PetitPotam” which is an NTLM Relay attack that allowed for unauthenticated attackers on the same network to completely control a Windows domain. This is made possible through bugs found in the remote encrypted file system protocol, or MS-EFSRPC API. Although this attack was supposedly patched in the August 2021 patch release, CVE-2022-26925 is the result of unpatched attack vectors, this time in the EFS API OpenEncryptedFileRaw(A/W). All your domain admins are belong to us!

Who cares?

Although not likely to be an externally facing vulnerability, threat actors continue to prove this is not a barrier of entry. In fact, this vulnerability is already being actively exploited in the wild according to Microsoft. If this follows the same trends as the original PetitPotam vulnerability, we can expect to see ransomware families such as LockFile leveraging this version 2.0. It’s a good thing you switched your entire organization over to Linux and Apple products last month or you might need to worry about exploitation too!

What can I do?

First send an email to the largest distribution list your organization has and ask, “Why are we still using an almost 30-year-old security protocol with many known security flaws when its replacement, Kerberos was released almost 20 years ago?” This should spark a whirlwind of invigorating debate and nasty “reply all” emails to ensure everyone’s mailbox is full by lunch! Now the real work can begin. Ensure to install the latest patch released by Microsoft but also review Microsoft’s guidance on preventing NTLM Relay attacks in the future.