Security Intelligence FeedWe’ve got your back, even when you don’t know it.

On 23 September 2021, Apple released security updates to fix a vulnerability, exploited by threat actors, in older versions of iOS and macOS. We recommend applying the latest updates as soon as possible.

Details

• A privilege escalation vulnerability, CVE-2021-30869, could allow a malicious application to execute arbitrary code with the highest privileges. Apple addressed a confusion error in XNU, the OS kernel used by macOS and iOS, with the latest update introducing improved state handling. A threat actor would need to authenticate on the system to exploit this vulnerability.
• The flaw is being exploited together with other previously-reported vulnerabilities:
  • CVE-2021-30860 (in the CoreGraphics framework)
  • CVE-2021-30858 (in the WebKit browser engine)
  • For these two vulnerabilities, the updates for iOS 14 were released on 13 September, but are now also available for iOS 12.

• The following updates in Apple products need to be applied to fix these vulnerabilities:
  • iOS 12.5.5 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
  • Security Update 2021-006 for macOS Catalina

Recommendations 

• If you are using any of the vulnerable Apple products, ensure you have the latest updates installed.
• Check for and install software updates on your device manually by going to Settings > General > Software Update.

References

• Apple security updates
• 2021-006 Catalina
• iOS 12.5.5
• 13 September Updates

On 21 September 2021, VMware issued a security advisory on multiple vulnerabilities affecting some versions of VMware vCenter Server and Cloud Foundation. We recommend applying the latest updates as soon as possible.

Details

• Among the 19 flaws covered in the advisory, the most severe one, CVE-2021-22005, was assigned a CVSS 3.1 score of 9.8. Someone with network access could upload a crafted file and use it to execute code on the vCenter (VC) Server Appliance.
• This versions affected are:
  • vCenter Server 6.7 deployments on Linux-based virtual appliances (vCSA)
  • VCSAs running as external Platform Services Controllers (PSCs)  in a vCenter 6.7 environment
  • VC versions 7.0 on both Windows and Linux
  • Cloud Foundation versions 3.x and 4.x

• The flaw does not impact 6.7 VC systems running on Windows. It has been addressed in versions 7.0U2c build 18356314 released on August 24th, and 6.7U3o build 18485166 released on September 21st.
• Based on recent reports regarding vCenter flaws used in ransomware campaigns, the company warned that imminent exploitation of this vulnerability is likely. Shortly after, several independent reports emerged on an ongoing scanning activity for this flaw.
• Other vulnerabilities were noted in vCenter Server that could lead to various scenarios of exploitation once a threat actor gains initial entry. These include:
  • CVE-2021-21991 could allow a non-administrative user on vCenter Server host to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash). The problem is in the way vCenter Server handles session tokens. CVSSv3 base score: 8.8.
  • CVE-2021-22006 could allow a user with network access to port 443 on vCenter Server to access restricted endpoints. It is a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. CVSSv3 base score: 8.3.
  • CVE-2021-22011 could allow a user with network access to port 443 on vCenter Server to perform unauthenticated VM network setting manipulation.
  • This is due to an unauthenticated API endpoint vulnerability in vCenter Server Content Library. CVSSv3 base score: 8.1.

Recommendations

• The best way to remediate this vulnerabilities is to apply the latest updates as outlined by VMware.
•  A workaround is available for those unable to patch for CVE-2021-22005 now. This involves editing a text file on the VCSA and restarting services.

References 

• VMware Security Advisories

On 14 September 2021, Siemens published 21 new security advisories and updated 25 which had been previously released. Five of the fixed vulnerabilities are labelled Critical. We recommend installing the latest updates as soon as possible.

Details

• Among the 36 vulnerabilities fixed this month, two received a maximum CVSS v3.1 Base Score of 10.0:
  • CVE-2021-37181 affects the CCOM communication component used by Desigo CC, Desigo CC Compact and Cerberus danger management station (DMS). The application deserialises untrusted data without sufficient validation. Only those systems that use Windows App and/or IE XBAP Web Client are affected. A remote unauthenticated threat actor could send specially-crafted data to the application and execute arbitrary code in the affected system.
  • CVE-2021-31891 is a command injection vulnerability affecting several building management systems that use the Open Interface Services (OIS) application. An unauthenticated remote user could exploit this vulnerability to execute arbitrary code on vulnerable system(s) with root privileges.

• Other vulnerabilities that received Critical rating are:
  • CVE-2021-27391, a buffer overflow vulnerability in the integrated web server of multiple APOGEE and TALON automation devices. It could allow a unauthenticated remote user to execute arbitrary code on the affected devices with root privileges. CVSS v3.1 Base Score: 9.8.
  • Multiple SmartVNC vulnerabilities in SIMATIC HMI/WinCC Products could allow remote code execution and denial-of-service attacks under certain conditions. One of the flaws is an out-of-bounds memory access issue tracked as CVE-2021-27384. It received a CVSS v3.1 Base Score of 9.8.
  • CVE-2021-37184, an authorization bypass vulnerability in Industrial Edge allows an unauthenticated user to change a password and impersonate any valid user on an affected system. CVSS v3.1 Base Score: 9.8.

Recommendations

• If you are using any of the vulnerable products, apply the latest updates as soon as possible.
• Follow recommended security practices for each product in the applicable Siemens advisory.

References

• Siemens Security Advisories

On 14 September 2021, Schneider Electric (SE) released seven security notifications on vulnerabilities in multiple products with some of them remaining unfixed. We recommend applying the mitigations and updates currently listed by the vendor.

Details

• The risks from two unpatched vulnerabilities in all current versions of monitoring software StruxureWare Data Center Expert could be mitigated by following the SE security hardening guidelines. Both were assigned a CVSS v3.1 Base Score of 9.1. The future versions of StruxureWare Data Center Expert will include a fix for these vulnerabilities:
  • CVE-2021-22794 is a path traversal vulnerability. A threat actor would need to send a specially-crafted request, and be authenticated in order to perform arbitrary code execution on vulnerable system.
  • CVE-2021-22795 could allow the execution of arbitrary OS commands on vulnerable system(s). A remote user would need to pass specially-crafted data to the application.

• SE provided a list of mitigations to be applied for three vulnerabilities affecting Web Server on Modicon M340, Legacy Offers Modicon Quantum and Premium and Associated Communication Modules. Unmitigated systems are at risk of being targeted via the web server, which could result in disclosure of sensitive information or denial of service of the controller.
• CVE-2021-22797 also remains unpatched and affects all current versions of EcoStruxure Control Expert, EcoStruxure Process Expert DCS, and SCADAPack RemoteConnect. An authenticated threat actor could use this flaw for opening a corrupted project file, which could then result in arbitrary code execution on the engineering workstation.
• SE added remediations for SAGE RTU C3414 CPU, C3413 CPU and C3412 CPU affected by critical third-party vulnerabilities in ISaGRAF Workbench and ISaGRAF Runtime products embedded in multiple SE offerings. Malicious actors could take advantage of these flaws to access and disclose sensitive information, for privilege escalation, and in some cases for remote code execution.
• Version 1.15.10 of the C-Bus Toolkit and Version 2.11.8 of the C-Gate Server were released to address multiple security issues that could lead to remote code execution under certain conditions.

Recommendations

• Refer to Schneider Electric Recommended Cybersecurity Best Practices document to ensure the defense-in-depth approach.
• Follow SE security hardening guidelines in the security notifications listed above to reduce the risk.
• If you are using any of the vulnerable products that have fixes available, apply the latest updates as soon as possible.

References

• Schneider Electric Security Notifications
• Cybersecurity Best Practices

On 14 September 2021, SAP released security notes to address 17 vulnerabilities, including seven that are marked HotNews (Critical). We recommend applying the latest updates as soon as possible.

Details

• CVE-2021-37535 affects SAP NetWeaver Application Server Java (JMS Connector Service). Versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 of the product fail to perform necessary authorization checks for user privileges. CVSS score: 10.
• SAP Business Client version 6.5 received an update to a Security Note released April 2018 regarding the browser control Google Chromium delivered with the product. CVSS score: 10.
• SAP Business One version 10.0 received an update to a Security Note released August 2021 on an issue tracked as CVE-2021-33698. This  vulnerability allows someone with business authorization to upload any files (including script files) without the proper file format validation. CVSS score: 9.9.
• CVE-2021-38163 affects SAP NetWeaver (Visual Composer 7.0 RT) versions 7.30, 7.31, 7.40, and 7.50. A party authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable. CVSS score: 9.9.
• CVE-2021-37531 is a Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms) versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50. It allows a non-administrative authenticated user to perform unauthorized functions that could lead to a full compromise of the system. CVSS score: 9.9.
• CVE-2021-38176 is a SQL Injection vulnerability in SAP Near Zero Downtime (NZDT) Mapping Table Framework. The following SAP products that use NZDT are affected: S/4HANA, LT Replication Server, LTRS for S/4HANA, Test Data Migration Server, and Landscape Transformation. CVSS score: 9.9.
• SAP Contact Center was affected by four vulnerabilities tracked as CVE-2021-33672, CVE-2021-33673, CVE-2021-33674, and CVE-2021-33675. All of these are assigned with a CVSS score of 9.6.

Recommendations

• If you are using any of the vulnerable SAP products, ensure you have the latest updates installed.

References 

• SAP Security Notes