Security Intelligence Feed

We’ve got your back, even when you don’t know it.

Our analysts are on top of the latest developments in cyber security. This feed is our way to share our findings and research to help you better understand the ever-changing security landscape while continuing to give you the peace of mind that Covalence is always protecting you.


Researchers Find Multiple Vulnerabilities in NicheStack

Researchers published details on a set of 14 vulnerabilities affecting NicheStack, a TCP/IP stack commonly used by industrial automation companies. Several vendors will be releasing updates to fix the flaws. Timely updates are recommended.

Details

  • Collectively dubbed INFRA:HALT, this set of vulnerabilities affects NicheStack prior to 4.3. NicheStack is a proprietary TCP/IP stack for embedded systems developed by InterNiche Technologies.
  • HCC Embedded, the company that acquired the networking business of InterNiche Technologies in 2016, released security advisories and the updates. Device vendors using vulnerable versions of the stack will be releasing their own firmware updates to their customers.
  • The majority of the vulnerabilities have been rated as high-severity. Two of the flaws were rated as critical:
    • CVE-2020-25928 is an out-of-bounds read/write when parsing DNS responses, leading to remote code execution. CVSS score: 9.8.
    • CVE-2021-31226 is a heap buffer overflow flaw when parsing HTTP post requests, leading to remote code execution. CVSS score: 9.1.
  • Researchers report finding 2,500 systems from 21 vendors that are vulnerable to INFRA:HALT with a wide range of issues including: remote code execution, denial of service (DoS), information leaks, TCP spoofing, and DNS cache poisoning.
  • An active scanning tool to identify the affected products on the networks was published. Care should be taken if leveraging these tools, as they have only been validated in test environments and perform active scanning on the network.

Recommendations

  • We recommend monitoring for vendor update releases and timely patching of affected devices.

Apple Releases Out-of-band Update

On 26 July 2021, Apple released an out-of-band security update to address an actively exploited vulnerability. Timely updates are recommended.

Details

  • The issue, tracked as CVE-2021-30807, is in the IOMobileFramebuffer kernel extension. It is a local privilege escalation (LPE) flaw that allows a local application to trigger memory corruption and execute malicious code with kernel privileges.
  • Apple reported that this issue may have been actively exploited.
  • The versions of Apple products fixing this vulnerability are iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1.

Recommendations

  • If you are using any of the vulnerable Apple products, ensure you have the latest updates installed.
  • Check for and install software updates on your device manually by going to Settings > General > Software Update.

New NTLM Relay Attack Method Published

On 23 July 2021, Microsoft issued a security advisory on Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS). The advisory provides mitigation steps for a security issue that could be used to access domain services such as Windows domain controllers or other Windows servers.

Details

  • Last week, researchers published a proof-of-concept (PoC) for a new Windows NT LAN Manager (NTLM) relay attack, dubbed PetitPotam. Threat actors could use this code to force a remote Windows server, including Domain Controllers, to authenticate with a malicious destination and share Microsoft NTLM authentication details and certificates. An attacker would need to be on your network or be connected to your domain without a VPN.
  • PetitPotam abuses the EfsRpcOpenFileRaw function of Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC allows Windows machines to perform operations on encrypted data stored on remote systems.
  • Microsoft stated that systems potentially vulnerable to this attack have NTLM authentication enabled in their domain and are using Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. The AD CS is a public key infrastructure (PKI) server commonly used to authenticate users, services, and machines on a Windows domain.
  • Microsoft recommends disabling NTLM authentication on a Windows domain controller. When NTLM cannot be turned off for compatibility reasons, Microsoft provided alternative mitigation steps available in their KB5005413 article.

Recommendations

  • If you have NTLM enabled, review and apply the mitigation steps in the Microsoft KB5005413 article listed below.
  • Exercise caution before disabling NTLM, as some legacy applications still rely on NTLM authentication to function properly.
  • We recommend a detailed audit of NTLM requests in your environment using the Group Policy (GPO) settings located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
  • When possible, we recommend migrating from NTLM to Kerberos, which relies on encryption rather than password hashing. For legacy applications that require NTLM, we recommend using the more recent NTLMv2 and allowing an exception for only those applications to minimize the risk.
  • Enforce SMB Session Signing, LDAP signing and LDAPS channel binding on domain controllers to prevent NTLM relay attacks.
  • Please note that disabling the Encrypting File System (EFS) service does not mitigate the risk.
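As an added example (not part of the advisory or of Microsoft's guidance), the following PowerShell reads the registry values behind the Group Policy settings named in the recommendations above (NTLM auditing, NTLMv2-only authentication, SMB signing, LDAP signing and LDAP channel binding) and flags any that still need review; the policy-to-registry mapping and the "Expected" values are this editor's assumptions aligned to those recommendations, so adjust them to your own policy before acting on the output.

```powershell
# Added example (not from the advisory): read-only check of the NTLM-relay
# hardening settings recommended above, as stored in the local registry.
# Run in an elevated PowerShell on a domain controller or member server.
# The NTDS values exist only on domain controllers and show "not set" elsewhere.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: policy not configured
    return [int]$item.$Name
}

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv      = "$lsa\MSV1_0"
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Each row: policy name, registry path, value name, values treated as compliant
# (assumed mapping; verify against your organisation's baseline).
$checks = @(
    @{ Setting='Restrict NTLM: Audit incoming NTLM traffic';         Path=$msv;      Name='AuditReceivingNTLMTraffic'; Ok=@(1,2) },
    @{ Setting='Restrict NTLM: Audit NTLM authentication in domain'; Path=$netlogon; Name='AuditNTLMInDomain';         Ok=@(7) },
    @{ Setting='LAN Manager authentication level (5 = NTLMv2 only)'; Path=$lsa;      Name='LmCompatibilityLevel';      Ok=@(5) },
    @{ Setting='SMB server: digitally sign communications (always)'; Path=$lanman;   Name='RequireSecuritySignature';  Ok=@(1) },
    @{ Setting='DC: LDAP server signing requirements (2 = require)'; Path=$ntds;     Name='LDAPServerIntegrity';       Ok=@(2) },
    @{ Setting='DC: LDAP channel binding (2 = always)';              Path=$ntds;     Name='LdapEnforceChannelBinding'; Ok=@(2) }
)

$report = foreach ($c in $checks) {
    $current = Get-RegDword -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Setting
        Current  = if ($null -eq $current) { 'not set' } else { $current }
        Expected = ($c.Ok -join ' or ')
        Status   = if ($null -ne $current -and $c.Ok -contains $current) { 'OK' } else { 'REVIEW' }
    }
}

# Rows marked REVIEW are candidates for the GPO changes listed in the recommendations.
$report | Format-Table -AutoSize
```

A REVIEW row means the setting is absent or below the expected value; a domain-level audit (AuditNTLMInDomain) only applies on domain controllers.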

References: KB5005413; Microsoft Security Advisory

Apple Security Updates Address Vulnerabilities in Multiple Products

This week Apple released security updates to address multiple vulnerabilities in its products. The most critical of these flaws could be exploited to execute arbitrary code. Timely patching is recommended.

Details

  • The updates for macOS Mojave, Catalina, and Big Sur address multiple vulnerabilities that could be exploited to execute arbitrary code.
  • Issues addressed in iOS 14.7 and iPadOS 14.7 include arbitrary code execution, denial of service (DoS), bypass of code signing checks and kernel memory mitigations, and information leaks, among others.
  • Notably, Apple addressed CVE-2021-30800, a flaw commonly known as WiFiDemon, affecting devices running iOS versions prior to 14.7. The issue was previously misclassified as DoS only. Researchers later found that joining a malicious Wi-Fi network with an affected device may also result in remote code execution with no user interaction required.
  • The fixes also address four memory corruption issues (CVE-2021-30799, CVE-2021-30797, CVE-2021-30795, and CVE-2021-30758) in WebKit that could allow arbitrary code execution via maliciously-crafted Web content.
  • Other notable fixes include:
    • CVE-2021-3518, a remote arbitrary code execution flaw due to an issue in libxml2.
    • CVE-2021-30765, CVE-2021-30766, CVE-2021-30703, CVE-2021-30793, issues allowing an application to execute arbitrary code with kernel privileges.
    • CVE-2021-30672, a memory corruption issue in Bluetooth that could allow a malicious application to gain root privileges.

Recommendations

  • If you are using any of the vulnerable Apple products, ensure you have the latest updates installed.
  • Check for and install software updates on your device manually by going to Settings > General > Software Update.

July 2021 Oracle Critical Patch Update Addresses 327 Flaws

On 20 July 2021, Oracle released its Critical Patch Update (CPU) with fixes for 327 vulnerabilities; 43 of these are remotely exploitable flaws requiring no authentication to exploit. Timely patching is recommended.

Details

  • The July 2021 CPU addresses vulnerabilities in multiple Oracle product families and its third-party components; 49 of them have a CVSS 3.1 score above 9.
  • Of note is a critical vulnerability in Essbase Analytic Provider Services 21.2 (component: JAPI), tracked as CVE-2021-2244, that received a CVSS 3.1 score of 10. An unauthenticated threat actor with network access via HTTP could compromise an unpatched product remotely.
  • Oracle Fusion Middleware was the most affected product with 48 fixes overall. Nine of these vulnerabilities have a score above 9 and are remotely exploitable with no authentication required.
  • Oracle MySQL received 41 patches. Ten of these vulnerabilities may be exploited remotely without requiring user credentials.
  • Other products with multiple critical fixes include Oracle E-Business Suite, Oracle Database Server, Oracle PeopleSoft, Oracle Retail Applications, Oracle Financial Services Applications, Oracle Communications Applications, and Oracle Communications among others.

Recommendations

  • If you are using any of the products mentioned in the Oracle Critical Patch Update Advisory, check for the updates on the advisory page noted below.
  • Timely implementation of the updates and all applicable mitigations is recommended.

References: Oracle Critical Patch Update Advisory