
Spotit SOC Security Blog #1

October 2021

Spotit Blogs

At spotit we never stand still. We are growing fast, organising all kinds of events, improving how we work and communicate with customers, and on top of that we are hard at work building our future. Security, our core business, is more of a hot topic than ever, and it is only right that the month of October is entirely devoted to cybersecurity and everything that comes with it. In this handy update you can read all the news, hot off the press, about our activities, and we give you a convenient overview of our security vulnerability bulletins.

Last month there were all kinds of problems with, among others, Azure Cloud, VMware, Microsoft Windows and Microsoft Office. Problems without solutions? Unheard of in IT (and at spotit), so in this blog we are happy to share some important details. Feel free to scroll down to learn all the ins and outs per category.

Finally, we also have some interesting webinars on the agenda. Curious about what else we have in store? Check out our agenda here and never miss a webinar in the future!

Security & Networks Day 2021

Every year we organise our Security & Networks Day with great enthusiasm: a day on which we welcome our customers, partners and colleagues for a day full of knowledge sharing, networking and fun. This year we could once again invite and meet everyone in person at the top location Quartier Papier in Zaventem. We enjoyed and learned from the various interesting talks, including:

  • Industry 4.0: digital transformation security challenges in OT environments
  • Why a people-centric cyber defense is crucial
  • Information protection & governance
  • Improved visibility and security maturity through spotit SOC services
    • Technology
    • Enrichment and Automation
    • Advisory and Support

An event without good food and a closing act? That is not how we do it at spotit. After the interesting presentations, guests could enjoy a delicious buffet and a performance by Tourist LeMc. Was it a success? No doubt about it! We are already looking forward to the next edition.

Jürgen Verniest, CEO

In the section below you can learn all about the recent security vulnerability bulletins, conveniently summarised per topic.

VMware has published an advisory on 19 vulnerabilities in vCenter Server, the worst being an arbitrary file upload vulnerability (CVE-2021-22005) with a CVSS base score of 9.8 (Critical).

CVE-2021-22005 is currently being exploited in targeted attacks and Proof of Concept code is available.

VMware released patches to address the 19 vulnerabilities on 21/09/2021.

Mitigation
Spotit recommends that its customers with affected versions of VMware vCenter Server (previously known as VMware Cloud Foundation) install the latest versions of these products from VMware Customer Connect.

Affected Products
This bulletin applies to the following VMware products:
vCenter Server (Cloud Foundation) 3.x
vCenter Server (Cloud Foundation) 4.x
vCenter Server 6.5
vCenter Server 6.7
vCenter Server 7.0

Palo Alto Networks has published security advisories on multiple vulnerabilities in PAN-OS. [1]

The vulnerabilities are as follows:
CVE-2020-10188 PAN-OS: Impact of Telnet Remote-Code-Execution (RCE) Vulnerability (CVE-2020-10188) (Severity: HIGH)
CVE-2021-3052 PAN-OS: Reflected Cross-Site Scripting (XSS) in Web Interface (Severity: HIGH)
CVE-2021-3053 PAN-OS: Exceptional Condition Denial-of-Service (DoS) (Severity: HIGH)
CVE-2021-3054 PAN-OS: Unsigned Code Execution During Plugin Installation Race Condition Vulnerability (Severity: HIGH)
CVE-2021-3055 PAN-OS: XML External Entity (XXE) Reference Vulnerability in the PAN-OS Web Interface (Severity: MEDIUM)

Palo Alto Networks has patched all of the above vulnerabilities.

Mitigation
Spotit recommends that its customers install the latest updates for each affected PAN-OS version as applicable.

Version       Affected     Unaffected
PAN-OS 10.1   none         10.1.*
PAN-OS 10.0   < 10.0.6     >= 10.0.6
PAN-OS 9.1    < 9.1.9      >= 9.1.9
PAN-OS 9.0    < 9.0.14     >= 9.0.14
PAN-OS 8.1    < 8.1.20     >= 8.1.20

Alternatively, workarounds and mitigations are described by Palo Alto Networks in the CVE advisories at [1].

References
1. https://security.paloaltonetworks.com/

Microsoft has published an advisory on an unpatched Remote Code Execution vulnerability affecting MSHTML, which is exploited through the browser rendering engine embedded in Microsoft Office documents. [1]

This vulnerability is currently being exploited in targeted attacks and Proof of Concept code is available.

Microsoft has yet to release a security patch for this vulnerability; however, mitigation advice is available below.

CVSS 3.0 Base Score: 8.8 (High)

Mitigation
Spotit recommends that its customers continue to advise their users that they should:
– Never open e-mail attachments from unknown senders.
– Never disable ‘Protected View’ in the ‘Trust Settings’ of Microsoft Office.

Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To disable ActiveX controls on an individual system:
1. To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
2. Double-click the .reg file to apply it to your Policy hive.
3. Reboot the system to ensure the new configuration is applied.

Impact of workaround
This sets the URL actions URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones, for both 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.
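To verify that the workaround is actually in place on a system, the policy Zones key can be exported (for example with reg export, which writes UTF-16 text) and the export checked offline. The parser below is an added example, not Microsoft's tooling; the sample export it checks is constructed here, with zones 1 and 2 absent and zone 3 deliberately missing the 1004 value.

```python
import re

# Policy key the workaround writes to; the zone subkeys 0-3 live under it.
ZONES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones")
# URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004)
WORKAROUND_VALUES = ("1001", "1004")
DISABLED = 3


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in .reg text.
    A 'reg export' file is UTF-16 with a BOM: open it with encoding='utf-16'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if val and current is not None:
            keys[current][val.group(1)] = int(val.group(2), 16)
    return keys


def workaround_status(text, zones=(0, 1, 2, 3)):
    """Map each zone number to True only if both ActiveX download actions are DISABLED (3)."""
    keys = parse_reg(text)
    return {z: all(keys.get(f"{ZONES_KEY}\\{z}", {}).get(v) == DISABLED
                   for v in WORKAROUND_VALUES) for z in zones}


# Constructed sample export (not from a real host): only zone 0 carries the full workaround.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"""

if __name__ == "__main__":
    for zone, ok in workaround_status(SAMPLE_EXPORT).items():
        print(f"zone {zone}: {'workaround applied' if ok else 'NOT applied'}")
```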

How to undo the workaround
Delete the registry keys that were added in implementing this workaround.

Affected Products
All versions of Microsoft Office on Microsoft Windows.
References
1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

CVE-2021-26084 [1] is a Remote Code Execution vulnerability in Atlassian Confluence Server and Confluence Data Center. This vulnerability can allow an authenticated or unauthenticated attacker to execute arbitrary code. The attacker could then install programs; view, change, or delete data; or run programs on the affected server instance.

US Cyber Command has issued an alert [2], due to an ongoing and accelerating mass exploitation of vulnerable server instances.

Proof of Concept code has been publicly available since 31 August 2021, and security researchers have observed active exploitation since 2 September.

This vulnerability affects products with “Allow people to sign up to create their account” enabled. See below for affected product versions.

Atlassian has released patch updates for every affected product version.
CVSS 3.1 Base Score: 9.8 (Critical)

Mitigation
Spotit recommends that its customers with affected versions of Confluence Server and Confluence Data Center apply the appropriate patch update from the Atlassian Download Center [3].

Affected Products
Confluence Server and Confluence Data Center:
All 4.x.x versions
All 5.x.x versions
All 6.0.x versions
All 6.1.x versions
All 6.2.x versions
All 6.3.x versions
All 6.4.x versions
All 6.5.x versions
All 6.6.x versions
All 6.7.x versions
All 6.8.x versions
All 6.9.x versions
All 6.10.x versions
All 6.11.x versions
All 6.12.x versions
All 6.13.x versions before 6.13.23
All 6.14.x versions
All 6.15.x versions
All 7.0.x versions
All 7.1.x versions
All 7.2.x versions
All 7.3.x versions
All 7.4.x versions before 7.4.11
All 7.5.x versions
All 7.6.x versions
All 7.7.x versions
All 7.8.x versions
All 7.9.x versions
All 7.10.x versions
All 7.11.x versions before 7.11.6
All 7.12.x versions before 7.12.5

Not affected:
6.13.23
7.4.11
7.11.6
7.12.5
7.13.0

Confluence Cloud customers are not affected.
References
1. https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
2. https://twitter.com/CNMF_CyberAlert/status/1433787671785185283
3. https://www.atlassian.com/software/confluence/download-archives

Cisco issued a security advisory on 1st September 2021 for CVE-2021-34746 [1], which is a Software Authentication Bypass vulnerability in the Cisco Enterprise NFV Infrastructure (NFVIS) product. This vulnerability allows an unauthenticated remote attacker to bypass authentication and log into an affected device as an administrator.

According to Cisco, Proof of Concept code that exploits the vulnerability exists; however, Cisco has not detected successful weaponization in the wild.

This vulnerability affects Cisco Enterprise NFVIS release 4.5.1 if the TACACS external authentication method is configured.

Cisco has released software updates to address this vulnerability.
CVSS 3.1 Base Score: 9.8 (Critical)

Mitigation
Spotit recommends its customers with affected versions of Cisco Enterprise NFVIS install the 4.6.1 (or later) update.

Information on installing the 4.6.1 update, and on confirming that TACACS external authentication is configured, is available at [1].

Affected Products
Cisco Enterprise NFVIS 4.5.1 if the TACACS external authentication method is configured.

References
1. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVh

Microsoft has published an advisory on multiple vulnerabilities affecting Azure Cloud servers running Linux, which are exploited through the Open Management Infrastructure (OMI) tool. The worst of these is a Remote Code Execution vulnerability.

These vulnerabilities are currently being exploited in targeted attacks and Proof of Concept code is available.

Security researchers discovered that Remote Code Execution on OMI can be obtained by sending a request with the ‘Authorization’ header removed.

Microsoft has patched OMI to address these vulnerabilities.

• CVE-2021-38647 – Unauthenticated RCE as root (CVSS base score: 9.8)
• CVE-2021-38648 – Privilege Escalation vulnerability (CVSS base score: 7.8)
• CVE-2021-38645 – Privilege Escalation vulnerability (CVSS base score: 7.8)
• CVE-2021-38649 – Privilege Escalation vulnerability (CVSS base score: 7.0)

Mitigation
Spotit recommends that its customers with Azure Cloud Linux instances install at least version 1.6.8-1 of OMI, which resolves these vulnerabilities.
OMI version 1.6.8-1 can be obtained here or upgraded through the system package manager as follows:

• Debian-based systems: 'sudo apt-get update && sudo apt-get install omi'
• RedHat-based systems: 'sudo yum update omi' (note that 'rpm -qa omi' only reports the installed version and does not upgrade it; use it to verify the result)

Affected Products
Azure customers with Linux instances are at risk if they are using OMI before version 1.6.8-1.

OMI is automatically installed with root privileges by the following services:
• Azure Automation
• Azure Automatic Update
• Azure Operations Management Suite (OMS)
• Azure Log Analytics
• Azure Configuration Management
• Azure Diagnostics
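Matching an inventory against the version tables in the PAN-OS, Confluence and OMI bulletins above is easy to get wrong by hand (hotfix suffixes, trains with no fix, trains outside the advisory). The helper below is an added example, not vendor code: it encodes those three tables and returns True (affected), False (fixed or unaffected) or None (version outside the table), and the inventory lines it prints are constructed.

```python
import re


def parse_version(s):
    """Numeric components of a version string: '9.1.9-h1' -> (9, 1, 9, 1), '1.6.8-1' -> (1, 6, 8, 1).
    Tuple comparison then orders releases, hotfixes and package revisions numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


# PAN-OS table: first fixed version per release train; None means no version of that train is affected.
PANOS_FIXED = {(10, 1): None, (10, 0): "10.0.6", (9, 1): "9.1.9", (9, 0): "9.0.14", (8, 1): "8.1.20"}


def panos_affected(version):
    v = parse_version(version)
    train = v[:2]
    if train not in PANOS_FIXED:
        return None                      # train not covered by the advisory table
    fix = PANOS_FIXED[train]
    return fix is not None and v < parse_version(fix)


# Confluence table (CVE-2021-26084): every 4.x to 7.12.x release is affected except the
# four trains that received a fix; 7.13.0 and later are not affected.
CONFLUENCE_FIXED = {(6, 13): "6.13.23", (7, 4): "7.4.11", (7, 11): "7.11.6", (7, 12): "7.12.5"}


def confluence_affected(version):
    v = parse_version(version)
    if v[0] < 4:
        return None                      # older than the lowest train listed in the advisory
    if v[:2] >= (7, 13):
        return False
    fix = CONFLUENCE_FIXED.get(v[:2])
    return True if fix is None else v < parse_version(fix)


def omi_affected(version):
    """Anything before package version 1.6.8-1 is affected. A bare '1.6.8' sorts below
    '1.6.8-1' and is reported as affected, which errs on the safe side."""
    return parse_version(version) < parse_version("1.6.8-1")


if __name__ == "__main__":
    # Constructed inventory lines, not real hosts.
    for product, check, ver in [("PAN-OS", panos_affected, "9.1.8"),
                                ("PAN-OS", panos_affected, "9.1.9-h1"),
                                ("Confluence", confluence_affected, "7.12.4"),
                                ("OMI", omi_affected, "1.6.4-1")]:
        print(f"{product} {ver}: affected={check(ver)}")
```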

CVE-2021-33766 [1], aka ‘ProxyToken’, is a vulnerability in Microsoft Exchange Server that allows an unauthenticated attacker to perform configuration actions on mailboxes belonging to arbitrary users, including intercepting mail, and forwarding mail to external mail servers.

Microsoft issued a patch for this vulnerability in the April 2021 Security Update [2].
Proof of Concept information for this vulnerability has been published [3].
CVSS 3.0 Base Score: 7.3 (High)

Mitigation
Spotit recommends that its customers with affected versions of Microsoft Exchange Server apply the April 2021 Security Update.

Affected Products
Microsoft Exchange Server 2019 Cumulative Update 9
Microsoft Exchange Server 2019 Cumulative Update 8
Microsoft Exchange Server 2016 Cumulative Update 20
Microsoft Exchange Server 2016 Cumulative Update 19
Microsoft Exchange Server 2013 Cumulative Update 23

References
1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766
2. https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/
3. https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server

Thanks for reading and if you would like to talk to us or have questions about our events please reach out!

James Guthrie, spotit SOC