Article: Microsoft: New critical Windows HTTP vulnerability is wormable

Update 3/21/22: I found some PoC exploits on GitHub for this vulnerability: https://github.com/search?q=CVE-2022-21907

Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.

The bug, tracked as CVE-2022-21907 and patched during this month’s Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server.

Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.

Microsoft recommends users prioritize patching this flaw on all affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and “in most situations,” without requiring user interaction.

Links

Article: VMware Patches Important Bug Affecting ESXi, Workstation and Fusion Products

VMWare has shipped updates to Workstation, Fusion, and ESXi products to address an “important” security vulnerability that could be weaponized by a threat actor to take control of affected systems.

The issue relates to a heap-overflow vulnerability — tracked as CVE-2021-22045 (CVSS score: 7.7) — that, if successfully exploited, results in the execution of arbitrary code. The company credited Jaanus Kääp, a security researcher with Clarified Security, for reporting the flaw.

“A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine,” VMware said in an advisory published on January 4. “Successful exploitation requires [a] CD image to be attached to the virtual machine.”

Links

Article: Microsoft warns of easy Windows domain takeover via Active Directory bugs

Microsoft warned customers today to patch two Active Directory domain service privilege escalation security flaws that, when combined, allow attackers to easily takeover Windows domains.

The company released security updates to address the two security vulnerabilities (tracked as CVE-2021-42287 and CVE-2021-42278 and reported by Andrew Bartlett of Catalyst IT) during the November 2021 Patch Tuesday.

Redmond’s warning to immediately patch the two bugs — both allowing attackers to impersonate domain controllers — comes after a proof-of-concept (PoC) tool that can leverage these vulnerabilities was shared on Twitter and GitHub on December 11.

Links

Article: WHEN HONEY BEES BECOME MURDER HORNETS (New MikroTik vulnerability)

What do you do when two million cheap and powerful devices become the launchpad for one of the most powerful botnets ever? You stop treating the threat like a newly discovered and unexpected honey bee hive and you start remediating like you’ve discovered a Murder Hornet nest.

Based in Latvia, MikroTik may not be a household name, but it has been a popular supplier of routers and wireless ISP devices since 1996 with more than 2,000,000 devices deployed worldwide. These devices are both powerful, and as our research shows, often highly vulnerable. For the money, there is hardly a more powerful device a consumer can get their hands on.

This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka “C2”), traffic tunneling, and more. The ability to proxy and manipulate traffic should be of particular interest to enterprise security teams. With the increase in users working from home, attackers now have a wealth of easily discoverable, vulnerable devices that can provide attackers with easy access to both the employee’s home devices, as well as devices and resources of the enterprise. In effect, the perimeter has as many holes as a bee’s nest has hexagons.

And while threat actors have the tools to find vulnerable MikroTik devices, many enterprises do not. Even the default Shodan searches for MikroTik leave entire swaths of these devices undiscovered. Part of our research aim is to shine a light on this problem by mapping the MikroTik attack surface and providing researchers and security teams with tools that they can use to find both vulnerable and already-compromised MikroTik devices.

Given such a vast percentage of these devices have been in a vulnerable state for many years on end, it is simply not enough to find ‘old’ (vulnerable) devices. Instead, we need to leverage the very same tactics, techniques, and procedures (TTPs) the attackers use. We need to discover whether a given device might already be compromised and determine whether it is patched or not. Even non-vulnerable device firmware versions can still be readily configured for malicious purposes.

Links

Article: Log4Shell – What You Need To Know Log4j Vulnerability – CVE 2021-44228

h0w1tzr’s Commentary: This is a REALLY nasty bug that has been not only seen in the wild but wormable payloads have also been seen. This is just the tip of the iceberg. It affects everything from Apache Web Servers to VMware vSphere to Atlassian Jira to Ghidra to ICS devices. Essentially anything that is written in Java could be potentially be exploited. This is probably the worst bug since Heartbleed with even more ramifications. The good news, if there is any, is that this vulnerability doesn’t break out of the Java Virtual Machine (JVM) but you can remotely load Java classes that are being used to download a secondary payload.

On December 9, 2021, the Log4j vulnerability, tracked as CVE-2021-44228, was publicly revealed via the project’s GitHub. This page collects all the intelligence that Randori has gathered since the release of the vulnerability that impacts many types of software, and likely billions of devices.

This vulnerability, which was discovered by Chen Zhaojun of Alibaba Cloud Security Team, impacts Apache Log4j 2 versions 2.0 to 2.14.1.

This weakness allows arbitrary code execution. A logging utility such as Log4j is meant to allow developers to log various types of data within their applications, this data is typically based on user inputs, but does not have to be.

The Log4j vulnerability allows an attacker to load any code they want via the Log4j logging structure. Threat actors can point the logging protocol to a Java library of their choosing, and it would automatically load the target.

We estimate Log4j to be as far reaching as the Heartbleed vulnerability and Shellshock combined. More than 2.5 billion devices running Java, coupled with the fact this vulnerability is extremely easy to exploit, means the impact is likely very far reaching

Links

Scanners

Article: Kali Linux 2021.4 released with 9 new tools, further Apple M1 support

​Kali Linux 2021.4 was released yesterday by Offensive Security and includes further Apple M1 support, increased Samba compatibility, nine new tools, and an update for all three main desktop.

Kali Linux is a Linux distribution allowing cybersecurity professionals and ethical hackers to perform penetration testing and security audits against internal and remote networks.

With this release, the Kali Linux Team introduces a bunch of new features, including:

    • Apple M1 support for the VMware Fusion Public Tech Preview
    • Wide compatibility is enabled for Samba
    • Making it easier to switch to Cloudflare’s package manager mirror
    • Kaboxer updated with support for window themes and icon theme
    • Updates to the Xfce, GNOME and KDE desktops
    • Raspberry Pi Zero 2 W + USBArmory MkII ARM images
    • Nine more tools!

Links

Article: 8-year-old HP printer vulnerability affects 150 printer models

Researchers have discovered several vulnerabilities affecting at least 150 multi-function (print, scan, fax) printers made by Hewlett Packard.

Since the flaws discovered by F-Secure security researchers Alexander Bolshev and Timo Hirvonen date back to at least 2013, they’ve likely exposed a large number of users to cyberattacks for a notable amount of time.

HP has released fixes for the vulnerabilities in the form of firmware updates for two of the most critical flaws on November 1, 2021.

These are CVE-2021-39237 and CVE-2021-39238. For a complete list of the affected products, click on the tracking numbers for the corresponding advisories.

The first one concerns two exposed physical ports that grant full access to the device. Exploiting it requires physical access and could lead to potential information disclosure.

The second one is a buffer overflow vulnerability on the font parser, which is a lot more severe, having a CVSS score of 9.3. Exploiting it gives threat actors a way to remote code execution.

CVE-2021-39238 is also “wormable,” meaning a threat actor could quickly spread from a single printer to an entire network.

As such, organizations must upgrade their printer firmware as soon as possible to avoid large-scale infections that start from this often ignored point of entry.

Links

*** Found via Bleeping Computer ***

Article: Microsoft Exchange servers hacked to deploy BlackByte ransomware

h0w1tzr’s Comments: These CVEs affect all MS Exchange Server versions from 2013-2019.

The BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities.

ProxyShell is the name for a set of three Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on the server when chained together.

These vulnerabilities are listed below and were fixed by security updates released in April and May 2021:

    • CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
    • CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
    • CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

Since researchers disclosed the vulnerabilities, threat actors have begun to exploit them to breach servers and install web shells, coin miners, and ransomware.

Links

*** Found via LinkedIn ***