CERT/CC

VU#240785: Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs
Atlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.
DescriptionThe Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\Atlassian\Bitbucket\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
ImpactBy placing a specially-crafted DLL file in the Bitbucket installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Bitbucket software installed. See DLL Search Order Hijacking for more details.
Solution Apply an updateThis issue has been addressed in the Bitbucket Windows installer for versions 7.10.1, 7.6.4, and 6.10.9. Please see https://jira.atlassian.com/browse/BSERV-12753 for more details.
AcknowledgementsThis vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
VU#466044: Siemens Totally Integrated Automation Portal vulnerable to privilege escalation due to Node.js paths
Siemens Totally Integrated Administrator (TIA) fails to properly set the module search path to be used by a privileged Node.js component, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. The PCS neo administration console is reported to be affected as well.
DescriptionSiemens TIA runs a privileged Node.js component. The Node.js server fails to properly set the module search path. Because of this, Node.js will look for modules in the C:\node_modules\ directory when the server is started. Because unprivileged Windows users can create subdirectories off of the system root, a user can create this directory and place a specially-crafted .js file in it to achieve arbitrary code execution with SYSTEM privileges when the server starts.
ImpactBy placing a specially-crafted JS file in the C:\node_modules\ directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Siemens TIA or PCS neo administration console software installed.
Solution Apply an updateThis issue is addressed in TIA Administrator V1.0 SP2 Upd2. PCS neo administration console users should apply the mitigations described in Industrial Security in SIMATIC PCS neo.
For more details see Siemens Security Advisory SSA-428051.
AcknowledgementsThis vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
VU#589825: Devices supporting Bluetooth BR/EDR and LE using CTKD are vulnerable to key overwrite
Devices supporting both Bluetooth BR/EDR and LE using Cross-Transport Key Derivation (CTKD) for pairing are vulnerable to key overwrite, which enables an attacker to to gain additional access to profiles or services that are not restricted by reducing the encryption key strength or overwriting an authenticated key with an unauthenticated key. This vulnerability is being referred to as BLURtooth.
DescriptionAs detailed in both the Bluetooth Core Specification versions 4.2 and 5.0, Bluetooth CTKD can be used for pairing by devices that support both Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) transport methods, which are known as "dual-mode" devices. CTKD pairing allows the devices to pair once using either transport method while generating both the BR/EDR and LE Long Term Keys (LTK) without needing to pair a second time. Dual-mode devices using CTKD to generate a LTK or Link Key (LK) are able to overwrite the original LTK or LK in cases where that transport was enforcing a higher level of security.
ImpactSeveral potential attacks could be performed by exploiting CVE-2020-15802, including a Man in the Middle (MITM) attack. The vulnerability is being referred to as BLURtooth and the group of attacks is being referred to as the BLUR attacks. Vulnerable devices must permit a pairing or bonding to proceed transparently with no authentication, or a weak key strength, on at least one of the BR/EDR or LE transports in order to be susceptible to attack. For example, it may be possible to pair with certain devices using JustWorks pairing over BR/EDR or LE and overwriting an existing LTK or LK on the other transport. When this results in the reduction of encryption key strength or the overwrite of an authenticated key with an unauthenticated key, an attacker could gain additional access to profiles or services that are not otherwise restricted.
SolutionThe Bluetooth SIG has released recommendations for mitigating this issue that include additional conformance tests to ensure that the overwrite of an authenticated key or a key of a given length with an unauthenticated key or a key of reduced length is not permitted in devices supporting Bluetooth Core Specification version 5.1 or greater. They also recommend that potentially vulnerable implementations introduce the restrictions on CTKD mandated in Bluetooth Core Specification versions 5.1 and later. Implementations should disallow overwrite of the LTK or LK for one transport with the LTK or LK derived from the other when this overwrite would result in either a reduction of the key strength of the original bonding or a reduction in the MITM protection of the original bonding (from authenticated to unauthenticated). This may require that the host track the negotiated length and authentication status of the keys in the Bluetooth security database.
The Bluetooth SIG further recommends that devices restrict when they are pairable on either transport to times when user interaction places the device into a pairable mode or when the device has no bonds or existing connections to a paired device. In all cases, it is recommended that devices restrict the duration of pairing mode and overwrite an existing bonding only when devices are explicitly in pairing mode.
AcknowledgementsThanks to the reporter who wishes to remain anonymous.
This document was written by Madison Oliver.
VU#794544: Heap-Based Buffer Overflow in Sudo
A heap-based overflow has been discovered in sudo, which may allow a local attacker to execute commands with elevated administrator privileges.
DescriptionFrom the Sudo Main Page:
Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
It is possible for a local Non-administrative user to exploit this vulnerability to elevate their privileges so that they can execute commands with administrator privileges. The team at Qualys assigned this vulnerability CVE-2021-3156 and found multiple *nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this. There is additional reporting that other operating systems are affected, including Apple’s Big Sur.
ImpactIf an attacker has local access to an affected machine then it is possible for them to execute commands with administrator privileges.
SolutionApply an Update
Apply an update if operationally feasible. Update sudo to the latest version to address this vulnerability when operationally feasible. There have been no reports of issues with updates when the patches have been made available.
AcknowledgementsThis vulnerability was researched and reported by the Qualys Research Team.
This document was written by Timur Snoke.
VU#125331: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs
Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
DescriptionThe Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
ImpactBy placing a specially-crafted DLL file in the ColdFusion installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable ColdFusion software installed. See DLL Search Order Hijacking for more details.
Solution Use the Server Auto-Lockdown InstallerBy default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to installing ColdFusion itself.
Mitigation steps will vary based on the version of ColdFusion being used:
ColdFusion 2016: Apply the changes outlined in the ColdFusion 2016 Lockdown Guide.
ColdFusion 2018: Run the ColdFusion 2018 Auto-Lockdown installer and ensure that it completes without error.
ColdFusion 2021: Run the ColdFusion 2021 Auto-Lockdown installer and ensure that it completes without error.
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
VU#434904: Dnsmasq is vulnerable to memory corruption and cache poisoning
Dnsmasq is vulnerable to a set of memory corruption issues handling DNSSEC data and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on a vulnerable system and perform cache poisoning attacks against a vulnerable environment.
These vulnerabilities are also tracked as ICS-VU-668462 and referred to as DNSpooq.
DescriptionDnsmasq is widely used open-source software that provides DNS forwarding and caching (and also a DHCP server). Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.
JSOF reported multiple memory corruption vulnerabilities in dnsmasq due to boundary checking errors in DNSSEC handling code.
- CVE-2020-25681: A heap-based buffer overflow in dnsmasq in the way it sorts RRSets before validating them with DNSSEC data in an unsolicited DNS response
- CVE-2020-25682: A buffer overflow vulnerability in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data
- CVE-2020-25683: A heap-based buffer overflow in get_rdata subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries
- CVE-2020-25687: A heap-based buffer overflow in sort_rrset subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries
JSOF also reported vulnerabilities in DNS response validation that can result in DNS cache poisoning.
- CVE-2020-25684: Dnsmasq does not validate the combination of address/port and the query-id fields of DNS request when accepting DNS responses
- CVE-2020-25685: Dnsmasq uses a weak hashing algorithm (CRC32) when compiled without DNSSEC to validate DNS responses
- CVE-2020-25686: Dnsmasq does not check for an existing pending request for the same name and forwards a new request thus allowing an attacker to perform a "Birthday Attack" scenario to forge replies and potentially poison the DNS cache
Note: These cache poisoning scenarios and defenses are discussed in IETF RFC5452.
ImpactThe memory corruption vulnerabilities can be triggered by a remote attacker using crafted DNS responses that can lead to denial of service, information exposure, and potentially remote code execution. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to arbitrary sites.
Solution Apply updatesThese vulnerabilities are addressed in dnsmasq 2.83. Users of IoT and embedded devices that use dnsmasq should contact their vendors.
Follow security best-practicesConsider the following security best-practices to protect DNS infrastructure:
- Protect your DNS clients using stateful-inspection firewall that provide DNS security (e.g., stateful firewalls and NAT devices can block unsolicited DNS responses, DNS application layer inspection can prevent forwarding of anomalous DNS packets).
- Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS services where applicable.
- Prevent exposure of IoT devices and lightweight devices directly over the Internet to minimize abuse of DNS.
- Implement a Secure By Default configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).
Moshe Kol and Shlomi Oberman of JSOF researched and reported these vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with collaborative vendors (Cisco, Google, Pi-Hole, Redhat) to develop patches to address these security vulnerabilities. GitHub also supported these collaboration efforts providing support to use their GitHub Security Advisory platform for collaboration.
This document was written by Vijay Sarvepalli.
VU#843464: SolarWinds Orion API authentication bypass allows remote comand execution
The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.
DescriptionThe SolarWinds Orion Platform is a suite of infrastructure and system monitoring and management products. The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. The authentication of the API can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request to the API, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.
ImpactThis could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.
SolutionApply an Update
Users should update to the relevant versions of the SolarWinds Orion Platform:
- 2019.4 HF 6 (released December 14, 2020)
- 2020.2.1 HF 2 (released December 15, 2020)
- 2019.2 SUPERNOVA Patch (released December 23, 2020)
- 2018.4 SUPERNOVA Patch (released December 23, 2020)
- 2018.2 SUPERNOVA Patch (released December 23, 2020)
More information can be found on the SolarWinds Security Advisory.
Harden the IIS Server
Especially in cases when updates cannot be installed, we recommend that users implement these mitigations to harden their IIS server.
AcknowledgementsThis document was written by Madison Oliver and Will Dormann.
VU#429301: Veritas Backup Exec is vulnerable to privilege escalation due to OPENSSLDIR location
Veritas Backup Exec contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.
DescriptionCVE-2019-1552
Veritas Backup Exec includes an OpenSSL component that specifies an OPENSSLDIR variable as /usr/local/ssl/. On the Windows platform, this path is interpreted as C:\usr\local\ssl. Backup Exec contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
ImpactBy placing a specially-crafted openssl.cnf in the C:\usr\local\ssl directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Veritas software installed.
Solution Apply an updateThis vulnerability is addressed in Backup Exec 21.1 Hotfix 657517 (Engineering version 21.0.1200.1217) and Backup Exec 20.6 Hotfix 298543 (Engineering version 20.0.1188.2734).
Create a C:\usr\local\ssl directoryIn cases where an update cannot be installed, this vulnerability can be mitigated by creating a C:\usr\local\ssl directory and restricting ACLs to prevent unprivileged users from being able to write to this location.
AcknowledgementsThis vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
VU#815128: Embedded TCP/IP stacks have memory corruption vulnerabilities
Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU#96491057 as well as the name AMNESIA:33.
DescriptionEmbedded TCP/IP stacks provide essential network communication capability using TCP/IP networking to many lightweight operating systems adopted by IoT and other embedded devices. These software stacks can also be seen in the latest technologies such as Edge Computing. The following embedded TCP/IP stacks were discovered to have 33 memory related vulnerabilities included in this advisory:
- uIP: https://github.com/adamdunkels/uip
- Contiki-OS and Contiki-NG: https://www.contiki-ng.org/
- PicoTCP and PicoTCP-NG: http://picotcp.altran.be
- FNET: http://fnet.sourceforge.net/
- Nut/OS: http://www.ethernut.de/en/software/
These software stacks can be integrated in various ways, including compiled from source, modified and integrated, and linked as a dynamic or static libraries, allowing for a wide variety of implementations. As an example, projects such as Apache Nuttx and open-iscsi have adopted common libraries and software modules, thus inheriting some of the vulnerabilities with varying levels of impact. The diversity of implementations and the lack of supply chain visibility has made it difficult to accurately assess the impact, usage as well as the potential exploitability of these vulnerabilities.
In general, most of these vulnerabilities are caused by memory management bugs, commonly seen in lightweight software implementations in Real Time Operating Systems (RTOS) and IoT devices. For specific details on the vulnerabilities introduced by these vulnerabilities, see the Forescout advisory that provides technical details.
ImpactThe impact of these vulnerabilities vary widely due to the combination of build and runtime options customized while including these in embedded devices. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause the vulnerable device to behave in unexpected ways such as a failure (denial of service), disclosure of private information, or execution of arbitrary code.
Solution Apply updatesUpdate to the latest stable version of the affected embedded TCP/IP software that address these recently disclosed vulnerabilities. If you have adopted this software from an upstream provider, contact the provider to get appropriate updates that need to be integrated into your software. Concerned end-users of IoT and embedded devices that implement of these vulnerable TCP/IP software stacks should contact their vendor or the closest reseller to obtain appropriate updates.
Follow best-practicesWe recommend that you follow best practices when connecting IoT or embedded devices to a network:
- Avoid exposure of IoT and embedded devices directly over the Internet and use a segmented network zone when available.
- Enable security features such as deep-packet inspection and firewall anomaly detection when available to protect embedded and IoT devices.
- Ensure secure defaults are adopted and disable unused features and services on your embedded devices.
- Regularly update firmware to the vendor provided latest stable version to ensure your device is up to date.
Jos Wetzels, Stanislav Dashevskyi, Amine Amri and Daniel dos Santos of Forescout Technologies researched and reported these vulnerabilities.
This document was written by Vijay Sarvepalli.
VU#724367: VMware Workspace ONE Access and related components are vulnerable to command injection
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker to execute commands with unrestricted privileges on the underlying operating system.
DescriptionVMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker with access to the administrative configurator on port 8443 and a valid password to execute commands with unrestricted privileges on the underlying operating system. For additional details, please see VMware's security advisory.
ImpactThis could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.
SolutionThe CERT/CC is currently unaware of a practical solution to this problem.
WorkaroundsPlease see the workarounds provided by VMware.
AcknowledgementsThanks to VMware for coordinating this vulnerability.
This document was written by Madison Oliver.
VU#231329: Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks
The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPBM write command or the content of an RPMB area.
DescriptionThe RPMB protocol "...enables a device to store data in a small, specific area that is authenticated and protected against replay attack." RPMB is most commonly found in mobile phones and tablets using flash storage technology such as eMMC, UFS, and NVMe. The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Additional details are available in Replay Attack Vulnerabilities in RPMB Protocol Applications.
ImpactAn attacker with physical access to a device can cause a mismatch between the write state or contents of the RPMB area and a trusted component of the device. These mismatches can lead to the trusted component believing a write command failed when in fact it succeeded, or the trusted component believing that certain content was written when in fact different content (unmodified by the attacker) was written. Further implications depend on the specific device and use of RPMB. At least one affected vendor has confirmed that denial of service
SolutionPlease see the Vendor Information section below. Further vendor information is available in Replay Attack Vulnerabilities in RPMB Protocol Applications.
AcknowledgementsRotem Sela and Brian Mastenbrook of Western Digital identified this vulnerability. Western Digital coordinated its disclosure with the affected vendors. Thanks Western Digital PSIRT!
This document was written by Eric Hatleback.