CERT/CC

Atlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.

The Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\Atlassian\Bitbucket\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.

By placing a specially-crafted DLL file in the Bitbucket installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Bitbucket software installed. See DLL Search Order Hijacking for more details.

This issue has been addressed in the Bitbucket Windows installer for versions 7.10.1, 7.6.4, and 6.10.9. Please see https://jira.atlassian.com/browse/BSERV-12753 for more details.

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Siemens Totally Integrated Administrator (TIA) fails to properly set the module search path to be used by a privileged Node.js component, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. The PCS neo administration console is reported to be affected as well.

Siemens TIA runs a privileged Node.js component. The Node.js server fails to properly set the module search path. Because of this, Node.js will look for modules in the C:\node_modules\ directory when the server is started. Because unprivileged Windows users can create subdirectories off of the system root, a user can create this directory and place a specially-crafted .js file in it to achieve arbitrary code execution with SYSTEM privileges when the server starts.

By placing a specially-crafted JS file in the C:\node_modules\ directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Siemens TIA or PCS neo administration console software installed.

This issue is addressed in TIA Administrator V1.0 SP2 Upd2. PCS neo administration console users should apply the mitigations described in Industrial Security in SIMATIC PCS neo.

For more details see Siemens Security Advisory SSA-428051.

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Devices supporting both Bluetooth BR/EDR and LE using Cross-Transport Key Derivation (CTKD) for pairing are vulnerable to key overwrite, which enables an attacker to to gain additional access to profiles or services that are not restricted by reducing the encryption key strength or overwriting an authenticated key with an unauthenticated key. This vulnerability is being referred to as BLURtooth.

As detailed in both the Bluetooth Core Specification versions 4.2 and 5.0, Bluetooth CTKD can be used for pairing by devices that support both Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) transport methods, which are known as "dual-mode" devices. CTKD pairing allows the devices to pair once using either transport method while generating both the BR/EDR and LE Long Term Keys (LTK) without needing to pair a second time. Dual-mode devices using CTKD to generate a LTK or Link Key (LK) are able to overwrite the original LTK or LK in cases where that transport was enforcing a higher level of security.

Several potential attacks could be performed by exploiting CVE-2020-15802, including a Man in the Middle (MITM) attack. The vulnerability is being referred to as BLURtooth and the group of attacks is being referred to as the BLUR attacks. Vulnerable devices must permit a pairing or bonding to proceed transparently with no authentication, or a weak key strength, on at least one of the BR/EDR or LE transports in order to be susceptible to attack. For example, it may be possible to pair with certain devices using JustWorks pairing over BR/EDR or LE and overwriting an existing LTK or LK on the other transport. When this results in the reduction of encryption key strength or the overwrite of an authenticated key with an unauthenticated key, an attacker could gain additional access to profiles or services that are not otherwise restricted.

The Bluetooth SIG has released recommendations for mitigating this issue that include additional conformance tests to ensure that the overwrite of an authenticated key or a key of a given length with an unauthenticated key or a key of reduced length is not permitted in devices supporting Bluetooth Core Specification version 5.1 or greater. They also recommend that potentially vulnerable implementations introduce the restrictions on CTKD mandated in Bluetooth Core Specification versions 5.1 and later. Implementations should disallow overwrite of the LTK or LK for one transport with the LTK or LK derived from the other when this overwrite would result in either a reduction of the key strength of the original bonding or a reduction in the MITM protection of the original bonding (from authenticated to unauthenticated). This may require that the host track the negotiated length and authentication status of the keys in the Bluetooth security database.

The Bluetooth SIG further recommends that devices restrict when they are pairable on either transport to times when user interaction places the device into a pairable mode or when the device has no bonds or existing connections to a paired device. In all cases, it is recommended that devices restrict the duration of pairing mode and overwrite an existing bonding only when devices are explicitly in pairing mode.

Thanks to the reporter who wishes to remain anonymous.

This document was written by Madison Oliver.

A heap-based overflow has been discovered in sudo, which may allow a local attacker to execute commands with elevated administrator privileges.

From the Sudo Main Page:

Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

It is possible for a local Non-administrative user to exploit this vulnerability to elevate their privileges so that they can execute commands with administrator privileges. The team at Qualys assigned this vulnerability CVE-2021-3156 and found multiple *nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this. There is additional reporting that other operating systems are affected, including Apple’s Big Sur.

If an attacker has local access to an affected machine then it is possible for them to execute commands with administrator privileges.

Apply an Update

Apply an update if operationally feasible. Update sudo to the latest version to address this vulnerability when operationally feasible. There have been no reports of issues with updates when the patches have been made available.

This vulnerability was researched and reported by the Qualys Research Team.

This document was written by Timur Snoke.

Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.

The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.

By placing a specially-crafted DLL file in the ColdFusion installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable ColdFusion software installed. See DLL Search Order Hijacking for more details.

By default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to installing ColdFusion itself.

Mitigation steps will vary based on the version of ColdFusion being used:
ColdFusion 2016: Apply the changes outlined in the ColdFusion 2016 Lockdown Guide.
ColdFusion 2018: Run the ColdFusion 2018 Auto-Lockdown installer and ensure that it completes without error.
ColdFusion 2021: Run the ColdFusion 2021 Auto-Lockdown installer and ensure that it completes without error.

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Dnsmasq is vulnerable to a set of memory corruption issues handling DNSSEC data and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on a vulnerable system and perform cache poisoning attacks against a vulnerable environment.

These vulnerabilities are also tracked as ICS-VU-668462 and referred to as DNSpooq.

Dnsmasq is widely used open-source software that provides DNS forwarding and caching (and also a DHCP server). Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.

JSOF reported multiple memory corruption vulnerabilities in dnsmasq due to boundary checking errors in DNSSEC handling code.

• CVE-2020-25681: A heap-based buffer overflow in dnsmasq in the way it sorts RRSets before validating them with DNSSEC data in an unsolicited DNS response
• CVE-2020-25682: A buffer overflow vulnerability in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data
• CVE-2020-25683: A heap-based buffer overflow in get_rdata subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries
• CVE-2020-25687: A heap-based buffer overflow in sort_rrset subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries

JSOF also reported vulnerabilities in DNS response validation that can result in DNS cache poisoning.

• CVE-2020-25684: Dnsmasq does not validate the combination of address/port and the query-id fields of DNS request when accepting DNS responses
• CVE-2020-25685: Dnsmasq uses a weak hashing algorithm (CRC32) when compiled without DNSSEC to validate DNS responses
• CVE-2020-25686: Dnsmasq does not check for an existing pending request for the same name and forwards a new request thus allowing an attacker to perform a "Birthday Attack" scenario to forge replies and potentially poison the DNS cache

Note: These cache poisoning scenarios and defenses are discussed in IETF RFC5452.

The memory corruption vulnerabilities can be triggered by a remote attacker using crafted DNS responses that can lead to denial of service, information exposure, and potentially remote code execution. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to arbitrary sites.

These vulnerabilities are addressed in dnsmasq 2.83. Users of IoT and embedded devices that use dnsmasq should contact their vendors.

Consider the following security best-practices to protect DNS infrastructure:

• Protect your DNS clients using stateful-inspection firewall that provide DNS security (e.g., stateful firewalls and NAT devices can block unsolicited DNS responses, DNS application layer inspection can prevent forwarding of anomalous DNS packets).
• Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS services where applicable.
• Prevent exposure of IoT devices and lightweight devices directly over the Internet to minimize abuse of DNS.
• Implement a Secure By Default configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).

Moshe Kol and Shlomi Oberman of JSOF researched and reported these vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with collaborative vendors (Cisco, Google, Pi-Hole, Redhat) to develop patches to address these security vulnerabilities. GitHub also supported these collaboration efforts providing support to use their GitHub Security Advisory platform for collaboration.

This document was written by Vijay Sarvepalli.

The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.

The SolarWinds Orion Platform is a suite of infrastructure and system monitoring and management products. The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. The authentication of the API can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request to the API, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.

This could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.

Apply an Update

Users should update to the relevant versions of the SolarWinds Orion Platform:

• 2019.4 HF 6 (released December 14, 2020)
• 2020.2.1 HF 2 (released December 15, 2020)
• 2019.2 SUPERNOVA Patch (released December 23, 2020)
• 2018.4 SUPERNOVA Patch (released December 23, 2020)
• 2018.2 SUPERNOVA Patch (released December 23, 2020)

More information can be found on the SolarWinds Security Advisory.

Harden the IIS Server

Especially in cases when updates cannot be installed, we recommend that users implement these mitigations to harden their IIS server.

This document was written by Madison Oliver and Will Dormann.

Veritas Backup Exec contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.

CVE-2019-1552

Veritas Backup Exec includes an OpenSSL component that specifies an OPENSSLDIR variable as /usr/local/ssl/. On the Windows platform, this path is interpreted as C:\usr\local\ssl. Backup Exec contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

By placing a specially-crafted openssl.cnf in the C:\usr\local\ssl directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Veritas software installed.

This vulnerability is addressed in Backup Exec 21.1 Hotfix 657517 (Engineering version 21.0.1200.1217) and Backup Exec 20.6 Hotfix 298543 (Engineering version 20.0.1188.2734).

In cases where an update cannot be installed, this vulnerability can be mitigated by creating a C:\usr\local\ssl directory and restricting ACLs to prevent unprivileged users from being able to write to this location.

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU#96491057 as well as the name AMNESIA:33.

Embedded TCP/IP stacks provide essential network communication capability using TCP/IP networking to many lightweight operating systems adopted by IoT and other embedded devices. These software stacks can also be seen in the latest technologies such as Edge Computing. The following embedded TCP/IP stacks were discovered to have 33 memory related vulnerabilities included in this advisory:

• uIP: https://github.com/adamdunkels/uip
• Contiki-OS and Contiki-NG: https://www.contiki-ng.org/
• PicoTCP and PicoTCP-NG: http://picotcp.altran.be
• FNET: http://fnet.sourceforge.net/
• Nut/OS: http://www.ethernut.de/en/software/

These software stacks can be integrated in various ways, including compiled from source, modified and integrated, and linked as a dynamic or static libraries, allowing for a wide variety of implementations. As an example, projects such as Apache Nuttx and open-iscsi have adopted common libraries and software modules, thus inheriting some of the vulnerabilities with varying levels of impact. The diversity of implementations and the lack of supply chain visibility has made it difficult to accurately assess the impact, usage as well as the potential exploitability of these vulnerabilities.

In general, most of these vulnerabilities are caused by memory management bugs, commonly seen in lightweight software implementations in Real Time Operating Systems (RTOS) and IoT devices. For specific details on the vulnerabilities introduced by these vulnerabilities, see the Forescout advisory that provides technical details.

The impact of these vulnerabilities vary widely due to the combination of build and runtime options customized while including these in embedded devices. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause the vulnerable device to behave in unexpected ways such as a failure (denial of service), disclosure of private information, or execution of arbitrary code.

Update to the latest stable version of the affected embedded TCP/IP software that address these recently disclosed vulnerabilities. If you have adopted this software from an upstream provider, contact the provider to get appropriate updates that need to be integrated into your software. Concerned end-users of IoT and embedded devices that implement of these vulnerable TCP/IP software stacks should contact their vendor or the closest reseller to obtain appropriate updates.

We recommend that you follow best practices when connecting IoT or embedded devices to a network:

• Avoid exposure of IoT and embedded devices directly over the Internet and use a segmented network zone when available.
• Enable security features such as deep-packet inspection and firewall anomaly detection when available to protect embedded and IoT devices.
• Ensure secure defaults are adopted and disable unused features and services on your embedded devices.
• Regularly update firmware to the vendor provided latest stable version to ensure your device is up to date.

Jos Wetzels, Stanislav Dashevskyi, Amine Amri and Daniel dos Santos of Forescout Technologies researched and reported these vulnerabilities.

This document was written by Vijay Sarvepalli.

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker to execute commands with unrestricted privileges on the underlying operating system.

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker with access to the administrative configurator on port 8443 and a valid password to execute commands with unrestricted privileges on the underlying operating system. For additional details, please see VMware's security advisory.

This could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.

The CERT/CC is currently unaware of a practical solution to this problem.

Please see the workarounds provided by VMware.

Thanks to VMware for coordinating this vulnerability.

This document was written by Madison Oliver.

The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPBM write command or the content of an RPMB area.

The RPMB protocol "...enables a device to store data in a small, specific area that is authenticated and protected against replay attack." RPMB is most commonly found in mobile phones and tablets using flash storage technology such as eMMC, UFS, and NVMe. The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Additional details are available in Replay Attack Vulnerabilities in RPMB Protocol Applications.

An attacker with physical access to a device can cause a mismatch between the write state or contents of the RPMB area and a trusted component of the device. These mismatches can lead to the trusted component believing a write command failed when in fact it succeeded, or the trusted component believing that certain content was written when in fact different content (unmodified by the attacker) was written. Further implications depend on the specific device and use of RPMB. At least one affected vendor has confirmed that denial of service

Please see the Vendor Information section below. Further vendor information is available in Replay Attack Vulnerabilities in RPMB Protocol Applications.

Rotem Sela and Brian Mastenbrook of Western Digital identified this vulnerability. Western Digital coordinated its disclosure with the affected vendors. Thanks Western Digital PSIRT!

This document was written by Eric Hatleback.