Posts

0-days in Microsoft exchange servers


Published: 2021-03-02
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858 
CVE-2021-27065 

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”

As these vulnerabilities are currently being exploited and used in targeted attacks, patching should be done as soon as possible.
Along with attack details and information about these vulnerabilities, Microsoft also published how to scan exchange log files for indicators of compromise, which is also recommended to do.

Update 2020-03-07: There are currently many published exploits for this vulnerability. Patching this vulnerability is not enough, one must also investigate for potential breaches.

Internally this is being tracked in BF-VLN-2229454.

Microsoft Windows Multiple Security Updates Affecting TCP/IP | CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

Published: 2021-02-09
MITRE CVE-2021-24074
MITRE CVE-2021-24094
MITRE CVE-2021-24086

“Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”

CVSS Base Score is 9.8, 9.8 and 7.5.

All have potential workarounds that should have a minimal operational impact.

Currently there is no exploit in the wild. If an exploit is published this vulnerability will become critical to mitigate as fast as possible.

We are tracking this internally as BF-VLN-2216447 with the highest priority and is currently evaluating this vulnerability and how to best handle it and ensure operational stability for all our customers.

For further general details we point to the Microsoft Security Response Center blog post about the topic.

CVE-2020-17095 | Windows Hyper-V Remote Code Execution Vulnerability

Published: 2020-12-08
MITRE CVE-2020-17095

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data.”

This is especially bad for “hotel” environment with multiple different tenants that should not be able to influence each other, but it is also bad for environments with different levels of security sensitivity within the same tenant.

There is no workarounds or possible mitigations in the configuration.

CVSS Base Score is 8.5

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2180090 with the highest priority.

CVE-2020-16891 | Windows Hyper-V Remote Code Execution Vulnerability

Published: 2020-10-13
MITRE CVE-2020-16891

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.”

This is especially bad for “hotel” environment with multiple different tenants that should not be able to influence each other, but it is also bad for environments with different levels of security sensitivity within the same tenant.

There is no workarounds or possible mitigations in the configuration.

CVSS Base Score is 8.8

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2140691with the highest priority.

CVE-2020-3992 | ESXi OpenSLP remote code execution vulnerability

Published: 2020-10-20
MITRE CVE-2020-3992

“A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.”

The workaround is to stop and disable the SLP service.

CVSS Base Score is 9.8

Basefarm and VMware recommends that you install the updates for this vulnerability as soon as possible. Basefarm also recommends that the management services of ESXi servers are not available for regular users, but are places on a protected network.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2146240 with the highest priority.

CVE-2020-0618 | Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability

Published by Microsoft: 02/11/2020
MITRE CVE-2020-0618

“A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account.”

There exists a proof of concept and write-up.

Basefarm considers this a Base CVSS Score: 9.8 (Critical) – but there exists an official fix from Microsoft, bringing the Temporal CVSS Score down to a 9.4 (Critical).

And we consider most of our users do not expose Microsoft SQL Server Reporting Service directly to the internet, so this CVSS Environmental Score can be lowered down to a 7.6 (High).

Per Basefarm Vulnerability process we still consider this a priority 1 (of 3) issue, and we will not wait until normal patch window to mitigate this issue. Internally we are tracking this progress in BF-VLN-1990987, registered 2020-02-18.

Security Software & Tools Tips – December 2019

In this monthly post, we try to make you aware of five different security-related products.
This is a repost from my personal website Ulyaoth

This month we have chosen for the following:
* Azure Arc
* CloudGuard Dome9
* Flan Scan
* Lynis
* Wapiti

Azure Arc

Information from the Azure Arc website:

Azure Arc extends management & security to any infrastructure.

Website:

https://azure.microsoft.com/en-us/services/azure-arc/

CloudGuard Dome9

Information from the CloudGuard Dome9 website:

The Dome9 Arc agentless SaaS platform delivers full visibility and control of security and compliance in AWS, Azure and Google Cloud environments. Minimize your attack surface and protect against vulnerabilities, identify theft and data loss.

Website:

https://dome9.com/

Flan Scan

Information from the Flan Scan website:

Flan Scan is a lightweight network vulnerability scanner. With Flan Scan you can easily find open ports on your network, identify services and their version, and get a list of relevant CVEs affecting your network.

Website:

https://github.com/cloudflare/flan

Lynis

Information from the Lynis website:

Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing.

Website:

https://cisofy.com/lynis/

Wapiti

Information from the Wapiti website:

Wapiti is a vulnerability scanner for web applications. It currently search vulnerabilities like XSS, SQL and XPath injections, file inclusions, command execution, XXE injections, CRLF injections, Server Side Request Forgery, Open Redirects…

Website:

https://sourceforge.net/projects/wapiti/

Image by MasterTux from Pixabay

Security Software & Tools Tips – November 2019

In this monthly post, we try to make you aware of five different security-related products.
This is a repost from my personal website Ulyaoth

This month we have chosen for the following:
* Kismet
* MAGNET RAM Capture
* RedLock
* SQLMap
* Wazuh

Kismet

Information from the block-doh website:

Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework.

Website:

https://kismetwireless.org/

MAGNET RAM Capture

Information from the MAGNET RAM Capture website:

MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.

Website:

https://www.magnetforensics.com/resources/magnet-ram-capture/

RedLock

Information from the RedLock website:

RedLock Enables Cloud Threat Defense: Threat defense in the cloud requires a new AI-driven approach that correlates disparate security data sets including network traffic, user activities, risky configurations and threat intelligence, to provide a unified view of risks across fragmented cloud environments.

Website:

https://redlock.io/

SQLMap

Information from the SQLMap website:

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

Website:

https://github.com/sqlmapproject/sqlmap

Wazuh

Information from the Wazuh website:

Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Website:

https://wazuh.com/

Image by StockSnap from Pixabay

Security Software & Tools Tips – October 2019

In this monthly post, we try to make you aware of five different security-related products.
This is a repost from my personal website Ulyaoth

This month we have chosen for the following:
* block-doh
* DisableWinTracking
* P0f
* GitGuardian
* Sandboxie

block-doh

Information from the block-doh website:

DoH provides “privacy” at the expense of security. The prominent providers do NOT filter malicious websites, domains, and IP addresses. This has the effect of creating a mechanism by which hackers bypass security policy and this has been observed in the wild. Organizations that use DNS to protect their constituents are directly harmed by DoH.

Website:

https://github.com/bambenek/block-doh

DisableWinTracking

Information from the DisableWinTracking website:

A tool that uses some of the known methods of disabling tracking in Windows 10.

Website:

https://github.com/10se1ucgo/DisableWinTracking

P0f

Information from the P0f website:

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way.

Website:

http://lcamtuf.coredump.cx/p0f3/

GitGuardian

Information from the GitGuardian website:

GitGuardian is a cybersecurity bot. It prevents public exposure of your secrets from your Github repo. It is also the first platform scanning all GitHub public activity in real time for API secret tokens, database credentials or vault keys.

Website:

https://www.gitguardian.com/

Sandboxie

Information from the Sandboxie website:

Sandboxie uses isolation technology to separate programs from your underlying operating system preventing unwanted changes from happening to your personal data, programs and applications that rest safely on your hard drive.

Website:

https://www.sandboxie.com/

Image by 200 Degrees from Pixabay

Security Software & Tools Tips – September 2019

In this monthly post, we try to make you aware of five different security-related products.
This is a repost from my personal website Ulyaoth

This month we have chosen for the following:
* CipherCloud
* CodeDiaper
* N-Stalker
* Passhunt
* SonarTS

CipherCloud

Information from the CipherCloud website:

The CipherCloud CASB+ platform provides deep visibility, end-to-end data protection, advanced threat protection, and comprehensive compliance capabilities for enterprise embracing cloud-based applications.

Website:

https://www.ciphercloud.com/ciphercloud-overview/

CodeDiaper

Information from the CodeDiaper website:

You can search for a specific string from all the source code on GitHub and check if it has been posted illegally.

Website:

https://github.com/future-architect/code-diaper

N-Stalker

Information from the N-Stalker website:

N-Stalker Web Application Security Scanner X Free Edition provides a restricted set of free Web Security Assessment checks to enhance the overall security of your web server infrastructure, using the most complete web attack signature database available in the market – “N-Stealth Web Attack Signature Database”.

Website:

https://www.nstalker.com/products/editions/free/

Passhunt

Information from the Passhunt website:

Passhunt is a simple tool for searching of default credentials for network devices, web applications and more. Search through 523 vendors and their 2084 default passwords.

Website:

https://github.com/Viralmaniar/Passhunt

SonarTS

Information from the SonarTS website:

Static code analyzer for TypeScript detecting bugs and suspicious patterns in your code.

Website:

https://github.com/SonarSource/SonarTS

Image by Pete Linforth from Pixabay