Category Archives: Advisories

F5 Releases August 2021 Security Advisory Including Critical CVE-2021-23031


FortiGuard Labs is aware that F5 released a security advisory on August 24th, 2021 about vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory the next day urging customers to apply the fixes or put the necessary mitigations in place. Of the 13 vulnerabilities the vendor rates High, CVE-2021-23031 carries the highest CVSS score, 8.8 out of 10, and affects BIG-IP Advanced WAF and Application Security Manager (ASM). According to the advisory, "an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services," which may result in the attacker gaining complete control of the system. When the products are running in Appliance mode, the CVSS score and rating rise to 9.9 and Critical, respectively. As Appliance mode is described as "designed to meet the needs of customers in especially sensitive sectors", CVE-2021-23031 requires additional attention and care.

When Did the Vendor Post the Advisory?

The vendor released the advisory on August 24th, 2021.

What is the Breakdown of the Advisory?

The advisory lists 13 High vulnerabilities, 15 Medium vulnerabilities, 1 Low vulnerability and 6 security exposures affecting multiple versions of BIG-IP and BIG-IQ. The High rating for CVE-2021-23031 is elevated to Critical when the affected products are running in Appliance mode.

For more details, see the Appendix for a link to "K50974556: Overview of F5 vulnerabilities (August 2021)".

What is the Result of Successful Exploitation of CVE-2021-23031?

Successful exploitation allows "an authenticated attacker with access to the Configuration utility [to] execute arbitrary system commands, create or delete files, and/or disable services." In the worst case, the vulnerability enables the attacker to take complete control of the system.

What are the Technical Details of CVE-2021-23031?

The advisory offers few technical details and does not explain why there are two separate ratings, beyond noting that the 9.9 rating applies to "the limited number of customers using Appliance mode." The step from 8.8 to 9.9 corresponds to the CVSS v3 Scope metric changing from Unchanged to Changed: Appliance mode exists to confine even administrative users to appliance-style access, so arbitrary command execution from the Configuration utility crosses a boundary the mode is supposed to enforce.

For more details, see the Appendix for a link to "K41351250: BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2021-23031".

What is Appliance Mode?

F5 describes Appliance mode as follows: "BIG-IP systems have the option of running in Appliance mode. Appliance mode is designed to meet the needs of customers in especially sensitive sectors by limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device."

For more details, see the Appendix for a link to "K12815: Overview of Appliance mode".

How Does That Affect the Overall Severity of CVE-2021-23031?

Because the vulnerability allows an authenticated attacker to take complete control of the system, and because Appliance mode is meant to deny administrators exactly that level of access, the CVSS score is 9.9 when the affected products are running in Appliance mode. Since Appliance mode is designed especially for sensitive sectors, the practical impact could be even higher than the score suggests.

What Products Are Vulnerable to CVE-2021-23031?

BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) are vulnerable to CVE-2021-23031.

Which Versions of WAF and ASM Are Vulnerable to CVE-2021-23031?

The following versions are listed as vulnerable by F5:

16.0.0 – 16.0.1
15.1.0 – 15.1.2
14.1.0 – 14.1.4
13.1.0 – 13.1.3
12.1.0 – 12.1.5
11.6.1 – 11.6.5

Is the Vulnerability Exploited in the Wild?

At the time of this writing, FortiGuard Labs is not aware of the vulnerability being exploited in the wild. FortiGuard Labs will continue to monitor the situation and provide updates as they become available.

Is There Any Mitigation for CVE-2021-23031?

According to the advisory, "the only mitigation is to remove access [to the Configuration utility] for users who are not completely trusted". Because the attacker must already be authenticated, this mitigation only narrows the set of accounts that could exploit the flaw; the patch is what removes it.

Has the Vendor Released Patches for the Vulnerabilities in their August 2021 Advisory?

Yes, the vendor has released patches for all vulnerabilities listed in the advisory, including CVE-2021-23031.

What is the Status of Coverage?

At the time of writing, there is not sufficient information or proof-of-concept code available for FortiGuard Labs to create protections. FortiGuard Labs will continue to monitor the situation and provide updates as they become available.
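A triage helper for the version and Appliance-mode conditions above, added here as an example; it is not code from FortiGuard or F5. It takes the affected ranges and the 8.8/High and 9.9/Critical figures exactly as quoted in this post. The inventory rows are constructed, and how a point release such as 14.1.4.2 relates to a listed three-component range is an assumption that must be confirmed against the fixed-version column of K41351250, which this post does not quote.

```python
"""Triage helper for CVE-2021-23031 (BIG-IP Advanced WAF / ASM).

Added example, not part of the FortiGuard post or any F5 tooling.  Affected
ranges and ratings are the ones quoted above from K41351250.
"""
from typing import Dict, List, Optional, Tuple

# Inclusive version ranges listed as vulnerable, as quoted on this page.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("16.0.0", "16.0.1"),
    ("15.1.0", "15.1.2"),
    ("14.1.0", "14.1.4"),
    ("13.1.0", "13.1.3"),
    ("12.1.0", "12.1.5"),
    ("11.6.1", "11.6.5"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a BIG-IP version such as '15.1.2' or '14.1.4.2' into an int tuple.

    Anything after the first whitespace (for example a build number) is ignored.
    """
    main = text.strip().split()[0]
    return tuple(int(part) for part in main.split("."))


def is_affected(version: str) -> bool:
    """True if the major.minor.maintenance part falls inside a listed range.

    ASSUMPTION: F5 lists the ranges at three-component granularity, so a point
    release of a listed maintenance version (14.1.4.2) is treated as inside the
    14.1.0 - 14.1.4 range.  Confirm against the fixed-version column in F5's
    article before acting on this for point releases.
    """
    v = parse_version(version)[:3]
    return any(parse_version(lo)[:3] <= v <= parse_version(hi)[:3]
               for lo, hi in AFFECTED_RANGES)


def assess(version: str, waf_or_asm_provisioned: bool,
           appliance_mode: bool) -> Tuple[str, Optional[float]]:
    """Return (rating, CVSS score) for one device.

    The flaw is in Advanced WAF / ASM, so a device without either module
    provisioned is reported as not affected even on a listed version.
    Appliance mode raises the rating from High/8.8 to Critical/9.9, as the
    advisory states.
    """
    if not waf_or_asm_provisioned or not is_affected(version):
        return ("not affected", None)
    if appliance_mode:
        return ("Critical", 9.9)
    return ("High", 8.8)


def triage(inventory: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Annotate an inventory with rating and score, worst first."""
    rows: List[Dict[str, object]] = []
    for device in inventory:
        rating, score = assess(str(device["version"]),
                               bool(device["waf_or_asm"]),
                               bool(device["appliance_mode"]))
        rows.append({**device, "rating": rating, "cvss": score})
    return sorted(rows, key=lambda r: -(r["cvss"] or 0.0))


# Constructed sample inventory; hostnames and settings are made up.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "bigip-dmz-1", "version": "15.1.2", "waf_or_asm": True, "appliance_mode": True},
    {"host": "bigip-dmz-2", "version": "16.0.1", "waf_or_asm": True, "appliance_mode": False},
    {"host": "bigip-lab", "version": "15.1.3", "waf_or_asm": True, "appliance_mode": True},
    {"host": "bigip-ltm-only", "version": "14.1.4", "waf_or_asm": False, "appliance_mode": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<16} {row['version']:<10} {row['rating']:<13} {row['cvss']}")
```

The module check matters in practice: the same software version on an LTM-only device is not exposed to this CVE, so filtering on provisioned modules keeps the patch queue honest. The Appliance-mode flag is what moves a device to the top of the list.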


ProxyToken (CVE-2021-33766): Authentication Bypass in Microsoft Exchange Server


UPDATE 9/17 - An IPS signature has been released in definitions (18.160) as "MS.Exchange.Server.SecurityToken.Authentication.Bypass".

FortiGuard Labs is aware of a new disclosure dubbed ProxyToken, an authentication bypass in Microsoft Exchange Server. The vulnerability was reported to the Zero Day Initiative (ZDI) by security researcher Le Xuan Tuyen in March 2021 and patched by Microsoft in the July 2021 release. Assigned CVE-2021-33766, the vulnerability allows an unauthenticated attacker to configure actions on mailboxes belonging to arbitrary users on the mail server. For example, the threat actor can add a rule that forwards all email addressed to an arbitrary user to an attacker-controlled account.

What are the Technical Details of this Vulnerability?

Microsoft Exchange Server creates two sites in IIS. The Exchange Front End listens on port 80 (HTTP) and port 443 (HTTPS); the Exchange Back End listens on port 81 (HTTP) and port 444 (HTTPS). The front end is essentially a proxy to the back end. When a form requires authentication, the front end normally handles it itself and serves the logon page at /owa/auth/logon.aspx. The exception is an Exchange-specific feature called "Delegated Authentication": for a request that signals it (the front end keys on a non-empty SecurityToken cookie, the token the IPS signature is named for), the front end does not authenticate the request but passes it straight to the back end and relies on the back end to decide whether it is properly authenticated. In a default deployment the back-end component that would perform that check is not active, so such requests reach the back end with no authentication at all, and the attacker can drive the mailbox-settings (ECP) actions described above.

Is there a Patch Available?

Yes. Microsoft has released patches for this in the July 2021 release.

What is the Status of Coverage?

Customers running the latest definitions are protected by the following IPS signature: MS.Exchange.Server.SecurityToken.Authentication.Bypass

What Products are Affected?

Microsoft Exchange Server 2019, 2016 and 2013 are affected.

Any Other Suggested Mitigation?

Disconnect vulnerable Exchange servers from the internet until the patch can be applied. Given the ease of disruption and the potential for damage to daily operations and reputation, and for unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to protect against attackers establishing a foothold within the network.
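A request-level check for the pattern described above, added here as an example; it is not code from FortiGuard, Microsoft or ZDI. It assumes the publicly documented trigger, a non-empty SecurityToken cookie (the token the IPS signature above is named for) on a request to the front end, and treats the absence of the ECP msExchEcpCanary parameter, which an authenticated ECP session carries, as a secondary indicator. The sample requests and cookie values are constructed. It is meant for reverse-proxy or packet-capture data that retains request headers, since default IIS logs do not record cookies.

```python
"""Flag HTTP requests that match the ProxyToken (CVE-2021-33766) pattern.

Added example, not code from the FortiGuard post, Microsoft or ZDI.  The
trigger (non-empty SecurityToken cookie, ECP path, missing msExchEcpCanary)
follows the public write-up; sample requests below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit


@dataclass
class ParsedRequest:
    method: str
    path: str
    query: Dict[str, List[str]]
    headers: Dict[str, str]
    cookies: Dict[str, str]


def parse_request_head(raw: str) -> ParsedRequest:
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    # "Cookie: a=1; b=2".  Cookie names are kept case-sensitive, matching the
    # exact name the front end looks for.
    cookies: Dict[str, str] = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    url = urlsplit(target)
    return ParsedRequest(method, url.path, parse_qs(url.query), headers, cookies)


def proxytoken_indicators(req: ParsedRequest) -> List[str]:
    """Indicators of the ProxyToken pattern in one request, strongest first."""
    findings: List[str] = []
    if req.cookies.get("SecurityToken"):  # present and non-empty
        findings.append("non-empty SecurityToken cookie: front end defers "
                        "authentication to the back end")
        if req.path.lower().startswith("/ecp/"):
            findings.append("target is an ECP page, the mailbox-settings surface")
            if "msExchEcpCanary" not in req.query:
                findings.append("no msExchEcpCanary parameter, which an "
                                "authenticated ECP session would carry")
    return findings


def scan(raw_requests: List[str]) -> List[dict]:
    """Run the check over a batch of raw requests and return only the hits."""
    hits: List[dict] = []
    for index, raw in enumerate(raw_requests):
        req = parse_request_head(raw)
        indicators = proxytoken_indicators(req)
        if indicators:
            hits.append({"index": index, "method": req.method,
                         "path": req.path, "indicators": indicators})
    return hits


# Constructed samples; host, cookie and canary values are placeholders.
SAMPLE_REQUESTS: List[str] = [
    # Exploit-shaped: SecurityToken cookie, ECP path, no canary.
    "GET /ecp/ HTTP/1.1\r\nHost: mail.example.com\r\nCookie: SecurityToken=x\r\n\r\n",
    # Same cookie and path, but a canary parameter is present.
    "POST /ecp/PersonalSettings/HomePage.aspx?msExchEcpCanary=AAAA HTTP/1.1\r\n"
    "Host: mail.example.com\r\nCookie: SecurityToken=x; ClientId=ABC\r\n\r\n",
    # Ordinary authenticated ECP session: OWA auth cookies, no SecurityToken.
    "GET /ecp/ HTTP/1.1\r\nHost: mail.example.com\r\n"
    "Cookie: cadata=AAAA; cadataTTL=BBBB; cadataKey=CCCC\r\n\r\n",
    # Empty SecurityToken cookie: the front end authenticates as usual.
    "GET /owa/auth/logon.aspx HTTP/1.1\r\nHost: mail.example.com\r\n"
    "Cookie: SecurityToken=\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["index"], hit["method"], hit["path"])
        for line in hit["indicators"]:
            print("   -", line)
```

In an environment that does not use Delegated Authentication, any non-empty SecurityToken cookie arriving at the front end is worth an alert on its own; the ECP path and missing canary only sharpen the triage.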


CVE-2021-21708


In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, a failed filter can trigger use of allocated memory after it has been freed, which can result in crashes and potentially in overwriting other memory chunks and RCE. This issue affects code that uses FILTER_VALIDATE_FLOAT with min/max limits.


CVE-2020-27958


The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template.


CVE-2020-36516


An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim’s TCP session or terminate that session.


Disclosure of DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4


Posted by YEUNG, Tsz Ko on Feb 24

Hi all,

I would like to disclose
the DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4

Details as below:

Vulnerable Software and Version:

1. Technitium Installer v4.4

Vulnerable software download link:
https://technitium.com/tmac/

Date discovered and reported:
25 Feb 2022

Description:
Technitium Installer v4.4 is suffering from DLL Hijacking by placing x86
SXS.dll in the same directory as the installer , which could cause…


DSA-5087 cyrus-sasl2 – security update


It was discovered that the SQL plugin in cyrus-sasl2, a library
implementing the Simple Authentication and Security Layer, is prone to a
SQL injection attack. An authenticated remote attacker can take
advantage of this flaw to execute arbitrary SQL commands and for
privilege escalation.
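An illustration of the bug class the advisory describes, added here as an example; cyrus-sasl's SQL plugin is written in C and this is not its code. It uses Python's sqlite3 module to show an auxprop-style password store that interpolates the attacker-controlled value into an UPDATE, beside the parameterized form, and checks what each does to the rest of the table. The table layout, usernames and the is_admin column are constructed for the illustration.

```python
"""Interpolated vs. parameterized password store, in the shape of the
cyrus-sasl2 SQL auxprop bug described above.

Added example, not cyrus-sasl's code.  Table layout, users and the
is_admin column are constructed for the illustration.
"""
import sqlite3
from typing import Dict, Optional, Tuple

# Value a low-privilege user submits as their "new password".  Spliced into
# the statement as text, it closes the string literal, sets another column,
# supplies its own WHERE clause and comments out the original one.
INJECTED_PASSWORD = "pwned', is_admin = 1 WHERE username = 'mallory' --"


def make_db() -> sqlite3.Connection:
    """Constructed auxprop-style table: one row per (username, realm)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sasl (username TEXT, realm TEXT, userPassword TEXT, "
        "is_admin INTEGER, PRIMARY KEY (username, realm))"
    )
    conn.executemany(
        "INSERT INTO sasl VALUES (?, ?, ?, ?)",
        [
            ("alice", "example.org", "alice-old", 0),
            ("mallory", "example.org", "mallory-old", 0),
            ("root", "example.org", "root-secret", 1),
        ],
    )
    conn.commit()
    return conn


def store_password_unsafe(conn: sqlite3.Connection, username: str,
                          realm: str, value: str) -> str:
    """The bug class: the value is pasted into the SQL text, so a value that
    contains SQL is executed as SQL.  Returns the statement actually run."""
    query = (
        "UPDATE sasl SET userPassword = '%s' "
        "WHERE username = '%s' AND realm = '%s'" % (value, username, realm)
    )
    conn.execute(query)
    conn.commit()
    return query


def store_password_safe(conn: sqlite3.Connection, username: str,
                        realm: str, value: str) -> None:
    """Parameterized form: the driver binds the value, so it can only ever be
    stored as a string, never parsed as part of the statement."""
    conn.execute(
        "UPDATE sasl SET userPassword = ? WHERE username = ? AND realm = ?",
        (value, username, realm),
    )
    conn.commit()


def row(conn: sqlite3.Connection, username: str,
        realm: str = "example.org") -> Optional[Tuple[str, int]]:
    """Return (userPassword, is_admin) for a user, or None."""
    return conn.execute(
        "SELECT userPassword, is_admin FROM sasl WHERE username = ? AND realm = ?",
        (username, realm),
    ).fetchone()


def demo() -> Dict[str, Optional[Tuple[str, int]]]:
    """Run the same injected value through both routines as user mallory."""
    unsafe = make_db()
    store_password_unsafe(unsafe, "mallory", "example.org", INJECTED_PASSWORD)
    safe = make_db()
    store_password_safe(safe, "mallory", "example.org", INJECTED_PASSWORD)
    return {"unsafe": row(unsafe, "mallory"), "safe": row(safe, "mallory")}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:<7} mallory -> {result}")
```

With the interpolated statement, mallory ends up with is_admin set and the password "pwned": an authenticated user changing their own password has escalated privilege, which is the outcome the advisory warns of. The parameterized statement stores the injected string literally and touches nothing else. Escaping the value consistently, as the username and realm already were, closes this one instance; bound parameters remove the class.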
