Update 1/11 – “What is the Status of Coverage” section updatedFortiGuard Labs is aware of newly discovered vulnerability in H2 Database software. The vulnerability is an unauthenticated remote code execution in the H2 database console and similar to Log4j, it is JNDI-based and has an exploit vector similar to it. This vulnerability has been assigned CVE-2021-42392 and was found by security researchers at JFrog. What is H2 Database?H2 is a relational database management system written in Java and is open source. It can be embedded in Java applications or run in client-server mode and data does not need to be stored on disk. What are the Technical Details?In a nutshell, the vector is similar to Log4Shell, where several code paths in the H2 database framework pass unfiltered attacker controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (remote code execution). The H2 database contains a web based console which listens for connections at http://localhost:8082. The console will contain parameters that are passed by JdbcUtils.getConnection and a malicious URL controlled by the attacker.This vulnerability affects systems with H2 console installed. The vulnerability does not affect machines with H2 database installed in standalone mode. The vulnerability (by default) looks for connections from localhost, or a non remote connection. However, this vulnerability can be modified to listen for remote connections, therefore allowing susceptibility to remote code execution attacks. How Severe is This? Is it Similar to Log4j?According to the report, this is not believed to be as severe as Log4j, because of several factors. The first factor requires H2 console to be present on the system as both the console and database are able to operate independently of each other. Second, the default configuration of accepting connections from localhost must be edited to listen for external connections, which means that default installations are safe to begin with. What is the CVSS score?At this time, details are not available. What Mitigation Steps are Available?FortiGuard Labs recommends that users of H2 database software upgrade to version 2.0.206 immediately. If this is not possible, placing a vulnerable instance behind a firewall or removing access from the public facing internet is suggested. For further details on mitigation, please refer to the JFrog blog “The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console” located in the APPENDIX. What is the Status of Coverage?Customers running the latest IPS definitions (19.237) are protected against exploitation of CVE-2021-42392 with the following signature:H2.Database.Console.JNDI.Remote.Code.Execution
Category Archives: Advisories
Wormable Windows Vulnerability (CVE-2022-21907) Patched by Microsoft
UPDATE January 13 2022: Protection section has been updated with a IPS signature information.FortiGuard Labs is aware that a total of 96 vulnerabilities were patched by Microsoft on January 11th, 2022 as part of regular MS Patch Tuesday. In those vulnerabilities, CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability) is one of the nine vulnerabilities that are rated critical. In the advisory, Microsoft warned that CVE-2022-21907 is wormable and “recommends prioritizing the patching of affected servers”.Why is this Significant?This is significant because CVE-2022-21907 is considered wormable as such malware can exploit the vulnerability to self-propagate without any user interaction nor elevated privilege. CVE-2022-21907 targets the HTTP trailer support feature that is enabled by default in various Windows 10 and 11 versions, as well as Windows Server 2022. The vulnerability also has a CVSS score of 9.8 (max score 10).What is CVE-2022-21907?CVE-2022-21907 is a remote code execution vulnerability in HTTP protocol stack (http.sys). HTTP.sys is a legitimate Windows component that is responsible for parsing HTTP requests. An unauthenticated attacker could craft and send a malicous packet to an affected server utilizing the HTTP Protocol Stack (http.sys) to process packets, which leads to remote code execution.Which Versions of Windows are Vulnerable?Per the Microsoft advisory, the following Windows versions are vulnerable:Windows Server 2019Windows Server 2022Windows 10Windows 11Note that the HTTP trailer support feature is inactive by default in Windows Server 2019 and Windows 10 version 1809. As such, they are not vulnerable unless the feature is enabled.Is the Vulnerability Exploited in the Wild?FortiGuard Labs is not aware of CVE-2022-21907 being exploited in the wild at the time of this writing.Has the Vendor Released a Fix?Yes. Microsoft released a fix for CVE-2022-21907 on January 11th, 2022 as part of regular Patch Tuesday.What is the Status of Coverage? (Updated January 13 2022)FortiGuard Labs has released the following IPS signature in version 19.241:MS.Windows.HTTP.Protocol.Stack.CVE-2022-21907.Code.Execution (default action is set to pass)Any Mitigation?Microsoft provided the following mitigation in the advisory:In Windows Server 2019 and Windows 10 version 1809, the the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:HKEY_LOCAL_MACHINESystemCurrentControlSetServicesHTTPParameters”EnableTrailerSupport”=dword:00000001This mitigation does not apply to the other affected versions.
DSA-5068 chromium – security update
Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.
Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Cisco Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to execute code on the affected systems. Depending on the privileges associated with the targeted user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users configured to have fewer privileges on the system could be less impacted than those who operate with elevated privileges.
DSA-5067 ruby2.7 – security update
Several vulnerabilities have been discovered in the interpreter for
the Ruby language and the Rubygems included, which may result
in information disclosure or denial of service.
DSA-5066 ruby2.5 – security update
Several vulnerabilities have been discovered in the interpreter for the
Ruby language and the Rubygems included, which may result in
XML roundtrip attacks, the execution of arbitrary code, information
disclosure, StartTLS stripping in IMAP or denial of service.
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
A Vulnerability in Samba Could Allow for Arbitrary Code Execution
A vulnerability has been discovered in Samba which could allow for arbitrary code execution. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Successful exploitation of this vulnerability could result in arbitrary code execution as root on affected Samba installations that use the VFS module vfs_fruit. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.