Microsoft's May 2022 Patch Tuesday contains several bugs in ubiquitous software that could affect millions of machines, researchers warn.

Microsoft squashed 74 security vulnerabilities with its May 2022 Patch Tuesday update, including an important-rated zero-day bug that's being actively exploited in the wild and several that are likely widely present across enterprises.

It also patched seven critical flaws, 65 other important-rated bugs, and one low-severity issue. The fixes run the gamut of the computing giant's portfolio, including: Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol.

**3 Zero-Days, 1 Actively Exploited**  
The actively exploited bug (CVE-2022-26925) is a Windows LSA-spoofing vulnerability that rates 8.1 out of 10 on the CVSS vulnerability-severity scale – however, Microsoft notes in its advisory that it should be bumped up to critical (CVSS 9.8) if used in Windows NT LAN Manager (NTLM) relay attacks.

"\[A\]n unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," Microsoft warns in its advisory – a concerning situation considering that domain controllers provide high-level access to privileges.

Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server – which they can then use to authenticate to the remote server with the compromised user's privileges.

That said, the bug is tougher to exploit than most, explains Trend Micro Zero Day Initiative (ZDI) researcher Dustin Childs in a Tuesday blog. "The threat actor would need to be in the logical network path between the target and the resource requested (e.g., man-in-the-middle), but since this is listed as under active attack, someone must have figured out how to make that happen."

Tyler Reguly, manager of security R&D at Tripwire, tells Dark Reading that the bug could be related to a previously seen threat known as PetitPotam, which emerged in July to allow attackers to force remote Windows systems to reveal easily crackable password hashes.

"Based on Microsoft’s provided links, this looks to be related to the previous PetitPotam patch," he notes, adding that researchers will be guessing about that. "This is a prime example of where detailed executive summaries that explain what is happening were useful in the past. It would be great if Microsoft could return to providing those on a regular basis," he says.

Microsoft also patched two other zero-days, including a critical bug (CVE-2022-29972, CVSS not available) in Insight Software's Magnitude Simba Amazon Redshift ODBC Driver – "a third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory," as ZDI's Childs explains.

He adds, "This update is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services."

The final zero-day (CVE-2022-22713, CVSS 5.6) is an important-rated bug in Windows Hyper-V that could allow denial-of-service (DoS).

**Leading Lights: Critical Microsoft Security Bugs to Patch Now**  
As far as other patches for admins to prioritize this month, some of the critical-rated issues are far-reaching across organizational infrastructure and could affect millions of companies, researchers warn.

"The big news is the critical vulnerabilities that need to be highlighted for immediate action," Chris Hass, director of security at Automox, tells Dark Reading. "This month features vulnerabilities in a number of applications that are prevalent in most enterprise organizations, including NSF, Remote Desktop Client, and Active Directory."

For instance, the critical bug affecting Windows Network File System, or NFS (CVE-2022-26937, CVSS 9.8) could allow unauthenticated remote code-execution (RCE) in the context of the highly privileged NFS service, according to Microsoft's advisory. To boot, its ubiquity is Log4j-like: It "is present in every Windows Server version from 2008 forward," Hass says, "which puts most organizations at risk if action isn't taken quickly."

Further, "these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data, often part of a ransom attempt," Kevin Breen, director of cyber threat research at Immersive Labs, tells Dark Reading.

In terms of who should especially prioritize the patch, "NFS isn't on by default, but it's prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly," Childs warns.

As for other critical bugs to consider, Breen flags CVE-2022-22017 (CVSS 8.8), an RCE issue in the also-ubiquitous Remote Desktop (RDP) Client.

"With more remote workers than ever, enterprises need to put anything affecting RDP on the radar — especially given its popularity with ransomware actors and access brokers," he warns.

The Active Directory bug (CVE-2022-26923, CVSS 8.8) is found in Domain Services and could allow elevation of privilege thanks to an issue with the issuance of certificates. ZDI, which reported the bug, says that an attacker can gain access to a certificate to authenticate to a DC with a high level of privilege, allowing any domain-authenticated user to become a domain admin if Active Directory Certificate Services are running.

"This is a very common deployment," Childs says. "Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later."

Of less concern, Breen says, are a group of 10 RCE bugs in LDAP (the most severe, CVE-2022-22012, has a CVSS score of 9.8). These "appear particularly threatening; however, they have been marked by Microsoft as 'exploitation less likely' as they require a default configuration unlikely to exist in most environments," he notes. "It's not to say there is no need to patch these, rather a reminder that context is important when prioritizing patches."

**The Worst of the Rest**  
A handful of other vulnerabilities that also stood out to researchers are worth noting here, starting with Windows Print Spooler, which has long presented an attractive bull's-eye for cyberattackers.

"There were several Windows Print Spooler vulnerabilities patched this month, including two information disclosure flaws (CVE-2022-29114, CVE-2022-29140) and two elevation of privilege flaws (CVE-2022-29104, CVE-2022-29132)," Satnam Narang, staff research engineer at Tenable, tells Dark Reading. "All of the flaws are rated as important, and two of the three are considered more likely to be exploited. Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation-of-privilege flaws in particular should be carefully prioritized, as we've seen ransomware groups like Conti favor them as part of its playbook."

Breen also highlighted two other important-rated bugs as patching priorities:

*   CVE-2022-29108, a remotely executable flaw in Sharepoint that could likely be abused by an attacker seeking to move laterally across an organization. "Requiring authenticated access to exploit, it could be used by a threat actor to steal confidential information or inject documents with malicious code or macros that could be part of a wider attack chain," Breen warns.
*   A bug in Azure Data Factory (no CVE assigned) is remotely exploitable and can expose an enterprise’s confidential data, according to Breen.

Virsec CTO and co-founder Satya Gupta says that overall, the broader context of Microsoft's patching trends is important to consider for defenders. Specifically, in the last year, more than a third of the patches (1,330, or 36%) are for RCE issues.

"This of course represents a massive opportunity for malicious actors to compromise nearly any customer," he says. "In total, several of May's vulnerabilities represent a Log4j level of exposure, particularly if you consider what it would take to patch millions of servers."

What to Patch Now: Actively Exploited Windows Zero-Day Threatens Domain Controllers

The incident was a devastating attack, but it exposed gaps in cybersecurity postures that otherwise would have gone unnoticed.

The Colonial Pipeline ransomware attack that took place exactly one year ago sent shockwaves across the nation that are still being felt today. A cyberattack with such massive real-world implications had never been seen before, let alone an attack on one of the largest critical infrastructure assets in the US that was initially started via an exposed virtual private network (VPN) password. During the attack, threat actors stole nearly 100GB of data, and not long after, the Colonial Pipeline took its systems offline for several days to prevent the further spread of ransomware. The Colonial Pipeline’s shutdown affected oil and fuel supplies in many states, and as a result, the US government declared a state of emergency.

Critical infrastructure, such as the infrastructure technology and operational technology systems managed by Colonial Pipeline, is often a prime target for cybercriminals. These national assets not only store highly valuable government, company, and consumer data in their systems but could also dramatically disrupt society if compromised. The fact that the Colonial Pipeline attack was due to a security lapse served as a wake-up call for companies all over the world to rethink their cybersecurity postures.

In the wake of the attack, President Biden immediately signed an Executive Order on "Improving the Nation’s Cybersecurity," which emphasized that incremental improvements are not enough; bold change and significant investments in cybersecurity must be made to defend critical infrastructure. Federal agencies and organizations were provided with a timeline and steps to advance their cybersecurity strategies and infrastructure. However, in the months following Colonial Pipeline, the US also witnessed several other critical incidents that made national headlines, including the Kaseya ransomware attack and the discovery of the Log4j vulnerability that was baked within the foundations of the world’s software applications. Thus, it is evident that many true changes have yet to be made. Let’s take a deeper look at the developments organizations must make to their cybersecurity postures to protect the nation’s critical infrastructure.

**Further Visibility into Business-Critical Applications is Crucial**  
Recent legislation, such as the Cybersecurity Executive Order and Cyber Incident Reporting for Critical Infrastructure Act, mark improvements for the nation’s cybersecurity landscape, as they impose specific regulatory requirements and provide further transparency into organizations’ cyber events. Despite these developments, many organizations responsible for the nation’s critical infrastructure are still operating without visibility into their business-critical applications’ security, as demonstrated by the influx of attacks that succeeded the Colonial Pipeline. Organizations must understand that systems, such as enterprise resource planning (ERP), supply chain management, and logistics management, are interconnected and support mission-critical operations that can be severely disrupted if they are compromised by adversaries. A universal shift in enterprise cybersecurity strategies is crucial to ensure organizations can swiftly recover from a cyberattack as detrimental as the Colonial Pipeline one.

**Taking Actions to Defend the Nation’s Critical Systems**  
Without stronger security controls, business-critical systems will remain vulnerable to attack. Proper defenses need to be in place to ensure America’s valuable data is protected. Below are several actions organizations must take to protect their sanctioned resources:

*   **Obtain visibility into critical assets:** Enterprises must gain full visibility into all critical and connected systems to eliminate any system blind spots. By obtaining a comprehensive view of the IT and OT systems, organizations can discover internal and external threats and assess their impact in real time.

*   **Implement vulnerability management tools:** As vulnerabilities are an easy point of entry into business-critical assets, organizations should incorporate advanced vulnerability management into their cybersecurity posture that includes automated tools that can scan for system weaknesses. Automated vulnerability management technologies identify where misconfigurations, authorization issues, and missing patches exist, and automatically apply the necessary mitigations.

*   **Adopt cybersecurity best practices:** Improving threat detection and response can help close many gaps that exist in cybersecurity postures; however, adopting cybersecurity best practices is absolutely essential to mitigate unauthorized access to privileged accounts. Enterprises must ensure their employees are cognizant of all threats they may face in their day-to-day operations, such as highly targeted phishing schemes.

  
While the Colonial Pipeline incident was a devastating attack, it exposed gaps in cybersecurity postures that otherwise would have gone unnoticed. Enterprises that make active efforts to strengthen their cybersecurity strategies will be able to proactively mitigate threats as they arise, exceed regulatory compliance requirements, and ultimately foster trust with their employees, customers, and the community as a whole. Moving beyond Colonial Pipeline is possible but cannot be done without real improvement in cybersecurity defenses.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Colonial Pipeline 1 Year Later: What Has Yet to Change?

Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.

To accommodate better up-to-date content, all the mitigation technical step section has been moved to the “Log4j2 Issue (CVE-2021-44228)” section of Talend Documentation site. The section is locate at <https://document-link.us.cloud.talend.com/talend\_log4j2\_cve\_statement?lang=en&version=latest&env=prd\>

**Frequently Asked Questions**

**Does Talend employ affected versions of Log4j its software?  
**Yes. Certain Talend Services use Log4j2 or provide it to customers as part of their Services. Details regarding specific Talend Service versions and steps to address the issues are provided in the Security Incident Response.

**Is Log4j part of any functionality a Talend customer uses when working with Talend?  
**Yes.

**Does Talend have a patch available now or when will it be available?  
**Patches are specific to Talend Service, the version of the Talend Service, the severity of the risk, and other mitigating controls Talend maintains. While Talend has developed and implemented patches for the Apache Log4j2 vulnerability, the situation is dynamic, and updates are disclosed on a continuous basis. To stay up to date with the most relevant information, please refer to the table in the Summary section of this document.

**How will Talend notify its customers and how will customers receive the patch?** We have reached out to Customers via registered support contacts with instructions to monitor the Security Incident response page. This page is updated regularly and is the best source for up-to-date information.

**If Talend is hosting the customers Talend instance, is Talend using Apache Log4j on any of its systems?  
**Yes. Certain Talend Services use Log4j2, or provide it to customers as part of their Services.

**What steps has Talend taken to mitigate the threat?  
**Since disclosure of the Apache Log4j2 vulnerability, Talend has taken steps to identify all the instances where Apache Log4j2 is utilized within Talend Services, developed, and implemented patches where applicable and as needed, implemented other mitigating controls, and contacted Talend vendors regarding their exposure to Apache Log4j2.

Mitigation efforts, including software patches, are specific to Talend Service, the version of the Talend Service, and the severity of the risk. While Talend has developed patches for the Apache Log4j2 vulnerability, the situation is dynamic, and updates are disclosed on a continuous basis. To stay up to date with the most relevant information, please refer to the table in the Summary section of this document.

**Is Talend monitoring its systems for any indication of compromise (IOC)?  
**Yes.

**Have any of Talend's 3rd parties been affected by this threat?  
**Yes. Part of what makes the Apache log4j2 vulnerability so severe, is its widespread use. Talend is in the process of communicating with critical vendors to coordinate remediation.

**Will Talend publish information related to versions which have reached their end of life (e.g.** 5.X, 6.X, or earlier 7.X releases**)?**  
Yes. Currently supported products are our priority.  To determine if a version is supported or has reached its end-of-life, please refer to Talend's Product support lifecycle https://www.talend.com/technical-support/support-statements/. Please see summary table above for version-specific information.

**With use of the dynamic distribution feature of Talend to connect with a cluster; is it necessary to rebuild/republish jobs to remediate the log4j vulnerability?  
**Yes. 

**For Talend v7.3 and Talend v8.0, do I need to rebuild my Talend jobs and Routes after  
installing the Studio patch?**   
Yes.

CVE-2022-29943: Talend Security

Researchers have disclosed an unpatched vulnerability in the popular uClibc library that could allow attackers to use DNS poisoning.
The post Unfixed vulnerability in popular library puts IoT products at risk appeared first on Malwarebytes Labs.

Researchers have found a vulnerability in a popular C standard library in IoT products that could allow attackers to perform DNS poisoning attacks against a target device.

The library is known to be used by major vendors such as Linksys, Netgear, and Axis, but also by Linux distributions such as Embedded Gentoo. Because the library maintainer was unable to develop a fix, this vulnerability remains unpatched. For this reason, the affected devices were not mentioned in detail.

**Libraries**

In computing, a library is a set of resources that can be shared among processes. Often these resources are specific functions aimed at a certain goal. These functions can be called upon when needed so they do not have to be included in the code of the software that uses it. Another example of such a library that caused some havoc was Log4j.

A C standard library is a library for the C programming language itself. Such a library provides macros, type definitions, and functions for tasks such as string handling, mathematical computations, input/output processing, memory management, and several other operating system services. As you can imagine, such a standard library is called numerous times by many programs that depend on these basic functions.

**uClibc**

In this case, the library at hand is uClibc, one of the possible C standard libraries available, which focuses specifically on embedded systems because of its size. Because uClibc is a relatively small C standard library intended for Linux kernel-based operating systems for embedded systems and mobile devices. Features can be enabled or disabled to match space requirements.

The alternative uClibc-ng is a fork of uClibc that was announced after more than two years had passed without a uClibc release, citing a lack of any communication from the maintainer. Unfortunately uClibc-ng shares the same vulnerability.

Similar to other C standard libraries, uClibc provides an extensive DNS client interface that allows programs to readily perform lookups and other DNS-related requests.

**DNS poisoning**

DNS poisoning, also known as DNS cache poisoning or DNS spoofing, is a cyberattack method in which threat actors redirect web traffic, usually toward fake web servers and phishing websites.

In a typical home setup, there is:

*   A modem provided by your Internet Service Provider (ISP) which is your connection to the outside world.
*   A router that distributes the internet connection across all the devices (often wireless).
*   The devices like your laptop, phones, tablets and IoT (Internet of Things) devices such as TVs, temperature sensors, and security cameras.

These days, the modem and router are usually combined in the same device.

A DNS poisoning attack enables a subsequent Machine-in-the-Middle (MitM) attack because the attacker, by poisoning DNS records, is capable of rerouting network communications to a server under their control.

**The vulnerability**

One of the main ingredients to protect us against DNS poisoning is the transaction ID. This is a unique number per request that is generated by the client, added in each request sent, and that must be included in a DNS response to be accepted by the client as the valid one for that particular request. So while this transaction ID should be as random as possible, the researchers found that there is a pattern. At first the transaction ID is incremental, then it resets to the value 0x2, then it is incremental again.

While figuring out where this pattern comes from, the researchers eventually found out that the code responsible for performing the DNS requests is not part of the instructions of the executable itself, but is part of the C standard library in use, namely uClibc 0.9.33.2.

_Image courtesy of Nozomi networks_

Given that the transaction ID is now predictable, to exploit the vulnerability an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server. As the function does not apply any explicit source port randomization, it is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port.

**Mitigation**

Since the library maintainer has indicated he is unable to develop a fix, this vulnerability remains unpatched. The researchers are working with the maintainer of the library and the broader community in order to find a solution. The maintainer explicitly asked to publicly disclose the vulnerability, hoping for help from the community.

Because of the absence of a fix, the researchers did not disclose the specific devices that they found to be vulnerable. They did however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure.

The vulnerability was disclosed to 200+ vendors invited to the VINCE case by CERT/CC since January 2022, and a 30-day notice was given to them before the public release.

If you suspect that your router has been affected by DNS cache poisoning, have a look at our article DNS Hijacks: Routers where you will find some information on how to resolve such matters. When it is purely a case of router DNS caching, I have yet to find a router where resetting the router and leaving it off for at least 30 seconds did not clear the cache. But note that this does not resolve an ongoing attack or remove the vulnerability. It’s just a matter of symptom management.

Stay safe, everyone!

Unfixed vulnerability in popular library puts IoT products at risk

An OS Command Injection vulnerability in the configuration parser of Eve-NG Professional through 4.0.1-65 and Eve-NG Community through 2.0.3-112 allows a remote authenticated attacker to execute commands as root by editing virtualization command parameters of imported UNL files.

**Home**

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

**Important Note: LOG4J – CVE-2021-45046 CVE-2021-44228 CVE-2022-27903 DOES NOT affect EVE-NG.**

**EVE-NG Professional Edition:**

EVE-NG PRO platform is ready for today’s IT-world requirements. It allows enterprises, e-learning providers/centers, individuals and group collaborators to create virtual proof of concepts, solutions and training environments.

EVE-NG PRO is the first clientless multivendor network emulation software that empowers network and security professionals with huge opportunities in the networking world. Clientless management options will allow EVE-NG PRO to be as the best choice for Enterprise engineers without influence of corporate security policies as it can be run in a completely isolated environment.

   

EVE Professional Edition: 4.0.1-86 EVE-NG Professional (01 May 2022)

_Release notes link_

Download EVE Professional

**_Upgrade notes:_**

_**If you are upgrading your EVE PRO or EVE LC form Versions 3.0.1-16 or later, please follow the link below:**_

_Upgrade EVE Pro or LC to the newest version_

_**If you are upgrading your EVE PRO or EVE LC form Versions 2.0.6.52 or earlier, please Contact to the EVE Live Helpdesk:**_

_Live Helpdesk_

EVE-NG Professional/Learning Center Cookbook

**_EVE-NG PRO/LC Cookbook version 4.14 (23 October, 2021)_**_Download link EVE PRO/LC Cookbook_ **Section updates:** 3.3 Ubuntu download link update10.6 Remove Cloud interfaces for Editor and User14.1.5 Custom web page for server-gui docker14.1.6 Custom web page SSL for server-gui docker

****Some Features:****

EVE brings You the power You need to mastering your network within multivendor environment designing and testing.

  

*   KVM HW accelaration
*   Topology designer “click and play”
*   Import/export configuration
*   Labs xml file format
*   Picture import and maps “click and play”
*   Custom Kernel support for L2 protocols
*   Memory optimization ( UKSM )
*   CPU Watchdog
*   Full HTML5 User Interface
*   Ability to use without additionnals tools
*   Multiusers
*   Interaction with real network fully supported
*   Simultaneous lab instances
*   Derivated  from Ubuntu LTS 18.04 server for long term support 

****EVE-NG-PRO Emulation Software****

_The brand new structure is created with many updated features and improvements._  

*   Dynamic console porting, no limits, fixing issues for multi user consoling, Telnet porting choose is random
*   Hot links, interconnection running nodes, ports immediately response, shut no shut, Ethernet only
*   1024 nodes support per lab
*   Docker containers support
*   HTML desktop console to EVE management, clientless EVE management
*   Closing feature of running lab placing it to running folder, option run more than one lab simultaneously
*   Import/export configs for eve lab to/from local PC
*   Multiuser support, Administrator role only
*   EVE User account access time limitation
*   NAT cloud, integrated NAT option with DHCP on the EVE
*   Integrated Wireshark capture using docker, ethernet only
*   Multi configurations for single lab
*   Lab design features, links and objects
*   Custom template for own node deployment
*   Lab timer for self-training
*   EVE Labs control management
*   Information display of running labs and nodes per user. Admin control of processes
*   Link quality bandwidth, delay, jitter and loss set feature
*   EVE Cluster
*   Google Cloud EVE PRO support

_Upcoming features in EVE-NG PRO:_

*   Current version display and the newest available  
    
*   Fix permissions button on web  
    
*   New lab design options
*   Lab search option
*   Live lab resource widget, CPU, RAM
*   Lab timer, countdown improvement

CVE-2022-27903

A flaw in all versions of the popular C standard libraries uClibe and uClibe-ng can allow for DNS poisoning attacks against target devices.

A flaw in all versions of the popular C standard libraries uClibe and uClibe-ng can allow for DNS poisoning attacks against target devices.

An unpatched Domain Name System (DNS) bug in a popular standard C library can allow attackers to mount DNS poisoning attacks against millions of IoT devices and routers to potentially take control of them, researchers have found.

Researchers at Nozomi Networks Labs discovered the flaw affecting the implementation of DNS in all versions of uClibc and uClibc-ng, popular C standard libraries found in numerous IoT products, they revealed in a blog post this week.

“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Nozomi’s Giannis Tsaraias and Andrea Palanca wrote in the post.

In a DNS poisoning attack– also known as DNS spoofing and DNS cache poisoning–an attacker deceives a DNS client into accepting a forged response. This forces a program to perform network communications with an arbitrarily defined endpoint instead of the legitimate one.

****Numerous Affected Devices****

The scope of the flaw is vast, as major vendors such as Linksys, Netgear and Axis, as well as Linux distributions such as Embedded Gentoo, use uClibe in their devices. Meanwhile, uClibc-ng is a fork specifically designed for OpenWRT, a common OS for routers deployed throughout various critical infrastructure sectors, researchers said. Specific devices impacted by the bug were not disclosed as part of this research.

Moreover, if an attacker mounts a successful DNS poisoning attack on an affected device, they also can perform a subsequent man-in-the-middle attack, researchers said. This is because by poisoning DNS records, they can re-route network communications to a server under their control, researchers said.

“The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them,” researchers wrote. “The main issue here is how DNS poisoning attacks can force an authenticated response.”

Researchers are currently working with the maintainer of the uClibe library to develop a fix for the vulnerability, which leaves devices vulnerable, they said. Because of this, Nozomi researchers have declined to disclose specific details of the device on which they were able to reproduce the flaw to keep attackers at bay, they said.

****DNS as a Target****

News of the DNS vulnerability brings reminders of last year’s Log4Shell flaw, which sent ripples of concern within the cybersecurity community when it was discovered in December because of its scope. The flaw affects the ubiquitous open-source Apache Log4j framework—found in countless Java apps used across the internet. In fact, a recent report found that the flaw continues to put millions of Java apps at risk, though a patch exists for the flaw.

Though it affects a different set of targets, the DNS flaw also has a broad scope not only because of the devices it potentially affects, but also because of the inherent importance of DNS to any device connecting over IP, researchers said.

DNS is a hierarchical database that serves the integral purpose of translating a domain name into its related IP address. To distinguish the responses of different DNS requests aside from the usual 5-tuple–source IP, source port, destination IP, destination port, protocol–and the query, each DNS request includes a parameter called “transaction ID.”

The transaction ID is a unique number per request that is generated by the client and added in each request sent. It must be included in a DNS response to be accepted by the client as the valid one for request, researchers noted.

“Because of its relevance, DNS can be a valuable target for attackers,” they observed.

****The Vulnerability and Exploitation****

Researchers discovered the flaw while reviewing the trace of DNS requests performed by an IoT device, they said. They noticed something abnormal in the pattern of DNS requests from the output of Wireshark. The transaction ID of the request was at first incremental, then reset to the value 0x2, then was incremental again.

“While debugging the related executable, trying to understand the root cause, we eventually noticed that the code responsible for performing the DNS requests was not part of the instructions of the executable itself, but was part of the C standard library in use, namely uClibc 0.9.33.2,” they explained.

Researchers performed a source code review and found that the uClibc library implements DNS requests by calling the internal “\_\_dns\_lookup” function, which is located in the source file “/libc/inet/resolv.c.”

Eventually they found fault with some of the lines of code in the library—specifically line #1240, #1260, #1309, #1321 and #1335, to which they could attribute the anomaly in the DNS request pattern, which makes the transaction ID predictable, researchers said.

This predictability creates a scenario in which an an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server to exploit the flaw, researchers said.

“It is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port,” they explained.

To exploit the flaw also depends on how an OS applies randomization of source port, which means an attacker would have to bruteforce the 16-bit source port value by sending multiple DNS responses, while simultaneously beating the legitimate DNS response, researchers added.

**Mitigation**

Researchers explained, because the bug remains patched on millions of IoT devices, it is not disclosing the specific devices vulnerable to attack. In the interim, Nozomi Networks recommends that network administrators increase their network visibility and security in both IT and Operational Technology environments.

“This vulnerability remains unpatched, however we are working with the maintainer of the library and the broader community in support of finding a solution,” they wrote.

Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. 
"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys)," Trend

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.

"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys)," Trend Micro researchers, Christoper Ordonez and Alvin Nieto, said in a Monday analysis.

"In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap NSE script."

AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.

A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.

Other targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.

Telemetry data gathered by Trend Micro shows that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.

The entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho's ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.

"The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the \[command-and-control\] server to execute arbitrary commands," the researchers explained.

This includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.

Some of the components copied to the infected endpoint are a Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints.

The batch script, for its part, is equipped with a wide range of capabilities that allows it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.

Also used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver the Czech company resolved in June 2021.

"The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege)," the researchers pointed out. "This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection

Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2

This release includes the following new features and enhancements:

*   Identity Server Authentication APIs
    
*   Integration of Microsoft Windows Autopilot with Access Manager
    
*   Support for Specifying Scopes for a Client Application
    
*   Integration with Itsme
    
*   Analytics Dashboard Plug-in Support
    
*   Enhanced WS-Federation Service Provider
    
*   Enhancements to Upgrade Assistant
    
*   Support for Integration with Advanced Authentication as a Service
    
*   Enhanced UserInfo Endpoint to Decrypt Tokens Encrypted Using Custom Keys
    
*   Updates for Dependent Components
    
*   Videos
    

**1.1 Identity Server Authentication APIs**

This release introduces Identity Server authentication APIs. These APIs enable you to build your own end-to-end login experience replacing the built-in user portal login experience. You can use these APIs in the following scenarios:

Primary Authentication: Verifies the end-users' credentials using one of the following methods:

*   Name/Password - Basic
    
*   Name/Password - Form
    
*   Secure Name/Password - Basic
    
*   Secure Name/Password - Form
    

Multi-factor Authentication: When Access Manager is integrated with Advanced Authentication through the plug-in approach, the API supports multi-factor authentication for the following methods:

*   Smartphone
    
*   Voice call
    

For more information about these APIs, see Identity Server Authentication API.

You can also configure the default user attributes that you want in the authentication response.

For information about configuring the attributes list, see Identity Server Authentication APIs in the NetIQ Access Manager 5.0 Administration Guide.

**1.5 Analytics Dashboard Plug-in Support**

This release introduces Analytics Dashboard plug-in for the following products: NetIQ SecureLogin.

*   NetIQ SecureLogin
    
    For more information, see Analytics Dashboard in the NetIQ SecureLogin 9.0 Administration Guide.
    
*   NetIQ Secure API Manager
    

_NOTE:_The plug-in is not supported with Access Manager container deployment.

**1.8 Support for Integration with Advanced Authentication as a Service**

In addition to the integration with on-premises Advanced Authentication, Access Manager now supports integration with the Advanced Authentication as a Service.

For more information about how to integrate, see Multi-Factor Authentication Using Advanced Authentication.

**1.9 Enhanced UserInfo Endpoint to Decrypt Tokens Encrypted Using Custom Keys**

With this release, when JWT is encrypted using custom keys provided in the resource server, user info endpoint is able to decrypt the JWT and provide valid user info details in response.

**1.10 Updates for Dependent Components**

This release provides the following updated components:

*   Tomcat 9.0.55
    
*   Apache 2.4.53
    
*   Log4j 2.17.1
    
*   JDK 1.8.0\_312
    
*   OpenSSL 1.0.2zd
    

**1.11 Videos**

This release includes the following videos:

*   Access Manager Upgrade Assistant: Registration and Upgrade on RHEL and SLES
    

*   Integrating Access Manager with Itsme

CVE-2022-26326: Access Manager 5.0 Service Pack 2 Release Notes

Security must be precise enough to meet compliance requirements without impeding DevOps and developer productivity. Here's how to strike that balance.

Businesses are moving fast to modernize application development, but Kubernetes security has taken a back seat in many cases. While that deprioritization is increasingly risky, security strategies to mitigate threats to containerized environments must tread a careful path.

On the one hand, security must be precise enough to meet the rigorous compliance requirements — and stand up to audits — across all regulations a given organization must adhere to, whether that's SOC 2, PCI DSS, GPDR, HIPAA, or others. At the same time, whatever security processes are put into place must still ensure that DevOps and developer productivity isn't impeded. It's a delicate balancing act that doesn't leave much room for error on either side.

To ensure continuous compliance in containerized environments without creating obstacles to productivity, adhere to these six practices.

**1\. Get Automated**  
Implementing the right tools — and there are many great fully open source options — delivers the real-time threat responses and always-on monitoring necessary for achieving continuous compliance. For example, automated vulnerability scanning and security policy as code should be integrated into the pipeline. Logs and events should be processed with an automated Kubernetes audit log analyzer. SIEM technologies powered by machine learning can quickly and automatically identify attack patterns. You should also leverage CIS benchmarks and custom compliance checks to inspect Kubernetes configurations continuously.

**2\. Secure Kubernetes Itself**  
It's become absolutely crucial to treat Kubernetes itself as an attack surface — because attackers certainly are. With the sophistication of threats maturing, continuous compliance now requires that the full stack behind your container environments is actively secured. This includes initiating automatic monitoring, hardening against exploits, performing configuration auditing, and preparing automated mitigation. That's not only true for Kubernetes but also any service meshes, hosting VMs, plugins, or other targets that may come under attack.

**3\. Seeing an Attack Is Preventing an Attack**  
Attack kill chains often begin with the launch of an unrecognized container network connection or process, which escalates its own level of access by writing or changing existing files or exploiting unprotected entry points. Such nefarious methods will then utilize network traffic to send captured data to an external IP address, resulting in a data breach. Kill chains may similarly target the Kubernetes API service for man-in-the-middle attacks, and commonly perform zero-day, insider, and cryptomining attacks. Attacks leveraging the Apache Log4j exploit are also on the rise.

Strategies that incorporate data loss prevention (DLP) and web application firewall (WAF) protection can provide the visibility required to detect active kill chains, as well as automated responses ready to put suspicious processes and traffic to a halt before they do harm. In fact, many regulatory compliance frameworks now specifically require organizations to have DLP and WAF capabilities in place to protect their container and Kubernetes environments, including PCI DSS, SOC 2, and GDPR (HIPAA strongly suggests DLP as well).

**4\. Zero in on Zero Trust**  
By implementing a zero-trust model, you're no longer _reactively_ addressing threats recognized in log analysis or signature-based detections. Instead, a zero-trust strategy ensures you'll be blocking all attacks by allowing only approved processes and traffic to be active in your environments. The full cloud-native stack, along with access controls such as RBACs, must feature these zero-trust safeguards. The result is a more assured approach to achieving continuous compliance.

**5\. Take Advantage of Built-In Kubernetes Security**  
Built-in Kubernetes security features include log auditing, RBACs, and system log collection centralized by the Kubernetes API server. Leverage these available capabilities to collect and analyze all activity logs for evidence of attack or misconfigurations. Follow up by addressing any issues or run-time activities that fall short of compliance by implementing security patches or new policy-based protections.

In most cases, you'll want to go further and support existing Kubernetes security with tooling that enables container application security and continuous compliance auditing. The built-in Kubernetes Admission Controller should be used to closely coordinate Kubernetes with external registries and resource requests. This approach will more effectively prevent vulnerabilities and unauthorized behavior in application deployments.

**6\. Verify the Security of Your Cloud Host**  
Cloud platforms hosting Kubernetes handle their own systems and must ensure their continuous compliance. However, the stakes are too high not to check that those cloud hosting practices are indeed well-secured and that they fulfill your own compliance responsibilities. In fact, the shared responsibility model offered by many cloud providers leaves the burden of securing application access, network behavior, and other assets in the cloud squarely on the customer.

**Continuous Compliance in Real-Time Environments**  
Kubernetes and containerized environments are highly dynamic, with containers spinning in and out of existence far more rapidly than manual security checks can possibly safeguard. In addition, traditional security technologies such as network segmentation and firewalling required by many compliance regulations don't work in container networks.

Modern continuous development processes regularly introduce new code and containers as applications are built, shipped, and run in production environments. As a result, regulations require organizations to adopt automated real-time security and auditing measures that provide true continuous compliance.

6 Best Practices to Ensure Kubernetes Security Meets Compliance Regulations

International cybersecurity authorities have published an overview of the most routinely exploited vulnerabilities of 2021.
The post The top 5 most routinely exploited vulnerabilities of 2021 appeared first on Malwarebytes Labs.

A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.

**1\. Log4Shell**

CVE-2021-44228, commonly referred to as Log4Shell or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.

When Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.

This made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The CISA Log4j scanner is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.

**2\. CVE-2021-40539**

CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that APT threat-actors were likely among those exploiting the vulnerability.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations.

**3\. ProxyShell**

Third on the list are 3 vulnerabilities that we commonly grouped together and referred to as ProxyShell. CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207.

The danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:

*   **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.
*   **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.
*   **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.

The vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.

Microsoft’s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.

**4\. ProxyLogon**

After the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name—ProxyLogon—for similar reasons. CVE-2021-26855, CVE-2021-26857, CVE-2021-2685, and CVE-2021-27065 all share the same description—”This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.”

While the CVE description is the same for the 4 CVE’s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws—CVE-2021-26858 and CVE-2021-27065—would allow an attacker to write a file to any part of the server.

Together these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

ProxyLogon started out as a limited and targeted attack method attributed to a group called Hafnium. Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Microsoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a download link, user instructions, and more information can be found in the Microsoft Security Response Center.

**5\. CVE-2021-26084**

CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of Confluence Server and Data Center that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Shortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.

On the Confluence Support website you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.

**Lessons learned**

What does this list tell us to look out for in 2022?

Well, first off, if you haven’t patched one of the above we would urgently advise you to do so. And it wouldn’t hurt to continue working down the list provided by CISA.

Second, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:

*   **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.
*   **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.
*   **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.

So, if you notice or hear about a vulnerability that meets these “requirements” move it to the top of your “to-patch” list.

Stay safe, everyone!

Tag

#log4j