Appsec Phoenix

AppSec Phoenix Wide

Security Vulnerability of the Week 20/06/22


Date Posted: 19th June 2022

Previous Issues of vulnerability Weekly



This week we deep dive into Couchbase releasing several vulnerabilities, SPLUNK, CISCO, Azure Synapse vulnerability and oracle cloud’s latest vulnerabilities.


Appsec

Couchbase 

Couchbase Server is a modern cloud-native distributed database that fuses the greatest strengths of relational and NoSQL. 

10 CVEs so far have been registered against several version of the Couchbase Server version for versions early than 7.0.4 and Sync Gateway 3x before 3.0.2. Amongst the CVEs identified few one have a very high severity due to bypassing of authentication and credentials. Some other CVEs have also medium due to leaked credentials exploit.

The CVSS Severity one of which is critical, can really be swayed and bumped up to critical for the system cli, admin console and Gateway that are Externally exposed. As always fix and protect systems that are externally facing 

Upgrade to the latest version of Gateway > 3.0.2 or later 

Upgrade to the latest version of sever> 7.0.4

There are currently no available exploit in metaexploit for those vulnerabilities 

  • CVE-2022-32565 – CVSS Low 1.8 –  Backup service log leak
  • CVE-2022-32564 – CVSS High 7.8 – Couchbase CLI couchbase-cli, server-eshell leaks the Cluster Manager cookie
  • CVE-2022-32192 – CVSS Medium 5.5 – couchbase-cli leaks Secrets Management master password as a command-line argument.
  • CVE-2022-32563 – CVSS Critical 9.8 – Couchbase Sync Gateway 3x before version 3.0.2 – CVSS 6.8 as credentials not authenticated using X509 certificate. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users 
  • CVE-2022-32562 – Server Before 7.0.4 –  CVSS High 8.8 – mitigation from CVE-2018-15728  were insufficient 
  • CVE-2022-32561 – Server Before 7.0.4 – CVSS High 8.8 Previous mitigations for CVE-2018-15728 were found to be insufficient when it was discovered that diagnostic endpoints could still be accessed from the network.
  • CVE-2022-32560 – Server Before 7.0.4 – CVSS Medium 4.0 – XDCR – lacks role checking when changing internal settings
  • CVE-2022-32559 – Server Before 7.0.4 – CVSS High 7.4 – HTTP Request leads to leaked credentials 
  • CVE-2022-32558 – Server Before 7.0.4 – CVSS Medium 6.4 – Bucket loading might leak user credentials
  • CVE-2022-32557 – Server Before 7.0.4 – CVSS HIGH 8.2-  Index Service does not enforce authentication for TCP/TLS servers

For all the latest security updates: https://forums.couchbase.com/tag/security  and https://www.couchbase.com/alerts 

WordPress Ninja Form Vulnerability

WordPress Vulnerability Update

The recent vulnerability in WordPress could affect up to 730K and more servers. The vulnerability affects Ninja Forms with more than 1 million installations. 

Ninja form is a popular free plugin used to capture form information and customer details

Wordfence threat analyst Ramuel Gall discovered when reverse-engineering the patch that unauthenticated attackers can exploit this bug remotely to call various Ninja forms classes using a flaw in the Merge Tags feature.

OWASP Describes as following deserialization attacks

Deserialization is the reverse of turning some object into a data format. Deserialization is taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.

Leveraging deserialization an attacker can have the ability to inject code resulting in remote code execution and potential takeover of the whole website

The researcher discovered the ability to make unauthenticated calls to a number of Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Wordfence threat intelligence lead Chloe Chamberland said.

FIX:

There is currently not an official update out but most websites have been force-updated based on the number of downloads since this flaw was patched on June 14.

Currently, there are 49598 downloads of the form with a total32 Million downloads and an active 1 million installations.

Samuel Wood, a WordPress developer, said in October 2020 that Automattic had used forced security updates to push “security releases for plugins many times” since WordPress 3.7 was released.

According to bleeping computer WordPress has forced updates for other critical and highly popular vulnerabilities

Jetpack Contact Form block in December 2018, a critical bug in the way some Jetpack shortcodes 

February 2022, 3 UpdraftPlus WordPress plugins were force-patched 

​​


INFRA/Network

SPLUNK ENTERPRISE

On 2022 June 14 the security advisory from SPLUNK sent out the advertisement for vulnerability on SPLUNK enterprise server. The vulnerability exploits on the Universal Forwarder endpoint can result in an RCE (remote code execution) 

For full CVSS code: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:H/MPR:H/MUI:N/MC:N/MI:H/MA:H

CVSS Critical for For more details: https://www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html 

Announcement on Twitter:  https://twitter.com/i/web/status/1536837525221675008 

Hurricane Labs is aware of the recent vulnerability involving Splunk Enterprise deployment servers. 

An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server. 

All Splunk Enterprise deployment servers prior to version 9.0 are vulnerable. No patch or workarounds are currently available for older Splunk versions. Splunk has indicated that they do not intend to port the fix for this issue to older versions of Splunk Enterprise. 

CONFIRM www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html

Currently, there are no Active exploits of the vulnerability 

To fix the vulnerability upgrade to version 9.0 

At the time of this writing (2022-06-14), there is no patch available for any supported versions of Splunk, and there are no plans to backport the fix to prior Splunk versions, including Splunk 8.2.x and older. 

Mitigations

  • Upgrade to 9.0 – the current recommendation
  • For version 8.2.x and before 
    • Temporarily disable access to the deployment server. (This option is only practical if you have a standalone deployment server.)
  • Enable host firewall rules on the deployment server to limit management traffic to Splunk infrastructure only. Remove these host firewall rules on this instance only when making changes to forwarders or other deployment clients.

CISCO Email Security Critical bug update

Cisco issued  fixes to address a critical security flaw affecting Email Security Appliance (ESA) and Secure Email and Web Manager on Wednesday 15/6/22

The vulnerability if exploited could bypass the authentication. 

 CVE-2022-20798, currently rated 9.8 CVSS affects the Lightweight Directory Access Protocol (LDAP) for external authentication. 

Cisco Announced:

“An attacker could exploit this vulnerability by entering a specific input on the login page of the affected device,” Cisco noted in an advisory. “A successful exploit could allow the attacker to gain unauthorized access to the web-based management interface of the affected device.”

The vulnerability got identified during a technical assistance call (TAC centre for cisco)

The Vulnerability Impacts ESA and Secure Email and Web Manager running vulnerable AsyncOS software versions 11 and earlier, 12, 12.x, 13, 13.x, 14, and 14.x and when the following two conditions are met –

  • The devices are configured to use external authentication, and
  • The devices use LDAP as the authentication protocol

For full details: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-esa-auth-bypass-66kEcxQD 

CISCO Small Business Router unpatchable vulnerability

Cisco has identified another critical vulnerability on Small Business RV110W, RV130, RV130W, and RV215W routers. 

CVE-2022-20825 (CVSS score: 9.8) – the vulnerability affects HTTP packet.

CISCO will not release a patch as the product are end of life

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-overflow-s2r82P9v

For full details: https://tools.cisco.com/security/center/publicationListing.x


Cloud

SYN LAPSE Azure Data analytical Service RCE

https://nvd.nist.gov/vuln/detail/CVE-2022-29972 score 7.8

Another vulnerability has been disclosed by ORCA security team named SYNLAPSE  

In may Orca had issued together with Microsoft a disclosed quickly fixed 

Orca Security is issuing this security advisory for CVE-2022-29972 to address hazards in the use of the Microsoft Azure Synapse service https://orca.security/resources/blog/azure-synapse-analytics-security-advisory/

The vulnerability originally identified and disclosed on January 4th got recent attention by Microsoft security.

Orca has recently disclosed a new variation of the vulnerability after Microsoft fixes

 Tzah Pahima is credited with discovering SynLapse—a critical Synapse Analytics vulnerability in Microsoft Azure, also affecting Azure Data Factory. It permitted attackers to bypass tenant separation while including the ability to:

  • Gain Credential of customer accounts (Azure Synapse)
  • Control azure Synapse workspace 
  • Execute code on target customer
  • Leak customer credentials 

Why this vulnerability is bad?

  • An attacker can gain access to a customer account acting as synapse workspace
  • An attacker can leak the credentials of a customer in their synapse workspace
  • An attacker can leverage the vulnerability to run code (RCE) on any customer’s integration runtimes 

What is SYN Lapse

Azure Synapse Analytics is an important service that is leveraged by many services that process a high quantity of data  (e.g., CosmosDB, Azure Data Lake, and external sources such as Amazon S3).

When reporting the issue ORCA suggested to Microsoft to implement a few mitigations, mainly:

  1. A sandbox – Move the shared integration runtime to a sandboxed ephemeral VM. This means that if an attacker could execute code on the integration runtime, it is never shared between two different tenants, so no sensitive data is in danger.
  2. Limit API access – Implement least privilege access to the internal management server, this will prevent attackers from using the certificate to access other tenants’ information. 

At the beginning of June Microsoft shared with ORCA that they have implemented all recommendations and Synapse Integration Runtime is now using ephemeral nodes and scoped low-privileged API tokens.

ORCA has then removed the security advisory 

Timeline (100 Days to fix)

  • January 4 – The Orca Security research team disclosed the vulnerability to the Microsoft Security Response Center (MSRC), along with keys and certificates we were able to extract.
  • February 19 & March 4 – MSRC requested additional details to aid its investigation. Each time, we responded the next day.
  • Late March – MSRC deployed the initial patch.
  • March 30 – Orca was able to bypass the patch. Synapse remained vulnerable.
  • March 31 – Azure awards us $60,000 for our discovery.
  • April 4 (90 days after disclosure)  – Orca Security notifies Microsoft that keys and certificates are still valid. Orca still had Synapse management server access.
  • April 7 – Orca met with MSRC to clarify the implications of the vulnerability and the required steps to fix it in its entirety.
  • April 10 – MSRC patches the bypass, and finally revokes the Synapse management server certificate. Orca was able to bypass the patch yet again. Synapse remained vulnerable.
  • April 15 – MSRC deploys the 3rd patch, fixing the RCE and reported attack vectors.
  • May 9 – Both Orca Security and MSRC publish blogs outlining the vulnerability, mitigations, and recommendations for customers.
  • End of May – Microsoft deploys more comprehensive tenant isolation including ephemeral instances and scoped tokens for the shared Azure Integration Runtimes.

Previous response to vulnerabilities: https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972/ 

Oracle Cloud Medium Vulnerability

CVE-2022-21503 on Oracle Cloud infrastructure has been confirmed on 18/6/2022

Score for the moment is 4.9 but with potential confidential impact Vector: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 

Current versions of the exploit are being reported to be easy. It is possible to launch the attack remotely. Additional levels of successful authentication are required for 

exploitation. The technical details are unknown and an exploit is not available

CWE is classifying the issue as CWE-200. This is going to have an impact  

Previous Issues of vulnerability Weekly


Share this article

[ssba]

Categories

x Logo: ShieldPRO
This Site Is Protected By
ShieldPRO