Mar 26, 2021

Two OpenSSL Vulnerabilities for this week

After the busy weeks of PoC releases, now comes a DoS.

Two high-severity OpenSSL vulnerabilities were released yesterday, and I just saw them in my mailbox.

CVE-2021-3449 is a denial-of-service condition in TLSv1.2 renegotiation, which OpenSSL 1.1.1 servers allow in their default configuration. It is triggered by a malicious renegotiation ClientHello: if the initial ClientHello carried a signature_algorithms extension and the renegotiation ClientHello omits it, the server dereferences a NULL pointer and crashes. This means every internet-facing TLS server built on OpenSSL 1.1.1 through 1.1.1j is a potential target of an application-level attack that is hard to detect but easy to assess. Only servers are affected, only with TLSv1.2 renegotiation enabled (the default), and OpenSSL 1.0.2 is not impacted; SSLScan reports whether a server offers renegotiation, which is the quickest way to triage exposure.

CVE-2021-3450, also rated high severity, is a CA certificate check bypass. Starting with 1.1.1h, an additional strict check rejects certificates in the chain that carry explicitly encoded elliptic curve parameters; an error in that check overwrites the result of the earlier check confirming that the certificates in the chain are valid CA certificates. In other words, the check ensuring that non-CA certificates must not be able to issue other certificates can be bypassed.

The strict check was introduced in 1.1.1h, so only 1.1.1h, 1.1.1i and 1.1.1j are affected, and only if the application explicitly sets the X509_V_FLAG_X509_STRICT verification flag (it is off by default) and either sets no verification purpose or overrides the default purpose. Both issues are fixed in 1.1.1k: upgrade, and run the following command to check the version:

$ openssl version -a
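
As an added example (not from the OpenSSL advisory or this post), a short Python script that parses the first line of that output and reports which of the two CVEs the build's version number falls into, using the affected ranges from the advisory. The version strings it is run against are constructed samples, and the precondition text for each CVE is a one-line summary, not an exploitability test:

```python
import re
import subprocess

# Affected ranges from the OpenSSL security advisory of 25 March 2021.
# Each entry: (first affected release, last affected release, precondition for exploitation).
AFFECTED = {
    "CVE-2021-3449": ("1.1.1", "1.1.1j",
                      "TLS server with TLSv1.2 renegotiation enabled (the default)"),
    "CVE-2021-3450": ("1.1.1h", "1.1.1j",
                      "application explicitly sets X509_V_FLAG_X509_STRICT"),
}
FIXED_IN = "1.1.1k"

# The first line of `openssl version -a` looks like "OpenSSL 1.1.1j  16 Feb 2021".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, letters) for an OpenSSL version string.

    OpenSSL 1.1.1 releases are ordered by letter suffix (1.1.1 < 1.1.1a < ... < 1.1.1k),
    which is exactly how Python orders the strings "" < "a" < ... < "k".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version string in: %r" % text[:60])
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def affected_by(text):
    """Map each CVE to True/False for the build described by `openssl version -a` output."""
    version = parse_version(text)
    verdict = {}
    for cve, (first, last, _precondition) in AFFECTED.items():
        low = parse_version("OpenSSL " + first)
        high = parse_version("OpenSSL " + last)
        verdict[cve] = low <= version <= high
    return verdict


def report(text):
    """Human-readable lines for the output of `openssl version -a`."""
    lines = ["version: %s" % text.splitlines()[0].strip()]
    for cve, hit in affected_by(text).items():
        precondition = AFFECTED[cve][2]
        if hit:
            lines.append("%s: AFFECTED (exploitable only if: %s); upgrade to %s"
                         % (cve, precondition, FIXED_IN))
        else:
            lines.append("%s: not affected by version number" % cve)
    return lines


if __name__ == "__main__":
    # Run against the local binary when present. Distribution packages that backport the
    # fix keep the old version string, so an AFFECTED verdict on a package may be a false
    # positive: confirm with the package changelog in that case.
    try:
        out = subprocess.run(["openssl", "version", "-a"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Constructed sample, not real command output.
        out = "OpenSSL 1.1.1j  16 Feb 2021\nbuilt on: Tue Feb 16 2021\n"
    print("\n".join(report(out)))
```

Note that the verdict is by version number only: a server on 1.1.1j with renegotiation disabled (SSL_OP_NO_RENEGOTIATION) is not exposed to CVE-2021-3449, and a 1.1.1h build that never sets X509_V_FLAG_X509_STRICT is not exposed to CVE-2021-3450.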

Links:

  • https://attackerkb.com/topics/DMtqBir1bn/openssl-tls-server-crash-null-pointer-dereference-cve-2021-3449#rapid7-analysis
  • https://attackerkb.com/topics/3R2Ftv4qHX/cve-2021-3450#rapid7-analysis
  • https://www.openssl.org/news/secadv/20210325.txt

Mar 24, 2021

Webinar: Securing Your Windows Infrastructure on Premises and in the Cloud

Today's webinar was interesting. It covered 4 demos and some interesting pentest methodologies for Windows server infrastructure.

After introducing the cyber kill chain and how the NTLM protocol works, a quick demo showed how an attacker can use the "pass the hash" technique to go from local admin to domain admin.

This was followed by the "pass the ticket" technique, which leverages Kerberos by stealing and reusing an identity's ticket.

Next, the webinar showed how to protect LSASS memory by introducing Credential Guard.

Last, there was a demo of a technique for maintaining persistence on a Windows system through Windows Hello, a less common technique used by advanced attackers.

Great presentation.

Mar 21, 2021

Busy Weeks for PoC

Many PoCs for old vulnerabilities have been released in the past few weeks. Here are a few that hopefully we all still remember. :)

March 12 - Spectre PoC released

The Spectre vulnerability (disclosed in Jan 2018) makes use of a class of processor (CPU) design flaws in speculative execution: the attacker trains the branch predictor so that the CPU transiently executes instructions that should never run, and the victim's memory is leaked through a cache side channel. Google's PoC is written in JavaScript and runs in the browser.

  • https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html
  • https://leaky.page/
  • https://github.com/google/security-research-pocs/tree/master/spectre.js
  • https://www.youtube.com/watch?v=V_9cQP60ZGI&t=2s

March 12 - Ghostcat (PoC for CVE-2020-1938)

Vulnerable Apache Tomcat versions shipped with an AJP Connector enabled by default, listening on port 8009 on all configured IP addresses, with the expectation that the Connector would be disabled if not required. Because AJP trusts the proxy in front of it, an attacker who can reach the port can set request attributes that make Tomcat read arbitrary files under the web application (for example WEB-INF/web.xml) and, where a file upload exists, have them processed as JSP for code execution. Fixed in 7.0.100, 8.5.51 and 9.0.31, which also bind the connector to loopback by default and require a shared secret.

  • https://0day.today/exploits/34028
  • https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC
  • Ghostcat (rapid7.com)
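
To show the risky default next to a hardened one, here is an added Python example (not from the Tomcat project or any of the links above) that parses two constructed server.xml fragments and flags AJP Connectors that listen on all interfaces or accept requests without a shared secret. The attribute names (address, secretRequired, secret) are Tomcat's own; the fragments and the secret value are invented:

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not copied from any Tomcat release): the pre-9.0.31
# style default, with the AJP Connector active on every interface, and a hardened version.
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- AJP only because a front-end proxy needs it: bound to loopback and authenticated -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value" redirectPort="8443" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_findings(server_xml):
    """Return one finding string per risky AJP Connector in a server.xml document.

    Risky means: the connector is enabled (commented-out connectors are dropped by the
    parser) and either listens on all interfaces (no address attribute, or a wildcard)
    or accepts requests without a shared secret.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        port = connector.get("port", "8009")
        address = connector.get("address", "")  # absent => every configured IP address
        if address in ("", "0.0.0.0", "::"):
            findings.append("AJP connector on port %s listens on all interfaces "
                            "(no loopback 'address' attribute)" % port)
        elif address not in LOOPBACK:
            findings.append("AJP connector on port %s is bound to non-loopback address %s"
                            % (port, address))
        secret_required = connector.get("secretRequired", "true").lower() == "true"
        if not connector.get("secret"):
            if secret_required:
                # Tomcat 9.0.31+ refuses to start such a connector; older releases never
                # asked for a secret at all, which is the Ghostcat exposure.
                findings.append("AJP connector on port %s has no 'secret' (unauthenticated AJP "
                                "before 9.0.31 / 8.5.51 / 7.0.100; refuses to start on newer releases)"
                                % port)
            else:
                findings.append("AJP connector on port %s accepts unauthenticated requests "
                                "(secretRequired=\"false\")" % port)
    return findings


if __name__ == "__main__":
    for name, doc in (("vulnerable", VULNERABLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, ajp_findings(doc) or ["no risky AJP connector"])
```

Run it against a real conf/server.xml to get the same findings for a deployed instance; a clean result still leaves the version check (7.0.100 / 8.5.51 / 9.0.31 or later) to do.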

March 3 - MS Exchange Server PoC released

CVE-2021-24085 is a Microsoft Exchange Server spoofing vulnerability released as part of Microsoft's February Patch Tuesday advisories. It allows remote attackers to escalate privileges on affected installations of Microsoft Exchange Server; successful exploitation requires authentication and user interaction (visiting a malicious page). A public proof-of-concept exploit has been available since February 15, 2021.

  • https://github.com/sourceincite/CVE-2021-24085

March 2 - VMware vCenter Server (CVE-2021-21972) PoC released

CVE-2021-21972 is an unauthenticated file-upload vulnerability in the vRealize Operations plugin bundled with the vSphere Client, leading to remote code execution on vCenter Server. There are at least 4 proof-of-concept (PoC) exploits publicly available. vCenter Server customers who have not patched and who have vCenter exposed to the internet should strongly consider conducting incident response investigations. Starting from March 2, in-the-wild exploitation has been confirmed, delivering web shells and malware.

Feb 23 - WebLogic (CVE-2020-14882, with CVE-2020-14750 for the patch bypass)

CVE-2020-14882 is a vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Easily exploitable, it allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server; successful attacks can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVE-2020-14750 was issued for the bypass of the original fix.

  • https://github.com/jas502n/CVE-2020-14882
  • https://github.com/projectdiscovery/nuclei-templates/pull/599/commits/b175c2117cdf50765f547eda42e5d48650ef1b6b
  • https://github.com/foospidy/web-cve-tests
  • https://www.youtube.com/watch?v=t-sxvcZNFZo&feature=youtu.be
  • https://github.com/wsfengfan/cve-2020-14882
  • https://github.com/pprietosanchez/CVE-2020-14750
  • https://github.com/corelight/CVE-2020-14882-weblogicRCE
  • https://www.rapid7.com/db/modules/exploit/multi/http/weblogic_admin_handle_rce/

Mar 20, 2021

T0pCyber / Hawk

Hawk is an open-source, PowerShell-driven, community-developed tool that network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. The data it provides includes IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.

Hawk users can review login details for administrator accounts and take the following steps.

  1. Investigate high-value administrative accounts to detect anomalous activity.
  2. Enable PowerShell logging.
  3. Look for users with unusual sign-in locations, dates, and times.
  4. Check permissions of service principals and applications in M365/Azure AD.
  5. Detect the frequency of resource access from unusual places.
  6. Review mailbox rules and recent mailbox rule changes.
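
As an added example of checks 1, 3 and 5 above (this is not Hawk's code, and the records are constructed, not from a real tenant), here is Python that groups sign-in records by user and flags concurrent sessions from different IPs, sign-ins from a country not previously seen for that user, and off-hours sign-ins. The field names UserId, CreationTime, ClientIP and Country, the 30-minute window and the 06:00-20:00 UTC business window are assumptions chosen for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, not real tenant data. The fields mirror what Hawk and the
# Azure AD sign-in log expose: the user, a UTC timestamp, the client IP and its GeoIP country.
SIGNINS = [
    {"UserId": "admin@example.com", "CreationTime": "2021-03-18T08:00:00Z", "ClientIP": "203.0.113.10", "Country": "US"},
    {"UserId": "admin@example.com", "CreationTime": "2021-03-18T08:05:00Z", "ClientIP": "198.51.100.7", "Country": "RU"},
    {"UserId": "admin@example.com", "CreationTime": "2021-03-18T13:00:00Z", "ClientIP": "203.0.113.10", "Country": "US"},
    {"UserId": "alice@example.com", "CreationTime": "2021-03-18T09:00:00Z", "ClientIP": "192.0.2.44", "Country": "US"},
    {"UserId": "alice@example.com", "CreationTime": "2021-03-18T09:30:00Z", "ClientIP": "192.0.2.44", "Country": "US"},
    {"UserId": "alice@example.com", "CreationTime": "2021-03-19T02:00:00Z", "ClientIP": "192.0.2.44", "Country": "US"},
]


def _ts(record):
    return datetime.strptime(record["CreationTime"], "%Y-%m-%dT%H:%M:%SZ")


def _by_user(records):
    """Group records per user, each group in time order."""
    grouped = defaultdict(list)
    for r in sorted(records, key=_ts):
        grouped[r["UserId"]].append(r)
    return grouped


def concurrent_ip_logins(records, window=timedelta(minutes=30)):
    """Pairs of sign-ins by the same user from two different IPs within `window` of each other
    (the 'concurrent login' situation Hawk tracks)."""
    hits = []
    for user, events in _by_user(records).items():
        for i, first in enumerate(events):
            for later in events[i + 1:]:
                if _ts(later) - _ts(first) > window:
                    break  # time-ordered, so nothing further back is inside the window
                if later["ClientIP"] != first["ClientIP"]:
                    hits.append((user, first["ClientIP"], later["ClientIP"],
                                 first["CreationTime"], later["CreationTime"]))
    return hits


def new_country_logins(records):
    """Sign-ins from a country the user has not been seen in before; the user's first
    observed sign-in is taken as the baseline."""
    hits = []
    for user, events in _by_user(records).items():
        seen = {events[0]["Country"]}
        for r in events[1:]:
            if r["Country"] not in seen:
                seen.add(r["Country"])
                hits.append((user, r["Country"], r["ClientIP"], r["CreationTime"]))
    return hits


def off_hours_logins(records, start_hour=6, end_hour=20):
    """Sign-ins outside the business window [start_hour, end_hour) in UTC; shift the window
    to the tenant's working hours before relying on it."""
    return [(r["UserId"], r["CreationTime"])
            for r in records if not (start_hour <= _ts(r).hour < end_hour)]


def triage(records, admins):
    """Step 1 of the checklist: run all three checks, scoped to the high-value accounts in `admins`."""
    scoped = [r for r in records if r["UserId"] in admins]
    return {
        "concurrent_ips": concurrent_ip_logins(scoped),
        "new_countries": new_country_logins(scoped),
        "off_hours": off_hours_logins(scoped),
    }


if __name__ == "__main__":
    for check, findings in triage(SIGNINS, {"admin@example.com", "alice@example.com"}).items():
        print(check, findings)
```

The baseline here is only the data set itself; in a real investigation, feed in weeks of sign-in history so the first record per user is a genuine baseline rather than the first day of the incident window.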

Links:

  • https://github.com/T0pCyber/hawk

Mar 19, 2021

CrowdStrike / CRT

CrowdStrike's Reporting Tool for Azure (CRT) helps analyze the Azure AD tenant and service configuration of a Microsoft Azure AD and M365 environment.

This tool has only minor overlap with Sparrow: it reports items Sparrow does not, and it does not cover the same areas. CISA highlights it because it is one of the few free, open-source tools available to investigate this activity, and it can complement Sparrow.

Links:

  • https://github.com/CrowdStrike/CRT

Mar 18, 2021

cisagov / Sparrow

Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possibly compromised accounts and applications in the Azure/M365 environment.

The tool is intended for use by incident responders, and focuses on the narrow scope of user and application activity endemic to identity and authentication based attacks seen recently in multiple sectors.

Sparrow.ps1 will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/M365 for certain indicators of compromise (IoCs), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files located in the user's default home directory in a folder called 'ExportDir' (i.e. Desktop/ExportDir).

Links:

  • https://github.com/cisagov/Sparrow

Mar 10, 2021

3 Tools for ProxyLogon (Exchange 0day vuln)

On March 2nd, Microsoft disclosed that four Exchange Server zero-day vulnerabilities were being used in attacks against exposed OWA servers. These vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

These vulnerabilities, aka 'ProxyLogon', are being used to steal mailbox contents, harvest credentials, and deploy web shells for access to the internal network.

In response, Microsoft updated the signatures of Microsoft Safety Scanner, also known as the Microsoft Support Emergency Response Tool (MSERT), a standalone portable antimalware tool that includes Microsoft Defender signatures, so that it scans for and removes the web shells seen in these attacks.

MSERT is an on-demand scanner, so it is best used for spot scans; it is not a substitute for patching.

Microsoft Safety Scanner

  • https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


If you would like to scan for web shells without removing them, you can use a new PowerShell script named detect_webshells.ps1 created by CERT.LV (CERT Latvia).

  • https://github.com/cert-lv/exchange_webshell_detection


Microsoft also released a PowerShell script called Test-ProxyLogon.ps1 that can be used to search for indicators of compromise (IOC) related to these attacks in Exchange and OWA log files.

  • https://github.com/microsoft/CSS-Exchange/tree/main/Security

Mar 8, 2021

CVE-2017-8461 - RRAS

This vulnerability was released in June 2017, with CVSS 7.0 (High), for RRAS. It is also known as "Windows RPC Remote Code Execution Vulnerability."

With this vulnerability, Windows RPC with Routing and Remote Access enabled (available in Windows XP and Windows Server 2003) allows an attacker to execute code on a targeted RPC server that has Routing and Remote Access enabled.

Recently, a new Metasploit module was released. It exploits an overflow in the Windows Routing and Remote Access Service (RRAS) to execute code as SYSTEM.

The RRAS DCERPC endpoint is accessible by unauthenticated users via the SMBv1 browser named pipe on Windows Server 2003 and Windows XP hosts. (However, this module targets Windows Server 2003 only.)

Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well.

The module has been successfully tested on:

  • Windows Server 2003 SP0 (x86)
  • Windows Server 2003 SP1 (x86)
  • Windows Server 2003 SP2 (x86)
  • Windows Server 2003 R2 SP2 (x86)

Links:

  • https://attackerkb.com/topics/cH3SJNSMsg/cve-2017-8461 
  • http://packetstormsecurity.com/files/161672/Microsoft-Windows-RRAS-Service-MIBEntryGet-Overflow.html

What Can We Learn from the SolarWinds Incident?

Lessons learned from the SolarWinds incident:

  1. Your risk boundary is not your network boundary.
  2. An attack timeline, from initial access to public disclosure, can run almost 19 months.
  3. Identity is the new "perimeter".
  4. Behavioral analysis techniques are required to identify an identity compromise.
  5. Network baselining and abnormal-behavior analytics are instructive.
  6. Think about whether you build software using third-party libraries.
  7. Think about whether you use products or services from any compromised party, including open source software.
  8. Think about whom you trust, and when you last validated that trust.
  9. Build the capability to detect TTPs, not just IOCs.
  10. CTI vendors use different code names for the same malware and threat actors, so expect to map them.

Mar 4, 2021

0-day Attack on Exchange Server (By HAFNIUM)

Your organization should be in incident response mode now if any OWA server was exposed to the Internet between 02/26 and 03/03.

Microsoft has detected multiple zero-day exploits being used to attack on-premises Exchange Server; the exploits allowed installation of web shells to facilitate long-term access to vulnerable servers.

Vulnerability Summary

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Remediation

Microsoft has provided scripts to check the patch level on Exchange servers and to scan the Exchange logs for indications of compromise.
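
The log checks behind those scripts are simple enough to reproduce. The following is an added example in Python (not Microsoft's Test-ProxyLogon.ps1 and not the detect_webshells.ps1 from the Mar 10 entry); it applies two of the published indicators to constructed log samples: unauthenticated HttpProxy requests whose AnchorMailbox matches the ServerInfo~*/* pattern (CVE-2021-26855), and OABGenerator "Download failed and temporary file" entries that point outside ClientAccess\OAB\Temp (CVE-2021-26858). The HttpProxy column names are real but the column set is reduced, the OABGenerator line layout is invented, and every value is made up; only the two indicator strings come from Microsoft's guidance:

```python
import csv
import re

# Constructed samples in the layout of the two Exchange logs Microsoft's guidance points at.
# Real HttpProxy logs carry many more columns; every value below is invented.
HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.000
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlHost,UrlStem,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent
2021-02-27T03:12:01.000Z,192.0.2.15,mail.example.com,/owa/,true,alice@example.com,alice@example.com,Mozilla/5.0
2021-02-27T03:14:40.000Z,192.0.2.15,mail.example.com,/ecp/,true,alice@example.com,Sid~S-1-5-21-1-2-3-1104,Mozilla/5.0
2021-02-28T22:41:09.000Z,198.51.100.23,mail.example.com,/ecp/y.js,false,,ServerInfo~a]@mail.example.com:444/ecp/proxyLogon.ecp?#,python-requests/2.25.1
2021-02-28T22:41:10.000Z,198.51.100.23,mail.example.com,/autodiscover/autodiscover.xml,false,,ServerInfo~mail.example.com,python-requests/2.25.1
"""

# Invented line layout; the check only relies on the message text Microsoft's findstr looks for.
OABGENERATOR_LOG = """2021-02-28T22:43:02.000Z,OABGenerator,Download failed and temporary file C:\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp\\oab.xml deleted
2021-02-28T22:43:05.000Z,OABGenerator,Download failed and temporary file C:\\inetpub\\wwwroot\\aspnet_client\\shell.aspx deleted
"""


def parse_exchange_csv(text):
    """Return one dict per data row. Exchange logs open with '#' metadata lines; the column
    header is taken from a '#Fields:' line when present, otherwise from the first non-comment line."""
    header = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = [c.strip() for c in line[len("#Fields:"):].split(",")]
            continue
        values = next(csv.reader([line]))
        if header is None:
            header = values
            continue
        rows.append(dict(zip(header, values)))
    return rows


# PowerShell's -like 'ServerInfo~*/*' (case-insensitive) as a regex.
ANCHOR_SSRF = re.compile(r"^ServerInfo~.*/", re.IGNORECASE)


def ssrf_hits(httpproxy_text):
    """CVE-2021-26855: unauthenticated requests whose AnchorMailbox was forged to reach a backend path."""
    return [
        (r["DateTime"], r["ClientIpAddress"], r["UrlStem"], r["AnchorMailbox"])
        for r in parse_exchange_csv(httpproxy_text)
        if r.get("AuthenticatedUser", "") == "" and ANCHOR_SSRF.match(r.get("AnchorMailbox", ""))
    ]


OAB_MARK = "Download failed and temporary file"
OAB_TEMP = re.compile(r"\\ClientAccess\\OAB\\Temp\\", re.IGNORECASE)


def oab_write_hits(oabgen_text):
    """CVE-2021-26858: the OAB generator wrote a temporary file somewhere other than
    ClientAccess\\OAB\\Temp, the only directory it should ever download to."""
    return [line.strip() for line in oabgen_text.splitlines()
            if OAB_MARK in line and not OAB_TEMP.search(line)]


def scan(httpproxy_text, oabgen_text):
    """Both checks at once. An empty result does not prove a clean server: CVE-2021-26857 and
    CVE-2021-27065 have their own indicators (event log and ECP logs) not covered here."""
    return {"CVE-2021-26855": ssrf_hits(httpproxy_text),
            "CVE-2021-26858": oab_write_hits(oabgen_text)}


if __name__ == "__main__":
    for cve, hits in scan(HTTPPROXY_LOG, OABGENERATOR_LOG).items():
        print(cve, len(hits), "hit(s)")
        for h in hits:
            print("  ", h)
```

On a real server, point the two functions at every file under Logging\HttpProxy (recursively) and Logging\OABGeneratorLog; the HttpProxy check in particular produces few false positives, so any hit should trigger a full incident response rather than just a patch.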

Links:

  • https://arstechnica.com/gadgets/2021/03/tens-of-thousands-of-us-organizations-hit-in-ongoing-microsoft-exchange-hack/
  • https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  • https://github.com/microsoft/CSS-Exchange

Mar 3, 2021

Public POC released for CVE-2021-24085

CVE-2021-24085 is a Microsoft Exchange Server spoofing vulnerability released as part of Microsoft's February Patch Tuesday advisories. The vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft Exchange Server; successful exploitation requires authentication and user interaction (visiting a malicious page).

A public proof-of-concept exploit is available, at https://github.com/sourceincite/CVE-2021-24085.

Links:

  • https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085

Vulnerability Scanning

Have you ever wondered whether you have performed all the vulnerability scanning your company needs? Or do you know how many types of vulnerability scanning a comprehensive vulnerability management program requires?

In general, here are what you should budget in your vulnerability scanning capability:

  1. Network/Host scanning
  2. Web application scanning
  3. Cloud scanning

Network/Host scan:

  • This is the minimum and most common scan.
  • Covering credential and network scans for mostly on-premises infrastructure.
  • Eg: Tenable Nessus, Rapid7 InsightVM, Qualys.

Web Application Scan:

  • Covering the web applications but not a substitution of penetration testing.
  • Scanning methodology includes SAST(white box) and DAST (black box), and need to be configured by subject matter experts. 
  • Eg: HCL (IBM) Appscan, Rapid7 InsightAppSec, Netsparker Enterprise.

Cloud scan:

  • This is very new and cannot be substituted by network/host scan.
  • Scanning vulnerability (or misconfiguration) on public cloud, container, and CI/CD pipeline. 
  • Eg: Prisma Cloud, AquaSec, Netskope Cloud Security, BlackDuck.

Note that each of these scans serves a different purpose and uses a very different classification of vulnerabilities. I see many mistakenly using a network/host scan as a substitute for cloud scanning, which gives a false sense of security.

The traditional network/host scan focuses roughly 80% on CVEs (missing patches) and 20% on misconfiguration, while the cloud scan focuses roughly 80% on misconfiguration. In other words, under the shift-left principle, the cloud scan treats an unpatched CVE as a misconfiguration (because of software-defined networking and automation).

Mar 2, 2021

Prisma Cloud Monitoring and Securing

Today I just completed the training on Prisma Cloud Monitoring and Securing (RETIRED), and scored 95% (23/24).