Top Middle East Cyber Threats – 27 September 2021
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Chrome Patches Two Publicly Exploited Vulnerabilities
On 14 September 2021, Google Chrome released a patch for a total of 9 CVEs, 2 of which are actively exploited in the wild. CVE-2021-30632 fixes an Out-of-Bounds (OOB) Write, while CVE-2021-30633 fixes a Use-After-Free bug. Both could lead to code execution at the level of the logged-on user. All of the bugs fixed in this release received a “High” severity rating from Google.
The CVE-2021-30632 OOB vulnerability, has been classified as critical. It affects some unknown functionality of the component v8, where manipulation with an unknown input leads to a memory corruption vulnerability. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction.
The CVE-2021-30633 UAF bug, has been classified as critical. It affects some unknown functionality of the component Indexed DB API. The manipulation with an unknown input leads to a memory corruption vulnerability.
RECOMMENDATIONS
- If using Chrome or Edge browser, patch your software to the newest version.
- Make efforts to increase visibility through endpoint detection, response, and logging. Endpoint monitoring tools are critical for detecting suspicious activity in an environment after other controls have been circumvented.
Google Chrome Zero-Day Widely Exploited
Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild.
The bug, tracked as CVE-2021-37973, is a use after free weakness in Portals, Google’s new web page navigation system for Chrome.
Successful exploitation of this vulnerability can let attackers execute arbitrary code on computers running unpatched Chrome versions.
RECOMMENDATIONS
- Install patches and keep systems up to date.
- Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
Microsoft Security Updates – September 2021
As part of its September 2021 updates, Microsoft fixed 66 security flaws in Windows components and Microsoft Windows, Microsoft Edge (Chromium, iOS, and Android), Office and Office Components, SharePoint Server, Azure, Microsoft Windows DNS, and Windows Subsystem for Linux.
The official notification identified three critical vulnerabilities, 62 important vulnerabilities, and one moderate severity vulnerability.
Among the most severe are:
- CVE-2021-40444 – CVSS 8.8 Microsoft MSHTML Remote Code Execution Vulnerability
This patch fixes a bug currently being exploited via Office documents.
A specially crafted ActiveX control is embedded in an Office document and then sent to a target. If opened on an affected system, code executes at the level of the logged-on user.
- CVE-2021-36965 – CVSS 8.8 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
This patch fixes a vulnerability that could allow network adjacent attackers to run their code on affected systems at SYSTEM level. The vulnerability could allow remote code execution, if a client or server with a wireless network interface enabled receives specially crafted wireless frames.
- CVE-2021-38647 – CVSS 9.8 OMI Remote Code Execution Vulnerability
This patch fixes an RCE bug in the Open Management Infrastructure (OMI). Some Azure products, such as Configuration Management, expose an HTTP/S port listening to OMI (typically port 5986). This configuration where the HTTP/S listener is enabled could allow remote code execution.
- CVE-2021-36968 – CVSS 7.8 Windows DNS Elevation of Privilege Vulnerability
This Elevation of Privilege (EoP) patch addresses a publicly known zero-day flaw in Windows DNS.
This month’s release contains two fixes for security feature bypasses (SFBs). CVE-2021-38632 addresses a vulnerability that could authorize an attacker with physical access to a powered-off system to gain access to encrypted data.
RECOMMENDATIONS
- Review the September 2021 “Release Notes” and “Deployment Information” for more details and apply the necessary patches as soon as possible.
- Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
- Make efforts to increase visibility through endpoint detection, response, and logging. Endpoint monitoring tools are critical for detecting suspicious activity in an environment after other controls have been circumvented.
Cisco Advisory Patches Three Critical Flaws
Cisco released an advisory addressing 31 vulnerabilities in different components of the IOS XE software as well as Cisco Access Points platform and Cisco SD-WAN vManage Software.
Three of them assigned with critical impact level affecting IOS XE software.
The most severe of the critical bugs is CVE-2021-34770, which Cisco calls a “logic error” that occurs during the processing of CAPWAP (Control And Provisioning of Wireless Access Points) packets that enable a central wireless Controller to manage a group of wireless access points.
A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition.
The next two critical bugs both have a rating of 9.8 out of 10 on the CVSS scale. The first of these is a software-buffer-overflow issue (CVE-2021-34727) in Cisco’s SD-WAN software (which can be enabled via IOS XE software), which could allow unauthenticated RCE as root and DoS attacks. It arises in the vDaemon process.
The last critical bug is CVE-2021-1619, a vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software that could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication.
RECOMMENDATIONS
- Install patches and keep systems up to date. More details are provided here.
- Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
References:
- Zero Day Initiative — The September 2021 Security Update Review
- CVE-2021-36968 – Security Update Guide – Microsoft – Windows DNS Elevation of Privilege Vulnerability
- CVE-2021-38647 – Security Update Guide – Microsoft – Open Management Infrastructure Remote Code Execution Vulnerability
- CVE-2021-36965 – Security Update Guide – Microsoft – Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
- CVE-2021-40444 – Security Update Guide – Microsoft – Microsoft MSHTML Remote Code Execution Vulnerability
- CVE-2021-30632 | Microsoft Edge v8 out-of-bounds write (vuldb.com)
- CVE-2021-30633 | Google Chrome Indexed DB API use after free (vuldb.com)
Google Chrome update advisory - https://tools.cisco.com/security/center/publicationListing.x
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html
- https://www.zerodayinitiative.com/blog/2021/9/14/the-september-2021-security-update-review-kpgpb