Hello everyone! This is a new episode with my comments on the latest Information Security news.
Exchange ProxyShell
I want to start with something about attacks on Exchange. ProxyShell is in the news: the LockFile ransomware has compromised more than 2000 servers. On the other hand, there is basically nothing new to say here.
ProxyShell is the name for 3 vulnerabilities. The bulletins for Remote Code Execution CVE-2021-34473 and Exchange Server Elevation of Privilege CVE-2021-34523 were released on July 13, but the vulnerabilities had already been fixed by the April Patch Tuesday patches. Yes, that happens sometimes. The bulletin for Security Feature Bypass CVE-2021-31207 was released on May 11. Users had 4 months to install the updates. Interestingly, 2 out of 3 vulnerabilities have the property “Less likely to be exploited”. As you can see, that rating is pretty useless.
In addition to these spring vulnerabilities, there was also a set of July vulnerabilities (CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-34470). It is not yet clear whether they will be used in real-life attacks. Maybe yes, maybe no. But you need to install the patches anyway.
One thing is clear: Exchange is a great target. It is used almost everywhere. It is a Windows host that is reachable from the network perimeter. It’s scary to patch it: when the email service stops working, everyone notices. But keeping Exchange without updates is even worse. Therefore, the only option is to change the infrastructure so that testing and installing the updates takes a minimum of time. A patch released on Tuesday should ideally be installed on Wednesday. Everything else is dangerous. I’m not even talking about the pathological cases where an organization continues to use Exchange 2010, for which there are no more updates.
Zoom RCE
Have you already seen the nice analysis of a Zoom Remote Code Execution that does not require any user interaction? About two minutes of magic with call/message notifications, and a calculator window appears on the target host. Very cool and effective.
And here it should be noted that Zoom does not force updates. To update, you need to go to Settings and click the “Check for Updates” button. I had version 2.7.4 and Zoom was not showing any notifications. After clicking on “Check for Updates”, Zoom updated to 2.7.6. Forced updates are not configurable in any way via the GUI, but in a corporate environment it seems they can be enabled using group policies: EnableClientAutoUpdate, EnableSilentAutoUpdate, AlwaysCheckLatestVersion.
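As an added example (not from the original post), here is a PowerShell audit that reports whether the three policies mentioned above are set on a Windows host and which Zoom version each local user profile has installed, with an optional function to enable the policies. It assumes the policy key is HKLM:\SOFTWARE\Policies\Zoom\Zoom Meetings\General and the per-user client lives at %APPDATA%\Zoom\bin\Zoom.exe; both paths are assumptions to adjust for your deployment.

```powershell
# Added example: audit Zoom auto-update policy and installed client versions.
# Assumptions: policy key path and per-user install path as stated in the lead-in.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Zoom\Zoom Meetings\General'
$Policies  = 'EnableClientAutoUpdate', 'EnableSilentAutoUpdate', 'AlwaysCheckLatestVersion'

function Get-ZoomUpdatePolicy {
    # One row per policy: the raw value (null if absent) and whether it is set to 1.
    foreach ($name in $Policies) {
        $value = $null
        if (Test-Path $PolicyKey) {
            $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{ Policy = $name; Value = $value; Enabled = ($value -eq 1) }
    }
}

function Get-ZoomClientVersions {
    # Zoom installs per user by default, so walk every profile under C:\Users.
    Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
        $exe = Join-Path $_.FullName 'AppData\Roaming\Zoom\bin\Zoom.exe'
        if (Test-Path $exe) {
            [pscustomobject]@{
                User    = $_.Name
                Version = (Get-Item $exe).VersionInfo.ProductVersion
            }
        }
    }
}

function Enable-ZoomAutoUpdate {
    # Remediation: create the policy key if needed and set all three values to 1.
    # Requires an elevated session; a deployment tool or GPO is the usual way to roll this out.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Policies) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
    }
}

$policy = Get-ZoomUpdatePolicy
$policy | Format-Table -AutoSize
if ($policy | Where-Object { -not $_.Enabled }) {
    Write-Warning 'Forced updates are not fully enabled; users must click "Check for Updates" themselves.'
}
Get-ZoomClientVersions | Format-Table -AutoSize
```

Run the audit first; call Enable-ZoomAutoUpdate only after confirming the key path matches your Zoom deployment documentation.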
Citrix Canceled PT Acknowledgments
Cool story. Citrix quietly removed Positive Technologies employees Klyuchnikov and Medov from the acknowledgment sections for the CVE-2019-19781 and CVE-2020-8209 vulnerabilities. There was a mention in March, but not in August. Citrix canceled their “thanks”, so to speak. And it is clear why: the US sanctions against Positive Technologies. And when this was pointed out and Citrix was shamed on Twitter, they put everything back. Also quietly. Well, such cuties, huh? ^_^
Cisco No Patch Router RCEs
Not news, but an interesting feature of the brave new world. How it used to be: you buy hardware and use it until it breaks. Now any hardware requires constant updating for safe operation. And after a certain moment the vendor shrugs its shoulders and says “sorry, End Of Life”. For example, this is how Cisco responded to the RCE vulnerability CVE-2021-34730 (CVSS score: 9.8) in the UPnP service of the SMB routers RV110W, RV130, RV130W and RV215W. They write that you should either disable UPnP completely or throw out the router and buy a new one. On the one hand, UPnP is certainly not secure and you don’t need to use it. But come on, this is a legitimate feature, and Cisco doesn’t want to fix vulnerabilities in it for not-so-old hardware released in 2011-2013. Moreover, this is not the first RCE in these routers that they do not want to fix: in April there was CVE-2021-1459 in the admin web interface. In terms of functionality, the devices are quite adequate, given that they now cost less than $100.
“The RV130W Wireless-N Router offers investment protection as your small business needs evolve. This multifunctional networking device features:
- Gigabit Ethernet connections, including a four-port managed switch
- USB 3G/4G failover support
- Built-in, high-speed wireless-N access point
- IP Security (IPsec) VPN for flexible remote access
- Support for separate virtual networks and wireless guest access”.
And formally they are right. But I would like the support period to be longer, for critical vulnerabilities to be fixed even after this period, for it to be possible to install alternative firmware, and for mandatory labeling of when the device “turns into a pumpkin.” There is a lot to wish for. 🙂
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to yet another Telegram channel, @avleonovrus; that is now where I write first.