Skip to main content
Monthly Archives

February 2022

||

Why Log4j Keeps Getting Exploited

By Patch ManagementNo Comments

Why Log4j Keeps Getting Exploited

Cybercriminals are still using Log4j to rampage through enterprise after enterprise. What's the best way to protect your organization?

Log4j Still Being Targeted

It is a couple of months now since the Log4j vulnerability become public knowledge. Yet cybercriminals are still using it to rampage through enterprise after enterprise. Known as CVE-2021-44228, Log4j exploits Java servers that are ubiquitous in the enterprise. It has been spreading in the wild as fast as the Omicron variant of COVID-19. The sad part of the story is that the hacking world has jumped on it while many IT departments remain oblivious to it.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) keeps issuing warnings about it, attempting to raise awareness of the problem. Federal agencies have been ordered to search carefully through their systems for all Java servers and related dependences, and patch them all.

To make matters worse, nobody knows how long Log4j was being exploited by cybercriminals. Its discovery in early December 2021 does not mean that was the first time it was ever used by hackers. It could have been harnessed for months. Nevertheless, they are having a field day due to the number of potential systems at their disposal.

Consider the ubiquitous nature of Java:

  • About 9 million people are considered to be Java developers worldwide.
  • As many as 3 billion devices exist that are running Java in some form or another.
  • That includes nine of out ten desktops, laptops, and tablets.
  • Almost all enterprise desktops use Java.

That adds up to a lot of trouble for security personnel. As an analogy, imagine a relatively flat country like Poland trying to defend its borders while being attacked simultaneously by all the nations around it: Russia, Germany, Denmark, Sweden, Latvia, Belarus, Ukraine, Czech, and Slovakia – and having to deal with internal insurgency at the same time. Java is so pervasive that it offers hackers innumerable channels for exploitation. What worries security experts is that even a relatively thorough search for vulnerably Java servers might still miss one or two buried systems.

No wonder government agencies, open-source communities, and vendors have been issuing patches and remedies at a frantic pace. Here are a few highlights:

 

  • The Apache Software Foundation released a detailed series of fixes for Log4j on its software. This is the most recent of a series of Apache patches and fixes. The foundation made an early release of remedies and followed that up with another couple of releases due after finding more ways Log4j could exploit Apache.
  • Blumira announced the discovery of a nasty Log4j-related Javascript WebSocket attack vector that is very hard to detect.
  • Google announced that nearly vulnerable 20,000 Java packages were found inside the Maven Central repository.
  • JFrog found even more that are undetectable via dependency scanning.
  • Microsoft released a series of scanning tools a dashboard to detect Log4j vulnerabilities running on Windows and Linux.
  • CISA released a Log4J scanner.
  • CrowdStrike released its own scanner to find hidden vulnerabilities.

But as fast as fixes, scanner, and patches are issue, ransomware groups are harnessing Log4j in sophisticated ransomware scams. One Chinese gang, for example, is using Log4Shell to breach VMware server products. Another gang from Iran has found a way to use it to distribute a PowerShell toolkit to exploit Java applications.

Fixing the Log4j Mess

It isn’t easy to fix the mess left behind by vulnerable Java code. The advice from CISA is to draw up a detailed list of external facing devices that have Log4j installed. Take action on every alert on those devices. Install a web application firewall (WAF) that can automate alert consolidation and centralization. And patch, patch, and patch again.

There are scanners available such as those noted above, as well as quite a number of patches to install. The advice of the UK’s National Cyber Security Centre (NCSC) is to update all systems with the latest security patches.

“In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable.”

How to Protect Yourself from Log4j

Although a number of popular IT management and security tools are vulnerable, Syxsense is pleased to confirm that it does NOT use Log4j. Syxsense Secure and Enterprise customers can use the Syxsense security scanner to identify endpoints that are exposed to this new vulnerability.

Syxsense vulnerability scanner is not only a complete security management package, it is automated, repeatable, and generates quick results, delivering security and safety in a timely manner. With security scanning and patch management in one console, Syxsense Secure is the only product that not only shows you what’s wrong, but also deploys the solution.

It offers visibility into OS and third-party vulnerabilities like defects, errors, or misconfigurations of components, while increasing cyber resilience. And it is fully integrated with automated patch management software that lets you easily manage unpatched vulnerabilities with the click of a button.

Syxsense includes patch supersedence, patch roll back, and a wealth of automation features. In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo
||

New Google Chrome Zero Day Weaponized

By Patch ManagementNo Comments

Google Chrome Zero-Day Is Being Weaponized

Google has released 98.0.4758.102 today to the Stable Channel to resolve serious issues impacting Windows, Linux and Mac OS.  So far this year this is the first Google Zero Day version of the Chrome browser, on par with last year’s record cadence of 16 Weaponised versions throughout the year.  This vulnerability is being tracked under CVE-2022-0609 and are both Critical Severity.

A remote attacker can create a specially-crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

What’s the solution?

Upgrade to the latest version of Chrome stable channel using Syxsense Secure.

Syxscore Risk Alert

This vulnerability has a serious risk as this can be exposed over any network, with low complexity and without privileges.  The CVE carries a CVSS score of 8.8 (High Severity) and the vulnerability is being weaponized.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): No
Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo
||

Linux Vulnerabilities of the Week: February 14, 2022

By NewsNo Comments

Linux Vulnerabilities of the Week: February 14, 2022

See this week's top Linux issues and keep your IT environment protected from the latest February 2022 Linux vulnerabilities.

1. Integer overflow in function XML_GetBuffer in Expat (<2.4.4) affecting Red Hat Enterprise Linux 7 and 8

Severity: Critical         CVSS Score: 9.8

Expat (libexpat) is susceptible to a software flaw that causes process interruption. When processing many prefixed XML attributes on a single tag libexpat can terminate unexpectedly due to integer overflow.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a critical risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2022-23852

2. JMSAppender in Log4j 1.2 flaw

Severity: Important    CVSS Score: 7.5

JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender, which is not the default, and to the attacker’s JNDI LDAP endpoint.

Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a major risk as although this requires a complex attack to be exploited, this can be exposed over any network, with low privileges and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-4104

3. ASP.NET Core Krestel HTTP headers flaw

Severity: Important    CVSS Score: 7.5

This is a flaw in dotnet’s ASP.NET Core Krestel when pooling HTTP/2 and HTTP/3 headers. This vulnerability allows a remote, unauthenticated attacker to cause a denial of service.

The highest threat from this vulnerability is to system availability.

Syxscore Risk Alert

This vulnerability has a major risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2022-21986

4. Refcount leak in pep_sock_accept() in net/phonet/pep.c in the Linux kernel through 5.15.8

Severity: Medium       CVSS Score: 5.5

This is a memory leak flaw in the Linux kernel’s PhoNet (Phone Network protocol) functionality. A local user could use this flaw to starve the resources causing a denial of service.

The highest threat from this vulnerability is to confidentiality.

Syxscore Risk Alert

This vulnerability has a moderate risk as although this requires access to the same network as the device to be exploited, this can be exposed with a low complexity attack, low privileges, and without user interaction.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-45095

5. A null pointer dereference in bond_ipsec_add_sa() in the Linux Kernel affecting Red Hat Enterprise Linux 8

Severity: Medium       CVSS Score: 5.5

This is a null pointer dereference in the Linux kernel’s bonding driver in the way a user bonds a non-existing or fake device. This vulnerability allows a local user to crash the system, causing a denial of service.

The highest threat from this vulnerability is to system availability.

Syxscore Risk Alert

This vulnerability has a moderate risk as although this requires access to the same network as the device to be exploited, this can be exposed with a low complexity attack, low privileges, and without user interaction.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2022-0286

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo
||

Linux Vulnerabilities of the Week: February 08, 2022

By NewsNo Comments

Linux Vulnerabilities of the Week: February 8, 2022

See this week's top Linux issues and keep your IT environment protected from the latest February 2022 Linux vulnerabilities.

1. SQL injection in Log4j 1.x when the application is configured to use JDBCAppender

Severity: Critical         CVSS Score: 9.8

This is a flaw in the Java logging library Apache Log4j in version 1.x, which makes JDBCAppender in Log4j 1.x vulnerable to SQL injection in untrusted data. A remote attacker can use this vulnerability to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a critical risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2022-23305

2. A heap-based buffer overflow vulnerability in AIDE (<0.17.4) affecting Red Hat Enterprise Linux 6, 7 and 8

Severity: Important    CVSS Score: 7.8

AIDE allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), crash the program, and possibly execute arbitrary code, because of a heap-based buffer overflow.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a major risk as although this requires access to the same network as the device to be exploited, this can be exposed with a low complexity attack, low privileges and without user interaction.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-45417

CVE Reference(s): CVE-2021-44790

3. An uncontrolled resource consumption flaw in Go (< 1.16.12)

Severity: Important    CVSS Score: 7.5

This is a flaw in Golang’s net/http library in the canonicalHeader() function. It allows an attacker who submits specially crafted requests to applications linked with net/http’s http2 functionality to cause excessive resource consumption that could lead to a denial of service or otherwise impact system performance and resources.

The highest threat from this vulnerability is to system availability.

Syxscore Risk Alert

This vulnerability has a major risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-44716

4. Libreswan (4.2 through 4.5) flaw

Severity: Important    CVSS Score: 7.5

This is a flaw in Libreswan that remote attackers could exploit to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6.

The highest threat from this vulnerability is to system availability.

Syxscore Risk Alert

This vulnerability has a major risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2022-23094

5. Incorrect IdentityHashMap size checks during deserialization in Open JDK

Severity: Medium       CVSS Score: 5.3

This is an easily exploitable flaw in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries) that allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DoS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.

The highest threat from this vulnerability is to system availability.

Syxscore Risk Alert

This vulnerability has a moderate risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2022-21294

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo
February Patch Tuesday 2021

February Patch Tuesday 2022 Fixes 51 Vulnerabilities

By Patch Management, Patch TuesdayNo Comments

February Patch Tuesday 2022 Fixes 51 Vulnerabilities

The second Patch Tuesday of 2022 has arrived — tackle the latest Microsoft updates and vulnerabilities for the month of February.

Microsoft Releases 51 fixes this month including 1 Public Aware threat

here are 50 Important fixes in this release and 1 Moderate.  Microsoft Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code, and Microsoft Teams.

Year 3 Extended Support – Windows 7 and Windows Server 2008 (including R2) have received some updates this month.

Robert Brown, Head of Customer Success for Syxsense said, “This is the first year we have a Microsoft release which has not consisted of a Critical severity vulnerability rated by the Vendor.  This is the reason it is essential to compare different severity systems instead of relying on a single source of truth, in this case the vendor rated severity.  There are still extremely important vulnerabilities to remediate this month, the lack of a Critical vulnerabilities does not allow you to relax just yet.”

 

Top February 2022 Patches and Vulnerabilities

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below. As usual, we recommend our customers enter the CVE numbers below into your patch management solution and deploy as soon as possible.

1. CVE-2022-21989: Windows Kernel Elevation of Privilege Vulnerability

Windows does not properly impose security restrictions in Windows Kernel, which leads to security restrictions bypass and privilege escalation.

Syxscore

  • Vendor Severity: Important
  • CVSS: 7.8
  • Weaponised: No
  • Public Aware: Yes
  • Countermeasure: No

Syxscore Risk

  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges: Low
  • User Interaction: None
  • Scope (Jump Point): Yes

2. CVE-2022-21984: Windows DNS Server Remote Code Execution Vulnerability

This patch fixes a remote code execution bug in the Microsoft DNS server.  An attacker could completely take over your DNS and execute code with elevated privileges.

Syxscore

  • Vendor Severity: Important
  • CVSS: 8.8
  • Weaponised: No
  • Public Aware: No
  • Countermeasure: Yes – The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. 

Syxscore Risk

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges: Low
  • User Interaction: None
  • Scope (Jump Point): No

3. CVE-2022-21995: Windows Hyper-V Remote Code Execution Vulnerability

This patch fixes a guest-to-host escape in Hyper-V server and successful exploitation of this vulnerability may result in complete compromise of the system.

Syxscore

  • Vendor Severity: Important
  • CVSS: 7.9
  • Weaponised: No
  • Public Aware: No
  • Countermeasure: No

Syxscore Risk

  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges: None
  • User Interaction: Required
  • Scope (Jump Point): Yes
  • Scope (Jump Point): No

Syxsense Recommendations

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below which you should prioritize this month. Please pay close attention to any of these which are Publicly Aware and / or Weaponized.

CVE Title Vendor Severity CVSS Score Countermeasure Publicly Aware Weaponised Highly Recommended
CVE-2022-21989 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 Yes No Yes
CVE-2022-21984 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 Yes No No Yes
CVE-2022-22005 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No Yes
CVE-2022-23274 Microsoft Dynamics GP Remote Code Execution Vulnerability Important 8.3 No No Yes
CVE-2022-23256 Azure Data Explorer Spoofing Vulnerability Important 8.1 No No Yes
CVE-2022-23272 Microsoft Dynamics GP Elevation Of Privilege Vulnerability Important 8.1 No No Yes
CVE-2022-21991 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability Important 8.1 No No Yes
CVE-2022-21987 Microsoft SharePoint Server Spoofing Vulnerability Important 8 No No Yes
CVE-2022-21995 Windows Hyper-V Remote Code Execution Vulnerability Important 7.9 No No Yes
CVE-2022-21844 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-21926 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-21927 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-22004 Microsoft Office ClickToRun Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-22003 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-21988 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-22715 Named Pipe File System Elevation of Privilege Vulnerability Important 7.8 No No Yes
CVE-2022-21974 Roaming Security Rights Management Services Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-23276 SQL Server for Linux Containers Elevation of Privilege Vulnerability Important 7.8 No No Yes
CVE-2022-22709 VP9 Video Extensions Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-21996 Win32k Elevation of Privilege Vulnerability Important 7.8 No No Yes
CVE-2022-21981 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No Yes
CVE-2022-22000 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No Yes
CVE-2022-21994 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No Yes
CVE-2022-21992 Windows Mobile Device Management Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-21999 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No Yes
CVE-2022-22718 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No Yes
CVE-2022-22001 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No Yes
CVE-2022-21971 Windows Runtime Remote Code Execution Vulnerability Important 7.8 No No Yes
CVE-2022-23263 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 7.7 No No Yes
CVE-2022-21986 .NET Denial of Service Vulnerability Important 7.5 No No
CVE-2022-21965 Microsoft Teams Denial of Service Vulnerability Important 7.5 No No
CVE-2022-21993 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No
CVE-2022-21957 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Important 7.2 No No
CVE-2022-23273 Microsoft Dynamics GP Elevation Of Privilege Vulnerability Important 7.1 No No
CVE-2022-21997 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.1 No No
CVE-2022-22717 Windows Print Spooler Elevation of Privilege Vulnerability Important 7 No No
CVE-2022-23269 Microsoft Dynamics GP Spoofing Vulnerability Important 6.9 No No
CVE-2022-23271 Microsoft Dynamics GP Elevation Of Privilege Vulnerability Important 6.5 No No
CVE-2022-23262 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 6.3 No No
CVE-2022-23255 Microsoft OneDrive for Android Security Feature Bypass Vulnerability Important 5.9 No No
CVE-2022-22712 Windows Hyper-V Denial of Service Vulnerability Important 5.6 No No
CVE-2022-22716 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No
CVE-2022-23252 Microsoft Office Information Disclosure Vulnerability Important 5.5 No No
CVE-2022-22710 Windows Common Log File System Driver Denial of Service Vulnerability Important 5.5 No No
CVE-2022-21998 Windows Common Log File System Driver Information Disclosure Vulnerability Important 5.5 No No
CVE-2022-21985 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No
CVE-2022-22002 Windows User Account Profile Picture Denial of Service Vulnerability Important 5.5 No No
CVE-2022-23280 Microsoft Outlook for Mac Security Feature Bypass Vulnerability Important 5.3 No No
CVE-2022-23261 Microsoft Edge (Chromium-based) Tampering Vulnerability Moderate 5.3 No No
CVE-2022-23254 Microsoft Power BI Elevation of Privilege Vulnerability Important 4.9 No No
CVE-2022-21968 Microsoft SharePoint Server Security Feature Bypass Vulnerability Important 4.3 No No
Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo