Cyber Security Weekly Briefing 8–14 January

Telefónica Tech    14 January, 2022

Microsoft security bulletin

Microsoft has published its January security bulletin, in which it fixes a total of 97 bugs, including six 0-day vulnerabilities and nine bugs classified as critical. Regarding the 0-days, no active exploitation has been detected, but several of them have public proofs of concept, so exploitation in the short term is likely. Among the flaws classified as critical, CVE-2022-21907 (CVSS 9.8) stands out: it affects the latest desktop and server versions of Windows. It is a vulnerability in the HTTP protocol stack whose exploitation would result in remote code execution, and it has been labelled “wormable”. The other flaw to note is another remote code execution, in this case in Microsoft Office (CVE-2022-21840, CVSS 8.8), patched for Windows versions but not yet for macOS devices. As with the 0-days, according to Microsoft, no exploits have been detected for these two vulnerabilities either.

New JNDI vulnerability in H2 database console

Researchers at JFrog have discovered a critical unauthenticated remote code execution vulnerability in the H2 database console. The vulnerability shares its root cause with Log4Shell (JNDI remote class loading) and has been assigned the identifier CVE-2021-42392. H2 is a popular open source Java SQL database widely used in various projects. Despite being critical and sharing features with Log4Shell, the researchers indicate that its impact is smaller, for several reasons. Firstly, the flaw has a direct impact: the server that processes the initial request is the same server that is affected, which makes it easier to identify vulnerable servers. Secondly, the default configuration of H2 is secure, unlike Log4Shell, where default configurations were vulnerable. And finally, many vendors use the H2 database but not the console, so while there are vectors to exploit the flaw beyond the console, those other vectors are context-dependent and less likely to be exposed to remote attacks. Despite attributing less risk to this flaw than to Log4Shell, the researchers warn that for anyone running an H2 console exposed to the LAN the flaw is critical, and they should upgrade to version 2.0.206 as soon as possible. The firm has also shared guidance for network administrators to check whether they are vulnerable to the new flaw.

Five new URL parsing confusion flaws

Researchers at Team82 and Snyk have published a research paper studying in depth how different libraries parse URLs and how these differences can be exploited by attackers, by analysing URL parsing confusion bugs. They analysed a total of 16 different URL (Uniform Resource Locator) parsing libraries and detected five kinds of inconsistencies present in some of them, which could be exploited to cause denial-of-service conditions, information exposure or even, under certain circumstances, remote code execution. The five inconsistencies observed are: scheme confusion, slash confusion, backslash confusion, URL encoded data confusion and scheme mixup. In addition to identifying these inconsistencies, they report the detection of eight vulnerabilities that directly affect different frameworks or even programming languages and that have already been patched, except in some unsupported versions of Flask: Flask-security (Python, CVE-2021-23385), Flask-security-too (Python, CVE-2021-32618), Flask-User (Python, CVE-2021-23401), Flask-unchained (Python, CVE-2021-23393), Belledonne’s SIP Stack (C, CVE-2021-33056), Video.js (JavaScript, CVE-2021-23414), Nagios XI (PHP, CVE-2021-37352) and Clearance (Ruby, CVE-2021-23435). In their study they stress the relevance of this type of URL parsing error, using Log4Shell as an example, since the bypass of Apache’s initial bug fix was possible thanks to the presence of two different URL parsers within the JNDI lookup process, each of which parsed the URL differently.
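A defensive way to deal with the five confusion classes listed above is to refuse any URL shape on which parsers are known to disagree before it reaches whichever parser a framework happens to use. The routine below is an added example (not code from the Team82/Snyk paper); `ALLOWED_HOSTS` is a hypothetical allowlist, and `stdlib_view` shows how Python's own `urllib.parse` splits the rejected shapes.

```python
"""Strict URL pre-validation keyed to the five parsing-confusion classes
the Team82/Snyk research names. Added example; ALLOWED_HOSTS is a
hypothetical allowlist, not something from the paper."""
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "api.example.com"}  # hypothetical allowlist

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.DOTALL)


def classify_url(url: str):
    """Return None when the URL is unambiguous and its host is allowed,
    otherwise the confusion class (or policy rule) that rejects it.
    The idea is to refuse shapes on which parsers are known to disagree
    rather than trust whichever parser happens to run first."""
    if "\\" in url:
        return "backslash confusion"   # some parsers treat '\' like '/'
    m = SCHEME_RE.match(url)
    if not m:
        return "scheme confusion"      # no scheme: host may be read as path
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme not in ALLOWED_SCHEMES:
        return "scheme mixup"          # non-HTTP scheme fed to HTTP logic
    if not rest.startswith("//") or rest.startswith("///"):
        return "slash confusion"       # exactly two slashes before authority
    authority = re.split(r"[/?#]", rest[2:], maxsplit=1)[0]
    if "%" in authority:
        return "URL encoded data confusion"  # %-escapes in host/userinfo
    if not authority or "@" in authority:
        return "ambiguous authority"   # empty host or userinfo: reject
    host = urlsplit(url).hostname      # now safe to hand to the stdlib parser
    return None if host in ALLOWED_HOSTS else "host not allowed"


def stdlib_view(url: str):
    """Show how urllib.parse itself splits a shape that classify_url
    rejects, as (scheme, netloc, path): note where the host ends up."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path
```

For `example.com/path`, `http:///example.com` and `http:\\example.com`, `stdlib_view` returns an empty netloc and places the host in the path, which is exactly the kind of disagreement an allowlist check built on a different parser would miss.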

MuddyWater: Link to Iran and technical issues

The Cyber National Mission Force (CNMF) of US Cyber Command has published a note linking the APT known as MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS) and detailing some technical aspects associated with the group. MuddyWater was first identified in 2017, with targets located primarily in the Middle East, Europe and North America, and in the telecommunications, government and oil industry sectors. The release identifies some open source tools used by this malicious actor, including variants of PowGoop, samples of the Mori backdoor, and DLL sideloading to trick legitimate programmes into executing malware.

0-day vulnerabilities detected in AWS CloudFormation and AWS Glue

Security researchers at Orca Security have detected two 0-day vulnerabilities in different Amazon Web Services (AWS) services. The first flaw was in the AWS CloudFormation service and consisted of an XXE (XML External Entity) vulnerability, which allowed threat actors to disclose confidential files located on the vulnerable service machine, as well as credentials for internal AWS infrastructure services. The second vulnerability affected the AWS Glue service and stemmed from an exploitable feature that allowed the credentials needed to access the internal service’s API to be obtained, from which administrator permissions could be gained. An AWS spokesperson assured that no customer data was affected by the vulnerabilities in either service. It should be noted that both vulnerabilities were fixed by the AWS security team after they were reported by the researchers.
