A Month In Breaches: September

Patches are urgently needed against a wave of bugs affecting organisations' cybersecurity posture.

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. This month, we have seen the threat landscape plagued with bugs, prompting patching updates from multiple players in the industry – such as VMware, Google and Cisco.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening on the expansive and scary internet.

VMware Warns of Ransomware Bugs in vCenter Server (CVE-2021-22005)

Honeypots are recording malicious actors scanning for servers vulnerable to the critical arbitrary file upload flaw in vCenter Server. VMware has released a security update that includes patches for 19 CVEs affecting the company’s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers. One of them, CVE-2021-22005, is a critical arbitrary file upload vulnerability in the Analytics service that has been assigned a CVSSv3 base score of 9.8. It can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the vCenter Server configuration settings. Attackers are therefore also using phishing to compromise an internal device from which they can reach vCenter.

The quickest way to resolve these serious issues is to patch vCenter Server. If that is not possible, VMware has workarounds, but only for the critical vulnerability, CVE-2021-22005. The workaround is listed in the response matrix at the bottom of VMware’s security advisory VMSA-2021-0020 and involves editing a text file on the VCSA and restarting services. CTRL Group recommends immediately patching your VMware vCenter to close these loopholes.


Cisco Bugs Allow for Code Execution on Wireless, SD-WAN

Three new critical vulnerabilities were discovered and patched in Cisco Systems’ IOS XE network operating system. These vulnerabilities could be leveraged by attackers to execute arbitrary code with administrative privileges, and one of them can also be used to trigger a DoS condition on vulnerable devices.

The three highest-CVSS vulnerabilities patched in the 22 September release were:

  1. CVE-2021-34770 (CVSS score: 10.0) – Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution Vulnerability

Affected devices:

    • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
    • Catalyst 9800 Series Wireless Controllers
    • Catalyst 9800-CL Wireless Controllers for Cloud
    • Embedded Wireless Controller on Catalyst Access Points

  2. CVE-2021-34727 (CVSS score: 9.8) – Cisco IOS XE SD-WAN Software Buffer Overflow Vulnerability

Affected devices:

    • 1000 Series Integrated Services Routers (ISRs)
    • 4000 Series ISRs
    • ASR 1000 Series Aggregation Services Routers
    • Cloud Services Router 1000V Series

  3. CVE-2021-1619 (CVSS score: 9.8) – Cisco IOS XE Software NETCONF and RESTCONF Authentication Bypass Vulnerability

Affects devices running:

    • Cisco IOS XE software, if configured for autonomous or controller mode
    • Cisco IOS XE SD-WAN software

Few vulnerabilities reach the maximum CVSS score of 10.0, so this was a serious find and patch. The CAPWAP vulnerability allows an attacker to send specially crafted CAPWAP packets to an affected device; if successful, this results in remote code execution on the wireless controller with administrator-level privileges, or causes the device to crash and reload, effectively creating a denial of service.

These are only three of the vulnerabilities patched, yet they affect a large range of devices. CTRL Group recommends updating every Cisco device you have to its most current patched release to mitigate any potential exploitation of these bugs by threat actors.


Urgent Chrome Update Released to Patch Actively Exploited Zero-Day Vulnerability

Google has rolled out an emergency security patch to its Chrome web browser to address a security flaw known to have an exploit in the wild. This zero-day is tracked as CVE-2021-37973 and is described as a use-after-free in the Portals API, a web page navigation system that enables a page to show another page as an inset and “perform a seamless transition to a new state, where the formerly-inset page becomes the top-level document.”

The update arrives a day after Apple moved to close an actively exploited security hole in older versions of iOS and macOS (CVE-2021-30869), which Google’s Threat Analysis Group (TAG) noted as being used in conjunction with an N-day remote code execution exploit targeting WebKit.

Chrome users are advised to update to the latest version (94.0.4606.61) for Windows, Mac, and Linux by heading to Settings > Help > ‘About Google Chrome’ to mitigate the risk associated with the flaw.
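A small fleet-check script, added here as an example and not part of the original post, that compares reported Chrome versions against the fixed build 94.0.4606.61 numerically rather than as strings (a plain string compare ranks “94.0.4606.9” above “94.0.4606.61”); the host inventory it runs over is constructed.

```python
"""Flag Chrome installs older than the fixed build named in the advisory.

Added example, not CTRL Group's code. Hostnames and versions below are made up.
"""
from typing import Dict, List, Optional, Tuple

# Fixed Chrome build for CVE-2021-37973, as stated in the advisory text above.
FIXED_VERSION = "94.0.4606.61"


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '94.0.4606.61' into (94, 0, 4606, 61) for field-by-field comparison.

    Returns None for anything that is not four dotted integers, so a missing or
    garbled version is reported as unknown rather than silently treated as safe.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version >= fixed, False if older, None if unparseable."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    return v >= f


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (host, version) pairs into patched / vulnerable / unknown buckets."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        status = is_patched(version)
        bucket = "unknown" if status is None else ("patched" if status else "vulnerable")
        report[bucket].append(host)
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("ws-fin-01", "94.0.4606.61"),  # exactly the fixed build
    ("ws-fin-02", "94.0.4606.54"),  # earlier 94 build, still vulnerable
    ("ws-hr-03", "93.0.4577.82"),   # previous major release
    ("ws-dev-04", "94.0.4606.71"),  # newer than the fix
    ("ws-dev-05", "unknown"),       # agent did not report a version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```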

With the latest fix, Google has addressed a total of 12 zero-day flaws in Chrome since the start of 2021:


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, Murray, Vignesh and Manharsh.