
Highlight From Security Analysis – Message From The Head Of Security Analysis

Hanna Mathai

By Mukhammad Khalilov, Head of Security Analysis


Last quarter the Help AG security analysis team was busy with several security assessments focused on application-layer security and red teaming exercises. In the course of this work we continue to see many vulnerabilities rooted in weaknesses of the application core: while organizations rely on web application firewalls, logical attacks remain a major risk factor, and a firewall does not block them. This is where penetration testing comes in handy, finding vulnerabilities based on access-control attacks and bypasses of attack prevention technologies.

We advise organizations to perform continuous security assessment and penetration testing during the application development stage and at every new feature addition, instead of relying solely on web application firewalls. Before an application is presented for public use, its strength must be assessed against logical attacks and business process exploitation. Another trend that gained prominence last quarter was an increase in mass attacks using social engineering for financial gain. In other instances, information gathered from public networks was turned into spear phishing, with the attackers threatening to release the information publicly unless a cryptocurrency payment is made. In these social engineering and ransomware scenarios, we advise customers not to pay the fees and not to trust the information the attackers claim to have obtained, as paying only encourages them further. Some recommendations to keep in mind:

  • Perform regular code analysis.
  • Perform penetration testing, including business logic attacks.
  • Keep track of changes to critical features and application functionality.
  • Perform regular cyber hygiene training against phishing attacks.
  • Financial sector organizations should put Red Teaming at the top of their agenda, on top of infrastructure penetration testing.
  • Don’t use company laptops for personal work.

I would like to end with one final thought – never underestimate the importance of application and customer data, and secure both at the application layer as well as in the way they are stored on the back end.

Most Exploited Vulnerabilities
1) CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability

Quarter 3 of 2021 saw many new vulnerabilities disclosed, one of them in Microsoft Exchange Server, which is used globally by many organizations. The vulnerability, also known as the ProxyShell exploit chain, can be used against unpatched Microsoft Exchange Servers, which are usually hosted on-premises and reachable from the internet.

Remediation

It is important to install the patch released by Microsoft on the servers and to follow the guidelines set by Microsoft.

Follow the MS Exchange update guides and https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473

2) CVE-2021-35211 – Remote code execution (RCE) vulnerability in SolarWinds Serv-U

Remote code execution vulnerability in SolarWinds Serv-U version 15.2.3 HF1, which was released on May 5, 2021. The Microsoft team discovered this exploit, which allows an attacker to gain privileged access to the machine hosting Serv-U only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.

Remediation

SolarWinds has released upgrade instructions based on the version in use:

Affected Serv-U Version – Upgrade Instructions

15.2.3 HF1:

  1. Apply the 15.2.3 HF2 patch

15.2.3:

  1. Apply the 15.2.3 HF1 patch
  2. Apply the 15.2.3 HF2 patch

Below 15.2.3:

  1. Upgrade to 15.2.3
  2. Apply the 15.2.3 HF1 patch
  3. Apply the 15.2.3 HF2 patch

3) CVE-2021-20509 – CSV injection leads to arbitrary command execution

IBM Maximo Asset Management is vulnerable to CSV injection, which allows a remote attacker to execute arbitrary commands on the system; the root cause is improper validation of CSV file contents.

The affected versions for this vulnerability are reported to be IBM Maximo Asset Management 7.6.0.x and 7.6.1.x.

Remediation

IBM recommends downloading the appropriate Interim Fix or Fix Pack from Fix Central and applying it to the affected product based on the version in use.
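The improper validation mentioned above is the general weakness behind CSV injection: a cell that begins with a formula trigger character is evaluated, rather than displayed, when the file is opened in a spreadsheet application. The following is an added example, not code from this page or from IBM, showing the defensive control an application can apply to CSV content it produces or accepts: detect formula-like cells (for logging or alerting on import) and neutralize them with a leading single quote so they render as text. The field names, the asset records and the numeric-cell exception are constructed assumptions for illustration.

```python
import csv
import io

# Leading characters that common spreadsheet applications treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_numeric(cell: str) -> bool:
    """Plain numbers such as "-250.00" start with a trigger but are harmless; keep them unchanged."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def needs_neutralizing(cell: str) -> bool:
    """True if the cell would be evaluated as a formula rather than shown as text."""
    return cell.startswith(FORMULA_TRIGGERS) and not is_numeric(cell)


def neutralize_cell(cell: str) -> str:
    """Prefix a formula-like cell with a single quote, which spreadsheets display as literal text."""
    return "'" + cell if needs_neutralizing(cell) else cell


def find_suspicious_cells(rows):
    """Return (row_index, col_index, value) for every formula-like cell; useful for alerting on import."""
    return [
        (r, c, str(value))
        for r, row in enumerate(rows)
        for c, value in enumerate(row)
        if needs_neutralizing(str(value))
    ]


def sanitize_rows(rows):
    """Apply neutralize_cell to every field of every row."""
    return [[neutralize_cell(str(value)) for value in row] for row in rows]


def write_csv(rows) -> str:
    """Serialize sanitized rows; csv.writer handles quoting of commas and quotes itself."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(sanitize_rows(rows))
    return buf.getvalue()


# Constructed sample export: one record carries a formula-like description, one a negative cost.
SAMPLE_ROWS = [
    ["asset_id", "description", "cost"],
    ["A-100", "Pump, building 3", "-250.00"],
    ["A-101", "=SUM(1,2)", "1200"],
]

if __name__ == "__main__":
    for r, c, value in find_suspicious_cells(SAMPLE_ROWS):
        print(f"formula-like cell at row {r}, column {c}: {value!r}")
    print(write_csv(SAMPLE_ROWS), end="")
```

The single-quote prefix is the widely used neutralization because it survives round trips through most spreadsheet applications; the numeric exception keeps legitimate negative amounts readable, which a naive prefix-everything rule would not. On the import side, the same `needs_neutralizing` check is the point at which to reject or log a suspicious file before its contents reach any component that evaluates them.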

4) CVE-2021-22941 – Improper Access Control in Citrix ShareFile storage zones controller

An attacker can remotely compromise the storage zones controller on versions below 5.11.20 by manipulating input, which leads to a privilege escalation vulnerability.

Remediation

It is recommended to upgrade to ShareFile Storage Zones Controller 5.11.20 or the latest version available.

5) CVE-2021-33907 – Improper Certificate Validation vulnerability in Zoom Meetings

Zoom is a widely used online teleconferencing application, used for meetings by professionals and for online classes by students. On 09/27/2021 a 0-day vulnerability was disclosed publicly, with no exact exploit available in public. The vulnerability allows an attacker to use unknown code in the MSI file handler component, which leads to a weak authentication vulnerability.

Remediation

It is recommended to download the later version of Zoom for Windows, which is Version 5.8.3, or the latest version available.