SonicWall Releases Advisory Regarding Critical Vulnerabilities in SMA 100 Series Products

 

Summary

25 January Update

 

Researchers found attackers attempting to exploit CVE-2021-20038, a critical unauthenticated stack-based overflow vulnerability affecting SonicWall SMA 100 Series products. Attackers appear to be attempting to exploit the vulnerability in the wild, as well as trying to conduct password spraying attacks against known SonicWall default passwords.

 

While attacks are ongoing in the wild, SonicWall released a statement saying it is currently unaware of any successful attacks. Still, organizations should ensure they are mitigating attacks by applying the patch for CVE-2021-20038 which SonicWall released in December 2021, as well as updating default SonicWall product passwords.

 

Original Content

 

SonicWall released a security advisory detailing a number of vulnerabilities affecting its SMA 100 Series products, including SMA 200, 210, 400, 410, and 500v appliances. In total, the advisory details two critical vulnerabilities, four high-risk vulnerabilities, and two medium-risk vulnerabilities.

 

The critical vulnerabilities are:

• CVE-2021-20038 (CVSS 9.8), an unauthenticated stack-based buffer overflow vulnerability
• CVE-2021-20045 (CVSS 9.4), which are multiple unauthenticated file explorer heap-based and stack-based overflow vulnerabilities

The high-risk vulnerabilities are:

• CVE-2021-20043 (CVSS 8.8), a getBookmarks heap-based overflow vulnerability
• CVE-2021-20041 (CVSS 7.5), an unauthenticated CPU exhaustion vulnerability
• CVE-2021-20039 (CVSS 7.2), an authenticated command injection as root vulnerability
• CVE-2021-20044 (CVSS 7.2), a post-authentication remote code execution vulnerability

SonicWall is currently unaware of any exploitation of these vulnerabilities in the wild.

Analysis

Affected Products and Versions

 

The vulnerabilities affect SMA 100 series products, including SMA 200, 210, 400, 410, and 500v appliances. The majority of these vulnerabilities also affect SMA 100 series appliances that have WAF enabled. A full matrix of impacted firmware and fixed firmware can be found here .

 

Potential Impact

 

Successful exploitation of the most severe of these vulnerabilities could lead to arbitrary code execution. This could allow attackers to install programs; view, modify, or delete data; or create new user accounts with full permissions. Additionally, in July 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) warned of attackers targeting known and previously patched vulnerabilities in SonicWall SMA 100 appliances to potentially launch ransomware attacks.

 

Recommendations

SonicWall has released updated firmware for the affected appliances and is urging organizations to immediately patch the appliances.Recommends organizations apply the patches as soon as possible after conducting the appropriate testing.

References

https://www.sonicwall.com/support/product-notification/product-security-notice-sma-100-series-vulnerability-patches-q4-2021/211201154715443/
https://www.cisa.gov/uscert/ncas/current-activity/2021/07/15/ransomware-risk-unpatched-eol-sonicwall-sra-and-sma-8x-products
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/08/sonicwall-releases-security-advisory-sma-100-series-appliances
https://www.bleepingcomputer.com/news/security/attackers-now-actively-targeting-critical-sonicwall-rce-bug/
https://twitter.com/buffaloverflow/status/1485671824725786633

Cisco Releases Multiple High-to-Critical Severity Security Updates

 Summary

Cisco recently released security updates to address vulnerabilities in multiple Cisco products, to include two vulnerabilities rated as ‘critical’ and three rated as ‘high’ severity.   These vulnerabilities include:   CVE-2022-20648 and CVE-2022-20649 (CVSS: 9.0) are critical severity vulnerabilities in the Cisco Redundancy Configuration Manager (RCM) for Cisco StarOS Software. These vulnerabilities could allow an unauthenticated, remote attacker to gain root-level privileges through remote code execution (RCE), further allowing an attacker to disclose sensitive information or execute arbitrary commands as the root user in the context of the configured container.   CVE-2022-20655 (CVSS: 8.8) is a high severity vulnerability in the implementation of the CLI on a device that is running ConfDdue to insufficient validation of a process argument on an affected device. This vulnerability could allow an authenticated, local attacker to perform a command injection attack.   This CVE also addresses a vulnerability in the implementation of the CLI for multiple Cisco products due to insufficient validation of a process argument on an affected product. Successful exploitation could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with the privileges of the management framework process, which are commonly root privileges.   CVE-2022-20685 (CVSS: 7.5) is a high severity vulnerability in the Modbus preprocessor of the Snort detection engine due to an integer overflow while processing Modbus traffic. This vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.   Cisco is not aware of these vulnerabilities being exploited in the wild. Analysis Affected Versions   Various versions are affected based on each specific vulnerability. Please refer to the Cisco Security Advisory site for further details.   Potential Impact   Successful exploitation of these vulnerabilities could potentially allow attackers up to root-level access on an affected device, cause a denial-of-service (DoS) condition, execute arbitrary commands, or manipulate device configuration, potentially resulting in the disclosure of sensitive information or system downtime.     Recommendations Cisco has released software updates to address the vulnerabilities; no workarounds are available for any of these vulnerabilities.   Recommends clients apply software updates as soon as possible after appropriate evaluation and testing have been completed. References https://tools.cisco.com/security/center/publicationListing.x https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rcm-vuls-7cS3Nuq https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-confdcli-cmdinj-wybQDSSh https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-9D3hJLuj

Be Aware of Potential COVID-19 Omicron-related Phishing Campaigns

 Summary

UPDATE: 12 January 2022

 

Researchers recently disclosed that a file, “Omicron Stats.exe”, was discovered that appears to be a variant of Redline Stealer malware.

 

Further details, including indicators of compromise (IoCs), are available at the following blog post.

 

Users should be aware of this file, which may be attached to phishing emails or campaigns related to the COVID-19 Omicron variant.

 

Original Content

 

People continue to have high awareness of COVID-19 and are often interested in news related to COVID-19, vaccines, and new variants. Any development in the spread of COVID-19, or the fight against it, tends to receive strong user attention.

 

News about the emerging Omicron variant has once again increased user attention to COVID-19 developments.

Analysis

News about the Omicron variant is still developing. Omicron, officially labelled as B.1.1.529 by the World Health Organization, varies greatly depending on the news or social media site. Research into the Omicron variant is ongoing and has yet to determine if the variant is more contagious, whether it causes more severe disease, and how effective current vaccines are against it.

 

But with emerging news, comes higher user interest. That increased user interest is something that hostile threat actors are likely to take advantage of as they include alleged Omicron updates in phishing emails. Attackers commonly use current news as subject lines in phishing emails, and historically, COVID-19 has proven no exception. Any additional news regarding the Omicron variant is likely to encourage attackers to send a new round of phishing emails, all designed to entice readers to click a fraudulent or malicious link to learn about any potential new COVID-19 development.

 

Users should expect to see phishing emails alleging to contain news about Omicron. These are likely to include some form of sensationalism to increase the chances of getting a user reaction. Based on previous COVID-19 phishing lures, users and organizations should expect to receive phishing emails with subject lines similar to (but not limited to) the following:

• Subject: Omicron variant most deadly yet
• Subject: Omicron in your area
• Subject: Order your PCR test for Omicron
• Subject: Your vaccine appointment

Potential impact

Phishing attacks are designed to entice users to click through to the attacker’s hostile sites and/or download malware. Depending on the malware, the impact of a successful phishing attack could include compromise and full control of the user’s system and all other accessible systems in the user’s corporate environment. Phishing attacks are often the first step of attacks, leading to the installation of remote access malware and ransomware.

 

Recommendations

 Other safeguards against a successful phishing attack include the following:

• Microsoft’s guide to assist organizations in configuring recommended settings in Microsoft Defender for Office 365, found here ,
• Applying anti-phishing Safe Links, found here , and
• Applying Safe Attachments policies, found here .

Instituting these policies can ensure real-time protection and scan malicious emails as they are delivered and opened. Organizations can further enhance security to mitigate with Microsoft 365 Defender, found here , which correlates signals from emails, endpoints, and other domains.

References

https://www.cnn.com/2021/11/26/health/omicron-variant-what-we-know/index.html
https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-EnhanceEmailandWebSecurity_S508C.pdf
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-safe-links-policies?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-safe-attachments-policies?view=o365-worldwide
https://www.microsoft.com/en-us/security/business/threat-protection/microsoft-365-defender
https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer

New Windows Server monthly patch updates cause DC boot loops, break Hyper-V

 

The latest Windows Server updates are causing severe issues for administrators, with domain controllers having spontaneous reboots, Hyper-V not starting, and inaccessible ReFS volumes until the updates are rolled back

Yesterday, Microsoft released the Windows Server 2012 R2 KB5009624 update, the Windows Server 2019 KB5009557 update, and the Windows Server 2022 KB5009555 update as part of the January 2022 Patch Tuesday.

After installing these updates, administrators have been battling multiple issues that are only resolved after removing the updates.

Windows domain controller boot loops

The most serious issue introduced by these updates is that Windows domain controllers enter a boot loop, with servers getting into an endless cycle of Windows starting and then rebooting after a few minutes.

As first reported by BornCity, this issue affects all supported Windows Server versions.

"Looks KB5009557 (2019) and KB5009555 (2022) are causing something to fail on domain controllers, which then keep rebooting every few minutes," a user posted to Reddit.

A Windows Server administrator told BleepingComputer that they see the LSASS.exe process use all of the CPU on a server and then ultimately terminate.

As LSASS is a critical process required for Windows to operate correctly, the operating system will automatically restart when the process is terminated.

The following error will be logged to the event viewer when restarting due to a crashed LSASS process, as another user on Reddit shared.

"The process wininit.exe has initiated the restart of computer [computer_name] on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006 Shutdown Type: restart Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart."

Hyper-V no longer starts

In addition to the boot loops, BleepingComputer has been told by Windows administrators that after installing the patches, Hyper-V no longer starts on the server.

This bug primarily affects Windows Server 2012 R2 server, but other unverified reports say it affects newer versions of Windows Server.

As Hyper-V is not started, when attempting to launch a virtual machine, users will receive an error stating the following:

"Virtual machine xxx could not be started because the hypervisor is not running."

Microsoft released security updates to fix four different Hyper-V vulnerabilities yesterday (CVE-2022-21901, CVE-2022-21900, CVE-2022-21905, and CVE-2022-21847), which are likely causing this issue.

ReFS file systems are no longer accessible

Finally, numerous admins are reporting that Windows Resilient File System (ReFS) volumes are no longer accessible or are seen as RAW (unformatted) after installing the updates.

The Resilient File System (ReFS) is a Microsoft proprietary file system that has been designed for high availability, data recovery, and high performance for very large storage volumes.

"Installed these updates tonight, in a two server Exchange 2016 CU22 DAG, running on Server 2012 R2. After a really long reboot, the server came back up with all the ReFS volumes as RAW," explained a Microsoft Exchange administrator on Reddit.

"NTFS volumes attached were fine. I realize this is not exclusively an exchange question but it is impacting my ability to bring services for Exchange back online."

Uninstalling the Windows Server updates made the ReFS volumes accessible again.

Yesterday, Microsoft fixed seven remote code execution vulnerabilities in ReFS, with one or more likely behind the inaccessible ReFS volumes.

These vulnerabilities are tracked as CVE-2022-21961, CVE-2022-21959, CVE-2022-21958, CVE-2022-21960, CVE-2022-21963, CVE-2022-21892, CVE-2022-21962, CVE-2022-21928.

How to fix?

Unfortunately, the only way to fix these issues is to uninstall the corresponding cumulative update for your Windows version.

Admins can do this by using one of the following commands:

Windows Server 2012 R2: wusa /uninstall /kb:KB5009624 
Windows Server 2019: wusa /uninstall /kb:KB5009557 
Windows Server 2022: wusa /uninstall /kb:KB5009555

As Microsoft bundles all security fixes into the single update, removing the cumulative update may fix the bugs, but will also remove all fixes for recently patched vulnerabilities.

Therefore, uninstalling these updates should only be done if absolutely necessary.

Not to be outdone by Windows Server, Windows 10 and Windows 11's updates are also breaking L2TP VPN connections.

Related Articles:

Microsoft January 2022 Patch Tuesday fixes 6 zero-days, 97 flaws

Microsoft Defender Log4j scanner triggers false positive alerts

Microsoft Azure App Service flaw exposed customer source code

Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flaws

Windows 11 KB5008215 update released with application, VPN fixes

Heap-Overflow Vulnerability Impacting Multiple VMware Products

 

GTIC-SB-202201-001: Heap-Overflow Vulnerability Impacting Multiple VMware Products   Intents: Threat Report   Tags: Admiralty Code - Completely reliable, Admiralty Code - Confirmed by other sources, Targeted Technology - VMWare, Theme - Vulnerability Intelligence, gtic-pap:EVDA   Summary CVE: CVE-2021-22045 CVSS: 7.7 Affected Products: VMware ESXi, VMware Workstation, VMware Fusion, VMware Cloud Foundation   VMware released a security advisory regarding a heap-overflow vulnerability in multiple products. CVE-2021-22045 is due to how virtual machines emulate CD-ROM devices in virtual machines. Successful exploitation of this vulnerability requires a CD image to be attached to the targeted machine.   At this time, VMware is unaware of any attackers attempting to exploit this vulnerability in the wild. Analysis Affected Products   A matrix of affected products and versions can be found here .   Potential Impact   Successful exploitation of this vulnerability could allow an attacker with access to a virtual machine with an emulated CD-ROM device to exploit this vulnerability to execute code on the hypervisor from a targeted virtual machine. Recommendations VMware released updates which address this vulnerability in the affected products. VMware also released workarounds which can be used as temporary solutions until the updates are deployed. Workaround for VMware ESXi Hosts Workaround for VMware Workstation VM Workaround for VMware Fusion VM NTT recommends organizations apply the update for affected products after conducting the appropriate evaluation and testing. References https://www.vmware.com/security/advisories/VMSA-2022-0001.html https://kb.vmware.com/s/article/87249 https://kb.vmware.com/s/article/87206 https://kb.vmware.com/s/article/87207