Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 
Cisco Talos recently discovered an out-of-bounds read vulnerability in the ESTsecurity Corp.’s Alyac antivirus software that could cause a denial-of-service condition.  
If successful, an attacker could...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw._ 

Cisco Talos recently discovered an out-of-bounds read vulnerability in the ESTsecurity Corp.’s Alyac antivirus software that could cause a denial-of-service condition.  

If successful, an attacker could trigger this vulnerability to stop the program from scanning for malware, which would be crucial in a potential attack scenario. Alyac is an antivirus software developed for Microsoft Windows machines. 

TALOS-2022-1452 (CVE-2022-21147) is a vulnerability that exists in a specific Alyac module that, eventually, leads to a crash of Alyac’s scanning process, which effectively neutralizes the antivirus scan. 

Cisco Talos worked with ESTsecurity to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy. 

Users are encouraged to update these affected products as soon as possible: ESTsoft Alyac, version 2.5.7.7. Talos tested and confirmed this version is affected by this vulnerability. 

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 59014 and 59015. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Vulnerability in Alyac antivirus program could stop virus scanning, cause denial of service 

Suspected DDoS attack took place one hour before Russia invaded Ukraine

Suspected DDoS attack took place one hour before Russia invaded Ukraine

The EU has blamed Russia for a powerful cyber-attack that disrupted satellite broadband services in Ukraine and “helped facilitate President Vladimir Putin’s invasion of the country”.

Thousands of modems were knocked offline by the attack on the KA-SAT network, which took place one hour before Russia’s invasion of Ukraine commenced on February 24.

The suspected distributed denial-of-service (DDoS) attack caused communication outages and other disruptions for government websites and banks in Ukraine, and affected several EU Member States that also use the KA-SAT network.

**‘Unacceptable’**

The KA-SAT satellite and network is operated by US telecoms giant Viasat, which provides connectivity to military as well as commercial customers.

“This unacceptable cyber-attack is yet another example of Russia’s continued pattern of irresponsible behaviour in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine,” reads a statement issued today (May 10) by the Council of the EU.

Read more of the latest cybersecurity news from Ukraine

Cyber-attacks against critical infrastructure “could spill over into other countries and cause systemic effects putting the security of Europe’s citizens at risk”, it warned.

“The European Union, working closely with its partners, is considering further steps to prevent, discourage, deter and respond to such malicious behaviour in cyberspace. The European Union will continue to provide coordinated political, financial and material support to Ukraine to strengthen its cyber resilience.”

**Russian cyber-war**

Although Russian-backed cybercrime groups have apparently been less active since war broke out in Ukraine than many experts predicted, Microsoft last month claimed that at least six Russian nation-state actors had launched damaging cyber-attacks against the country since the invasion began.

As reported by _The Daily Swig_, Microsoft researchers tracked at least 237 “cyber operations” originating from Russia that “have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership”.

Kremlin-backed groups were also suspected of being involved in another assault on telecoms infrastructure on March 28, when the networks of a Ukrainian internet service provider (ISP) that supplies the country’s military were taken offline.

**RELATED** Microsoft report unmasks at least six Russian actors responsible for cyber-attacks against Ukraine

Russia behind cyber-attack on satellite internet network KA-SAT that disrupted Ukrainian infrastructure – EU

Hotel Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at the login page.

**Contributor(s):** kingthorin  

**Overview**

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

**Threat Modeling**

*   SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
*   SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
*   The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.

**How to Avoid SQL Injection Vulnerabilities**

See the OWASP SQL Injection Prevention Cheat Sheet. See the OWASP Query Parameterization Cheat Sheet.

**How to Review Code for SQL Injection Vulnerabilities**

See the OWASP Code Review Guide article on how to Review Code for SQL Injection vulnerabilities.

**How to Test for SQL Injection Vulnerabilities**

See the OWASP Testing Guide for information on testing for SQL Injection vulnerabilities.

**How to Bypass Web Application Firewalls with SQLi**

See the OWASP Article on using SQL Injection to bypass a WAF

**Description**

SQL injection attack occurs when:

1.  An unintended data enters a program from an untrusted source.
2.  The data is used to dynamically construct a SQL query

The main consequences are:

*   **Confidentiality**: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
*   **Authentication**: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
*   **Authorization**: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.
*   **Integrity**: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack.

**Risk Factors**

The platform affected can be:

*   Language: SQL
*   Platform: Any (requires interaction with a SQL database)

SQL Injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind.

Essentially, the attack is accomplished by placing a meta character into data input to then place SQL commands in the control plane, which did not exist there before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.

**Examples****Example 1**

In SQL: select id, firstname, lastname from authors

If one provided: Firstname: evil'ex and Lastname: Newman

the query string becomes:

select id, firstname, lastname from authors where firstname = 'evil'ex' and lastname ='newman'

which the database attempts to run as:

Incorrect syntax near il' as the database tried to execute evil.

A safe version of the above SQL statement could be coded in Java as:

    String firstname = req.getParameter("firstname");
    String lastname = req.getParameter("lastname");
    // FIXME: do your own validation to detect attacks
    String query = "SELECT id, firstname, lastname FROM authors WHERE firstname = ? and lastname = ?";
    PreparedStatement pstmt = connection.prepareStatement( query );
    pstmt.setString( 1, firstname );
    pstmt.setString( 2, lastname );
    try
    {
        ResultSet results = pstmt.execute( );
    }
    

**Example 2**

The following C# code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user.

    ...
    string userName = ctx.getAuthenticatedUserName();
    string query = "SELECT * FROM items WHERE owner = "'"
                    + userName + "' AND itemname = '"
                    + ItemName.Text + "'";
    sda = new SqlDataAdapter(query, conn);
    DataTable dt = new DataTable();
    sda.Fill(dt);
    ...
    

The query that this code intends to execute follows:

    SELECT * FROM items
    WHERE owner =
    AND itemname = ;
    

However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string "name' OR
'a'='a" for itemName, then the query becomes the following:

    SELECT * FROM items
    WHERE owner = 'wiley'
    AND itemname = 'name' OR 'a'='a';
    

The addition of the OR 'a'='a' condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:

SELECT * FROM items;

This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner.

**Example 3**

This example examines the effects of a different malicious value passed to the query constructed and executed in Example 1. If an attacker with the user name hacker enters the string "name'); DELETE FROM items; --" for itemName, then the query becomes the following two queries:

    SELECT * FROM items
    WHERE owner = 'hacker'
    AND itemname = 'name';
    
    DELETE FROM items;
    
    --'
    

Many database servers, including Microsoft® SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error in Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, in databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database.

Notice the trailing pair of hyphens (--), which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed. In this case the comment character serves to remove the trailing single-quote left over from the modified query. In a database where comments are not allowed to be used in this way, the general attack could still be made effective using a trick similar to the one shown in Example 1. If an attacker enters the string "name'); DELETE FROM items; SELECT \* FROM items WHERE 'a'='a", the following three valid statements will be created:

    SELECT * FROM items
    WHERE owner = 'hacker'
    AND itemname = 'name';
    
    DELETE FROM items;
    
    SELECT * FROM items WHERE 'a'='a';
    

One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from an allow list of safe values or identify and escape a deny list of potentially malicious values. An allow list can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, deny listing is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:

*   Target fields that are not quoted
*   Find ways to bypass the need for certain escaped meta-characters
*   Use stored procedures to hide the injected meta-characters

Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks.

Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.

    procedure get_item (
        itm_cv IN OUT ItmCurTyp,
        usr in varchar2,
        itm in varchar2)
    is
        open itm_cv for ' SELECT * FROM items WHERE ' ||
                'owner = '''|| usr ||
                ' AND itemname = ''' || itm || '''';
    end get_item;
    

Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks.

*   SQL Injection Bypassing WAF
*   Blind SQL Injection
*   Code Injection
*   Double Encoding
*   ORM Injection

**References**

*   SQL Injection Knowledge Base - A reference guide for MySQL, MSSQL and Oracle SQL Injection attacks.
*   GreenSQL Open Source SQL Injection Filter - An Open Source database firewall used to protect databases from SQL injection attacks.
*   An Introduction to SQL Injection Attacks for Oracle Developers
    *   This also includes recommended defenses.

Category:Injection

CVE-2022-28110: SQL Injection | OWASP Foundation

An email warning of supposed chemical attacks that delivers Jester Stealer malware is being sent to people in Ukraine.
The post “Chemical attack” email warnings deliver Jester Stealer malware appeared first on Malwarebytes Labs.

Jester Stealer, a malicious file capable of large amounts of data theft, is on the prowl again. The Ukrainian Computer Emergency Response Team (CERT-UA) has warned of a large distribution campaign abusing a “chemical attack” theme. Receiving an email like this in the invasion-affected regions of Ukraine is likely to cause huge alarm.

**From bogus attack warnings to data theft malware**

As per Bleeping Computer, the mail reads as follows:

> _“Today the information was received that chemical weapons will be used at 01.00 at night, the authorities are trying to hide it in order not to panic the population. Urgently get acquainted with the places where chemical weapons will be used and the places of special shelters where we will be safe._
> 
> _Help us to disseminate the information attached to the document in the letter as much as possible. map of the zone of chemical damage._
> 
> _We need to save as many lives as possible!”_

Source: CERT-UA

Although the mail is being described as phishing, there is no direct request for passwords or logins linked to in the mail itself. Instead, there’s a link to an Excel document which has been booby-trapped with harmful macros.

A rogue file called JesterStealer is downloaded to the victim’s PC and executes when the document is opened with macros enabled. At this point, the device is infected. CERT-UA notes that the infection files are being hosted on “compromised web resources”. When organisations don’t keep their services updated and vulnerabilities patched, this is the unfortunate knock-on effect.

**Impact on affected systems**

Once infected, the system is at serious risk of data theft. The list of potential target areas includes:

*   Internet browsers
*   MAIL/FTP/VPN clients
*   Cryptocurrency wallets
*   Password managers
*   Messengers
*   Game programs

Jester Stealer is also capable of swiping screenshots and stealing network passwords.

There’s some anti virtual machine/debug/sandbox tactics in play to hamper researchers analysing the file. The malware also removes itself once closed, helping attackers evade suspicion from those affected as they may well never realise the malware was present.

**Tips for avoiding this attack**

1.  Stick to official news sources for breaking information in affected areas. You’re more likely to see a genuine warning on the President’s page, or similar messaging from official sources on Twitter, than from random emails.
2.  Think carefully about attachment types in emails. Does it make much sense that a warning like this requires an Excel spreadsheet? Why not just put the full warning in the email? If it’s urgent, breaking information, people need everything in one place. Having to open up websites to download, and open files seems a long-winded and very odd way to accomplish this goal.
3.  Macros in Office files have been a long running problem. Microsoft has made several changes to try and minimise the risk of harm. Downloading macros from the internet results in an automatic block with regard to being able to run. Some individuals and organisations will always need macros available to some degree. This is why the “learn more” button will ultimately allow you to enable if you definitely need them.

**What Microsoft has to say about enabling macros**

Microsoft’s advice for this is very good. Here’s what it suggests in relation to macros:

*   **Were you expecting to receive a file with macros?** Never open a file attachment you weren’t expecting, even if it appears to come from somebody you trust. Phishing attacks often appear to come from a person or organization you trust in an effort to get you to open them.
*   **Are you being encouraged to enable content by a stranger?** A common tactic of attackers is to create some pretense such as cancelling an order or reading a legal document. They’ll have you download a document and try to persuade you to allow macros to run. No legitimate company will make you open an Excel file to cancel an order and you don’t need macros just to read a document in Word.
*   **Are you being encouraged to enable content by a pop-up message?** If you downloaded the file from a website, you may see pop-ups or other messages encouraging you to enable active content. Those are also common tactics of attackers and should make you suspicious that the file is actually unsafe.

Think carefully about enabling macros from random documents sent your way, and follow the tips above. Rogue mails which do nothing but compromise or damage your computer may make it more difficult to receive genuine alerts, and that’s definitely an additional problem you can do without.

“Chemical attack” email warnings deliver Jester Stealer malware

Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution.
The vulnerability, tracked as CVE-2022-29972, has been codenamed "SynLapse" by researchers from Orca Security, who reported the flaw to Microsoft in January 2022.

"The vulnerability was specific to

Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution.

The vulnerability, tracked as CVE-2022-29972, has been codenamed "**SynLapse**" by researchers from Orca Security, who reported the flaw to Microsoft in January 2022.

"The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole," the company said.

"The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant."

In other words, a malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant's Integration Runtimes to gain access to sensitive information, effectively breaking tenant separation protections.

The tech giant, which resolved the security flaw on April 15, said it found no evidence of misuse or malicious activity associated with the vulnerability in the wild.

That said, the Redmond-based company has shared Microsoft Defender for Endpoint and Microsoft Defender Antivirus detections to protect customers from potential exploitation, adding it's working to bolster the security of third-party data connectors by working with driver vendors.

The findings come a little over two months after Microsoft remediated an "AutoWarp" flaw impacting its Azure Automation service that could have permitted unauthorized access to other Azure customer accounts and take over control.

Last month, Microsoft also resolved a pair of issues — dubbed "ExtraReplica" — with the Azure Database for PostgreSQL Flexible Server that could result in unapproved cross-account database access in a region.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Mitigates RCE Vulnerability Affecting Azure Synapse and Data Factory

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?**

The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220412**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220412)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-29108: Microsoft SharePoint Server Remote Code Execution Vulnerability

**Is the Preview Pane an attack vector for this vulnerability?**

No, the Preview Pane is not an attack vector.

Tag

#microsoft