Users should patch immediately

A security vulnerability in a mobile device management software could allow attackers access to organizations’ internal and cloud networks, researchers warn.

Discovered by Assetnote, the server-side request forgery (SSRF) bug was found in VMWare Workspace One UEM.

Tracked as CVE-2021-22054, the vulnerability could risk credentials and other sensitive data falling into the hands of malicious attackers.

Read more of the latest news about security vulnerabilities

“We discovered a pre-authentication vulnerability that allowed us to make arbitrary HTTP requests, including requests with any HTTP method and request body,” the researchers wrote in a blog post.

“In order to exploit this SSRF, we had to reverse engineer the encryption algorithm used by VMWare Workspace One UEM.”

The team were able to breach “a number of” organizations using the software, accessing both their internal network and cloud services.

DON’T MISS VirusTotal debunks claims of a serious vulnerability in Google-owned antivirus service

Speaking to The Daily Swig, Assetnote’s Subham Shah said: “While I cannot share exact details about what companies were effected, there were a large number of enterprises that were vulnerable to this.

“In some cases, it was possible to use this vulnerability to breach the AWS accounts of the companies.”

Shah added: “The impact of this vulnerability is rather on the organization running the software, instead of the individual users that are using the products.

“Using the SSRF vulnerability, it is possible to reach arbitrary hosts on the internal network. On cloud networks such as AWS, it is possible to reach the metadata IP address and potentially steal security credentials.

“Using these security credentials, it is possible to escalate the vulnerability to gain access to other infrastructure belonging to a company.”

**Remediations**

The issue, which was first discovered in November 2021, has since been patched by the vendor.

Shah said that while VMware dealt with the issues “in a timely manner”, researchers agreed to the vendor’s request for more time to release more patches and allow customers to patch their instances before disclosure.

An advisory from VMWare contains details of fixes for the software.

Shah advised users of mobile management device software “if possible, do not expose the MDM solution to the external internet”.

YOU MAY ALSO LIKE IBM database updates address critical vulnerabilities in third-party XML parser

Security bug in VMWare Workspace ONE could allow access to internal, cloud networks

GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.

**Release notes****Bug**

GEOS-10308 GeoServer with OGCAPI fails to deploy

GEOS-10307 Remove the importer-bdb community module

GEOS-10306 Remove the community QOS module

GEOS-10305 Remove the community NSG module

GEOS-10304 Remove the WFS3 community module

GEOS-10301 Conflicting woodstox parser from ogcapi prevented editing sld styles

GEOS-10282 GeoServer translations files incorrectly decoded assuming UTF-8 causing translation files like GeoServerApplication\_de.properties leading characters represented as question marks

GEOS-10279 Upgrade to Jetty 9.4.44

GEOS-10278 Compatibility issues between FeaturesTemplating and Geofence REST

GEOS-10273 GeofenceAccesManager throws index out of bound when requesting nested layerGroups

GEOS-10266 Features Templating makes getfeatureinfo fail for raster data

GEOS-10264 Address startup warning File option not set for appender \[geoserverlogfile\]

GEOS-10263 WPSRequestBuilderTest assumes that JTS:area is the first process in the list

GEOS-10254 Features templating JSON-LD output should not encode all attributes as string

GEOS-10249 GWC produce NPE when it comes to race condition

GEOS-10245 jdbcconfig: prefixedName filter field not updated

GEOS-10235 Prevent double-quote to be specified as CSV separator

GEOS-10226 ResourcePool leaves empty files on failure

GEOS-10146 App-schema: support for multiple geometries with different CRS

**Improvement**

GEOS-10285 Add Google cloud support to the COG community module

GEOS-10265 WFS-T Bulk Transaction optimization

GEOS-10251 Refactor MapML vocabulary to map- custom elements HTML namespace

GEOS-10246 jdbcconfig: performance slow-down from unnecessary transactions

GEOS-10230 MarkFactory WMS rendering performance optimization

**New Feature**

GEOS-10287 Extend GeoServer freemarker templates support to read properties from a JSON file

GEOS-10274 Geofence follow up LayerGroup Style addition

GEOS-10252 Add Styles support to LayerGroup

GEOS-10228 Wrap the category text values of a legend

GEOS-10223 Support MBTiles in OGC Tiles API

**Task**

GEOS-10297 Remove unnecessary warning suppressions

GEOS-10296 Upgrade to ErrorProne 2.10.0

GEOS-10293 Upgrade to ErrorProne 2.9.0

GEOS-10269 Overriding JSON Object while Merging Feature Templates

GEOS-10268 Null Support in Features Templating

GEOS-10238 Test logging WARNING: Extension lookup, but ApplicationContext is unset

CVE-2021-40822: Releases · geoserver/geoserver

The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. It occurs when an HTTP request is made by a backend server to an untrusted URL submitted by a user. It leads to a leakage of sensitive information from the server.

@@ -24,6 +24,7 @@ var (

sessionFingerprint string

allowedOrigins \[\]string

bannedOutputs \[\]string

bannedDests \[\]string

)

  

type Request struct {

@@ -49,6 +50,16 @@ type Response struct {

Headers map\[string\]string \`json:"headers"\`

}

  

func isAllowedDest(dest string) bool {

for \_, b := range bannedDests {

if b \== dest {

return false

}

}

  

return true

}

  

func isAllowedOrigin(origin string) bool {

if allowedOrigins\[0\] \== "\*" {

return true

@@ -68,13 +79,19 @@ func Initialize(

proxyURL string,

initialAllowedOrigins string,

initialBannedOutputs string,

initialBannedDests string,

onStatusChange statusChangeFunction,

withSSL bool,

finished chan bool,

) {

if initialBannedOutputs != "" {

bannedOutputs \= strings.Split(initialBannedOutputs, ",")

}

if initialBannedDests != "" {

bannedDests \= strings.Split(initialBannedDests, ",")

} else {

bannedDests \= \[\]string{}

}

allowedOrigins \= strings.Split(initialAllowedOrigins, ",")

accessToken \= initialAccessToken

sessionFingerprint \= uuid.New().String()

@@ -209,6 +226,13 @@ func proxyHandler(response http.ResponseWriter, request \*http.Request) {

proxyRequest.Method \= requestData.Method

proxyRequest.URL, \_ \= url.Parse(requestData.Url)

  

// Block requests to illegal destinations

if !isAllowedDest(proxyRequest.URL.Hostname()) {

log.Print("A request to a banned destination was made.")

\_, \_ \= fmt.Fprintln(response, "{\\"success\\": false, \\"data\\":{\\"message\\":\\"(Proxy Error) Request cannot be to this destination.\\"}}")

return

}

  

var params \= proxyRequest.URL.Query()

  

for k, v := range requestData.Params {

CVE-2022-25850: feat: ability to have a blacklist of target urls for proxy to make ca… · hoppscotch/proxyscotch@de67380

International cybersecurity authorities have published an overview of the most routinely exploited vulnerabilities of 2021.
The post The top 5 most routinely exploited vulnerabilities of 2021 appeared first on Malwarebytes Labs.

A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.

**1\. Log4Shell**

CVE-2021-44228, commonly referred to as Log4Shell or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.

When Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.

This made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The CISA Log4j scanner is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.

**2\. CVE-2021-40539**

CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that APT threat-actors were likely among those exploiting the vulnerability.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations.

**3\. ProxyShell**

Third on the list are 3 vulnerabilities that we commonly grouped together and referred to as ProxyShell. CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207.

The danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:

*   **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.
*   **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.
*   **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.

The vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.

Microsoft’s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.

**4\. ProxyLogon**

After the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name—ProxyLogon—for similar reasons. CVE-2021-26855, CVE-2021-26857, CVE-2021-2685, and CVE-2021-27065 all share the same description—”This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.”

While the CVE description is the same for the 4 CVE’s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws—CVE-2021-26858 and CVE-2021-27065—would allow an attacker to write a file to any part of the server.

Together these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

ProxyLogon started out as a limited and targeted attack method attributed to a group called Hafnium. Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Microsoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a download link, user instructions, and more information can be found in the Microsoft Security Response Center.

**5\. CVE-2021-26084**

CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of Confluence Server and Data Center that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Shortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.

On the Confluence Support website you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.

**Lessons learned**

What does this list tell us to look out for in 2022?

Well, first off, if you haven’t patched one of the above we would urgently advise you to do so. And it wouldn’t hurt to continue working down the list provided by CISA.

Second, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:

*   **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.
*   **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.
*   **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.

So, if you notice or hear about a vulnerability that meets these “requirements” move it to the top of your “to-patch” list.

Stay safe, everyone!

The top 5 most routinely exploited vulnerabilities of 2021

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

**CVE-2022-24449****Solar Appscreener XXE \[Suggested description\] An issue was found in Solar AppScreener SAST tool through 3.10.4. An unauthorized actor, may exploit effected hosts where vulnerable version is installed, by uploading specially crafted XML files on hosts, which has an expired or non-installed license. The lowest approved impact is XXE-SSRF.****\[Additional Information\] Fixed in >3.10.4****\[VulnerabilityType Other\] CWE-611: Improper Restriction of XML External Entity Reference****\[Vendor of Product\] SOLAR SECURITY LLC (https://en.rt-solar.ru/)****\[Affected Product Code Base\] Affected version: Solar Appscreener 3.10.4****\[Affected Component\] License update mechanism****\[Attack Type\] Remote****\[Impact Code execution\] true****\[Impact Denial of Service\] true****\[Impact Escalation of Privileges\] true****\[Impact Information Disclosure\] true****\[Attack Vectors\] An attacker able to upload specially crafted XML file via license update function****\[Discoverer\] Dmitry Kuramin (Jet Infosystems, jet.su)**

\[Reference\] https://jet.su

CVE-2022-24449: GitHub - jet-pentest/CVE-2022-24449: Solar Appscreener XXE

A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.

CVE-2022-28117

Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF).

Monstaftp 2.10.3 - Vulnerabilities - YouTube

CVE-2022-27469: Monstaftp 2.10.3 - Vulnerabilities

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-29457: ADSelfService Plus Release Notes

We are excited to announce the addition of scenario-based bounty awards to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program. Through these new scenario-based bounty awards, we encourage researchers to focus their research on vulnerabilities that have the highest potential impact on customer privacy and security. Awards increase by up to 30% ($26,000 USD total) for eligible scenario submissions.

We are excited to announce the addition of scenario-based bounty awards to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program. Through these new scenario-based bounty awards, we encourage researchers to focus their research on vulnerabilities that have the highest potential impact on customer privacy and security. Awards increase by up to 30% ($26,000 USD total) for eligible scenario submissions.

**Dynamics 365 and Power Platform Bounty Program**

**Scenario**

**Maximum Award**

Cross-tenant information disclosure

$20,000

**M365 Bounty Program**

Eligible submissions may qualify for 15-30% bonuses on top of the general M365 bounty awards and will be awarded the single highest qualifying award.

**Scenario**

**Maximum Award**

Remote code execution through untrusted input (CWE-94 “Improper Control of Generation of Code (‘Code Injection’)”)

+30%

Remote code execution through untrusted input (CWE-502 “Deserialization of Untrusted Data”)

+30%

Unauthorized Cross-tenant and cross-identity sensitive data leakage (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”)

+20%

Unauthorized cross-identity sensitive data leakage (CWE-488 “Exposure of Data Element to Wrong Session”)

+20%

“Confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”)

+15%

These new bounty awards are part of our continued efforts to partner with the security research community as part of Microsoft’s holistic approach to defending against security threats. If you have any questions about these new scenarios or any other security research incentive program, please email us at bounty@microsoft.com.

_Lynn Miyashita and Madeline Eckert, MSRC_

Expanding High Impact Scenario Awards for Microsoft Bug Bounty Programs

Microsoft is excited to announce the addition of Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to the Applications and On-Premises Servers Bounty Program.
Through this expanded program, we encourage researchers to discover and report high-impact security vulnerabilities to help protect customers. We offer awards up to $26,000 USD for eligible submissions.

Microsoft is excited to announce the addition of Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to the Applications and On-Premises Servers Bounty Program.

Through this expanded program, we encourage researchers to discover and report high-impact security vulnerabilities to help protect customers. We offer awards up to $26,000 USD for eligible submissions. The following products are now eligible for bounty awards:

*   Exchange on-premises
*   SharePoint on-premises
*   Skype for Business on-premises

That’s not all! The bounty also includes high-impact scenarios offering the highest awards to research in areas with the highest potential impact to customer security.

**Security Impact**

**Severity Multiplier**

EXCHANGE ONLY: Server-Side Request Forgery allows an attacker to make server-side HTTP requests to arbitrary URLs.

20%

SHAREPOINT ONLY: Authenticated Server-Side Request Forgery allows an attacker to make authenticated server-side HTTP requests to arbitrary URL

20%

Insecure deserialization of user-controllable data, leading to remote code execution on server

30%

Arbitrary file write of user-controlled data on user-controlled location on the server.

20%

Authentication bypass allows for unauthenticated exploitation which results in mass exploitation of vulnerabilities

20%

Vulnerabilities within Exchange Emergency Mitigation Service (EEMS)

15%

To learn more about eligible scope and award amounts, please visit the Applications and On-Premises Servers Bounty Program page.

Microsoft’s bug bounty programs are just one of the many ways we invest in partnerships with the global security research community to help secure Microsoft customers. If you have any questions about the new On-Premises Servers scope or general inquiries about any other security research incentive program, please contact us at bounty@microsoft.com.

_Madeline Eckert and Lynn Miyashita, MSRC_

Tag

#ssrf