Technical Intelligence ISSUE: 19.04.21

The CyberScotland Technical Threat Intelligence Bulletin is designed to provide you with information about updates, exploits and countermeasures. We hope that you benefit from this resource and we ask that you circulate this information to your networks, adapting where you see fit.

Jump To

TECHNICAL THREAT AWARENESS AND HUNTING

Microsoft Patch Tuesday (April 2021)

Adobe Patches Slew of Critical Security Bugs

Patch Chrome to Remediate In-The-Wild 0-Day Exploits

F5 urges customers to patch critical BIG-IP pre-auth RCE bug

WordPress Privilege-Escalation and Authentication Bypass

Apple rushes to patch zero‑day flaw in iOS, iPadOS

Cisco Will Not Patch Critical RCE Flaw Affecting End-of-Life Business Routers

Threat Intelligence Bulletin

Technical Threat Awareness and Hunting

Microsoft Patch Tuesday (April 2021)

Microsoft released its monthly security update on Tuesday 13th April 2021, disclosing 114 vulnerabilities across its suite of products [1].

Four new remote code execution vulnerabilities in Microsoft Exchange Server are included, beyond those that were released out-of-band last month. Detection of the vulnerabilities that led to these patches has been attributed to the US National Security Agency (NSA) [2].

Given the recent focus on Microsoft Exchange by a range of threat actors, the NCSC has produced an alert encouraging organisations to install the critical updates immediately [3].

More patches are likely to follow for Microsoft's Exchange servers: at the recent Pwn2Own hacking contest, a team called DEVCORE combined an authentication bypass with a local privilege escalation to completely take over an Exchange server, winning $200,000 as a result [4].

In all, 20 of the vulnerabilities in this release are rated critical and one is considered of “moderate” severity; the remainder are all rated “important”.

Twelve of the critical vulnerabilities exist in the Remote Procedure Call (RPC) runtime; none of them requires user interaction, and each could allow an attacker to execute code remotely on the victim machine. For a full rundown of these CVEs, see Microsoft's security update page.

This month's security update also provides patches for several other pieces of software, including Microsoft Office, the Windows kernel and Visual Studio [5].

Snort rules are available for CVE-2021-28310, CVE-2021-28324 and CVE-2021-28325; the GIDs for these rules are listed in the Talos rule advisory [6].

[1] https://www.zerodayinitiative.com/blog/2021/4/13/the-april-2021-security-update-review
[2] https://www.enterprisetimes.co.uk/2021/04/14/nsa-and-fbi-move-to-help-microsoft-with-its-exchange-server-vulnerabilities/
[3] https://www.ncsc.gov.uk/news/security-updates-released-microsoft-exchange-server
[4] https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
[5] https://blog.talosintelligence.com/2021/04/microsoft-patch-tuesday-for-april-2021.#more
[6] https://snort.org/advisories/talos-rules-2021-04-13


A full list of Microsoft's April 2021 patches, with their CVEs, severities, scores, known exploits and disclosures, is available from the SANS Internet Storm Center [7].

Adobe Patches Slew of Critical Security Bugs

For April, Adobe released four patches addressing 10 CVEs in Adobe Photoshop, Digital Editions, RoboHelp and Bridge. The update for Bridge fixes six CVEs, all of which were reported through the ZDI program; four of these bugs are rated Critical and could allow arbitrary code execution if exploited. The patch for Photoshop fixes two Critical-rated CVEs, both buffer overflows that could allow arbitrary code execution. The update for Digital Editions fixes a Critical-rated privilege escalation bug that could lead to an arbitrary file system write. Finally, the patch for RoboHelp fixes a single privilege escalation bug. None of the CVEs addressed by Adobe were listed as publicly known or under active attack at the time of release [8].

Patch Chrome to Remediate In-The-Wild 0-Day Exploits

On Tuesday 13th April 2021 Google released a new version of its Chrome web browser for Windows, Mac and Linux with patches for two newly discovered security vulnerabilities, for both of which it says exploits exist in the wild and are being actively used by attackers.

One of the two flaws concerns an insufficient validation of untrusted input in its V8 JavaScript rendering engine (CVE-2021-21220), which was demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at the Pwn2Own 2021 hacking contest last week.

While Google moved to fix the flaw quickly, security researcher Rajvardhan Agarwal published a working exploit over the weekend by reverse-engineering the patch that the team had pushed to the open-source component, a factor that may have played a crucial role in the timing of the release [9].

Security researcher Rajvardhan Agarwal tweeted a GitHub link to the exploit code — the result of the Pwn2Own ethical hacking contest held online last week — on Monday 12th April 2021.

“Just here to drop a chrome 0day,” Agarwal wrote in his tweet. “Yes you read that right.” [10]

[7] https://isc.sans.edu/forums/diary/Microsoft+April+2021+Patch+Tuesday/27306/
[8] https://www.zerodayinitiative.com/blog/2021/4/13/the-april-2021-security-update-review
[9] https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html
[10] https://threatpost.com/chrome-zero-day-exploit-twitter/165363/


In an email, Agarwal confirmed that there is one more vulnerability affecting Chromium-based browsers that has been patched in the latest version of V8 but has not been included in the Chrome release rolling out today, thereby leaving users potentially vulnerable to attacks even after installing the new update [11].

F5 urges customers to patch critical BIG-IP pre-auth RCE bug

F5 Networks, a leading provider of enterprise networking gear, announced in March four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.

F5 BIG-IP software and hardware customers include governments, Fortune 500 firms, banks, internet service providers and consumer brands (including Microsoft, Oracle and Facebook), with the company claiming that "48 of the Fortune 50 rely on F5." [12]

Successful exploitation of critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement to the internal network.

The seven vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3, according to F5.

CVE-2021-22986, the pre-auth RCE flaw, also affects BIG-IQ (a management solution for BIG-IP devices), and it was fixed in 8.0.0, 7.1.0.3, and 7.0.0.2.
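Because F5 backports fixes to each supported release branch, "am I patched?" cannot be answered by comparing against the newest version overall: a device on 14.1.x is fixed at 14.1.4 even though 16.0.1.1 is numerically higher, and a branch that appears in no fixed-version list (for example a hypothetical 15.0.x build) should be flagged for upgrade rather than assumed safe. The following Python script is an added example, not F5's tooling or anything published in the bulletin; it encodes only the fixed versions listed above, and the hostnames and installed versions in its sample inventory are constructed for illustration.

```python
"""Branch-aware patch-status triage for the BIG-IP / BIG-IQ fixed versions
named in the bulletin. Added example; not F5 tooling."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Branch = Tuple[int, int]

# Fixed versions per release branch (major.minor), exactly as listed in the
# bulletin. A device on 14.1.x is compared with 14.1.4, not with 16.0.1.1.
FIXED_BIGIP: Dict[Branch, str] = {
    (16, 0): "16.0.1.1",
    (15, 1): "15.1.2.1",
    (14, 1): "14.1.4",
    (13, 1): "13.1.3.6",
    (12, 1): "12.1.5.3",
    (11, 6): "11.6.5.3",
}
# BIG-IQ fixes for CVE-2021-22986, also per branch.
FIXED_BIGIQ: Dict[Branch, str] = {
    (8, 0): "8.0.0",
    (7, 1): "7.1.0.3",
    (7, 0): "7.0.0.2",
}
FIXED_BY_PRODUCT: Dict[str, Dict[Branch, str]] = {
    "BIG-IP": FIXED_BIGIP,
    "BIG-IQ": FIXED_BIGIQ,
}


def parse_version(text: str) -> Version:
    """Turn '15.1.2.1' into (15, 1, 2, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if len(parts) < 2:
        raise ValueError(f"version {text!r} needs at least major.minor")
    try:
        return tuple(int(p) for p in parts)
    except ValueError as exc:
        raise ValueError(f"unparseable version {text!r}") from exc


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so '14.1.4' compares as 14.1.4.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def patch_status(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted-branch' for one device.

    'unlisted-branch' means the bulletin names no fixed build for that
    release branch (e.g. a BIG-IP 15.0.x build); treat it as needing an
    upgrade rather than silently assuming it is fine.
    """
    table = FIXED_BY_PRODUCT.get(product)
    if table is None:
        raise ValueError(f"unknown product {product!r}")
    installed = parse_version(version)
    fixed = table.get(installed[:2])
    if fixed is None:
        return "unlisted-branch"
    have, need = _padded(installed, parse_version(fixed))
    return "patched" if have >= need else "vulnerable"


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("lb-edge-01", "BIG-IP", "15.1.2.1"),  # exactly the fixed build
    ("lb-edge-02", "BIG-IP", "14.1.2.3"),  # below 14.1.4
    ("lb-edge-03", "BIG-IP", "16.0.1.1"),
    ("lb-lab-01", "BIG-IP", "15.0.1.4"),   # 15.0 branch: no fix listed
    ("bigiq-01", "BIG-IQ", "7.0.0.1"),     # below 7.0.0.2
    ("bigiq-02", "BIG-IQ", "8.0.0"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map each (host, product, version) to (host, status)."""
    return [(host, patch_status(product, ver)) for host, product, ver in inventory]


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

The branch key is deliberately the first two version components only, which matches how the fixed-version list is organised; if your inventory export carries hotfix or build suffixes, strip them before calling `patch_status`, since the parser intentionally rejects anything that is not purely numeric rather than guessing.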

WordPress Privilege-Escalation and Authentication Bypass

The Plus Addons for Elementor plugin for WordPress has a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said it’s being actively attacked in the wild.

The plugin, which has more than 30,000 active installations according to its developer, allows site owners to create various user-facing widgets for their websites, including user logins and registration forms that can be added to an Elementor page. Elementor is a site-building tool for WordPress.

The bug (CVE-2021-24175) is a privilege-escalation and authentication-bypass issue that exists in this registration form function of the Plus Addons for Elementor. It rates 9.8 on the CVSS vulnerability scale, making it critical in severity.

[11] https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html
[12] https://www.bleepingcomputer.com/news/security/f5-urges-customers-to-patch-critical-big-ip-pre-auth-rce-bug/


Site admins should upgrade to version 4.1.7 of The Plus Addons for Elementor to avoid compromise, and they should check for “any unexpected administrative users or plugins you did not install,” according to Wordfence. The Plus Addons for Elementor Lite does not contain the same vulnerability, the firm added. [13]

Additionally, Facebook has fixed two critical vulnerabilities in its popular WordPress plugin which could have been exploited to enable full site takeover, according to Wordfence.

The security company revealed yesterday that it disclosed the bugs to the social network on December 22 last year and January 27 2021. Patches for each were released on January 6 and February 7 2021, respectively.

The vulnerabilities affected the plugin formerly known as Official Facebook Pixel, which is said to be installed on around half a million sites globally. The software is designed to integrate Facebook’s Pixel conversion measurement tool with WordPress sites so it can monitor traffic and record specific user actions.

Users are urged to upgrade to the latest version of Facebook for WordPress (3.0.5). [14]

Apple rushes to patch zero‑day flaw in iOS, iPadOS

Apple has released an emergency update for its iOS, iPadOS, and watchOS operating systems to patch a zero-day security flaw that is being actively exploited in the wild. The vulnerability affects multiple models of iPhone, iPad, Apple Watch, and iPod touch.

“Apple is aware of a report that this issue may have been actively exploited,” reads Apple's security advisory describing the security hole that is being plugged with the release of iOS 14.4.2 and iPadOS 14.4.2.

The list of impacted devices includes iPhone 6s and later, all versions of the iPad Pro, iPad Air 2 and later, the 5th generation of iPad and later, iPad mini 4 and later, and the 7th generation of the iPod touch. The Cupertino-based tech giant also issued security updates for its Apple Watch products (watchOS 7.3.3).

[13] https://threatpost.com/cyberattackers-exploiting-critical-wordpress-plugin-bug/164663/
[14] https://www.infosecurity-magazine.com/news/patch-facebook-for-wordpress-site/


Given the seriousness of the threat, Apple also rolled out an update (iOS 12.5.2) for older devices such as the iPhone 5s and iPhone 6. In an effort to protect its customers, the company did not release any information about the perpetrators or the targets of the attacks. Meanwhile, Computer Emergency Response Teams (CERTs) from the United States, Hong Kong and Singapore issued alerts urging users of the affected devices to apply the updates immediately. [15]

Cisco Will Not Patch Critical RCE Flaw Affecting End-of-Life Business Routers

Networking equipment major Cisco Systems has said it does not plan to fix a critical security vulnerability affecting some of its Small Business routers, instead urging users to replace the devices.

The bug, tracked as CVE-2021-1459, is rated with a CVSS score of 9.8 out of 10, and affects RV110W VPN firewall and Small Business RV130, RV130W, and RV215W routers, allowing an unauthenticated, remote attacker to execute arbitrary code on an affected appliance.

"The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process," the firm said. "Customers are encouraged to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers." [16]

[15] https://www.welivesecurity.com/2021/03/29/apple-rushes-patch-zero-day-flaw--ipados/
[16] https://thehackernews.com/2021/04/cisco-will-not-patch-critical-rce-flaw.html
