Activity Feed

Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Details

The vulnerability affects Internet Explorer 11 on all Windows versions. It is located in the jscript9.dll library, which is used to execute JavaScript.

Possible attack vectors:

  • website content
  • ActiveX components in Office documents

Google Project Zero released a PoC on 13.05.2021, which triggers the vulnerability and causes a crash. At the time of writing I could not find any weaponized exploit.

Rating explanation

My rating of the exploitability score was affected by the availability of the PoC and the Microsoft exploitability rating. In 2020, Operation PowerFall was using a similar vulnerability (CVE-2020-1380) in IE. I expect to see exploits for CVE-2021-26419 in a similar context.

Attackers might gain direct control over the host after exploitation without a sandbox escape. IE 11 does have an Enhanced Protected Mode (EPM), which runs IE in an AppContainer and acts as a sandbox. EPM was introduced with Windows 8 and is disabled by default.

Sources

Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

The vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.

The semi-annual channel versions are not that common in bigger organisations. This affected my rating on attacker value. I would argue that most of them use the LTSC of older Windows versions. The attacker value is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.

Microsoft rates this vulnerability “Exploitation more likely”. This means that exploitation would be reliable and Microsoft is aware of exploits in the past for similar vulnerabilities. This affected my Exploitability scoring towards Easy on this vulnerability.

Sources:

https://twitter.com/GossiTheDog/status/1392211087601410054
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166

Technical Analysis

Please read @ccondon-r7’s excellent assessment of CVE-2020-4006. The following is a technical analysis of the vulnerability.

I decided to revisit CVE-2020-4006 after it (and other vulnerabilities) received renewed attention for use in a nation state actor’s TTPs. I also managed to obtain the software this time. I did not manage to obtain the patch, so the following analysis is a “best effort” attempt to deduce the vulnerability.

CVE-2020-4006 is a post-auth command injection in VMware Workspace ONE Access and multiple related products. The vulnerability lies in the /cfg/ssl/installSelfSignedCertificate endpoint within the “Appliance Configurator” service on TLS port 8443. By specifying a malicious san parameter in a POST request to the endpoint, arbitrary shell commands may be executed. Note that the service may restart. Activity is logged in the /opt/vmware/horizon/workspace/logs/configurator.log file.

  @RequestMapping(method = {RequestMethod.POST}, value = {"/installSelfSignedCertificate"})
  @ResponseBody
  public AjaxResponse installSelfSignedCertificate(MultipartHttpServletRequest request) {
    try {
      log.debug("Generating and installing self-signed sslCertificate");
      this.workspacePreAuthFilter.storePasswordInSession((HttpServletRequest)request);
      this.applianceSslCertificateService.generateAndInstallSelfSignedCertificate(request);
    } catch (AdminPortalException e) {
      return new AjaxResponse(Messages.getMessage(e.getErrorId(), e.getArgs()), Integer.valueOf(2), false);
    }
    return new AjaxResponse(Messages.getMessage("configurator.configure.ssl.installingCertificate"), Integer.valueOf(0), true);
  }

  // Service method: reads the user-controlled "san" request parameter.
  public void generateAndInstallSelfSignedCertificate(MultipartHttpServletRequest request) throws AdminPortalException {
    String generateSelfSignedCertCmd[], installSelfSignedCertificateCmd[], sanValue = request.getParameter("san");

    String vmName = this.configHelper.getApplianceFqdn();

    if (StringUtils.isAllEmpty(new CharSequence[] { sanValue })) {
      sanValue = vmName;
    } else if (!sanValue.contains(vmName)) {
      sanValue = sanValue + "," + vmName;
    }

    if (Const.isWindowsDeployment) {
      generateSelfSignedCertCmd = new String[] { "cmd", "/c", "\"\"" + SELF_SIGNED_CERTIFICATE_CMD + "\"" + " -host " + vmName + " -san " + "\"" + sanValue + "\"" + " -force" + "\"" };
    } else {
      // Non-Windows path: sanValue is concatenated unquoted into a "/bin/sh -c" command string.
      generateSelfSignedCertCmd = new String[] { "/bin/sh", "-c", SELF_SIGNED_CERTIFICATE_CMD + " --makesslcert " + vmName + " " + vmName + " " + sanValue };
    }

    log.info("Executing command {}", Arrays.toString((Object[])generateSelfSignedCertCmd));

    try {
      CommandUtils.executeCommand(generateSelfSignedCertCmd);
      log.info("Command {} succeeded", Arrays.toString((Object[])generateSelfSignedCertCmd));
    } catch (IOException e) {
      log.error("Command {} failed: {}", Arrays.toString((Object[])generateSelfSignedCertCmd), e.getMessage());
      throw new AdminPortalException(null, "configurator.configure.ssl.errorGeneratingSelfSignedCertificate", null);
    }

    if (Const.isWindowsDeployment) {
      installSelfSignedCertificateCmd = new String[] { "cmd", "/c", "\"\"" + SELF_SIGNED_CERTIFICATE_CMD + "\"" + " -host " + vmName + " -install" + "\"" };
    } else {
      installSelfSignedCertificateCmd = new String[] { "/bin/sh", "-c", String.format("nohup %s > /usr/local/horizon/log/installSelfSignedCert.log &", new Object[] { SELF_SIGNED_CERTIFICATE_CMD }) };
    }

    log.info("Executing command {}", Arrays.toString((Object[])installSelfSignedCertificateCmd));
    try {
      CommandUtils.executeCommand(installSelfSignedCertificateCmd);
      log.info("Command {} succeeded", Arrays.toString((Object[])installSelfSignedCertificateCmd));
    } catch (IOException e) {
      log.error("Command {} failed: {}", Arrays.toString((Object[])installSelfSignedCertificateCmd), e.getMessage());
      throw new AdminPortalException(null, "configurator.configure.ssl.errorInstallingCertificate", null);
    }

    if (Const.isWindowsDeployment &&
      !this.tomcatUtils.restartApplianceService((HttpServletRequest)request)) {
      throw new AdminPortalException("configurator.configure.workspaceUrl.errorRestartingService", null);
    }
  }
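As an added example, not code from the assessment above or from VMware: a Python script that applies a strict hostname allowlist to a SAN value (the check the handler above never performs before building its `/bin/sh -c` string) and reuses that same allowlist to scan the "Executing command" messages that the service writes to configurator.log. The log line layout, the class name in the prefix and the script path `/opt/vmware/bin/certgen` (standing in for the unknown `SELF_SIGNED_CERTIFICATE_CMD`) are constructed assumptions; only the message text and the `Arrays.toString()` rendering of the argv come from the code on the page.

```python
import re

# Allowlist for one SAN entry: a DNS hostname (labels of letters, digits and
# hyphens joined by dots). Plain IPv4 literals match as well. Anything the shell
# could interpret (space, ';', '|', '&', '$', '`', quotes, parentheses) is rejected.
SAN_ENTRY_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate_san(san: str) -> bool:
    """Return True only if every comma-separated SAN entry is a plain hostname."""
    if not san:
        return False
    return all(SAN_ENTRY_RE.fullmatch(part) is not None for part in san.split(","))


# Matches the "Executing command {}" message for the non-Windows branch, where the
# argv array is rendered by Arrays.toString() as
# "[/bin/sh, -c, <cmd> --makesslcert <fqdn> <fqdn> <san>]". The san capture takes
# everything up to the closing bracket, so a value containing spaces is captured whole.
MAKESSL_RE = re.compile(
    r"Executing command \[/bin/sh, -c, (?P<cmd>\S+) --makesslcert "
    r"(?P<host>\S+) (?P<host2>\S+) (?P<san>.*)\]\s*$"
)


def find_suspicious_san(log_lines):
    """Return (line number, san value) for every makesslcert invocation whose SAN
    fails the allowlist, i.e. where the request parameter reached the shell unchecked."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = MAKESSL_RE.search(line)
        if match is None:
            continue
        san = match.group("san")
        if not validate_san(san):
            findings.append((number, san))
    return findings


# Constructed sample lines (assumed layout): the real configurator.log format and the
# value of SELF_SIGNED_CERTIFICATE_CMD are not on the page; "/opt/vmware/bin/certgen"
# is a placeholder path.
SAMPLE_LOG = [
    "2021-05-20 10:01:02,003 INFO ApplianceSslCertificateService - Executing command "
    "[/bin/sh, -c, /opt/vmware/bin/certgen --makesslcert vidm.example.com vidm.example.com vidm.example.com]",
    "2021-05-20 10:01:05,010 INFO ApplianceSslCertificateService - Command "
    "[/bin/sh, -c, /opt/vmware/bin/certgen --makesslcert vidm.example.com vidm.example.com vidm.example.com] succeeded",
    "2021-05-20 11:15:44,120 INFO ApplianceSslCertificateService - Executing command "
    "[/bin/sh, -c, /opt/vmware/bin/certgen --makesslcert vidm.example.com vidm.example.com portal.example.com,vidm.example.com]",
    "2021-05-20 13:37:00,000 INFO ApplianceSslCertificateService - Executing command "
    "[/bin/sh, -c, /opt/vmware/bin/certgen --makesslcert vidm.example.com vidm.example.com x.example.com;id,vidm.example.com]",
]

if __name__ == "__main__":
    for number, san in find_suspicious_san(SAMPLE_LOG):
        print(f"line {number}: SAN value fails allowlist: {san!r}")
```

The same allowlist serves both purposes: applied to the `san` parameter before the command is built, it leaves the shell nothing to interpret (a fix that avoids `sh -c` entirely, passing the script its arguments as an argv array, is the stronger option); applied to the logged command, it turns configurator.log into a retrospective detection source for the period before the patch was installed.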
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Be careful: it actually modifies the code of the application.

Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Be careful: it actually modifies the code of the application.

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Unauthenticated RCE with the default config; this is critical.

Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

This is just a security bypass allowing an attacker to perform a brute-force attack on the authentication form without being blocked after 10 attempts.
So a 9.8 CVSS score is way too high for this vuln.

Ratings
Technical Analysis

As per SentinelLabs’ blog post:

  • SentinelLabs has discovered five high severity flaws in Dell’s firmware update driver impacting Dell desktops, laptops, notebooks and tablets.
  • Attackers may exploit these vulnerabilities to locally escalate to kernel-mode privileges.
  • Since 2009, Dell has released hundreds of millions of Windows devices worldwide which contain the vulnerable driver.
  • SentinelLabs findings were proactively reported to Dell on Dec 1, 2020 and are tracked as CVE-2021-21551, marked with CVSS Score 8.8.
  • Dell has released a security update to its customers to address this vulnerability.
  • At this time, SentinelOne has not discovered evidence of in-the-wild abuse.

I expect this to be a long-lived LPE, since it affects so many devices, exploitation is straightforward, and patching is somewhat inconvenient.

ETA: @smcintyre-r7 has written an exploit for CVE-2021-21551.