{"id":4130,"date":"2021-05-31T09:36:22","date_gmt":"2021-05-31T07:36:22","guid":{"rendered":"https:\/\/xopero.com\/blog\/?p=4130"},"modified":"2024-05-15T12:56:02","modified_gmt":"2024-05-15T10:56:02","slug":"new-critical-security-bug-in-vmware-vcenter-allows-a-full-takeover","status":"publish","type":"post","link":"https:\/\/xopero.com\/blog\/en\/new-critical-security-bug-in-vmware-vcenter-allows-a-full-takeover\/","title":{"rendered":"New critical security bug in VMware vCenter allows a full takeover"},"content":{"rendered":"\n

Last week turned out to be extremely unfavorable for Apple. First, the world heard about a new 0-day vulnerability that allows attackers to secretly perform print screens. Yes, let\u2019s forget about any privacy\u2026 And then just a few days later, news about M1RACLES has come to our attention too. What is all the hype about? The bug is a result of a flaw in the M1 design. And what is even worse\u2026 That information you will find below. In this issue, we also describe a new variant of the Rowhammer attack. Half-Double – this is the name it got – allows bypassing all current defenses. However, today’s Security Center<\/a> opens the news about a new critical bug detected in VMware vCenter. Given the scale of the threat (9.8\/10 CVSS!), exploiting the vulnerability is trivial. Hence the pressure from security experts and the vendor itself to urgently update vulnerable systems.<\/p>\n\n\n\n\n\n\n\n

<\/div>\n\n\n\n<\/a>\n\n\n

VMware vCenter with critical 9.8\/10 severity bug – patch ASAP!<\/strong><\/h2>\n\n\n

VMware\u2019s virtualization management platform, vCenter Server, has a critical severity bug – rated as 9.8 out of 10. The company is urging customers to patch it \u201cas soon as possible\u201d. Successful exploitation would allow an attacker to execute arbitrary commands on the underlying vCenter host and take control of a company\u2019s affected system.<\/p>\n\n\n

VMware vCenter bug – why such a high CVSS rating?<\/h5>\n\n\n

The vulnerability tracked as CVE-2021-21985 impacts a popular vCenter Server platform used to administer VMware\u2019s market-leading vSphere and ESXi host products. Specifically impacts the Virtual SAN Health Check plugin, which is enabled by default in vCenter Server even if the plugin is not actually being used.<\/p>\n\n\n\n

Exploiting the vulnerability is trivial. All an attacker would need to do is be able to access the vCenter Server over port 443. So even if an organization has not exposed vCenter Server externally, attackers can still exploit this flaw once inside a network. <\/p>\n\n\n\n

Earlier last week, VMware reported another bug – CVE 2021-21986. This second bug has a medium CVSS severity rating of 6.5 and is tied to an authentication mechanism issue in vCenter Server plugins.<\/p>\n\n\n\n

Workarounds and updates are already available to mitigate both flaws. In addition to the patches, VMware has made some improvements to plugin authentication in the vCenter Server plugin framework.<\/p>\n\n\n\n

Sources 1<\/a> | 2<\/a><\/p>\n\n\n\n

<\/div>\n\n\n\n<\/a>\n\n\n

Rowhammer problem won\u2019t go away soon – new Half-Double variant proofs it<\/strong><\/h2>\n\n\n

Google researchers discovered a new variant of this attack against DRAM chips, dubbed \u201cHalf-Double,\u201d that allows bypassing all current defenses. <\/p>\n\n\n\n

The new Half-Double hammering technique hinges on the weak coupling between two memory rows that are not immediately adjacent to each other but one row removed in an attempt to tamper with data stored in memory and attack a system.<\/p>\n\n\n\n

\"\"<\/a>
Source: Google<\/figcaption><\/figure><\/div>\n\n\n\n

We have described unusual Rowhammer techniques<\/a> last month – Rowhammer refers to a class of DRAM vulnerabilities whereby repeated accesses to a memory row („aggressor”) can induce an electrical disturbance big enough to flip bits stored in an adjacent row („victim”), thereby allowing untrusted code to escape its sandbox and take over control of the system.<\/p>\n\n\n\n

It works because DRAM cells have been getting smaller and closer together.<\/p>\n\n\n\n

While DRAM manufacturers deployed countermeasures like Target Row Refresh (TRR) to thwart such attacks, the mitigations have been limited to two immediate neighbors of an aggressor row, thus excluding memory cells at a two-row distance. The imperfect protection gave an opportunity for new Rowhammer attacks such as TRRespass, SMASH, and now Half-Double. <\/p>\n\n\n\n

Google said it’s currently working with Partners to identify possible solutions for Rowhammer exploits.<\/p>\n\n\n\n

Source<\/a><\/p>\n\n\n\n

<\/div>\n\n\n\n<\/a>\n\n\n

Hackers used macOS 0-days to bypass privacy features and take sneaky screenshots<\/h2>\n\n\n

Apple has patched a critical bug in macOS that could be exploited to take screenshots of someone\u2019s computer and capture images of their activity within applications or on video conferences without that person knowing.<\/p>\n\n\n\n

Researchers have discovered that the XCSSET spyware was using the vulnerability, tracked as CVE-2021-30713, to take screenshots of the user\u2019s desktop without requiring any additional permissions.<\/p>\n\n\n\n

The flaw works by bypassing the Transparency Consent and Control (TCC) framework, which controls what resources applications have access to. For example \u2013 granting  video collaboration software access to the webcam and microphone, in order to participate in virtual meetings. Then, the exploit could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user\u2019s explicit consent.<\/p>\n\n\n\n

Good news is that Apple already addressed the vulnerability in the latest version of macOS, Big Sur 11.4.<\/p>\n\n\n\n

Source<\/a><\/p>\n\n\n\n

<\/div>\n\n\n\n<\/a>\n\n\n

M1RACLES, the unpatchable bug in Apple M1 chips is an effect of its design<\/strong><\/h2>\n\n\n

Software engineer Hector Martin from Asahi Linux has discovered a vulnerability (CVE-2021-30747) in the new Apple M1 chips, dubbed M1RACLES, that cannot be fixed.<\/p>\n\n\n\n

The M1RACLES vulnerability allows two apps running on the same device to exchange data through a covert channel at the CPU\u2019s level, without using memory, sockets, files, or any other normal operating system features<\/p>\n\n\n\n

The flaw stems from the fact that the Arm system register encoded as s3_5_c15_c10_1 contains two bits that can be read and written at EL0 (Exception Level 0, application level privilege) from all cores simultaneously.<\/p>\n\n\n\n

\n