Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

/0 Comments/in , /by

Microsoft Windows has recently updated, causing a high-risk Security Vulnerability (CVE-2021-36934) with a CVSS score of over 7 on July 23, 2021. This vulnerability is originated from the loose access policy for some system files, such as the Security Accounts Manager (SAM) databases. Users with malicious intent can use this vulnerability to elevate privileges to execute malicious code, view, change and even delete data, or create a new user account with full authority, etc.

From testing, the devices currently affected are mainly Windows 10 and Windows 11, however from the official information released by Microsoft, Windows Server 2019 is also affected. We must pay special attention to this issue, as there is currently no patch for this update that will safeguard against this vulnerability. As a short-term solution, there is an official workaround. For example, you can delete the affected Volume Shadow Copy Service. (Please refer to: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)

Looking at this issue from the perspective of PCI DSS Compliance, the CVSS score of this vulnerability, which is 7.8 in Base Score Metrics, is of high-risk as it is a higher score than 7. This should be patched within 30 days if possible. Otherwise, other safeguard solutions must be found. If the ASV (Approved Scanning Vendor) external vulnerability scan encounters this problem, the vulnerability scan will not pass.

In addition, Windows 10 is commonly used as a springboard in the server room. Because of the Windows springboard, this may be assigned to different personnel. It is also important to pay attention whether there are ordinary users who will use this vulnerability for other purposes such as unauthorized activities.

This begs the question: How can one maintain the integrity of your security and systems with this vulnerability? We at Secure Vectors propose the following suggestions:

  1. Firstly, restrict access to specific system directories and delete backup copies from the Volume Shadow Copy Service (VSS). The reason for doing this is so that the system cannot be restored through backup/restoration tools. During this period while a patch is being developed, you can prevent the restoration operation from happening.
  2. Temporarily restrict “non-host management authority (Administrator)” personnel from logging into the host. General user accounts are usually able to access the core configuration files, SAM databases, etc. By doing this, non-host management authority personnel will not be able to access these files and thus your organization can avoid attacks from hackers through elevation of authority.
  3. Remember to update the scanning database of the internal vulnerability scanning tool to the latest version and perform a scan to check if the current tool can identify the problem.

Secure Vector consultant

Bryan Cheng

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

- Payment Card Industry Security, IT Security Management, Cloud Service Management
- Professional Certification:PCI DSS QSA, CISSP, ISO27001 LA, BS10012 LA, MCSE, MCITP, TUViT Privacy Protection Consultant

Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.

You might also like


[GCP] Be careful using GCP's CI/CD service Google Cloud Build!

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

PCI 3DS 驗證 3 步驟_Max

PCI DSS Compliance Process and Requirements

online-payment-security-3dss

PCI 3DS Assessment and Certification

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.



Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

/0 Comments/in , /by

An out-of-bounds write flaw was found in the Linux kernel’s seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations.

From PCI DSS point of views, primary concerns are operating system user account security.  Verification on the necessities of allowing access given to System, restrict only the mandatory rights to login with logging, ePBF etc. Patch management, especially critical, should be complete in 30 days.


  • PCI DSS Requirements 2.1 : Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.  Verify /etc/password have proper settings, delete or set to “nologin”, preventing non mandatory users can login using vulnerability to compromise the system.
  • PCI DSS Requirements 6.2 : Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Verify Operating System vendors have releasing relate patch and complete patch update within 1 month.  If there are no updates from the vendors, necessary mitigation process should be in place.


Patch updates resolving this vulnerability (CVE-2021-33909) noted by Qualys Security Research Team, see following form for Patch listing:


SourceRisk level
NESSUS
https://www.tenable.com/cve/CVE-2021-33909		CVSS (v2) 7.2
NIST NVD
https://nvd.nist.gov/vuln/detail/CVE-2021-33909		CVSS (v3) 7.8
Redhat
https://access.redhat.com/security/cve/cve-2021-33909		CVSS (v3) 7.0
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909		Source: MITRE

Update on 2021/09/10

Qualys Security Research Team has proven vulnerability by accessing root rights in vulnerable OS of : Ubuntu 20.04、Ubuntu 20.10、Ubuntu 21.04、Debian 11 and Fedora 34 Workstation.  Other Linux OS may result in I.O.C. generate from this vulnerability.  Linux Servers patch fix as follow:


Operating SystemSecurity patch link
Redhathttps://access.redhat.com/security/cve/cve-2021-33909
CentOShttps://centosfaq.org/centos/its-been-six-days-since-cvd-2021-33909-was-patched-in-rhel-whats-the-holdup-for-stream-8/

https://centos.pkgs.org/8-stream/centos-baseos-x86_64/kernel-4.18.0-326.el8.x86_64.rpm.html

SUSEhttps://www.suse.com/security/cve/CVE-2021-33909.html
ubuntuhttps://ubuntu.com/security/CVE-2021-33909

Update on 2021/09/10

If there are no updates from the vendors, necessary mitigation process should be in place.

sysctl kernel.unprivileged_userns_clone=1   # unprivileged_userns_clone set as 0

sysctl kernel.unprivileged_bpf_disabled=1   # unprivileged_bpf_disabled set as 1

For technical details, please refer to below link:

https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt


Max Tsai

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA



Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.



You might also like


[GCP] Be careful using GCP's CI/CD service Google Cloud Build!

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

PCI 3DS 驗證 3 步驟_Max

PCI DSS Compliance Process and Requirements

online-payment-security-3dss

PCI 3DS Assessment and Certification

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.


Payment Security Market to Reach $24.6 Billion by 2022: Driven by the Need to Adhere to PCI DSS Guidelines & the Rise in Fraudulent Activities in Ecommerce

/in /by

The Payment Security Market by Solution, Service, Organization Size, Industry Vertical, and Region in 2022

The global payment security market size is expected to grow from USD 11.39 Billion in 2017 to USD 24.63 Billion by 2022, at a Compound Annual Growth Rate (CAGR) of 16.7%. The major growth drivers of the market include increased adoption of digital payment modes, need to adhere to PCI DSS guidelines, and rise in fraudulent activities in Ecommerce. The payment security market is segmented by component (solution and service), organization size, industry vertical, and region. The solutions segment in the market is expected to have a larger market size than the services segment during the forecast period. The reason behind the high growth rate is the increased need to secure online business sensitive transactions from advanced cyber-attacks.

The support services segment is expected to grow at a higher CAGR during the forecast period with the largest market size. The large enterprises segment is expected to account for a larger market size in 2017. However, the Small and Medium-Sized Enterprises (SMEs) segment is expected to grow at a higher CAGR during the forecast period, as SMEs are mainly adopting payment security solutions to protect the customer-sensitive bank account data from network vulnerabilities and attacks.

Payment security solutions and services are deployed across various industry verticals, including retail; travel and hospitality; IT and telecom; healthcare; education; media and entertainment; and others. The education vertical is expected to grow at the highest CAGR during the forecast period. However, the retail vertical is expected to have the largest market size in 2017, as retailers are using various interesting ways such as, offers and discounts to attract customers for online shopping. Therefore, the adoption of the payment security solutions is increasing in the retail sector.

On the basis of regions, the global payment security market has been segmented into North America, Europe, Asia Pacific (APAC), Middle East and Africa (MEA), and Latin America to provide a region-specific analysis. The North American region, followed by Europe, is expected to be the largest revenue-generating region for payment security service vendors in 2017. In the developed economies of the US and Canada, there is a high focus on innovations obtained from Research and Development (R&D) and payment security technologies. The APAC region is expected to be the fastest-growing region in the market. The growth in this region is primarily driven by the increasing adoption of advanced payment technologies within organizations to perform business transactions.

 

 

 

 

Research and Market, dated 1 August 1, 2017
http://www.researchandmarkets.com