• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – SNAKE Ransomware – Active IOCs
August 23, 2021
Rewterz Threat Alert –Phobos Ransomware – Active IOCs
August 23, 2021

Rewterz Threat Advisory –Unpatched Microsoft WFP AppContainer Flaw Disclosed by Google Zero Experts

August 23, 2021

Severity

Low

Analysis Summary

Google Zero experts have disclosed the details of the WindowsApp Container flaw after Microsoft announced that they had no plans to fix it.  According to the expert Forshaw “Recently I’ve been delving into the inner workings of the Windows Firewall. This is interesting to me as it’s used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.”

According to the security advisory shared “The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.”  “Connecting to an external network resource from an AppContainer is enforced through default rules in the WFP. For example, connecting to the internet via IPv4 will process rules in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. This layer can contain rules such as “InternetClient Default Rule” which will match if the caller is in an AC and has the Internet Capability. If a match is made then the connection is allowed. Eventually an AC process will match the “Block Outbound Default Rule” rule if nothing else has which will block any connection attempt.“

After going public with the disclosure of the vulnerability the status of the issue has been raised to “Started” which means that Microsoft has started to look into this and will be soon releasing a fix on this. 

Impact

  • Security Bypass
  • Privilege escalation

Affected Vendors

Microsoft

Affected Products

Microsoft WFP (Windows Filtering Platform)

Remediation

Microsoft is yet to release a patch for this vulnerability. More bug details can be found here.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2207
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.