Preface: A race condition allows an attacker to access a shared resource, which can lead to an attack by other participants using the resource.

Background: VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guests operating systems.

Vulnerability details: The attacker can exploit this vulnerability because standard user entitled write permission from the directory. Apart from that this Common Agent Framework (CAF) subdirectory inherit the priviliges access control.

Remedy: To remediate this issue, it is recommended to upgrade VMware Tools to 11.0.0 or later.
However, if upgrading is not possible, exploitation of this issue can be prevented by correcting the ACLs on “C:\ProgramData\VMware\VMware CAF” directory in the Windows guests running VMware Tools 10.x.y versions. In order to correct ACLs for this directory, remove all write access permissions for Standard User from the directory.

Disable inheritance, remove all inherited permissions, grant “Full control” to local System account and Administrators group Correct the ACL from the Windows UI via Properties of the directory.

Official announcement: Please refer to URL – https://www.vmware.com/security/advisories/VMSA-2020-0002.html

Technical background: A layer 7 load-balancer takes routing decision based on IPs, TCP or UDP ports or any information it can get from the application protocol (mainly HTTP). It is a Linux operating system based of machine. HTTP and HTTPS are the predominant Layer 7 protocol for website traffic on the Internet. A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.

Vulnerability: An issue was discovered in Citrix Application Delivery Controller (formly Netscaler) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. If this vulnerability exploited, could allow an unauthenticated attacker to perform arbitrary code execution. The fact is that it will impact the back end, perhaps it is a web portal or web server cluster. The Cybersecurity and Infrastructure Security Agency (CISA) has released a utility to conduct a test on specific product.

For more details, please refer to url. https://github.com/cisagov/check-cve-2019-19781

Preface: kdump is a feature of the Linux kernel that creates crash dumps in the event of a kernel crash. When triggered, kdump exports a memory image (also known as vmcore) that can be analyzed for the purposes of debugging and determining the cause of a crash.

Vulnerability details: Improper handling of specific IPv6 packets sent by clients mbuf and let memory leak occurs. This memory leak eventually leads to a kernel crash (vmcore), or the device hanging and requiring a power cycle to restore service, creating a Denial of Service (DoS) condition.

Official announcement and remedy solution:https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10982&cat=SIRT_1&actp=LIST

Additional possibilities – handling IPv6 packet design weakness

a. The server side sets IPV6_RECVPKTINFO on a listening socket, and the client side just sends a message to the server. Then the kernel panic occurs on the server.

b. net.ipv6.conf.eth0.max_addresses=16 It is not recommended to set this value too large (or to zero) because it would be an easy way to crash the kernel by allowing too many addresses to be created.

Preface: REST APIs are stateless. Stateful APIs do not adhere to the REST architectural style.

Background: SOAP is a protocol, and REST is an architectural style. A REST API can actually utilize the SOAP protocol, just like it can use HTTP. The Cisco Fabric Automation REST APIs for third party applications enables you to programmatically control Cisco Fabric Automation. All the REST API operations can also be performed using the DCNM GUI as DCNM uses these REST APIs to render the GUI.

Remark: From Release 10.0(1), by default, the Cisco DCNM supports HTTPS only.

Security Focus: Cisco Data Center Network Manager Authentication Bypass Vulnerabilities

Vulnerability Details:
CVE-2019-15975 – Cisco Data Center Network Manager REST API Authentication Bypass Vulnerability
CVE-2019-15976 – Cisco Data Center Network Manager SOAP API Authentication Bypass Vulnerability

If hacker already conducted infiltration to specific workstation before DCNM install. It will make this attack scenario straight forward. Because the network traffic before reach SSL tunnel not require any man-in-the-middle technique can capture the traffic. So it is easy to capture all the details through your web browser.
The design defect retain a secret key in end point during installation, so hacker can perform arbitrary actions through the REST API with administrative privileges. Since he know the user name and password. Therefore he can create a JSON Web Token and sign it using same secret key. Should you be interested, please read the details of attached diagram.

Cisco official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass

Preface: Referring to the statistic posted by w3techs. The websites using OpenBSD as operating system less than 0.1 percentage. Perhaps OpenBSD footprints are in industry manufacturing. For instance, heard that oil industry is the heavy duty users of OpenBSD.

Vulnerability details: The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution.

Impact: This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).

Causes: This vulnerability is in the OpenBSD dynamic link library (ld.so). The reason for the vulnerability is that ld.so cannot properly delete the LD_LIBRARY_PATH environment variable that sets the user ID and group ID programs under insufficient memory conditions. Commands such as chpass and passwd for privilege elevation.

Remedy: After downloading the source code, switch to the old version before patching the vulnerability.

$git clone https://github.com/openbsd/src.git 
$git checkout d2ce55dbd7845b33dafe44529e6ceb6b1c8ec6d5