CVE-2019-12256 The industrial, and medical devices has been affected by IPV 4 component design flaws in VxWorks 7 & VxWorks 6.9 (Aug 2019)

Background: Wind River’s VxWorks is widely used in communications, military, aerospace, industrial control and other fields for its high reliability and excellent real-time performance. For example, it is used in the US F-16, FA-18 fighters, B-2 stealth bombers and Patriot missiles. The most famous is the Mars probe that landed on the surface of Mars in April 1997 and landed in May 2008. The Phoenix, and the Curiosity Rover, which landed on Mars in August 2012, also used VxWorks 7.

Vulnerability details: Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the IPv4 component. There is an IPNET security vulnerability: Stack overflow in the parsing of IPv4 packets? IP options.

Official announcement: CVE-2019-12256 Not affected by user-application code, this vulnerability resides in the IPv4 option parsing and may be triggered by IPv4 packets containing invalid options.The most likely outcome of triggering this defect is that the tNet0task crashes. In the worst-case scenario, this vulnerability can potentially lead to RCE.

Remedy: Fixed in Vx7 SR620 .Customers are advised to contact Wind River Customer Support.

When CVE-2019-14809 was announced, do you think you need to adjust your e-commerce operations? Aug 2019

Background: Google Go Language is suitable for web development especially front-end development. Quite a lot of companies using GO. For instance Facebook, Twitter, YouTube, Apple, Dropbox, Docker, Soundcloud, Mozilla Firefox, The New York Times, Github, GOV.UK and UBER.

Vulnerability details: A vulnerability in the net/url package in Golang Go could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system. The affect product inlcudes version prior 12.12.7 and prior 1.11.12.

Observation: CVE-2018-12123 was addressed Hostname spoofing in URL parser for javascript protocol on Node.js.
However CVE-2019-14809 found that vulnerability occurs in the net/url package in Golang Go could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system. It was because because the net/url package in the affected software mishandles parameter (mishandles malformed “hosts:) in URLs. For more details, please see attached diagram for reference.

Remedy: Golang has released software updates at the following – link: https://github.com/golang/go/releases

Previous NFS 4.1 vulnerability (CVE-2018-16884) show linux kernel design weakness.

Preface: A vulnerability in the NFS41+ subsystem of the Linux Kernel could allow an authenticated, adjacent attacker execute arbitrary code on a targeted system. The vulnerability exists because the bc_svc_process() function of the affected software uses the wrong back-channel ID. use-after-free in svc_process_common

The defect not only affected software uses the wrong back-channel ID. Furthermore it causes access freed memory because of use-after-free vulnerability in svc_process_common(). Perhaps Use-After-Free Vulnerabilities in Linux Kernel are common. Most likely causes by the following factors.

  • use an object without checking whether the pointer is valid
  • free an object without cleaning the pointer

Doubt: If all the objects in a cache are freed, the whole space of the cache is going to be recycled by the kernel.
Was the space definitely to be re-used for a cache storing the objects of the original type? No.
So it is benefit for attacker.

For NFS 4.1 matter, it was highly recommended to following Best Practices guideline. For instance, If you use NFS version 3 and NFS version 4.1, do not mix them on the same volumes/data shares. Separate the backend storage NFS network from any client traffic.

For remedy of the “use after free” vulnerability of NFS41 – Please refer to url: https://patchwork.kernel.org/patch/10733769/

Closer look: CVE-2019-1162 Windows ALPC Elevation of Privilege Vulnerability

Preface: ALPC (Advanced/Asynchronous Local Procedure Call) is a C/S model technology developed by Microsoft to replace LPC for native RPC.

Vulnerability details: Tasks created by the Task Scheduler will create the folder and file in “c:\windows\system32\ tasks”. This function original to be designed to write the discretionary access control list of the task in this place. For some reason, it also checks if the .job file exists under c:\ windows \ tasks and tries to set the DACL

Since users belonging to the guest group, can create files in this folder, we can simply create a hard link to another file (we only need to read access). Due to the hard link, we can let the task scheduler write any DACL (see the second parameter of SchRpcSetSecurity) to the file of our choice. Therefore, any file we read is accessed as a user, and the system has write DACL permissions, we can go to full control and overwrite it.

Vendor announcement : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162

THE GREATER THE POWER OF THE COUNTRY, THE STRONGER THE SUPERCOMPUTER.

Summit, launched in 2018, delivers 8 times the computational performance of Titan’s 18,688 nodes, using only 4,608 nodes. Summit still carry the flags tell the world that he keep the fast run record.

Over the past decade, Linux Clusters founded and starting the competition with mainframe computer. The most famous IBM crossbar switch encounter doubt to technical world. Does he better than Linux Clusters? Crossbar – The processors are connected with non-internally blocking crossbar switch and communicate with each other via global interleaved memory.

The record shown on the diagram, even though the supercomputer CPU core increase 4 times compare to submit. But it do not have significant growth. Perhaps you may feeling that the bottleneck given from CPU. My personal comment is that crossbar coexists CPU and I/O direct way. Linux cluster form virtual matrix hoop up. But the design limitation is the server hardware instead of CPU. We keep our eye open to see who is the winner on next round? A crossbar switch, as part of a crossbar topology, channels data or signals between two different points in a network.

Remark: The crossbar setup is a matrix where each crossbar switch runs between two points, in a design that is intended to hook up each part of an architecture to every other part.

CVE-2019-10099 Apache Spark Unencrypted Data Vulnerability Aug 2019

Background: Apache Spark is the tailor made for big data industry.Spark’s advanced acyclic processing engine can operating as a stand-alone mode or a cloud service.

Synopsis: Spark supports encrypting temporary data written to local disks. This covers shuffle files, shuffle spills and data blocks stored on disk (for both caching and broadcast variables). It does not cover encrypting output data generated by applications with APIs such as saveAsHadoopFile or saveAsTable. It also may not cover temporary files created explicitly by the user.

Vulnerability details: The vulnerability is due to a cryptographic issue in the affected software that allows user data to be written to the local disk unencrypted in certain situations, even if the spark.io.encryption.enabled property is set to true.

Security focus: This vulnerability did not category as critical. But the level of risk will be depends on the system architecture and classification level of data. For instance, it is a machine learning function and install on top of public cloud computer farm. If this is the case, a serious access restriction control to Spark infrastructure area must be apply.

Remedy: Apache has released software updates at the following link – https://spark.apache.org/downloads.html

CVE-2019-14544 Gogs Permission Checking vulnerability Aug 2019

Preface: If you are not yet ready to share your project on GitHub. You can host your own Private GitHub. It is Gogs.

Product background: The goal of Gogs is to make the easiest, fastest, and most painless way of setting up a self-hosted Git service. So all the design concept, program code and perhaps intellectual properties all keep in this place. Since the intension is not go for public and therefore it will be installed on private cloud or a single machine.

Vulnerability details: A design defect found in source code file (routes/api/v1/api.go). The impact causes affected software does not properly perform permission checks for routes.
Since there is no preventive control and therefore an attacker could exploit this vulnerability to perform unauthorized actions on a targeted system. Should you have interested of this issue, see top right hand side of the diagram. You will find part of the enhancement features. Perhaps you will speculate what is the actual problem.

Remedy – See url https://github.com/gogs/gogs/blob/master/routes/api/v1/api.go

CVE-2019-11042 PHP flaw form a way to read past the allocated buffer. This may lead to information disclosure or crash. Aug 2019

Preface: We knew Python programming language has large footprint in IoT world. Have you heard PHPoC (PHP on Chip) – a programming language and an IoT hardware platform? So, PHP programming language still have survival space.

Background: The EXIF headers tend to be present in JPEG/TIFF images generated by digital cameras. In order to read meta data generated by digital cameras , software application simply using the standard exif_read_data() function.

Vulnerability details: When PHP EXIF extension is parsing EXIF information from an image (e.g. via exif_read_data() function).
Such defect possible to supply it with data what will cause it to read past the allocated buffer and causes data leak.

Affected version: in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8

How smart of the smartcity, depends on your vulnerability management (CVE-2019-14462 & CVE-2019-14463) Aug 2019

Preface: Why should we driven Artificial Intelligence like a maniac? We are mankind!

MODBUS techincal background: Modbus is a communication protocol developed by Modicon systems. In simple terms, it is a method used for transmitting information over serial lines between electronic devices. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves.

Possible way – A string is properly null-terminated if a null terminator is present at or before the last element in the array. If a string lacks the terminating null character, the program may be tricked into reading or writing data outside the bounds of the array. A successful exploit could trigger an out-of-bounds read condition that the attacker could use to execute arbitrary code or cause a DoS condition.

Remedy – Official release updated to include important fixes: https://libmodbus.org/2019/stable-and-development-releases/

Australian Cyber Security Centre urge his citizen beware of Password Spraying Attacks

Preface: Even though you company install full set of cyber defense mechanism. More than 70% of feature is detective and preventive. Perhaps SIEM can do a predictive action. May be you have doubt, but it is factual.

Details: Australian Cyber Security Centre urge his citizen beware of Password Spraying Attacks (refer below url): https://www.cyber.gov.au/sites/default/files/2019-08/2019-130_-_password_spray_attacks_detection_and_mitigation_strategies.pdf
Such activities has been observed by U.S. Homeland security for long time. Consolidate their evaluation results, summary shown as below:

Part A: Commonly used ports are used when password spraying.

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTP Management Services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

Part B: Cyber Attack Group & Commonly used malware

Group name: APT3,APT33,Dragonfly 2.0(Berserk Bear),Threat Group-3390,Lazarus Group , OilRig(APT35),Leafminer,Turla

Malware types:
Chaos (malware)
Linux Rabbit(malware)
SpeakUp (Trojan backdoor)
Xbash (malware)
PoshC2 is an open source remote (written in powershell)
Emotet (malware)

SIEM Definition – Firing Rules criteria (see below):
1. Failed attempts over a period of time
2. Large numbers of bad usernames
3. High number of account lockouts over a defined period of time
4. Unknown “appDisplayName” – Active Directory PowerShell
5. Ratio of login success verses login failure per IP address

Remark: If your IT infrastructure is a Cloud IaaS deployment, perhaps you need to do the monitoring by yourself.

If the above 5 items triggers your SIEM rules. Even though the activities not in high amount. But you requires to observe the continuity level. Most likely on those activities alert that cyber attack group is interested of your company.

antihackingonline.com