A closer look at CVE-2020-1953 – it impacted Oracle OHF Self Service Analytics (20th Oct 2020)

Preface: As healthcare organizations look to reduce cost, IT rationalization and process transformation are accelerating as providers adopt cloud strategies.

Background: Oracle Healthcare Foundation is a feature-rich analytics platform that supports more than 35 subject areas relevant to health data analytics, giving healthcare providers more granular data regarding the requirements of individuals and populations.

Vulnerability details: YAML is a human-readable data serialization standard that can be used with any programming language and is often used to write configuration files. A flaw was found in Apache Commons Configuration: it uses a third-party library to process YAML files which, by default, allows the instantiation of classes if the YAML includes special statements. Oracle Healthcare Foundation Self-Service Analytics was impacted by this vulnerability.

Official announcement: https://www.oracle.com/security-alerts/cpuoct2020.html. The article is lengthy; search for the keyword “CVE-2020-1953” to find the details.

Security Focus – ESXi OpenSLP RCE vulnerability (CVE-2020-3992)

Preface: If you like open source applications, you should also like the bugs they come with.

OpenSLP has been ported to a wide variety of systems, for example Linux (32/64), Windows (32/64), SCO Unix, FreeBSD, Solaris, Tru64, Mac OS X, Darwin, … OpenSLP eliminates the need for users to know the names of network hosts. With OpenSLP, users need only know the description of the service they want to use. Based on this description, OpenSLP is then able to return the URL of the requested service.

Vulnerability details: A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. To exploit the vulnerability, a malicious user must send a malformed SLP packet to the target system.

Remedy: https://www.vmware.com/security/advisories/VMSA-2020-0023.html

Comment: According to my observation, a similar OpenSLP vulnerability was found a few years ago. However, there is no official patch for the remediation. I strongly believe that this bug will be exploited by cyber criminals, so it is highly recommended to disable this function.

Is it a myth or is it true? Quantum entanglement in the pyramid’s internal compartment.

Preface: The pyramids of Egypt are a mystery to mankind on Earth. What were they used for? According to scientists’ evaluations so far, it is hard to believe that ancient mankind had the knowledge and capability to build such a facility.

This article uses currently known materials. Furthermore, it includes my imagination and logic, so you can treat it as fiction or as unknown scientific matters. Finally, I would like to pay tribute to my fathers of enlightenment (Zecharia Sitchin and Erich Von Daniken).

I hereby give my respects to Osiris, Isis and Horus.

Background: Einstein opposed the Danish physicist Bohr’s theory of quantum mechanics. In March 1935, he and two of his colleagues questioned Bohr’s theory of quantum mechanics. He wanted Bohr to prove that the universe has a “ghostly ultra-distance effect” that exceeds the speed of light. Meanwhile, they formulated the famous EPR paradox.

Bohr’s theory was revived in 1982. The French team of Aspect conducted experiments with calcium atoms and finally proved that there was indeed a “ghostly super-distance effect” exceeding the speed of light. This phenomenon is called “quantum entanglement.”

Is it a myth or is it true? Are there advanced civilized beings in the cosmos?

People who are interested in the pyramids of Egypt will ask what the objective of the pyramid design is. The design architecture shows that the whole structure points to different constellations. For example, the star shaft of the King’s Chamber inside the pyramid points to Orion’s belt (see the diagram below for reference). Orion contains some of the brightest stars in Earth’s sky. Orion’s stars lie at distances ranging from 243 to 1360 light years. The belt stars are members of the Orion OB1b association, along with many other stars in this region, and they travel together through space. Are there advanced civilized beings in the cosmos? Furthermore, the star shaft of the pyramid points to constellations. But what is the objective? Is it for communication or something else?

Reference 1: The late Sumerian civilization expert Zecharia Sitchin and his book “The 12th Planet”. Sitchin analysed Sumerian cuneiform. The Sumerian clay tablets describe the creators of the ancient Sumerian culture as the Anunnaki.

The Anunnaki were a race of extraterrestrials from a planet beyond Neptune called Nibiru. However, this new planet in our Solar System has not been confirmed.

Reference 2: NASA, using mathematical calculation, speculates that there is a new planet in space, the so-called Planet-X. This discovery does not mean there is a new planet in our solar system. The existence of this distant world is only theoretical at this point and no direct observation of the object nicknamed “Planet 9” has been made.

About the star shafts of the pyramid – my observation and analysis

Engineer Christopher Dunn proposes his idea regarding the function of the Queen’s Chamber, in which the chemical hydrochloric acid (HCl) found in the southern shaft was mixed with the northern shaft chemical, hydrated zinc chloride (ZnCl2), to produce hydrogen (H2) gas. Part of my analysis is based on his theory. OK, be my guest to read the details below.

Overview of the architecture

The diagram shown below shows the ancient Egyptians filling in chemicals on both the left and right sides of the pyramid. In reality, carrying buckets of chemicals is not enough to support this operation. As we know, the Great Pyramid has a height of 455.2 ft (138.7 m), and the star shafts are located in the middle of the pyramid, so refilling the chemicals does not seem easy. Therefore there is reason to believe they made use of another method. Please be reminded that this procedure is not covered in this article.

Step 1. In order to explore the secret function of the King’s Chamber, the beginning phase of my imagination follows the theory founded by Christopher Dunn. For more details, please refer to the diagram below. The bottom of the right-hand side of the diagram shows a yellow pipe. I thought the original design had a component that was lost. The overall function of this facility is mainly to provide a hydraulic pump function. In this article, I do not provide analysis in this area.

Step 2 & 3: According to step 2 and step 3 shown in the diagram, the chemical reaction generates heat, explosion and hydrogen when the two different chemicals meet. In addition, water keeps running into the Subterranean Chamber, so the air pressure inside the Queen’s Chamber grows. As a result, heat, explosion and hydrogen migrate to the Grand Gallery.

Step 4: The phenomenon of this step is not similar to engineer Christopher Dunn’s concept. Referring to the diagram below, my comment is that the Grand Gallery’s major function is similar to a silencer. Apart from that, it has a feature which reduces destructive vibration inside the pyramid. The Grand Gallery is designed in a sloped shape with the goal of reducing the possibility of damage during the chemical explosion, because the chemicals stay in the Queen’s Chamber and the low part of the Grand Gallery. Since hot, pressurized air rises, this lets the high air pressure go to the King’s Chamber. The construction material of the King’s and Queen’s chambers is granite, and granite contains a high density of quartz. The chemical reaction raises the internal air pressure, so a huge volume of air pressure presses against the granite. This triggers the piezoelectric effect.

Step 5: In 1935, researchers predicted that under certain high-pressure conditions, hydrogen could take on metallic properties.

The piezoelectric effect occurs through compression of a piezoelectric material. Quartz is one such piezoelectric material. The method is to place the quartz between two metal plates. Under the circumstances of the King’s Chamber:

High pressure presses against the granite surface. The opposite side of the quartz embedded in the granite is equivalent to an electrical ground, because granite is a very good conductor of electricity. Therefore it produces electricity. The conceptual theory is displayed below:

Step 6: Since the whole cavity of the King’s Chamber contains hydrogen, the surface of the granite is covered with positive electric charge. Since it is a non-equilibrium electron energy distribution environment, in such a way it obtains coherent microwave radiation from crystals and gases. The microwave beam is emitted through the star shaft. In addition, the star shaft points to the Orion constellation. So we can go to the final step: finding out the function of the pyramid. Before providing the final details of my idea, let us do a quick review of quantum entanglement.

What is quantum entanglement? A large particle quickly decays into two small particles which fly away in two opposite directions at the speed of light. When one of the particles is disturbed alone, the other particle will instantly sense it at the same time, even though the two particles are moving apart at twice the speed of light. This phenomenon, which is several times faster than the speed of light, is called “quantum entanglement.”

Only quantum entanglement can open the wormhole.

Time travel to the past is theoretically possible in certain general relativity spacetime geometries that permit traveling faster than the speed of light, such as a traversable wormhole.

Quantum is a collective term! Photons, electrons, quarks, and neutrinos can all be said to be quantum. There is no concept of speed in quantum mechanics! Because there is no speed operator, there is no speed eigenstate and speed eigenvalue.

Highlight (QE) : Because the electronic transition is actually an entangled system formed by electrons and other particles, changing the energy state of other particles can change the energy state of the electron. The entanglement system’s “ghost-like over-distance action” has an infinite speed of action and does not require time.

From the long story described above, we found that the key elements inside the King’s Chamber are hydrogen and microwaves. Refer to the following characteristics:

A Hydrogen atom consists of a proton and an electron which are “bound” together – the proton (positive charge) and electron (negative charge) stay together and continually interact with each other.

Phonons at GHz frequencies can pass through materials that are opaque to photons, the particles that carry light.

Remark: Phonons are particles of sound or heat.

Therefore, we can apply the concept and make the thing happen. Re-using the theory of the statement (Highlight QE) above: the electronic transition is actually an entangled system formed by electrons and other particles, so changing the energy state of the other particles can change the energy state of the electron. The entanglement system’s “ghost-like over-distance action” has an infinite speed of action and does not require time. So the “ghost-like over-distance action” has appeared. Make the dream come true. Perhaps we can tell Albert Einstein!

So, if the advanced civilization people, or the people who built the pyramid, put a hadron collider there to create a black hole, they could do time travel. My comment is that the stone coffin installed in the King’s Chamber is not a coffin. It is the stand of a machine. Perhaps it is a hadron collider.

Reference: Can Large Hadron Collider cause black hole? First of all, yes, it is true that the LHC might create microscopic black holes. … To date, the collider still has not produced any collisions, and it is the extreme energy of those collisions — up to 14 tera-electron volts — that could potentially create a microscopic black hole.

————————–End of Document——————————————

CVE-2020-16951 – SharePoint users staying alert! (17th Oct 2020)

Preface: Perhaps it is a design limitation: SharePoint did not check the source markup of an application package, which provides an opportunity to an attacker. However, when you read the prerequisite requirements of the proof of concept, you will feel that it might be difficult to exploit this vulnerability. Nevertheless, a way to trigger this vulnerability was found, so we must be aware of it.

Vulnerability details: An authenticated attacker can craft pages to trigger a server-side include that can be leveraged to leak the web[.]config file. The attacker can leverage this to achieve remote code execution.

Prerequisite: the attacker needs AddAndCustomizePages permission enabled which is the default.

Hints: The Add and Customize Pages permission is a site-level permission; it is not in a list permission level. When you get full control at the list permission level, you may not get the permission at the site level. You can add a new permission level which only includes the Add and Customize Pages permission, then create a new SharePoint group with this permission level. Then add yourself to the SharePoint group and you will get the Add and Customize Pages permission at the site level.
If it is at the site level, please make sure you have enabled Custom Scripting in the SharePoint admin center. Go to SharePoint admin center > Settings > Custom Script.

Remedy: The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952

CVE-2020-13943 – Apache Tomcat HTTP/2 DoS (16th Oct 2020)

Preface: Slow HTTP attacks are denial-of-service (DoS) attacks. They appeared nearly a decade ago, and such vulnerabilities made people aware of application security.

Background: Why do we need HTTP/2?

HTTP/2 allows the client to send multiple requests concurrently to the server through the same TCP connection, and the server can also use the same TCP connection to send the responses back concurrently, thereby reducing additional RTT (round trip time).

Vulnerability details: On 26 June 2020, a vulnerability was found in Apache Tomcat: a limitation in system resource handling when Apache Tomcat upgrades a connection to HTTP/2.
The matter is caused by the multi-protocol function. Because of this design limitation, Apache Tomcat did not release the HTTP/1.1 resources, which lets Apache Tomcat consume all of its memory and thus triggers a denial of service.

Remedy (official announcement): Refer to link – http://mail-archives.us.apache.org/mod_mbox/www-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E

Microsoft Addresses Windows TCP/IP RCE/DoS Vulnerability – US Homeland Security urges public attention (14th Oct 2020)

Preface: Before the release of IP version 6, we had a good impression of its features.

Technical background: The official technical article provides the definition of IPv6 RDNS option address length (Details refer to attached diagram – point 3).

Potential Impact: If an even length value is provided, the attacker intentionally causes the Windows TCP/IP stack to incorrectly increase the size of the network buffer by 8 bytes, because the stack fails to account for the case where a non-RFC-compliant length value is used (it internally counts in 16-byte increments). This mismatch results in the stack interpreting the last 8 bytes of the current option as the start of a second option, ultimately leading to a buffer overflow and potential RCE.
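As an added illustration (not code from the Microsoft advisory or from this page’s author), the Python parser below applies the RFC 8106 rule that an RDNSS option’s Length field must be odd and at least 3, and bounds-checks every Router Advertisement option before trusting its length. The sample packets are constructed here, and the `ra_is_well_formed` filter helper is hypothetical.

```python
import struct
from ipaddress import IPv6Address

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
ND_OPT_RDNSS = 25        # RFC 8106 Recursive DNS Server option
RA_HEADER_LEN = 16       # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans


class MalformedRA(ValueError):
    """Raised for any option that a strict RFC 4861 / RFC 8106 parser should drop."""


def parse_rdnss(opt_len: int, body: bytes) -> dict:
    # RFC 8106: Length = 1 + 2N for N server addresses, so it must be odd and at least 3.
    # An even value is exactly the non-compliant case that confused the Windows stack.
    if opt_len < 3 or opt_len % 2 == 0:
        raise MalformedRA(f"RDNSS length {opt_len} is not RFC 8106 compliant")
    lifetime = struct.unpack("!I", body[2:6])[0]          # 2 reserved bytes, then lifetime
    servers = [IPv6Address(body[i:i + 16]) for i in range(6, len(body), 16)]
    return {"lifetime": lifetime, "servers": servers}


def parse_ra_options(icmpv6: bytes) -> list:
    """Walk the ND options of a Router Advertisement with strict bounds checks."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ND_ROUTER_ADVERT:
        raise MalformedRA("not a router advertisement")
    options, off = [], RA_HEADER_LEN
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            raise MalformedRA("truncated option header")
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        size = opt_len * 8                                 # Length field is in units of 8 octets
        if opt_len == 0 or off + size > len(icmpv6):
            raise MalformedRA(f"option {opt_type}: length {opt_len} overruns the packet")
        body = icmpv6[off + 2:off + size]
        options.append((opt_type, parse_rdnss(opt_len, body) if opt_type == ND_OPT_RDNSS else body))
        off += size
    return options


def ra_is_well_formed(icmpv6: bytes) -> bool:
    """Filter-style verdict (hypothetical helper): True only if every option parses cleanly."""
    try:
        parse_ra_options(icmpv6)
        return True
    except MalformedRA:
        return False


# --- constructed sample packets, not captured traffic ---------------------------------
def build_ra(*options: bytes) -> bytes:
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


def rdnss_option(length: int, *servers: str) -> bytes:
    """RDNSS option with an arbitrary Length field, zero-padded so the size matches the field."""
    payload = b"\x00\x00" + struct.pack("!I", 3600) + b"".join(IPv6Address(s).packed for s in servers)
    return bytes([ND_OPT_RDNSS, length]) + payload.ljust(length * 8 - 2, b"\x00")


GOOD_RA = build_ra(rdnss_option(3, "2001:db8::53"))   # compliant: 8-byte header + one address
BAD_RA = build_ra(rdnss_option(4, "2001:db8::53"))    # even length: the last 8 bytes are ambiguous
```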

Remedy: The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

Comment: The vulnerability hitting Microsoft is caused by an IPv6 design feature. Perhaps it is a fundamental design matter. I predict that other vendors may encounter the same matter soon.

Homograph Attack (Puny-code) – CVE-2020-25779

Preface: To avoid malware attacks, DNS is the first door for quarantine. This step is not difficult: check whether the domain name being called is included in the blacklist.

What is Punycode?
An encoding that represents Unicode words that cannot be written in ASCII using only ASCII characters.

Background: There are two different scenarios for a cyber threat actor to exploit.

  1. Attackers build deceptive IDNs (Internationalized Domain Names) that are likely to mislead internet users.
  2. Phishing attacks are almost impossible to detect when the Puny-code vulnerability is encountered.

Synopsis: If the DNS filter mechanism does not convert IDN domains to their Punycode form before doing the verification, it becomes possible for a blacklisted domain to be ignored by the filter.

Example: The domain “xn--eqru1b157l[.]co” is equivalent to “黑名單[.]co”, where “xn--eqru1b157l” is the Puny-code.
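Added example (not code from Trend Micro or from this page): a blocklist lookup that converts each label to its xn-- form before matching, using the 黑名單[.]co entry from the example above (written with real dots in the code). The blocklist contents and the helper names are constructed for the example, and the lower-casing plus NFC step stands in for full UTS #46 processing.

```python
import unicodedata

# Constructed blocklist: a single entry stored in its ACE (xn--) form.
BLOCKLIST = {"xn--eqru1b157l.co"}


def to_ace(hostname: str) -> str:
    """Return the hostname in ASCII-Compatible Encoding (xn-- labels), label by label."""
    # Simplified mapping step (assumption): NFC + lower-case instead of the full UTS #46 table.
    name = unicodedata.normalize("NFC", hostname.strip().rstrip(".")).lower()
    labels = []
    for label in name.split("."):
        if label.isascii():
            labels.append(label)                 # plain ASCII, or already an xn-- label
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(hostname: str) -> str:
    """Inverse of to_ace, for showing an analyst what an xn-- label actually displays as."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def naive_is_blocked(hostname: str) -> bool:
    """The weak filter described above: raw string comparison, so the Unicode spelling slips past."""
    return hostname.lower() in BLOCKLIST


def is_blocked(hostname: str) -> bool:
    """The corrected filter: normalise to ACE first, so both spellings hit the same entry."""
    return to_ace(hostname) in BLOCKLIST
```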

Vulnerability details: Trend Micro Antivirus for Mac 2020 (Consumer) Bypass Web Threat Protection via Internationalized Domain Name Homograph Attack (Puny-code) Vulnerability.

Remedy: Trend Micro has released a new build of Trend Micro Antivirus for Mac Security (Consumer). Please refer to link – https://helpcenter.trendmicro.com/en-us/article/TMKA-09949

CVE-2020-26947 – Monero-wallet-gui design weakness (12th Oct 2020)

Preface: Monero price US$132.36 today – (12th Oct 2020). Monero (XMR) stands at the top of the list. This cryptocurrency’s popularity has been on the rise, primarily due to its ability to help anonymize users. Monero transactions are much more difficult to trace because they use ring signatures and stealth addresses.

Vulnerability details: monero-wallet-gui in Monero GUI 0.17.0.1 includes the . directory in an embedded RPATH (with a preference ahead of [/]usr[/]lib), which allows local users to gain privileges via a Trojan horse library in the current working directory.

Supplement: Potential risk: local privilege escalation (similar to DLL hijacking on Windows).
Condition: the current directory allows the user write and execute permission.
Therefore the vulnerability risk level depends on the default program and .so privilege controls. If the specified dynamically linked shared object libraries have been granted tight access permissions, the severity of the risk drops significantly.
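Added example, not part of the Monero project or of the NVD entry: a small checker over `readelf -d` output that flags RPATH/RUNPATH entries the dynamic loader would resolve against the current working directory, such as the `.` entry ahead of /usr/lib described above. The readelf sample below is constructed, not captured from monero-wallet-gui, and the function names are hypothetical.

```python
import re

# Constructed sample of `readelf -d` output (not from the real monero-wallet-gui binary);
# the RPATH line mirrors the CVE description: "." listed ahead of /usr/lib.
SAMPLE_READELF = """\
Dynamic section at offset 0x1c8 contains 4 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]
 0x000000000000000f (RPATH)              Library rpath: [.:/usr/lib]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/lib:/opt/app/lib]
"""

SEARCH_PATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*?)\]")


def unsafe_search_paths(readelf_output: str) -> list:
    """Return (tag, position, entry, reason) for each RPATH/RUNPATH entry that the
    dynamic loader resolves against the process's current working directory."""
    findings = []
    for tag, value in SEARCH_PATH_RE.findall(readelf_output):
        for pos, entry in enumerate(value.split(":")):
            if entry in ("", "."):
                # "." and an empty element both mean "look in the cwd" to ld.so
                findings.append((tag, pos, entry, "current working directory"))
            elif not entry.startswith(("/", "$ORIGIN", "${ORIGIN}")):
                findings.append((tag, pos, entry, "relative path, resolved from the cwd"))
    return findings


def hijack_exposure(readelf_output: str) -> str:
    """One-line verdict; an unsafe entry at position 0 is searched before every system dir."""
    findings = unsafe_search_paths(readelf_output)
    if not findings:
        return "no cwd-relative library search path"
    tag, pos, entry, reason = findings[0]
    order = "before the trusted directories" if pos == 0 else "after earlier entries"
    return f"{tag} entry {entry!r} ({reason}) is searched {order}"
```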

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-26947

Official alert – APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations (9th Oct 2020)

Preface: Zero-day attacks don’t have signatures; no one in the security community has analyzed the exploited vulnerability yet. It was probably only discovered after the victim reported it. Therefore we should set up a comprehensive vulnerability management program.

Risk management – In reality, it’s not easy applying every patch as soon as it comes out. This is why it’s important for us to craft a comprehensive vulnerability management program through which we can use a risk profile to prioritize security flaws.

How to detect a zero-day vulnerability?
A DNS sinkhole setup can assist systems in evaluating programs and anticipating whether their actions are actually intended or linked to a deliberate change in function. Over time, these systems are exposed to the entire operational profile of programs and are able to raise alerts when they detect suspicious data access attempts.

Within this year, we have noticed that critical vulnerabilities were found. Perhaps we could not imagine that famous security solution vendors would also become victims (see below):
– Citrix NetScaler CVE-2019-19781
– MobileIron CVE-2020-15505
– Pulse Secure CVE-2019-11510
– Palo Alto Networks CVE-2020-2021
– F5 BIG-IP CVE-2020-5902
– Fortinet FortiOS VPN vulnerability CVE-2018-13379
Federal and state, local, tribal, and territorial (SLTT) government networks and critical infrastructure also make use of their products.
On 9th October 2020, CISA and the FBI released a joint advisory regarding APT actors chaining vulnerabilities against SLTT, critical infrastructure, and elections organizations.

Official announcement, please refer to link – https://us-cert.cisa.gov/ncas/alerts/aa20-283a

CVE-2020-12505 & CVE-2020-12506 CODESYS impacting WAGO, not sure who is the next victim? – 7th Oct 2020

Preface: CODESYS is the leading manufacturer-independent IEC 61131-3 automation software for engineering control systems. However, a design weakness jeopardizes the industrial world.

Highlights: According to the CVE announcement on 30th September 2020, a series of WAGO PLC-ETHERNET fieldbus controllers are vulnerable to cyber attack.

Vulnerability details: Authentication can be disabled for port 11740 when it is in use for uploading PLC applications to the device, which lets an attacker bypass authentication. A design flaw occurs since the device only requires application logic following IEC 61131 standards; arbitrary code could be executed directly on the device with the privileges associated with the CODESYS runtime.

Official Mitigation method:
– Restrict network access to the device.
– Do not directly connect the device to the internet.
– Disable unused TCP/UDP ports.
– Disable web-based management ports 80/443 after the configuration phase.

Reference:

https://cert.vde.com/en-us/advisories/vde-2020-027

https://cert.vde.com/en-us/advisories/vde-2020-028

antihackingonline.com