CVE-2019-13470 MatrixSSL ASN.1 Handling Out-of-Bounds Read Vulnerability – Jul 2019

Preface: The product of MatrixSSL is used by many companies. Since MatrixSSL design in low memory footprint.
Whereby, they can partner with smart city infrastructure and IoT devices.

Vulnerability details: A vulnerability in MatrixSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Our speculation:

  1. x509 is the name for certificates which are defined for informal internet electronic mail, IPsec, and WWW applications.
  2. X.509 original ver 1, and then a ver 2. But now we use the version 3.
  3. Reading the corresponding RFC the structure shown as below:
    Certificate ::= SEQUENCE {
    tbsCertificate TBSCertificate,
    signatureAlgorithm AlgorithmIdentifier,
    signatureValue BIT STRING }
  4. Above are ASN.1 structures.
  5. If attacker send a crafted certificate to the targeted system.
  6. An error in parsing a maliciously formatted ASN.1 Bit Field primitive could cause a crash due to a memory read beyond allocated memory.

Vendor release software updateshttps://github.com/matrixssl/matrixssl/releases

Tiny world and tiny storm – CVE-2018-20815,CVE-2019-10638 & CVE-2019-10639

Preface: Cyber attack similar real world. There are different types of ideas and concepts in the world make humans become extreme. So we have war and different arguments. Besides, there are bacteria and virus try to infect our body. Kernel like tiny world, they also hits above circumstances.

Vulnerability details:

CVE-2019-10639 – Linux Kernel IP ID Values Information Disclosure Vulnerability. The vulnerability exists because it is possible to extract the Kernel Address Space Layout Randomization (KASLR) kernel image offset of the affected software using the IP ID values that the kernel produces for connectionless protocols.

CVE-2019-10638 – Linux Kernel Connectionless Protocols IP ID Values Information Disclosure Vulnerability. The vulnerability exists because the affected software uses the IP ID values that the kernel produces for connectionless protocols.

Reference: The IDR provides the ability to map an ID to a pointer, while the IDA provides only ID allocation, and as a result is much more memory-efficient.

CVE-2018-20815 – The vulnerability is due to buffer errors in the deprecated load_image function, as defined in the device_tree.c source code file of the affected software.

Summary: The impact of above vulnerability especially CVE-2018-20815, a large footprint of impact to virtual machine software provider. IP ID Values Information Disclosure Vulnerabilities has been addressed by Kernel.org.
But Linux user must staying alert.

CVE-2019-10638, CVE-2019-10639 – https://www.kernel.org/

CVE-2018-20815 – https://git.qemu.org/?p=qemu.git;a=commitdiff;h=da885fe1ee8b4589047484bd7fa05a4905b52b17

it might be new path way in cyber attack. yes, it is uefi.

Preface: UEFI has slowly come to replace BIOS. Whereby Intel schedule to completely replace BIOS with UEFI on all chipsets by 2020.

Quote: Firmware is software, and is therefore vulnerable to the same threats that typically target software.

Technical details: From technical point of view, EFI Runtime services are usually located below 4GB. As a result it has a way into Linux on high memory EFI booting systems.

What is the different when malware alive into these areas?

  • Malware injected into the address space is transient, and will be cleaned up on the next boot.
  • Malware injected into the firmware flash regions is persistent, and will run on every subsequent boot

Using the follow command can display x509 v3 digital certificate and confirm thatgrubx64.efi can read (/boot/efi/EFI/fedora/)grub.cfg. Oh! It is easy to access this file when you have root privileges. But do not contempt this issue.

  • sudo tree /boot/efi
  • sudo hexdump -C /boot/efi/EFI/fedora/shim.efi | egrep -i -C 2 ‘grub|g.r.u.b’
  • sudo strings /boot/efi/EFI/fedora/grubx64.efi | grep grub.cfg

Sound interesting. Should you have interested, please refer below guide book :NIST Special Publication 800-147 BIOS Protection Guidelines https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf

Multiple high vulnerabilities in Advantech WebAccess/SCADA -CVE-2019-10989,CVE-2019-10991 & CVE-2019-10993

Preface: Cyber Security expert not suggest access SCADA Dashboard from external area (internet). But we can use VPN establish connection then sign on as a workaround.

Background: Advantech WebAccess/SCADA is a browser-based SCADA software package for supervisory control, data acquisition and visualization.

Vulnerability details: In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data.

CVE-2019-10989 – The specific flaw exists within the implementation of the 0x113d1 IOCTL in the webvrpcs process.

CVE-2019-10991 – The specific flaw exists within bwclient.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process.

CVE-2019-10993 – The specific flaw exists within the implementation of the 0x27E9 IOCTL in the webvrpcs process.

Summary: Stack based & heap based buffer overflow and untrusted pointer dereference Remote Code Execution are all found in this product. Ioctl is a function in the device driver that manages the device’s I/O channels. The so-called I/O channel management is to control some characteristics of the device.

Reference: A stack-based buffer overflow vulnerability exists in a call to strcpy. Strcpy is one of the functions of the C language. It comes from the C standard library, defined in string.h, which can copy a memory block with a null end character into another memory block.
So attacker can leverage this vulnerability to execute code under the context of Administrator.

Advantech has issued an update to correct this vulnerability – https://www.us-cert.gov/ics/advisories/icsa-19-178-05

China raised the security level for its vessels heading through the Strait of Malacca. Perhaps cyber security vulnerabilities causes shipping traffic jam in that place! Jul 2019

Preface: The string of attacks last month on tankers near Hormuz. It alerting to related industry and countries about bottleneck on supply chain.

Quote: The head of Indonesian Maritime Security Agency, said it’s looking into the issue. And it doesn’t see why China raised the alert status?

From technical point of view: As a matter of fact, it is not difficult to make trouble to world by cyber attack nowadays. For example, Ransomware or exploit the vulnerability on the computer system. As far as we know, on the tankers side, it install GPS and management system. Those systems are the Windows or Linux OS base of machines. If you are belongs to marine industry especially shipping company, see whether you are require to re-cofirm the patch level of your maritime bandwidth management system. Do not let those vulnerabilities causes shipping traffic jam. For more details, please see below url for reference.

Perhaps not merely the specified vulnerability. Should you interested if the Headline news. Please refer below:

https://www.bloomberg.com/news/articles/2019-07-03/china-raises-warning-for-shipping-in-malacca-strait-people-say

Status update on 8th July 2019: U.S. Coast Guard recommendation: the maritime community can help strengthen their defenses by implementing the following basic cybersecurity measures:

  • Implement network segmentation.
  • Create network profiles for each employee, require unique login credentials, and limit privileges to only those necessary.
  • Be wary of external media.
  • Install anti-virus software.
  • Keep software updated.

CVE-2019-10141 Red Hat OpenStack openstack-ironic-inspector Introspection SQL Injection Vulnerability – JUl 2019

Preface:The cloud can be managed with a web-based dashboard or command-line clients, which allow administrators to control.At the same time it lures the arrival of cyber attackers.

Product background: Red Hat OpenStack Platform provides the foundation to build a private or public Infrastructure-as-a-Service (IaaS) cloud on top of Red Hat Enterprise Linux.

Vulnerability details:

A SQL-injection vulnerability was found in openstack-ironic-inspector’s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results
An attacker could exploit this vulnerability by submitting malicious introspection data to the targeted system. A successful exploit could allow the attacker to conduct SQL injection attacks on the targeted system.

Remediation: Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.

802.1AB is the burden of Cisco Nexus 9000 series Fabric switches. it let cisco increase one more vulnerability (CVE-2019-1890) – 3rd Jul 2019

Preface: Switched Fabric or switching fabric is a network topology in which network nodes interconnect via one or more network switches.

What is Cisco ACI? – Cisco ACI is a tightly coupled policy-driven solution that integrates software and hardware. The hardware for Cisco ACI is based on the Cisco Nexus 9000 family of switches. The software and integration points for ACI include a few components, including Additional Data Center Pod, Data Center Policy Engine, and Non-Directly Attached Virtual and Physical Leaf Switches.

Vulnerability background & details: 802.1AB(LLDP) build in May 2005. LLDP was developed as an open and extendable standard. It was modeled on and borrowed concepts from the numerous vendor proprietary discovery protocols such as Cisco Discovery Protocol (CDP), Extreme Discovery Protocol (EDP) and others. At that time cyber security not as serious today. So the design weakness extend till today and causes an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN.

We seen the impact posted by Cisco. They state that if strict mode is configured, this vulnerability cannot be exploited. Strict mode enforces further firmware security checks before allowing a connection.

Remark: Only Cisco Discovery Protocol provides an additional capability not found in LLDP-MED that allows the switch to extend trust to the phone. That is the phone will be trusted to mark the packets received on the PC port accordingly.

Official announcementhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-n9kaci-bypass

2nd Jul 2019 – VMware product updates address Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478)

Preface: ESXi is not built upon the Linux kernel, but uses an own VMware proprietary kernel (the VMkernel) and software, and it misses most of the applications and components that are commonly found in all Linux distributions.

In common Linux circumstances to avoid SACK vulnerabilities. The workaround are:

CVE-2019-11477
Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

CVE-2019-11478
Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

CVE-2019-11479
Filter command:
Sudo iptables -A INPUT -p tcp -m tcpmss –mss 1:500 -j DROP

Turn off tcp_mtu_probing:
Sysctl net.ipv4.tcp_mtu_probing

Perhaps this is VMWARE. So you must follow below solution by vendor.

https://www.vmware.com/security/advisories/VMSA-2019-0010.html

cve-2019-7225 hmi hardcoded credentials vulnerability (jul 2019)

Preface: As time goes by, As time goes by, the common software design mistake found on business computer world now extend to industrial area. The impact includes SCADA , PLC and graphical user interfaces software.

Design defect: On systems, a default administration account exists which is set to a simple default password which is hard-coded into the program or device.From cyber security point of view, it is not the best practices. Meanwhile it boots up the overall risk level.

Vulnerability details: Design limitation encountered on ABB HMI components: A hidden administrative accounts embedded. This credential will be used during the provisioning phase of the HMI interface. Apart from that the credentials allow the provisioning tool “Panel Builder 600” to flash a new interface and Tags (MODBUS coils) mapping to the HMI.

Impact: An attacker can use these credentials to login to ABB HMI to control the operations. Those credentials are used over both HTTP(S) and FTP. Furthermore it let the attacker receive the read/write authority. As a result, it provide a pathway to implant malware into the system.

Official announcement ABB PB610 – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch

Official announcement ABB CP635 HMI – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch

Official announcement ABB CP651 HMI – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch

Orvibo smart home devices leak billions of user records – customer must staying alert – Jul 2019

Preface: If victim is not negligence. Can we give an excuse to him?

Company background: Orvibo, a Chinese smart home solutions provider.

Story begin: A technical report shown to the world that Orvibo (ElasticSearch cluster) leaked more than two billion user logs containing sensitive data of customers from countries all over the world.
Does the admin using easy to guess password or………

Impact: Diminished reputation of the company only. Perhaps more, GDPR penalty, phishing scam,..etc. Most likely customer do not aware and let the attacker hunt the victim easier because criminal will counterfeit their personal information.

If you are aware your personal information has been stolen by above incident. What should You do?

Since hacker know your personal details and therefore they will using your information to conducting criminal activities on other public media. Our suggestion is that changing your password and update the virus signature or OS patching are not enough. You must observer your mail box whether scam mail activities is growth rapidly after this incident. If result shown positive, you must contact your email service provider and looking for their recommendations.

Headline News – https://www.dailymail.co.uk/sciencetech/article-7202675/Maker-smart-home-software-continues-leave-database-containing-users-passwords-OPEN-online.html

antihackingonline.com