Cisco Security Advisory – Texas Instruments Bluetooth Low Energy Denial of Service and Remote Code Execution Vulnerability – Last Updated: 13th Dec 2018.

Preface: Key component of smart city are the IoT devices. The communication protocol of the IoT devices are Lora, SigFox and NarrowBand (NB).

Background: In realistic, smart city cannot lack of wifi setup for assistance. So, WiFi is one the key component in this family (Smart City).

Vendor Cisco follow up TI BLE chips vulnerability – CVE-2018-16986: Suggest verify with the following command on wireless AP device. If device show not support BLE function and therefore confirm device not vulnerable.

ap# show controllers bleRadio 0 interface
BLE not supported on this platform

If it is supported, please review below URL:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap

Facebook 6.8 million users’ private photos leaked – Suspected it was happened in developers environment.

Facebook looks bad luck this year. It is better to invite Chinese Feng Shui master provides suggestion. Yes, it is kidding.

Perhaps Facebook intend to improve their image. It immediately let’s public know what is happening in the moment. It is talking about 6.8 million users’ private photos leakage. But suspected that the loophole was happened in developers environment.
My comment is that may be vulnerability happens in call to action function. A design limitation keep the CTA access token. And therefore it provides unauthorize access.

Headline News: https://www.theverge.com/2018/12/14/18140771/facebook-photo-exposure-leak-bug-millions-users-disclosed

Pixars Tractor – Vulnerability Note VU#756913 (13th Dec, 2018)

Preface: As time goes by, an evolution in technology offers best-of-class in rendering for both VFX and feature film animation.

What does VFX stand for?
Visual effects (abbreviated VFX) is the process by which imagery is created or manipulated outside the context of a live action shot in film making.
RenderMan offers a combination of unbiased and biased rendering techniques which provide both accuracy and technical efficiency

Vulnerability details:
Pixar’s Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability.

Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.
In most of the cases, cross-site scripting attack is being used to steal the other person‘s cookies. As we know, cookies help us to log in automatically. Therefore with stolen cookies, we can login with the other identities. Cope with above vulnerability, the stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user.

Reference: https://kb.cert.org/vuls/id/756913/

Something 101 – Are you aware Docker containers safety?

Preface: Docker’s introduction of the standardized image format has fueled of interest in the use of containers in the enterprise recently. A Docker container look likes a Virtual machine.

It is without antivirus or malware detector facilities install to Docker container platform. Is that secure?

On the market, there is no such product available in the market. However if you would like to find out something 101 about preventive control. It can find on this short discussion.

Hints: When a container accesses a database or service it will require a secret, like an API key or username and password. An attacker that gains access to the secret will also have access to the service. For more details, please refer to attached diagram.

Recommendation:

  1. Ensure that processes in containers do not run as root, so when attacker try to exploiting privileges command, it will be restricted by role base control.
  2. Cut down on the kernel calls that a container can make to reduce the potential attack surface.

So called “something 101” as usual technical details not suitable describe in long format. See whether we have chance to discuss more in future.

CVE-2018-1002105 (kubernetes) : authentication/authorization bypass in the handling of non-101 responses – Dec 2018

Preface: Since we launched it in 2014, Kubernetes running strong. It is becoming “the Linux of the cloud,” according to Jim Zemlin, Executive Director of the Linux Foundation. Analysts estimate that 54 percent of Fortune 100 companies use Kubernetes across a spectrum of industries including finance, manufacturing, media, and others.

Giant will sick as normal people (so called vulnerability):
Critical – CVE-2018-1002105 kubernetes: authentication/authorization bypass in the handling of non-101 responses. Reference: https://access.redhat.com/security/cve/cve-2018-1002105

CVE-2018-1002101 – In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection. Reference:
Reference:  https://github.com/kubernetes/kubernetes/issues/65750

CVE-2018-1002103 – The attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard, create a new Kubernetes Deployment running arbitrary code. If minikube mount is in use, the attacker could also directly access the host filesystem.
Reference: https://github.com/kubernetes/minikube/issues/3208

Microsoft Patch Tuesday (Highlights) – 11th Dec 2018

Preface:
Remote code execute and Privileges escalation are the critical vulnerabilities topics which lure end user attentions. On patch Tuesday (remedy program) issued by Microsoft this week. Their product design limitation contains priviliges escalation vulnerability.

CVE-2018-8611 – Vulnerability details:
With reference of CVE-2018-8611 inform customer that exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

Technical background:
So far, the the win32k.sys kernel module is a well-known attack surface. The function NtUserSetWindowLongPtr replaces the target window’s spmenu field with the function’s argument without any checks when using GWLP_ID and the target window’s style is WS_CHILD.
NtUserSetWindowLongPtr is a win32k service function which can be called from user mode (use the corresponding system call ID).
In the nutshell, this gives a way to attacker to replace the target window’s spmenu value to anything.

Microsoft remedy: 

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611

Amazon Web Services (AWS) FreeRTOS security advisory – Dec 2018



Preface: A Real-Time Operating System is a Necessity for IoT.

FreeRTOS is a real-time operating system kernel for embedded devices that has been ported to 35 microcontroller platforms. It is distributed under the MIT License.

Amazon Web Services (AWS) FreeRTOS vulnerabilities checklist:

CVE-2018-16522 Remote code execution

CVE-2018-16525 Remote code execution

CVE-2018-16526 Remote code execution

CVE-2018-16528 Remote code execution

CVE-2018-16523 Denial of service

CVE-2018-16524 Information leak

CVE-2018-16527 Information leak

CVE-2018-16599 Information leak

CVE-2018-16600 Information leak

CVE-2018-16601 Information leak

CVE-2018-16602 Information leak

CVE-2018-16603 Information leak

CVE-2018-16598 Other

Relevant Operating Systems: FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, WHIS OpenRTOS and SafeRTOS

Comment: Stay alert!

Functional issues let remediation solution require fallback – Cisco Prime License Manager SQL Injection Vulnerability 10th Dec 2018

Background:
On 28th Nov 2018, a SQL injection vulnerability found on Cisco Prime License Manager. Vendor (Cisco) with immediate action release the patch to remediate this design weakness.

Technical issue found on patch:
Update (2018-December-10): Installing the ciscocm.CSCvk30822_v1.0.k3.cop.sgn patch may cause functional issues. Workarounds are available for some of these issues. Rolling back this patch as described in the Fixed Releases section will correct these functional issues, but the device will be affected by this vulnerability again when the patch is not in place. See the Fixed Releases section for details.
An official announcement in regard to this issue.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181128-plm-sql-inject

So what is the next action of customer:

USING SIEM EVENT CORRELATION TO DETECT SQL INJECTION & XSS ATTACK.

We can detect SQL injection following the methods below.

1. Network IDS spotting SQL injection

2. Host IDS detecting SQL injection by watching file activity

Foreshadow vulnerabilities spread to Siemens Industrial Products – Nov 2018

Preface: Intel Software Guard Extensions (SGX) is a set of central processing unit instruction codes from Intel that allows user-level code to allocate private regions of memory, called enclaves, that are protected from processes running at higher privilege levels.

SGX design limitation:
L1 Terminal Fault aka Foreshadow found in August 2018. Foreshadow enables an attacker to extract SGX sealing keys, previously sealed data can be modified and re-seal.

The Foreshadow / L1-terminal-fault attack were assigned the following CVE numbers:
CVE-2018-3615 for attacking SGX.
CVE-2018-3620 for attacking the OS Kernel and SMM mode.
CVE-2018-3646 for attacking virtual machines.

Remedy:

Regarding to this vulnerability. Siemens Security Advisory by Siemens Product has following announcement to their product. For more details, please see below:

https://cert-portal.siemens.com/productcert/pdf/ssa-254686.pdf

Virus, malware and ransomware may be can help mankind once AI develop become extreme.

Preface: What is your expectation from our robot counterparts in the future?

Before Professor Stephen Hawking leave the world. The final warning for humanity: AI is coming for us. In the world now in preparing the 5G mobile technology, Big Data technology and Smart City. A silent force unintend to drive human go to next generation of world. We believe all the regime in the world now get into this competitions. A quick idea to you is that the term so called Smart or intelligence most likely are efficiency and productivity. All the components within the earth are running fast in the moment. But what is your expectation from our robot counterparts in the future? Because they are coming!

Why do we recommend thinking about it at this time?
For instance, the global surface temperature increases while climate change includes global warming and everything else. The extreme changes was began in mid 80’s. Why? Manufacturer cost allocation & development country boots up their power. Now we understand the impact. But seems too late!
So this is the right time to consider.

Reference: https://www.vox.com/future-perfect/2018/10/16/17978596/stephen-hawking-ai-climate-change-robots-future-universe-earth


antihackingonline.com