Express-fileupload module design weakness (CVE-2020-7699) – 4th Aug 2020

Preface: A large number of mobile apps and websites allow users to upload profile pictures and other files. Therefore, handling files upload is a common requirement while building a REST API with Node.js & Express (Express-fileupload). Express-fileupload is a middleware.

Technical background: How express-fileupload works? It makes the uploaded files accessible from req[.]files property. For example, if you are uploading a file called my-profile[.]jpg, and your field name is avatar, you can access it via req[.]files[.]avatar.

Vulnerability details: CVE-2020-7699 – This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. For more details, please refer to attached diagram. Besides, you can find proof of concept details in following link. https://blog.p6.is/Real-World-JS-1/

Currently, only a few antivirus vendors can successfully detect it. Preventive control should be apply. (03-08-2020)

Preface: In 2017, Honeypot detected that malware spread a new payload targeting 60001 TCP port. The ultimate goal is the JAWS Web Server & MVPower DVR. It turns out that there will be a Shell Command Execution vulnerability. Security expert has doubt on IoT device especially DVR which make use of TCP 60001 port.

Observation: There is an unknown malware ultimate goal to spread the remote access Trojan to IT world. Even though the authority Virus Total shows that only one vendor can correctly detect and isolate this malware (see attached picture). What’s going on?

Since there are many versions of Media Feature Pack nowadays. The fact is that the Media Feature Pack version that corresponds to your Windows OS build. So a lot of time the installer won’t copy ml.dll in place. As a result cyber criminal relies above matter to do a distribution a free copy of crafted ml.dll file on Internet for download.

After the loader has finished decrypting “svchost.dll”, the loader now has a decrypted version of Taidoor, which is a DLL. The loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary to load the following DLLs, KERNEL32.dll, ADVAPI32.dll, and WS2_32.dll, which Taidoor will utilize.

Advises:
– Maintain up-to-date antivirus signatures and engines.
– Keep operating system patches up-to-date.
– Scan all software downloaded from the Internet prior to executing.

Umbraco cms 7.12.4 RCE vulnerability overview (3rd Aug 2020)

Preface: When we read the vulnerability article, we will despise those vulnerabilities that require authentication to execute. However, this type of design flaw should be considered because it is not limited to the inside threat area.

Background: Umbraco is the #1 Microsoft open source CMS in the world
Popular Sites Using Umbraco, For example: Instagram,slideshare,flickr,zippyshare,cnblogs,wattpad,…etc.

Technical details: Umbraco is primarily written in C#. It stores all data in relational database (Microsoft SQL Server) working on Microsoft IIS. For preventive protection, IT admin will install Reverse proxy in front of IIS server.

Vulnerability: Umbraco CMS design limitation causes Remote Code Execution. In this discussion, we predict that attackers can exploit previous vulnerabilities. For example: Umbraco CMS 8.2.2 cross-site request forgery CSRF. Exploitation of this vulnerability is usually carried out through malicious social engineering, such as tricking the victim into sending a fake email or link to the server. Therefore, stealing user credentials is not only a theory. For current vulnerabilities, the web server will encounter unknown risks. For details, please refer to attached diagram.

Staying Alert! GRUB2 bootloader design weakness – 31st Jul, 2020.

Preface: From some perspectives, the operating system and related components are designed to provide functionality. Therefore, network security does not involve its design scope. Even if network security has been included in their design. However, product technology changes with each passing day. Therefore, we often hear information about vulnerabilities.

Why do I need a system bootloader?
The bootloader exists because there is no standardized protocol to load the first code, because it depends on the product design. Sometimes, the code can be loaded via a serial port, flash memory or even a hard disk. Locate it as a bootloader function.

Vulnerability details: The GRUB2 boot loader is vulnerable to buffer overflow, which results in arbitrary code execution during the boot process, even when Secure Boot is enabled.
An attacker could use it to plant malware known as bootkit that loads before the operating system (OS).

Hacker can modify “grub [.] cfg” because it lacks any integrity protections such as a digital signature. Since “grub [.] cfg” is a text file.

Official reference: GRUB2 bootloader is vulnerable to buffer overflow. Click on the URL for details – https://www.kb.cert.org/vuls/id/174059

Adobe Releases Security Updated for Magento (29th July, 2020)

Preface: To be precise, over 250,00 active sites use Magento.
Only 11,000 of those run on Magento 2, though. Many well-known international companies have chosen Magento as their e-commerce solutions, including Coca-Cola, Nike, Harpers Bazar, Fiji Water and Olympus.

Vulnerability details: Adobe has released security updates to address vulnerabilities in Magento Commerce 2 (formerly known as Magento Enterprise Edition) and Magento Open Source 2 (formerly known as Magento Community Edition). An attacker could exploit some of these vulnerabilities to take control of an affected system.

Remedy by Magento:

  • The template filter in legacy mode can be vulnerable to remote code execution (RCE). Enabling strict mode by default ensures that RCE attacks cannot be deliberately enabled.
  • In order to avoid the opportunity of execute arbitrary JavaScript, Data rendering for UI data providers is now disabled by default.
  • PHP could allow for arbitrary code execution (Eval class during preload causes class to be only half available)
  • 2FA is enabled by default and cannot be disabled. This extra step of authentication makes it harder for malicious users to log in to the Admin without authorization.

Official announcement: For more details, please refer to the link – https://helpx.adobe.com/security/products/magento/apsb20-47.html

CallStranger – CVE-2020-12695 (Reflected Amplified TCP DDOS via UPnP SUBSCRIBE Callback) – 29th July 2020

Preface: In the cyber world, many defense mechanisms can accomplish tasks well. However, the daily operations involves different business expectations and change management. As a result it create a lot of opportunity to the cyber criminals.

Security focus today: With reference of US CERT announcement on 8th July 2020. US Cert urge the information technology and Operational technology zones that the design weakness of UPnP may have impact to users environment. Down to the details. The Universal Plug and Play (UPnP) protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality. So the impact of this design weakness shall be wide. For instance, cyber criminals can transform this design weakness as a cyber weapon to conducting the data exfiltration. Besides, it can exploit this feature bypass Proxy server and firewall.
The data stealer will make use of a compromised device as proxy, then establish a secure tunnel (SSL) to external server. Since there is no blacklist database install in this printer. So, it will led the traffic send to external without difficulties. Apart from that , SSL traffic bypass firewall content filtering. So, the data can be exfiltrated. For the details of this matters, please refer to attached diagram for reference.

Reference: Vulnerability Note VU#339275 – https://kb.cert.org/vuls/id/339275

Highlights: An attacker can use this vulnerability for:

  • Bypassing DLP for exfiltrating data
  • Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS / SYN Flood
  • Scanning internal ports from Internet facing UPnP devices

Joint alert from CISA & NCSC – Potential Legacy Risk from Malware Targeting QNAP NAS Devices – 27th JUL, 2020

Preface: Do a simple search in Shodan and you will find many QNAPs on the Internet.

Installation status of NAS(QNAP) around the world: We are not surprised that NAS (QNAP) equipment has a huge customer footprint. Because the price is reasonable (RAID-5), it is cost-effective. As a result, business operations including medium-sized enterprises are willing to use it. Maybe the IT team knows about patch management, so NAS (QNAP) devices will connect to the Internet.

Vulnerability details: All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes.

Important Note: Not exposing your NAS to the internet isn’t going to stop an attack on your write permission SMB shares on your client machine that are attacked. The only solution is to disconnect all your mapped drives once you are finished using them. Or do the patch management.

CISA and NCSC also share the following mitigations to prevent future attacks:
• Verify that you purchased QNAP devices from reputable sources. If sources are in question, run a full factory reset on the device prior to completing the firmware upgrade.
• Block external connections when the device is intended to be used strictly for internal storage.

CISA urges F5 users to stay vigilant to deal with CVE-2020-5902 (24th Jul2020)

Preface: As of today, F5 BIG-IP Platform has market share 72%.

Background: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published on 24th July, 2020. They urge to F5 customers that it should be stay alert. They has evidence proof that attackers are active exploit the vulnerability (CVE-2020-5902 – unauthenticated remote code execution (RCE) vulnerability) on F5 product ADC feature).

Vulnerability detail: With reference to the attached picture, security experts pointed out that attackers can use the HTTP/HTTPS transport protocol to attack. Key flaws include allowing attackers to infiltrate and execute code remotely. In addition, an attacker can also read credential storage or files on the F5 operating system.

CISA alert: CISA recommends all organizations to go through the following action list while hunting for exploitation signs:

Quarantine or take offline potentially affected systems
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections
Deploy a CISA-created Snort signature to detect malicious activity (available in the alert under Detection Methods)

F5 network remedy plan https://support.f5.com/csp/article/K52145254

Corrective control suggested by vendor – To mitigate this vulnerability for affected F5 products, you should permit management access to F5 products only over a secure network.

Citrix Workspace app for Windows Security Update CVE-2020-8207 (23-07-2020)

Preface: Input validation will be difficult if the environment contains different features. Even though software developer follow the guideline. Because it use http or https connection design , so it increase the difficulties!

Background: Citrix Workspace app consists of the Citrix Receiver core, HDX engine, the new embedded browser engine, files view and mobile app aggregation.
By default, Citrix Workspace Updates is disabled on the VDA. This includes RDS multi-user server machines, VDI and Remote PC Access machines.

Vulnerability details: Improper access control in Citrix Workspace app for Windows 1912 CU1 and 2006.1 causes privilege escalation and code execution when the automatic updater service is running. Official details are shown below the URL:

https://support.citrix.com/article/CTX277662

Observation: One of the possible methods – refer below connection method. If suspicious workstation installed Citrix workspace application. Attacker can use https or http connection to exploit SMB design weakness to compromise the Active Directory system. The concept can be found on attached diagram.
Remark: There is a design weakness happened on Citrix workspace application. Seems the input validation requires improvement.

Vulnerabilities in SICAM MMU, SICAM T and SICAM SGU (Jul 2020)

Preface: In industries, power plants and substations, the SICAM MMU
is applied to measure and calculate parameters.

Product background: SICAM T (transducer) is a digital measuring sensor that allows the measurement of electricity in non-electrical networks in a single unit. ICAM-MMU (Measurement and Monitoring Unit) is a power monitoring device that allows the measurement of electricity in the power grid.

Remark: SICAM SGU has been discontinued.

Security Focus: CVE-2020-10042 – A buffer overflow in various positions of the web application might enable an attacker with access to the web application to execute arbitrary code over the network.

My observation:

Fundamental theory: For custom application software, all code that accepts input from users via the HTTP request must be reviewed to ensure that it can properly handle arbitrarily large input.

A buffer overflow in various positions of the web application might enable an attacker with access to the web application to execute arbitrary code over the network.

Possibility: According to the definition of CWE-120. Buffer overflow related to this vulnerability will be caused by looping correction. The function does not work after JavaScript updates the Field (Update fields dynamically in javascript).

Synopsis: By sending carefully crafted input to an application, an attacker can cause the application to execute arbitrary code, possibly taking over the machine.

Official announcement: https://cert-portal.siemens.com/productcert/pdf/ssa-305120.pdf

antihackingonline.com