Preface: To cope with Industrial automation and control system. The technology difference in between IT and OT are small. Perhaps they are close. For cyber security protection matters, seems they are no any difference.

Product background: Formerly known as RSLinx® Enterprise, FactoryTalk® Linx is included with most FactoryTalk software and functions as the premier data server
to deliver information from Allen‑Bradley control products to the control system. While FactoryTalk Linx interfaces with PLC-5®, SLC™ 500 and Micro800™ controllers, it is optimized to communicate with Logix 5000™ controllers using EtherNet/IP.
This gives the fastest data rates and capacity possible, while minimizing the impact on your automation networks and control system operation.
FactoryTalk Linx delivers a solution from small applications running on a single computer with a single controller, to large distributed and
even redundant data server configurations communicating with large automation systems.

Vulnerability details: A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the bypass of address space layout randomization (ASLR).

Observation: Vendor do not explicitly disclose the facts of the vulnerability. But most likely the vulnerability cause by java script based ASLR bypass attack.

Vendor announcement and remedy: https://us-cert.cisa.gov/ics/advisories/icsa-20-329-01

Do you doubt whether you are a victim? A quick way to confirm the vulnerability of Fortinet SSL-VPN ( CVE-2018-13379).

Preface: VPN client has design limitation causes information leakage not a news by today. However you should confirm your setup do not encounter this flaw.

Background: An unknown person left the information online. The details of such files are related to the IP address and details. However, Fortinet encountered this vulnerability a long time ago (2018). To confirm that he is not a victim. You can easily check the specific situation of the VPN firewall vulnerability status on your device. Please refer to the attached picture.

Headline News: A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs – https://www.bleepingcomputer.com/news/security/passwords-exposed-for-almost-50-000-vulnerable-fortinet-vpns/

Preface: Within this week, the impression of VMware products vulnerabilities draw attention with a lot of people. It is because the vulnerabilities was found are high risk rating. But VMware is one of the pillar of virtual machine machine world. Do not worry too much. A good product should have space for improvement.

Product background: Workspace ONE Access, (formerly VMware Identity Manager), provides multi-factor authentication, conditional access and single sign-on to SaaS, web and …

Vulnerability details: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. But do not contempt this design fault because attacker require admin credential. However when attacker successful execute this vulnerability. It can compromise all the back end windows domain controller and critical system. It has workaround only provided by vendor currently. The goal of the workarounds do the hardening of web server config file and enforce the access control. For example, it is recommend to use “su” function instead of root. If you have interested of the details. Please refer to diagram.

Official announcement:

VMware – https://kb.vmware.com/s/article/81731

CERT Coordination Center – https://kb.cert.org/vuls/id/724367

Preface: Use After Free scenario can occur when “the memory in question is allocated to another pointer validly at some point after it has been freed.

Background: If there is a process named vmware-vmx[.]exe in the process list then there is a virtual machine that is currently powered on. The Virtual Machine Monitor (VMM) process is in charge of managing the virtual machine memory and transfers virtual machine storage and network I/O requests to the VMkernel. All other, non-critical to performance, I/O requests are forwarded by VMM to VMX.

Vulnerability details: Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004) VMware ESXi contains a use-after-free vulnerability in the XHCI USB controller. VMware ESXi contains a privilege-escalation vulnerability (CVE-2020-4005) that exists in the way certain system calls are being managed. A malicious actor with privileges within the VMX process only, may escalate their privileges on the affected system. Successful exploitation of this issue require cooperate with another vulnerability (e.g. CVE-2020-4004). If the attacker successfully exploited two different vulnerabilities. As a result, he can manipulate the entire system, including all VM guest OS.

Official announcement (workarounds): https://www.vmware.com/security/advisories/VMSA-2020-0026.html

Preface: There are two primary types of buffer overflow vulnerabilities: Stack overflow and Heap overflow.

Product background: The administrative command–line client is a program that runs on a file server, workstation, or mainframe. It is installed as part of the Tivoli Storage Manager server installation process. The administrative client can be accessed remotely. From the administrative client, you can issue any server commands.

Vulnerability details: The PoC shown that you can do the following on the IBM Tivoli Storage Manager. In the “id” field paste the Proof of concept text format file (xxx.txt) and press “ENTER.

Below example is the essential command. According to the below details, it will let you know how to execute above syntax.

Official reference: You can bypass this batch mode double quotation mark restriction for Windows clients by using the back slash () escape character. For example, on the OBJECTS parameter of the DEFINE CLIENT ACTION command, you could enter the string with the \ character preceding the double quotation marks in the command.

dsmadmc-id=admin-password=admin define clientaction test_node domain=test_dom action=restore objects=’\”C[:]\program files\test*\”’

The PoC text file details do not display on our discussion. However I would like to bring your focus to the function which appear on the file. It is the jmp esp feature. The details you can find on the picture.

Preface: Most SD-WAN suppliers have partnerships with leading cloud platforms, and they use a variety of methods to accelerate traffic coming to and from cloud platforms. But IT pros say, it should look for better security.

Background: The Orchestrator provides you with a JSON-RPC API, which means you call it over HTTPS. It’s not a RESTful API, as all calls go through a POST query and authentication is handled in a somewhat special way.

Vulnerability details: The SD-WAN Orchestrator allows an access to set arbitrary authorization levels leading to a privilege escalation issue.

Known Attack Vectors: An authenticated SD-WAN Orchestrator user may exploit an application weakness and call a vulnerable API to elevate their privileges.

Observation: According to VMware SD WAN 4.0 release note published on 18th Nov 2020. The Orchestrator API do the enhancement especially role base access control. A various new APIs used in the creation and management of custom roles. For example: role/getEligiblePrivilegesForCustomization – List privileges that eligible for customization for a given role. It is the effective solution to avoid misconfig of user role and access control.

Official announcement: https://www.vmware.com/security/advisories/VMSA-2020-0025.html

Preface: The interconnect component of the opensource application is the opensource software.

Background: Salt (sometimes referred to as SaltStack) is Python-based, open-source software for event-driven IT automation, remote task execution, and configuration management.

Vulnerability details: An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. For more details, please refer to attached diagram.

Workaround:

1. Stop calling Popen with shell=True to prevent shell injection attacks on the netapi salt-ssh client.
2. Split a command string so that it is suitable to pass to Popen without shell=True. This prevents shell injection attacks in the options passed to ssh or some other command.

How to Mitigate: Install the CVE fix and ensure your Salt-API has been restarted.

Announcement by NIST: https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-16846

NATS Srv wiki – Cloud native messaging system made for developers and operators who want to spend more time doing their work and less
time worrying about how to do messaging.

End user of this product: Mastercard, Baidu, Alibaba Group, VMware, GE, Pivotal, Telia Company, netlify, htc, GE, Zephyr Project, tinder and ERICSSON

Vulnerability details: Some libraries treated tokens signed with the none algorithm as a valid token with a verified signature. The result? Anyone can create their own “signed” tokens with whatever payload they want, allowing arbitrary account access on some systems.

*In systems using HMAC signatures, verificationKey will be the server’s secret signing key
*In systems using an asymmetric algorithm, verificationKey will be the public key against which the token should be verified

Security focus: If a server is expecting a token signed with RSA, but actually receives a token signed with HMAC, it will think the public key is actually an HMAC secret key.

1. Targeting JWT library
2. Choose a payload for your token
3. Then, get the public key used on the server as a verification key (text-based PEM format).
4. Sign your token using the PEM-formatted public key as an HMAC key
   forgedToken = sign(tokenPayload, ‘HS256’, serverRSAPublicKey)

Result: Anyone with knowledge of the public key can forge tokens that will pass verification.

Reference: https://www.openwall.com/lists/oss-security/2020/11/02/2/2

Preface: CMDB is a repository that should contain only business critical items that you want to track. It should contain a record of information that allows you to answer business critical questions and helps you to connect business processes. CMDB should contain all the items that are important for your business or a service.

About SAP solution manager: SAP solution manager explicitly assists enterprise to fulfill above objectives. If you are planning to use SAP PI module then you should install Java Stack. Java Stack is currently being on Web based front ends and Stand-alone java portal. SAP NetWeaver Process Integration (SAP PI) is SAP enterprise application integration (EAI) software, a component of the NetWeaver product group used to facilitate the exchange of information among a company’s internal software and systems and those of external parties.

SAP Solution Manager – Multiple vulnerabilities due to lack of authentication check: For vulnerability details, please refer to link below. Apart from this, attached diagram can provide a quick way to understand the whole matters.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571

Changes related to SAP Solution Manager – Because of the SAP update a new version of SAP Solution Manager will be required starting January 1st 2020. The enhancement shown as below:

SAP solution Manager 7.2 SPS05/SPS06 – Partial connectivity to SAP, manual effort required.