CVE-2021-2018 Vulnerability in the Advanced Networking Option component of Oracle DB Srv (20-01-2021)

Preface: When Oracle has security advisory announce each time, I feel headache because vendor not willing to provide the details.

Vulnerability details: CVE-2021-2018 -Please refer to the link for details: https://nvd.nist.gov/vuln/detail/CVE-2021-2018

Technical Supplement: A large computer foot print around the world in the office is Microsoft window base machine. Therefore DB infrastructure integrate to Active Directory is common. Windows AD server classic way is Kerberos authentication. Oracle database competence support Kerberos. So called configuring the Kerberos authentication adapter. On Nov 2020 Microsoft do the remediation of Kerberos KDC Security Feature Bypass Vulnerability (CVE-2020-17049). When you read the official of Oracle vulnerability (CVE-2021-2018), it say, it is only affects Windows platform only. OK, be my guest. Using your imagination to understand this vulnerability. Great day, great fun!

Ref 1: To setup Kerberos on oracle DB. We will need to make changes in three places: DB Server, Client Workstation & Active Directory.

Ref 2: Kerberos KDC Security Feature Bypass Vulnerability – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049

Bugs in popular chat apps let attackers spy on users. (21-01-2021)

Preface: I found logic bugs that allow audio or video to be transmitted without user consent in five mobile applications including Signal, Duo and Facebook Messenger, said Natalie Silvanovich.

Background: Bugs in Signal, Google chat apps let attackers spy on users. Such vulnerability is given by programming code, and was not due to WebRTC functionality. Furthermore , expert found that facebook messenger is vulnerable to this matter perhaps they are not using WebRTC. Facebook official say that they use ‘fbthrift’. What is Thrift. Facebook’s branch of Apache Thrift, including a new C++ server.\ \.

For the details of vulnerability. You can found on the following website – https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html

Supplement: Discovering this vulnerability let us know the function of Frida hook framework. Frida is a hook framework based on python + javascript. To exploit the design weakness on Facebook Messenger. It was not straightforward because of the amount of reverse engineering required. Finally Frida hook framework complete the task.

Reference: Instrumentation technology

Instrumentation technology refers to injecting additional code into the program to collect runtime information. It can be divided into two types:

(1) Source Code Instrumentation (SCI): Additional code is injected into the program source code.

(2) Binary Instrumentation: Extra code is injected into the binary executable file.

●Static Binary Instrumentation (SBI): Insert additional code and data before program execution to generate a permanently changed executable file.

●Dynamic Binary Instrumentation (DBI): Insert additional code and data in real time while the program is running, without any permanent changes to the executable file.

Cyber security focus – dnsmasq vulnerabilities (20th Jan, 2021)

Preface: On August 27, 2015 Cisco announced it has completed the acquisition of OpenDNS (now branded as Cisco Umbrella). Perhaps they predict that this day will come.

Background: dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server,
router advertisement and network boot features, intended for small computer networks. Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.

Vulnerability details: Dnsmasq is vulnerable to memory corruption and cache poisoning. For more details, please see the follow links: https://kb.cert.org/vuls/id/434904

Workarounds:

  • Configure dnsmasqnot to listen on WAN interfaces
  • Reduce the maximum queries (–dns-forward-max=). The default is 150.
  • Do a patching
  • Use protocols that provide transport security for DNS (DoT or DoH)
  • Reducing the maximum size of EDNS message (Recommendations related to RFC5625)

Are you worried about UEFI BIOS attacks? (19th Jan, 2021)

Preface: Quite a lot of UEFI vulnerabilities and hardware misconfigurations have been found in past. This is an alert signal. As a matter of fact, the problem is that it’s very difficult to get malicious code into UEFI systems.

Background: Reading the first sector from a disk and loading it to 0x7C00 is a BIOS specific booting protocol. But it never been use. It is a old technology. UEFI bootloaders are loaded from a filesystem. UEFI requires the firmware and operating system loader (or kernel) to be size-matched; for example, a 64-bit UEFI firmware implementation can load only a 64-bit operating system (OS) boot loader or kernel.

Synopsis: A local attacker with access to system memory may exploit the UEFI vulnerability attack. Perhaps this is not the only way.

Dell mitigates design flaws in a specific product (Inspiron 5675). Please refer to the link below. https://www.dell.com/support/kbdoc/zh-hk/000180645/dsa-2020-247-dell-client-platform-security-update-for-uefi-bios-runtimeservices-overwrite-vulnerability

CVE-2021-24122 Apache Tomcat Information Disclosure (14th Jan 2021)

Synopsis:
What is a Reparse Point? According to official information by Microsoft, In NTFS Filesystem, there is a concept called “reparse point. The traditional NTFS junctions and Win10 “Unix-like” symlinks are two different kinds of reparse points.
Starting in Windows 10, version 1607, for the unicode version of this function (FindFirstFileW), you can opt-in to remove the MAX_PATH character limitation without prepending “\\?\”.

Vulnerability details: The existing design weakness affects the function File.getCanonicalPath of the component NTFS File System Handler. The manipulation with an unknown input leads to source code disclosure vulnerability. For details, see attached diagram

Vendor announcement: http://mail-archives.us.apache.org/mod_mbox/www-announce/202101.mbox/%3Cf3765f21-969d-7f21-e34a-efc106175373%40apache.org%3E

Fixed in:
– 10.0.x for 10.0.0-M10 onwards
– 9.0.x for 9.0.40 onwards
– 8.5.x for 8.5.60 onwards
– 7.0.x for 7.0.107 onwards

Stack-based buffer overflow – the biggest enemy of IoT world

Preface:ASLR, NX Zones, and Stack Canaries is hard to avoid such memory design weakness exploit by malware authors.

Background: EIP is a register in x86 architectures (32bit). It is a register that points to the next instruction. In order to avoid malware infiltration. How to keep track of memory location when instructions that are being executed is very important.The EIP register cannot be accessed directly by software; it is controlled implicitly by control-transfer instructions (such as JMP, Jcc, CALL, and RET), interrupts, and exceptions. The only way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack.

Potential cyber attack: Refer to diagram,the malware listens on TCP port 80, sending an HTTP GET request with 300 or more bytes will trigger buffer overflow overwriting EIP. When malware reach the EIP and overwrite it with a new address that points to his shell code, then it will add something called NOP (No Operation) , then finally the shellcode. And breakdown everything espcially access control of priviliges.

Status: under observation.

While astrologers view planetary alignments as foretellers of disasters. Or is this a rare astronomical phenomenon?

This article was published in January 2021.

Preface: If nine different balls are running on a circular orbit. They always have chance to meet up.

Synopsis: The order of magnitude of the nine planets is Jupiter, Saturn, Uranus, Neptune, Earth, Venus, Mars, Mercury, and Pluto. The moon orbits the Earth once every 27.322 days. It also takes approximately 27 days for the moon to rotate once on its axis. The moon’s rate of rotation nearly matches its orbital period, which keep the same side facing Earth. As a result, the moon does not seem to be spinning but appears to observers from Earth to be keeping almost perfectly still. This is synchronous rotation.

The above shows the moon actual state. Moon running is a synchronous rotation (only one face is visible from the Earth). The moon’s rate of rotation nearly matches its orbital period, which keep the same side facing Earth. Therefore we are not feeling that moon is rotating.

The moon is the Earth’s only satellite,the moon rotation and revolution synchronization affect the Earth’s tides,the moon is located at Lagrange point.So it can be parked and fixed in a certain location.

Reference: Lagrange point – a planet’s small mass can operate in a constant mode, and the gravity of two large masses is exactly equal to the centripetal force required for a small object to move with it.So it can be parked and fixed in a certain location.

A great conjunction

Great conjunctions occur approximately every 20 years when Jupiter “overtakes” Saturn in its orbit. According to NASA, the Jupiter-Saturn phenomenon in 2020 will occur at night for the first time nearly 800 years apart, and it is the closest double star in the past 400 years.

Including the blue moon,13 full moons appear in 2020. In addition, at least three full moons are considered supermoons (it appear larger and brighter than usual). Perhaps of above issues, let people feeling that 2020 is a special year.

Let’s take a review astronomical phenomenon of 2020 (see below):

What will be the astronomical phenomenon in 2021?

What is triple conjunction? A triple conjunction is an astronomical event where two planets or a planet and a star meet each other three times in a short period, either in opposition or at the time of inferior conjunction, if an inferior planet is involved.

On 8th Jan, 2021, rare three-planet conjunction of Mercury, Jupiter and Saturn to illuminate the sky. What’s the next?

Refer to link – https://solarsystem.nasa.gov/whats-up-skywatching-tips-from-nasa/ or table below.

Since ancient age, the witch and foretellers will exploit astronomical phenomenon to do prediction. It is hard to say it is correct or not correct. My idea is that the genesis of earth looks mystery. For instance, the location of moon looks special. It looks that it is artificial.

Some said, the Black Death is created on March 20, 1345, coincidentally a triple conjunction of Saturn, Jupiter and Mars occurs. Ref: https://www.history.com/this-day-in-history/black-death-is-created-allegedly

Does it true or it is a neuroticism. All depends on the decision making by yourself.

End of article.

NSA releases urgent Guidance (ORN U/OO/800922-17), thus urge to public that not to use obsolete TLS configurations (6th Jan,2020)

Preface: However, obsolete TLS configurations are still in use in U.S. Government systems. Perhaps it is being change. According to the Office of Management and Budget (OMB) memorandum M-15-13 all public accessible federal websites and web services are require to only provide through secure connections.

Synopsis: The Internet Engineering Task Force (IETF) published TLS 1.3 in August 2018. TLS 1.2, the version it replaced, was standardized a decade previous, in 2008. Attached diagram shown the examples of TLS Vulnerabilities and Attacks.

Consequent: Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected.
Network connections employing obsolete encryption protocols are at an elevated risk of exploitation and decryption.

Recommendation: NSA recommends that only TLS 1.2 or 1.3 be used. As a result, SSL 2.0,3.0,TLS 1.1 not be used anymore.If additional interoperability support is need, configurations should use non-deprecated options from NIST SP 800-52r2 as necessary.

Official announcement (NSA Releases Guidance on Eliminating Obsolete TLS Protocol Configurations): https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF

CVE-2020-27780 – Linux-pam vulnerability – Improper Authentication (18th Dec 2020)

Background: Linux pam originated from the open source implementation of the software DCE-RFC of Sun, a well-known manufacturer later acquired by Oracle. PAM is called Pluggable Authentication Modules, which can be inserted into authentication modules. Various authentication modules and plug-ins can be dynamically introduced for authentication without reloading the system, very flexible.

Vulnerability details: When the user doesn’t exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.

Reason: The default options set on pam_pwquality above include local_users_only, which tells pam_pwquality to ignore users that are not in the local [/]etc[/]passwd file. However, the blank check could return 1 if root had empty password
because in the second case (refer to diagram) the password hash of root was used.

Remediation: https://github.com/linux-pam/linux-pam/releases

CVE-2021-3006 (Loopring(LRC) Protocol Incident)- If you are passionate about cryptocurrency. You should be alert of this. (4th Jan 2021)

Background: In November 2020, lots of DeFi platforms in Ethereum encounters a security incident, such as Pickle Finance, 88mph.

What Is Decentralized Finance (DeFi)?
By deploying immutable smart contracts on Ethereum, DeFi developers can launch financial protocols and platforms that run exactly as programmed and that are available to anyone with an Internet connection.

What Are Flash Loans in DeFi?
A loan from strangers is possible in DeFi. In order to fulfill this request. The individuals should repay the lender in the same transaction that issued the funds.

Vulnerability details: The Farm contract is deployed in every Seal pool and the function breed() in the contract is used to issue new Seal tokens.However there is no access control designed for the breed() function, anyone can calls the breed() function of the Farm contract.

CVE-2021-3006 Detail – https://nvd.nist.gov/vuln/detail/CVE-2021-3006

antihackingonline.com