VMware Releases Security Updates – (CVE-2018-3646 – L1 Terminal Fault: VMM)

From technical point of view, the Intel CPU design limitation jeopardize downstream product vendor. VMware is one of the vendor do the remediation immediately. A memory bank built into the CPU chip. Also known as the “primary cache,” an L1 cache is the fastest memory in the computer and closest to the processor. Let’s think it over? If memory is allocated by the VMkernel and virtualized by monitor. CPU is controlled by scheduler and virtualized by monitor. If address translations may allow unauthorized disclosure of information residing in the L1 data cache? So, the attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis equilvant as a monitor.

As such , VMware do the following:

https://www.vmware.com/security/advisories/VMSA-2018-0020.html

 

14th Aug 2018 – Intel side-channel L1TF vulnerability

An official announcement state that there are three more data-leakage security holes found in Intel chips:

  • CVE-2018-3615 – L1 Terminal Fault: SGX
  • CVE-2018-3620 – L1 Terminal Fault: OS/SMM
  • CVE-2018-3646 – L1 Terminal Fault: VMM

Across the board, Intel’s desktop, workstation, and server CPUs are vulnerable.

Official announcement shown as below:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

Reminder: I am using window 7 instead of windows 10. In retrospect, I did patch management which focus for spectre on Jan 2018. It behind my seen that CPU vulnerability still valid on my PC. The cache-misses as compared to missed-branches data collected from Spectre is possible on my PC (see attached screen-shot for reference). So I believe that this flaw (L1TF) substained. Furthermore the vendor known earlier. May be the vendor believe that this is the appropriate timeframe to announce.

Below historical record for reference:

CPU vulnerability remediation status update – especially Spectre

The accomplice – The accomplice – Oracle design limitation let compromise JVM do the privileges escalation in Oracle DB (CVE-2018-3110)

When I was young, the comics story attracting my seen. The comics picture similar provides like a virtual speaker tell a story to me.

Oracle has released a security alert to address a vulnerability in multiple versions of Oracle Database yesterday. A remote attacker could exploit this vulnerability to take control of an affected system. See whether below picture can tell a story to you. If not, go ahead below official hyperlink for reference.

Symptom: The vulnerability allows low-privileged attackers that have Create Session privilege with network access via Oracle Net to compromise the Java VM component.

http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html

About vulnerabilities of PHP – Aug 2018

PHP is a popular open source general-purpose scripting language. It capable for web development and can be embedded into HTML. Perhaps a fundamental weakness of PHP and therefore we seen common problem especially SQL Injection and Trusting user input to execute code happens in frequent.

Below details are the php vulnerabilities found on Aug 2018.

(CVE-2018-14883) An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c

https://bugs.php.net/bug.php?id=76423

(CVE-2018-14851) Allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.

https://bugs.php.net/bug.php?id=76557

(CVE-2018-14884) Inappropriately parsing an HTTP response leads to a segmentation fault because http_header_value in ext/standard/http_fopen_wrapper.c can be a NULL value that is mishandled in an atoi call.

https://bugs.php.net/bug.php?id=75535

Reference: Vulnerability found on Jul 2018

Jul 2018 – PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file)

KEYCLOAK design weakness – Aug 2018

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties. If you ask me, what is the design objective of SAML. It make your life simple.Also this is the aim for computer system. But a pin does not have two points. For those who use single sign on also provides a benefits to attacker. Keycloak is an open source software product to allow single sign-on with Identity Management and Access Management aimed at modern applications and services. As of March 2018 this JBoss community project is under the stewardship of Red Hat who use it as the upstream project for their RH-SSO product. Docker had already built a great deal of momentum since 2015. Docker product such a way integrated the open source products integrate to business world especially cloud computing platform. So it does not lack of single sign on, right. From technical point of view, take the easy way and make it simple, it coincident equivalent with boolean expression theory.
Keycloak has vulnerability occured. In Keycloak 3.4.3, a handling of certifciate method has design weakness. A expired certificates let a malicious user could use this to access unauthorized data or possibly conduct further attacks. See below url for reference.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894

Aug 2018 – Malware (KEYMARBLE)

My friend informed that a new malware wreak havoc. Meanwhile US-Cert issued the technical articles described the details and let’s the world staying alert! US-CERT also provides the Indicator of compromise (IOC) file for reference. I am interested and therefore I put the this file into the sandbox see whether what exact issue will be happened. The facts is that threat actor embedded malicious code lure victim to open this document. The overall procedure similar word document ask you to excecute a XML contents. The whole procedure may not be trigger the antivirus alert (antivirus may detect this issue now, but not absolute sure) till the infection stage go to phase two. Yes, download a malicious executable file. If similar scenario happen in your company, sounds like you IT campus has a cat doing the monitoring. The cat will catch the mouse once he appears. How does your cat know this Rat appear. All relies on Yara rule (see attached diagram for reference). May be people will be scared of the web page contains hyperlink on top. And therefore this time not provided.

–End–

8th Aug 2018 – ISC Releases Security Advisory for BIND

If you are easy nervous, seems IT job not suitable for you! The Domain Name System (DNS) is the backbone of the modern internet. The workstation similar a blind people searching the correct pathway in the dark. ISC releases security advisory for BIND yesterday. My roughly statistic shown to me that this is the third times within this year!

A technical feature so called “Deny-answer-aliases” design to protect end users against DNS rebinding attack. A defact causes an INSIST assertion failure in named. causing the named process to stop execution and resulting in denial of services to client. What is Named. The Named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. Named will read the default configuration file /etc/named.conf, read any initial data, and listen for queries. For more details about this vulnerability. Please refer the following – https://kb.isc.org/article/AA-01639/0

ISC BIND vulnerabilities details on May and June this year.

June 2018

June 13, 2018 – ISC Releases Security Advisory for BIND

 

May 2018

May 18, 2018 – ISC Releases Security Advisories for BIND

Aug 2018 – Less than one month, VMware out-of-bounds read vulnerability happen again!

VMware announce that a bug found on their Horizon Connection Server, Horizon Agent, and Horizon Clien. However Horizon Agents on Linux-based systems and Horizon Clients on non-Windows systems are not affected. The symptom is that out-of-Bounds Memory Read Error in Message Framework Lets Local Users View Portions of System Memory on the Target System. From technical point of view, what is out of bound read? That is software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.But the out of bound memory read problem not a new issue. Do you remember? That is CVE-2018-6968 (The Out-of-Bounds Memory Read Error lets Local Users on a Guest System Gain Elevated Privileges on the Guest System). Just happen less than a month.

The key word vulnerability similar human being caugh, flu or headache. No worries!

Offical announcement shown as below:

https://www.vmware.com/security/advisories/VMSA-2018-0019.html

Insufficient Input Validation – Intel Distribution for Python (IDP) – Jul 2018

Mozilla’s bleach library is a security-related library. The design goals of Bleach is to sanitize input of malicious content. Furthermore it let software developer safely create links.

IPython is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language, that offers introspection, rich media, shell syntax, tab completion, and history.

Given a fragment of HTML, Bleach will parse it according to the HTML5 parsing algorithm and sanitize any disallowed tags or attributes.

But Intel announce the following statement in Jul 2018 (see below):

Synopsis – Insufficient Input Validation in Bleach module in Intel® Distribution for Python (IDP) version IDP 2018 Update 2 potentially allows an unprivileged user to bypass URI sanitization and cause a Denial of Service via local vector.

Any interest? Perhaps you have this domain knowledge. Should you have interest, please refer below hyperlink.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00129.html

antihackingonline.com