Nowadays, the trend of business industries are bring their application on top of Cloud services. But some of the firm has reluctant to cloud because they are concerning about data breaches, data ownership and different areas of law regulations. As a matter of fact, doing the cyber security protection on your own or without managed sercurity services looks not in the right direction. As a result , there are more project development priority to select cloud services application platform. The hottest one is the SAP.

Vendor SAP do the vulnerability managment looks fine since they are the market leader. As we know, the security patch day announced on 11th September 2018. Yes, it is above one week ago. I observe this round of patch management have 2 items awaken company CSO thinking. Even the medium piority of vulnerability items also contain potential risk. For instance CVE-2018-2454,CVE-2018-2455 and CVE-2018-2461. The first and second CVE issues (CVE-2018-2454 & CVE-2018-2455 )are lack of authorization check. In the sense that this type of indirect privileges escalation causes by insider threats. So a careless user will be jeopardize or compromised the system.The last one (CVE-2018-2461) indicate the vulnerability happend in SAP HCM. The SAP Fiori app suite for HCM makes use of SAP’s new UX strategy to help your employees, irrespective of any level, to trigger different HR needs, such as paid leave application, viewing of pay stubs. The vulnerability belongs to data privacy is also lack of authorization check. So medium severity of vulnerability sometimes will also be dangerous. Should you have interest to know more, please refer to below url.

SAP Security Patch Day – September 2018

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499356993

Does it a design flaw or it is a ………..?

While exploring her new home, a girl named Coraline discovers a secret door, behind which lies an alternate world that closely mirrors her own but,…..

Remediation announcement – Cisco Video Surveillance Manager Appliance Default Password Vulnerability – 2018 September 21 (below url for reference)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm

Similar vulnerability found on Cisco products within this year, is it a coincidence? (see below):

CVE-2018-0150 – Cisco IOS XE static credential default account
CVE-2018-0222 – Digital Network Architecture Center Static Credentials Vulnerability
CVE-2018-0268 – bypass for a Kubernetes container management subsystem embedded inside Cisco’s DNA Center.
CVE-2018-0271 – An authentication bypass in the DNA Center’s API gateway.
CVE-2018-0375 – vulnerability in the Cluster Manager of Cisco Policy Suite
CVE-2018-0329 – The hardcoded credentials resides in the read-only SNMP community string in the configuration file of the SNMP daemon,
CVE-2018-15427 – Cisco Video Surveillance Manager Appliance Default Password Vulnerability

SCADA helps people automate our world. It includes water, wastewater, and storm water management,Oil and Gas,Electricity,Transit systems and traffic,Facilities,Agriculture and Manufacturing.

OPC UA can be used for supervisory control, now eliminating the use of Windows-based intermediate systems to streamline the data transfer process from the field and control levels vertically to the management and enterprise levels. Recently found Buffer overflow in OPC UA applications. It allows remote attackers to trigger a stack overflow with carefully structured requests. Stack buffer overflow can be caused deliberately as part of an attack known as stack smashing. Buffer overflows in the stack segment may allow an attacker to modify the values of automatic variables or execute arbitrary code.

Official announcement shown as below URL:

https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-12086.pdf

What is BIND 9? BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS queries for your users.

On 2006, named.conf parser design limitation found by Anonymous Monk. He list out the following.

• BIND::Conf_Parser – doesn’t deal with 9.x
• BIND::Config::Parser – bails out with ‘Bad text’ on my named.conf
• Cpanel – near to impossible to cut out something usable outside cpanel
• Webmin – seems to deal only with bind 8.x
• the /usr/sbin/named-checkconf utility packed with bind.9 – gives just an OK/not ok verdict upon named.conf, no way to store the underlying structure.

Announce design flaw – Sep 2018

The krb5-subdomain and ms-subdomain update policy rule types permit updates from any client authenticated with a valid Kerberos or Windows machine principal from the REALM specified in the identity field, to modify records in the zone at or below the name specified in the name field.

Remark: A Kerberos realm is a set of managed nodes that share the same Kerberos database.

CVE-2018-5741: Update policies krb5-subdomain and ms-subdomain – https://kb.isc.org/docs/cve-2018-5741

Summary:

ISC BIND before releases 9.11.4-P2 and 9.12.2-P2 does not properly document the behaviour of the krb5-subdomain and ms-subdomain update policies.

Reference – Vulnerabilities announced last few months

8th Aug 2018 – ISC Releases Security Advisory for BIND

June 13, 2018 – ISC Releases Security Advisory for BIND

May 18, 2018 – ISC Releases Security Advisories for BIND

Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader. Electronic document transform to an attacking tools are worry in cyber security world so far. The fact is that it is hard to detect such indirect attack. The simple we will know it is easy to evade the defense machanism. A malicious user can pass a `cff` font file to the application to cause a heap-based buffer overflow that can lead to an out-of-bounds write. This can cause the application to crash or overwrite values in the heap. If it overwrite chunk header, corrupt free(), but program doesn’t crash. It will be very dangerous!

Don’t underestimate! Offical URL shown as below:

https://helpx.adobe.com/security/products/acrobat/apsb18-34.html

Basic Understanding:

What is smart card? A smart card is a security token that has an embedded chip. Smart cards are typically the same size as a driver’s license and can be made out of metal or plastic

Basicaly you can get smart card in two states: either blank or initialized. For blank cards OpenSC has code to initialize the card in PKCS#15 format.

PKCS#11 – The PKCS#11 interface is used to communicate or access the cryptographic devices such as HSM (Hardware Security Modules) and smart cards. The primary purpose of HSM devices is to generate cryptographic keys and sign/encrypt information without revealing the private key to the others.

PKCS#15 – PKCS 15 (Public Key Cryptography Standard 15) defines the standard for the storage of keys on smart cards. OpenSC implements PKCS#15 and thus stores everything in the directory 5015, creates certain files in defined formats, subdirectories and so on. Not all software implement PKCS#15. Many cards in EU and elsewhere have ID cards for their citizens with keys for digital signatures and authentication, and often those cards and not in PKCS#15 format.

OpenSC implements the standard APIs to smart cards

OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the PKCS #15 standard and the PKCS #11 API. It is possible to use the Smartcard via OpenSC with the Microsoft CNG library. CNG can be used together with CryptoAPI.

Vulnerability Details

CVE-2018-16418

A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

CVE-2018-16427

Various out of bounds reads when handling responses in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to potentially crash the opensc library using programs.

Reference: Fixed out of bounds writes

https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad

OpenSC before 0.19.0-rc1 vulnerabilities summary:

Highlight concerns

Buffer overflow – Attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on a user’s input. There are two types of buffer overflows: stack-based and heap-based. Heap-based, which are difficult to execute and the least common of the two, attack an application by flooding the memory space reserved for a program. Stack-based buffer overflows, which are more common among attackers, exploit applications and programs by using what is known as a stack: memory space used to store user input.

Double free errors – Double free errors occur when free() is called more than once with the same … Calling free() twice on the same value can lead to memory leak.

Endless recursion vulnerability – This weakness describes a logic error within the application, which results in an endless loop.

OpenSC-019.0 released 14th Sep 2018

Fixed multiple security problems (out of bound writes/reads, #1447):

CVE-2018-16391, CVE-2018-16392, CVE-2018-16393, CVE-2018-16418, CVE-2018-16419, CVE-2018-16420, CVE-2018-16421, CVE-2018-16422, CVE-2018-16423, CVE-2018-16424, CVE-2018-16425, CVE-2018-16426, CVE-2018-16427

URL shown as below:

https://github.com/OpenSC/OpenSC/releases

We are free to download apps in Google Play Store and App Store. And we believe the Apps are secure without any problem. Apple has removed “Adware Doctor” from the macOS App Store and claims that the program was uploading browser histories. As far as we know, our browse history collect by 3rd party is not the first time. Even though your defense software will be collect your internet activities in silent way. The collection of internet activities is hard to avoid today. Since we are living in so called big data world. On the other hand, App Store (Apple) found that threat actors may craft a malicious code embedded in application put in App store. The goal is going to read persistent account identifier. It looks that it is the way to receive your credential to evade the detection. So there is an security announcement on apple products this week (see below):

iOS 12: https://support.apple.com/kb/HT209106

Apple Support 2.4 for iOS: https://support.apple.com/kb/HT209117

Safari 12: https://support.apple.com/kb/HT209109

watchOS 5: https://support.apple.com/kb/HT209108

tvOS 12: https://support.apple.com/kb/HT209107