World Cup 2018 – malicious game websites and phishing emails are also taking part in this competition. Think of it as malware taking a shot at goal.

THE 2018 WORLD CUP attracts hacker interest and is a breeding ground for attackers. In phishing campaigns linked to the start of the FIFA World Cup, cyber-criminals attempt to lure would-be victims into downloading content such as games, emails and related information. Such downloads contain malware and turn the downloader into a cyber-attack victim.

How do you defend against this football (malware)?

  • Use and maintain antivirus software.
  • Keep software and operating systems up to date.
  • Be wary of downloading files from websites.
  • Think before you click!

Headline News :

https://www.independent.co.uk/sport/football/world-cup/world-cup-live-streaming-free-streams-fifa-2018-football-matches-risk-fans-watch-a8419266.html

Sometimes a RESTful API jeopardizes your personal data privacy

Ticketmaster hacked! The company sold 500 million tickets to 86 million people last year. It is important to select the best API when you create a chatbot; the common way is to call a RESTful API from your chatbot. What makes RESTful APIs even more attractive is that the same REST API can potentially be used by a web application as well as by other clients such as a mobile application. But a RESTful API requires hardening; otherwise it is not secure.

Common REST API security risks (see below):

  • unencrypted payload
  • lack of input sanitisation

Therefore the payments or approvals process must be put in a secure place, which is usually not the client app.
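As an added example (not code from the original post, nor from Ticketmaster or any chatbot vendor), the pattern the two risks above point at, in Python: a chatbot payment webhook that trusts the client's amount and approval flag, beside a hardened version that validates the payload against an allow-list and decides price and approval on the server. The ticket catalogue, the approver list and the request payloads are constructed for the demo; encrypting the payload in transit is a TLS matter and is not shown.

```python
import json
import re

# Constructed server-side data for the demo: prices and approver roles live
# on the server and are never taken from the client request.
CATALOGUE = {"TKT-STD": 45.00, "TKT-VIP": 120.00}
APPROVERS = {"alice"}                              # accounts that may approve
TICKET_ID_RE = re.compile(r"^[A-Z]{3}-[A-Z]{3}$")  # allow-list pattern
ALLOWED_FIELDS = {"ticket_id", "quantity"}         # anything else is rejected


class RejectedRequest(Exception):
    """Raised when a request fails validation or authorisation."""


def handle_payment_untrusted(body: bytes) -> dict:
    """Weak handler: trusts the amount and the approval flag sent by the
    client app, so the client decides what it pays and whether it is approved."""
    req = json.loads(body)
    return {"charged": req["amount"], "approved": req["approved"]}


def handle_payment_hardened(body: bytes, session_user: str) -> dict:
    """Hardened handler: strict input validation, price recomputed from the
    server-side catalogue, approval decided from the authenticated session."""
    try:
        req = json.loads(body)
    except ValueError as exc:
        raise RejectedRequest("body is not valid JSON") from exc
    if not isinstance(req, dict):
        raise RejectedRequest("body must be a JSON object")
    extra = set(req) - ALLOWED_FIELDS
    if extra:
        # 'amount' and 'approved' are never accepted from the client.
        raise RejectedRequest("unexpected field(s): %s" % sorted(extra))
    ticket_id, qty = req.get("ticket_id"), req.get("quantity")
    if not isinstance(ticket_id, str) or not TICKET_ID_RE.fullmatch(ticket_id):
        raise RejectedRequest("malformed ticket_id")
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 10:
        raise RejectedRequest("quantity must be an integer from 1 to 10")
    if ticket_id not in CATALOGUE:
        raise RejectedRequest("unknown ticket")
    return {"charged": round(CATALOGUE[ticket_id] * qty, 2),
            "approved": session_user in APPROVERS}


def is_rejected(body: bytes, session_user: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        handle_payment_hardened(body, session_user)
    except RejectedRequest:
        return True
    return False


# Constructed requests: a tampered client claims a 1-cent price and approval.
TAMPERED = b'{"ticket_id":"TKT-VIP","quantity":2,"amount":0.01,"approved":true}'
CLEAN = b'{"ticket_id":"TKT-VIP","quantity":2}'

if __name__ == "__main__":
    print("weak    :", handle_payment_untrusted(TAMPERED))      # client wins
    print("hardened:", is_rejected(TAMPERED, "bob"))             # True
    print("hardened:", handle_payment_hardened(CLEAN, "bob"))    # 240.0, no approval
```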

Should you be interested in the Ticketmaster data breach incident, please refer to the URL below for reference.

Ticketmaster admits personal data stolen in hack attack

https://www.bbc.com/news/technology-44628874?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-story

30th June 2018 – status update (Inbenta and the Ticketmaster Data Breach FAQs – official announcement)

https://www.inbenta.com/en/inbenta-and-the-ticketmaster-data-breach-faqs/

See whether it is a defect in GNU Binutils (status update on 25th June 2018)

A bug (CVE-2018-7642) was found in GNU Binutils 2.30 on 24th Feb 2018. GNU Binary Utilities, or binutils, are a set of programming tools for creating and managing binary programs, object files, libraries, profile data, and assembly source code. The GNU Compiler Collection (gcc) plays an important role in software development. If a bug occurs in the compiler toolchain, we can imagine that it will affect the software development life cycle (SDLC). The bug found earlier this year in GNU Binutils results in a crash. But the bugs found in April 2018 look broader in scope and are not limited to a crash. Should you be interested, please refer to the URLs below for reference.

CVE-2018-12700 – https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454

CVE-2018-12699 – https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454

CVE-2018-12641 – https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452

CVE-2018-12698 – https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454

Bug found in GNU Binutils 2.30 on 24th Feb 2018

CVE-2018-7642 – GNU Binutils 2.30

Buffer overflow, integer overflow & memory corruption found in Redis – Jun 2018

If you have a database of geo-located data, what is the appropriate database setup? Geospatial workloads require a very fast database, so Redis is one option. Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker. It supports data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs and geospatial indexes with radius queries. Buffer overflow, integer overflow and memory corruption bugs have been found in Redis. Technical details are shown below:

CVE-2018-12326, CVE-2018-11218 & CVE-2018-11219: https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES

https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES

CVE-2018-12453: https://gist.github.com/fakhrizulkifli/34a56d575030682f6c564553c53b82b5

Dark power (malware) jeopardizes open geospatial data

Will satellites be affected by a buffer overflow vulnerability?

Heard that hackers are interested in satellite devices. This news lets you imagine that it is an APT attack, right? It looks like political issues run around the world. Who's right? Who's wrong? Perhaps God also doesn't know. On 16th Jan 2018, the confirmation of Solaris and SPARC Spectre vulnerabilities came as Oracle delivered its Meltdown/Spectre patches for its x86 servers. Meltdown and Spectre look like an AIDS or Ebola disease.

The CDMU (Command and Data Management Unit) is used for spacecraft control, especially satellites. It is composed of the following functional elements. The LEON-3 CPU, developed by Gaisler Research, is a 32-bit synthesisable processor core based on the SPARC V8 architecture. Oh! As far as I know, hackers can exploit SPARC buffer overflow vulnerabilities. Perhaps it is not easy to do patch management in the sky? Should you be interested in this topic, please refer to the URL below for reference.

http://www.nspo.narl.org.tw/en2016/aboutNSPO/gs.html

“With great power comes great responsibility” (CVE-2018-6961)

Sometimes we review the vulnerability checklist. We aim to address high-severity vulnerability items as the first priority. From a technical point of view it looks correct, since some medium vulnerabilities, especially cookie or cross-site scripting issues, may take more time to remediate. A security advisory announced by VMware on 15th May 2018 brought CVE-2018-6961 to my attention (see attached diagram). It looks like the original Web UI function is a dilemma! Web UIs frequently have design weaknesses that let an attacker do code injection, since there is no perfect item in the world. The attacker might rely on CVE-2018-6961 to execute a use-after-free vulnerability. As a result it affected drag-and-drop functionality and was triggered through the Backdoor RPC interface.

Remark: stay alert to this path (lib/include/backdoor_def.h)

Reference – Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud:

https://www.vmware.com/security/advisories/VMSA-2018-0011.html

No attacks related to CVE-2018-7559 have been seen yet, but it requires consideration and staying alert.

US Homeland Security has made announcements three times this year (April 16, 2018, May 29, 2018 and June 14, 2018) to urge the world to stay alert to malicious attacks. Perhaps the industrial sector, especially oil and gas and power supply facilities, has detective and preventive controls in place, so hackers will face difficulties attacking. As far as we know, the OPC source code on GitHub contains a flaw that lets a remote attacker use the server's private key to decrypt and sign messages, by using information obtained by sending invalid UserIdentityTokens encrypted with the Basic128Rsa15 security policy. A successful result could allow an attacker to decrypt passwords even if they are encrypted with another security policy such as Basic256Sha256. This flaw was found in April this year and remediation has been announced. However, I believe that cyber-security attacks exploiting this vulnerability will happen soon.

Official announcement (OPC Foundation Security Bulletin: Security Update for the OPC UA Stacks – April 2018)

https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-7559.pdf

June 2018 Node.js Security Releases

Node.js runs on top of a JavaScript engine, therefore it is portable to any platform in the computing world. You can deploy a Node.js web application environment using AWS Elastic Beanstalk and Amazon DynamoDB; Elastic Beanstalk provisions and manages the underlying infrastructure.
Solutions Infini is a leading bulk SMS and cloud telephony service provider, and its front end is an AWS Lambda function powered by the Node.js platform.
The Node.js organization announced that Node.js (6.x – 10.x) has vulnerabilities.
The official announcement and remediation steps are at the URL below:

https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

June 20, 2018 – Cisco Releases Security Updates for Multiple Products

A remote attacker could exploit some of these vulnerabilities to take control of an affected system running either NX-OS or FXOS. In that sense routers, switches and firewalls all require users' consideration.

NX-OS Software NX-API Arbitrary Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-bo

FXOS and NX-OS Software Cisco Fabric Services Arbitrary Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-fab-ace

FXOS and NX-OS Software Cisco Fabric Services Arbitrary Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-cli-execution

NX-OS Software CLI Arbitrary Command Injection Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-injection

NX-OS Software Authenticated Simple Network Management Protocol Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxossnmp

NX-OS Software Role-Based Access Control Elevated Privileges Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosrbac

NX-OS Software Internet Group Management Protocol Snooping Remote Code Execution and Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosigmp

NX-OS Software Border Gateway Protocol Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosbgp

FXOS and NX-OS Software Unauthorized Administrator Account Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxosadmin

NX-OS Software NX-API Privilege Escalation Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-nxapi

FXOS, NX-OS, and UCS Manager Software Cisco Discovery Protocol Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-cdp

FXOS and NX-OS Software Cisco Fabric Services Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-fabric-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-fabric-services-dos

NX-OS Software CLI Arbitrary Command Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-execution

NX-OS Software NX-API Arbitrary Command Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-api-execution

Cisco Nexus 4000 Series Switch Simple Network Management Protocol Polling Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-n4k-snmp-dos

Cisco Nexus 3000 and 9000 Series CLI and Simple Network Management Protocol Polling Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-n3k-n9k-clisnmp

Cisco FXOS Software and UCS Fabric Interconnect Web UI Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxos-dos

Cisco FXOS Software and UCS Fabric Interconnect Arbitrary Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxos-ace

Cisco FXOS and NX-OS Software Cisco Discovery Protocol Arbitrary Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-dos

Cisco FXOS and NX-OS Software Cisco Fabric Services Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-fabric-dos

Cisco Firepower 4100 Series Next-Generation Firewall and Firepower 9300 Security Appliance Path Traversal Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-firepwr-pt

Windows SharePoint Services – “To be, or not to be”

Microsoft formalized Patch Tuesday in October 2003 and it continues to this day. It has focused on workstation, server and software products. Any differences in the Microsoft architecture model in the last decade? Perhaps your answer is the cloud platform and the collaboration cloud. Yes, cloud computing technology is similar to the renaissance of the 14th to 17th centuries; thus it is a major component of today's technology world.

From IT management's point of view, cloud computing was avoided in the early stages, but today they enjoy this technology. As time goes by, the Microsoft SharePoint product is widely deployed in IT environments. Some system architects build SharePoint to work as a data warehouse.

The SharePoint design looks fine from Microsoft's point of view. Furthermore, both authentication and security coexist with Active Directory. It is a popular setup since it provides single sign-on.

The vulnerabilities found in SharePoint in 2018, in retrospect (see below), show that SharePoint can easily lead to remote code execution by an attacker.

Each entry below gives the CVE, its description, the score and the vulnerability type(s).

CVE-2018-8254 | Score: not yet calculated
An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

CVE-2018-8252 | Score: not yet calculated
An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

CVE-2018-8168 | Score: 9.3 | Type(s): Exec Code, Overflow
A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka “Microsoft Office Remote Code Execution Vulnerability.” This affects Microsoft Word, Word, Microsoft Office, Microsoft SharePoint. This CVE ID is unique from CVE-2018-8157, CVE-2018-8158.

CVE-2018-0922 | Score: 9.3 | Type(s): Exec Code, Overflow, Mem. Corr.
Microsoft Office 2010 SP2, 2013 SP1, and 2016, Microsoft Office 2016 Click-to-Run, Microsoft Office 2016 for Mac, Microsoft Office Compatibility Pack SP2, Microsoft Office Web Apps 2010 SP2, Microsoft Office Web Apps 2013 SP1, Microsoft Office Word Viewer, Microsoft SharePoint Enterprise Server 2013 SP1, Microsoft SharePoint Enterprise Server 2016, Microsoft Office Compatibility Pack SP2, Microsoft Online Server 2016, Microsoft SharePoint Server 2010 SP2, Microsoft Word 2007 SP3, Microsoft Word 2010 SP2, Word 2013 and Microsoft Word 2016 allow a remote code execution vulnerability due to how objects are handled in memory, aka “Microsoft Office Memory Corruption Vulnerability”.

CVE-2018-0797 | Score: 9.3 | Type(s): Exec Code, Overflow, Mem. Corr.
Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way RTF content is handled, aka “Microsoft Word Memory Corruption Vulnerability”.

CVE-2018-0792 | Score: 9.3 | Type(s): Exec Code, Overflow
Microsoft Word 2016 in Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka “Microsoft Word Remote Code Execution Vulnerability”. This CVE is unique from CVE-2018-0794.

CVE-2018-0789 | Score: 9
Microsoft SharePoint Foundation 2010, Microsoft SharePoint Server 2013 and Microsoft SharePoint Server 2016 allow an elevation of privilege vulnerability due to the way web requests are handled, aka “Microsoft SharePoint Elevation of Privilege Vulnerability”. This CVE is unique from CVE-2018-0790.

Refer to the attached SharePoint architecture diagram; this is a common practice deployment model integrated with the Azure (IaaS) cloud platform. If, coincidentally, MS Excel and SharePoint both have vulnerabilities at the same time (a similar situation is displayed in the diagram), which item becomes critical in today's IT environment: the endpoint, the server or the cloud platform?

See whether the high-severity vulnerability items below, which appeared in June 2018, can provide hints in this regard.

CVE-2018-8233 | Win32k Elevation of Privilege Vulnerability – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka “Win32k Elevation of Privilege Vulnerability.” This affects Windows 10, Windows 10 Servers.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8233

CVE-2018-8251 | Media Foundation Memory Corruption Vulnerability – A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory, aka “Media Foundation Memory Corruption Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8251

CVE-2018-8252 | Microsoft SharePoint Elevation of Privilege Vulnerability – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8252

CVE-2018-8254 | Microsoft SharePoint Elevation of Privilege Vulnerability – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8254

— End —