2018-07-18 – Jenkins Security Advisory

Jenkins is the leading open-source automation server. Written in Java, it provides over 1,000 plugins to support automation.

Jenkins is commonly used for building projects, running tests to detect bugs and other issues as soon as they are introduced, static code analysis, and deployment.

For instance, combining Jenkins and Docker can bring improved speed and consistency to your automation tasks.

That is, you can configure Jenkins to build Docker images from a Dockerfile and use Docker within a CI/CD pipeline, treating images as build artefacts that are promoted through the different environments and finally into production. Usually a freestyle job is created to accomplish one specific task in the CI pipeline, such as compiling the code, running integration tests, or deploying the application.

Remark:

A complete CI/CD pipeline is made up of these major parts:

Integration: build the code and run unit tests.

Delivery: deploy the application to a staging or production environment.

Is Jenkins sick (vulnerable) today? Should we worry about it?

The official announcement states the following: https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390


Silent security alert – RSA archer (CVE-2018-11059 & CVE-2018-11060)

Archer Technologies provides enterprise governance, risk, and compliance (GRC) management software. The product aims to reduce enterprise risk, manage and demonstrate compliance, automate business processes, and give visibility into corporate risk and security controls. It integrates with your internal systems, in particular workflow management such as approval processes.

The Archer REST API relies on a stateless, client-server, cacheable communications protocol; HTTP is used by default.

The recently found vulnerabilities (CVE-2018-11059 and CVE-2018-11060) can be combined to jeopardize your risk management and cyber security defence. A possible scenario runs as follows. RSA Archer versions prior to 6.4.0.1 contain a stored cross-site scripting vulnerability (CVE-2018-11059). A remote authenticated malicious Archer user could exploit it to store malicious HTML or JavaScript code in a trusted application data store. The attacker then exploits CVE-2018-11060 to elevate his privileges.

Reference hyperlink:

https://exchange.xforce.ibmcloud.com/vulnerabilities/147142

CYBER SECURITY ADVISORY – Panel Builder 800, Improper input validation vulnerability (CVE-2018-10616)

Looking back, cyber attacks on nuclear power facilities have been encountered in the past. SCADA system vendors are working hard to harden their devices and publish cyber security advisories. ABB has announced a cyber security alert: the software engineering tool used to configure Panel 800 has a vulnerability. ABB Panel Builder 800, all versions, has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. However, the advisory indicates that the attacker would have to create a specially crafted file and trick a person using Panel Builder 800 into opening it (see the technical note at the hyperlink below).

http://search-ext.abb.com/library/Download.aspx?DocumentID=3BSE092089&Action=Launch

Perhaps the technical limitation sometimes lies in the fundamental design. See Alert B in the attached diagram. Since Panel 800 is based on an Intel CPU running the Windows CE OS, my concern is that it is not known whether Intel XScale or Marvell Feroceon cores are affected by these issues (Meltdown and Spectre). But no worries, tomorrow will be a better day!


26th Jul 2018 – CVE-2018-1046 (PowerDNS)

Cyber attacks wreak havoc; this is a digital world. Over the past decade we focused on cyber attacks against company and personal workstations. Smartphones and IoT devices now have larger market coverage than traditional hardware devices in the business world. From a business point of view this is a good opportunity, and telecom service providers will see more business growth. Meanwhile, cyber security attacks look like a heavy burden on their business operations.

DNS is a major component of internet services; it works like a phone book.

If you are a customer of PowerDNS, you must stay alert! For more details, please see the reference below (hyperlink):

PowerDNS before version 4.1.2 is vulnerable to a buffer overflow in dnsreplay. In the dnsreplay tool provided with PowerDNS Authoritative, replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution. This buffer overflow only occurs when the --ecs-stamp option of dnsreplay is used.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1046

Security Advisory for Vulnerabilities in QNAP (Q’center) Virtual Appliance – Jul 2018

QNAP's Network Attached Storage (NAS) is a friend to SME users, and IT departments are also satisfied with NAS, since the price is affordable and it provides plug-and-play functionality. It is common for the firewall to be configured with Hide NAT, so your QNAP can reach the internet to receive new patch updates. At the same time, this benefits the hacker once a vulnerability occurs.

Please remember to create a firewall rule that denies the NAS access to the internet for the moment.

It is better to do the remediation now. See below:

https://www.qnap.com/zh-tw/security-advisory/nas-201807-10

25th Jul 2018 – Malicious Cyber Activity Targeting ERP Applications (stay alert!)


A consulting firm has observed that abuse of the SAP Invoker Servlet (built-in functionality in SAP NetWeaver Application Server Java systems, the SAP Java platform) is rapidly increasing. The fact is that customers may not be aware of a former vulnerability, or may encounter technical difficulties remediating it. A new attack (former vulnerability + zero day) may then let the risk materialize.

Quick remediation steps for the moment:

1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

2. Analyze systems for malicious or excessive user authorizations.

3. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

4. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

Should you be interested in the report, you can download it here:

https://www.onapsis.com/research/reports/erp-security-threat-report


Loss of civilization – Enterprise MDM solutions may not detect these apps

The installation packages of Android apps (.APK files) are deployed as .ZIP files. Because of this fundamental design, malware has a way in: a threat actor can place a malicious DEX file at the start of the APK file. The v2 signing scheme prevents this type of infection, but for compatibility reasons apps signed only with version 1 of the signing scheme are still alive on older Android versions. We know that risk may occur in such circumstances. The fact is that enterprise MDM solutions may not detect these apps.

Reference: https://developer.android.com/about/versions/nougat/android-7.0#apk_signature_v2
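The following is an added example, not code from the page, from Android or from any MDM vendor, showing the kind of pre-install check an MDM policy could run: it parses the ZIP end-of-central-directory record, looks for the APK Signing Block (the "APK Sig Block 42" magic that the v2 scheme places immediately before the central directory) and for a JAR-style v1 signature, and flags a file whose first bytes are a DEX header rather than a ZIP local-file header. The sample APK is constructed in memory with placeholder contents, and the inserted signing block carries a placeholder value rather than a real signature; the v2 pair ID and block layout follow the v2 specification.

```python
import io
import struct
import zipfile

# Constants from the APK Signature Scheme v2 specification.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # 16 bytes immediately before the central directory
APK_SIG_V2_ID = 0x7109871A                 # ID of the v2 signature ID-value pair
EOCD_SIG = b"PK\x05\x06"                   # ZIP end-of-central-directory record
DEX_MAGIC = b"dex\n"                       # a DEX header at offset 0 is never a plain ZIP


def _central_dir_offset(apk: bytes):
    """Return (eocd_offset, central_directory_offset) by locating the EOCD record."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no ZIP end-of-central-directory record found")
    return eocd, struct.unpack_from("<I", apk, eocd + 16)[0]


def signing_block_ids(apk: bytes):
    """IDs of all ID-value pairs in the APK Signing Block, or an empty set if there is none."""
    _, cd_off = _central_dir_offset(apk)
    if cd_off < 24 or apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return set()
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]      # trailing size field
    start = cd_off - 8 - size                                   # leading size field
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("malformed APK Signing Block (size fields disagree)")
    ids, pos, end = set(), start + 8, cd_off - 24
    while pos < end:
        length, pair_id = struct.unpack_from("<QI", apk, pos)  # length covers ID + value
        ids.add(pair_id)
        pos += 8 + length
    return ids


def has_v1_signature(apk: bytes) -> bool:
    """JAR-style (v1) signing: a manifest plus at least one META-INF/*.RSA|DSA|EC block."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = set(zf.namelist())
    return "META-INF/MANIFEST.MF" in names and any(
        n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
        for n in names)


def triage(apk: bytes) -> dict:
    """Facts an MDM/EMM policy could act on before allowing an install."""
    return {
        "v1": has_v1_signature(apk),
        "v2": APK_SIG_V2_ID in signing_block_ids(apk),
        "dex_prefix": apk[:4] == DEX_MAGIC,   # file starts with a DEX header, not a ZIP header
    }


# --- constructed sample data (not a real app) -----------------------------------

def build_v1_only_apk() -> bytes:
    """A minimal ZIP with the layout of a v1-signed APK; all contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")   # placeholder, not real PKCS#7
    return buf.getvalue()


def add_signing_block(apk: bytes, pairs) -> bytes:
    """Insert an APK Signing Block before the central directory and fix the EOCD offset.
    Pair values here are placeholders; a real v2 block carries signed digests."""
    eocd, cd_off = _central_dir_offset(apk)
    body = b"".join(struct.pack("<QI", 4 + len(v), pid) + v for pid, v in pairs)
    size = len(body) + 8 + 16                      # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd_off] + block + apk[cd_off:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_off + len(block))
    return bytes(out)


if __name__ == "__main__":
    legacy = build_v1_only_apk()
    modern = add_signing_block(legacy, [(APK_SIG_V2_ID, b"placeholder-v2-signature")])
    print("v1-only:", triage(legacy))   # v2 False: flag for review on older devices
    print("v1+v2  :", triage(modern))
```

The check only establishes which signing schemes are present; verifying the v2 signature itself (digesting the three ZIP sections and checking the signatures against the embedded certificates) is a separate step that a real policy engine would do with apksigner or an equivalent library.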

23rd Jul 2018 – Bluetooth vulnerability

Elliptic Curve Diffie-Hellman (ECDH) makes man-in-the-middle attacks difficult, since the attacker cannot find out the shared secret, and therefore it looks secure. The public keys are either static (and trusted, say via a certificate) or ephemeral (also known as ECDHE, where the final "E" stands for "ephemeral"). Ephemeral keys are temporary and not necessarily authenticated, so if authentication is desired, authenticity assurances must be obtained by other means. Authentication is necessary to avoid man-in-the-middle attacks. The truth is that this type of setup also has vulnerabilities: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange.

Reference: Vulnerability Note VU#304725, Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange: https://www.kb.cert.org/vuls/id/304725

Ethereum carrier Solidity shield – Call abuse vulnerability (CVE-2018-14087)

An integer overflow is the condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it. Ethereum hits such vulnerabilities frequently. The Solidity programming language is what makes Ethereum programmable in the cryptocurrency world, but nothing in this world is perfect. A vulnerability was recently found in the Ethereum EUC token, which is built with Solidity; the researcher nicknamed it the "call abused" vulnerability. For details, please see the hyperlink below.

Ethereum EUC Token (call abused) – CVE-2018-14087

https://github.com/rootclay/Audit-of-smart-contracts/tree/master/0x8810C63470d38639954c6B41AaC545848C46484a
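As an added illustration of the integer overflow class listed in the next section (this is example code written for this page, not the EUC contract or any of the tokens linked below), the following Python models Solidity's pre-0.8 uint256 arithmetic, which wraps modulo 2**256 without any error. A batch-transfer function that computes the total as count * value lets a caller pass a value such that the product wraps to 0, so the balance check succeeds and every receiver is credited 2**255 tokens from an account holding nothing. The SafeMath-style variant detects the wrap and reverts. Account names and balances are constructed for the demo.

```python
MASK = (1 << 256) - 1   # EVM word size: uint256 wraps modulo 2**256


def u256(v: int) -> int:
    """Model Solidity (< 0.8) unchecked uint256 arithmetic: silently wrap."""
    return v & MASK


class Revert(ArithmeticError):
    """Stands in for a failed require()/assert(), which reverts the transaction."""


def safe_mul(a: int, b: int) -> int:
    """SafeMath-style multiply: the product is valid only if dividing it back gives b."""
    if a == 0:
        return 0
    c = u256(a * b)
    if c // a != b:
        raise Revert("mul overflow")
    return c


def safe_add(a: int, b: int) -> int:
    c = u256(a + b)
    if c < a:
        raise Revert("add overflow")
    return c


def safe_sub(a: int, b: int) -> int:
    if b > a:
        raise Revert("sub underflow")
    return a - b


class Token:
    """A toy ERC20-like ledger with a batch transfer in two flavours."""

    def __init__(self, balances):
        self.balances = {k: u256(v) for k, v in balances.items()}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def batch_transfer_unchecked(self, sender, receivers, value):
        # Vulnerable pattern: total = cnt * value in wrapping arithmetic.
        amount = u256(len(receivers) * value)
        if not (value > 0 and self.balance_of(sender) >= amount):
            raise Revert("require failed")
        self.balances[sender] = u256(self.balance_of(sender) - amount)
        for r in receivers:
            self.balances[r] = u256(self.balance_of(r) + value)
        return amount          # what the sender was actually charged

    def batch_transfer_safe(self, sender, receivers, value):
        amount = safe_mul(len(receivers), value)   # reverts instead of wrapping
        if not (value > 0 and self.balance_of(sender) >= amount):
            raise Revert("require failed")
        self.balances[sender] = safe_sub(self.balance_of(sender), amount)
        for r in receivers:
            self.balances[r] = safe_add(self.balance_of(r), value)
        return amount


def demo_overflow():
    """Returns (amount charged, tokens minted to one receiver, whether the safe path reverted)."""
    value = 1 << 255                       # 2 receivers * 2**255 == 2**256, wraps to 0
    receivers = ["mallory_1", "mallory_2"]
    vulnerable = Token({"mallory": 0})     # attacker holds zero tokens
    charged = vulnerable.batch_transfer_unchecked("mallory", receivers, value)
    fixed = Token({"mallory": 0})
    try:
        fixed.batch_transfer_safe("mallory", receivers, value)
        reverted = False
    except Revert:
        reverted = True
    return charged, vulnerable.balance_of("mallory_1"), reverted


if __name__ == "__main__":
    charged, minted, reverted = demo_overflow()
    print(f"unchecked: charged {charged}, receiver now holds 2**{minted.bit_length() - 1}")
    print("safe version reverted:", reverted)
```

The same division-based check is what SafeMath's mul does on chain; since Solidity 0.8 the compiler inserts equivalent overflow checks on every arithmetic operation, so only contracts compiled with older versions (or that opt into unchecked blocks) need the library.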

Additional information – Ethereum integer overflow vulnerabilities

Ethereum aditus token (CVE-2018-12959):

https://github.com/hellowuzekai/blockchains/blob/master/overflow2.md

Ethereum mkcb_token:

https://github.com/hellowuzekai/blockchains/blob/master/README.md

Ethereum singaporecoinorigin token:

https://github.com/hellowuzekai/blockchains/blob/master/overflow1.md

Ethereum stex white list token:

https://github.com/hellowuzekai/blockchains/blob/master/overflow3.md

Ethereum tracto token:

https://github.com/tracto2/Tracto-ERC20/issues/1

Ethereum virgo zodiactoken token:

https://github.com/hellowuzekai/blockchains/blob/master/transferFrom.md

Not belongs to integer overflow vulnerability:

Ethereum userwallet 0x0a7bca9fb7aff26c6ed8029bb6f0f5d291587c42 token:

https://github.com/hellowuzekai/blockchains/blob/master/delegatecall.md