Node JS CVE – Aug 2018

Retropective of the programming history, JavaScript was used primarily for client-side scripting, in which scripts written in JavaScript are embedded in a webpage’s HTML and run client-side by a JavaScript engine in the user’s web browser. Node js programming technique lets developers use JavaScript to write command line tools thus transfer script programming function to server-side. It let the programming scripts execute on server-side to produce dynamic web page content before the page is sent to the user’s web browser. As a result, it provides equivalent asynchronous I/O functionality (also non-sequential I/O). Asynchronous is a form of input/output processing that permits other processing to continue before the transmission has finished. But node js itself is difficult ro avoid traditional design bottleneck. For instance memory leakage issues. Found 2 issue on node js this month. However similar Buffer ucs2 and utf16le encoding issue found on 2012. For instance memory leakage issues. Found 2 issue on node js this month. However such similar Buffer ucs2 and utf16le encoding issue was found on 2012.

Official details shown below URL: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

Quick overview – Microsoft windows task scheduler design weakness

It’s hard to imagine the destructive power of a privilege escalation vulnerability? Security Guru found zero day or system design weakness in Windows OS system. It looks that zero day not rare issue but this time the first pier of announcement was not the vendor. May be we wait for next Patch Tue to do the remediation.

Vulnerability Note VU#906424:Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interfacehttps://www.kb.cert.org/vuls/id/906424

Path Traversal Vulnerability – CVE-2018-0464

In application penatration test environment. A path traversal attack not rare. Most common, it manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system. Nowadays everythings aim to quick and simple. So thin client software design (web application) installed everywhere. And therefore Cisco have the following security advisory announce today.

CVE-2018-0464 – Cisco Data Center Network Manager Path Traversal Vulnerability: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180828-dcnm-traversal

Invalid certificate on your remote access endpoint or a MITM attack presenting an invalid certificate compromise your workstation.

We heard cyber attack causes privileges escalation. Thus technology expert in creative way discover many solution to avoid such behavior happen. Perhaps we are focusing the patch management, antivirus signature update, malware detector yara rules. A silent way similar penetrate to your end point devices, even though server side will be compromised of this attack. Yes, we are talking about the Windows privilege escalation. Sounds like complicate, but it is simple on the other way round. If your remote client access software use SSL certificate establish TLS encryption. One of the possible way shown as below diagram. Be aware and stay alert! There are more products has this vulnerability but not exploit yet!

On the other hand, Adobe announce security updates for Creative Cloud Desktop Application. No specifics details provided. But only know the impact cause by Improper Certificate Validation. Detail shown as below url:

https://helpx.adobe.com/security/products/creative-cloud/apsb18-32.html

SIEMENS Vulnerabilities in SIMATIC STEP 7 (TIA Portal) and SIMATIC WinCC (TIA Portal) – Aug 2018

SIMATIC WinCC is a supervisory control and data acquisition (SCADA) and human-machine interface system from Siemens. Due to threats to actors’ interests, manufacturers have recently paid close attention to cybersecurity attacks. Hackers use Microsoft’s operating system entry point to become a channel for SCADA system facilities network attacks. Even Though Microsoft Office also pulled into SCADA security concerns! As far as we know, the new version of BLACKENERGY malware threat exploit an unpatched Office 2013 form the attack. From technical point of view, malware is hard to survival in 64 bit OS environment. However 32-bit operating system is common in SCADA related industries. So, it requires a longer time to do the design enhancement. The SCADA vendor found 2 items of Vulnerabilities in SIMATIC STEP 7 (TIA Portal) and SIMATIC WinCC (TIA Portal) on Aug 2018 (see below diagram). So, Tenable and Siemens partner to secure critical infrastructure & reduce cybersecurity risks. Please refer to the following URL:

https://www.windpowerengineering.com/business-news-projects/tenable-and-siemens-partner-to-secure-critical-infrastructure-reduce-cybersecurity-risks/

Are 64-bit OS malware proof?

Are 64-bit OS malware proof?

Aug 2018 – CVE-2018-8273 | Microsoft SQL Server Remote Code Execution Vulnerability

Above vulnerability looks complicated. It is only effect SQL server 2016 and 2017.

I do a debug on the download file.

Found the following syntax “ntdll.dll RtlEnterCriticalSection”. It looks that the software patch focus on PageHeap, which is intended for debugging of memory overhead.
In Microsoft SQL server 2016 and 2017 environment, each IAM and PFS page covers lots of data pages, so there are few IAM and PFS pages in a database. So the IAM and PFS pages are generally in memory in the SQL Server buffer pool. As seen, the file provided by Microsoft around 700MB. Not a minor modification. See whether what will be happen on the next stage?

Should you have interest, please reference below diagram.

Official announcement shown below:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8273

 

Aug 2018: Delta CNCsoft client alert – Suggest update to the latest version of CNCSoft v1.01.09

 

Computerized Numerical Control (CNC) Machining is a method used to perform a wide range of manufacturing tasks, which are all carried out by computerized devices. … The new CNC machines were able to be controlled by programming language to carry out a wider variety of tasks with greater accuracy. Delta, a world-class provider of industrial automation solutions includes CNC.

Found Delta CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has two out-of-bounds read vulnerabilities and multiple stack-based buffer overflow problem. To my observation, CNCSoft application looks embedded with a password. May be there is another root cause.

Official recommendation:

Update to the latest version of CNCSoft, v1.01.09. The updated version can be found at: http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=84&DocPath=1&hl=en-US

New alert but old News! Still require attentions (Ghostscript -dSAFER)!

The product name Ghostscript misleading people that it is a undergound hack tool. Actually Ghostscript is a suite of software based on an interpreter for Adobe Systems’ PostScript and Portable Document Format page description languages. And therefore it might install in your computer already. On Oct 2016, Google security expert infomed that we must stay alert for vulnerability found in ghostscript (multiple ghostscript -dSAFER sandbox problems).It looks this issue become serious. US-CERT prompt the alert again! Should you have interest, please refer below:

https://www.kb.cert.org/vuls/id/332928

Aug 2018 – (CVE-2018-12539) – Eclipse OpenJ9 Vulnerabilities

The software expert keen to reduce memory footprint and improve their application performance.Java code can run on different systems, because it relies on the JVM, not on the operational system itself. This is the powerful function of Java plus JVM. Meanwhile, it let’s Java application developers and end users spreading around in the world. The virtual machine creates an independent platform on top of the operating system. Similar the situation of Docker in today’s cloud computing.The JVM is a “simulated machine” that can be installed on different systems.  Furthermore, if vulnerability occurs in JVM. It will jeopardizing the related system facilities since the application run on top of JVM.

CVE-2018-12539 – In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code.

Remediation – Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option –Dcom.ibm.tools.attach.enable=no.

ABout the details CVE-2018-12539 : https://bugs.eclipse.org/bugs/show_bug.cgi?id=534589

Additional CVE-2018-12537: https://bugs.eclipse.org/bugs/show_bug.cgi?id=536038