About vulnerabilities of PHP – Aug 2018

PHP is a popular open source general-purpose scripting language. It is well suited to web development and can be embedded into HTML. Perhaps because of a fundamental weakness in PHP, we frequently see the same common problems, especially SQL injection and trusting user input to execute code.

Below are the details of the PHP vulnerabilities found in Aug 2018.

(CVE-2018-14883) An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c

https://bugs.php.net/bug.php?id=76423

(CVE-2018-14851) Allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.

https://bugs.php.net/bug.php?id=76557

(CVE-2018-14884) Inappropriately parsing an HTTP response leads to a segmentation fault because http_header_value in ext/standard/http_fopen_wrapper.c can be a NULL value that is mishandled in an atoi call.

https://bugs.php.net/bug.php?id=75535

Reference: Vulnerability found in Jul 2018

Jul 2018 – PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file)

KEYCLOAK design weakness – Aug 2018

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties. If you ask me what the design objective of SAML is: it makes your life simple. That is also the aim of computer systems in general. But a pin does not have two points: single sign-on, which benefits users, also provides benefits to attackers. Keycloak is an open source software product that allows single sign-on with identity management and access management, aimed at modern applications and services. As of March 2018 this JBoss community project is under the stewardship of Red Hat, who use it as the upstream project for their RH-SSO product. Docker has built a great deal of momentum since 2015, and Docker products have integrated open source products into the business world, especially cloud computing platforms. So it does not lack single sign-on, right? From a technical point of view, taking the easy way and keeping it simple coincidentally matches Boolean expression theory.
Keycloak has had a vulnerability. In Keycloak 3.4.3, the handling of certificates has a design weakness: expired certificates are accepted, and a malicious user could use this to access unauthorized data or possibly conduct further attacks. See the URL below for reference.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894

Aug 2018 – Malware (KEYMARBLE)

My friend informed me that a new malware is wreaking havoc. Meanwhile US-CERT issued a technical article describing the details to keep the world alert. US-CERT also provides an indicator of compromise (IOC) file for reference. I was interested and therefore put this file into a sandbox to see exactly what would happen. The fact is that the threat actor embedded malicious code and lured the victim into opening this document. The overall procedure is similar to a Word document asking you to execute XML content. The whole procedure may not trigger an antivirus alert (antivirus may detect this now, but I am not absolutely sure) until the infection goes to phase two: yes, downloading a malicious executable file. If a similar scenario happens in your company, it sounds like your IT campus has a cat doing the monitoring. The cat will catch the mouse once it appears. How does your cat know this RAT has appeared? It all relies on Yara rules (see the attached diagram for reference). Perhaps people would be scared of a web page containing a hyperlink at the top, and therefore this time none is provided.

–End–

8th Aug 2018 – ISC Releases Security Advisory for BIND

If you are easily nervous, it seems an IT job is not suitable for you! The Domain Name System (DNS) is the backbone of the modern internet. Without it, a workstation is like a blind person searching for the correct pathway in the dark. ISC released a security advisory for BIND yesterday. My rough statistics show me that this is the third time this year!

A technical feature called "deny-answer-aliases" is designed to protect end users against DNS rebinding attacks. A defect causes an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients. What is named? named is the Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. named reads the default configuration file /etc/named.conf, reads any initial data, and listens for queries. For more details about this vulnerability, please refer to the following: https://kb.isc.org/article/AA-01639/0

ISC BIND vulnerability details from May and June this year:

June 2018

June 13, 2018 – ISC Releases Security Advisory for BIND

May 2018

May 18, 2018 – ISC Releases Security Advisories for BIND

Aug 2018 – Less than one month later, a VMware out-of-bounds read vulnerability happens again!

VMware announced that a bug was found in their Horizon Connection Server, Horizon Agent, and Horizon Client. However, Horizon Agents on Linux-based systems and Horizon Clients on non-Windows systems are not affected. The symptom is that an out-of-bounds memory read error in the Message Framework lets local users view portions of system memory on the target system. From a technical point of view, what is an out-of-bounds read? It is when software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. But the out-of-bounds memory read problem is not a new issue. Do you remember CVE-2018-6968 (the out-of-bounds memory read error that lets local users on a guest system gain elevated privileges on the guest system)? That happened less than a month ago.

The keyword "vulnerability" is similar to a human being's cough, flu or headache. No worries!

Official announcement shown below:

https://www.vmware.com/security/advisories/VMSA-2018-0019.html

Insufficient Input Validation – Intel Distribution for Python (IDP) – Jul 2018

Mozilla's bleach library is a security-related library. The design goal of Bleach is to sanitize input of malicious content. Furthermore, it lets software developers safely create links.

IPython is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language, that offers introspection, rich media, shell syntax, tab completion, and history.

Given a fragment of HTML, Bleach will parse it according to the HTML5 parsing algorithm and sanitize any disallowed tags or attributes.

But Intel announced the following statement in Jul 2018 (see below):

Synopsis – Insufficient Input Validation in Bleach module in Intel® Distribution for Python (IDP) version IDP 2018 Update 2 potentially allows an unprivileged user to bypass URI sanitization and cause a Denial of Service via local vector.

Interested? Perhaps you have this domain knowledge. Should you be interested, please refer to the hyperlink below.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00129.html

Aug 2018 – Do not take this vulnerability lightly (CVE-2018-5390)

Hardware vendors deploy Linux OS as demand grows. Your firewall appliances, malware detectors, load balancers, network L2 and L3 switches and IoT devices may all be running Linux. Attackers found a trick recently: if the source device feeds tiny packets completely out of order, the kernel routine tcp_collapse_ofo_queue() might scan the whole rb-tree. As a result, an attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. I think we cannot take this specific vulnerability lightly. The worst case is that an attacker may be able to conduct denial of service against unpatched hardware appliances and IoT devices.
In the meantime, we are waiting for hardware vendor responses.

US-CERT official announcement shown below:

Linux Kernel TCP implementation vulnerable to Denial of Service

Original Release date: 06 Aug 2018 | Last revised: 06 Aug 2018

https://www.kb.cert.org/vuls/id/962459

Aug 2018 – Similar to establishing a new challenge in the IT world: mingw-w64 design limitation!

Address space layout randomization (ASLR) is a computer security technique for preventing exploitation of memory corruption vulnerabilities. ASLR functions like the last line of defense of the system against cyber attack. Recently, security experts commented that software application developers might not be following guidelines issued by the CPU vendor. The fact is that an error occurs in their software applications when ASLR or SGX (Software Guard Extensions, Intel) is applied. As a result, non-compliant application products will be available in the cyber world.

The actual scenario is that several tools that check for ASLR compatibility assume that the presence of the "Dynamic base" PE header flag is sufficient for ASLR compatibility. Because Process Explorer does not check that a relocation table is present, its indication of "ASLR" for a running process may be incorrect, and it may provide room for malware to survive. I foresee that it may impact the Docker environment.

MinGW is an implementation of most of the GNU build utilities, like gcc and make, on Windows, while gcc is only the compiler. It looks like more Linux operating systems are included in the ASLR-incompatible checklist announced for MinGW. The CPU vendor is on the way to addressing the CPU design flaws (Meltdown and Spectre). It looks like a new form of challenge is going to join the task force of mistakes.

Should you be interested, the hyperlink below provides the details.

Vulnerability Note VU#307144 : mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

https://www.kb.cert.org/vuls/id/307144
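To make the check described above concrete, here is an added Python example (not code from the CERT note or from mingw-w64) that reads a PE image's headers and reports ASLR as effective only when both the "Dynamic base" flag and a base relocation directory are present. The header bytes it inspects are constructed in-script for demonstration and are not a real executable.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the "Dynamic base" flag
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
BASE_RELOCATION_DIRECTORY = 5                   # index into the data directories


def aslr_status(image: bytes) -> dict:
    """Report whether a PE image opts in to ASLR and whether it actually
    carries a base relocation table; ASLR is only effective with both."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    # the data directories start at 96 (PE32) or 112 (PE32+)
    dirs = opt + (96 if magic == PE32_MAGIC else 112)
    reloc_rva, reloc_size = struct.unpack_from(
        "<II", image, dirs + 8 * BASE_RELOCATION_DIRECTORY)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    has_relocs = reloc_rva != 0 and reloc_size != 0
    return {"dynamic_base": dynamic_base, "has_relocs": has_relocs,
            "aslr_effective": dynamic_base and has_relocs}


def build_headers(dynamic_base: bool, with_relocs: bool) -> bytes:
    """Constructed PE32+ DOS/COFF/optional headers for demonstration only;
    this is not a real executable and has no sections or code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                         # 112-byte header + 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    if dynamic_base:
        struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    if with_relocs:                              # constructed RVA and size
        struct.pack_into("<II", opt, 112 + 8 * BASE_RELOCATION_DIRECTORY, 0x3000, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

The mingw-w64 case from the CERT note corresponds to `build_headers(True, False)`: the flag is set, no relocations exist, and a tool that only looks at the flag would wrongly report ASLR.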

Synopsis – NIST plans to retire the SMS function deployed for two-factor authentication

As of today, we enjoy the security protection of two-factor authentication with SMS-based one-time passwords (OTP). This protection mechanism is widely distributed, for instance in online banking, Visa and Master credit card online payment systems and mobile application payment systems. However, NIST plans to retire SMS-based two-factor authentication. This decision has been an open topic for public discussion in the related industries since the end of 2016. Some people question the technical standpoint of this decision.

Background – NIST SP 800-63-3 is equivalent to a bible for CSOs (chief security officers) around the world, even if your business is not focused on the US market. The documentation structure of NIST SP 800-63A is a subset of 800-63-3. This subset of guidelines specifically addresses digital identity guidelines. Item 4.4.1.6 covers address confirmation, including SMS. (Hyperlink below for official document download.)

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf

Reference: Two-factor authentication uses two different factors from the following, namely "something you have" (e.g. mobile phones), "something you are" (e.g. fingerprints) or "something you know" (e.g. a password), to authenticate a user's identity.

SMS message system design limitations (see below):

  1. SIM swap is a type of phishing fraud that poses a serious threat to mobile phone users. As a result, all calls and texts to the victim's number are routed to the fraudster's phone, including one-time passwords.
  2. SMS messages can be intercepted in many ways (problems in SS7).
  3. ASN.1 design flaw.

Interested in items 2 and 3? Please refer below:

SS7 flaw make two factor authentication insecure – Reveal the veil