An attack on a social media platform exposed nearly 50 million users' information – Sep 2018

In the 80s our daily life did not involve any electronic social media, and we understood that we should avoid talking to strangers. As time went by, internet social media fine-tuned our minds. As a result we make friends on, and rely on, these communication platforms.

Since this is a popular open platform, it is hard to avoid scam activity, and the risk factor grows in such circumstances. Even if you have security awareness, who can guarantee that threat actors only focus on attacking the individual instead of the social media vendor?

Back in October 2016, the memcached developers fixed three remote code execution vulnerabilities (CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706). The flaws affected memcached’s binary protocol for storing and retrieving data and one of them was in the Simple Authentication and Security Layer (SASL) implementation.

Remark: CVE-2016-8704 – An integer overflow in the process_bin_append_prepend function in memcached, which handles the append and prepend commands of the memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
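To make the bug class concrete, here is an added illustration (written for this page, not memcached's own code) of an int value length computed from untrusted binary-protocol header fields with and without a sanity check. Only the 24-byte header layout follows the memcached binary protocol; the struct, function names and the two sample Append requests are this example's own constructions.

```c
/*
 * Added illustration of the bug class behind CVE-2016-8704 (an int value
 * length derived from untrusted header fields with no sanity check). This is
 * NOT memcached's code: the struct, function names and sample requests are
 * this example's own; only the 24-byte header layout follows the memcached
 * binary protocol.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BIN_HEADER_LEN 24

struct bin_req_header {
    uint8_t  magic;     /* 0x80 = request */
    uint8_t  opcode;    /* 0x0e = Append, 0x0f = Prepend */
    uint16_t keylen;    /* bytes of key following the extras */
    uint8_t  extlen;    /* bytes of extras following the header */
    uint32_t bodylen;   /* extras + key + value, in bytes */
};

/* Pull the fields this example needs out of a raw big-endian header. */
int parse_bin_header(const uint8_t *buf, size_t len, struct bin_req_header *h)
{
    if (len < BIN_HEADER_LEN || buf[0] != 0x80) return -1;
    h->magic   = buf[0];
    h->opcode  = buf[1];
    h->keylen  = (uint16_t)((buf[2] << 8) | buf[3]);
    h->extlen  = buf[4];
    h->bodylen = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                 ((uint32_t)buf[10] << 8) | buf[11];
    return 0;
}

/* Vulnerable pattern: value length = bodylen - key - extras, plus 2 for the
 * "\r\n" trailer, computed in int with no check that bodylen actually covers
 * the key. A header with bodylen < keylen yields a negative length; passed to
 * an allocator it becomes a huge size_t, while the code that later copies
 * the value in still trusts the header. */
int value_len_unchecked(const struct bin_req_header *h)
{
    int vlen = (int)h->bodylen - (int)h->keylen - (int)h->extlen;
    return vlen + 2;
}

/* Hardened pattern: reject inconsistent lengths before doing arithmetic on
 * them, and guard the +2 against wrapping. Returns -1 for a bad header. */
int value_len_checked(const struct bin_req_header *h)
{
    uint32_t fixed = (uint32_t)h->keylen + h->extlen;
    if (h->bodylen < fixed) return -1;              /* would underflow */
    uint32_t vlen = h->bodylen - fixed;
    if (vlen > (uint32_t)INT_MAX - 2) return -1;    /* would overflow */
    return (int)vlen + 2;
}

/* Convenience wrappers: raw header in, computed length out (INT_MIN if the
 * header does not parse). */
int unchecked_len_from_raw(const uint8_t *buf, size_t len)
{
    struct bin_req_header h;
    return parse_bin_header(buf, len, &h) == 0 ? value_len_unchecked(&h) : INT_MIN;
}
int checked_len_from_raw(const uint8_t *buf, size_t len)
{
    struct bin_req_header h;
    return parse_bin_header(buf, len, &h) == 0 ? value_len_checked(&h) : INT_MIN;
}

/* Constructed sample Append requests: magic, opcode, keylen, extlen, datatype,
 * vbucket, bodylen, opaque, cas. Key "hello" (5 bytes) in both. */
const uint8_t APPEND_OK[BIN_HEADER_LEN] = {
    0x80, 0x0e, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x0a,                 /* bodylen 10: 5 key + 5 value */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t APPEND_BAD[BIN_HEADER_LEN] = {
    0x80, 0x0e, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01,                 /* bodylen 1 < keylen 5 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    const uint8_t *samples[] = { APPEND_OK, APPEND_BAD };
    for (int i = 0; i < 2; i++) {
        int u = unchecked_len_from_raw(samples[i], BIN_HEADER_LEN);
        int c = checked_len_from_raw(samples[i], BIN_HEADER_LEN);
        printf("sample %d: unchecked=%d (as allocation size %zu) checked=%d\n",
               i, u, (size_t)u, c);
    }
    return 0;
}
```

The second sample is the interesting one: the unchecked path returns -2, which an allocator receives as a size_t close to SIZE_MAX, while the checked path refuses the header outright. The lesson is to validate the relationship between length fields before any of them is used in arithmetic.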

Do you think the data breach Facebook announced yesterday could have happened earlier, perhaps last year, without anybody knowing?

Related news – https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-why-its-a-disaster-for-internet-security/#74855f792033

CVE-2018-17082 – PHP Apache2 Component Transfer-Encoding – chunked Request Cross-Site Scripting Vulnerability

XSS vulnerabilities look common in the application world, but do not underestimate this issue. A vulnerability in the php_handler function of PHP's Apache2 handler (sapi/apache2handler/sapi_apache2.c) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system via the body of a Transfer-Encoding: chunked request, because the bucket brigade is mishandled.

XSS comes in different forms, for instance reflected, stored and DOM-based XSS.

PHP has confirmed the vulnerability and released software updates (fixed in PHP 5.6.38, 7.0.32, 7.1.22 and 7.2.10).

http://php.net/ChangeLog-5.php

Cisco Releases Security Updates for Multiple Products – September 26 and Oct 17, 2018

 

IOS XE is built on Linux and provides a distributed software architecture that moves many operating-system responsibilities out of the IOS process, with a copy of IOS (IOSd) running as a separate process.

Since it runs a copy of IOS, the CLI commands are the same between Cisco IOS and IOS XE, in contrast to IOS XR, which has a completely different code base and a noticeably different CLI command set.

In that architecture, IOSd on IOS XE looks somewhat like a containerised application running on a Linux host.

Cisco has released several updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

Cisco IOS and IOS XE Software OSPFv3 Denial of Service Vulnerability(buffer overflow)

The vulnerability is due to incorrect handling of specific OSPFv3 packets. An attacker could exploit this vulnerability by sending crafted OSPFv3 Link-State Advertisements (LSA) to an affected device. An exploit could allow the attacker to cause an affected device to reload, leading to a denial of service (DoS) condition.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos

Cisco IOS and IOS XE Software SM-1T3/E3 Service Module Denial of Service Vulnerability
A successful exploit could cause the ISR G2 router, or the SM-1T3/E3 module on the ISR4451-X, to reload, resulting in a denial of service (DoS) condition on an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-sm1t3e3

Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability
The vulnerability is due to improper processing of SIP packets in transit while NAT is performed on an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-sip-alg

Cisco IOS Software Precision Time Protocol Denial of Service Vulnerability
The vulnerability is due to insufficient processing of PTP packets. An attacker could exploit this vulnerability by sending a custom PTP packet to, or through, an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ptp

Cisco IOS and IOS XE Software IPv6 Hop-by-Hop Options Denial of Service Vulnerability
The vulnerability is due to incorrect handling of specific IPv6 hop-by-hop options. An attacker could exploit this vulnerability by sending a malicious IPv6 packet to or through the affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipv6hbh

Cisco IOS XE Software Command Injection Vulnerabilities
The vulnerabilities exist because the affected software improperly sanitizes command arguments, failing to prevent access to certain internal data structures on an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-iosxe-cmdinj

Cisco IOS XE Software Errdisable Denial of Service Vulnerability
The vulnerability is due to a race condition that occurs when the VLAN and port enter an errdisabled state, resulting in an incorrect state in the software. An attacker could exploit this vulnerability by sending frames that trigger the errdisable condition. A successful exploit could allow the attacker to cause the affected device to crash, leading to a DoS condition.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-errdisable

Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability
The vulnerability is due to improper input validation when handling Cluster Management Protocol (CMP) messages. An attacker could exploit this vulnerability by sending a malicious CMP message to an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cmp

Cisco IOS XE Software Cisco Discovery Protocol Memory Leak Vulnerability
The vulnerability is due to incorrect processing of certain CDP packets. An attacker could exploit this vulnerability by sending certain CDP packets to an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-memleak

Cisco Webex Meetings Client for Windows Privilege Escalation Vulnerability
The vulnerability is due to folder permissions that grant a user the permission to read, write, and execute files in the Webex folders. An attacker could exploit this vulnerability to write malicious files to the Webex client directory, affecting all other users of the targeted device. A successful exploit could allow a user to execute commands with elevated privileges.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe

About vulnerabilities for NX-OS – status update 18th Oct 2018

Cisco NX-OS Software Authenticated Simple Network Management Protocol Denial of Service Vulnerability – The vulnerability is due to improper validation of SNMP protocol data units (PDUs) in SNMP packets.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-nxos-snmp

Cisco NX-OS Software for Nexus 5500, 5600, and 6000 Series Switches Precision Time Protocol Denial of Service Vulnerability – The vulnerability is due to a lack of protection against PTP frame flood attacks.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-nexus-ptp-dos

Cisco FXOS and NX-OS Software Link Layer Discovery Protocol Denial of Service Vulnerability – The vulnerability is due to improper input validation of certain type, length, value (TLV) fields of the LLDP frame header.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-fxnx-os-dos

 

Open vSwitch 2.7.x vulnerabilities – Sep 2018

In the past, servers physically connected to a hardware switch located in the data center. With the arrival of server virtualization (which VMware made mainstream), the access layer changed: instead of connecting to a physical switch, servers connect to a virtual switch. This virtual switch is a software layer that resides in the server hosting the virtual machines (VMs). VMs, and now also containers such as Docker, have logical or virtual Ethernet ports, and these logical ports connect to the virtual switch.

There are three vulnerabilities in total, found a few months ago (June 2018). From a security point of view, I focus on CVE-2018-17206, a buffer over-read in the OpenFlow bundle-action decoder (decode_bundle in lib/ofp-actions.c) that an attacker can trigger with a crafted message to disclose memory contents.

References:

CVE-2018-17206 – https://access.redhat.com/security/cve/cve-2018-17206

CVE-2018-17204 – https://access.redhat.com/security/cve/cve-2018-17204

CVE-2018-17205 – https://access.redhat.com/security/cve/cve-2018-17205
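Both the Cisco FXOS/NX-OS LLDP advisory above (improper validation of TLV length fields) and CVE-2018-17206 (an over-read while decoding OpenFlow bundle properties, which are also type/length/value records) come down to the same missing check: a length field that is trusted without comparing it to the bytes actually remaining in the buffer. The following added example, written for this page and not taken from Cisco or Open vSwitch, is a bounds-checked walker for LLDP TLVs (7-bit type, 9-bit length); the two sample frames are constructed for this example.

```c
/*
 * Added illustration (not Cisco's or Open vSwitch's code) of bounds-checked
 * TLV parsing, the check whose absence turns a crafted length field into an
 * out-of-bounds read. Layout follows the LLDP TLV header (7-bit type,
 * 9-bit length); the sample frames are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>

#define LLDP_TLV_END        0
#define LLDP_TLV_CHASSIS_ID 1
#define LLDP_TLV_PORT_ID    2
#define LLDP_TLV_TTL        3

struct tlv {
    uint8_t        type;
    uint16_t       len;
    const uint8_t *value;  /* points into the frame, never copied */
};

/* Decode one TLV at offset *off. Returns 1 on success, 0 if the header is
 * truncated or the TLV claims more bytes than remain (the over-read case).
 * Advances *off only on success, so *off never exceeds buflen. */
int tlv_next(const uint8_t *buf, size_t buflen, size_t *off, struct tlv *out)
{
    if (buflen - *off < 2) return 0;               /* need a 2-byte header */
    uint16_t hdr = (uint16_t)((buf[*off] << 8) | buf[*off + 1]);
    out->type = (uint8_t)(hdr >> 9);
    out->len  = hdr & 0x1ff;
    if (out->len > buflen - *off - 2) return 0;    /* length exceeds frame */
    out->value = buf + *off + 2;
    *off += 2 + out->len;
    return 1;
}

/* Walk an LLDPDU. Returns the number of TLVs before End-of-LLDPDU, or -1
 * if any TLV is malformed or the terminator is missing. The mandatory TLVs
 * (Chassis ID, Port ID, TTL) are also checked for sane lengths. */
int lldp_walk(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    int count = 0;
    struct tlv t;
    while (tlv_next(buf, buflen, &off, &t)) {
        if (t.type == LLDP_TLV_END) return t.len == 0 ? count : -1;
        if ((t.type == LLDP_TLV_CHASSIS_ID || t.type == LLDP_TLV_PORT_ID) && t.len < 2)
            return -1;                             /* subtype + at least 1 byte */
        if (t.type == LLDP_TLV_TTL && t.len != 2) return -1;
        count++;
    }
    return -1;                                     /* truncated or oversized TLV */
}

/* Constructed frames. Each TLV header is (type << 9) | len, big-endian. */
const uint8_t LLDP_GOOD[] = {
    0x02, 0x07, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* Chassis ID (MAC) */
    0x04, 0x04, 0x05, 'g', 'i', '1',                      /* Port ID (ifname) */
    0x06, 0x02, 0x00, 0x78,                               /* TTL 120 s */
    0x00, 0x00 };                                         /* End of LLDPDU */
const size_t LLDP_GOOD_LEN = sizeof LLDP_GOOD;

/* Same frame, but the Port ID TLV claims 0x1ff (511) bytes: a parser that
 * trusts the length reads far past the end of the buffer. */
const uint8_t LLDP_BAD[] = {
    0x02, 0x07, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x05, 0xff, 0x05, 'g', 'i', '1',
    0x06, 0x02, 0x00, 0x78,
    0x00, 0x00 };
const size_t LLDP_BAD_LEN = sizeof LLDP_BAD;

int main(void)
{
    printf("good frame: %d TLVs\n", lldp_walk(LLDP_GOOD, LLDP_GOOD_LEN));  /* 3 */
    printf("bad frame:  %d\n", lldp_walk(LLDP_BAD, LLDP_BAD_LEN));         /* -1 */
    printf("truncated:  %d\n", lldp_walk(LLDP_GOOD, LLDP_GOOD_LEN - 2));   /* -1 */
    return 0;
}
```

The design point is that tlv_next compares the claimed length against the bytes remaining before it ever forms a pointer into the value, and lldp_walk treats a frame without a clean End-of-LLDPDU as malformed rather than silently accepting whatever was parsed so far. The same shape applies to any type/length/value encoding, including OpenFlow property lists.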

Rockwell Automation RSLinx Classic cyber security alert! 20th Sep 2018

Perhaps we believe that vulnerabilities in industrial automation or SCADA systems only happen in Microsoft products. As a matter of fact, Linux-based systems are no exception; they are vulnerable too!

The vulnerability details below were found in Rockwell RSLinx Classic. RSLinx Classic is a comprehensive communication server that provides plant-floor device connectivity for a wide variety of Rockwell Software applications such as RSLogix 5/500/5000, RSView32, FactoryTalk View Site Edition and FactoryTalk Transaction Manager. RSLinx provides connectivity for client applications using OPC or DDE. OPC is the preferred interface for data acquisition applications because it is the de facto standard for factory communications.

References:

STACK-BASED BUFFER OVERFLOW – https://www.cvedetails.com/cve/CVE-2018-14829/

HEAP-BASED BUFFER OVERFLOW – https://www.cvedetails.com/cve/CVE-2018-14821/

UNCONTROLLED RESOURCE CONSUMPTION (‘RESOURCE EXHAUSTION’) – https://www.cvedetails.com/cve/CVE-2018-14827/

 

Apple Releases Security Update for macOS Mojave – 24th Sep 2018

The Mid-Autumn Festival is a harvest festival celebrated notably by Chinese and Vietnamese people. It is a special day for celebration, and traditionally people take a rest and gather for a family dinner. Operations in the cyber world, it seems, have no holidays. This is the robot life. Perhaps you and I do not want to become robots, but we are on the way!


Bluetooth – CVE-2018-5383
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

App Store – CVE-2018-4324
Impact: A malicious application may be able to determine the Apple ID of the owner of the computer

Application Firewall – CVE-2018-4353
Impact: A sandboxed process may be able to circumvent sandbox restrictions

Auto Unlock – CVE-2018-4321
Impact: A malicious application may be able to access local users' Apple IDs

Crash Reporter – CVE-2018-4333
Impact: An application may be able to read restricted memory

Kernel – CVE-2018-4336, CVE-2018-4344
Impact: An application may be able to execute arbitrary code with kernel privileges

Security – CVE-2016-1777
Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm

Reference: https://support.apple.com/en-us/HT209139

Hypothesis – About the cyber attack on Port of Barcelona (Sep 2018)

We heard that the Port of Barcelona suffered a hacker attack last week (20th Sep 2018). The logistics and transportation industry attracts hackers' interest because they can extort ransom.

There has been no official announcement or incident details to date. The following is purely my personal speculation about this incident. Any resemblance to actual events or persons is entirely coincidental.

We noticed that Portic Barcelona adopted WebLogic for a private PaaS in 2014. The solution aims to improve performance and facilitate interaction between its members through its information services for logistics agents and other customers.

If the vulnerability below were present, do you think the scenario would resemble this incident?

ORACLE WEBLOGIC SERVER JAVA DESERIALIZATION REMOTE CODE EXECUTION VULNERABILITY (CVE-2018-2628) BYPASS

Headline News article for reference.

https://www.portseurope.com/barcelona-port-suffers-a-cyber-attack/

SAP security Patch Day – 11th Sep 2018

Nowadays, the trend across industries is to bring applications onto cloud services. Some firms remain reluctant about the cloud because of concerns over data breaches, data ownership and differing legal regulations. As a matter of fact, doing cyber security protection on your own, without managed security services, does not look like the right direction. As a result, more development projects are choosing cloud application platforms. The hottest one is SAP.

As the market leader, SAP seems to handle vulnerability management well. As we know, Security Patch Day was announced on 11th September 2018, over a week ago. In this round of patches I observe items that should awaken a CSO's thinking: even medium-priority vulnerabilities carry real risk. Take CVE-2018-2454, CVE-2018-2455 and CVE-2018-2461. The first two (CVE-2018-2454 and CVE-2018-2455) are missing authorization checks, an indirect form of privilege escalation that an insider can abuse, so a careless user could jeopardize or compromise the system. The last one (CVE-2018-2461) is in SAP HCM. The SAP Fiori app suite for HCM uses SAP's new UX strategy to let employees at any level trigger HR requests such as paid-leave applications and viewing pay stubs. That vulnerability, which concerns data privacy, is also a missing authorization check. So medium-severity vulnerabilities can also be dangerous. Should you have an interest in knowing more, please refer to the URL below.

SAP Security Patch Day – September 2018

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499356993

Remediation announcement – Cisco Video Surveillance Manager Appliance Default Password Vulnerability 21st Sep 2018

Is it a design flaw, or is it a ………..?

While exploring her new home, a girl named Coraline discovers a secret door, behind which lies an alternate world that closely mirrors her own but,…..

Remediation announcement – Cisco Video Surveillance Manager Appliance Default Password Vulnerability – 2018 September 21 (below url for reference)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm

Similar vulnerabilities have been found in Cisco products this year. Is it a coincidence? (see below):

CVE-2018-0150 – Cisco IOS XE Software static credential (default account) vulnerability
CVE-2018-0222 – Cisco DNA Center static credentials vulnerability
CVE-2018-0268 – authentication bypass in the Kubernetes container management subsystem embedded in Cisco DNA Center
CVE-2018-0271 – authentication bypass in the Cisco DNA Center API gateway
CVE-2018-0375 – default password vulnerability in the Cluster Manager of Cisco Policy Suite
CVE-2018-0329 – hard-coded credentials: a read-only SNMP community string in the SNMP daemon configuration file of Cisco WAAS
CVE-2018-15427 – Cisco Video Surveillance Manager Appliance default password vulnerability