Qualcomm Technologies Security Bulletin – October 2018

A few years ago, if a friend asked you which smartphone was the best in the world, it seemed easy to answer. Today, with zero-day attacks and malware wreaking havoc, that question is hard to answer quickly!

We are now familiar with vulnerability terms, especially stack-based buffer overflow, privilege escalation and lack of input validation. Qualcomm Snapdragon is a suite of system on a chip (SoC) semiconductor products for mobile devices designed and marketed by Qualcomm Technologies Inc. The Snapdragon central processing unit (CPU) uses the ARM RISC instruction set. The Snapdragon 800 series is the top tier of Qualcomm's processors. However, plenty of design weaknesses have been found in Snapdragon. For more details, please find the URL below for reference.


Remark: We see many people walking on the street daily. However, they insist on looking at their smartphone even while crossing the road. It is hard to imagine what would happen if their phone had a flaw and could not be used for one day. What would happen afterwards?

Apple Releases Multiple Security Updates – 30th Oct 2018

Apple has released multiple security updates for its products, especially iOS 12.1.
Are you going to update as soon as possible, or observe for a moment and then act?
Can we say that we now live in an insane technology world and suffer from vulnerabilities daily!

Safari 12.0.1

iCloud for Windows 7.8

iTunes 12.9.1

watchOS 5.1

iOS 12.1

tvOS 12.1

macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra


A flaw was found in xorg-x11-server – Oct 2018

A flaw was found in xorg-x11-server. X.Org Server is the free and open-source implementation of the display server for the X Window System. It is very common in computing environments, but IT administrators must stay alert if they have a Linux desktop installed on top of their VM infrastructure, since a flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for the -modulepath and -logfile options when starting Xorg allows unprivileged users with the ability to log in to the system via the physical console to escalate their privileges and run arbitrary code with root privileges.

Reference shown below:


Advantech WebAccess remains vulnerable (8.3.1 & 8.3.2) – Oct 2018

When a vulnerability allows an attacker to execute "arbitrary code", it typically means that the hacker can run any command. Critical facilities, especially petroleum, electricity, gas and water SCADA infrastructure, are prohibited from setting up Internet access. However, to cope with modernization, network integration is hard to avoid. Advantech is a leading brand in IoT intelligent systems, Industry 4.0, machine automation, embedded computing and embedded systems. We found that two different versions of its WebAccess product have vulnerabilities. See whether this information is related to your area of expertise. For more details, please see below:

Advantech ICSA-18-296-01 WebAccess Multiple Security Vulnerabilities


  • CVE-2018-15703: Multiple Reflected Cross-Site Scripting
  • CVE-2018-15704: Authenticated Stack Buffer Overflow


Off-color humor – Cathay Pacific hack (9.4 million airline passengers' data stolen by data thieves)

Asia seems shocked by the Cathay Pacific cyber security incident. To be honest, it is hard to avoid computer vulnerabilities in business circumstances today. Why? It is a demanding environment with comprehensive competition. Business people try to find the most cost-efficient solution. Meanwhile, this unintentionally pushes an indirect burden onto the technology domain. What is it? A short system and software design and development cycle. Perhaps the developers cannot stop laughing when they read the textbook chapter about Maturity Models for Information Systems.
People did not have awareness of personal data privacy in the last decade. Maybe the junk email and phone calls awakened their awareness.
In my personal point of view, data privacy is more important for rich people, especially celebrities and politicians. Oh yes, they are the frequent travelers.
The attached diagram is my imagination regarding this incident. Yes, this is only my speculation, since nobody knows what happened in the last few months, right?

Related information:


Cathay Pacific hack: Personal data of up to 9.4 million airline passengers stolen.

From a public safety point of view, if an enterprise finds that 9.4 million personal records were stolen by hackers, and the firm postpones the announcement, then from a technical point of view law enforcement must interview the firm's top management to understand the root cause.

Based on my observation, the cyber security incident roadmap in the airline industry looks special. In June, All Nippon Airways found that TLS could allow an attacker to perform a man-in-the-middle attack. Thereafter, British Airways announced that a total of 380,000 customers' bank details were stolen by hackers. However, both cyber security incidents were announced to the public in an acceptable manner.

From a technical point of view, it was not possible to leak such a big amount of data from a TLS vulnerability or a mobile app programming bug. This suggests that the breach was most likely caused by a SQL injection attack, the so-called SQL injection vulnerability that dumps the database.

For more details of the above cyber security incident records, please refer to the URLs below for reference.

Cathay Pacific hack – https://www.scmp.com/news/hong-kong/law-and-crime/article/2170107/hong-kong-privacy-chief-slams-cathay-pacific-taking

British Airways announcement – 7th Sep 2018 (380,000 customers' bank details stolen from website)

25th Oct 2018 – BA status update


Jun 2018 – ALL NIPPON Airways Security Advisories


Cisco Webex Productivity Tools and the Cisco Webex Meetings Desktop App Releases Security Updates – October 24, 2018

Due to a design weakness in the ACL of WebExService, the service can be made to execute arbitrary commands with SYSTEM-level privileges.

The remedy below only resets the service to its default permissions.


But you should update your Cisco Webex Meetings Desktop App installation to release 33.6.0 or later, since without the patch WebExService will still be vulnerable to local privilege escalation!
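As an added illustration (not Cisco's code or advisory text), the following Python check parses a Windows service security descriptor in SDDL form, as printed by `sc.exe sdshow <service>`, and flags access-allowed ACEs that let broad groups such as Everyone or Interactive users start, stop or reconfigure the service. The two SDDL strings are constructed samples modelled on the usual Windows service default, not the real WebExService descriptor.

```python
# Added example (not Cisco's code or descriptor): flag service DACL entries that let
# broad groups start or reconfigure a Windows service, from "sc.exe sdshow" SDDL output.
import re

# SID abbreviations for broad, low-privilege principals (position 6 of an ACE).
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
              "IU": "Interactive", "AN": "Anonymous"}
# Service access rights (position 3 of an ACE) that matter for privilege escalation.
# Note "WD" here means WRITE_DAC; as a SID it means Everyone; position decides.
RISKY_RIGHTS = {"RP": "SERVICE_START", "WP": "SERVICE_STOP", "DC": "SERVICE_CHANGE_CONFIG",
                "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "GA": "GENERIC_ALL"}
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

def parse_dacl(sddl):
    """Return (ace_type, rights, sid) for each ACE in the D: part; the S: (SACL) part is ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    if not m:
        return []
    return [(t, rights, sid) for t, _flags, rights, _g1, _g2, sid in ACE_RE.findall(m.group(1))]

def split_rights(rights):
    """SDDL symbolic rights are a run of two-letter codes; numeric masks are not handled here."""
    if rights.startswith("0x"):
        raise ValueError("numeric access mask not supported: " + rights)
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def find_weak_aces(sddl):
    """List (principal, [rights]) for allow ACEs granting a broad principal a risky right."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in BROAD_SIDS:   # only access-allowed ACEs matter
            continue
        granted = sorted(RISKY_RIGHTS[c] for c in split_rights(rights) & set(RISKY_RIGHTS))
        if granted:
            findings.append((BROAD_SIDS[sid], granted))
    return findings

# Constructed samples. DEFAULT_SDDL mirrors the usual Windows service default (interactive
# users may only query the service); WEAK_SDDL lets interactive users and Everyone start it.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;WD)")

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(name, find_weak_aces(sddl) or "no weak ACEs")
```

Run it against the live descriptor by pasting the `sc.exe sdshow` output into `find_weak_aces`; an empty result means no broad principal can start or reconfigure the service, which is the property the default permissions restore.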

The official announcement is shown below for your reference.


Security Alert! Moxa ThingsPro IIoT Gateway and Device Management Software (Oct 2018)

Security Alert – Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

MQTT (formerly MQ Telemetry Transport) is an ISO standard (ISO/IEC PRF 20922) publish-subscribe-based "lightweight" messaging protocol for use on top of the TCP/IP protocol. Since the original design objective of this protocol was not the handling of confidential information, cyber security was not its major focus. Smart city infrastructure works closely with MQTT technology. Moxa products have connected over 30 million devices worldwide in a wide range of applications, including factory automation, smart rail, smart grid, intelligent transportation, oil & gas, marine, and mining. Vulnerabilities were recently found in the Moxa ThingsPro IIoT Gateway and Device Management Software. If you are an end user of Moxa, you must consider contacting your local representative in order to carry out the remedy action.

The official web site URL is shown below:


What is a smart city from a security point of view?



The objective of a smart city is to incorporate information and communication technologies (ICT) to enhance the quality of life. The smart city derives cost-effective solutions. As a result, it benefits urban services such as energy, transportation and utilities, in order to reduce resource consumption, wastage and overall costs.

Two common focus areas (Shared Data and Open Data)

People are concerned about personal privacy, and therefore the keywords "data sharing" scare them. As a matter of fact, the data breach incidents that have happened so far make people focus their defensive thinking on how to protect their personal data. Therefore any sharing concept will trigger that defensive reaction. Meanwhile, this is the bottleneck that slows down smart city development.

About public data – Public data is information that can be freely used, reused and redistributed by anyone with no existing local, national or international legal restrictions on access or usage.

Understanding of data classification

Classifying data is the process of categorizing data assets, based on nominal values, according to their sensitivity.

The data classification scheme definition table is shown below:

If we all agree on the above data classification label definitions, and have no concerns (hiccups) about the terms of use, do we have any other concerns about the smart city?

Hidden item – Technology risk management – Does the smart city follow a regular software patch cycle (zero-day)?

From a technical point of view, government facilities must follow best practice to fulfill patch management. However, hardware manufacturers do not guarantee that they can remedy a vulnerability quickly. In some circumstances, the smart city not only covers fundamental infrastructure operation; it also involves AI integration, that is, business facilities in a joint venture with government facilities. So how do we maintain a secure environment? It is one of the key elements of a smart city.


The Internet of Things is growing rapidly, and the common standard for smart devices will be designed with Embedded Systems (ESs). Real-Time Operating Systems (RTOS) are used in ES development because an RTOS adds important features: it simplifies development and makes systems more reliable. A real-time operating system (RTOS) is an operating system (OS) intended to serve real-time applications that process data as it comes in, typically without buffer delays. Most RTOS applications fall into two broad classifications: event response and closed-loop control.

Reference: A closed-loop system is one where the output is fed back into the system as an input in some way, for instance a thermostat.

Continuous closed-loop control

WHILE (Y <> specified_condition) 

Event response applications, such as automated visual inspection of assembly-line parts, require a response to a stimulus within a certain amount of time. In this visual inspection system, for example, each part must be photographed and analyzed before the assembly line moves.

List of Real-Time Operating Systems in the market

IoT devices potential risk

Threat actors exploit IoT device weaknesses to conduct cyber attacks. As a result, cyber security gurus have summarized the following design weaknesses of IoT devices. Those devices are heavily deployed in smart cities, for instance surveillance web cams, sensors, motion detectors, etc. The design weaknesses are shown below:

6 Big Security Concerns About IoT For Business

  • Default 'raw data' storage
  • Insecure devices
  • Lack of updates
  • Data breaches are hard to avoid
  • Difficult to comply with data storage policy
  • High likelihood of becoming a DDoS attack tool

Vulnerabilities & Exposures (recent) – FreeRTOS vulnerabilities awaken awareness of IoT technology weaknesses. Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure.

Risk factor: FreeRTOS TCP/IP stack vulnerabilities put a wide range of devices at risk of compromise. Researchers from Zimperium's zLabs have analyzed FreeRTOS's TCP/IP stack and AWS secure connectivity modules, and discovered vulnerabilities that also impact OpenRTOS and SafeRTOS.

CVE-2018-16522 Remote Code Execution
CVE-2018-16525 Remote Code Execution
CVE-2018-16526 Remote Code Execution
CVE-2018-16528 Remote Code Execution
CVE-2018-16523 Denial of Service
CVE-2018-16524 Information Leak
CVE-2018-16527 Information Leak
CVE-2018-16599 Information Leak
CVE-2018-16600 Information Leak
CVE-2018-16601 Information Leak
CVE-2018-16602 Information Leak
CVE-2018-16603 Information Leak
CVE-2018-16598 Other


In the technology world, it is hard to avoid vulnerabilities. Patch management is now included in the modern software and system development life cycle. There are two popular ways of disclosing vulnerabilities to software vendors.

  1. The first is called full disclosure: researchers immediately publish their vulnerability to the public, giving the vendor no opportunity to release a fix.
  2. The second is called responsible disclosure, or staggered disclosure. This is where the researcher contacts the vendor before the vulnerability is released. The vendor is given a conventional 30 calendar days to fix the vulnerability. Some security holes cannot be fixed easily, and require entire software systems to be rebuilt from scratch. Once both parties are satisfied with the fix that has been produced, the vulnerability is disclosed and given a CVE number. Regarding the above FreeRTOS vulnerabilities, Amazon addressed the issues with the release of FreeRTOS 1.3.2. But what is the remedy status of the open-source application? As far as I know, the security researchers agreed to give another 30 days to allow vendors to deploy the patches. However, the potential risks remain valid until the vendors fix the security hole.

Smart city infrastructure is not proprietary to famous vendors. We can use less famous brands of surveillance web cams, sensors and motion detectors. Could you imagine what the actual status would be once vulnerabilities occur?




Security Advisories and Alerts – LAquis SCADA Versions and prior

Since it is built and runs on top of the Microsoft Windows platform, it is speculated that the vulnerabilities might come from Microsoft itself. For instance: LAquis SCADA Versions and prior

Integer overflow to buffer overflow vulnerabilities, which may allow remote code execution.

Hint: Microsoft GDI+ is prone to an integer-overflow vulnerability. An attacker can exploit this issue by enticing unsuspecting users to view a malicious BMP file.
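The following Python example is added here to show the integer-overflow-to-buffer-overflow class just named; it is not code from the advisory or from Microsoft. It models the 32-bit size arithmetic a native image decoder performs, shows how a crafted BMP header makes the pixel-buffer size wrap to a tiny value that a naive bounds check accepts, and places the overflow-safe validation beside it. The BMP headers are constructed samples.

```python
# Added example (not advisory or Microsoft code): BMP header validation showing how a 32-bit size wraps.
import struct

U32_MAX = 0xFFFFFFFF
HEADERS_LEN = 54  # BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes)

def pixel_buffer_size_unchecked(width, height, bpp):
    """Model of the flawed native computation: every product wraps at 32 bits."""
    stride = (((width * bpp + 31) // 32) * 4) & U32_MAX  # rows are padded to 4 bytes
    return (stride * abs(height)) & U32_MAX

def pixel_buffer_size_checked(width, height, bpp):
    """Bound every operand before multiplying so the size can never wrap."""
    if bpp not in (8, 24, 32) or width <= 0 or height == 0:
        raise ValueError("unsupported or invalid header fields")
    rows = abs(height)  # negative height means top-down row order
    if width > (U32_MAX - 31) // bpp:
        raise ValueError("row size overflows 32-bit arithmetic")
    stride = ((width * bpp + 31) // 32) * 4
    if stride > U32_MAX // rows:
        raise ValueError("pixel buffer size overflows 32-bit arithmetic")
    return stride * rows

def parse_headers(data):
    """Return (width, height, bpp, pixel_offset) from the two fixed BMP headers."""
    if len(data) < HEADERS_LEN or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    hdr_size, width, height, planes, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if hdr_size != 40 or planes != 1 or compression != 0:  # 0 = BI_RGB, uncompressed
        raise ValueError("unsupported BMP variant")
    return width, height, bpp, pixel_offset

def naive_accepts(data):
    """Bounds check that trusts the wrapped size: it passes for the crafted header."""
    width, height, bpp, off = parse_headers(data)
    return off + pixel_buffer_size_unchecked(width, height, bpp) <= len(data)

def header_is_safe(data):
    """Hardened check: overflow-safe size, and the pixel data must really be present."""
    try:
        width, height, bpp, off = parse_headers(data)
        return off + pixel_buffer_size_checked(width, height, bpp) <= len(data)
    except ValueError:
        return False

def make_bmp(width, height, bpp, pixels):  # constructed sample builder
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    return struct.pack("<2sIHHI", b"BM", HEADERS_LEN + len(pixels), 0, 0, HEADERS_LEN) + info + pixels

BENIGN_BMP = make_bmp(2, 2, 24, bytes(16))         # two rows of 8-byte padded stride
CRAFTED_BMP = make_bmp(0x10000, 0x10000, 32, b"")  # 0x40000 * 0x10000 wraps to 0
```

For the crafted header the unchecked size is 0, so a decoder would allocate nothing and still believe the data fits; the checked version rejects it before any allocation.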

Vulnerabilities checklist:

  • CVE-2018-17895 out-of-bounds read vulnerabilities, which may allow remote code execution.
  • CVE-2018-17911 stack-based buffer overflow vulnerabilities, which may allow remote code execution.
  • CVE-2018-17899 path traversal vulnerability, which may allow remote code execution.
  • CVE-2018-17901 when processing project files the application fails to sanitize user input prior to performing write operations on a stack object, which may allow an attacker to execute code under the current process.
  • CVE-2018-17897 integer overflow to buffer overflow vulnerabilities, which may allow remote code execution.
  • CVE-2018-17893 untrusted pointer dereference vulnerability, which may allow remote code execution.

Remedy: Upgrade to or later