LIVE555 Streaming Library vulnerability – Oct 2018

 

The VLC is a packet-based media player it plays almost all video content. It can play some, even if they’re damaged, incomplete, or unfinished, such as files that are still downloading via a peer-to-peer (P2P) network. So it is very popular in the IoT Environments especially video streaming in vehicular IoT (VSV-IoT) environments. However security researchers have discovered a serious code execution vulnerability in the LIVE555 streaming media library.

If above vulnerability occurs in your devices, what will be happened?

If the stack buffer is filled with data supplied from an untrusted user then that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process. As a result this method is able for attacker to gain unauthorized access to a computer.
So your vulnerable IoT device will be involuntary join into the IoT Botnet army. So please be careful.

The vendor released security patches on October 17 (see below):

http://www.live555.com/liveMedia/public/

Remark: RTSP over HTTP tunneling doesn’t mean TCP will be used. As TCP has more overheads than UDP, real time streaming will prefer to use UDP as less traffic will be made.

Libssh Server-Side State Machine Unauthorized Access Vulnerability – 17thOct2018

Background:
Libssh is a library written in C implementing the SSH protocol. It can be used to implement client and server applications.

Vulnerability found on 17th Oct 2018:
By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

Remediation:
libssh 0.8.4 and 0.7.6 security and bugfix release (Refer below url):

Comment: This bug may found earlier than file a CVE record. Cyber World indeed not safe!

https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/

Yammer Desktop Application Remote Code Execution Vulnerability – 19th Oct 2018

The Yammer desktop app is a native client for Mac and Windows with the full functionality of Yammer. Along with streamlined log in and SSO support, the app integrates with native operating system capabilities such as notifications, shortcuts, and launch on startup.
Microsoft announce vulnerability occurs today. But it looks that it is a old bug found 2013.
Should you have interest of the bud details. Attached diagram can provide hints to you for reference.
If you are going to do the remediation, please refer to below url (Official announcement)

CVE-2018-8569 | Yammer Desktop Application Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8569

Unknown APT reference number ? Suspect that it targeting Advantech WebAccess/SCADA customer

 

Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs.

IoT and SCADA are the APT (Advanced Persistent threat) targeting devices so far. Meanwhile this type of manufacturer will be lured attacker interest. Regarding to the technical details, please refer below url for reference.

https://www.eset.com/int/greyenergy-exposed/

So, It is possible to make people predict the attack may targeting Advantech customer.

Factor:
In Advantech WebAccess/SCADA versions prior to V8.2_20170817.
WebAccess/SCADA does not properly sanitize its inputs for SQL commands.

Synopsis:
Chosen with servers that have a high uptime, where reboots and patch management are rare.
In order to mislead people, threat actor will use the vendor official server cert to conducting data exfiltration.
Since malware alive and therefore C&C server is able to conduct hacker job task (exploit the SQL vulnerability).

Should you have interest to know the specifics vulnerabilities. Please refer below hyperlink for reference.

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Oracle Releases October 2018 Security Bulletin – Stay alert!

Oracle has released a gamut security update to address high amounts of vulnerabilities in its various enterprise products. The official vulnerability checklist includes some follow up actions given by 2016 and 2017. Perhaps we focus vulnerability in frequent and do the priority of analysis for the score. Even though the vulnerability score is important. But we must consider the vulnerability which allow the unauthenticated remote attack. For Oracle DB, the update addresses a total of three defects. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication. For more detail, please see below url:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

VMWARE ESXi,Workstation and Fusion out-of-bounds read vulnerability in SVGA device – 16thOct2018

Malware authors constantly seek new methods to obfuscate their code so as to evade detection by virus scanners. Have you heard shader code?
In order to avoid the vulnerability occurs, VMware Releases Security Updates on October 16, 2018.
ESXi has an out-of-bounds read vulnerability in the SVGA device that might allow a guest to execute code on the host (CVE-2018-6974).
The side effect of the Out-of-bounds read is serious. It allocates uninitialized Buffers when number is passed in input. An attacker could exploit this vulnerability to take control of an affected system.
Official announcement is shown as below:

https://www.vmware.com/security/advisories/VMSA-2018-0026.html

Buzz Lightyear slogan – To Infinity… and Beyond!

TIBCO Spotfire Statistics Services remote execution vulnerabilities – Oct 2018

Theoretically, big data analytics is the often complex process of examining large and varied data sets to uncover information including hidden patterns and unknown correlation. Basically it can help organizations make informed business decisions. Since you can use the URL API to send administration, expression, or function requests to the TIBCO web server. Use the URL API for testing the health of the server, rather than for creating web-based applications.

As a result, without needing to authenticate, an attacker may be able to remotely execute code with the permissions of the system account used to run the web server component. Meanwhile the web server component ( Spotfire Statistics Services) hits multiple vulnerabilities that may allow the remote execution of code. In order to maintain your operation without any interruption. It is suggest to follow the vendor advisory to do the remediation. Below URL for your reference.

https://www.tibco.com/support/advisories/2018/10/tibco-security-advisory-october-10-2018-tibco-spotfire-statistics

Reflections – New 5G network edge server design

NSA Senior Cybersecurity Advisor questions Bloomberg Businessweek’s China iCloud spy chip claim (see below url)

http://macdailynews.com/2018/10/10/nsa-senior-cybersecurity-advisor-questions-bloomberg-businessweeks-china-icloud-spy-chip-claim/

Now we take a quick discussion but do not related to conspiracy. From technical point of view, if hardware is polluted (spy feature). It is hard to imagine what the impact was?

In the SD-branch, routing, firewall, and WAN optimization are provided as virtual functions in a cloud-like NaaS model, replacing expensive hardware. As a result, the telephone company will use SD-branch to provide virtual CPE and unversal CPE services.

Meanwhile uCPE consists of software virtual network functions (VNFs) running on a standard operating system hosted on an open server. So uCPE in reposible of very import role in future technology. What if there is vulnerability occurs in this place. It make the problem worst, complicated!

Supermicro Designs New Open Software-Defined Networking (SDN) Platform Optimized for 5G and Telco Applications and Launches verified Intel® Select Solution for uCPE

http://ir.supermicro.com/news-releases/news-release-details/supermicro-designs-new-open-software-defined-networking-sdn

Advisory on PHP Vulnerabilities – 12th Oct 2018

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities today (refer below url):

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-113/

Perhaps PHP program version will make you frustrated. Why? The vulnerabilities addressed by MS-ISAC only for Version 7.2.11 & Version 7.1.23. However there is another fix coming soon (see below):

PHP 7.1.24

Core:

Fixed bug #76946 (Cyclic reference in generator not detected)

Date: unknown

Fixed bug #75851 (Year component overflow with date formats “c”, “o”, “r” and “y”). (Adam Saponara)

FCGI:

Fixed bug #76948 (Failed shutdown/reboot or end session in Windows).

(Anatol)

Fixed bug #76954 (apache_response_headers removes last character from header

name). (stodorovic)

FTP:

. Fixed bug #76972 (Data truncation due to forceful ssl socket shutdown).

(Manuel Mausz)

intl:

. Fixed bug #76942 (U_ARGUMENT_TYPE_MISMATCH). (anthrax at unixuser dot org)

Standard:

. Fixed bug #76965 (INI_SCANNER_RAW doesn’t strip trailing whitespace).

(Pierrick)

XML:

. Fixed bug #30875 (xml_parse_into_struct() does not resolve entities).

Should you have interested, please review above diagram. PHP look likes a game.

Five publicly available tools, which have been used for malicious purposes – Oct 2018

US-Cert urge that there are total five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world (see below):

Remote Access Trojan: JBiFrost
Webshell: China Chopper
Credential Stealer: Mimikatz
Lateral Movement Framework: PowerShell Empire
C2 Obfuscation and Exfiltration: HUC Packet Transmitter

RSA found a malware in 2017 and explore remote access Trojan (RAT) feature with advanced invisible feature.

In this short discussion, I am going to focus the RAT (JBiFrost). Adzok is famous in dark web.

We seen malware exploits the Java archives.

A JAR (Java archive) is a package file format. It can be used as Java library or as standalone application. He is easy to change the shape to evade the detection.

Adzok proviced free download version. Some antivirus vendor already has defensive to avoid the infiltration.

Friendly reminder that still have some vendor do not have this malware signature.