UTM (all in one) firewall not in good shape! If you are concern cyber security, please forget so called cost effective solution.

Preface: Dynamic memory automatically reclaimed when the garbage collector no longer sees any live reference to it.

Description: A vulnerability in the data acquisition (DAQ) component of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured access control policies or cause a denial of service (DoS) condition.

Official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-firepowertds-bypass

My opinion: For memory that is not associated with a Scheme object, we cannot assume the new memory block can be freed by a garbage collection. FirePower run on top of Cisco ASA appliance.See below bug history, eventhough it is Cisco. The design is better to separate the Snort with CISCO ASA!

A specially crafted username through phpmyadmin can be used to trigger an SQL injection attack through the designer weakness – 30th Jan 2019

Preface: phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web.

Description: Phpmyadmin sometimes similar is a gadget. It can help you reset your WordPress password. It seems to be very useful, but this time the vulnerability is equivalent to the Swiss Army Knife, thus breaking your defense mechanism.

Vulnerability detail: An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.

Official reference: https://www.phpmyadmin.net/security/PMASA-2019-2/

Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks – 28th Jan 2019

Preface: EWS Push Subscription, you will get notifications as long as you respond to the server and acknowledge that you received the notification.

The CERT Coordination Center (CERT/CC) announcement – 29th Jan 2019: Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks

Vulnerability detail: Exchange allows any user to specify a desired URL for Push Subscription, and the server will attempt to send notifications to this URL….. For more detail, please refer to attached diagram for reference.

Remedy:

  1. Disable EWS push/pull subscriptions.
  2. Remove privileges that Exchange has on the domain object.

Technical article for reference: https://www.kb.cert.org/vuls/id/465632/

Python CVE-2019-5010 Remote Denial of Service Vulnerability – 15th Jan 2019

Preface: Programmer just spend 10 minutes write a python script then can listen UDP traffic. Even though we performing Google Search , the function is using Python code.

Information background:
Python has now become the most taught programming languages in Universities and Academica. Machine learning or artificial intelligence is learning Python because it is the primary language that makes tasks easier.

Vulnerability:
The security expert from Cisco Talos found that a vulnerability will be occured when python parser handling x509 certificate. A handshake failures result in skipping the call to getpeercert(). Under above circumstances, attacker can craft a x.509 certificate with both a blank distributionPoint and cRLIssuer causes a NULL pointer dereference. As a result a denial-of-service occur.

Official details: https://bugs.python.org/issue35746

CVE-2018-20720 Published: 2019-01-15: Terminal Reboot vulnerability in Relion 630 series version 1.3 and earlier release

Preface: IEC 61850 is an international standard defining communication protocols for intelligent electronic devices at electrical substations. Relion products have been designed to implement IEC 61850 standard.

Vulnerability has been recorded to National Vulnerability Database – 15th Jan 2019:
ABB Relion 630 series allow remote attackers to cause a denial of service (reboot) via a reboot command in an SPA message.
Ref: SP command is used to setup the SPA-bus interface, UN command is used to program the unit list, ..

Vendor reference:

http://search.abb.com/library/Download.aspx?DocumentID=1MRS758909&LanguageCode=en&DocumentPartId=&Action=Launch

Remark: The atmosphere shown that in industrial world especially energy, gas, water supply facilities will be the attacked target by APT group once political issue occurs in between different countries. The Natural-gas processing plant and Oil refining facility relies on SCADA system. The cyber security alert awaken the business owner and management group last year. They are now have better understanding of patch management and cyber security awareness.

CISA Releases Blog on Emergency Directive: January 24, 2019

Preface: Cyber security experts predict that global DNS hijacking activities are underway. However, it is not certain who is the attacker (the cyber attack group), FireEye said on January 9, 2019.

Background information:
This cybersecurity incident caught the attention of the Network Security and Infrastructure Security Agency (CISA). Whereby, CISA released their first emergency order on January 22, 2019. They urge the world to understand the current situation (global DNS hijacking campaign). At the same time, they released a mitigation solution for mitigating DNS system.
For more details, please see below: https://cyber.dhs.gov/blog/#why-cisa-issued-our-first-emergency-directive

My observation:
While DNS software is specially designed to fulfill one specific role, applications like Bind are incredibly flexible and can be used as hybrid solutions. However there are plenty of vulnerabilities ( high severity of risk) found on Bind system software.Please refer following url for reference:

http://www.antihackingonline.com/potential-risk-of-cve/bind-9-flaw-krb5-subdomain-and-ms-subdomain-update-policy-rules-ineffective/

By the way, your in house SIEM system can fight against cyber crime.

CVE-2019-1651 – Cisco SD-WAN Solution Buffer Overflow Vulnerability (23rd Jan 2019)

Preface: Cisco SD-WAN key advantage keen to reducing costs with transport independence across MPLS, 3G/4G LTE, etc. Meanwhile it improving business application performance and increasing agility.

Technical background:
The vSmart controller is the brains of the centralized control plane for the Viptela system network architecture. The vSmart controller runs as a virtual machine (VM) on a network server. It can also run as a container within a vContainer host.

Vulnerability found announced on today (23rd Jan 2019)
A vulnerability in the vContainer of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to cause a denial of service (DoS) condition and execute arbitrary code as the root user. The details are as follows: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-bo

TIBCO Security Advisory: January 16, 2019

Preface: Tycoon wants to invest in a football team. He wants to know which is the good team, how many matches they won in years, the revenue they generate,..etc. Believe that analyzing data solution (TIBCO Spotfire ) can help.

TIBCO Spotfire technology Synopsis:
Data virtualization time-to-solution is 5‒10X faster than traditional data warehousing and ETL.You can extend TIBCO Spotfire yourself using TIBCO Spotfire’s publicly published APIs, download extensions from the TIBCO component exchange.

Vulnerabilities found this month (16th Jan 2019)!

TIBCO Spotfire Authentication Vulnerability – https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18814

TIBCO Spotfire Fails To Prevent Write Access to Spotfire Library – https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18812

TIBCO Spotfire Reflected and Persistent Cross-Site Scripting Vulnerabilities – https://www.tibco.com/support/advisories/2019/01/tibco-security-advisory-january-16-2019-tibco-spotfire-2018-18813

22nd Jan 2019 – Apple security updates

Preface: Every computer has a finite amount of memory so OS might actually need to use more than is physically available on your system. As a result, it is hard to avoid sharing resources feature.

Our security focus:
In regard to security update announced by Apple. Our security focus of this topic will be follow closely of malicious application may cause unexpected changes in memory shared between processes.

Under XNU a virtual memory map is represented by a
_vm_map struct, defined in osfmk/vm/vm_map.h. Because not the entire virtual memory address space is mapped at any given moment, the virtual memory map is divided in several entries, each representing a continuous block of mapped memory which share common properties.

Design limitation:
CVE-2019-6205 and CVE-2019-6208: A malicious application may cause unexpected changes in memory shared between processes.

Remedy:
The Apple Security Update covers all of its products. For more information, please see the following: https://support.apple.com/en-hk/HT209446

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Preface: Some organizations that use MySQL include GitHub, US Navy, NASA, Tesla, Netflix, WeChat, Facebook, Zendesk, Twitter, Zappos, YouTube,…etc

Background: Technology writer Ionut Ilascu alert that there is command in MySQL server could be use for steal the personal and web server data without a high level evasion technique.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access.

Security Issues with LOAD DATA LOCAL on web server side:
In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to.

Sounds scary. Should you have interest of this topic, please refer below url: https://dev.mysql.com/doc/refman/8.0/en/load-data-local.html