9th Jan 2019 – Security Focus (Juniper Networks)

Preface: Historically, telecommunications companies have been the largest customer segment for Juniper. Juniper has provided them with on-premises hardware — routers and switches — for the purpose.

Background of XML C parser:
Libxml2 is the XML C parser and toolkit developed for the Gnome project. Libxml2 is made of multiple components; some of them are optional, and most of the block interfaces are public.SAX is an event-driven interface. The programmer specifies an event that may happen and, if it does, SAX gets control and handles the situation. SAX works directly with an XML parser.

Multiple vulnerabilities in libxml2:
The xz_decomp function in xzlib.c in libxml2 2.9.8, if –with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

For more details, please refer below url:

Remark: Companies are moving more of their IT needs to the cloud. Traditional IT appliance business life not easy!

Cisco Releases Security Updates Published Wednesday, January 9, 2019

Preface: Crimes that use computer networks or devices to advance other ends includes Phishing scams and Spam.

S/MIME technical background:
S/MIME is based on asymmetric cryptography to protect your emails from unwanted access. It also allows you to digitally sign your emails to verify you as the legitimate sender of the message, making it an effective weapon against many phishing attacks out there. That’s basically the gist of what S/MIME is all about.

Technical limitation:
Because S/⁠MIME takes into account interoperation in non-MIME environments, several different mechanisms are employed to carry the type information, and it becomes a bit difficult to identify S/⁠MIME messages.

Vulnerabilities found on Cisco Email Security Appliance

Impact: A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition.

Cisco Email Security Appliance URL Filtering Denial of Service Vulnerability:

Cisco Email Security Appliance Memory Corruption Denial of Service Vulnerability

Apple IntelHD5000 Graphics Process Token Privilege Escalation Vulnerability – CVE-2018-4421

Preface: A third of people have a virus on their device from porn, said Dailymail.co.uk

Description: If you like watch the adult movie online and you are Mac book air user. Please staying alert! Hacker Jeopardize your Mac Book Air by Adult movie.

Impact: An application may be able to execute arbitrary code with kernel privileges.
OS X provides a kernel extension mechanism as a means of allowing dynamic loading of code into the kernel, without the need to recompile or relink. Because these kernel extensions (KEXTs) provide both modularity and dynamic loadability, they are a natural choice for any relatively self-contained service that requires access to internal kernel interfaces. A memory corruption vulnerability exists in the IntelHD5000 kernel extension when dealing with graphics resources inside of OSX 10.13.4. A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.

Official announcement: https://support.apple.com/en-il/HT209341

Microsoft Patch Tue – Security Focus CVE 2019-0556 | Microsoft Office SharePoint XSS vulnerability

SharePoint is unquestionably one of the best and most significant enterprise productivity tools for user. It similar OneDrive for Business and Apps functions.

Vulnerability found on SharePoint – 2019 Jan
CVE 2019-0556 | Microsoft Office SharePoint XSS vulnerability

The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.


  1. Exploit go through email attach with graphic file. The graphic file embedded malicious code simultaneously. This way will have high possibility to evade malware detection.
  2. It can exploit the vulnerability (CVE-2019-0556) when hunt the victim.
  3. Assume sharepoint application user will be the target since they are focus on operation instead of cyber security awareness.
  4. Assume computer compromised by attacker.
  5. I assume that the attacker’s ultimate goal is to steal the victim’s cookies by exploiting an XSS vulnerability in sharepoint. This can be done by having the victim’s browser parse the HTML code.
  6. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. For more detail, please refer to attached diagram

Official announcement:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0556

CVE-2018-17195 – Apache NiFi Template Upload API Endpoint Cross-Site Request Forgery Vulnerability

Preface: What Is Big Data and Why Do We Need It?

A complex reason of this question. In short sentence to describe, business and human being looking for operational efficiency to improve the daily life.

Technical background of Apache NiFi:
Apache NiFi can help you get your S3 data storage into proper shape for analytic processing with EMR, Hadoop, Drill, and other tools.
Drill is primarily focused on non-relational datastores, including Hadoop, NoSQL and cloud storage.

Vulnerability found on Apache NiFi:
A vulnerability in the template upload API endpoint of Apache NiFi could allow an unauthenticated, adjacent attacker to conduct a cross-site request forgery (CSRF) attack on a targeted system which could be used to conduct further attacks.

Reason: The vulnerability is due to improper validation of user-supplied input by the template upload API endpoint used by the affected software.

Remedy: Official announcement shown as below


Vulnerability in Java Deserialization Affecting Cisco Products – 2019 Jan

Cause: A vulnerability in the Java deserialization used by the Apache Commons Collections (ACC) library could allow an unauthenticated, remote attacker to execute arbitrary code.

Remark: Researchers have found complex object graphs which, when deserialized, can lead to remote code execution in most Java software.

Official announcement:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

Apocalypse – Is that the correct way? But this is the destiny!

Preface: The 2012 phenomenon was a range of eschatological beliefs that cataclysmic or otherwise transformative events would occur on or around 21 December 2012.

In the moment: We are still alive, but climate in the earth running in irregular way. Changes in the amount of sea ice can disrupt normal ocean circulation, thereby leading to changes in global climate.

Prediction: But what my final speculation of Maya calendar? My comment is that Maya calendar inform that the new generation of Artificial Intelligence was born during December 2012 (see below Appendix 1). As a matter of fact we are on the way go to Artificial Intelligence world. However , the truth is that it there is a lot of uncertainty on this AI age. Even though Professor Stephen Hawking’s also urge mankind must staying alert!

Appendix 1: In June 2012, the New York Times reported that a cluster of 16,000 computers dedicated to mimicking some aspects of human brain activity had successfully trained itself to recognize a cat based on 10 million digital images taken from YouTube videos.

Reference: Stephen Hawking’s final warning – https://www.vox.com/future-perfect/2018/10/16/17978596/stephen-hawking-ai-climate-change-robots-future-universe-earth

Exploitation of vulnerability transform to APT (Advanced Persistent threat) facility

Preface: On 4th Jan 2019 CERT/CC Reports Critical Vulnerabilities in Microsoft Windows, Server…

Report details:
The report recall vulnerabilities found on 13th Dec 2018 (see below):
CVE-2018-8626 Windows DNS Server Heap Overflow
Vulnerability – https://www.kb.cert.org/vuls/id/531281/

CVE-2018-8611 Windows Kernel Elevation of Privilege Vulnerability – https://www.kb.cert.org/vuls/id/289907/

But vulnerability (CVE-2018-8611) successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox.

My observations:
Perhaps you applied the MS patch but it is hard to avoid similar evasion of technique in the moment because of the following reason.
C++ Exception Handling. An exception is a problem that arises during the execution of a program. A C++ exception is a response to an exceptional circumstance that arises while a program is running, such as an attempt to divide by zero. Exceptions provide a way to transfer control from one part of a program to another.

Suggestion: Enforce the control by SIEM or deploy MSS services.

2019 headline news – a data breach may impact nearly 2.4 million Blur users

Preface: Data breaches continue to be a threat to consumers. Many companies were hacked and likely had information stolen from them since January 2017.

Headline news Jan 2019:  Abine announced that they learned on 13th December 2018 that a file containing information from customers who had registered prior to January 2016 was exposed online.

Who is Abine? Abine is a Boston-based privacy company. Led by consumer protection, privacy, and identity theft experts.

Official findings of data breaches: The file was in a “mis-configured Amazon S3 storage bucket that was being used for data processing.

User Tips: AWS code of law

  • You can enable Block Public Access settings only for buckets and AWS accounts. Amazon S3 doesn’t support Block Public Access settings on a per-object basis.
  • When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.

Should you have interest to know more details, please refer to official announcement: https://www.abine.com/blog/2018/blur-security-update/