CVE-2019-10063 – Security update for Flatpak, 29th Mar 2019.

Preface: Coding is the process of translating and writing code from one language into another to support a given operating system platform.

What is Flatpak?

If a Linux user finds that a new application is not available in the app stores, they can install it via DEB or RPM packages. Some applications are available via PPAs (for Debian based distributions), and failing that, one can build from the source code. Flatpak provides a third way.

Vulnerability Details: The vulnerability exists because the affected software does not use its seccomp filter to prevent sandboxed applications from using the TIOCSTI ioctl.

Reason:

The snapd default seccomp filter for strict mode snaps blocks the use of the ioctl() system call when it is called with TIOCSTI as the second argument. But it didn’t! The fact is that the restriction could be circumvented on 64-bit architectures because the filter performs a 64-bit comparison, but the system call is defined with a 32-bit command argument in the kernel.

A similar design flaw was discovered in the libseccomp package!

Remedy: https://github.com/flatpak/flatpak/releases

Observation: A similar design flaw might soon be found in other software.

VMware security updates – 29th Mar 2019

Synopsis: Session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system.

In software development, time of check to time of use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check.
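The check-then-use gap described above, shown as an added example (this is not VMware's code and does not model any specific VMware product). The racy opener performs two separate path lookups, one for the check and one for the use; the hardened opener opens first and then inspects the descriptor it actually holds, so the check is bound to the object being used. The demo scenario constructs a regular file and a symlink to it in a private directory under `/tmp`, which is an assumption about the host:

```c
/* Added example (not VMware's code): the check-then-use gap that defines a
 * TOCTOU bug, beside an opener that checks the very object it holds.
 * Assumption: a POSIX system with a writable /tmp. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: stat() resolves the path once, open() resolves it again.
 * Whatever the first lookup proved can be invalidated before the second
 * (the path swapped for a symlink, a FIFO, ...), so the "is a regular file"
 * check does not bind to the file that is finally used. */
int open_regular_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                          /* time of check */
    return open(path, O_RDONLY);            /* time of use: a second lookup */
}

/* Hardened: open first, refusing to follow a symlink at the last component,
 * then inspect the descriptor. fstat() describes exactly the object the fd
 * refers to, so check and use can no longer disagree. */
int open_regular_safe(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                          /* opened fine, but not a regular file */
        return -1;
    }
    return fd;
}

/* Scenario: a regular file reached through a symlink (constructed in a
 * private temp directory). Returns 1 when the racy opener accepts the link
 * and the safe opener refuses it, 0 otherwise, -1 on setup failure. */
int demo_symlink_case(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[64], link[64];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    int result = -1;
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd >= 0 && symlink(target, link) == 0) {
        int racy = open_regular_racy(link);   /* stat() follows the link */
        int safe = open_regular_safe(link);   /* O_NOFOLLOW: fails with ELOOP */
        result = (racy >= 0 && safe < 0) ? 1 : 0;
        if (racy >= 0) close(racy);
        if (safe >= 0) close(safe);
    }
    if (tfd >= 0) close(tfd);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("symlink case: racy accepts, safe refuses -> %d\n", demo_symlink_case());
    printf("directory '/' via safe opener -> %d (refused)\n", open_regular_safe("/"));
    return 0;
}
```

The general rule the hardened version follows is to perform every check on the handle (file descriptor) rather than on the name, because only the handle is guaranteed to refer to the same object at the time of use.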

Out-of-bounds read: the program reads data from outside the bounds of allocated memory. Buffer overflow is probably the best-known form of software security vulnerability.

Current Status: VMware has addressed the above issues in its products. For more details, please refer to the URLs below:

vCloud Director SP – https://www.vmware.com/security/advisories/VMSA-2019-0004.html

ESXi, Workstation and Fusion – https://www.vmware.com/security/advisories/VMSA-2019-0005.html

CVE-2019-9893 – The libseccomp Project has released an update (28th Mar 2019)

Preface: The libseccomp package provides an easy to use and platform independent interface to the Linux kernel’s syscall filtering mechanism.

Technical background: Syscall filtering is a security mechanism that allows applications to define which syscalls they should be allowed to execute.

Vulnerability detail: The design mistakenly performed 64-bit comparisons using 32-bit operators, leading to a number of potential problems with filters that used the LT, GT, LE, or GE operators:

LT (less than)
GT (greater than)
LE (less than or equal to)
GE (greater than or equal to)
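The Flatpak entry above and this libseccomp entry share one root cause: a syscall argument is 64 bits wide in the seccomp filter but narrower in the kernel, so a comparison written against the full 64-bit value does not match what the kernel actually uses. The added example below (not Flatpak's or libseccomp's own code) models the Flatpak case: a hand-written classic-BPF rule that denies ioctl() only when args[1] equals TIOCSTI as a 64-bit value, beside a rule that compares only the low 32 bits the kernel will see. A tiny interpreter for the three BPF opcodes used evaluates both rules against synthetic `seccomp_data` records, so no filter is installed in the running process. It assumes Linux UAPI headers and the little-endian argument layout of x86-64; the ordering-operator (LT/GT/LE/GE) problem described for libseccomp is the same width mismatch but is not modelled here.

```c
/* Added example (not Flatpak's or libseccomp's code): why a seccomp-bpf rule
 * that matches the full 64-bit ioctl request against TIOCSTI can be bypassed
 * when the high 32 bits are set. The kernel's ioctl entry point takes the
 * request as an unsigned int, so it only ever sees the low 32 bits. A tiny
 * classic-BPF interpreter evaluates two hand-written filters against
 * synthetic seccomp_data records; no filter is installed in this process.
 * Assumptions: Linux UAPI headers, little-endian (x86-64) layout. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>      /* TIOCSTI */
#include <sys/syscall.h>    /* SYS_ioctl */
#include <linux/filter.h>   /* struct sock_filter, BPF_STMT, BPF_JUMP */
#include <linux/seccomp.h>  /* struct seccomp_data, SECCOMP_RET_* */

#define NELEM(a)  (sizeof(a) / sizeof((a)[0]))
#define ARG_LO(n) ((uint32_t)(offsetof(struct seccomp_data, args) + 8 * (n)))
#define ARG_HI(n) (ARG_LO(n) + 4)
#define DENY      (SECCOMP_RET_ERRNO | EPERM)
#define ALLOW     SECCOMP_RET_ALLOW

/* Vulnerable shape: deny only when args[1] == TIOCSTI as a 64-bit value,
 * i.e. low word == TIOCSTI AND high word == 0. Any non-zero high word
 * slips past, yet the kernel truncates it away and still runs TIOCSTI. */
static const struct sock_filter vuln_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 3),  /* lo != TIOCSTI: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),        /* hi != 0: allow */
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, ALLOW),
};

/* Fixed shape: compare only the low 32 bits, matching what the kernel uses
 * (the equivalent of a masked comparison with 0xFFFFFFFF). */
static const struct sock_filter fixed_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),  /* lo != TIOCSTI: allow */
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, ALLOW),
};

/* Minimal classic-BPF interpreter covering the three opcodes used above.
 * Unknown opcodes fail closed. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:              /* acc = 32-bit word at sd + k */
            memcpy(&acc, (const char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:             /* pc += (acc == k) ? jt : jf */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Build the record the kernel would hand to the filter for ioctl(fd, request, ...). */
static int denies_ioctl(const struct sock_filter *prog, size_t len, uint64_t request)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = SYS_ioctl;
    sd.args[1] = request;
    return run_filter(prog, len, &sd) != SECCOMP_RET_ALLOW;
}

int vuln_denies(uint64_t request)  { return denies_ioctl(vuln_filter, NELEM(vuln_filter), request); }
int fixed_denies(uint64_t request) { return denies_ioctl(fixed_filter, NELEM(fixed_filter), request); }

/* What the kernel's ioctl handler actually receives: `unsigned int cmd`. */
uint32_t kernel_sees(uint64_t request) { return (uint32_t)request; }

int main(void)
{
    uint64_t plain = TIOCSTI;
    uint64_t high  = (uint64_t)TIOCSTI | (1ULL << 32);  /* same low word */
    printf("kernel sees 0x%x for both requests\n", kernel_sees(high));
    printf("vuln  filter: plain denied=%d, high-bits denied=%d\n",
           vuln_denies(plain), vuln_denies(high));
    printf("fixed filter: plain denied=%d, high-bits denied=%d\n",
           fixed_denies(plain), fixed_denies(high));
    return 0;
}
```

The practical check this suggests for anyone maintaining a seccomp policy: for every argument the kernel consumes at a narrower width than 64 bits, the rule must compare only the bits the kernel reads (a masked comparison), and a regression test should feed the filter the same value with its upper bits set.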

Impact: Allows an unauthenticated, remote attacker to bypass restrictions and gain elevated privileges on a targeted system.

Fixed Software: https://github.com/seccomp/libseccomp/releases/tag/v2.4.0

CVE-2019-7609 – Do not dismiss a minor flaw; an alert signal for the big data analytics industry – 27th Mar 2019

Preface: Analyzing big data is not so easy.

Synopsis: Analyzing big data requires knowledge of enterprise search engines, which make content from different sources (enterprise databases, social media, sensor data, etc.) searchable to a defined audience. Elasticsearch is one of the free and open source enterprise search products.

Vulnerability detail: The vulnerability exists because the affected software mishandles user-supplied input. An attacker could exploit this vulnerability by sending requests that submit malicious input to the affected software.

Causes: Timeline uses the regular HTML DOM to render the timeline and the items placed on it, which allows flexible customization using CSS styling.
Through the HTML DOM, JavaScript can access and change all the elements of an HTML document.
This design limitation allows an attacker to execute arbitrary JavaScript code on the system.

Remedy: Refer to URL – https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077

Security Focus – Cisco design weakness – 27th Mar 2019

Preface: Vendors that operate with high visibility and proactively fix vulnerabilities produce products that are more secure than others.

Synopsis: From hardware appliances to software-based products, and from Layer 3 to Layer 7, the scope of operations has expanded, so it is hard to avoid vulnerabilities occurring.

Vulnerability Details:
Cisco IOS and IOS XE Software Network-Based Application Recognition Denial of Service Vulnerabilities – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-nbar

CVE-2019-1753: Cisco IOS XE Software Privilege Escalation Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-privesc

CVE-2019-1754: Cisco IOS XE Software Privilege Escalation Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-privesc

Remark: The total number of high-severity vulnerabilities is perhaps 19. The remainder address denial of service and command injection, but privilege escalation is our only focus this time, so the remainder are not shown in this discussion.

CVE-2019-3878: Uninett mod_auth_mellon ECP Authentication Bypass Vulnerability (26th Mar 2019)

Preface: According to Netcraft statistics from January 2019, the Apache server's market share reached 30.88%.

Technical background: The Apache server not only provides a web server service; it can also be configured as a reverse proxy to improve the isolation level of the web infrastructure. Single sign-on authentication has grown significantly in the past few years. A popular web architecture model sets up Apache as a reverse proxy service and integrates it with single sign-on (SAML) functionality.

Vulnerability detail: If Apache is configured as a reverse proxy with mod_auth_mellon for authentication, the authentication can be bypassed by adding SAML 2.0 ECP headers to the request.

Official announcement and security fixes: https://github.com/Uninett/mod_auth_mellon/releases

Headline News: ASUS Live Update software hit by Advanced Persistent Threat (APT) groups implanting a backdoor – 26th Mar 2019

Preface (Attack roadmap): ASUS Live Update software installed on laptops and PCs suffered a cyber attack between June and November 2018. Hackers implanted a backdoor into the live update software!

Observation: The ASUS software configures the network using the Dynamic Host Configuration Protocol and then makes a plain HTTP request to a remote server to check whether a newer version of the UEFI BIOS firmware is available than the version currently running on the system. Thus, there is no SSL protection, nor any verification that it is actually talking to the correct remote server.

Official announcement: ASUS's response to the recent media reports regarding the ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups (URL below for reference): https://www.asus.com/News/hqfgVUyZ6uyAyJe1

CVE-2018-18252 found: CapMon enhances its privileged command handling technique in the new version.

Preface: In order to avoid cyber attacks and insider threats, monitoring is a critical feature in the IT world.

Background: CapMon monitors and collects information from the infrastructure and applications. The system does not require installation of extra software on other units in the network. CapMon IT monitoring has a Web based user interface, ensuring fast access to the various functionalities.

Vulnerability details:
Design weakness in this software: all privileged commands “only” grant local administrator privilege. There is a command that allows for even higher privilege escalation, namely the “CALScriptDRUN” command.
The fact is that an issue was discovered in CapMon Access Manager 5.4.1.1005: CALRunElevated.exe provides “NT AUTHORITY\SYSTEM” access to unprivileged users via the --system option.

Should you be interested, please refer to the Improsec analysis report at the URL shown below: https://improsec.com/tech-blog/cam1

Front end secure, back end negligent! RSA® Authentication Manager – CVE-2019-3711

Preface: RSA Authentication Manager delivers intelligent, transparent, behind-the-scenes authentication to enhance every secure access scenario.

Product advantage: Take full advantage of virtualization in your organization to ease deployment, administration, and on-going system management.

Vulnerability details:
RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks.
Hints: Please refer to attached diagram.

Remedy:
Install RSA Authentication Manager version 8.4 P1 or a later version.

Coinbase acquisition hits controversy!

Preface: Coinbase announced in Feb 2019 that it had acquired Neutrino, a blockchain intelligence startup. The acquisition aims at analyzing data on public blockchains: Neutrino will help us prevent theft of funds from people’s accounts, investigate ransomware attacks, and identify bad actors.

Market status: Cryptocurrency users are tremendously worried because Neutrino (the acquired company) is run by former spyware developers, and Neutrino’s key staff have been involved with Hacking Team.

Recalling memories: Do you still remember the Italian surveillance company’s exploitation of CVE-2013-0633? The attacks involved DaVinci. Either HackingTeam sold the zero-day exploit to the parties carrying out these attacks, or those parties acquired the zero-day exploit that allowed them to install DaVinci from a different source. Hacking Team is held responsible for the above.

In the meantime, there is no further status update. Should you be interested in this news, please refer to the headline news by Bloomberg (see below): https://www.bloomberg.com/news/articles/2019-03-04/coinbase-risks-user-losses-after-buying-firm-with-spyware-ties?srnd=cybersecurity