CVE-2019-11577 – dhcpcd up to 7.2.0 dhcp.c DHO_OPTSOVERLOADED memory corruption (29th Apr 2019)

Preface: IT world can’t without DHCP function! It looks like public vehicle in our daily life.

Background: dhcpcd is a DHCP and DHCPv6 client. It is currently the most feature-rich open source DHCP client.

Vulnerabilities Details:
One of the vulnerabilities exists because the dhcp6_findna() function (src / dhcp6.c source code file) does not correctly handle reading specific addresses.
The idea of exploiting this vulnerability involves modifying ebp to point to a part of the buffer where a return address can be read from, and at the same time, points to the payload within the same buffer. We so called 1-byte buffer overflows.R

Remedy:

DHCPv6 – https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6
DHCP – https://roy.marples.name/projects/dhcpcd

Docker Hub hack! 25th Apri, 2019

Preface: Docker Hub hack exposed data of 190,000 users

Incident details: On Thursday, 25th April, 2019 Docker Hub discovered unauthorized access to a single Hub database storing a subset of non-financial user data.

Impact: Data breach includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.

Doubt: Since Docker provides mirror service for Docker users especially Greater China area. Is there any problem found in this place?

Headline News: https://www.zdnet.com/article/docker-hub-hack-exposed-data-of-190000-users/

A Vulnerability in Oracle WebLogic Could Allow for Remote Code Execution – 26th April 2019

Preface: On April 17, 2019, the National Information Security Vulnerability Sharing Platform (CNVD) recorded the Oracle WebLogic wls9-async deserialization remote command execution vulnerability reported by China Minsheng Banking Co., Ltd.

Synopsis: There are reports of this vulnerability being actively exploited in the wild in April 2019.

Vulnerability details:
CVE-2019-2725 – A vulnerability has been discovered in the Oracle WebLogic components (WLS9_ASYNC and WLS-WSAT) that could allow for remote code execution. But this vulnerability seems not a zero-day. The similar vulnerability has been found in 2017.
Perhaps attached diagram can provides hints to you.

Non official remedy:
Option 1: Find and delete ws9_ async_response.war, wIs-wsat.war and restart the Weblogic service.

Option 2: Control access to URLs for /_async/* and /wls-wsat/* (note) paths through access policy control.

Official announcement: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

PHP Vulnerability Alert – 25th Apr 2019

Preface: Error handling in PHP is still primitive. However you can code your way around most problems.

Synopsis: From technical point of view, a JPEG file with malicious EXIF data, and a PHP code that executes it. This PHP code can be easily inserted into any other PHP file found in the server, probably not noticed as malicious in a quick check.

Vulnerability details:
PHP EXIF exif_iif_add_tag Heap Buffer Overflow Vulnerability – A successful exploit could allow the attacker to access sensitive information, which could be used to conduct additional attacks.
PHP EXIF exif_process_IFD_in_MAKERNOTE Heap Buffer Overflow Vulnerability – A successful exploit could allow the attacker to access sensitive information, which could be used to conduct further attacks.

Remedy: PHP Project has released software updates, please refer url: https://php.net/downloads.php

ISC Releases BIND Security Updates – 25th Apr 2019 (CVE-2019-6467,CVE-2019-6468 & CVE-2018-5743)

Preface: Operating system · Linux, NetBSD, FreeBSD, OpenBSD, macOS, Windows · Type · DNS server · License · Mozilla Public License (ISC license before 9.11). Website, www.isc.org/downloads/bind. BIND is the most widely used Domain Name System (DNS).

Alert: A design limitation of BIND let remote attacker could exploit these vulnerabilities to cause a denial-of-service condition. Official details shown as below:

CVE-2019-6467: https://kb.isc.org/docs/cve-2019-6467
CVE-2019-6468: https://kb.isc.org/docs/cve-2019-6468
CVE-2018-5743: https://kb.isc.org/docs/cve-2018-5743

Technical highlight: CVE-2018-5743 flaw impact the limiting simultaneous TCP clients is ineffective. It potentially lead to exhaustion of all available free file descriptors on that system. That is, when you open a file, the operating system creates an entry to represent that file and store the information about that opened file. So if there are 50 files opened in your OS then there will be 50 entries in OS (somewhere in kernel). So it may potential trigger additional unknown vulnerability.

Apr 2019 – A vulnerability in NTP could allow an unthenticated, remote attack to compromise a target system completely.

Preface: Kiss O’Death Packet and Other NTP Vulnerabilities potentially turn back the Internet’s Clocks and causes unpredictable problem.

NTP vulnerability – historical record: There was a loophole in 2013,, the attack relies on the exploitation of the ‘monlist’ feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices. This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim.

CVE-2019-11331 vulnerability details: The vulnerability is due to improper use of UDP port 123 by the affected software. Threat actor can make a malicious packet input to the targeted system. A successful exploit could allow the attacker to conduct an off-path attack.

Remedy: NTP.org had not released a security advisory. Stay tuned.

Much of the Python ecosystem already uses urllib3 but no exception. It has vulnerability occurred! CVE-2019-11324 – 23rd Apr 2019.

Preface: An IT ecosystem is “the network of organizations that drives the creation and delivery of information technology products and services.

About urllib3: Much of the Python ecosystem already uses urllib. It brings additional features that are missing from the Python standard libraries. For instance – Client-side SSL/TLS verification, Helpers for retrying requests and dealing with HTTP redirects,……

Vulnerability details: A vulnerability in urllib3 could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system.

Findings: The vulnerability exists because the affected software mishandles CA certificates that are related to the use of the ssl_context, ca_certs, or ca_certs_dir parameters.

Remedy: Software updates at the following link: https://github.com/urllib3/urllib3/releases

CVE-2019-0228 Apache PDFBox XML Parser XML External Entity Vulnerability – 22nd Apr 2019

Preface: We are all familiar with the .doc and .pdf formats. Because this is our choice in the business world.

Synopsis: Apache PDFBox is an open source pure-Java library that can be used to create, render, print, split, merge, alter, verify and extract text and meta-data of PDF files.

Vulnerability details: A vulnerability in Apache PDFBox could allow an unauthenticated, remote attacker to conduct an XML External Entity (XXE) attack on a targeted system. Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a
crafted XFDF.

Remedy: Apache has released software updates at the following link: https://pdfbox.apache.org/download.cgi

RubyGems Gem Installation Arbitrary Code Execution Vulnerability – CVE-2019-8324 (Apr 2019)

Preface: In general, Ruby is a good language for game development. Apart from that Ruby has been used by companies like Twitter, Airbnb, Shopify, Github, Slideshare, Basecamp and Shopify.

Synopsis: RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a “gem”).

Vulnerability details: CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution. For more details, please refer to attached diagram.

Remedy: RubyGems has released software updates at the following link: https://rubygems.org/pages/download

Magento security consideration – SQL injection (Apr 2019)

Preface: When I was young, I am afraid for Injection therapy. Yes, is my butt. Perhaps such circumstance is also apply to software application system!

Synopsis: Magento Commerce, providing end-to-end solutions that suit clients’ needs.

Vulnerability details: A vulnerability in Magento could allow an unauthenticated, remote attacker to conduct an SQL Injection attack against a targeted system. The vulnerability is due to the insufficient validation of user supplied input submitted to the affected software. An attacker could exploit this vulnerability by sending a request that submits malicious input to the targeted system.

Remediation: https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update