CVE-2019-1867 – Cisco Elastic Services Controller REST API Authentication Bypass Vulnerability (May 2019)

Preface: A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API.

About REST API: The attacker is usually on the client side. Sometimes the compromise is of your REST API itself, where the victim is the REST API server, and the attacker creates a rogue, malicious app to talk to it. This is exactly what Cisco is addressing here.

Speculation: a hacker might exploit this by way of the Java package org.flowable.CallExternalSystemDelegate, packed into a jar.

Affected Products: Software Release 4.1, 4.2, 4.3, or 4.4 when the REST API is enabled.

Remark: The REST API is not enabled by default.

Official announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190507-esc-authbypass

CVE-2019-11683 – A vulnerability in the udp_gro_receive_segment function of the Linux Kernel could cause denial of service (May 2019)

Preface: 78% of vulnerabilities are found in indirect dependencies, making remediation complex – said snyk.io.

Description: GSO for UDP: Segmentation offload reduces cycles/byte for large packets by amortizing the cost of protocol stack traversal.

Vulnerability details: udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x through 5.0.11 allows remote attackers to cause a denial of service. The vulnerability exists because the udp_gro_receive_segment function, as defined in the net/ipv4/udp_offload.c source code file of the affected software, mishandles padded packets. A successful exploit could cause the system to crash, resulting in a DoS condition.

Remedy: Kernel.org has confirmed the vulnerability and released software updates – https://lwn.net/Articles/787532/

May 2019 – PrinterLogic shows weak vulnerability management

Preface: Patch management is the best practice of upgrading existing software applications to remove security weaknesses that could be exploited by hackers.

Background: PrinterLogic’s printer and driver management platform reduces infrastructure costs by eliminating print servers and providing centralized management of every printer on the network. Sold in both on-premise and cloud configurations, PrinterLogic also offers secure pull printing, mobile printing, and improved performance in virtual desktop (VDI) environments.

Vulnerability details: For more information on the vulnerability, please visit the following URL – https://www.kb.cert.org/vuls/id/169249/

Comment on CVE-2018-5409: If a compromised server connects to a DNS server and performs DNS and DNSSEC protocol-level fuzzing, it may crash the target server.

CVE-2019-1002101: Vulnerabilities found in Kubernetes’ kubectl cp command (3rd May 2019)

Preface: Some of the supercomputers in the world also run Kubernetes.

Technical background: kubectl controls the Kubernetes cluster manager. The "kubectl cp" command copies files and directories to and from containers.

Vulnerability details: An attacker can trick a user into using the kubectl cp command to copy and store a malicious tar file in a container. Successful exploitation may allow the attacker to overwrite or delete any file in the user's security context.

Remedy: Kubernetes has released a software update via the following link: https://github.com/kubernetes/kubernetes/releases

Comment: This vulnerability looks difficult to use to compromise a system. However, the level of risk depends on the features of the Docker services in use, so do not dismiss the issue; the level of risk is hard to predict.
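The kubectl cp issue above is about a tar archive whose entries land outside the directory they are copied into. As an added example (not kubectl's own code, and not from the original post), here is the kind of pre-extraction check a defender can put in front of any tar-based copy: it lists members whose path, or whose symlink target, escapes the destination directory. The archives are constructed in memory, and the destination directory `/tmp/dest` is an assumed value.

```python
import io
import posixpath
import tarfile


def unsafe_members(tar: tarfile.TarFile, dest: str = "/tmp/dest") -> list:
    """Return member names that would land outside `dest` on extraction.

    A member is unsafe if its normalised path leaves `dest` (absolute name
    or `..` components), or if it is a symlink/hardlink whose target
    resolves outside `dest`.
    """
    dest = posixpath.normpath(dest)
    bad = []
    for m in tar.getmembers():
        # posixpath.join discards `dest` when m.name is absolute, so an
        # absolute name shows up as an escape after normalisation.
        target = posixpath.normpath(posixpath.join(dest, m.name))
        if posixpath.commonpath([dest, target]) != dest:
            bad.append(m.name)
            continue
        if m.issym() or m.islnk():
            link_dir = posixpath.dirname(target)
            link_target = posixpath.normpath(posixpath.join(link_dir, m.linkname))
            if posixpath.commonpath([dest, link_target]) != dest:
                bad.append(m.name)
    return bad


def build_tar(entries) -> tarfile.TarFile:
    """Build an in-memory archive from (name, data, linkname) tuples.

    Constructed sample input: `linkname` not None makes a symlink entry,
    otherwise `data` becomes the file content.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        for name, data, link in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tw.addfile(info)
            else:
                info.size = len(data)
                tw.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Python 3.12 and later ship the same idea built in as extraction filters (`tar.extractall(path, filter="data")`).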

2nd May 2019 – Don’t let your SAP facility become a cyber attack target

Preface: It is estimated that a total of 1,000,000 SAP production systems could currently be at risk of being hacked.

Technical details:
When you configure SAP Router (saprouter) to allow remote connections (from the Internet) via the SAP GUI, the original design adds entries to the route table for TCP ports 3300, 3301, and 3303 for the external application being used (a gateway connection on these ports).

Default TCP gateway port exploited by hackers:
Because a default pathway is built, a hacker may have a channel to compromise the system, for example by sending malicious code in an attempt at remote code execution. In fact, a proof of concept showed the SAP backend responding to malicious code.

Remedy: If you outsource your cyber security watch-guard responsibility to a managed security services provider, they will create the YARA rules to deny such malicious activity.
If not, you are required to create the YARA rules yourself on your IDS. For more details, please refer to the diagram.
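Before writing IDS rules, it is worth checking what the route table actually permits. As an added example (not SAP's code and not from the original post), this audits a saprouttab for plain permit rules that let any source reach the gateway ports named above. The rule format (one rule per line: type, source, destination, service, optional password; `#` comments) follows the saprouttab syntax; the hosts and the sample table itself are constructed, and `sapapp01` is an invented hostname.

```python
# Ports named in the post; the SAP gateway in general listens on 33NN,
# where NN is the instance number, so 33NN and the sapgwNN service name
# are treated as gateway services too.
GATEWAY_PORTS = {"3300", "3301", "3303"}
RULE_TYPES = {"P", "D", "S", "KP", "KD", "KS"}

# Constructed sample route table, not a real configuration.
SAMPLE_SAPROUTTAB = """\
# constructed sample saprouttab
P 10.* sapapp01 3200          # internal GUI users to the dispatcher
P * sapapp01 3200             # Internet GUI users to the dispatcher
P * sapapp01 3300             # gateway reachable from anywhere
P * sapapp01 sapgw01          # gateway by service name, any source
D * * *
"""


def parse_saprouttab(text: str) -> list:
    """Parse route-table lines into dicts; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in RULE_TYPES:
            raise ValueError(f"line {lineno}: unrecognised rule {raw!r}")
        rules.append({"line": lineno, "type": fields[0], "src": fields[1],
                      "dst": fields[2], "svc": fields[3]})
    return rules


def is_gateway_service(svc: str) -> bool:
    """True for a gateway port (33NN), a sapgwNN service name, or the wildcard."""
    if svc == "*" or svc in GATEWAY_PORTS or svc.startswith("sapgw"):
        return True
    return svc.isdigit() and len(svc) == 4 and svc.startswith("33")


def exposed_gateway_rules(text: str) -> list:
    """Return (line, src, dst, svc) for permits from any source to a gateway service.

    saprouter matches rules top to bottom, so a permit placed after a
    matching deny never fires; this audit reports it anyway, which errs on
    the side of a false positive rather than a missed exposure.
    """
    return [(r["line"], r["src"], r["dst"], r["svc"])
            for r in parse_saprouttab(text)
            if r["type"] == "P" and r["src"] == "*" and is_gateway_service(r["svc"])]
```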

Cisco Security Advisories and Alerts – 1st May 2019

Preface: People judge an issue depending on their point of view. A design flaw or product limitation, seen from the normal point of view, makes people dissatisfied; it is annoying, and they blame the designer for what he is doing. Is he dreaming?
From the hacker's point of view, the flaw can become a backdoor.

Highlight: CVE-2019-1804 – Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Default SSH Key Vulnerability

Vulnerability details: The vulnerability occurs because a default SSH key pair is present in all devices. By default, most SSH implementations (e.g., OpenSSH) allow users to configure their own authorized key files (placing a public key in an account so they can access it using the matching private key). If organizations don’t keep an up-to-date inventory of authorized keys and review it regularly, users or even attackers may place authorized keys in unexpected places for future access.
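The inventory review just described can be partly automated. As an added example (not Cisco's code and not from the original post), this takes authorized_keys contents collected from several hosts and reports any public key that appears on more than one of them, which is what a default or shared key pair looks like from the defender's side. Fingerprints are computed the OpenSSH way (SHA256 of the decoded key blob, base64 without padding); the key blobs and host names below are constructed filler, not real keys or devices.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint of one authorized_keys line.

    Leading options (e.g. from="10.0.0.5") are skipped; options containing
    spaces inside quotes are not handled by this simple split.
    """
    fields = key_line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1], validate=True)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"not an authorized_keys entry: {key_line!r}")


def parse_authorized_keys(text: str):
    """Yield key lines, dropping blank lines and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def shared_keys(inventory: dict) -> dict:
    """Map fingerprint -> sorted hosts for every key present on two or more hosts."""
    seen = defaultdict(set)
    for host, content in inventory.items():
        for line in parse_authorized_keys(content):
            seen[fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


# Constructed sample: base64 of short strings stands in for real key blobs.
KEY_A = "ssh-ed25519 " + base64.b64encode(b"constructed-key-A").decode() + " vendor-default"
KEY_B = "ssh-rsa " + base64.b64encode(b"constructed-key-B").decode() + " admin@ops"
KEY_C = 'from="10.0.0.5" ssh-ed25519 ' + base64.b64encode(b"constructed-key-C").decode() + " ops@host3"
INVENTORY = {
    "switch1": KEY_A + "\n" + KEY_B + "\n",
    "switch2": "# managed keys\n" + KEY_A + "\n",
    "switch3": KEY_C + "\n" + KEY_A + "\n",
}
```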

Attention: For users who purchased directly from Cisco but do not hold a Cisco service contract, do not worry; you should provide the product serial number and the CVE reference number to Cisco as evidence of entitlement to a free upgrade. Besides, there are many security updates this week, so please contact your Cisco partner for update details.

Reference: Official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-nexus9k-sshkey

CVE-2019-11596: Memcached lru Commands NULL Pointer Dereference Vulnerability – 29th Apr 2019

Preface: In the modern smart world, efficiency is the keyword. Do we need that?

Background: Memcached is a decentralized cache memory system. Using Memcached can improve database performance. Redis and Memcached are both popular today because both are open-source products and both can boost database performance. Redis and Memcached are both in-memory data storage systems.

Vulnerability details: A vulnerability in Memcached could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.
The vulnerability exists because the lru mode and lru temp_ttl commands, as implemented in the memcached.c source code file, do not properly perform memory operations, which could result in a NULL pointer dereference error. NULL pointer dereference errors are common in C/C++ programs. A pointer is a programming language data type that references a location in memory; once the value at that location is read through the pointer, the pointer is said to be dereferenced.

Remedy: Remediation at the following links – https://github.com/memcached/memcached/commit/d35334f368817a77a6bd1f33c6a5676b2c402c02