A design flaw – The CVE dictionary entry submitted on 2018 (cve-2018-10239), vendor official announcement of the first publication on May 13, 2019.

Preface: You can still find the default username and password on your computer today! Coincidentally, they share common characteristics. They have super user capabilities.

Synopsis: Infoblox delivers essential technology to enable customers to manage, control and optimize DNS, DHCP, IPAM .

Vulnerability Details: A privilege escalation vulnerability in the “support access” feature on Infoblox NIOS 6.8 through 8.4.1 could allow a locally authenticated administrator to temporarily gain additional privileges on an affected device and perform actions within the super user scope.

Enabling this feature allows Infoblox Support (Tier 3 access) to perform root level diagnostics on an appliance that is in severe distress. A special key is required to access the appliance at root level, and only Infoblox Support (Tier 3) can generate this key.

But do you think the following details need attention? Only superusers can access the CLI. To ensure security, access to the CLI is permitted through a direct console connection only. Note that activating the option Enable Remote Console Access in the Grid or Member Properties editor will result in a non-compliant system.

Use the following default user name and password to login.
admin
infoblox

Remark: Default password can be changed.

Remedy: Issue has been resolved in NIOS 8.4.2.

Country to country APT attack mechanism not complex, believe that it exploit design flaw instead of backdoor – Jun 2019

Preface: It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, …

Synopsis: Mongoose is a cross-platform embedded web server and networking library with functions including different protocol (TCP, HTTP, WebSocket, Server MQTT client and broker). Since the footprint is small and capable to enables any Internet-connected device to function as a web server. Whereby, the temperature, weather monitoring device and Smart City sensor will make use of it. Most nuclear reactors use water as a moderator, which can also act as a coolant. So IoT temperate is the major component in this area.

Reference: When temperature senor sense the temperature exceed safety level. It will apply graphite to slows neutrons fission.
So the logarithmic reduction of neutron energy per collision.

Vulnerability details: A vulnerability in Cesanta Mongoose could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Remedy: At the time this alert was first released, the vendor has not issued a security advisory.

Microsoft Exchange server 2013 and new version of product are vulnerable to NTLM relay attacks (2019)

Preface: A privilege escalation is possible from the Exchange Windows permissions (EWP) security group to compromise the entire prepared Active Directory domain.

Vulnerability details: A tool capable for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTP Listener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the target, an NTLM negociation occurs and is relayed to the target EWS server.

Hints: Do not contempt the vulnerability on workstation. It is one of the way which assists the hacker to do the privileges escalation. If the compromised workstation is the domain member. Hacker relies on NTLM vulnerability to do the priviliges escalation. That is, they remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA). For instance, the Exchange server and ADFS (Active Directory Federation Services).

Official announcement:

Apply an update – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686

Disable EWS push/pull subscriptions – In an Exchange Management console, execute the following commands:

  • New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope
  • Organization -EwsMaxSubscriptions 0
  • Restart-WebAppPool -Name MSExchangeServicesAppPool

Linux world worries! CVE-2019-11477 TCP SACK PANIC – Kernel vulnerability (Jun 2019)

Preface: Router, SD-WAN,Load-balancer, Firewall and IDS and virtual machine. Their operations are based on Linux operation system.

Background: A Selective Acknowledgment (SACK) mechanism, combined with a selective repeat retransmission policy, can help to overcome these limitations. The receiving TCP sends back SACK packets to the sender informing the sender of data that has been received.

Vulnerability details: The ‘tcp_gso_segs’ and ‘tcp_gso_size’ fields are used to tell device driver about segmentation offload. Linux SKB can hold up to 17 fragments.
With each fragment holding up to 32KB on x86 (64KB on PowerPC) of data.During this tranmission of data, the SKB structure can reach its maximum limit of 17 fragments and ‘tcp_gso_segs’ parameter can be exploited by hacker and do the overflow effect. As a result an vulnerability occurs.

Remedy: Login as “root”
echo “0” > /proc/sys/net/ipv4/tcp_sack
echo “net.ipv4.tcp_sack = 0” >> /etc/sysctl.conf
sysctl -p

Reference article: https://kb.cert.org/vuls/id/905115/

Status update (26th Jun 2019) – Linux SACK Panic vulnerability CVE-2019-11477 impact F5 Network. The information shows in following url. https://support.f5.com/csp/article/K78234183

CVE-2019-1625 Cisco SD-WAN Solution Privilege Escalation Vulnerability – Jun 2019

Preface: Add the Viptela SD-WAN technology to the IOS XE software running the ISR/ASR routers. Both Cisco ASR and ISR routers offer secure WAN connectivity.

Vulnerability details: A vulnerability in the CLI of Cisco SD-WAN Solution could allow an authenticated, local attacker to elevate lower-level privileges to the root user on an affected device.

Root Cause Analysis: Remote attacker to overwrite arbitrary files on the underlying operating system of an affected device. An attacker could exploit this vulnerability by modifying the “save command in the Command Line Interface (CLI) of an affected device.

Impact: A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system of an affected device and escalate their privileges to the root user .

Reference: To save the user preferences class to an XML file simply create an XML Writer and invoke the Serialize method.

Remedy: Cisco has released free software updates that address the vulnerability described in this advisory. Please refer to url – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-sdwan-privesca

CVE-2019-4103 IBM Tivoli Netcool Impact Arbitrary Command Execution Vulnerability – Jun 2019

Preface – You never know what will be happened tomorrow.

Synopsis: A vulnerability in IBM Tivoli Netcool Impact could allow an authenticated, adjacent attacker to execute arbitrary commands on a targeted system.

Vulnerability details: A vulnerability in IBM Tivoli Netcool Impact could allow an authenticated, adjacent attacker to execute arbitrary commands on a targeted system.At the time this alert was first published, the exploit vector was unknown due to vendor not disclosed the details.We believe that IBM Tivoli Netcool Impact 7.1 has encountered the open source vulnerabilities. The defect might be caused by CVE-2015-0227. Apache WSS4J could allow a remote attacker to bypass security restrictions, caused by the failure to properly enforce the requireSignedEncryptedDataElements property. An attacker could exploit this vulnerability using various types of wrapping attacks to bypass security restrictions and perform unauthorized actions.

IBM has released software updates at the following link: https://www-01.ibm.com/support/docview.wss?uid=ibm10881009

It is hard to judge it was a self defense or attack. New York Times cyber attack news – 16th Jun 2019

Preface: Sometime, the argue in between two countries similar a child. I am going to joke with you then switch off your power.

Highlight: Headline news by the New York Times give a tremendous feeling to the world. It let the people think the cyber war is on the way. Yes, it is true. The plan to implement Astra Linux in Russian defense systems dates back to the beginning of 2018. As far as we know, Russian do not relies on Microsoft operation system anymore especially critical facilities (military, defense system and power grid). Astra Linux compatible with Siemens Simatic IPC427D workstation. And therefore it is secure to implement in power supplier facility. But….

However it is hard to guarantee the vendor hardware vulnerability, right? For instance, Denial-of-Service Vulnerability in SIMATIC S7-1200 CPU and SIMATICS7-1500 CPU.

Remark: SIEMENS SCADA software family consists of three main pillars, WinCC Pro, WinCC 7 and WinCC … WinCC Pro is popular and can be used in any – discrete or process.

Reference: https://cert-portal.siemens.com/productcert/pdf/ssa-584286.pdf

What is your opinion on the headlines of the New York Times? Do you think this is a conspiracy?

Looking back – The Russia hacked the US electric grid. DHS and FBI are characterizing it as a Russian attack, noting that this was a multiyear campaign started in March 2016 by Russian government “cyber actors.”
The unconfirmed accusation of cyber attack to Russia posted by New York Times. Do you think it was a defensive action by US government?

Headline news https://www.nytimes.com/2019/06/17/world/europe/russia-us-cyberwar-grid.html

Astra Linux features:

– Compatibility with the Komrad SIEM system
– FSTEC certificates of the Russian Federation and FSB of the Russian Federation on Astra Linux of SE (release Smolensk)
– Compatibility with the Simatic IPC427D workstation
– Compatibility with Videoselektor
– Minobona’s certificate of the Russian Federation and FSB on Astra Linux of SE (release Leningrad)
– Compatibility with Mellanox Spectrum
– Compatibility with TerraLink xDE
– Tests of BLOK computers running SE 1.6 Astra Linux OS
– Availability of an official mirror of a repository of Astra Linux OS on mirrors.kernel.org
– Compatibility with JaCarta
– Compatibility with CryptoPro CSP on Elbrus and Baikal processors
– Compatibility with Linter DBMS

Vulnerability might jeopardize IoT world – CVE-2019-10160 Python Security Regression Unicode Encoding Vulnerability (Jun 2019)

Preface: IoT device similar a delivery arm of robotic concept. They are the python language heavy duty users.

Python language married with IoT devices – For IoT, there has been a variant of python called Micropython , that lets you program for IoT in Python. Additionally, developer can use Raspberry Pi to program your IoT applications in Python.

Vulnerability details: A vulnerability in the the urllib.parse.urlsplit and urllib.parse.urlparse components of Python could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system.

Synopsis: Python Web application (Web Frameworks for Python) which accepting Unicode URL will be converted to IDNA (Punycode) or ASCII for processing. This conversion will decompose certain Unicode characters that can affect the netloc part of your URL, potentially resulting in requests being sent to an unexpected host.

Remark: Parse a URL into six components, returning a 6-item named tuple. This corresponds to the general structure of a URL: scheme://netloc/path;parameters?query#fragment.

Remedy: Python has released a patch at the following link – https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468

It will jeopardizing 400,000 Linux system in the world – Exim Releases Security Patches (alert issued in Jun 2019)

Preface: Exim is growing in popularity because it is open source.

Background:It’s the default mail transport agent installed on some Linux systems.It contain feature likes:
Lookups in LDAP servers, MySQL and PostgreSQL databases, and NIS or NIS+ services.

Vulnerability details: The vulnerability was patched in Exim 4.92, released on February 10, 2019. The vulnerable code is in “deliver_message()”. A vulnerability exists because the email address in the deliver_message() function in /src/deliver.c is not fully validated. So local attackers simply send emails to “${run{…}}@localhost”. Since “localhost” is a local domain of Exim) and execute as root (system privileges).

Remark: Deliver_drop_privilege is set to false by default.

Attack synopsis: If the “verify = recipient” ACL is manually deleted then remote attack will be occurred. Attacker can reuse our local-exploitation method with an RCPT TO “xxx+${run{…}} @ localhost”. Where “xxx” is the name of the local user .

For official details, please click on the link – https://www.exim.org/static/doc/security/CVE-2019-10149.txt

CVE-2019-3567 osquery design flaw – unintended create hidden place for malware Jun 2019

Preface: Need to know what processes are running on a given machine? A servers current CPU temperature? Verify a hard drive is encrypted? OSQUERY can do, even though security monitoring.

Technical background: osquery is a tool that exposes an operating system as a high-performance relational database.The design founded by Facebook. It enables developers to write SQL-based queries that explore operating system data includes the following:

  • Running processes
  • Loaded kernel modules
  • Open network connections
  • Browser plugins
  • Hardware events
  • File hashes

Vulnerability detail: Osquery running on windows or Linux system requires the daemon configured to be a system service. Meanwhile, this operation will make service daemon receive the system privileges. The design feature of osquery unintended let attacker has a way pass the file to a hard link parent folder. So it is similar to create a hidden area for malware. Under such circumstances the malware payload can be operate under SYSTEM permissions. The official announcement is as follows: https://www.facebook.com/security/advisories/cve-2019-3567