Preface: Cyber attack similar real world. There are different types of ideas and concepts in the world make humans become extreme. So we have war and different arguments. Besides, there are bacteria and virus try to infect our body. Kernel like tiny world, they also hits above circumstances.
CVE-2019-10639 – Linux Kernel IP ID Values Information Disclosure Vulnerability. The vulnerability exists because it is possible to extract the Kernel Address Space Layout Randomization (KASLR) kernel image offset of the affected software using the IP ID values that the kernel produces for connectionless protocols.
CVE-2019-10638 – Linux Kernel Connectionless Protocols IP ID Values Information Disclosure Vulnerability. The vulnerability exists because the affected software uses the IP ID values that the kernel produces for connectionless protocols.
Reference: The IDR provides the ability to map an ID to a pointer, while the IDA provides only ID allocation, and as a result is much more memory-efficient.
CVE-2018-20815 – The vulnerability is due to buffer errors in the deprecated load_image function, as defined in the device_tree.c source code file of the affected software.
Summary: The impact of above vulnerability especially CVE-2018-20815, a large footprint of impact to virtual machine software provider. IP ID Values Information Disclosure Vulnerabilities has been addressed by Kernel.org. But Linux user must staying alert.
Preface: UEFI has slowly come to replace BIOS. Whereby Intel schedule to completely replace BIOS with UEFI on all chipsets by 2020.
Quote: Firmware is software, and is therefore vulnerable to the same threats that typically target software.
Technical details: From technical point of view, EFI Runtime services are usually located below 4GB. As a result it has a way into Linux on high memory EFI booting systems.
What is the different when malware alive into these areas?
Malware injected into the address space is transient, and will be cleaned up on the next boot.
Malware injected into the firmware flash regions is persistent, and will run on every subsequent boot
Using the follow command can display x509 v3 digital certificate and confirm thatgrubx64.efi can read (/boot/efi/EFI/fedora/)grub.cfg. Oh! It is easy to access this file when you have root privileges. But do not contempt this issue.
Preface: Cyber Security expert not suggest access SCADA Dashboard from external area (internet). But we can use VPN establish connection then sign on as a workaround.
Background:Advantech WebAccess/SCADA is a browser-based SCADA software package for supervisory control, data acquisition and visualization.
Vulnerability details: In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data.
CVE-2019-10989 – The specific flaw exists within the implementation of the 0x113d1 IOCTL in the webvrpcs process.
CVE-2019-10991 – The specific flaw exists within bwclient.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process.
CVE-2019-10993 – The specific flaw exists within the implementation of the 0x27E9 IOCTL in the webvrpcs process.
Summary: Stack based & heap based buffer overflow and untrusted pointer dereference Remote Code Execution are all found in this product. Ioctl is a function in the device driver that manages the device’s I/O channels. The so-called I/O channel management is to control some characteristics of the device.
Reference: A stack-based buffer overflow vulnerability exists in a call to strcpy. Strcpy is one of the functions of the C language. It comes from the C standard library, defined in string.h, which can copy a memory block with a null end character into another memory block. So attacker can leverage this vulnerability to execute code under the context of Administrator.
Preface: The string of attacks last month on tankers near Hormuz. It alerting to related industry and countries about bottleneck on supply chain.
Quote: The head of Indonesian Maritime Security Agency, said it’s looking into the issue. And it doesn’t see why China raised the alert status?
From technical point of view: As a matter of fact, it is not difficult to make trouble to world by cyber attack nowadays. For example, Ransomware or exploit the vulnerability on the computer system. As far as we know, on the tankers side, it install GPS and management system. Those systems are the Windows or Linux OS base of machines. If you are belongs to marine industry especially shipping company, see whether you are require to re-cofirm the patch level of your maritime bandwidth management system. Do not let those vulnerabilities causes shipping traffic jam. For more details, please see below url for reference.
Perhaps not merely the specified vulnerability. Should you interested if the Headline news. Please refer below:
Preface:The cloud can be managed with a web-based dashboard or command-line clients, which allow administrators to control.At the same time it lures the arrival of cyber attackers.
Product background: Red Hat OpenStack Platform provides the foundation to build a private or public Infrastructure-as-a-Service (IaaS) cloud on top of Red Hat Enterprise Linux.
A SQL-injection vulnerability was found in openstack-ironic-inspector’s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results An attacker could exploit this vulnerability by submitting malicious introspection data to the targeted system. A successful exploit could allow the attacker to conduct SQL injection attacks on the targeted system.
Remediation: Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
Preface: Switched Fabric or switching fabric is a network topology in which network nodes interconnect via one or more network switches.
What is Cisco ACI? – Cisco ACI is a tightly coupled policy-driven solution that integrates software and hardware. The hardware for Cisco ACI is based on the Cisco Nexus 9000 family of switches. The software and integration points for ACI include a few components, including Additional Data Center Pod, Data Center Policy Engine, and Non-Directly Attached Virtual and Physical Leaf Switches.
Vulnerability background & details: 802.1AB(LLDP) build in May 2005. LLDP was developed as an open and extendable standard. It was modeled on and borrowed concepts from the numerous vendor proprietary discovery protocols such as Cisco Discovery Protocol (CDP), Extreme Discovery Protocol (EDP) and others. At that time cyber security not as serious today. So the design weakness extend till today and causes an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN.
We seen the impact posted by Cisco. They state that if strict mode is configured, this vulnerability cannot be exploited. Strict mode enforces further firmware security checks before allowing a connection.
Remark: Only Cisco Discovery Protocol provides an additional capability not found in LLDP-MED that allows the switch to extend trust to the phone. That is the phone will be trusted to mark the packets received on the PC port accordingly.
Preface: ESXi is not built upon the Linux kernel, but uses an own VMware proprietary kernel (the VMkernel) and software, and it misses most of the applications and components that are commonly found in all Linux distributions.
In common Linux circumstances to avoid SACK vulnerabilities. The workaround are:
Preface: As time goes by, As time goes by, the common software design mistake found on business computer world now extend to industrial area. The impact includes SCADA , PLC and graphical user interfaces software.
Design defect: On systems, a default administration account exists which is set to a simple default password which is hard-coded into the program or device.From cyber security point of view, it is not the best practices. Meanwhile it boots up the overall risk level.
Vulnerability details: Design limitation encountered on ABB HMI components: A hidden administrative accounts embedded. This credential will be used during the provisioning phase of the HMI interface. Apart from that the credentials allow the provisioning tool “Panel Builder 600” to flash a new interface and Tags (MODBUS coils) mapping to the HMI.
Impact: An attacker can use these credentials to login to ABB HMI to control the operations. Those credentials are used over both HTTP(S) and FTP. Furthermore it let the attacker receive the read/write authority. As a result, it provide a pathway to implant malware into the system.
Preface: If victim is not negligence. Can we give an excuse to him?
Company background: Orvibo, a Chinese smart home solutions provider.
Story begin: A technical report shown to the world that Orvibo (ElasticSearch cluster) leaked more than two billion user logs containing sensitive data of customers from countries all over the world. Does the admin using easy to guess password or………
Impact: Diminished reputation of the company only. Perhaps more, GDPR penalty, phishing scam,..etc. Most likely customer do not aware and let the attacker hunt the victim easier because criminal will counterfeit their personal information.
If you are aware your personal information has been stolen by above incident. What should You do?
Since hacker know your personal details and therefore they will using your information to conducting criminal activities on other public media. Our suggestion is that changing your password and update the virus signature or OS patching are not enough. You must observer your mail box whether scam mail activities is growth rapidly after this incident. If result shown positive, you must contact your email service provider and looking for their recommendations.