Preface: Headline news – Critical VxWorks flaws expose millions of devices to hacking.
What is VxWorks? The VxWorks RTOS comprises the core capabilities of the Wind microkernel (not monolithic) along with advanced networking support, a powerful file system and I/O management, and C++ and other standard run-time support.
Vulnerability details: The vulnerabilities found in Wind River VxWorks, collectively called Urgent11, include 6 remote code execution defects and 5 less serious flaws. Design limitations in the TCP/IP (IPnet) network stack let attackers bypass traditional perimeter and device security, remotely exploit and take over key equipment, including SCADA equipment, industrial controllers, patient monitors, MRI machines, firewalls, VoIP phones, printers, etc.
Preface: The Internet of Vehicles (IoV) is growing rapidly; at the same time, these vehicles are a potential target for cyber attackers.
About Mitsubishi Electric FR Configurator2: From inverter startup to maintenance, FR Configurator2 allows the user to specify settings easily from a PC.
CVE-2019-10976 – This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker can read arbitrary files.
CVE-2019-10972 – This vulnerability can be triggered when an attacker provides the target with a rogue project file (.frc2). Once a user opens the rogue project, CPU exhaustion occurs, which causes the software to stop responding until the application is restarted.
Our comment – The impact of these vulnerabilities depends on the source of the infection, for instance a malicious project file (.frc2) sent out in a large-scale scam email campaign. Because of the software design weakness (input to the XML parser is not sanitized while parsing the XML project), and as the attached infographic suggests, this may give an attacker a way to use the malware to infect the car CPU, since the interconnect between the car CPU and the inverter is USB. So we must stay alert to these vulnerabilities.
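The two defects above share one root cause: a project file is handed to an XML parser that still honours DTD declarations, which is what makes both external-entity file reads (CVE-2019-10976) and entity-expansion CPU exhaustion (CVE-2019-10972) possible. The following added example, written for this page and not taken from Mitsubishi Electric's software, shows the defensive pattern: reject any DOCTYPE or ENTITY declaration in an untrusted file before parsing it for content. The sample project documents, the element names (Project, Parameter) and the .frc2 stand-in are all constructed assumptions; the real FR Configurator2 schema is not on the page.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed sample of a plain XML project file standing in for an .frc2
# file (the real FR Configurator2 schema is not known here).
SAFE_PROJECT = b"""<?xml version="1.0"?>
<Project name="demo"><Parameter id="Pr.1">50</Parameter></Project>"""

# Constructed sample that declares an external entity pointing at a local
# file; a parser that resolves it would leak that file's contents.
UNSAFE_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE Project [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<Project name="demo"><Parameter id="Pr.1">&ext;</Parameter></Project>"""


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def check_project(xml_bytes):
    """Return (ok, reason) for an untrusted project file.

    A first pass with expat rejects any DOCTYPE or ENTITY declaration before
    the document is parsed for content.  Refusing the DTD outright blocks
    external-entity file reads and entity-expansion CPU exhaustion alike,
    which is simpler and safer than trying to sanitize the declarations.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declaration not allowed: %s" % name)

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError("entity declaration not allowed: %s" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    try:
        parser.Parse(xml_bytes, True)
    except UnsafeXmlError as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc
    return True, "no DTD present"


def load_project(xml_bytes):
    """Parse a project file only after it has passed check_project()."""
    ok, reason = check_project(xml_bytes)
    if not ok:
        raise UnsafeXmlError(reason)
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    print(check_project(SAFE_PROJECT))
    print(check_project(UNSAFE_PROJECT))
    print(load_project(SAFE_PROJECT).find("Parameter").text)
```

Rejecting the whole DTD is deliberately coarse: a configuration file format that never needs entities loses nothing, and the check is independent of which parser library (and which library defaults) the application later uses for the real parse.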
Preface: The IoT will change the taxi industry. Uber's business concept makes it the industry leader. Perhaps because their concepts and ideas are advanced, cyber security is one of their major concerns.
Vulnerability details: Palo Alto Networks PAN-SA-2019-0020 (CVE-2019-1579): a remote code execution vulnerability in the GlobalProtect Portal/Gateway interface, specifically the SSL web VPN application. The vendor has taken preventive action; meanwhile, a survey was conducted of Palo Alto SSL VPNs around the world to see whether any large corporations were using the vulnerable GlobalProtect, and Uber is one of them!
From our survey, Uber owns about 22 servers running GlobalProtect around the world, for instance vpn.awscorp.uberinternal.com.
Remark: Uber announced that the vulnerable SSL VPN solution was not the primary VPN in use by the majority of staff members. Their VPN gateway was hosted in AWS rather than embedded within the core infrastructure, so the potential impact is low risk.
Our comment: The vendor did not provide the vulnerability details. But do you think the details in the attached infographic could trigger similar attacks?
Remedy: Available Updates – PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.
Preface: Message queues are unnecessary and cause a lot of overhead (setting up such a system can be a lot of work).
Product background: ZeroMQ (libzmq). A simple synchronous system will just receive a request from the client, perform an operation (anything from retrieving some data from the server to uploading an image) and return a response.
Vulnerability details: A vulnerability in ZeroMQ libzmq could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The problem is a buffer overflow in the library that overflows the stack and overwrites it with arbitrary data. All versions from 4.0.0 upwards are affected.
Reference: The stack is the temporary memory where a function's local variables are stored while the function is executing; that memory is reclaimed automatically when the function returns.
Preface: The invention of the IoT sensor looks like the contingent that drives a smart city. At the same time, the Python programming language gives life to the Internet of Things.
Security focus: Even though IoT devices and their back-end facilities deploy SSL certificates, that cannot prevent data leakage caused by a programming language flaw.
Vulnerability details: The vulnerability exists because the affected software does not remove the HTTP Authorization header when performing HTTPS to HTTP redirects to the same hostname, which may allow user credentials to be transmitted in clear text. A successful exploit could allow the attacker to access sensitive information, such as user credentials and web server information. For more details, please refer to the attached diagram.
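The point of the flaw above is that "same hostname" is not a sufficient condition for replaying credentials: a redirect from https to http on the same host lands the Authorization header on the wire in clear text. The following added example (written for this page, not code from any affected library) shows the redirect policy a client should apply: credentials are forwarded only when the hop stays on the same host and does not downgrade the scheme. The redirect chain, hostnames and token value are constructed, and the chain is walked offline rather than over the network.

```python
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials and must not be replayed to a
# redirect target on another host or over a downgraded scheme.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")


def redirect_keeps_credentials(current_url, next_url):
    """True only if the hop stays on the same host and does not go from
    https to http.  Relative Location values are resolved first."""
    cur = urlsplit(current_url)
    nxt = urlsplit(urljoin(current_url, next_url))
    same_host = (cur.hostname or "").lower() == (nxt.hostname or "").lower()
    downgraded = cur.scheme == "https" and nxt.scheme == "http"
    return same_host and not downgraded


def headers_for_redirect(current_url, next_url, headers):
    """Return the headers to send to next_url; credentials are dropped
    whenever the hop is not safe.  Names are compared case-insensitively."""
    if redirect_keeps_credentials(current_url, next_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(start_url, headers, redirect_map, max_hops=5):
    """Walk a constructed redirect chain (redirect_map: url -> Location value)
    and return (final_url, headers_sent_to_it).  No network access is made."""
    url, hdrs = start_url, dict(headers)
    for _ in range(max_hops):
        if url not in redirect_map:
            return url, hdrs
        nxt = urljoin(url, redirect_map[url])
        hdrs = headers_for_redirect(url, nxt, hdrs)
        url = nxt
    raise RuntimeError("too many redirects")


# Constructed chain reproducing the flaw's shape: the HTTPS endpoint answers
# with a redirect to plain HTTP on the same hostname.
DOWNGRADE_CHAIN = {"https://api.example.test/v1/data": "http://api.example.test/v1/data"}
START_HEADERS = {"Authorization": "Bearer CONSTRUCTED-TOKEN", "Accept": "application/json"}

if __name__ == "__main__":
    print(follow_redirects("https://api.example.test/v1/data", START_HEADERS, DOWNGRADE_CHAIN))
```

The same policy function can be plugged into a real client's redirect handler; the important property is that it is evaluated per hop, so a chain of several same-host redirects cannot smuggle the header through a later downgrade.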
Preface: Smart apps like your friend whenever you need one. Download the app and get a ride from a friendly driver within minutes.
Vulnerability details: A vulnerability in python-engineio could allow an unauthenticated, remote attacker to conduct a cross-site websocket hijacking (CSWSH) attack on a targeted system.
Design flaw: Cross-Origin Resource Sharing (CORS) headers only work for XHR requests and are ignored by clients during a websocket connection.
Current status: The vendor has confirmed the vulnerability, but a remedy is not available yet!
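Because the browser enforces no CORS policy on a websocket handshake, the only thing standing between a victim's browser and a cross-site websocket hijack is the server checking the Origin header itself. The following added example (written for this page, not python-engineio's code) shows a minimal handshake handler that does exactly that: it validates Origin against an allowlist before computing the RFC 6455 Sec-WebSocket-Accept value, and it never consults any Access-Control-Allow-Origin header. The request samples and hostnames are constructed; the Sec-WebSocket-Key is the sample value from RFC 6455 section 1.3.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# GUID fixed by RFC 6455 for deriving Sec-WebSocket-Accept from the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def websocket_accept(client_key):
    """Compute the Sec-WebSocket-Accept value for a Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _origin_tuple(origin):
    o = urlsplit(origin)
    scheme = o.scheme.lower()
    return (scheme, (o.hostname or "").lower(), o.port or DEFAULT_PORTS.get(scheme))


def origin_allowed(origin, allowed_origins, allow_missing_origin=False):
    """Exact-match Origin (scheme, host, port) against an allowlist.

    Browsers always send Origin on a websocket handshake, so a missing header
    can only come from a non-browser client; it is refused unless the caller
    opts in, because refusing is the safe default."""
    if origin is None:
        return allow_missing_origin
    wanted = _origin_tuple(origin)
    return any(_origin_tuple(a) == wanted for a in allowed_origins)


def handle_handshake(headers, allowed_origins):
    """Return (status, response_headers) for a websocket upgrade request.

    headers: request headers as a dict (any name case).  No CORS header is
    consulted: Access-Control-Allow-Origin governs XHR/fetch only, so this
    Origin check is the server's sole protection against CSWSH."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, {}
    if not origin_allowed(h.get("origin"), allowed_origins):
        return 403, {}
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": websocket_accept(h["sec-websocket-key"]),
    }


# Constructed handshake requests; hostnames are placeholders.
ALLOWED = ["https://app.example.test"]
LEGIT_REQUEST = {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
                 "Origin": "https://app.example.test"}
CROSS_SITE_REQUEST = dict(LEGIT_REQUEST, Origin="https://attacker.example.test")

if __name__ == "__main__":
    print(handle_handshake(LEGIT_REQUEST, ALLOWED))
    print(handle_handshake(CROSS_SITE_REQUEST, ALLOWED))
```

Matching on the full (scheme, host, port) triple matters: a substring or prefix match on the Origin string is a common way such a check is bypassed, and an http origin must not be accepted for an https application.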
Preface: What is the difference between an APT group and a so-called cyber attacker? In normal circumstances, attacks by APT groups more often target the political factors or interests of countries.
Background: Physicists and engineers at CERN use the world’s largest and most complex scientific instruments to study the basic constituents of matter.
Vulnerability details: A vulnerability in ClusterLabs libqb could allow a local attacker to overwrite arbitrary files on a targeted system. As far as we know, CERN has deployed this solution. Perhaps this vulnerability is not at a critical level. However, it could let an APT group exploit the vulnerability to steal data. We don't need to explain what kind of data is stored at CERN; simply put, it is critical data.
Libqb creates files in world-writable directories (/dev/shm, /tmp) with rather predictable file names (e.g. /dev/shm/qb-usbguard-request-7096-835-12-data in the case of USBGuard). Also, the O_EXCL flag is not used when opening the files. This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).
Reference – If the file already exists beforehand, open(pathname, O_RDWR | O_CREAT, 0666) succeeds and returns a non-negative file descriptor (the existing file is simply opened), whereas open(pathname, O_RDWR | O_CREAT | O_EXCL, 0666) fails and returns -1 with errno set to EEXIST.
O_EXCL indicates that if the file already exists when O_CREAT is used, the call fails with an error; this lets a program test atomically, in the same call that creates the file, whether the file already existed.
Remedy: ClusterLabs released version 1.0.5 with the bug fix.
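To make the O_EXCL reference above concrete, here is an added example (written for this page, not libqb's code) that reproduces the file-creation pattern inside a private temporary directory and records what each open mode does when the predictable name has been pre-planted as a symlink. Everything it touches lives in that scratch directory; the "protected" file and the planted name are constructed stand-ins for a privileged system file and a libqb-style shared-memory name. It also shows the two hardening steps together: O_EXCL, and an unpredictable name in a 0700 directory via tempfile.mkstemp.

```python
import os
import tempfile


def open_modes_demo():
    """Reproduce the libqb-style file-creation issue in a fresh temporary
    directory and return a dict of observations.  Nothing outside the
    scratch directory is touched."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a privileged file that must not change.
        target = os.path.join(d, "protected.conf")
        with open(target, "w") as f:
            f.write("original\n")

        # Constructed stand-in for the predictable name in a shared directory,
        # pre-planted as a symlink to the target.
        planted = os.path.join(d, "qb-request-data")
        os.symlink(target, planted)

        # Vulnerable pattern: O_CREAT without O_EXCL opens whatever the name
        # resolves to, so the write follows the symlink and lands on target.
        fd = os.open(planted, os.O_RDWR | os.O_CREAT, 0o666)
        os.write(fd, b"clobbered\n")
        os.close(fd)
        with open(target) as f:
            results["o_creat_followed_symlink"] = f.read().startswith("clobbered")

        # Hardened step 1: O_EXCL makes open() fail when the name already
        # exists, and a symlink counts as existing regardless of its target.
        try:
            os.open(planted, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o666)
            results["o_excl_refused"] = False
        except FileExistsError:
            results["o_excl_refused"] = True

        # Hardened step 2: an unpredictable name created atomically (mkstemp
        # uses O_CREAT|O_EXCL internally) inside a directory only this user can
        # write to, so there is no shared, guessable name to pre-plant.
        private_dir = tempfile.mkdtemp(dir=d)
        fd, path = tempfile.mkstemp(dir=private_dir)
        os.close(fd)
        results["private_dir_mode"] = oct(os.stat(private_dir).st_mode & 0o777)
        results["mkstemp_mode"] = oct(os.stat(path).st_mode & 0o777)
    return results


if __name__ == "__main__":
    for key, value in open_modes_demo().items():
        print(key, value)
```

The first observation is the whole bug in one line: the write through the planted name modified the other file. The second shows why the fix is a single flag, and the third shows the stronger design that removes the shared directory from the picture, which is what sandboxing or a per-user private directory achieves for a daemon such as libqb.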
Preface: Artificial intelligence, especially custom face recognition, will make use of ptrace (ptrace_link). By attaching to another process with the ptrace call, a tool gains extensive control over the operation of its target.
Vulnerability details: If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship, which can be abused to ptrace a suid binary and obtain root privileges.
The above vulnerability could allow a local attacker to perform unauthorized actions on a targeted system.
Preface: Stolen account information of nearly 750 million users was available for sale on the dark web after hackers breached 24 popular websites. The stolen data, released in two batches, includes names, email addresses and hashed passwords.
Description: A spear-phishing email with a URL to an archive file containing a .lnk file can mislead the recipient into becoming a cyber victim. The recipient is not aware, and the data thief steals the data silently.
Fileless malware advisory: Microsoft is alerting that a new type of fileless malware has been found (Astaroth). This malware can be installed on victims' PCs without an executable. The Microsoft Defender ATP Research Team caught Astaroth in May and June 2019. The Canadian Centre for Cyber Security issued a report this week providing guidance on prevention. This malware has the capability to evade defense mechanisms. If you are interested in this report, please refer to the following URL – https://cyber.gc.ca/en/alerts/fileless-malware-advisory