Urgent 11-Tremendous design limitation jeopardizes RTOS industry

Prefect: Headlines new – Critical VxWorks flaws expose millions of devices to hacking.

What is VxWorks? The VxWorks RTOS comprises the core capabilities of the wind microkernel(not monolithic) along with advanced networking support, powerful file system and I/O management, and C++ and other standard run-time support.

Vulnerability details: The vulnerabilities found on Wind River VxWorks so called Urgent11, it include 6 remote code defects and 5 less serious flaws. The design limitation of TCP/IP (IPnet) network stack let hackers to bypass traditional border and device security, remotely exploit and take over Key equipment, including SCADA equipment, industrial controllers, patient monitors, MRI machines, firewalls, VOIP phones and printers, etc.

Vendor response – Please refer to url: https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/


The stack is the temporary memory where variables are stored while a function is executing. The memory will be cleaned up automatically when job done.

The heap is memory that the programmer can use for the application in non automatic way. Programmer might build a mechanism to free up memory after use.

Mitsubishi electric fr configurator2 – When input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Jul 2019

Preface: Internet of Vehicles (IoV) growth rapidly, meanwhile they are also the potential target of the cyber attacker.

About Mitsubishi Electric FR Configurator2: From inverter startup to maintenance, FR Configurator2 allows the user to specify settings easily at the computer.

Vulnerability details:

CVE-2019-10976 – This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.

CVE-2019-10972 – This vulnerability can be triggered when an attacker provides the target with a rogue project file (.frc2). Once a user opens the rogue project, CPU exhaustion occurs, which causes the software to quit responding until the application is restarted.

Our comment – The impact of these vulnerabilities depends on the source of the infection. If malicious project file (.frc2) send with large scale of scam email. Because of the software design weakness (XML parser is not sanitized while parsing the XML project). Refer to attached infographic, perhaps it will provide a way to attacker exploit malware to infect the car CPU. Because the interconnect in between Car CPU and inverter is USB. So we must stay alert of these vulnerabilities.

CVE-2019-4415 IBM Cloud Private privilege escalation Jul 2019

Preface: Refer to market statistic on 2018, the growth in cloud revenues appear to be the strongest for Microsoft and weakest for IBM.

Vulnerability details: In IBM Cloud Private on OpenShift icp-scc SecurityContextContraints is erroneously assigned to all pods in all namespaces

Remedy: For IBM Cloud Private 3.1.1 or 3.1.2:

To resolve the issue, run the following kubectl commands on the master node:

  1. kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “remove”, “path”: “/groups”}]’
  2. kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “add”, “path”: “/users”, “value”: [“system:serviceaccount:kube-system:default”,”system:serviceaccount:istio-system:default”, “system:serviceaccount:icp-system:default”,”system:serviceaccount:cert-manager:default”] }]’


The privileged SCC allows:

  • Users to run privileged pods
  • Pods to mount host directories as volumes
  • Pods to run as any user
  • Pods to run with any MCS label
  • Pods to use the host’s IPC namespace
  • Pods to use the host’s PID namespace
  • Pods to use any FSGroup
  • Pods to use any supplemental group
  • Pods to use any seccomp profiles
  • Pods to request any capabilities

The restricted SCC:

  • Ensures that pods cannot run as privileged.
  • Ensures that pods cannot mount host directory volumes.
  • Requires that a pod run as a user in a pre-allocated range of UIDs.
  • Requires that a pod run with a pre-allocated MCS label.
  • Allows pods to use any FSGroup.
  • Allows pods to use any supplemental group.

Supplement: CVE-2019-4439 – IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system.

Remedy – For IBM Cloud Private 3.1.2, apply patch: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build520356-23797&includeSupersedes=0

CVE-2019-1579 VPN solution impacts Uber, other enterprises may be at risk Jul 2019

Preface: The IoT will make the Taxi Industry change.The business concept of Uber is the industrial leader. Perhaps their concept and ideas are advanced and therefore cyber security are their major concerns.

Vulnerability details: Palo Alto Networks PAN-SA-2019-0020 (CVE-2019-1579): Remote Code Execution vulnerability in GlobalProtect Portal/Gateway Interface, especially on SSL Web VPN Applications. Vendor do a preventive action, a survey will be conducted all Palo Alto SSL VPN over the world. See whether is any large corporations using the vulnerable GlobalProtect, and Uber is one of them!
From our survey, Uber owns about 22 servers running the GlobalProtect around the world. For instance – vpn.awscorp.uberinternal.com.

Remark: Uber announce that the vulnerable SSL VPN solution was not the primary VPN in use by the majority of staff members. Their VPN gateway was hosted in AWS rather than embedded within core infrastructure and so the potential impacted will be in low risk.

Our comment: The vendor did not provide the vulnerability details. But do you think that attached infographic details may trigger similar attacks?

Remedy: Available Updates – PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.

CVE-2019-13132 Zeromq libzmq Stack Buffer Overflow Arbitrary Code Execution Vulnerability Jul 2019

Preface: Message queues are unnecessary and cause a lot of overhead (setup such system cab be a lot of work).

Product background: Zeromq libzmq
A simple synchronous system will just receive a request from the client, perform an operation (anything from retrieving some data from the server to uploading an image) and return a response.

Vulnerability details: A vulnerability in ZeroMQ libzmq could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The problem was that a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. All versions from 4.0.0 and upwards are affected.

Reference: The stack is the temporary memory where variables are stored while a function is executing. The memory will be cleaned up automatically when job done.

Remedy: ZeroMQ has released a software update. For more information, see url: https://github.com/zeromq/libzmq/releases

Even though you deployed SSL, stay alert in Python Iot world (CVE-2018-18074)

Preface: The invention of the IoT sensor looks like a contingent driving a smart city. At the same time, the python programming language gives life to the Internet of Things.

Security Focus: Even though IoT devices and their back-end facilities deploy SSL certification. It cannot prevent data leakage because of programming language flaw.

Vulnerability details: The vulnerability exists because the affected software does not remove the HTTP Authorization header when performing HTTPS to HTTP redirects with the same hostname, which may allow user credentials to be transmitted in clear text. A successful exploit could allow the attacker to access sensitive information, such as user credentials and web server information. For more details, please refer to attached diagram.

Remedy: Python has released a software update, please refer to the url: https://github.com/psf/requests/releases

CVE-2019-13611 python-engineio Origin Header Cross-Site WebSocket Hijacking Vulnerability – Jul 2019

Preface: Smart apps like your friend whenever you need one. Download the app and get a ride from a friendly driver within minutes.

Product background: Engine.IO is a lightweight transport protocol that enables real-time bidirectional event-based communication between web browsers and a server. Python-engineio server can form a Eventlet asynchronous server and includes a small Flask application that serves the HTML/Javascript to the client. Flask is a Python framework for creating web applications. It accelerates development of simple web applications by providing the required functionality. There are many companies in the world that use Flask for mobile application development.

Vulnerability details: A vulnerability in python-engineio could allow an unauthenticated, remote attacker to conduct a cross-site websocket hijacking (CSWSH) attack on a targeted system.

Design flaw: Cross-Origin Resource Sharing (CORS) headers are only works in XHR requests, and ignored by clients during a websocket connection.

Current status: The vendor has confirmed the vulnerability; but remedy not available yet!

Scientists are busy with scientific development – but should be alert to CVE-2019-12779

Preface: What is the difference of APT group and so called cyber attacker? In normal circumstance, the attack of APT group more often target different political factor of countries or benefits.

Background: Physicists and engineers at CERN use the world’s largest and most complex scientific instruments to study the basic constituents of matter.

Vulnerability details: A vulnerability in ClusterLabs libqb could allow a local attacker to overwrite arbitrary files on a targeted system. As far as we know, CERN is deployed with this solution. Perhaps this vulnerability not in critical level. However it will let APT group exploit the vulnerability to stolen the data. We don’t need to explain what kind of data stored in CERN. The simple to say, it is the critical data.

Libqb creates files in world-writable directories (/dev/shm, /tmp) with rather predictable file names (e.g. /dev/shm/qb-usbguard-request-7096-835-12-data in case of USBGuard). Also O_EXCL flag is not used when opening the files. This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).

Reference – If the file already exists beforehand,
Open(pathname, O_RDWR | O_CREAT, 0666); Open successfully, return a fd greater than 0
Open(pathname, O_RDWR | O_CREAT | O_EXCL,0666); Open failed, return -1

O_EXCL indicates that if the file exists when O_CREAT is used, an error message is returned, which can test whether the file exists.

Remedy: ClusterLab releases ver 1.0.5 for bug fix.

CVE-2019-13272 Linux Kernel (ptrace_link) Unauthorized Access Vulnerability – Jul 2019

Preface: Artificial intelligence especially custom face recognition will be using (ptrace_link). By attaching to another process using the ptrace call, a tool has extensive control over the operation of its target.

Vulnerability detail: If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point, the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship,which can be abused to ptrace a suid binary and obtain root privileges.
Above vulnerability could allow a local attacker to perform unauthorized actions on a targeted system.

Remedy: Kernel.org has released a software update. For more information, please refer to the following URL for reference. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6994eefb0053799d2e07cd140df6c2ea106c41ee

Remark: Perhaps exploit this vulnerability require local user access. But cyber attacker can use scam email or phishing email to conducting this attack.

Fileless Malware Advisory – 17 JUl 2019

Preface: Stolen account information of nearly 750 million users was available for sale on the dark web after hackers breached 24 popular websites. The stolen data, released in two batches, includes names, email addresses and hashed passwords.

Description: Spear phishing email with URL to an archive file containing a .lnk file can misleading receiver to become a cyber victim. The receiving end not aware and let the data thief steal the data in silent mode.

Fileless Malware Advisory: MICROSOFT alerting that a new type of fileless malware found ( Astaroth). This malware can be installed on victims’ PCs without an executable. The Microsoft Defender ATP Research Team lock down Astaroth in May and June 2019. The Canadian Centre for Cyber Security issue a report this week and provide a guidance to do the prevention. This malware has capability to evade the defenses mechanism. Should you have interested of this report. Please refer to the following url – https://cyber.gc.ca/en/alerts/fileless-malware-advisory