Prefect: Headlines new – Critical VxWorks flaws expose millions of devices to hacking.

What is VxWorks? The VxWorks RTOS comprises the core capabilities of the wind microkernel(not monolithic) along with advanced networking support, powerful file system and I/O management, and C++ and other standard run-time support.

Vulnerability details: The vulnerabilities found on Wind River VxWorks so called Urgent11, it include 6 remote code defects and 5 less serious flaws. The design limitation of TCP/IP (IPnet) network stack let hackers to bypass traditional border and device security, remotely exploit and take over Key equipment, including SCADA equipment, industrial controllers, patient monitors, MRI machines, firewalls, VOIP phones and printers, etc.

Vendor response – Please refer to url: https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

Reference:

The stack is the temporary memory where variables are stored while a function is executing. The memory will be cleaned up automatically when job done.

The heap is memory that the programmer can use for the application in non automatic way. Programmer might build a mechanism to free up memory after use.

Preface: Internet of Vehicles (IoV) growth rapidly, meanwhile they are also the potential target of the cyber attacker.

About Mitsubishi Electric FR Configurator2: From inverter startup to maintenance, FR Configurator2 allows the user to specify settings easily at the computer.

Vulnerability details:

CVE-2019-10976 – This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.

CVE-2019-10972 – This vulnerability can be triggered when an attacker provides the target with a rogue project file (.frc2). Once a user opens the rogue project, CPU exhaustion occurs, which causes the software to quit responding until the application is restarted.

Our comment – The impact of these vulnerabilities depends on the source of the infection. If malicious project file (.frc2) send with large scale of scam email. Because of the software design weakness (XML parser is not sanitized while parsing the XML project). Refer to attached infographic, perhaps it will provide a way to attacker exploit malware to infect the car CPU. Because the interconnect in between Car CPU and inverter is USB. So we must stay alert of these vulnerabilities.

Preface: Refer to market statistic on 2018, the growth in cloud revenues appear to be the strongest for Microsoft and weakest for IBM.

Vulnerability details: In IBM Cloud Private on OpenShift icp-scc SecurityContextContraints is erroneously assigned to all pods in all namespaces

Remedy: For IBM Cloud Private 3.1.1 or 3.1.2:

To resolve the issue, run the following kubectl commands on the master node:

1. kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “remove”, “path”: “/groups”}]’
2. kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “add”, “path”: “/users”, “value”: [“system:serviceaccount:kube-system:default”,”system:serviceaccount:istio-system:default”, “system:serviceaccount:icp-system:default”,”system:serviceaccount:cert-manager:default”] }]’

Reference:

The privileged SCC allows:

• Users to run privileged pods
• Pods to mount host directories as volumes
• Pods to run as any user
• Pods to run with any MCS label
• Pods to use the host’s IPC namespace
• Pods to use the host’s PID namespace
• Pods to use any FSGroup
• Pods to use any supplemental group
• Pods to use any seccomp profiles
• Pods to request any capabilities

The restricted SCC:

• Ensures that pods cannot run as privileged.
• Ensures that pods cannot mount host directory volumes.
• Requires that a pod run as a user in a pre-allocated range of UIDs.
• Requires that a pod run with a pre-allocated MCS label.
• Allows pods to use any FSGroup.
• Allows pods to use any supplemental group.

Supplement: CVE-2019-4439 – IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system.

Remedy – For IBM Cloud Private 3.1.2, apply patch: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build520356-23797&includeSupersedes=0

Preface: Message queues are unnecessary and cause a lot of overhead (setup such system cab be a lot of work).

Product background: Zeromq libzmq
A simple synchronous system will just receive a request from the client, perform an operation (anything from retrieving some data from the server to uploading an image) and return a response.

Vulnerability details: A vulnerability in ZeroMQ libzmq could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The problem was that a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. All versions from 4.0.0 and upwards are affected.

Reference: The stack is the temporary memory where variables are stored while a function is executing. The memory will be cleaned up automatically when job done.

Remedy: ZeroMQ has released a software update. For more information, see url: https://github.com/zeromq/libzmq/releases

Preface: Smart apps like your friend whenever you need one. Download the app and get a ride from a friendly driver within minutes.

Product background: Engine.IO is a lightweight transport protocol that enables real-time bidirectional event-based communication between web browsers and a server. Python-engineio server can form a Eventlet asynchronous server and includes a small Flask application that serves the HTML/Javascript to the client. Flask is a Python framework for creating web applications. It accelerates development of simple web applications by providing the required functionality. There are many companies in the world that use Flask for mobile application development.

Vulnerability details: A vulnerability in python-engineio could allow an unauthenticated, remote attacker to conduct a cross-site websocket hijacking (CSWSH) attack on a targeted system.

Design flaw: Cross-Origin Resource Sharing (CORS) headers are only works in XHR requests, and ignored by clients during a websocket connection.

Current status: The vendor has confirmed the vulnerability; but remedy not available yet!

Preface: What is the difference of APT group and so called cyber attacker? In normal circumstance, the attack of APT group more often target different political factor of countries or benefits.

Background: Physicists and engineers at CERN use the world’s largest and most complex scientific instruments to study the basic constituents of matter.

Vulnerability details: A vulnerability in ClusterLabs libqb could allow a local attacker to overwrite arbitrary files on a targeted system. As far as we know, CERN is deployed with this solution. Perhaps this vulnerability not in critical level. However it will let APT group exploit the vulnerability to stolen the data. We don’t need to explain what kind of data stored in CERN. The simple to say, it is the critical data.

Libqb creates files in world-writable directories (/dev/shm, /tmp) with rather predictable file names (e.g. /dev/shm/qb-usbguard-request-7096-835-12-data in case of USBGuard). Also O_EXCL flag is not used when opening the files. This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).

Reference – If the file already exists beforehand,
Open(pathname, O_RDWR | O_CREAT, 0666); Open successfully, return a fd greater than 0
Open(pathname, O_RDWR | O_CREAT | O_EXCL,0666); Open failed, return -1

O_EXCL indicates that if the file exists when O_CREAT is used, an error message is returned, which can test whether the file exists.

Remedy: ClusterLab releases ver 1.0.5 for bug fix.

Preface: Artificial intelligence especially custom face recognition will be using (ptrace_link). By attaching to another process using the ptrace call, a tool has extensive control over the operation of its target.

Vulnerability detail: If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point, the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship,which can be abused to ptrace a suid binary and obtain root privileges.
Above vulnerability could allow a local attacker to perform unauthorized actions on a targeted system.

Remedy: Kernel.org has released a software update. For more information, please refer to the following URL for reference. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6994eefb0053799d2e07cd140df6c2ea106c41ee

Remark: Perhaps exploit this vulnerability require local user access. But cyber attacker can use scam email or phishing email to conducting this attack.