CVE-2019-13115(Jul 2019) libssh2 – client-side C library,Integer Overflow Vulnerability

Preface: Because telnet is not secure, people rely on SSH. Due to design limitations, SSH2 replaces SSH. In fact, SSH2 still has room for improvement.

Technical Background – libssh2 is a client-side C library, which enables applications to connect to an SSH server.

A vulnerability in client-side C library – The vulnerability was triggered when libssh2 is used to connect to a malicious SSH server. The vulnerability is due to an integer overflow condition in the kex_method_diffie_hellman_group_exchange_sha256_key_exchange function, as defined in the kex.c source code file of the affected software.

Remedy – The official statement recommends that users upgrade to version 1.9.0. libssh2 has released software updates at the following link: https://www.libssh2.org/

Squid proxy & reverse proxy users staying alert! CVE-2019-12527, CVE-2019-12525 & CVE-2019-12529 (Jul 2019)

Differences Between Forward Proxy and Reverse Proxy:The main difference between the two is that forward proxy is used by the client such as a web browser whereas reverse proxy is used by the server such as a web server. Forward proxy can reside in the same internal network as the client, or it can be on the Internet.

About Squid: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.

Security Focus: CVE-2019-12527 Squid HttpHeader::getAuth Basic Authentication Heap-Based Buffer Overflow Vulnerability – The developer point out that there is a design limitation from Auth function in http header. So a modification on files will be remediate this problem. We only quote part of the parameter. For instance

Remove:

const char *
HttpHeader::getAuth(Http::HdrType id

Append the following:

SBuf
HttpHeader::getAuthToken(Http::HdrType id

Besides, the remediation of CVE-2019-12525 is that it replace the fixed-size buffer for decoding base64 tokens with an SBuf to avoid decoder issues on large inputs.

Squid has released a software patch to end users – http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch

Redis vulnerabilities CVE-2019-10192 & CVE-2019-10193: staying alert!

Preface: Fileless malware can resides within volatile storage components such as memory.

About Redis: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker. It supports data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs, geospatial indexes with radius queries and streams.

Vulnerability details: Above vulnerabilities bring our attentions because attacker could perform controlled increments of up to several bytes past the end of a stack-allocated buffer which the attacker could use to execute arbitrary code or cause a DoS condition.

Reference:

The stack is the temporary memory where variables are stored while a function is executing. The memory will be cleaned up automatically when job done.

The heap is memory that the programmer can use for the application in non automatic way. Programmer might build a mechanism to free up memory after use.

Observation: According to above details, if there are 12 bytes in the stack area which could let hacker exploit. Whereby, it will benefit to the attacker evade the defense mechanism easily.

Remedy: Redis has released software updates – http://download.redis.io/releases/

CVE-2019-13470 MatrixSSL ASN.1 Handling Out-of-Bounds Read Vulnerability – Jul 2019

Preface: The product of MatrixSSL is used by many companies. Since MatrixSSL design in low memory footprint.
Whereby, they can partner with smart city infrastructure and IoT devices.

Vulnerability details: A vulnerability in MatrixSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Our speculation:

  1. x509 is the name for certificates which are defined for informal internet electronic mail, IPsec, and WWW applications.
  2. X.509 original ver 1, and then a ver 2. But now we use the version 3.
  3. Reading the corresponding RFC the structure shown as below:
    Certificate ::= SEQUENCE {
    tbsCertificate TBSCertificate,
    signatureAlgorithm AlgorithmIdentifier,
    signatureValue BIT STRING }
  4. Above are ASN.1 structures.
  5. If attacker send a crafted certificate to the targeted system.
  6. An error in parsing a maliciously formatted ASN.1 Bit Field primitive could cause a crash due to a memory read beyond allocated memory.

Vendor release software updateshttps://github.com/matrixssl/matrixssl/releases

Tiny world and tiny storm – CVE-2018-20815,CVE-2019-10638 & CVE-2019-10639

Preface: Cyber attack similar real world. There are different types of ideas and concepts in the world make humans become extreme. So we have war and different arguments. Besides, there are bacteria and virus try to infect our body. Kernel like tiny world, they also hits above circumstances.

Vulnerability details:

CVE-2019-10639 – Linux Kernel IP ID Values Information Disclosure Vulnerability. The vulnerability exists because it is possible to extract the Kernel Address Space Layout Randomization (KASLR) kernel image offset of the affected software using the IP ID values that the kernel produces for connectionless protocols.

CVE-2019-10638 – Linux Kernel Connectionless Protocols IP ID Values Information Disclosure Vulnerability. The vulnerability exists because the affected software uses the IP ID values that the kernel produces for connectionless protocols.

Reference: The IDR provides the ability to map an ID to a pointer, while the IDA provides only ID allocation, and as a result is much more memory-efficient.

CVE-2018-20815 – The vulnerability is due to buffer errors in the deprecated load_image function, as defined in the device_tree.c source code file of the affected software.

Summary: The impact of above vulnerability especially CVE-2018-20815, a large footprint of impact to virtual machine software provider. IP ID Values Information Disclosure Vulnerabilities has been addressed by Kernel.org.
But Linux user must staying alert.

CVE-2019-10638, CVE-2019-10639 – https://www.kernel.org/

CVE-2018-20815 – https://git.qemu.org/?p=qemu.git;a=commitdiff;h=da885fe1ee8b4589047484bd7fa05a4905b52b17

it might be new path way in cyber attack. yes, it is uefi.

Preface: UEFI has slowly come to replace BIOS. Whereby Intel schedule to completely replace BIOS with UEFI on all chipsets by 2020.

Quote: Firmware is software, and is therefore vulnerable to the same threats that typically target software.

Technical details: From technical point of view, EFI Runtime services are usually located below 4GB. As a result it has a way into Linux on high memory EFI booting systems.

What is the different when malware alive into these areas?

  • Malware injected into the address space is transient, and will be cleaned up on the next boot.
  • Malware injected into the firmware flash regions is persistent, and will run on every subsequent boot

Using the follow command can display x509 v3 digital certificate and confirm thatgrubx64.efi can read (/boot/efi/EFI/fedora/)grub.cfg. Oh! It is easy to access this file when you have root privileges. But do not contempt this issue.

  • sudo tree /boot/efi
  • sudo hexdump -C /boot/efi/EFI/fedora/shim.efi | egrep -i -C 2 ‘grub|g.r.u.b’
  • sudo strings /boot/efi/EFI/fedora/grubx64.efi | grep grub.cfg

Sound interesting. Should you have interested, please refer below guide book :NIST Special Publication 800-147 BIOS Protection Guidelines https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf

Multiple high vulnerabilities in Advantech WebAccess/SCADA -CVE-2019-10989,CVE-2019-10991 & CVE-2019-10993

Preface: Cyber Security expert not suggest access SCADA Dashboard from external area (internet). But we can use VPN establish connection then sign on as a workaround.

Background: Advantech WebAccess/SCADA is a browser-based SCADA software package for supervisory control, data acquisition and visualization.

Vulnerability details: In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data.

CVE-2019-10989 – The specific flaw exists within the implementation of the 0x113d1 IOCTL in the webvrpcs process.

CVE-2019-10991 – The specific flaw exists within bwclient.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process.

CVE-2019-10993 – The specific flaw exists within the implementation of the 0x27E9 IOCTL in the webvrpcs process.

Summary: Stack based & heap based buffer overflow and untrusted pointer dereference Remote Code Execution are all found in this product. Ioctl is a function in the device driver that manages the device’s I/O channels. The so-called I/O channel management is to control some characteristics of the device.

Reference: A stack-based buffer overflow vulnerability exists in a call to strcpy. Strcpy is one of the functions of the C language. It comes from the C standard library, defined in string.h, which can copy a memory block with a null end character into another memory block.
So attacker can leverage this vulnerability to execute code under the context of Administrator.

Advantech has issued an update to correct this vulnerability – https://www.us-cert.gov/ics/advisories/icsa-19-178-05

China raised the security level for its vessels heading through the Strait of Malacca. Perhaps cyber security vulnerabilities causes shipping traffic jam in that place! Jul 2019

Preface: The string of attacks last month on tankers near Hormuz. It alerting to related industry and countries about bottleneck on supply chain.

Quote: The head of Indonesian Maritime Security Agency, said it’s looking into the issue. And it doesn’t see why China raised the alert status?

From technical point of view: As a matter of fact, it is not difficult to make trouble to world by cyber attack nowadays. For example, Ransomware or exploit the vulnerability on the computer system. As far as we know, on the tankers side, it install GPS and management system. Those systems are the Windows or Linux OS base of machines. If you are belongs to marine industry especially shipping company, see whether you are require to re-cofirm the patch level of your maritime bandwidth management system. Do not let those vulnerabilities causes shipping traffic jam. For more details, please see below url for reference.

Perhaps not merely the specified vulnerability. Should you interested if the Headline news. Please refer below:

https://www.bloomberg.com/news/articles/2019-07-03/china-raises-warning-for-shipping-in-malacca-strait-people-say

Status update on 8th July 2019: U.S. Coast Guard recommendation: the maritime community can help strengthen their defenses by implementing the following basic cybersecurity measures:

  • Implement network segmentation.
  • Create network profiles for each employee, require unique login credentials, and limit privileges to only those necessary.
  • Be wary of external media.
  • Install anti-virus software.
  • Keep software updated.

CVE-2019-10141 Red Hat OpenStack openstack-ironic-inspector Introspection SQL Injection Vulnerability – JUl 2019

Preface:The cloud can be managed with a web-based dashboard or command-line clients, which allow administrators to control.At the same time it lures the arrival of cyber attackers.

Product background: Red Hat OpenStack Platform provides the foundation to build a private or public Infrastructure-as-a-Service (IaaS) cloud on top of Red Hat Enterprise Linux.

Vulnerability details:

A SQL-injection vulnerability was found in openstack-ironic-inspector’s node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results
An attacker could exploit this vulnerability by submitting malicious introspection data to the targeted system. A successful exploit could allow the attacker to conduct SQL injection attacks on the targeted system.

Remediation: Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.

802.1AB is the burden of Cisco Nexus 9000 series Fabric switches. it let cisco increase one more vulnerability (CVE-2019-1890) – 3rd Jul 2019

Preface: Switched Fabric or switching fabric is a network topology in which network nodes interconnect via one or more network switches.

What is Cisco ACI? – Cisco ACI is a tightly coupled policy-driven solution that integrates software and hardware. The hardware for Cisco ACI is based on the Cisco Nexus 9000 family of switches. The software and integration points for ACI include a few components, including Additional Data Center Pod, Data Center Policy Engine, and Non-Directly Attached Virtual and Physical Leaf Switches.

Vulnerability background & details: 802.1AB(LLDP) build in May 2005. LLDP was developed as an open and extendable standard. It was modeled on and borrowed concepts from the numerous vendor proprietary discovery protocols such as Cisco Discovery Protocol (CDP), Extreme Discovery Protocol (EDP) and others. At that time cyber security not as serious today. So the design weakness extend till today and causes an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN.

We seen the impact posted by Cisco. They state that if strict mode is configured, this vulnerability cannot be exploited. Strict mode enforces further firmware security checks before allowing a connection.

Remark: Only Cisco Discovery Protocol provides an additional capability not found in LLDP-MED that allows the switch to extend trust to the phone. That is the phone will be trusted to mark the packets received on the PC port accordingly.

Official announcementhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-n9kaci-bypass