CVE-2019-15753 OpenStack (os-vif 1.15.x before 1.15.2, and 1.16.0) allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network (Aug 2019)

Preface: The virtual computing world is like a fruit punch: anything can be mixed into it.

Background: OpenStack is cloud computing software originally developed by NASA and Rackspace. It is free and open source software licensed under the Apache license. Its customers include Shanghai Electric, China Mobile, LINE and China UnionPay.

Vulnerability details: In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.

Possible factor: A related technical issue can arise when Topology Change Notifications (TCNs) occur repeatedly at short intervals: the switches keep fast-ageing their forwarding tables, so flooding is nearly constant.

Remedy status: In Progress → Fix Released (30th Aug 2019) https://review.opendev.org/678098

CVE-2019-12643 Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability (Aug 2019)

Preface: Because a stateless API can increase request overhead by handling large loads of incoming and outbound calls, a REST API should be designed to encourage the storage of cacheable data.

Vulnerability details: A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device.

A fundamental design weakness of REST API authentication, for example:

  1. Make a POST request to /api/rest/issues and get it working with an API key
  2. Perhaps there is no way to disable the auth layer
  3. Generate an auth key
  4. Now you have an auth token for the app
  5. cURL GET request (with authentication)
  6. cURL POST request (with authentication)
  7. ………

What can Cisco customers do? Refer to the official announcement by the vendor: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-iosxe-rest-auth-bypass

PePe Talk – Linux Kernel driver qedi_dbg.c Out-of-Bounds Read Vulnerability CVE-2019-15090 (Aug 2019)

Preface: Pepe the frog never dies. Pepe can appear anywhere: maybe you see him in the political world or in your WhatsApp conversations. Even in CVE vulnerability record details.

QLogic offload iSCSI driver (qedi_dbg.c) technical background – For both Windows and Linux operating systems, iSCSI boot can be configured to boot through two distinct paths: non-offload (also known as the Microsoft Open-iSCSI Initiator) and offload (the QLogic offload iSCSI driver or HBA). iSCSI offload uses the TCP Offload Engine (TOE) technology in network interface cards (NICs) to offload the processing of the TCP/IP stack to a network controller.

Vulnerability details: The vulnerability exists in the drivers/scsi/qedi/qedi_dbg.c source code file of the affected software and is due to an out-of-bounds read condition in the qedi_dbg_* family of functions.

Common functions in C/C++: memcpy() and memset(). Both belong to the "transfer memory" category. With memcpy, an out-of-bounds read copies not only memory beyond your own buffer, such as a malloc block that was previously freed, but, in kernel code, potentially memory belonging to a completely different running program.
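The over-read pattern behind this bug class, modelled on the memset()/memcpy() pair named above, as an added illustration rather than the qedi driver's code: a copy of a fixed NAME_MAX_LEN-1 bytes reads past the terminator of any shorter function name, while a length-bounded copy does not. The buffer sizes, the name "qedi_dbg_err" and the sentinel region are constructed for the demo.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* size of the fixed name buffer in this demo */

/* Vulnerable pattern: always copies NAME_MAX_LEN-1 bytes, so when the
 * function name is shorter memcpy() reads past its NUL terminator into
 * whatever memory follows.  The demo caller places the name inside a
 * larger sentinel buffer so the over-read stays within allocated memory. */
static void copy_name_fixed(char *dst, const char *func)
{
    memset(dst, 0, NAME_MAX_LEN);
    memcpy(dst, func, NAME_MAX_LEN - 1);
}

/* Hardened form: bound the copy by the source string's own length
 * (the same idea as the kernel's strscpy()). */
static void copy_name_bounded(char *dst, const char *func)
{
    const char *end = memchr(func, '\0', NAME_MAX_LEN - 1);
    size_t n = end ? (size_t)(end - func) : NAME_MAX_LEN - 1;
    memcpy(dst, func, n);
    dst[n] = '\0';
}

/* Counts non-zero bytes sitting after the first NUL in dst: each one was
 * read from memory beyond the end of the source string. */
static int bytes_past_terminator(const char *dst)
{
    const char *nul = memchr(dst, '\0', NAME_MAX_LEN);
    size_t i = nul ? (size_t)(nul - dst) : NAME_MAX_LEN;
    int leaked = 0;
    for (; i < NAME_MAX_LEN; i++)
        if (dst[i] != '\0')
            leaked++;
    return leaked;
}

/* Runs one copy routine on the constructed name "qedi_dbg_err" embedded in
 * a region filled with 'X' sentinels; returns how many sentinels it read. */
static int over_read_demo(void (*copy)(char *, const char *))
{
    char region[64];
    char dst[NAME_MAX_LEN];
    memset(region, 'X', sizeof region);
    memcpy(region, "qedi_dbg_err", sizeof "qedi_dbg_err");  /* 12 chars + NUL */
    memset(dst, 0, sizeof dst);       /* so only bytes the copy wrote are counted */
    copy(dst, region);
    return bytes_past_terminator(dst);
}
```

The fixed-size copy pulls 18 sentinel bytes into the destination; the bounded copy pulls none.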

Remedy: Kernel.org has released software updates at the following link – https://www.kernel.org/

Webmin function critical vulnerability CVE-2019-15107 (Aug 2019)

Preface: The Amazon rainforest is the lungs of the earth. Even if modern humans are stronger than ancient people, we still rely on oxygen to survive. With the Amazon rainforest on fire, do you think we are heading to the edge?

About Webmin: Webmin is a web-based interface for Unix system administration. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. On AWS, LAMP-stack web apps in particular commonly rely on Webmin for basic on-demand administration.

Vulnerability details: A vulnerability in Webmin could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on a targeted system. See the attached drawing for details.

Remark: This vulnerability occurs only when the "change expired passwords" function is enabled; that function is not enabled by default.

Remedy: Upgrading to version 1.930 is strongly recommended. Alternatively, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run /etc/webmin/restart.

About the MasterCard data breach – Aug 2019

Preface: I still remember that when I worked in a bank environment, the Visa and MasterCard payment solutions looked very secure indeed. Those facilities ran on standalone machines. The communication protocol was IBM SDLC. In order to communicate with the S/390 mainframe, we set up data link switching on the network switch and defined VTAM major nodes on the mainframe. Can we say the invention of the internet jeopardized the world? Yes, it did.

Incident details: MasterCard said it was investigating a data breach of a loyalty program in Germany. About 90,000 personal records were stolen. Perhaps the actual figure has not been finalized yet, but rumour says the leaked personal data is being sold on the darknet now. However, when we manually viewed the programming source, it showed us a lot of weaknesses on the backend server. For instance, the backend system runs on a vulnerable Apache version. So I wonder whether there is a possibility that an attacker exploited CVE-2017-3167 to bypass authentication on the front-end web server and then stole the data.

Bloomberg headline news https://smg.photobucket.com/user/chanpicco/media/chanpicco001/MasterCard-leak-Aug-2019-1_zps35cvwtvc.jpg.html?sort=3&o=0

Vulnerabilities in SIMATIC S7-1200 and SIMATIC S7-1500 CPU families (Aug 2019)

Preface: In 1885 Westinghouse imported a Siemens AC generator to begin experimenting with AC networks in Pittsburgh. Today, Siemens' business extends to every industry.

Product background: The Siemens SIMATIC S7-1200 and S7-1500 are controllers for open-loop and closed-loop control tasks in mechanical equipment manufacture and plant construction. Their range of use extends from the replacement of relays and contactors up to complex automation tasks in networks and within distributed structures.

Vulnerability details: Two vulnerabilities have been identified in the SIMATIC S7-1200 and SIMATIC S7-1500 CPU families. Both concern the case where an engineer uploads (puts) source code to the SIMATIC: the design does not enforce an integrity check, so an attacker in a man-in-the-middle position can substitute counterfeit code and "put" it onto the device.

Official announcement: Please refer to the URL link – https://cert-portal.siemens.com/productcert/pdf/ssa-232418.pdf

CVE-2019-12256: Industrial and medical devices affected by IPv4 component design flaws in VxWorks 7 & VxWorks 6.9 (Aug 2019)

Background: Wind River's VxWorks is widely used in communications, military, aerospace, industrial control and other fields for its high reliability and excellent real-time performance. For example, it is used in the US F-16 and FA-18 fighters, B-2 stealth bombers and Patriot missiles. The most famous examples are the Mars probes: the lander that touched down on the surface of Mars in April 1997, the Phoenix lander (May 2008) and the Curiosity rover, which landed on Mars in August 2012 and also used VxWorks 7.

Vulnerability details: Wind River VxWorks 6.9 and VxWorks 7 have a buffer overflow in the IPv4 component. This is an IPNET security vulnerability: a stack overflow in the parsing of IPv4 packets' IP options.

Official announcement: CVE-2019-12256 is not affected by user-application code; this vulnerability resides in the IPv4 option parsing and may be triggered by IPv4 packets containing invalid options. The most likely outcome of triggering this defect is that the tNet0 task crashes. In the worst-case scenario, this vulnerability can potentially lead to RCE.
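A defensive IPv4 options walker, as an added example (not Wind River's IPNET code): it checks every option's length byte against the bytes actually present, and the pointer field of record-route and source-route options, before the block is copied into a fixed-size stack buffer, which is the step an unchecked length would overflow. The option-type values are the standard IPv4 ones; the sample option bytes in the test are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPV4_OPTS_MAX 40   /* 60-byte max header minus the 20-byte fixed part */

enum { OPT_EOL = 0, OPT_NOP = 1, OPT_RR = 7, OPT_LSRR = 131, OPT_SSRR = 137 };

/* Walks the options area of an IPv4 header.  Returns the number of options
 * seen, or -1 at the first malformed one.  Nothing is trusted until the
 * length byte has been checked against the bytes actually present. */
int ipv4_validate_options(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    int count = 0;

    if (len > IPV4_OPTS_MAX)            /* IHL can never describe more */
        return -1;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == OPT_EOL)            /* end of option list */
            break;
        if (type == OPT_NOP) {          /* single-byte padding */
            i++; count++; continue;
        }
        if (i + 1 >= len)               /* no room for the length byte */
            return -1;
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) /* length claims bytes that are not there */
            return -1;
        if (type == OPT_RR || type == OPT_LSRR || type == OPT_SSRR) {
            /* route options carry a pointer byte (>= 4) then 4-byte addresses */
            if (olen < 3 || opts[i + 2] < 4 || (olen - 3) % 4 != 0)
                return -1;
        }
        i += olen; count++;
    }
    return count;
}

/* Copies the option block into a fixed-size buffer (stack-sized, as in a
 * packet parser) only after validation; copying on an unchecked olen is
 * how a stack overflow happens.  Returns bytes copied or -1. */
int ipv4_copy_options(const uint8_t *opts, size_t len, uint8_t out[IPV4_OPTS_MAX])
{
    if (ipv4_validate_options(opts, len) < 0)
        return -1;
    memcpy(out, opts, len);            /* len <= IPV4_OPTS_MAX is now guaranteed */
    return (int)len;
}
```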

Remedy: Fixed in Vx7 SR620. Customers are advised to contact Wind River Customer Support.

When CVE-2019-14809 was announced, do you think you need to adjust your e-commerce operations? Aug 2019

Background: Google's Go language is suited to web development, especially front-end development. Quite a lot of companies use Go, for instance Facebook, Twitter, YouTube, Apple, Dropbox, Docker, SoundCloud, Mozilla Firefox, The New York Times, GitHub, GOV.UK and Uber.

Vulnerability details: A vulnerability in the net/url package in Golang Go could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system. The affected products include versions prior to 1.12.7 and prior to 1.11.12.

Observation: CVE-2018-12123 addressed hostname spoofing in the URL parser for the javascript: protocol in Node.js. CVE-2019-14809, however, is in the net/url package in Golang Go and could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system, because net/url in the affected versions mishandles malformed "hosts" in URLs. For more details, please see the attached diagram for reference.

Remedy: Golang has released software updates at the following link: https://github.com/golang/go/releases

Previous NFS 4.1 vulnerability (CVE-2018-16884) shows a Linux kernel design weakness.

Preface: A vulnerability in the NFS41+ subsystem of the Linux kernel could allow an authenticated, adjacent attacker to execute arbitrary code on a targeted system. The vulnerability exists because the bc_svc_process() function of the affected software uses the wrong back-channel ID, leading to a use-after-free in svc_process_common().

The defect is not only that the affected software uses the wrong back-channel ID; it also accesses freed memory, the use-after-free in svc_process_common(). Use-after-free vulnerabilities in the Linux kernel are perhaps common, and they are most likely caused by the following factors:

  • using an object without checking whether the pointer is valid
  • freeing an object without clearing the pointer

Doubt: If all the objects in a cache are freed, the whole space of the cache is recycled by the kernel.
Is that space definitely re-used for a cache storing objects of the original type? No.
So this benefits an attacker.

For NFS 4.1, following best-practice guidelines is highly recommended. For instance, if you use both NFS version 3 and NFS version 4.1, do not mix them on the same volumes/data shares, and separate the backend storage NFS network from any client traffic.

For the remedy of the "use after free" vulnerability in NFS41, please refer to: https://patchwork.kernel.org/patch/10733769/

Closer look: CVE-2019-1162 Windows ALPC Elevation of Privilege Vulnerability

Preface: ALPC (Advanced/Asynchronous Local Procedure Call) is a client/server (C/S) model technology developed by Microsoft to replace LPC for native RPC.

Vulnerability details: Tasks created by the Task Scheduler create a folder and file under "c:\windows\system32\tasks". This function was originally designed to write the discretionary access control list (DACL) of the task there. For some reason, it also checks whether the .job file exists under c:\windows\tasks and tries to set the DACL there.

Since users belonging to the guest group can create files in this folder, one can simply create a hard link to another file (only read access to it is needed). Through the hard link, the Task Scheduler can be made to write any DACL (see the second parameter of SchRpcSetSecurity) to the file of one's choice. Therefore, any file that is readable as a user, and on which the system has write-DACL permission, can be given full control and overwritten.

Vendor announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162