Monthly Archives: October 2019

Potential Risk of CVE

CVE-2019-14379 (Oracle Banking Platform & Oracle Financial Services Analytical Applications Infrastructure) – Oct 2019

4 Comments

Preface: Vendor vulnerability management program sometimes have doubt to public. They frequent ask, how to do the protection before patch release? Perhaps not require worry too much because zero-day vulnerabilities are go with us all the time.

Synopsis: On October 2019, Oracle has released its Critical Patch Update for October 2019 to address 219 vulnerabilities across multiple products. Perhaps FasterXML jackson-databind vulnerability bring my focus. Because this vulnerability was announced to public on August this year.

Vulnerability details: Banking finance business analyser will be familiar with OFSAA. OFSAA out of the box data models continue to be released as Erwin. But it supports Oracle SQL modeler for data model extensions.However the CVE-2019-14379 design weakness has been found on Oracle Banking Platform and Oracle Financial Services Analytical Applications Infrastructure. Data binding is useful for allowing user input to be dynamically bound to the domain model of an application (or whatever objects you use to process user input). SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

What is Fasterxml Jackson Databind?
Contains basic mapper (conversion) functionality that allows for converting between regular streaming json content and Java objects (beans or Tree Model: support for both is via ObjectMapper class, as well as convenience methods included in JsonParser. For more details of oracle security advisory details, please refer to url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Under our observation

Suspected that Podman-Varlink encounter Remote Code Execution – Under observation (14th Oct 2019)

Preface: Red Hat is investing in CRI-O and Podman. Meanwhile they are involved in the Open Container Initiative Standards Organization. The goal is to contribute and introduce drive innovation in their products, such as Red Hat OpenShift and Red Hat Enterprise Linux.

Background: Podman decide to provide a simple CLI for managing pods and containers. The design goal of Varlink aims to make services accessible to both humans and machines in the simplest feasible way. They described its product is an “interface description format and protocol”. It is just such another. Podman decided to build the Podman API based on varlink so users and developers can interact with Podman programmatically.

Design Synopsis: Podman relies on a Systemd feature called socket activation. Systemd allows developers to create socket unit files that tells systemd to listen on a particular socket like the unix domain socket “/run/io.projectatomic.podman”. When a process connects to this socket, systemd will launch the command specified in the service file with the same name. The launched command then handles the socket communications.

Vulnerability details: Depend on how Podman and Varlink are deployed, they can be susceptible to local and remote attacks. There are a few API bugs in Podman itself, as well as a way to execute arbitary commands if one can hit Podman via the Remote API. Running Podman with Varlink over tcp listening either on localhost or the network interface is the most vulnerable setup. For more details, please refer to diagram.

Potential Risk of CVE

CVE-2019-17132 vBulletin through 5.5.4 mishandles custom avatars

Preface: vBulletin™ is the world leader in forum and community publishing software. Vbulletin messenger make use of AJAX-based chat functionality.The main benefit of developing websites using Ajax is to help web browsers retrieve more data without causing a Web page to refresh.

Vulnerability details: User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint. Vulnerability found that these input are not properly validated before being used to update users’ avatars.
Hacker relies above flaw do exploitation, inject and execute arbitrary PHP code.

Remark: Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).

How attacker detect web site install vBulletin system.

  • HTTP headers, including cookies
  • Design will insert unique Javascript code into web pages.
  • Detect meta tag within the html pages.

Remedy: patches available for the following versions of vBulletin Connect:

- 5.5.4 Patch Level 2
- 5.5.3 Patch Level 2
- 5.5.2 Patch Level 2
Network (Protocol, Topology & Standard)

5g, where to go from here?

Preface: Why some people want everything fast. But when a man is having dinner with his girlfriend, he hopes that time will be slower.

5G communication background: In April 2008, NASA partnered with Geoff Brown and Machine-to-Machine Intelligence (M2Mi) Corp to develop 5G communications technology.
As times go by, On 3 April 2019, South Korea became the first country to adopt 5G.

Heard a lot of news of 5G technology. In additional to high speed and low latency. Can the 5G architecture be hacked?

5G is the first generation that was designed with virtualization and cloud-based technology. Nokia said building separate systems to meet future requirements and use cases of 5G was not an option, so the future network needed to be integrated and aligned with software-defined functions, cognitive technology to orchestrate it and distributed content and processing. 5G’s future rests on software-defined networking (SDN), whose main concept is to decouple the infrastructure of wireless networks from expensive, closed hardware and shift it to an intelligent software layer running on commodity hardware. However, software-defined functions are vulnerable to security threats as well. One of the most significant security risk factors is the possibility of a compromised SDN controller attack at the control plane layer. Due to the centralization design of the SDN, the SDN controller becomes the brain of the SDN architecture. Attackers can focus on compromising the SDN controller in an attempt to manipulate the entire network.

Perhaps above prediction was true. Samsung 5G Core NFs are cloud native NFs, which consist of container-based micro-services to enable flexible scaling and upgrade to meet telecom operators’ requirements. For more details, please refer below diagram.

Besides, 5G Service-Based Architecture (SBA) components consists of serveral components (Resource Controller, Subscription Manager, Policy Controller and Exposure Server). The interconnect in between packet core controller to above four different components could make use of HTTP/JSON. From security point of view , it is hard to forseen that this type of interconnection whether will encounter vulnerability in future.

On demand patch management in existing information technology world will be extend to 5G network in future.

Docker and Kubernetes become a main trend in technology world. Both products features can improve the redundancy and fault tolerance level of the system. And therefore it is hard to avoid the 5G services provider install similar architecture. APT attack and ransomware will wreak havoc with cyber world. In order to reduce the the zero-day of attack to Docker and Kubernetes environment. System hardening process and access control policy must be take in this place. So the 5G service based architecture system will be the new hacker target soon.

Summary: The above description is only cover a small part of the 5G network. Let us observe what will happen to the mobile communication world?

Potential Risk of CVE

All users of iTerm2 should update immediately – Oct 2019

Preface: iTerm2 not the default Mac terminal

Vulnerability details: A vulnerability, identified as CVE-2019-9535, exists in the way that iTerm2 integrates with tmux’s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.

Technical background: iTerm2 with tmux integration since version 3.3.5. The powerful feature of Tmux is able to run tmux as the remote command argument to ssh. Meanwhile Tmux is a terminal multiplexer. Simply put, this allows you to split one terminal session into many.

Remedy: Developer take the following actions:

  • Use session number everywhere rather than session name
  • Do not poll tmux for the set-titles-string, status-left, and status-right and then request the values of the returned format strings.
  • Hex-encode options saved in the tmux server to make them unexploitable

Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability.

Public safety

How to know your infrastructure under APT attack? NSA provide hints to cyber world (7th oct 2019)

Preface: Before the earthquake, many special phenomena will awaken people. Does a similar situation apply to cybersecurity attacks, especially APT?

Security focus: NSA has announcement a day ago. They urge the company must be extra care of vulnerabilities in Multiple VPN Applications. Are you interested of this article? Following URL can provide the details. https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF

Additional information: UTM is a common firewall design by far. Different kind of services are all in one box. Since the device is a UTM device (all integrated). Therefore, security experts can rely on log events generated by the firewall (Any-Any-Drop Action) to do a prediction.
The modern built in firewall defense and application firewall mechanism can identify the know CVE and shown on the log event. So you can relies on SIEM correlate function send the alert.
If your UTM log event contains a reject operation with following CVE reference number (CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379). It tell you that your company is under APT attack.

What is the next action when above scenario occurs? You should activate the escalation procedure immediately.

Under our observation

NCSC prediction – DNS monitoring will get harder (Sep 2019)

Preface: DNS monitoring can let you predict the user behaviour. According to Cisco’s research, over 90% of attacks are done over DNS and only two-thirds of organizations monitor their DNS records.

Technical details:
Go to options->Advanced->Network->Settings->Automatic proxy configuration url and enter 8.8.8.8 All you Mozilla traffic uses Google dns now. Google Public DNS fully supports DNSSEC for Domain Name Security Extensions which works against cache poisoning attacks. Meanwhile if mobile device leave company network, DDNS given by wireless hotspot might have way to leave your monitoring. Due to above feature, the Dutch National Cyber Security Centre (NCSC) has released a fact sheet on the increasing difficulty of Domain Name System (DNS) monitoring. For more details, please refer to URL: https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dns-monitoring-will-get-harder

Potential Risk of CVE

RTOS vulnerabilities found on July this year might impacting medical industry, said FDA (1st Oct 2019)

Preface: The Department of Homeland Security (DHS) and FDA are aware that the (URGENT/11) vulnerabilities will be effected medical device and hospital networks. They released announcement to urge specify industry to staying alert.

Vulnerability details: So called (URGENT/11) found on Wind River VxWorks on July 2019. Urgent11, it include 6 remote code defects and 5 less serious flaws. The design limitation of TCP/IP (IPnet) network stack let hackers to bypass traditional border and device security. If your IoT settings are integrated with physical LAN and 802.11 (wireless), but the IoT’s does not have internet communication capabilities. Maybe you also have a headache at the moment. See whether below suggestion can help.

  • If you do not have SIEM on hand. The primitive interim remediation should do the following.
    Turn MAC Filtering on wireless router
  • Turn on port protection on your network switch. If you are using low end network device which do not provide this function. Perhaps you must disable or use the seal tape to block the ethernet port not in used.

The key factor to prevent this vulnerability is enforce the network access control in your network. Do not let the strange (3rd party) plug in his computer to your network infrastructure.

If the internet connectivity function is enabled. So what we can do?
Since those vulnerabilities has CVE reference number assigned. And therefore application firewall can be quarantine the attack. Besides of that you have to apply above method to prevent the insider threat.

Reference: FDA announcement – https://www.fda.gov/news-events/press-announcements/fda-informs-patients-providers-and-manufacturers-about-potential-cybersecurity-vulnerabilities

Backstory: http://www.antihackingonline.com/potential-risk-of-cve/urgent-11-tremendous-design-limitation-jeopardizes-rtos-industry/

Potential Risk of CVE

Preface: The heap is the portion of memory where dynamically allocated memory resides (i.e. memory allocated via malloc ).

Background: Exim is a message transfer agent (MTA). It generally comes with default Debian installation. If you need to use ACL and other features you may need to install exim4-daemon-heavy (see below):
apt-get install exim4-daemon-heavy

Vulnerability details: The heap is the portion of memory where dynamically allocated memory resides (i.e. memory allocated via malloc ). The component (string.c) contain function to format the input data string and save. However it did not have mechanism to check the length of receiving data. As a result, it trigger a heap base buffer overflow by a extraordinary long EHLO string. The attacker have to find out which unlink() he can “reuse” in glibc. From technical point of view, Unlink() is the classic and probably the simplest one. In short attacker can overwrite arbitrary 4 bytes at two specified places (FD & BK)! This is more than enough to redirect the control flow.

Reference: Maximum length of a DNS name – Exceeded the maximum number of characters. The maximum number is LL (1) + LN (63) + LL (1) + LN (63) + LL (1) + LN (63) + LL (1) + LN (61) + NL (1) = 255 bytes

Remedy: No known mitigation. End user must download and build the fixed version 4.92.3

Potential Risk of CVE

RSA BSAFE Crypto-C Micro Edition vulnerability CVE-2019-3733

Preface: Who uses RSA’s BSAFE library? BSAFE uses Dual_EC_DRBG as its default pseudorandom number generator. Dual_EC_DRBG let people hesitation because the algorithm that is suspected to contain a NSA backdoor.

Product background: The Crypto-C ME software development toolkit is designed to enable developers to incorporate cryptographic technologies into applications. Crypto-C ME security software helps to protect sensitive data as it is stored, using strong encryption techniques to ease integration with existing data models.

Vulnerability details: RSA BSAFE Crypto-C Micro Edition, all versions prior to 4.1.4, is vulnerable to three (3) different Improper Clearing of Heap Memory Before Release vulnerability, also known as ‘Heap Inspection vulnerability’. A malicious remote user could potentially exploit this vulnerability to extract information leaving data at risk of exposure.

Additional information: For insatnce, if you software application written in CPython. So you have to implement your own data type in C and wipe memory in its deallocation function. Since BSAFE is one of the oldest cryptography libraries and therefore the original design not contain this clean up function in memory.

Vendor announcement (Reference URL): https://www.dell.com/support/security/zh-hk/details/DOC-107000/DSA-2019-079-RSA-BSAFE®-Crypto-C-Micro-Edition-and-Micro-Edition-Suite-Multiple-Security-Vulnerab