Closer look at OpenBSD Dynamic Loader chpass Privilege Escalation – 31st Dec 2019

Preface: According to statistics posted by w3techs, fewer than 0.1% of websites use OpenBSD as their operating system. Perhaps OpenBSD's footprint is in industrial manufacturing; for instance, the oil industry is said to be a heavy user of OpenBSD.

Vulnerability details: The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution.

Impact: The exploit module for this issue has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).

Causes: The vulnerability is in the OpenBSD dynamic linker (ld.so). Under memory-exhaustion conditions, ld.so fails to properly delete the LD_LIBRARY_PATH environment variable for set-user-ID and set-group-ID programs, such as chpass and passwd, which can then be used for privilege elevation.

Remedy: After downloading the source code, check out the version below before patching the vulnerability.

$ git clone https://github.com/openbsd/src.git
$ git checkout d2ce55dbd7845b33dafe44529e6ceb6b1c8ec6d5
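The bug class above is an environment sanitizer that fails open: the untrusted variable is parsed first and only removed afterwards, so an allocation failure on an oversized path list skips the removal. The following is an added model of that ordering problem, not OpenBSD's ld.so code; the allocation budget and the small ARG_MAX value are constructed stand-ins for real memory exhaustion.

```python
ARG_MAX = 16  # hypothetical small limit; the real ARG_MAX is far larger

def split_path(value, alloc_limit):
    """Split a colon-separated path list; raise MemoryError when the
    element array would exceed the (simulated) allocation budget."""
    elems = value.split(":")
    if len(elems) > alloc_limit:
        raise MemoryError("cannot allocate path array")
    return [e for e in elems if e]  # drop empty elements

def vulnerable_getenv(env, name, alloc_limit=ARG_MAX):
    """Parse first, unset afterwards: an allocation failure returns early
    and leaves the untrusted variable in the environment."""
    value = env.get(name)
    if value is None:
        return None
    try:
        paths = split_path(value, alloc_limit)
    except MemoryError:
        return None              # bug: env[name] survives for later use
    env.pop(name, None)
    return paths

def fixed_getenv(env, name, alloc_limit=ARG_MAX):
    """Remove the variable before parsing it, so no later failure can
    leave it behind; on failure return no search paths at all."""
    value = env.pop(name, None)
    if value is None:
        return None
    try:
        return split_path(value, alloc_limit)
    except MemoryError:
        return []                # fail closed

def demo(getenv_impl):
    # Constructed input with the shape the advisory describes: more colons
    # than the allocator budget allows, then an untrusted directory.
    env = {"LD_LIBRARY_PATH": ":" * (ARG_MAX + 4) + "/untrusted/dir"}
    getenv_impl(env, "LD_LIBRARY_PATH")
    return "LD_LIBRARY_PATH" in env   # True means sanitization failed
```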

About the ransomware attack on Maastricht University – 24th Dec 2019

Preface: “Maastricht University (UM) encountered a serious cyber attack,” the university announced on Christmas Eve, December 24, 2019.

Synopsis: The root cause is not known, but if the ransomware spread quickly it most likely exploited the Microsoft SMB protocol.
Perhaps it was Ryuk ransomware!
Other than that, Maastricht University relies on GitHub for its technology program development. This creates a similar pathway: cybercriminals can fork other projects, which on GitHub means producing a copy of someone else's project to build upon or to use as a starting point, and subsequently push a new commit containing malware to the project. Such malware can connect to a GitHub account to obtain the exact location of its C&C servers and then activate the ransomware infection.

Observation: Has any personal information been leaked? If so, this will be relevant to GDPR regulations.
It is currently unknown if scientific data was also accessed or exfiltrated by the attackers during the attack.

Headline News: Please refer to https://www.bleepingcomputer.com/news/security/ransomware-hits-maastricht-university-all-systems-taken-down/

CVE 2019-19492 (FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml) Remote command execution – Last update: 26th Dec 2019

Preface: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a versatile software implementation that runs on any commodity hardware.

Background: FreeSWITCH listens on port 8021 by default and will accept and run commands sent to it after authenticating. By default commands are not accepted from remote hosts.

Design weakness: FreeSWITCH 1.6.10 through 1.10.1 ships with a default password in event_socket.conf.xml. How the weakness is exploited: because the default password in event_socket.conf.xml is known, and commands are only refused from remote hosts by default, an attacker who can reach the event socket can authenticate with the default password using simple Python socket programming and execute commands remotely.

Remedy: It is recommended to block all untrusted connections to the event socket port with a firewall on this device until the vendor provides an official patch.
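A quick way to find the weak settings behind this CVE is to audit event_socket.conf.xml itself. The following is an added example, not FreeSWITCH project code: it reads the mod_event_socket parameters (listen-ip, listen-port, password, apply-inbound-acl) from a constructed sample file and reports findings; the caller supplies which password values count as the shipped default.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the event_socket.conf.xml layout; "changeme" stands
# in for whatever default password a given FreeSWITCH version ships.
SAMPLE_CONF = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="changeme"/>
  </settings>
</configuration>"""

def esl_settings(xml_text):
    """Return the event socket <param name=... value=...> entries as a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "")
            for p in root.iter("param") if p.get("name")}

def audit_event_socket(xml_text, default_passwords):
    """Return a list of findings; an empty list means no weak setting found."""
    s = esl_settings(xml_text)
    findings = []
    pw = s.get("password", "")
    if not pw or pw in default_passwords:
        findings.append("password is unset or still the shipped default")
    ip = s.get("listen-ip", "")
    if ip not in ("127.0.0.1", "::1"):
        findings.append("listen-ip %r exposes port %s beyond loopback"
                        % (ip, s.get("listen-port", "8021")))
    if not s.get("apply-inbound-acl"):
        findings.append("no apply-inbound-acl: any reachable host may try to authenticate")
    return findings
```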

Wish you a Merry Christmas 2019 (cyberX’mas).

I believe that the most annoying cyber security attack is ransomware. We know that unplugging or powering off is one way to stop the attack from spreading. Yes, agree.

Another way to avoid ransomware infection is to think it over before opening unknown email. Yes, during Christmas time your guard will be lowered since you will join balls and parties. So please be alert to phishing emails during Christmas.

By the way, remember to turn off your workstation before you leave the office today.

Merry Xmas and Happy New Year.

Not a serious mistake, but it could cause more trouble! (21st Dec 2019)

Preface: Computer technology, especially software applications, is the soul of the digital world.

Background: Pingbacks (also known as trackbacks) are a form of automated comment for a page or post, created when another WordPress blog links to that page or post. When you publish a new blog post, WordPress attempts to ‘ping’ all the sites that were linked to in your post. That is, your WordPress website is informing other websites that you’ve linked to them.

Design weakness: Trackbacks and pingbacks were meant to help inter-blog conversation when the specification was created years ago. These days almost 100% of trackbacks and pingbacks are spam, according to Akismet. That may cause more trouble!

Comments: WordPress released version 5.3.1 in December 2019. However, the above concern does not seem to have been addressed at the moment. It is reported that an attacker can exploit the weakness of pingback together with XML-RPC. As a result, it consumes system resources and causes a denial of service. So we must stay alert!

Remedy: Refer to the diagram.

5.3.1 official announcement: https://wordpress.org/support/wordpress-version/version-5-3-1/
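Pingback and XML-RPC abuse of the kind described above leaves a clear trace in the web server access log: bursts of POST requests to /xmlrpc.php from the same source. The following is an added detection example, not WordPress code; the log lines are constructed in the common log format and the threshold and window are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source hammering /xmlrpc.php, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Dec/2019:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [21/Dec/2019:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [21/Dec/2019:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [21/Dec/2019:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.9 - - [21/Dec/2019:10:00:05 +0000] "GET /2019/12/post/ HTTP/1.1" 200 8120
198.51.100.9 - - [21/Dec/2019:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
"""

def parse_line(line):
    """Parse one common-log-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TIME_FMT),
            "method": method, "path": path.split("?")[0], "status": int(status)}

def find_xmlrpc_floods(log_text, threshold=3, window_s=60):
    """Return {ip: peak_count} for sources that POST to /xmlrpc.php at least
    `threshold` times within any `window_s`-second sliding window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/xmlrpc.php":
            hits[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1      # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

Feeding the flagged sources into a firewall or rate-limit rule, or disabling XML-RPC pingbacks outright if the site does not need them, closes the resource-exhaustion path.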

Closer look of CVE-2019-1491 | Microsoft SharePoint Server Information Disclosure Vulnerability

Preface: Tip – any system that supports single sign-on (SSO) is affected by the pass-the-hash attack.

Background: Windows keeps hashes in LSASS memory, making them available for single sign-on.

Vulnerability details: An information disclosure vulnerability exists in Microsoft SharePoint when an attacker uploads a specially crafted file to the SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could potentially leverage SharePoint functionality to obtain SMB hashes. The security update addresses the vulnerability by correcting how SharePoint checks file content, aka ‘Microsoft SharePoint Information Disclosure Vulnerability’.

Remedy: Please refer to the official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491

Logon authentication integrated with AD can make your life easy. But sometimes it doesn’t (1st Dec 2019)

Preface: The modern world favors single sign-on; SAML and application system authentication are integrated with Microsoft Active Directory. Everybody might know such a setup contains risk, but in theory computers aim to make human life comfortable!

Background: The Alcatel-Lucent OmniVista® 8770 Network Management System (NMS) is an all-in-one graphical management application that offers a unified view of your ALE communication network.

Vulnerability details: No CVE reference number has been assigned to these vulnerabilities yet, but it appears that programming flaws created the loopholes.

– 4760 suffers from unauthenticated remote code execution as SYSTEM. No special configuration is required.

– 8770 and 4760 both suffer from a remote administrative password disclosure. No special configuration is required.

– 8770 suffers from an authenticated remote code execution vulnerability. When chained with the disclosure vulnerability, it becomes an unauthenticated RCE. In this case access to port 389 and a directory license are required.

Should you have any doubt of this matter, please contact vendor to find out the details.

Black Friday happened in New Orleans on 13th Dec 2019

Preface: Once upon a time, without the internet, the Black Friday virus infected your MS-DOS through floppy disks and made trouble for your personal computer.

Background: New Orleans declared a state of emergency and shut down its computers after a cyber security event. During a press conference on 14th Dec 2019, Mayor Cantrell confirmed that this was a ransomware attack.

Security expert findings: Based on files uploaded to the VirusTotal scanning service, the ransomware attack on the City of New Orleans was likely carried out by the Ryuk ransomware threat actors, said a cyber security expert.

Personal comment: Ransomware looks horrible! Are you interested in how national supercomputers can defend against cyber attacks, especially ransomware? Have you heard about Docker and container technology? Maybe we can discuss this in the future.

Headline News – See the link for more details: https://www.forbes.com/sites/daveywinder/2019/12/14/new-orleans-declares-state-of-emergency-following-cyber-attack/#3a12987c6a05

Perhaps WordPress 5.3.1 is a short-cycle maintenance release, but it is recommended to update now (Posted date: 14th Dec 2019).

Preface: WordPress powers 34% of the internet in 2019, a 4% rise from the previous year. If you count only the CMS-built sites, then about 60% of them are WordPress. In March 2019, experts found that a remote code execution vulnerability exists in WordPress. This is where our story begins.

Synopsis: The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the WordPress Security and Maintenance Release and upgrade to WordPress 5.3.1. From a cyber security point of view, it is better to update as soon as possible.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4. This release remedies four different vulnerabilities. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.

For more information on CVE-2019-9798, please refer to the attached infographic.

The official announcement can be found at this link: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

CVE-2019-17554 Apache Olingo OData 4.0 XML External Entity Injection – 4th Dec 2019

Preface: When you are sitting in the same boat, the risks at the time of the event are equal.

Background: Open Data Protocol (OData) is an open protocol which allows the creation and consumption of queryable and interoperable RESTful APIs in a standard way. Apache Olingo is a Java library that implements the Open Data Protocol (OData). In SAP HANA DB environments, quite a lot of business application systems work with Apache Olingo.

Vulnerability details: The XML content type entity deserializer is not configured to deny the resolution of external entities. Requests with content type “application/xml”, which trigger the deserialization of entities, can be used to trigger XXE attacks.

For security advice provided by Symantec, please refer to the link: https://www.symantec.com/security-center/vulnerabilities/writeup/111101?om_rssid=sr-advisories