Monthly Archives: February 2020

System

2019 – The security protection of Docker, where are they?

Preface: Sysadmin may unintentionally expose a Docker registry service without enforcing proper access control, said Palo Alto Networks.

Background: Easy to deploy, one of the goal of container-based technology. Docker storing image in a managed collection, with standardized methods of identifying, committing, and pulling individual images. With this feature it is equivalent as a image Repositories. It makes Docker so useful is how easy it is to pull ready-to-use images from a Docker’s Central Registry. Meanwhile you can’t share your repository with other because it contains proprietary code or confidential information.

Technical details: Docker-Registry is a simple Python app. Your Registry can develop as a Private Registries. Besides, in some environments, sysadmin can setup the Registry SRV on port 443 and make it accessible on internet (Registry-dot-com). Such services are popular on AWS S3 or Azure.

Key areas of concern: Compromised Containers, mis-configuration & access control.

What we can do? Perhaps we can reference to NIST SP 800-190 application container security guide. URL display as below: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf

Virus & Malware

HKMA alerting public of the hsbc phishing email – 6th Feb 2020

Preface: Not the first time heard that cyber criminals mimics email from bank to hunting the victims.

Historical record: HSBC’s “Payment Notification” malware email was discovered in 2018.
These emails are designed to confuse people’s vigilance and use the HSBC brand name to reduce the defensive awareness of email recipients. An “auto-generated” email suggests that you open an attachment to view the payment proposal document.
If you open the attached Microsoft word file, you will be prompted to enable macros. If you do allow, a malicious macro will run in the background, The macro will download and install malware on your computer. I believed that cyber criminals hunting the mobile phone users this round.

Staying alert: For more details, please refer to official announcement for reference. https://www.about.hsbc.com.hk/-/media/hong-kong/en/news-and-media/200205-website-hsbc-warns-against-phishing-email-eng-20200205.pdf

Potential Risk of CVE

Learn more about CVE-2019-18634 – sudo vulnerability

Preface: Sudo (substitute user [or superuser] do) is a program used in Unix-like operating systems such as BSD, Mac OS X, and GNU / Linux to allow users to execute programs in a secure manner with special permissions (usually the system Super user).

Highlight: When pwfeedback is set, sudo will provide visual feedback when the user presses a key. This function allows the system to indicate the currently entered character with an asterisk character.

Vulnerability details: In January 2020, CVE-2019-18634 announced a vulnerability that had existed for more than 9 years, pointing out in the pwfeedback feature option. This function allows the system to indicate the currently entered character with an asterisk character. However, after the pwfeedback function is enabled in the sudoer file, it may allow users to trigger a stack buffer overflow attack, allowing users without system management rights, even those not listed in the sudoer file. Users in can be elevated to root account permissions.

Remedy: The bug is fixed in sudo 1.8.31.

Under our observation

F-secure internet gatekeeper 5.40 (heap overflow) – 30th Jan 2020

Preface: Heap overflows are exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated at runtime and typically contains program data.

Product background: F-Secure Internet Gatekeeper for Linux, aim to serve for small and medium business cyber security protection services. It capable to scanning incoming and outgoing including SMTP, HTTP, FTP and POP3 traffic for all types of malware.

Vulnerability details: F-Secure Internet Gatekeeper contains an admin panel that runs on port 9012/tcp. If attacker send a large size “Content-Length” with an unsigned long int through user administration process.
It will causes strtoul return the ULONG_MAX value which corresponds to 0xFFFFFFFF on 32 bit systems.
Adopt to above circumstances, when the fs_httpd_civetweb_callback_begin_request function tries to issue a malloc request to handle the data send by attacker, it first adds 1 to the content_length variable and then calls malloc. This causes a problem as the value 0xFFFFFFFF + 1 will cause an integer overflow. During the overflow, this code will read an arbitrary amount of data onto the heap – without any restraints.

Remedy: This critical issue was tracked as FSC-2019-3 and fixed in F-Secure Internet Gatekeeper versions 5.40 – 5.50 hotfix 8 (2019-07-11).

Potential Risk of CVE

The endless story of the SMTP gateway – CVE-2020-7247

Preface: Ray Tomlinson sent the first email across a network, initiating the use of the “@” sign to separate the names of the user and the user’s machine in 1971, when he sent a message from one DEC-10 computer to another DEC-10.

Synopsis: An SMTP relay is a protocol that allows email to be transmitted through the internet. OpenSMTPD design goals include security, reliability & easy of configuration. If you are OpenBSD ( open-source Unix-like operating system ) user, you can setup OpenSMTPD to relay local emails to Gmail.

Vulnerability details: So called the code blew a hole in relay server.

Privileges escalation: When mail is received by server, it uses the root (superuser account) to deal with it. And therefore anyone who’s can exploit this vulnerability. It similar to “promote” themselves to root.

This vulnerability exists in OpenBSD’s mail server OpenSMTPD’s “smtp_mailaddr()” function, and affects OpenBSD version 6.6. This allows an attacker to execute arbitrary shell commands like “sleep 66” as root user.

Remedy: To remediate this vulnerability, affected OpenBSD users are recommended to install patches for OpenBSD 6.6. See reference 019 in https://www.openbsd.org/errata66.html.

Under our observation

Digital transformation – coronavirus phishing scam email – Feb 2020

Synopsis: Staying alert especially to healthcare and pharmaceutical industry.
Condemn this phishing scam email similar to harm ordinary people during this period of time.

Observation: A sample phishing email detected last Tuesday, by email filter expert firm (Mimecast), shows cyber criminal send email with malicious links and PDFs that claim to contain information on how to protect yourself from the spread of the disease (see attached diagram).
Their goal is stolen the credential and personal information because it found Emotet payloads inside.

To ensure the cyber security awareness of your staff. IT Dept especially healthcare and pharmaceutical industry should be staying alert.