Is the Intel CSME flaw, as the headlines claim, not easily fixable? If that is true, how can we reduce the exposure? Mar 2020

Background: CVE-2019-0090 is described as an insufficient access control vulnerability in a subsystem of Intel(R) CSME before version 12.0.35 and Intel(R) SPS before version SPS_E3_05.00.04.027.0 that may allow an unauthenticated user to potentially enable escalation of privilege via physical access. On 5th Mar 2020 a cyber security research firm published the following finding. The Intel CSME boot ROM first initialises the page directory and enables page translation; the IOMMU is activated only later. There is therefore a window during which the CSME SRAM is exposed to external DMA writes (DMA into the CSME's own SRAM, not into the host processor's main memory) while the already-initialised page tables for Intel CSME are sitting in that SRAM.

Impact: a non-linear write bypasses the stack protector. A canary only catches a contiguous overrun that passes through it on its way to the saved return address; a write placed directly on the return address (which is what a DMA engine can do) leaves the canary intact and the check passes.

Remedy: if the stack protector stores the canary XORed with the return address, the epilogue check also covers the return address, so a non-linear write that changes only the return address is detected and this bypass becomes much harder.
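To make the difference concrete, here is an added illustration (not Intel CSME code, nor code from the researchers) of the two stack-protector designs against the two kinds of write. The 32-byte frame layout, the secret and the two return addresses are hypothetical; the point is only that the plain canary misses a targeted write on the saved return address while the canary-XOR-return-address form catches it.

```python
"""Added illustration (not Intel CSME code): why a write that lands directly on a
saved return address slips past a plain stack canary, and how storing the canary
as secret ^ return_address (the remedy described above) catches it.  The 32-byte
frame layout, the secret and the two return addresses are hypothetical."""
import secrets
import struct

WORD = struct.Struct("<Q")            # one 8-byte little-endian word
BUF_LEN = 16                          # local buffer sits below the canary
CANARY_OFF = BUF_LEN                  # canary sits between buffer and saved return address
RET_OFF = CANARY_OFF + WORD.size      # saved return address
FRAME_LEN = RET_OFF + WORD.size

GOOD_RET = 0x00401000                 # legitimate return site (hypothetical)
EVIL_RET = 0x00666000                 # attacker-chosen target (hypothetical)


def prologue(secret: int, ret: int, bind_to_ret: bool) -> bytearray:
    """Lay out buf | canary | ret.  The plain protector stores the bare secret;
    the hardened one stores secret ^ ret so the check also covers ret."""
    frame = bytearray(FRAME_LEN)
    WORD.pack_into(frame, CANARY_OFF, secret ^ ret if bind_to_ret else secret)
    WORD.pack_into(frame, RET_OFF, ret)
    return frame


def epilogue_ok(frame: bytearray, secret: int, bind_to_ret: bool) -> bool:
    """Recompute the expected canary from what is on the stack now and compare."""
    canary = WORD.unpack_from(frame, CANARY_OFF)[0]
    ret = WORD.unpack_from(frame, RET_OFF)[0]
    return canary == (secret ^ ret if bind_to_ret else secret)


def linear_overflow(frame: bytearray, target: int) -> None:
    """strcpy-style overrun: attacker bytes flow from buf through the canary into ret."""
    payload = b"A" * RET_OFF + WORD.pack(target)
    frame[:FRAME_LEN] = payload


def nonlinear_write(frame: bytearray, target: int) -> None:
    """One word written at a known offset (what a DMA engine can do); canary untouched."""
    WORD.pack_into(frame, RET_OFF, target)


def attack_succeeds(write, bind_to_ret: bool) -> bool:
    """True when the epilogue check passes although ret now points at EVIL_RET."""
    secret = secrets.randbits(64)                    # per-boot random value in a real protector
    frame = prologue(secret, GOOD_RET, bind_to_ret)
    write(frame, EVIL_RET)
    landed = WORD.unpack_from(frame, RET_OFF)[0] == EVIL_RET
    return epilogue_ok(frame, secret, bind_to_ret) and landed


if __name__ == "__main__":
    print("linear overflow   vs plain canary :", attack_succeeds(linear_overflow, False))
    print("non-linear write  vs plain canary :", attack_succeeds(nonlinear_write, False))
    print("non-linear write  vs secret^ret   :", attack_succeeds(nonlinear_write, True))
```

The XOR form raises the bar rather than removing the problem: an attacker who has an arbitrary write and also knows the secret can rewrite the canary to match the new return address. It is a mitigation, which is why the page still says to apply the patch.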

Current status: apply the patch even though it is not a complete fix, since the flaw sits in the boot ROM, which a firmware update cannot change – https://www.intel.com.au/content/www/au/en/support/articles/000025694/processors/intel-core-processors.html

Political and Justice – 2020

Wyden and Khanna proposed amending the Espionage Act of 1917 to protect journalists, whistleblowers, and security researchers who discover and disclose classified government information (see the URL below). https://www.wyden.senate.gov/news/press-releases/wyden-and-khanna-introduce-bill-to-protect-whistleblowers-ensure-journalists-arent-targeted-for-publishing-classified-information-

If you follow how cyber security is developing at the state level, you will see protection shifting from defensive to preventive. Few imagined that computer technology would be turned into a weapon. No state is absolutely in the right: when a hostile state conducts aggressive operations, its neighbours respond with defensive ones. Digital espionage relies on malware to achieve infiltration, so it is not limited to computer backdoors; email phishing and advanced espionage tooling are used as well. Sometimes this produces contradictions, and it can also become a tool in political fights.

Meanwhile, we can only salute the whistleblowers.

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness,..

Let’s review CVE-2019-11043: it is still valid today! (8th Mar, 2020)

Preface: CVE-2019-11043 is still being exploited today. It is an underflow vulnerability in PHP-FPM versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 when PHP-FPM is deployed behind Nginx.

Background: Apache's performance has drawn plenty of criticism, so web application developers sometimes move their architecture to an event-driven server. An event-driven server typically has a single thread that manages all connections; that thread uses the select() system call (or a more scalable equivalent such as epoll or kqueue) to wait for events on many connections at once. This greatly increases the number and speed of connections a server can service.
NGINX uses an event-driven architecture with non-blocking I/O: its event loop waits for events on the listening sockets and on the established connection sockets.

Nginx itself is a plain HTTP server; it does not execute application code. To run programs it hands requests to a CGI-style backend, commonly Nginx + PHP-FPM over FastCGI. Classic CGI has the drawback that every page load pays the cost of loading the program into memory, which is what a FastCGI process manager such as PHP-FPM avoids. Scripts that process remote user input, such as the contents of a form or a "searchable index" command, may be vulnerable to attacks in which the remote user tricks them into executing commands.

Impact: an attacker can exploit the underflow in PHP-FPM versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 behind Nginx to achieve remote code execution. Only servers with certain Nginx + PHP-FPM configurations are exploitable, so check yours!
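The "certain configurations" are the common PHP location blocks that use fastcgi_split_path_info and pass PATH_INFO to FPM without first checking that the requested script exists; a request whose path contains an encoded newline makes the split regex leave PATH_INFO empty, which is what triggers the underflow in unpatched FPM. Below is an added audit (not nginx's, PHP's or the page author's code) that scans an nginx configuration for that pattern and shows the hardened form next to it. Both configurations are constructed samples; the lint is a heuristic, and upgrading PHP-FPM remains the real fix.

```python
"""Added audit (not nginx's or PHP's code): scan an nginx configuration for the
PHP-FPM location pattern that makes CVE-2019-11043 reachable, and show the hardened
form beside it.  Both configurations below are constructed samples."""
import re

VULNERABLE_CONF = r"""
server {
    listen 80;
    root /var/www/html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        include fastcgi_params;
    }
}
"""

# Hardened form: refuse requests whose script file does not exist before handing them to FPM.
HARDENED_CONF = VULNERABLE_CONF.replace(
    "        fastcgi_split_path_info",
    "        try_files $fastcgi_script_name =404;\n        fastcgi_split_path_info", 1)


def location_blocks(conf: str):
    """Yield (selector, body) for each location block; nested braces are tracked by depth."""
    for m in re.finditer(r"location\s+([^{]+)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]


def risky_php_locations(conf: str) -> list:
    """Selectors of FPM locations that split PATH_INFO but never check the script exists."""
    risky = []
    for selector, body in location_blocks(conf):
        if "fastcgi_pass" not in body:
            continue                                   # not an FPM backend at all
        splits = "fastcgi_split_path_info" in body
        passes_path_info = re.search(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info", body)
        checks_script = re.search(r"try_files\s+[^;]*=404|if\s*\(\s*!-f", body)
        if splits and passes_path_info and not checks_script:
            risky.append(selector)
    return risky


if __name__ == "__main__":
    print("vulnerable sample:", risky_php_locations(VULNERABLE_CONF))   # ['~ [^/]\\.php(/|$)']
    print("hardened sample  :", risky_php_locations(HARDENED_CONF))     # []
```

Run it over the output of nginx -T on each host to find location blocks worth a closer look; the single try_files line is the change that turns the first sample into the second.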

PPP daemon vulnerable to buffer overflow due to a flaw in EAP packet processing – 5th Mar 2020

Preface: the PPP daemon (pppd) manages network connections between two nodes on Unix-like operating systems. The EAP extension to PPP was first defined in RFC 2284, now obsoleted by RFC 3748.

Synopsis: a 17-year-old defect in pppd has been found. It affects dial-up modems, DSL broadband connections and Virtual Private Networks, and Linux distributions including Debian, Ubuntu, SUSE Linux, Fedora and Red Hat Enterprise Linux, as well as NetBSD, are impacted. The overflow is reachable by an unauthenticated peer sending EAP packets, so both client and server deployments should be patched. PPP over Ethernet (PPPoE), defined in RFC 2516, transmits PPP frames over Ethernet and lets a network of PPPoE client hosts reach a service provider's access concentrator through a single bridging access device. The same protocol is used for interconnection in automation systems and SCADA architectures, so the impact reaches industries such as manufacturing, food production, electric and gas utilities and waste water treatment. Business equipment is not exempt either: Cisco CallManager, TP-LINK products and Synology products are among those listed. The OpenWrt Project is a Linux operating system for embedded devices, and since embedded platforms drive much of the lower-level mechanics of the IoT, that area appears to be in scope as well.

Official announcement – https://www.kb.cert.org/vuls/id/782301/

CVE-2020-0688 affects the Exchange Control Panel (ECP) components. Maybe you have already fixed it; however, because OWA faces the Internet, you should still worry about it. 5th Mar 2020

Preface: to remediate CVE-2020-0688 you need to install the security update in addition to the Cumulative Update.

Vulnerability background: Microsoft shipped the same set of cryptographic keys (the ASP.NET machineKey used by ECP) on every Exchange Server installation, and those keys are stored in plain text in a web.config file on every server. Anyone who knows the keys can forge data the server will trust.

Details: Microsoft released the patch on 11th Feb 2020. Less than two weeks later, on 24th Feb 2020, researchers released proof-of-concept (PoC) exploits for this vulnerability. If you have chosen to publish Exchange externally, this patch must be applied.
Exploiting this vulnerability is easy. Social networks often leak the fingerprint an attacker needs (a company email address). With an address in hand, the attacker crafts a phishing subject and body designed specifically to evade traditional security tools. If the victim falls for the trap and hands over credentials, even those of a non-privileged mailbox user, the attacker can use that account against ECP and turn the vulnerability into remote code execution on the server.
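The condition being abused is that every unpatched server carries the same machineKey, and the update addresses it by changing how Exchange creates the keys during install, so a fleet-wide comparison is a cheap check. Below is an added check (not Microsoft's or the page author's code) that parses the machineKey element out of each server's ECP web.config and reports any hosts sharing identical values. The sample configs and key strings are constructed placeholders, not the real default keys; the file path mentioned in the note is the default install location.

```python
"""Added check (not Microsoft's or the page author's code): find Exchange servers whose
ECP web.config carries the same ASP.NET <machineKey> values as another server.  Identical
keys across hosts is the condition CVE-2020-0688 abuses.  The configs and key strings
below are constructed placeholders, not the real default keys."""
import xml.etree.ElementTree as ET
from collections import defaultdict


def web_config(validation_key: str, decryption_key: str) -> str:
    """Build a minimal constructed web.config with an explicit <machineKey>."""
    return f"""<configuration>
  <system.web>
    <machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""


# Constructed fleet: two unpatched servers share one key pair; the third has unique keys.
SHARED = ("A1" * 32, "B2" * 24)
FLEET = {
    "exch01": web_config(*SHARED),
    "exch02": web_config(*SHARED),
    "exch03": web_config("C3" * 32, "D4" * 24),
}


def machine_key(xml_text: str):
    """Return (validationKey, decryptionKey) from configuration/system.web/machineKey, or None."""
    mk = ET.fromstring(xml_text).find("./system.web/machineKey")
    if mk is None:
        return None
    return mk.get("validationKey"), mk.get("decryptionKey")


def hosts_sharing_keys(fleet: dict) -> dict:
    """Map each key pair that appears on more than one host to the sorted list of those hosts."""
    by_key = defaultdict(list)
    for host, text in fleet.items():
        key = machine_key(text)
        if key is not None:
            by_key[key].append(host)
    return {key: sorted(hosts) for key, hosts in by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    for key, hosts in hosts_sharing_keys(FLEET).items():
        print("shared machineKey", key[0][:8] + "...", "on", ", ".join(hosts))
```

In practice, collect each server's ClientAccess\ecp\web.config from the Exchange install directory and feed the texts in as the fleet; any pair of hosts that still matches after the update has not been fixed correctly.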

“They will try to locate your OWA server. If your existing Exchange server is vulnerable, the attack can pass through your OWA.”

Remedy: Official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

Have you renewed and replaced your current “Let’s Encrypt” certificate? 4th Mar 2020

Preface: certificates will begin being revoked at 3 PM EST on 4th Mar 2020.

Security focus: due to a software bug, Let’s Encrypt had to rush to inform users that it would revoke the affected SSL/TLS server certificates within 24 hours. The certificates will be revoked by tomorrow, March 4 (at 00:00 UTC at the earliest). Sites with revoked certificates may begin showing insecure icons in browsers, and affected site publishers will have to request a new certificate to regain secure status.

Official announcement: The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
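The announcement describes a loop bug, so here it is as an added illustration (not Boulder's code): the buggy recheck that picks one name and checks it N times beside the corrected one, run against a constructed CAA history in which one domain owner forbids Let's Encrypt after the subscriber's validation but before issuance. The 8-hour recheck window and 30-day reuse window are the ones Let's Encrypt describes; the domains, dates and the other-CA name are constructed.

```python
"""Added illustration (not Boulder's code) of the CAA recheck bug described above:
a loop that picks one name and checks it N times beside the corrected loop, run
against a constructed CAA history in which one domain owner forbids Let's Encrypt
after the subscriber's validation but before issuance."""
from datetime import datetime, timedelta, timezone

CAA_RECHECK_AGE = timedelta(hours=8)    # validations older than this need a fresh CAA check
AUTHZ_LIFETIME = timedelta(days=30)     # how long a completed validation may be reused

# Constructed CAA history per domain: (date the record took effect, CA it permits).
CAA_HISTORY = {
    "example.org": [("2020-02-10", "letsencrypt.org")],
    "example.com": [("2020-02-10", "letsencrypt.org"),
                    ("2020-02-20", "other-ca.example")],   # owner later forbids Let's Encrypt
}

VALIDATED_AT = datetime(2020, 2, 12, tzinfo=timezone.utc)   # time X in the announcement
ISSUE_SOON = VALIDATED_AT + timedelta(hours=1)              # inside the 8-hour window
ISSUE_LATE = datetime(2020, 3, 1, tzinfo=timezone.utc)       # needs a recheck, before X+30d


def caa_allows(domain: str, at: datetime) -> bool:
    """Whether the CAA record in force at `at` permits issuance by Let's Encrypt."""
    issuer = None
    for since, ca in CAA_HISTORY[domain]:
        if datetime.fromisoformat(since).replace(tzinfo=timezone.utc) <= at:
            issuer = ca
    return issuer == "letsencrypt.org"


def recheck_buggy(names, now: datetime) -> bool:
    """The bug: one name is selected and checked len(names) times."""
    picked = names[0]
    return all(caa_allows(picked, now) for _ in names)


def recheck_fixed(names, now: datetime) -> bool:
    """The fix: every name in the request is rechecked."""
    return all(caa_allows(name, now) for name in names)


def can_issue(names, validated_at: datetime, now: datetime, recheck) -> bool:
    """Validation must be fresh, CAA must have allowed issuance at validation time,
    and a stale validation must pass `recheck` against the current CAA records."""
    if now - validated_at > AUTHZ_LIFETIME:
        return False
    if not all(caa_allows(name, validated_at) for name in names):
        return False
    if now - validated_at > CAA_RECHECK_AGE:
        return recheck(names, now)
    return True


def misissued_names(names, validated_at, now, recheck) -> list:
    """Names that would end up in a certificate although current CAA forbids it."""
    if not can_issue(names, validated_at, now, recheck):
        return []
    return [name for name in names if not caa_allows(name, now)]


if __name__ == "__main__":
    req = ["example.org", "example.com"]
    print("buggy:", misissued_names(req, VALIDATED_AT, ISSUE_LATE, recheck_buggy))   # ['example.com']
    print("fixed:", misissued_names(req, VALIDATED_AT, ISSUE_LATE, recheck_fixed))   # []
```

Note that the buggy loop's outcome depends on which name happens to be picked: with the names in the other order it rejects the request, which is why affected certificates cannot be recognised from the request alone and Let's Encrypt published a lookup tool instead.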

To check if your domain is affected by this bug and needs to be renewed, you can use the tool at https://checkhost.unboundtest.com/

Monthly news focus – Mar 2020

Preface: do you have doubts about the road map of an application penetration test? I believe it is a logical step. You may be concerned about the limited time window for remediating the different vulnerability findings. The penetration tester narrows the work scope down to the high-risk items first, since those are the highest-priority findings the customer has to fix.

How do you deal with application vulnerabilities? I have made this mistake myself: a high-risk rating made me nervous. Believe it or not, whether an application's vulnerabilities can be managed well sometimes depends on how carefully the penetration tester analyses the information collected. The example below shows what I mean.

GET for POST (risk: informational) – a request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness in itself. However, it may facilitate or simplify other attacks: for example, if the original request is subject to Cross-Site Scripting (XSS), this finding may indicate that a simplified (GET-based, link-delivered) XSS is also possible.

So don't worry too much, but be careful when you read your next application penetration test report, and remember to ask your consultant whenever you have a question.

Windows Kernel Elevation of Privilege Vulnerability + PWN-OS-FAKE UPDATE Windows 10 (Local) – Feb 2020

Preface: a custom DLL can be dropped into System32 via diaghub and loaded from there.

Background: starting with Windows 10, Microsoft introduced the Update Session Orchestrator service. A regular user can interact with this service over COM and, for example, start an “update scan” (check whether updates are available) or start the download of pending updates. There is even an undocumented built-in tool called usoclient.exe that serves this purpose.

From an attacker's standpoint this service is interesting because it runs as NT AUTHORITY\System and tries to load a non-existent DLL (windowscoredeviceinfo.dll) whenever an Update Session is created.

Vulnerability details: an attacker who can plant a custom DLL in System32 gets it loaded as SYSTEM. The diaghub technique (a third-party PoC tool) is one way to copy WindowsCoreDeviceInfo.dll into C:\Windows\System32; the privileged file move of CVE-2020-0668 is another.
The attacker then creates an update session so the service loads the DLL, and connects to the resulting bind shell with netcat (a third-party tool): nc.exe 127.0.0.1 1337.

Remedy CVE-2020-0668 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668