VMware ESXi patches address Stored Cross-Site Scripting (XSS) vulnerability (CVE-2020-3955) – 28th Apr 2020

Preface: When you run a web scan or a web penetration test, XSS is usually easy to find. However, people tend to treat the matter with contempt.

How to avoid XSS?

1. Input should be filtered for special characters, especially < > & ' " .

2. Whitelisting and input validation are more commonly associated with SQL injection, but they can also be used as an additional method of prevention for XSS.

3. Sanitize user input.

About CVE-2020-3955: A user with access to modify the system properties of a virtual machine from inside the guest OS (such as changing the hostname of the virtual machine) may be able to inject a malicious script that is executed by a victim's browser when the virtual machine is viewed via the ESXi Host Client.
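The three prevention points above, applied to the scenario of this advisory (a guest-controlled hostname that is later rendered in a management web page), as an added Python example that is not code from VMware or from the original post. The hostname policy (RFC 1123 labels) and the row template are assumptions made for the illustration; the sample hostname is constructed.

```python
import html
import re

# Assumed allow-list policy (not from the advisory): RFC 1123 hostname labels,
# 1-63 characters, alphanumeric plus internal hyphens.
_HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_hostname(value: str) -> bool:
    """Input validation (point 2): every dot-separated label must fit the allow-list."""
    if not value or len(value) > 253:
        return False
    return all(_HOSTNAME_LABEL.match(label) for label in value.split("."))


def store_hostname(hostname: str) -> str:
    """Storage boundary: reject, rather than silently rewrite, a hostname that fails validation."""
    if not validate_hostname(hostname):
        raise ValueError("hostname rejected by allow-list")
    return hostname


def render_vm_row_unsafe(name: str, hostname: str) -> str:
    """Vulnerable pattern: guest-controlled strings are concatenated straight into HTML."""
    return f"<tr><td>{name}</td><td>{hostname}</td></tr>"


def render_vm_row(name: str, hostname: str) -> str:
    """Hardened pattern (points 1 and 3): every untrusted value is HTML-encoded at output time,
    so < > & ' " can no longer open a tag or an attribute in the viewer's browser."""
    safe_name = html.escape(name, quote=True)
    safe_host = html.escape(hostname, quote=True)
    return f"<tr><td>{safe_name}</td><td>{safe_host}</td></tr>"


# Constructed sample: a hostname set inside the guest that carries markup characters.
SAMPLE_HOSTNAME = "web01<b>bold</b>"

if __name__ == "__main__":
    print(render_vm_row_unsafe("vm1", SAMPLE_HOSTNAME))  # markup survives into the page
    print(render_vm_row("vm1", SAMPLE_HOSTNAME))         # markup is neutralised
    print(validate_hostname(SAMPLE_HOSTNAME))            # False: never reaches storage
```

Output encoding is the control that actually stops stored XSS; validation at the storage boundary is the defence-in-depth layer, because the same stored value may later be rendered by a component that forgets to encode.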

Remedy: VMware official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0008.html

Juniper hardens itself. Avoiding an injection attack against the log event services daemon – 28th Apr 2020

Preface: Frankly speaking, similar types of attack apply to all Linux-based devices, including firewalls.

The impact of this vulnerability: If J-Web is enabled, the attacker could gain the same level of access as anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web.

My observation: One possibility is that an attacker can craft a kernel message that contains '%' characters between pairs of '[<' and '>]' symbol markers to gain root access to the system. Perhaps, if the attacker's goal is surveillance, he can delete the log events and fool the SIEM system, since SIEM log event correlation functions rely on log events.
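Two detection checks that follow from the observation above, written as an added Python example (not code from Juniper or from the original post): flag events whose '[<' ... '>]' markers enclose '%' format characters, and look for gaps in a per-source event sequence, which is what deleted log events would leave behind. The sample lines and the "seq=N" counter convention are constructed for the illustration; real collectors differ in how (or whether) they number events.

```python
import re

# The pattern described in the observation: '%' characters between '[<' and '>]' markers.
_MARKED_FORMAT = re.compile(r"\[<[^>]*%[^>]*>\]")

# Constructed convention: the collector stamps each event with a per-source counter.
_SEQ = re.compile(r"\bseq=(\d+)\b")


def is_suspicious_event(line: str) -> bool:
    """True when a marker pair encloses a '%' character."""
    return bool(_MARKED_FORMAT.search(line))


def scan_events(lines):
    """Return (line_number, line) for every event that matches the marker pattern."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_suspicious_event(line)]


def find_sequence_gaps(lines):
    """Return the sequence numbers missing between consecutive events.

    A non-empty result means events were dropped or deleted between collection points,
    which is the condition a correlation rule should alert on rather than silently ignore.
    """
    seqs = [int(m.group(1)) for m in (_SEQ.search(line) for line in lines) if m]
    missing = []
    for prev, cur in zip(seqs, seqs[1:]):
        missing.extend(range(prev + 1, cur))
    return missing


# Constructed sample events: one marker pair carries '%' characters, and seq=4 is absent.
SAMPLE_EVENTS = [
    "seq=1 host=fw1 kernel: eth0 link up",
    "seq=2 host=fw1 kernel: [<clean>] session closed",
    "seq=3 host=fw1 kernel: [<%d%d>] interface reset",
    "seq=5 host=fw1 kernel: eth0 link up",
]

if __name__ == "__main__":
    for n, line in scan_events(SAMPLE_EVENTS):
        print(f"suspicious format characters at line {n}: {line}")
    print("missing sequence numbers:", find_sequence_gaps(SAMPLE_EVENTS))
```

Both checks belong at the collector or SIEM, not on the device: a daemon that can be influenced by the message it logs is exactly the component whose own output cannot be trusted to raise the alarm.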

Official announcement – https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021

An official remediation was released (avoiding the SQL injection attack encountered in Sophos XG Firewall) – 26th April 2020.

Preface: The modern, user-friendly functions installed on a firewall impact its defensive function.

Background: When a device provides a web page for entering user credentials, it may face an injection attack, whether SQL injection or command injection. This is especially true of firewall designs, which are capable of supporting and integrating LDAP authentication or a standalone authentication mode. From a security point of view, the firewall service daemon should be separated from its operating system kernel, and therefore the related firewall admin ID file (shadow) should not be saved in the etc folder but kept in a separate area. In the sense that the product can support SSL VPN services, there must be a place to store the user credentials that are set up in standalone mode, and that is where it may encounter an injection attack. If the credentials are stored in a repository, it will be affected by SQL injection.

Details: By investigating physical and virtual XG Firewall units, Sophos confirmed that its XG Firewall has a design weakness. This attack depends on the firewall setup.

Impact: Steal data from the firewall, including "usernames and hashed passwords".
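The background and impact sections above describe a credential repository that is queried with user-supplied input. The following added Python example (not Sophos code and not from the original post) shows the two ways such a lookup can be written, using a hypothetical standalone-mode user table in an in-memory SQLite database: the concatenated query hands every row (usernames and password hashes) to a quote in the input, while the parameterised query treats the same input as a plain string. The table, the user and the password are constructed for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 with a per-user salt; the repository stores only this digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def setup_db() -> sqlite3.Connection:
    """Constructed sample repository: one standalone-mode administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("admin", salt, _hash("correct horse", salt)))
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str):
    """Vulnerable pattern: the username is spliced into the SQL text, so a quote in the
    input rewrites the WHERE clause and the query can return rows it was never meant to."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Hardened pattern: a bound parameter is data, never SQL, whatever characters it holds."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Standalone-mode login built on the safe lookup and a constant-time digest compare."""
    rows = lookup_safe(conn, username)
    if not rows:
        return False
    _, salt, stored = rows[0]
    return hmac.compare_digest(stored, _hash(password, salt))


# Constructed input: a username containing a single quote and an always-true condition.
QUOTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    conn = setup_db()
    print("unsafe lookup rows:", len(lookup_unsafe(conn, QUOTED_INPUT)))  # 1: the admin row leaks
    print("safe lookup rows:", len(lookup_safe(conn, QUOTED_INPUT)))      # 0: no such user
    print("login:", authenticate(conn, "admin", "correct horse"))
```

Parameterisation is the fix for the query; keeping the credential store outside the web-facing daemon's reach, as the background section argues, limits what a future query bug can expose.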

Remedy: https://community.sophos.com/kb/en-us/135415

Headline news – detect and prevent cyber attackers from exploiting web servers via web shell malware. 23rd Apr 2020

Preface: Web shells are a well-known attacker technique, but they are often difficult to detect because of their proficiency in blending in with an existing web application.

Details: Web shells are used to gain root access to the server. Web shell malware is frequently chosen by APT groups; however, these are just a small number of the web shells known to be in use.

Vulnerabilities and executable environments frequently used by attackers:

CVE-2019-0604 (affecting Microsoft SharePoint)
CVE-2019-19781 (affecting Citrix appliances)
CVE-2019-3396 and CVE-2019-3398 (affecting Atlassian Confluence Server and Data Center Widget Connector)
CVE-2019-9978 (affecting the social-warfare plugin for WordPress)
CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357 (affecting Progress Telerik UI)
CVE-2019-11580 (affecting Atlassian Crowd)
CVE-2020-10189 (affecting Zoho ManageEngine Desktop Central)
CVE-2019-8394 (affecting Zoho ManageEngine ServiceDesk Plus)
CVE-2020-0688 (affecting Microsoft Exchange Server)
CVE-2018-15961 (affecting Adobe ColdFusion).

Official announcement – https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/
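Because web shells blend into the application they live in, the detection method the NSA guidance linked above puts first is a comparison of the production web root against a known-good copy. The following added Python example (not NSA code and not from the original post) implements that comparison over an integrity manifest and then applies a small marker heuristic to whatever the comparison turns up. The file contents, paths and marker list are constructed for the illustration; a real manifest comes from the release artefact or a clean image.

```python
import hashlib

# Constructed marker list: functions that legitimate application code rarely calls on
# request-controlled data. Used only to rank files the integrity check already singled out.
SUSPICIOUS_MARKERS = (b"eval(", b"base64_decode(", b"system(", b"shell_exec(", b"passthru(")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """files maps a relative path to its bytes. Returns {path: sha256} for a known-good release."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_with_manifest(manifest: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the known-good manifest."""
    known, live = set(manifest), set(current)
    return {
        "added": sorted(live - known),
        "removed": sorted(known - live),
        "modified": sorted(p for p in known & live if sha256_hex(current[p]) != manifest[p]),
    }


def flag_suspicious(current: dict, paths) -> list:
    """Second pass: of the paths the integrity check flagged, which contain a marker string."""
    return [p for p in paths if any(marker in current[p] for marker in SUSPICIOUS_MARKERS)]


def triage(manifest: dict, current: dict) -> dict:
    """Full run: integrity diff first, marker ranking second."""
    diff = compare_with_manifest(manifest, current)
    diff["suspicious"] = flag_suspicious(current, diff["added"] + diff["modified"])
    return diff


# Constructed known-good release and a constructed snapshot of the live web root.
KNOWN_GOOD = {
    "index.php": b"<?php require 'app.php'; ?>",
    "app.php": b"<?php echo 'hello'; ?>",
}
LIVE = {
    "index.php": b"<?php require 'app.php'; ?>",
    "app.php": b"<?php echo 'hello'; ?>\n<?php eval(base64_decode($payload)); ?>",
    "uploads/img.php": b"<?php system($cmd); ?>",
}

if __name__ == "__main__":
    result = triage(build_manifest(KNOWN_GOOD), LIVE)
    for key in ("added", "removed", "modified", "suspicious"):
        print(f"{key}: {result[key]}")
```

The manifest comparison is the authoritative signal: a file that is not in the release is a finding whatever it contains. The marker pass only orders the analyst's queue, and it will miss an obfuscated shell, which is why it runs after the diff rather than instead of it.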

Buffer Overflow (SEH Bypass): perhaps it is easy to encounter in medical software systems (20th Apr 2020)

Preface: IoT Enterprise runs on 32-bit and 64-bit x86 chipsets with support for Universal Windows Platform (UWP) apps as well as Classic Windows (e.g. Win32 and .NET) applications. Perhaps you will discover that plenty of medical devices still use 32-bit Windows applications.

Recent security alert on a medical product: 'DICOM Viewer 2.0' is capable of handling DICOM files of any modality (X-Ray angiogram, ultrasound, CT, MRI, Nuclear, waveform etc.), compression (lossless and lossy Jpeg, Jpeg200, RLE), depth or colour. The proof of concept showed that the software encounters a buffer overflow (SEH) under specific circumstances.

What is a buffer overflow (SEH)? An exception handler is a portion of code contained within an application, designed to handle an exception that may occur during runtime. Windows contains an exception handler by default (SEH) which is designed to catch an exception and generate an error. If the buffer is overflown and data is written to the SEH (located eight bytes after ESP), then all of the CPU registers are set to zero (0), and this prevents the shellcode from executing successfully. The bypass consists of removing the eight additional bytes from the stack and returning execution to the top of the stack, thus allowing execution of the shellcode.

Status: Waiting for official information update.

Reference: https://www.rubomedical.com/

Windu CMS – attacker exploits a PHP feature causing SQL injection and RCE (20th Apr 2020)

Preface: Why do we find vulnerabilities in apps so frequently? Fundamentally, an app's goal is to provide services and functions. Even if you call it a design weakness, protection controls should rely on other, separate services or components. It increases the difficulty for an attacker when you install antivirus (anti-malware) software on your mobile phone.

Vulnerability background: Windu CMS is a simple, lightweight and fun-to-use website content management system for Twitter Bootstrap. A security expert found a bug in Windu 3.1. The proof of concept showed that a PHP feature can be exploited to trigger SQL injection and remote code execution.

Security Focus: The PoC points out the important factor causing the vulnerability, and thus the developer should pay attention. At a high level, it is simple: the software developer should disable the eval function in PHP. Other than that, we should install an antivirus program on the smartphone.
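The point about eval generalises beyond PHP: any interpreter's eval turns user-supplied text into code. The following added Python example (not Windu CMS code and not from the original post) shows the pattern behind the advice, using a hypothetical CMS setting parser: the eval-based version executes whatever expression it is given, while the hardened version accepts only literal values and rejects everything else. The setting strings are constructed for the illustration.

```python
import ast

# Assumed policy for the hypothetical settings store: scalars only.
ALLOWED_TYPES = (int, float, str, bool, type(None))


def parse_setting_unsafe(raw: str):
    """Vulnerable pattern: eval evaluates arbitrary expressions, so a request parameter
    that reaches here is code, not data. Shown only to contrast with parse_setting."""
    return eval(raw)


def parse_setting(raw: str):
    """Hardened pattern: ast.literal_eval only builds literals (numbers, strings, bools,
    None, and containers of those); calls, names, attribute access and operators fail.
    The type check then narrows the result to the scalars this store actually needs."""
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a literal: {raw!r}") from exc
    if not isinstance(value, ALLOWED_TYPES):
        raise ValueError(f"unsupported setting type: {type(value).__name__}")
    return value


def parse_settings(raw_items: dict) -> dict:
    """Parse a whole form submission, collecting rejected keys instead of aborting on the first."""
    accepted, rejected = {}, {}
    for key, raw in raw_items.items():
        try:
            accepted[key] = parse_setting(raw)
        except ValueError as exc:
            rejected[key] = str(exc)
    return {"accepted": accepted, "rejected": rejected}


# Constructed form submission: two legitimate values and one that is an expression.
SAMPLE_FORM = {"page_size": "20", "theme": "'dark'", "limit": "__import__('os').getcwd()"}

if __name__ == "__main__":
    print(parse_setting_unsafe("2 * 21"))      # an expression, evaluated: 42
    print(parse_settings(SAMPLE_FORM))
```

Disabling or avoiding eval is necessary but not sufficient: the hardened parser also enforces the expected type, because a literal that is a list or dict where an integer was expected is still unexpected input further down the stack.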

Reference: WinDu CMS official website – http://en.windu.org/

Cisco security advisory – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data (17-Apr-2020)

Preface: The protocols and interfaces used by the controller to communicate with the application layer are called the Northbound interface. Protocols used for communication between the controller and forwarding nodes are called the Southbound interface. Northbound communication is used to retrieve information from, or send instructions to, the controller using APIs.

Vulnerability details: Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For details, please refer to the official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E

Other potential impact: The application's entry point to the SDN deployment is through the controller via the Northbound Interface (NBI). If the communication is done using REST APIs that lack proper protection, the PUT method can be used to alter configurations or add malicious files that can alter other devices. These attacks relate to communication over either the Northbound Interface (NBI) or the Southbound Interface (SBI). Some attacks are related to software. For details, please refer to the attached drawings.
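The two weaknesses the advisory names (authentication bypass and directory traversal) and the PUT concern raised above map onto three checks a northbound REST endpoint should make, in order. The following added Python example (not Cisco code and not from the original post) shows those checks for a hypothetical file-export resource: authenticate first, then restrict write methods to an administrative role, then confine the client-supplied file name to the export directory. The token, role names, export root and paths are constructed for the illustration.

```python
import hmac
import posixpath

# Constructed credential for the illustration; a real controller issues per-user tokens.
API_TOKEN = "constructed-example-token"
READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"PUT", "POST", "DELETE"}
EXPORT_ROOT = "/var/lib/ucs/exports"  # hypothetical export directory


def token_ok(presented) -> bool:
    """Authentication: reject a missing token and compare in constant time."""
    return presented is not None and hmac.compare_digest(presented, API_TOKEN)


def resolve_export_path(user_path: str):
    """Confine a client-supplied name to EXPORT_ROOT. Returns None when the
    normalised path would land outside the root (directory traversal)."""
    candidate = posixpath.normpath(posixpath.join(EXPORT_ROOT, user_path.lstrip("/")))
    if candidate != EXPORT_ROOT and not candidate.startswith(EXPORT_ROOT + "/"):
        return None
    return candidate


def handle_request(method: str, path: str, token, role: str):
    """Order matters: authenticate, then authorise the method, then confine the path.
    Returns an (HTTP status, detail) pair."""
    if not token_ok(token):
        return 401, "authentication required"
    if method not in READ_METHODS | WRITE_METHODS:
        return 405, "method not allowed"
    if method in WRITE_METHODS and role != "admin":
        return 403, "write access requires admin role"
    if not path.startswith("/exports/"):
        return 404, "unknown resource"
    resolved = resolve_export_path(path[len("/exports/"):])
    if resolved is None:
        return 400, "path escapes export root"
    return 200, resolved


if __name__ == "__main__":
    print(handle_request("GET", "/exports/report.csv", API_TOKEN, "operator"))
    print(handle_request("GET", "/exports/../../secrets.txt", API_TOKEN, "operator"))
    print(handle_request("PUT", "/exports/report.csv", API_TOKEN, "operator"))
    print(handle_request("PUT", "/exports/report.csv", None, "admin"))
```

The path check assumes the framework has already percent-decoded the URL; if it has not, decode before normalising, or an encoded ".." passes straight through. The role check is what keeps an authenticated but non-administrative client from using PUT to alter configuration, the scenario described above.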

Security Focus – April 2020 (Oracle security alert – CVE-2020-2959)

Preface: Perhaps you have a similar feeling every time you read a cyber security announcement from Oracle: the first impression is that there are too many. Reading the details, some items let you know the remediation process will be a long one!

Vulnerability detail: An unspecified vulnerability in the Analytics Web General component of Oracle BI Publisher. An easily exploitable vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks on this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. (CVE-2020-2950)

Observation: Since the official announcement does not describe the details, we did our own analysis. The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSO. When you enable SSO, the Oracle Business Intelligence URL becomes protected, and you must point the online Catalog Manager to the URL instead. That URL should remain unprotected; it is configured only to accept SOAP access as used by Oracle BI Publisher, Oracle BI Add-in for Microsoft Office, and the online Catalog Manager.

Potential risk or vulnerability – Session replay attacks specifically target websites and other systems that generate and store sessions.

Official announcement – https://www.oracle.com/security-alerts/cpuapr2020.html

Security Focus – Intel Modular Server (MFS2600KISPP) vulnerability – 14th Apr 2020

Preface: The global data centre blade server market is projected to grow at a CAGR of 8.35% during the forecast period, reaching a total market size of US$23.535 billion in 2025 from US$14.548 billion in 2019, according to ResearchAndMarkets.com.

Vulnerability details:

• Authenticated attackers may potentially enable escalation of privilege via local access due to improper buffer restrictions (CVE-2020-0600)
• Unauthenticated attackers may potentially enable escalation of privilege via adjacent access because of improper condition checks (CVE-2020-0578)

Observation: Coincidentally, Cisco blade servers had similar symptoms in 2015. Did they encounter the same problem?

Synopsis: As DRAM manufacturing scales down chip features to smaller physical dimensions, to fit more memory capacity onto a chip, it has become harder to prevent DRAM cells from interacting electrically with each other. As a result, accessing one location in memory can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells.

Official announcement: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00351.html

To infinity…and beyond! VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service – CVE-2020-3952

Preface: VMware announced that the external Platform Services Controller architecture is deprecated and will not be available in future releases.

Background: Authentication and certificate management is handled by the Platform Services Controller.

See the attached diagram: in the original design, the Platform Services Controller was placed in a standalone box. It is advised to put them together (a vCenter Server with an Embedded Platform Services Controller). From a cyber security protection perspective, the remedy reduces the attack surface. Before the embedded design, there were a lot of matters to worry about, for instance TLS and the LDAP directory available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems.
In essence, organizations are being asked to add LDAP channel binding and LDAP signing configuration changes to make authentication via LDAP on Active Directory Domain Controllers more secure. Currently, out-of-the-box LDAP configurations are subject to an elevation-of-privilege vulnerability, which could be exploited via a "man-in-the-middle" attack.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0006.html