weekly security focus – memory leak vulnerability in vmci module (cve-2020-3959)

Preface: TCP / IP design restrictions have introduced security vulnerabilities to transport protocols.

Security focus: Memory leak vulnerability in VMCI module (CVE-2020-3959) – VMware ESXi, Workstation and Fusion contain a memory leak vulnerability in the VMCI module. It lets local non-administrative user send a malformed packet to a virtual machine. Such action may be able to crash the virtual machine’s vmx process leading to a partial denial of service.

Possible root cause: Attacker send malform packets containing null value in protocol field. The Virtual Machine Communication Interface will let such a packet in as an unclassified one. Though nowadays the null value in the Protocol field is reserved for IPv6 Hop-by-Hop Option (HOPOPT), not every server can receive and correctly process such a packet. And if such packets come in large quantities, their analysis will consume a large percentage of system resources, or exhaust them entirely and cause a server failure.

Remark: According to the RFC rules, the IP packet header should contain information on its transport level protocol in the Protocol field.

Official details please find follow link: https://www.vmware.com/security/advisories/VMSA-2020-0011.html

NSA preemptive curb threats factor – an exploitation of exim design weakness – 29th May 2020

Preface: The severity depends on your configuration, said vendor. It depends on how close to the standard configuration your Exim runtime configuration is. Jun 2019

Headline news on 28th May 2020 – The National Security Agency (NSA) has released a cybersecurity advisory on Russian advanced persistent threat (APT) group Sandworm exploiting a vulnerability—CVE-2019-10149—in Exim Mail Transfer Agent (MTA) software. Exim is growing in popularity because it is open source. An unauthenticated remote attacker can use this vulnerability to send a specially crafted email to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts.

The design weakness origin: The vulnerability was patched in Exim 4.92, released on February 10, 2019. The vulnerable code is in “deliver_message()”. A vulnerability exists because the email address in the deliver_message() function in /src/deliver.c is not fully validated. So local attackers simply send emails to “${run{…}}@localhost”. Since “localhost” is a local domain of Exim) and execute as root (system privileges).

Action: Apply Exim Updates Immediately

NSA official announcement – https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf

Critical Android bug 8,8.1 and 9 (CVE-2020-0096) – 27th May 2020

Preface: As of April 2020, 37.4% of Android devices run Pie, making it the most popular Android version.

Vulnerability details: A critical vulnerability on Android causes privilege-escalation The impact is that it allows attackers to hijack any app on an infected phone, it is much more difficult to detect, the name so called StrandHogg 2.0. For more details, please reference to follow link. https://promon.co/strandhogg-2-0/

Closer look to vulnerability: The bug so called a “StrandHogg 2.0” vulnerability (CVE-2020-0096) found by Promon researchers. This is because the vulnerability is similar to the original StrandHogg bug discovered last year. Like the original, a malicious app installed on a device can hide behind legitimate apps. When a normal app icon is clicked, a malicious overlay is instead executed, which can harvest login credentials for the legitimate app.

Official announcement – Android Security Bulletin May 2020: https://source.android.com/security/bulletin/2020-05-01

Under our investigation – One could potentially recover developer defined permissions by examining the permission checks in application code and the filters declared in the application manifest. Stay tuned!

Ebayer, are you aware someone behind you? 25th may 2020

Preface: Host discovery function embedded detection and vulnerability scan service. Under normal circumstances, since you are on a private network, there is no objection in this setting.

Synopsis: When visiting the eBay, a script will run that performs a local port scan of your computer to detect remote support and remote access applications, said bleeping computer.

Verification: Refer to the “Bleeping Computer” information. (https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/) There is already a program script on the eBay front-end Web portal, which has a scanning function, please refer to the following url (https://src.ebay-us.com/fp/check.js?org_id=usllpic0&session_id=1) . Apart from that this matter lure my interest to know the details. Following my analysis step, it also found current user profile has design weakness (SQL injection). Perhaps this issue was only detected when the user logged in. Now return the focus to the scan function. From technical point of view, it is not 100% guarantee on existing protection mechanism can avoid session fixation. So eBay should be aware of it. For the details of session fixation. Please refer below:

Wiki: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.

Comment: I am the eBayer since 2000. However I could not find the official announcement that eBay is going to scan my device. Perhaps I am not the only one has this unsatisfied feeling.

Security focus – Bind vulnerability (CVE-2020-8616) – 20th May 2020

Preface: BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS queries for your users.

About traditional DNS attack: An example of a DoS attack is the SYN
flood, which uses a the TCP SYN packet to create half open TCP connections on the server, which lead to the server having a massive pool of half open TCP connections and not allowing for anymore connections from legitimate hosts.

Vulnerability details: The recursion refers to the process of having the DNS server itself to make queries to other DNS servers on behalf of the client who made the original request.
In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. But the original design did not have limitation. So such circumstance can potentially degrade the performance of DNS server. Official announcement shown in this url: https://kb.isc.org/docs/cve-2020-8616

Additional vulnerability: https://kb.isc.org/docs/cve-2020-8617

VMware Cloud Director updates address Code Injection Vulnerability (CVE-2020-3956) – 22nd May 2020

Preface: Don’t underestimate the vulnerabilities discovered in the past, it will cause trouble for your cloud or system.

Background: VMware vCloud Director is a management tool for private and hybrid cloud architectures. Top Industries that use VMware vCloud Director are Financial Services, Insurance Program Managers Group, & business technology services provider.

Vulnerability details: VMware officially announced on May 19, 2020. Suppliers urge customers to immediately repair or apply workarounds. The details of the vulnerability pointed out by the vendor is a code injection vulnerability in VMware Cloud Director. The product failed to properly handle the input that led to the code injection vulnerability. For more details, please refer to following url: https://www.vmware.com/security/advisories/VMSA-2020-0010.html

Our observation: With reference to the workaround provided by vendor. The hints of JAR file (org.apache.bval.bundle) and ELF Class can tell us that hacker is able to conduct the arbitrary code execution through the Class Parameter passed To the GetClass vulnerability in the Apache Commons BeanUtils library. And therefore we suggest to do the patching immediately. For more details, please refer to following url: https://kb.vmware.com/s/article/79091

an issue was discovered in smartbear readyapi soapui pro 3.2.5 (20th May 2020)

Preface: SmartBear ReadyAPI and SoapUI are automated testing tools that you can use to create functional and security tests for web service APIs. The easiest way to run ReadyAPI tests from Azure DevOps is to use the SoapUI Pro for Azure DevOps task.

Background: The ReadyAPI platform accelerates functional, security and load testing of RESTful, SOAP, GraphQL and other web services right inside the CI/CD pipeline. The DevOps team is no stranger.

Vulnerability details: The security expert found a possible way to conduct cyber attack. When a insider threat occurs. The threat prepatrator can be figure out the target license setup condition. If victim deployed remote floating license setup by ReadyAPI. They will exploit the design weakness for Licensing Server. Since the communications in between SmartAPI and license server is using Java RMI protocol on port 1099 but without transport security. Meanwhile, Java RMI, and the underlying JRMP protocol, relies on Java serialization to transport method arguments, return values and exception data intensively. And therefore the problem is that there’s no way to know what you’re deserializing before you’ve decoded it. So an attacker can serialize a bunch of malicious objects and send them to your application.

Remedy: Allow deserialization, but make it impossible for attackers to create instances of arbitrary classes.
For instance: limit the input to a maximum of 10 embedded objects and 50 bytes of input. Besides, the official remedy solution not release yet.

Hacker target EU supercomputer – 19th May 2020

Preface: What if your computer is slow? Perhaps it is a sign of malware infection. This scenario also apply to modern supercomputer. Perhaps it is powerful. So no one aware. This is only a assumption. However modern supercomputer will be infected by malware. Why? Because part of the modern supercomputer has deployed a Linux OS system.

Details: It is true. For instance, Cray has Cluster compatibility mode.It is a standard x86/Linux environment. Several affected labs said that only the login portal to the supercomputer were affected, said Swissinfo.ch. Because hacker will be more interested of scientific research result in this period of time. In this case, how the attacker tried to infect the supercomputer. Please refer to the attached drawing. As usual, the attack entry point is the login portal. But the attacker should infect the client workstation on the beginning phase. For example Cryptocurrency mining malware shell script will be saved as /bin/httpdns. A scheduled task is created to run /bin/httpdns every hour. But it need to take the right time to land the script.

Headline Newshttps://www.swissinfo.ch/eng/bloomberg/hackers-target-european-supercomputers-researching-covid-19/45764250

Is it a cyber attack or a design change? (Sunday, May 17, 2020 (EDT))

Preface: High-level state-backed APT groups wreak havoc on cyber world. Does this attack only in short time or it will become a constant activities?

Security focus: Information technology professional will relies on DHS (US Homeland security) news update as a standard security alert indicator. For example, I am the follower. Found by tonight that the cyber security main page has changes. To be honest, my observation feedback to me that it is not normal. Regarding to the web page design, it shown that it do not use iFrame. However, the web site layout looks strange. I do not want to use the key term broken to describe. Because of this matter, I just take a look of the header information. It show to me that it is running Drupal.

Anyway it is recommend to remove this disclosure information. Perhaps the method is straight forward. The simplest method is to remove the header in a custom EventSubscriber. Please refer to diagram. The official information shown in follow URL. https://drupal.stackexchange.com/a/201297/47547

The problem now fixed by homeland security – 18th May 2020 – HKT

Little-Known Linux Exploits is being weaponize – 15th May 2020

Preface: The following information will continue the theme released yesterday. For review the details by yesterday, please follow this link – www.antihackingonline.com/cyber-war/high-level-state-backed-apt-groups-entrenched-in-plenty-of-servers-for-nearly-a-decade-using-little-known-linux-exploits-14th-may-2020/

About the theme: Sound can tell, according to statistic provided by Microsoft. Cyber security attack is rapidly growth especially in education area within past 30 days. Perhaps Healthcare and pharmaceuticals area cyber attack volume not as high as education area. However the details found by Microsoft has similarity with security expert observe in past. There are more and more attacker focus to Linux environment.

Security focus: Backdoor code in the popular Bootstrap. To launch the action, the backdoor must be embedded in a “bootstrap” application (a dropper) that is written in C and called xxx.c. Once compiled and started, the dropper program must infect the first Linux ELF executable that it finds in the current directory. Then, when this newly infected file is executed, your virus code is supposed to run.

The myth said that Linux will be secure than Windows. It will be not correct anymore.