Staying Alert! GRUB2 bootloader design weakness – 31st Jul, 2020.

Preface: From one perspective, an operating system and its related components are designed to provide functionality, so security does not necessarily fall within their design scope. Even when security has been included in the design, product technology changes by the day, which is why we so often hear about vulnerabilities.

Why do I need a system bootloader?
A bootloader exists because there is no standardized protocol for loading the very first code; that depends on the product design. Sometimes the first code is loaded from a serial port, from flash memory or even from a hard disk, and the component that does this loading is the bootloader.

Vulnerability details: The GRUB2 boot loader is vulnerable to a buffer overflow that results in arbitrary code execution during the boot process, even when Secure Boot is enabled.
An attacker could use it to plant malware known as a bootkit, which loads before the operating system (OS).

An attacker can modify “grub [.] cfg” because it is a plain text file that lacks any integrity protection such as a digital signature.
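The point above is that a change to grub.cfg is silent, because nothing on disk vouches for the file. The following is an added example (written for this page; it is not code from the page or from the GRUB project) of the two checks a defender can script for that file: a SHA-256 baseline for the whole file and, when the baseline no longer matches, a diff of the parsed menuentry blocks so the change can be tied to a specific boot entry. Both config fragments are constructed samples.

```python
import hashlib
import re

# Constructed sample grub.cfg contents (not taken from any real system).
BASELINE_CFG = b"""set timeout=5
menuentry 'Ubuntu' {
    linux /vmlinuz root=/dev/sda2 ro quiet
    initrd /initrd.img
}
"""

# Same file with one extra boot entry appended, the kind of edit an
# unsigned text config cannot reveal on its own.
TAMPERED_CFG = b"""set timeout=5
menuentry 'Ubuntu' {
    linux /vmlinuz root=/dev/sda2 ro quiet
    initrd /initrd.img
}
menuentry 'Ubuntu' {
    linux /vmlinuz-unknown root=/dev/sda2 ro
    initrd /initrd.img
}
"""

# One menuentry block: quoted title followed by a brace-delimited body.
MENUENTRY_RE = re.compile(r"menuentry\s+'([^']*)'\s*\{(.*?)\}", re.S)


def sha256_hex(data: bytes) -> str:
    """Hash used for the file baseline."""
    return hashlib.sha256(data).hexdigest()


def parse_menuentries(cfg: bytes):
    """Return (title, linux line, initrd line) for every menuentry block."""
    text = cfg.decode("utf-8", errors="replace")
    entries = []
    for match in MENUENTRY_RE.finditer(text):
        title, body = match.group(1), match.group(2)
        linux = initrd = None
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("linux "):
                linux = line
            elif line.startswith("initrd "):
                initrd = line
        entries.append((title, linux, initrd))
    return entries


def check_config(current: bytes, baseline_hash: str, baseline_cfg: bytes):
    """Compare the file hash; on mismatch, report added and removed entries."""
    report = {"hash_ok": sha256_hex(current) == baseline_hash,
              "added": [], "removed": []}
    if report["hash_ok"]:
        return report
    base = set(parse_menuentries(baseline_cfg))
    cur = set(parse_menuentries(current))
    report["added"] = sorted(cur - base, key=str)
    report["removed"] = sorted(base - cur, key=str)
    return report


if __name__ == "__main__":
    baseline = sha256_hex(BASELINE_CFG)
    print(check_config(BASELINE_CFG, baseline, BASELINE_CFG))
    print(check_config(TAMPERED_CFG, baseline, BASELINE_CFG))
```

A hash baseline only tells you that something changed; the parsed diff is what makes the alert actionable. GRUB itself also offers a detached-signature mode (set check_signatures=enforce, with a .sig file for each file it loads), which is the stronger control where it can be deployed.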

Official reference: GRUB2 bootloader is vulnerable to buffer overflow. Click on the URL for details – https://www.kb.cert.org/vuls/id/174059

Adobe Releases Security Updates for Magento (29th July, 2020)

Preface: To be precise, over 250,00 active sites use Magento.
Only 11,000 of those run on Magento 2, though. Many well-known international companies have chosen Magento as their e-commerce solution, including Coca-Cola, Nike, Harper's Bazaar, Fiji Water and Olympus.

Vulnerability details: Adobe has released security updates to address vulnerabilities in Magento Commerce 2 (formerly known as Magento Enterprise Edition) and Magento Open Source 2 (formerly known as Magento Community Edition). An attacker could exploit some of these vulnerabilities to take control of an affected system.

Remedy by Magento:

  • The template filter in legacy mode can be vulnerable to remote code execution (RCE). Enabling strict mode by default ensures that RCE attacks cannot be deliberately enabled.
  • To remove the opportunity to execute arbitrary JavaScript, data rendering for UI data providers is now disabled by default.
  • PHP could allow arbitrary code execution (the Eval class, during preload, causes the class to be only half available).
  • 2FA is enabled by default and cannot be disabled. This extra authentication step makes it harder for malicious users to log in to the Admin without authorization.

Official announcement: For more details, please refer to the link – https://helpx.adobe.com/security/products/magento/apsb20-47.html

CallStranger – CVE-2020-12695 (Reflected Amplified TCP DDOS via UPnP SUBSCRIBE Callback) – 29th July 2020

Preface: In the cyber world, many defense mechanisms accomplish their tasks well. However, daily operations involve differing business expectations and change management, and that creates many opportunities for cyber criminals.

Security focus today: With reference to the US-CERT announcement of 8th July 2020, US-CERT urges both information technology and operational technology zones to note that this UPnP design weakness may affect their environments. In detail: the Universal Plug and Play (UPnP) protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality, so the impact of this design weakness is wide. For instance, cyber criminals can turn this design weakness into a cyber weapon for data exfiltration. Besides, it can be exploited to bypass proxy servers and firewalls.
The data stealer uses a compromised device as a proxy, then establishes a secure (SSL) tunnel to an external server. Since no blacklist database is installed on the printer, the traffic is sent outside without difficulty. Apart from that, SSL traffic bypasses firewall content filtering, so the data can be exfiltrated. For the details of this matter, please refer to the attached diagram.
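The abuse described above works because a pre-April-2020 device accepts any CALLBACK URL in a SUBSCRIBE request and later connects to it. The following is an added example, not code from the page or from any UPnP stack, of the check a device (or a gateway in front of one) would apply on the way in: parse the SUBSCRIBE request, pull every URL out of the CALLBACK header, and accept the subscription only if every callback host is a literal IP address inside the device's own local network. The request text, the addresses and the local network are constructed; treating "same local network" as the acceptance rule is this example's assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample SUBSCRIBE request. The CALLBACK header lists the URL(s)
# the device will later POST event notifications to. The second URL points
# outside the local network, which is the reflection/exfiltration vector.
SAMPLE_REQUEST = (
    "SUBSCRIBE /upnp/event/basic HTTP/1.1\r\n"
    "HOST: 192.168.1.20:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.9:80/>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split a raw HTTP-style request into (method, path, headers dict)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return method, path, headers


def callback_urls(headers):
    """CALLBACK is a sequence of <url> tokens with no separator between them."""
    raw = headers.get("CALLBACK", "")
    return [u.strip() for u in raw.strip("<>").split("><") if u.strip()]


def callback_allowed(url: str, local_net: str) -> bool:
    """Accept only plain-http callbacks whose host is a literal IP in local_net.

    Hostnames are rejected outright: they could resolve to any address.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False
    return host in ipaddress.ip_network(local_net, strict=False)


def evaluate_subscribe(raw: str, local_net: str):
    """Decide whether to accept the subscription; list the offending URLs."""
    method, _path, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return {"accept": False, "rejected": []}
    urls = callback_urls(headers)
    rejected = [u for u in urls if not callback_allowed(u, local_net)]
    return {"accept": bool(urls) and not rejected, "rejected": rejected}


if __name__ == "__main__":
    print(evaluate_subscribe(SAMPLE_REQUEST, "192.168.1.0/24"))
```

A subscription with even one off-network callback is refused as a whole rather than partially honoured, since the device would otherwise still send traffic to the remaining bad destination. Operators who cannot update device firmware get the equivalent effect by blocking UPnP (TCP/UDP 1900 and the device's event ports) at the network edge.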

Reference: Vulnerability Note VU#339275 – https://kb.cert.org/vuls/id/339275

Highlights: An attacker can use this vulnerability for:

  • Bypassing DLP for exfiltrating data
  • Using millions of Internet-facing UPnP devices as the source of an amplified reflected TCP DDoS / SYN flood
  • Scanning internal ports from Internet facing UPnP devices

Joint alert from CISA & NCSC – Potential Legacy Risk from Malware Targeting QNAP NAS Devices – 27th JUL, 2020

Preface: Do a simple search in Shodan and you will find many QNAPs on the Internet.

Installation status of NAS (QNAP) around the world: We are not surprised that QNAP NAS equipment has a huge customer footprint. Because the price is reasonable (RAID-5 capable), it is cost-effective, so business operations, including medium-sized enterprises, are willing to use it. Perhaps because the IT team knows about patch management, the NAS (QNAP) devices are allowed to connect to the Internet.

Vulnerability details: All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes.

Important Note: Not exposing your NAS to the Internet will not stop an attack on the writable SMB shares mapped on your client machines when those machines are attacked. The only solutions are to disconnect all your mapped drives once you have finished using them, or to do the patch management.

CISA and NCSC also share the following mitigations to prevent future attacks:
• Verify that you purchased QNAP devices from reputable sources. If sources are in question, run a full factory reset on the device prior to completing the firmware upgrade.
• Block external connections when the device is intended to be used strictly for internal storage.

CISA urges F5 users to stay vigilant to deal with CVE-2020-5902 (24th Jul 2020)

Preface: As of today, the F5 BIG-IP platform has a market share of 72%.

Background: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on 24th July, 2020 urging F5 customers to stay alert. CISA has evidence that attackers are actively exploiting the vulnerability (CVE-2020-5902, an unauthenticated remote code execution (RCE) vulnerability in the ADC feature of the F5 product).

Vulnerability detail: With reference to the attached picture, security experts pointed out that attackers can attack over the HTTP/HTTPS transport protocol. The key flaw allows attackers to infiltrate and execute code remotely. In addition, an attacker can also read credential storage or files on the F5 operating system.

CISA alert: CISA recommends that all organizations go through the following action list while hunting for signs of exploitation:

  • Quarantine or take offline potentially affected systems
  • Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections
  • Deploy a CISA-created Snort signature to detect malicious activity (available in the alert under Detection Methods)

F5 Networks remedy plan: https://support.f5.com/csp/article/K52145254

Corrective control suggested by the vendor – To mitigate this vulnerability on affected F5 products, permit management access to the F5 products only over a secure network.
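The vendor's corrective control is to expose management access only over a secure network, and CISA's checklist asks for a review of recent network connections. The following is an added example, not code from the page, from CISA or from F5, that combines the two: it scans web-server access-log lines (constructed here, in common log format) and flags every request for a management-interface path whose source address lies outside an allowed management CIDR. CVE-2020-5902 affects the BIG-IP Traffic Management User Interface, whose web paths begin with /tmui/; treating /mgmt/ (the REST API) as management as well is this example's assumption.

```python
import ipaddress
import re

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.10.5.7 - - [24/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1532
198.51.100.23 - - [24/Jul/2020:10:01:09 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1532
10.10.5.7 - - [24/Jul/2020:10:02:15 +0000] "GET /tmui/index.jsp HTTP/1.1" 302 0
203.0.113.77 - - [24/Jul/2020:10:03:44 +0000] "GET / HTTP/1.1" 200 88
"""

# ip, two ignored fields, [timestamp], "METHOD path version", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption for this example: these prefixes identify the management UI/API.
MGMT_PATH_PREFIXES = ("/tmui/", "/mgmt/")


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def flag_external_management_access(log_text: str, allowed_cidrs):
    """List management-path requests whose source is outside allowed_cidrs."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MGMT_PATH_PREFIXES):
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # hostname-logged sources are out of scope here
        if any(src in net for net in nets):
            continue
        findings.append((rec["ip"], rec["method"], rec["path"], rec["ts"]))
    return findings


if __name__ == "__main__":
    for hit in flag_external_management_access(SAMPLE_LOG, ["10.10.0.0/16"]):
        print("management path reached from outside the management network:", hit)
```

A hit here does not prove exploitation, only that the management interface was reachable from where it should not have been; that is the condition the vendor's corrective control removes, and each hit is a connection to pull into the artifact review CISA asks for.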

Citrix Workspace app for Windows Security Update CVE-2020-8207 (23-07-2020)

Preface: Input validation becomes difficult when the environment contains many different features, even when software developers follow the guidelines. Because the design uses HTTP or HTTPS connections, the difficulty only increases!

Background: Citrix Workspace app consists of the Citrix Receiver core, the HDX engine, the new embedded browser engine, the files view and mobile app aggregation.
By default, Citrix Workspace Updates is disabled on the VDA. This includes RDS multi-user server machines, VDI and Remote PC Access machines.

Vulnerability details: Improper access control in Citrix Workspace app for Windows 1912 CU1 and 2006.1 causes privilege escalation and code execution when the automatic updater service is running. Official details are at the URL below:

https://support.citrix.com/article/CTX277662

Observation: One of the possible methods – refer to the connection method below. If a suspicious workstation has the Citrix Workspace app installed, an attacker can use an HTTPS or HTTP connection to exploit an SMB design weakness and compromise the Active Directory system. The concept is shown in the attached diagram.
Remark: There is a design weakness in the Citrix Workspace application. It seems the input validation requires improvement.

Vulnerabilities in SICAM MMU, SICAM T and SICAM SGU (Jul 2020)

Preface: In industry, power plants and substations, the SICAM MMU is applied to measure and calculate parameters.

Product background: SICAM T (transducer) is a digital measuring sensor that allows the measurement of electricity in non-electrical networks in a single unit. SICAM MMU (Measurement and Monitoring Unit) is a power monitoring device that allows the measurement of electricity in the power grid.

Remark: SICAM SGU has been discontinued.

Security Focus: CVE-2020-10042 – A buffer overflow in various positions of the web application might enable an attacker with access to the web application to execute arbitrary code over the network.

My observation:

Fundamental theory: For custom application software, all code that accepts input from users via HTTP requests must be reviewed to ensure that it can properly handle arbitrarily large input.

Possibility: According to the definition of CWE-120, the buffer overflow behind this vulnerability would be caused by a looping correction: the function no longer works after JavaScript updates the field (fields updated dynamically in JavaScript).

Synopsis: By sending carefully crafted input to an application, an attacker can cause the application to execute arbitrary code, possibly taking over the machine.

Official announcement: https://cert-portal.siemens.com/productcert/pdf/ssa-305120.pdf

Trojan under the .NET platform remains unchanged for a hundred years (22nd Jul 2020)

Preface: SharePoint will simply not use Framework versions for which they do not apply. For example, SharePoint 2010 uses .NET 2.0. If you install .NET 4, it will remain unused by SharePoint 2010. SharePoint 2019 uses .NET 4.7 and any lower version will simply not be used.

Background: Using Microsoft SharePoint as a CRM or as an external portal has been a popular setup in the past few years. SharePoint is a web-based platform built atop the ASP.NET framework. It is favored by many companies because the interface can be fully integrated with Microsoft Office.
Remark: SharePoint Server includes a set of web parts that users can add to pages after installing the product. If an organization needs custom web parts, a developer can write custom ASP.NET web parts and install them.

Design weakness: For .NET platform applications, by default the executable string “Response.Write” runs after the connection is established. Because the code-behind modules are compiled first, all of the output generated by Response.Write, Response.WriteFile, or inline server-side <SCRIPT> tags appears before any HTML tags when the HTML output is sent to the browser. Coincidentally, the chopper technique has a way to attack .NET Framework ASP.NET apps.

Current status: Cyber criminals target insecure default configurations in common web servers. Generally speaking, they use their initial unauthorized access to place malicious web shell programs and credential-stealing software on victim networks, which allows them to remotely execute commands on victim computers and related entities.

Windows 10 command “wsreset” combined with “mklink” provides a way to bypass User Account Control. (21st Jul 2020)

Preface: Known UAC bypass techniques include using Eventvwr and the registry key, or using a COM handler hijack.

A new way with a different technique: WSReset[.]exe opens the Windows Store app and clears the Windows Store cache when the cache is damaged or you encounter problems using the Windows Store. If an attacker can create a link that points this \InetCookies path (refer to the attached diagram) to a target directory of the attacker’s choice, that target directory will be the one deleted when wsreset runs.

Observation: The power of this UAC bypass extends to evading access control. A security expert found this design weakness and conducted a proof of concept showing how to delete an antivirus folder, making the antivirus malfunction after reboot.
This finding woke me up. Microsoft UAC, a security boundary, provides an opportunity for attackers.
From a technical point of view, quite a lot of antivirus products lock their files while their process is running, so an attacker may not be able to use this method to compromise a machine.
However, directory junctions can be created by any user and do not require administrator privileges, which makes them ideal for an attacker to exploit. We keep our eyes open to see whether the vendor will address this technical matter.

Sometimes he is a friend, but suddenly….(MAR-10296782-1.v1 – SOREFANG) – 29th Jul 2020 [Recent goal: targeting COVID-19 research and vaccine development]

Preface: It looks as though whoever has a vaccine for COVID-19 will be granted dominance of the world.

Reference: DVC APIs help you implement modules on the server and client side of a Remote Desktop Services connection that communicate with each other. A remote code execution vulnerability exists in Remote Desktop Services. When an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests,…… (CVE-2019-1182)

Description: Perhaps my research does not clearly reflect the actual status of the current malicious goal. However, everyone is looking for a vaccine. My personal interest brought my attention to a piece of malware called “SOREFANG”. It looks as though a vendor became a victim in this case, because the attacker or APT group re-engineered their VPN software. As a matter of fact, that company's footprint in China is large. The details of my observation and research are written down on the attached diagram. For those who are interested, please refer to the attached diagram.

Highlight: Vendor announcement: The only vulnerable servers are the Sangfor servers running firmware versions M6.1 and M6.3R1. The statement revealed that other servers are clean and are not affected by the zero-day used by the attacker.