Aveva Edna Enterprise Data Historian Vulnerabilities (CVE-2020-13508,CVE-2020-13505,CVE-2020-13503,CVE-2020-13501,CVE-2020-13500,CVE-2020-13499 & CVE-2020-13507) – Sep 2020

Preface: AVEVA has reached agreement to acquire OSIsoft, a pioneer and global leader in real-time industrial operational data software and services.

Background: Under normal circumstance, authorized user can navigate to the ASMX file through your browser. So, you can fill in the form with the parameters and post to the DB. If attacker finds the URL of this internet facing web portal, is there a way let hacker alter the database.

Reply: If someone else is in the same domain then he can copy the cookie in the referring page then exploit ASMX file to alter the DB.

Vulnerability details:

CVE-2020-13508 – Parameter AliasName in Alias.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13505 – Parameter psClass in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13503 – Parameter AttFilterName in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13501 – Parameter InstanceName in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13500 – Parameter ClassName in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13499 – Parameter InstancePath in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13507 – Parameter OrigID in Alias.asmx is vulnerable to unauthenticated SQL injection attacks

Remark: Specially crafted SOAP web requests can cause SQL injections resulting in data compromise on above items.

Remedy: Waiting for official announcement.

Boeing, U.S. regulator made series of errors ahead of 737 Max crashes: congressional report (SeP 2020)

Preface: From logical point of view, if input only relies on a standalone source (sensor). The integrity of the result all relies on the total amount of variable factors. Perhaps sensor install on airplane is a IoT device. So it lure my interest.

Background: Traditionally the older (NG) 737 variants did not have fly-by-wire technology, and autopilot could be overridden and turned off simply by putting manual pressure on the yoke.

Software that talks to computer like airplanes equipment is often written in a programming language called C. The names of files written in C code usually have .c at the end. This assumes that the MCAS software is contained a file called mcas.c. But this time there was no cyber attack. This is a problem caused by human error.

For the 737 Max crashes (congressional report). Please refer to headline news – https://www.cbc.ca/news/world/us-congress-boeing-crash-report-1.5725876

Cause of incident: In the case of the Lion Air crash, the sensor malfunctioned and caused the flight computer to push the nose down when the flight was level.

From technical point of view, the sensor is IoT device. There are facilities can avoid such disaster happen. Conceptually, even a simple xor gate with two input. Or the combination of NAND gates equivalent a XOR gate setup. The essential of objectives is the suitable logic apply to the Logic Circuit. Whereby, the output is dependant at all times on the combination of its inputs. It simple to say it is the logic design.

CVE-2020-13991 JerryScript 2.2.0 vm/opcodes.c privilege escalation (25th Sep 2020)

Preface: JerryScript is the lightweight JavaScript engine intended to run on a very constrained devices such as microcontrollers.

Background: In traditional programming environment.The source code is passed through a program called a compiler, which translates it into bytecode that the machine understands and can execute. Internet of Things devices have serious constraints on CPU performance and memory space. Therefore, Samsung designed the JerryScript engine, which can run on less than 64KB of memory, and all codes can be stored in less than 200KB of read-only memory (ROM).
JavaScript has no compilation step. Instead, an interpreter in the browser reads over the JavaScript code, interprets each line, and runs it.

Vulnerability: A vulnerability classified as critical has been found in JerryScript 2.2.0. This affects an unknown function of the file vm/opcodes.c. The manipulation with an unknown input leads to a privilege escalation vulnerability.

Remedy: On GitHub, Developer shown that it fixed. But there is no official announcement yet.

Sourcecodester Seat Reservation System Version 1.0 vulnerabilities

Preface: It is common for application developers to use open source as a reference.

Synopsis: If you are consider or has been used the free source code to develop the seat-reservation-system.
You should stay alert for vulnerabilities in this software product.

Vulnerability details:

Seat Reservation System 1.0 Unauthenticated SQL Injection (CVE-2020-25762)
Seat Reservation System version 1.0 suffers from an unauthenticated file upload vulnerability that allows for remote code execution. (CVE-2020-25763)

Remedy: You can do a config on your firewall or Nginx to restrict the access of ajax.php and admin function pages.

APT developing new evasion technique to conducting cyber attack – 23rd Sep 2020

Preface: The APT organization provides a hard-to-detect malware to attack other hostile campus.

Synopsis: The evasion technique found recently by security expert team is that APT 29 exploit the design weakness of detection machanism. They do a re-engineering to covert a zip file to JPEG.
“This technique works because JPEG files are parsed from the beginning of the file and some Zip implementations parse Zip files from the end of the file (since the index is located there) without looking at the signature in the front,” the researchers explain.

Perhaps APT 28 and 29 using different evasion technique aim to delivery the malicious resources to landing. Whereby, the final executor is the power shell.

So called Zebrocy. Its function is mainly Downloader. The evasion effect is better than the technique use by APT 29. After running, it will perform a persistence operation and pop up an error message box to confuse the user. When it is started with specific parameters, a screenshot will be taken. Through the timer callback function, send data to the remote server and wait for the subsequent payload to be downloaded.

Should you disable PowerShell?
No, minimize the risks with PowerShell Constrained Language mode.

Enabling Constrained Language mode ^
PS C:\Users\xxxx> $ExecutionContext.SessionState.LanguageMode = “ConstrainedLanguage”

This could be configured in registry HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment__PSLockdownPolicy .

Running PS as Admin you can simple remove this property
Remove-ItemProperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\” -name __PSLockdownPolicy

Recommended article: PSLockDownPolicy and PowerShell Constrained Language Mode – https://docs.microsoft.com/en-us/archive/blogs/kfalde/pslockdownpolicy-and-powershell-constrained-language-mode

Samba 4.0 and later drag in netlogon protocol vulnerability (CVE-2020-1472). As a matter of facts, the flaw not created by Microsoft – 22nd Sep 2020

Preface: CFB8 was created to have good error propagation properties over a noisy channel. It is well known that it is not fast; it is actually 16 times as slow, as it requires a block encrypt for each byte.

Details: CVE-2020-1472, also known as “Zerologon,” was given a “critical” security rating from Microsoft. It has possibility let attacker gain fully control all identity services in the AD domain. As a result, any device under the domain will run malicious programs. But this headache will be expand to other 3rd party solution provider. The US government issued an emergency order requiring the Zerologon patch to be completed by next week.

My observation: If you have windows policy applied – accounts locked after invalid login attempts for 3 times. Perhaps it will avoid this attack.

Remediation on Samba server: In samba server config (smb.conf) modify ‘server schannel = yes

Samba official announcementhttps://www.samba.org/samba/security/CVE-2020-1472.html

Attached diagram can provide information to you for reference.

An issue was discovered in the sized-chucks crate through 0.6.2 for Rust. Software developer should be careful when make use of paypal-rs. (19-09-2020)

Preface: Companies large and small are using Rust in production all over the world, including Mozilla, Dropbox, npm, Postmates, Braintree and others.

Vulnerability details: An issue was discovered in the sized-chucks crate through 0.6.2 for Rust CVE-2020-25791…CVE-2020-25796.
– Array size is not checked when constructed with unit() and pair()
– Array size is not checked when constructed with From<InlineArray<A, T>>.
– Clone and insert_from are not panic-safe (memory safety issues)
– Generates unaligned references for types with a large alignment requirement.

Rust does not implement Default for all arrays because it does not have non-type polymorphism. Rust does not implement Default for all arrays because it does not have non-type polymorphism. If the design do not contain check array mechanism fo constructing structures (“structs”) by specify type. Perhaps there is no proof of concept to exploit this vulnerability in the moment. However it looks that it provides a way for attacker exploit this design limitation in future. In the moment, it require to waiting for the developer do the remediation.

Should you have doubt for use the NFC on your android phone? (CVE-2020-0374 -17th Sep 2020)

Preface: The popularity of NFC mobile payments is owed to its ease of use and improved security options. Near-field communication (NFC) enables smartphones to exchange data and function as a payment device. It stores the customer’s credit card details and allows the user to pay at NFC POS terminals through smartphones.

Vulnerability details: In NFC, there is a possible permission bypass due to an unsafe “PendingIntent”. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

By giving a “PendingIntent” to another application, you are granting it the right to perform the operation you have specified as if the other application was yourself (with the same permissions and identity). As such, you should be careful about how you build the “PendingIntent”: almost always, for example, the base Intent you supply should have the component name explicitly set to one of your own components, to ensure it is ultimately sent there and nowhere else.

Reference: A PendingIntent is a token that you give to a foreign application (e.g. NotificationManager, AlarmManager, Home Screen AppWidgetManager, or other 3rd party applications), which allows the foreign application to use your application’s permissions to execute a predefined piece of code.

Affected products: AndroidVersions – Android-11Android ID: A-156251602

CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2020-0374

Predict the cause let PAN OS has vulnerability occurred (CVE-2020-2040) – 15th Sep 2020

Preface: The firewall does not display the Captive Portal web form to users until you Configure Authentication Policy rules that trigger authentication when users request services or applications.

Vulnerability details: A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface.

When a program (or subroutine) executes, it has a certain area of memory set aside called a stack (used for storing dynamically allocated variables). The stack also stores a return address to the program that invoked it. This allows a return to the code that was executing before the subroutine was called.

The goal of a buffer overflow attack is to overwrite the area of the stack where the return address is stored. The overwritten data will contain a new memory address pointing to the code that give a way for attacker to execute arbitrary code with privileges.

Official announcement: https://security.paloaltonetworks.com/CVE-2020-2040

Homeland security urge that do not contempt CVE-2020-1472 – 14th Sep 2020 A new story to Overturn “Netlogon” crypto algorithm

Security Focus:
By sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD (refer to Index 1). This can then be used to obtain domain admin credentials and then restore the original DC password.

Index 1: 0 xor 0 = 0 agian, all subsequent blocks fed to AES will be all-zero. And therefore 00 will keep being xorred to the next plaintext bytes.

Important notice by US Homeland Security:
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available exploit code for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. Attackers could exploit this vulnerability to obtain domain administrator access.

Reference: https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472