All posts by admin

CVE-2020-27255 Software vulnerabilities that bypass the address space layout randomization (ASLR) protection (FactoryTalk Linx – Allen Bradley software product) 27th Nov 2020

Preface: To cope with Industrial automation and control system. The technology difference in between IT and OT are small. Perhaps they are close. For cyber security protection matters, seems they are no any difference.

Product background: Formerly known as RSLinx® Enterprise, FactoryTalk® Linx is included with most FactoryTalk software and functions as the premier data server
to deliver information from Allen‑Bradley control products to the control system. While FactoryTalk Linx interfaces with PLC-5®, SLC™ 500 and Micro800™ controllers, it is optimized to communicate with Logix 5000™ controllers using EtherNet/IP.
This gives the fastest data rates and capacity possible, while minimizing the impact on your automation networks and control system operation.
FactoryTalk Linx delivers a solution from small applications running on a single computer with a single controller, to large distributed and
even redundant data server configurations communicating with large automation systems.

Vulnerability details: A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the bypass of address space layout randomization (ASLR).

Observation: Vendor do not explicitly disclose the facts of the vulnerability. But most likely the vulnerability cause by java script based ASLR bypass attack.

Vendor announcement and remedy: https://us-cert.cisa.gov/ics/advisories/icsa-20-329-01

Headline News: A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs. (26th Nov 2020)

Do you doubt whether you are a victim? A quick way to confirm the vulnerability of Fortinet SSL-VPN ( CVE-2018-13379).

Preface: VPN client has design limitation causes information leakage not a news by today. However you should confirm your setup do not encounter this flaw.

Background: An unknown person left the information online. The details of such files are related to the IP address and details. However, Fortinet encountered this vulnerability a long time ago (2018). To confirm that he is not a victim. You can easily check the specific situation of the VPN firewall vulnerability status on your device. Please refer to the attached picture.

Headline News: A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs – https://www.bleepingcomputer.com/news/security/passwords-exposed-for-almost-50-000-vulnerable-fortinet-vpns/

Perspective VMware CVE-2020-4006

Preface: Within this week, the impression of VMware products vulnerabilities draw attention with a lot of people. It is because the vulnerabilities was found are high risk rating. But VMware is one of the pillar of virtual machine machine world. Do not worry too much. A good product should have space for improvement.

Product background: Workspace ONE Access, (formerly VMware Identity Manager), provides multi-factor authentication, conditional access and single sign-on to SaaS, web and …

Vulnerability details: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. But do not contempt this design fault because attacker require admin credential. However when attacker successful execute this vulnerability. It can compromise all the back end windows domain controller and critical system. It has workaround only provided by vendor currently. The goal of the workarounds do the hardening of web server config file and enforce the access control. For example, it is recommend to use “su” function instead of root. If you have interested of the details. Please refer to diagram.

Official announcement:

VMware – https://kb.vmware.com/s/article/81731

CERT Coordination Center – https://kb.cert.org/vuls/id/724367

VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (24-11-2020)

Preface: Use After Free scenario can occur when “the memory in question is allocated to another pointer validly at some point after it has been freed.

Background: If there is a process named vmware-vmx[.]exe in the process list then there is a virtual machine that is currently powered on. The Virtual Machine Monitor (VMM) process is in charge of managing the virtual machine memory and transfers virtual machine storage and network I/O requests to the VMkernel. All other, non-critical to performance, I/O requests are forwarded by VMM to VMX.

Vulnerability details: Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004) VMware ESXi contains a use-after-free vulnerability in the XHCI USB controller. VMware ESXi contains a privilege-escalation vulnerability (CVE-2020-4005) that exists in the way certain system calls are being managed. A malicious actor with privileges within the VMX process only, may escalate their privileges on the affected system. Successful exploitation of this issue require cooperate with another vulnerability (e.g. CVE-2020-4004). If the attacker successfully exploited two different vulnerabilities. As a result, he can manipulate the entire system, including all VM guest OS.

Official announcement (workarounds): https://www.vmware.com/security/advisories/VMSA-2020-0026.html

Buffer overflow is difficult to avoid, it can easily happen!

Preface: There are two primary types of buffer overflow vulnerabilities: Stack overflow and Heap overflow.

Product background: The administrative commandline client is a program that runs on a file server, workstation, or mainframe. It is installed as part of the Tivoli Storage Manager server installation process. The administrative client can be accessed remotely. From the administrative client, you can issue any server commands.

Vulnerability details: The PoC shown that you can do the following on the IBM Tivoli Storage Manager. In the “id” field paste the Proof of concept text format file (xxx.txt) and press “ENTER.

Below example is the essential command. According to the below details, it will let you know how to execute above syntax.

Official reference: You can bypass this batch mode double quotation mark restriction for Windows clients by using the back slash () escape character. For example, on the OBJECTS parameter of the DEFINE CLIENT ACTION command, you could enter the string with the \ character preceding the double quotation marks in the command.

dsmadmc-id=admin-password=admin define clientaction test_node domain=test_dom action=restore objects=’\”C[:]\program files\test*\”’

The PoC text file details do not display on our discussion. However I would like to bring your focus to the function which appear on the file. It is the jmp esp feature. The details you can find on the picture.

CVE-2020-3985 VMWARE SD-WAN Orchestrator vulnerability (19th Nov 2020)

Preface: Most SD-WAN suppliers have partnerships with leading cloud platforms, and they use a variety of methods to accelerate traffic coming to and from cloud platforms. But IT pros say, it should look for better security.

Background: The Orchestrator provides you with a JSON-RPC API, which means you call it over HTTPS. It’s not a RESTful API, as all calls go through a POST query and authentication is handled in a somewhat special way.

Vulnerability details: The SD-WAN Orchestrator allows an access to set arbitrary authorization levels leading to a privilege escalation issue.

Known Attack Vectors: An authenticated SD-WAN Orchestrator user may exploit an application weakness and call a vulnerable API to elevate their privileges.

Observation: According to VMware SD WAN 4.0 release note published on 18th Nov 2020. The Orchestrator API do the enhancement especially role base access control. A various new APIs used in the creation and management of custom roles. For example: role/getEligiblePrivilegesForCustomization – List privileges that eligible for customization for a given role. It is the effective solution to avoid misconfig of user role and access control.

Official announcement: https://www.vmware.com/security/advisories/VMSA-2020-0025.html

CVE-2020-16846 – SaltStack Salt(6th Nov 2020)

Preface: The interconnect component of the opensource application is the opensource software.

Background: Salt (sometimes referred to as SaltStack) is Python-based, open-source software for event-driven IT automation, remote task execution, and configuration management.

Vulnerability details: An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. For more details, please refer to attached diagram.

Workaround:

  1. Stop calling Popen with shell=True to prevent shell injection attacks on the netapi salt-ssh client.
  2. Split a command string so that it is suitable to pass to Popen without shell=True. This prevents shell injection attacks in the options passed to ssh or some other command.

How to Mitigate: Install the CVE fix and ensure your Salt-API has been restarted.

Announcement by NIST: https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-16846

What is the impact of CVE-2020-26892? (17-11-2020)

NATS Srv wiki – Cloud native messaging system made for developers and operators who want to spend more time doing their work and less
time worrying about how to do messaging.

End user of this product: Mastercard, Baidu, Alibaba Group, VMware, GE, Pivotal, Telia Company, netlify, htc, GE, Zephyr Project, tinder and ERICSSON

Vulnerability details: Some libraries treated tokens signed with the none algorithm as a valid token with a verified signature. The result? Anyone can create their own “signed” tokens with whatever payload they want, allowing arbitrary account access on some systems.


*In systems using HMAC signatures, verificationKey will be the server’s secret signing key
*In systems using an asymmetric algorithm, verificationKey will be the public key against which the token should be verified

Security focus: If a server is expecting a token signed with RSA, but actually receives a token signed with HMAC, it will think the public key is actually an HMAC secret key.

  1. Targeting JWT library
  2. Choose a payload for your token
  3. Then, get the public key used on the server as a verification key (text-based PEM format).
  4. Sign your token using the PEM-formatted public key as an HMAC key
    forgedToken = sign(tokenPayload, ‘HS256’, serverRSAPublicKey)

Result: Anyone with knowledge of the public key can forge tokens that will pass verification.

Reference: https://www.openwall.com/lists/oss-security/2020/11/02/2/2

Replay Protected Memory Block (RPMB) protocol vulnerability impact may more than expected – 16th Nov 2020.

Preface: With the advent of the 5G era, starting in 2019, UFS 3.0 has gradually been adopted by flagship smartphones.
UFS 3.1 is an optimized version of 3.0.

Background: The RPMB layer aims to provide in-kernel API for Trusted Execution Environment (TEE) devices that are capable to securely compute block frame signature. In case a TEE device wish to store a replay protected data, it creates an RPMB frame with requested data and computes HMAC of the frame, then it requests the storage device via RPMB layer to store the data.

A storage device registers its RPMB (eMMC) partition or RPMB
W-LUN (UFS) with the RPMB layer providing an implementation for
rpmb_cmd_seq() handler. The interface enables sending sequence of RPMB standard frames.

Vulnerability details: The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Since the impact not explicitly confirm by vendor yet. See below url for reference.

Western Digital – https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications

Netapp – https://security.netapp.com/advisory/ntap-20201113-0005/

CERT Coordination Center – https://kb.cert.org/vuls/id/231329

Security focus – Multiple vulnerability on SAP solution manager – 11th Nov 2020

Preface: CMDB is a repository that should contain only business critical items that you want to track. It should contain a record of information that allows you to answer business critical questions and helps you to connect business processes. CMDB should contain all the items that are important for your business or a service.

About SAP solution manager: SAP solution manager explicitly assists enterprise to fulfill above objectives. If you are planning to use SAP PI module then you should install Java Stack. Java Stack is currently being on Web based front ends and Stand-alone java portal. SAP NetWeaver Process Integration (SAP PI) is SAP enterprise application integration (EAI) software, a component of the NetWeaver product group used to facilitate the exchange of information among a company’s internal software and systems and those of external parties.

SAP Solution Manager – Multiple vulnerabilities due to lack of authentication check: For vulnerability details, please refer to link below. Apart from this, attached diagram can provide a quick way to understand the whole matters.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571

Changes related to SAP Solution Manager – Because of the SAP update a new version of SAP Solution Manager will be required starting January 1st 2020. The enhancement shown as below:

SAP solution Manager 7.2 SPS05/SPS06 – Partial connectivity to SAP, manual effort required.