All posts by admin

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication (29th Jun 2020)

Preface: SAML implements a secure method of passing user authentications and authorizations between the identity provider and service providers. When a user logs into a SAML enabled application, the service provider requests authorization from the appropriate identity provider.

Design weakness: The design weakness of SAML was not XML edge cases nor attacker stealing your signing keys.
SAML mistaken allowing your users to log in to apps throught they couldn’t access. In order to avoid this matter happen. You should ensure your SAML assertions only work with the right apps, use unique signing keys for each app or service provider.

Palo Alto Releases Security Updates for PAN-OS: Authentication Bypass – details refer to following link. https://security.paloaltonetworks.com/CVE-2020-2021

If so, how to avoid risk happen. Schneider Electric T300 design weakness (30th Jun 2020)

Preface: Dedicated to the specific industry, so called operation technology.

Details: Schneider Electric announce to public that their Easergy T300 has design weakness. When you go through the document (see below url). It official inform that you have to trust your source and make use of your firewall or VPN enforcing the protection. Perhaps you might ask, why don’t vendor issue a firmware upgrade. Yes, my idea is that this is one of the different in between information technology and operation technology. The standpoint of my idea do not written here because the post here only for short message. In short, the official recommendation should taken. Additional, in order to avoid the malware infection. It is better to enhance the DNS lookup function. As of today, Clean DNS service not expensive and easy to implement. The admin only modify workstation and server DNS IP address. My comment is that this is a cost effective solution to avoid malware infection because it increase the difficult to Mr. Malware contact with their C&C server.

https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2020-161-04_Easergy_T300_Security_Notification.pdf&p_Doc_Ref=SEVD-2020-161-04

Apache Releases Security Advisory for Apache Tomcat (26th Jun 2020)

Preface: As of June 2020, Apache is used by 37.7% of all the websites.

Versions Affected:
Apache Tomcat 10.0.0 – M1 to 10.0.0 – M5
Apache Tomcat 9.0.0. M1 to 9.0.35
Apache Tomcat 8.5.0 to 8.5.55

Impact: An attacker could exploit this vulnerability to cause a denial-of-service condition.

Background: HTTP/2 uses header compression which requires a strict commitment of resources compared to HTTP/1.1. The attack vectors for the vulnerabilities discovered in HTTP/2 follow a certain pattern. The main goal is to setup a queue of responses to exhaust the resources on a server.

Official announcement: The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache security advisory for CVE-2019-10072 – http://mail-archives.us.apache.org/mod_mbox/www-announce/202006.mbox/%3Cfd56bc1d-1219-605b-99c7-946bf7bd8ad4%40apache.org%3E

VMware conducted remedy in EGCI and xHCI controller. It let us know more about the impact of USB. (25th Jun 2020)

Preface: If you don’t use the VMware 3D graphics feature. Perhaps the remedy solution this week by vendors in 3D features fixed will not your focus. But how about USB feature?

Background: To enable PCI devices to interrupt the CPU, all PCI devices on the PCI bus are assigned an IRQ number. The VMkernel uses discovery and interrupt rerouting mechanisms provided by the BIOS to assign these IRQ numbers. In certain cases due to hardware design, however, two or more devices might be tied to the same interrupt controller pin.

Impact:A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to crash the virtual machine’s vmx process leading to a denial of service condition or execute code on the hypervisor from a virtual machine.

Concept: Refer to attached diagram

Remedy: Official announcement -https://www.vmware.com/security/advisories/VMSA-2020-0015.html

Magento users stay alert – 24th Jun 2020

Background: Magento is an e-commerce platform written in PHP atop the zend-framework, available under both open-source and commercial licenses. It is written in an advanced object-oriented idiom that uses the MVC pattern and XML configuration files, aiming for flexibility and extensibility.

Vulnerabilities announced this week – Hints
Vendor have the right to remain vulnerability details and not disclose to public. And therefore we only obtain below information.

PHP Object Injection – Arbitrary code execution (Critical) – CVE-2020-9663

Stores cross-site scripting – Sensitive information disclosure (Important) – CVE-2020-9665

Please refer to attached diagram. Perhaps it will let you find out the root causes.

Official announcement: https://helpx.adobe.com/security/products/magento/apsb20-41.html

Australia (ACSC) urges local citizens to be vigilant against cyber attacks. The so-called copy-paste compromises – 18th June 2020

Preface: Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says. Mr Morrison did not name specific cases but said it had spanned “government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure”. 19th June 2020

Technical details: Long story short. The nick name of this attack ‘Copy-Paste Compromises. It is derived from the cyber attacker heavy use of proof of concept exploit code, web shells and other tools copied almost identically from open source. For more details, please refer below link to download the report.

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

Attack highlights: Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation. When a potential web shell is detected, administrators should validate the file’s origin and authenticity.

Recommendation: In normal circumstances, firewall locked down rule (deny any source to any destination) is hard to do the analytic through eyeball. But the attack vector designated to Australia. In order to avoid cyber attack in your firm. So firewall administrator should check their SIEM see whether it can find out the hints. If no such facility installed, Perhaps export the web server log see whether you can find out the attack activities details.

Win 10 Spatial Data Service Elevation of Privilege vulnerability – 17th Jun 2020

Preface: On Jul 2019, found vulnerability in the Windows Spatial Data Service could allow file deletion in arbitrary locations on Windows system found The official announcement this week state that Windows Spatial Data Service improperly handles objects in memory causes elevation of Privilege Vulnerability.

Background: The Spatial Data Service is running as NT AUTHORITY\LocalService in a shared process of svchost[.]exe.
This service is used for Spatial Perception scenarios. This service exists in Windows 10 only.

Vulnerability details: If a number is higher or lower than a range of values or there are too many characters in a text entry, a boundary error occurs. The vulnerability exists due to a boundary error when the Windows Spatial Data Service improperly handles objects in memory. A local user can use a specially crafted application to trigger memory corruption and execute arbitrary code on the target system.

Official remedy solution – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1441

US Homeland security urge public alert on “Ripple20” Vulnerabilities (16th June 2020)

Preface: Baxter US, Caterpillar, Digi International, Hewlett Packard Enterprise, Intel, Rockwell Automation, Schneider Electric and Trek are impact by this vulnerability.
There are more vendor which do not know the actual status.

Vulnerability details:
An attacker from outside the network taking control over a device within the network, if internet facing. There are more ways to exploit this vulnerability, please refer below link for reference.

Root causes: The attacker exploit of the IP protocol flexibility. That is the incoming IPv4 fragments over an IP-in-IP tunnel. As we know, IPv4 found early than Internet services. At that period of time the most serious incident is merely virus infection to local machine. Machine to Machine communication will be make use of serial cable or Novell network. In short, it is a simple architecture. But the attacker can be exploit the design weakness engaging the cyber attack to digital world.

Remedy: You can follow cert.org recommendation install IDS (refer below url link) or refer to attached diagram. A quick and dirty solution.
https://kb.cert.org/vuls/id/257161

intel new processor embedded anti malware feature – 15th june 2020

Preface: Starting with Oracle 11g release 1 (11.1), there is a just-in-time (JIT) compiler for Oracle JVM environment. A JIT compiler for Oracle JVM enables much faster execution because, it manages the invalidation, recompilation, and storage of code without an external mechanism.

Background: A way to prevent attack code execution by stack and heap. It marking stack and heap as non-executable. However some apps need executable heap (For instance JIT compiler), so it does not defend against `Return Oriented Programming’ exploits.

What is ROP exploit technique: Returnoriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

New Intel processor implement new preventive architecture: New Tiger Lake processors provides two new key capabilities to help guard against control-flow hijacking malware: Shadow Stack (SS) and Indirect Branch Tracking (IBT). For more details, please see follow link – https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

Archaeologist & Artificial intelligence – 14th Jun 2020

Preface: The traditional workforce faces the challenge of automation.

Myth and Science: Archeologist don’t understand why Pyramids of Giza directions to Orion’s belt in the sky.
Archeologist do not understand why Pyramids of Giza directions to Orion’s belt in the sky. So far, it has quite a lot of assumptions. The Myth mentioned that it let Pharaoh return to Orion. On the other hand, scientist found two different chemical inside pyramid ventilation shaft. When both chemical mixed, it will generate hydrogen. Thus make hydrogen atoms get energy, and then generate microwave energy beam.

The premise of science is the assumption:
Refer to attached diagram, I assumed technology structure especially smart city, industrial automation, cryptocurrency are the major elements driven artificial intelligence. Then put those elements to pyramid. Authority and decision-making power (Artificial Intelligence) are concentrated at the top of an organizational pyramid. When AI technology become mature. Do you think AI also want to communicate with Orion. Or, it could spell the end of the human race.

Perhaps we all know the disadvantage of artificial intelligence, but we cannot stop. This is the destiny of mankind.