All posts by admin

Linux Kernel before 4.20.8 kvm_ioctl_create_device Use-After-Free Vulnerability – Feb 2019

Preface: Linus Torvalds is the principal developer of the Linux kernel. Many Linux distributions and operating systems are built on the foundation he designed.

Synopsis: The KVM module (virt/kvm/kvm_main.c) enables machines with Intel VT-x extensions to run virtual machines without emulation or binary translation. However, a vulnerability exists in the kvm_ioctl_create_device function of the Linux kernel.

Details: The vulnerability is caused by a race condition in the kvm_ioctl_create_device function.
Affected software: the kvm_main.c source file of the Linux kernel

Impact: A successful exploit could trigger a use-after-free condition and crash the targeted virtual machine (a DoS condition). A successful exploit could also allow the attacker to gain elevated privileges on the targeted system.

Remedy action: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=cfa39381173d5f969daf43582c95ad679189cbc9

About Linux kernel flaw (CVE-2018-5391) – Cisco information update

Preface: Cisco provided a status update on CVE-2018-5391 on 18th Feb 2019, as a follow-up to the Linux kernel flaw announced in August last year.

Synopsis: A decade ago we said that the vulnerabilities of Microsoft Windows would jeopardize the IT world. That statement no longer fits today, because Linux and open-source applications now encounter risks just as frequently.

Vulnerability: From a technical point of view, this flaw is easy for an attacker to exploit. By sending crafted packets they can trigger time- and computation-expensive fragment reassembly algorithms that overload the CPU.

Don’t neglect this vulnerability:
Perhaps you will say that your IPS can filter such malicious traffic, and that the affected product has been patched, so your campus is secure. But Linux-based machines are common in today's IT infrastructure. What if a similar attack comes from an insider threat? What would the result be?

Cisco official announcement – 18th Feb 2019 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180824-linux-ip-fragment

Do we really need cryptocurrency or bitcoin?

Preface: A new survey out of China shows surging interest in bitcoin and cryptocurrency, with many keen to invest in crypto in the future, according to Forbes.

Synopsis: Human reliance on banknotes will perhaps soon be replaced by another form of payment. It is hard to say whether bitcoin will be that substitute, but the new generation of technologies will tell. Looking back at the decades after the Second World War, industrial civilization drove economic growth, which in turn motivated the payment industry to build systems such as Telex and SWIFT. We have to admit that electronic payment is the trend of the future, and that cryptocurrency and blockchain technology are on their way to being integrated into the modern business world.

Prediction: In Feb 2019, JPMorgan became the first major United States bank to introduce its own digital token for real-world use (see the URL below).
https://www.nytimes.com/2019/02/14/business/dealbook/jpmorgan-cryptocurrency-bitcoin.html
Add to that the smart city initiatives under construction around the world, and I believe the old-fashioned payment concept and architecture should be replaced!

CVE-2019-7304 – Canonical snapd Local Privilege Escalation Vulnerability – 15th Feb 2019

Preface: Why is REST so popular? REST can be used over nearly any protocol; when used for web APIs it typically takes advantage of HTTP.

Canonical snapd technical features: Snap is a software deployment and package management system. It can deliver and update your app on any Linux distribution, for desktop, cloud, and Internet of Things devices.

How the vulnerability occurs:

  1. Creating a file that contains uid=0 in its name, for example /tmp/ktgolhtvdk;uid=0;
  2. Binding to the socket file. After a UNIX domain socket is created, it must be bound to a unique file path using the bind function.
  3. Using that socket to initiate a connection to the snapd socket.
  4. When the string containing the socket path is parsed, the uid=0 inside it overwrites the previous user identifier (UID), so the client appears to the snapd daemon as the root user.
  5. This allows the attacker to create a new local user with root privileges using the API’s POST /v2/create-user function.
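To make step 4 concrete, here is an added Go example written for this post (it is not snapd's own code). It assumes the daemon records each peer as the string pid=<pid>;uid=<uid>;socket=<path>; and contrasts a parser that scans every ;-separated token for uid= with one that reads the fields positionally, so a socket name containing ;uid=0; can no longer override the kernel-supplied UID.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// Assumed format, not snapd's real code: the daemon records a peer as
// "pid=<pid>;uid=<uid>;socket=<path>;" where pid and uid come from the kernel
// (SO_PEERCRED) but path is whatever name the client bound its socket to.
// Constructed sample: an unprivileged peer whose socket name smuggles ";uid=0;".
const SampleRemoteAddr = "pid=4242;uid=1000;socket=/tmp/ktgolhtvdk;uid=0;;"

func parseUint32(field, key string) (uint32, error) {
	v, err := strconv.ParseUint(strings.TrimPrefix(field, key), 10, 32)
	return uint32(v), err
}

// parseUIDLoose mirrors the weakness from step 4: it tokenises on ';' and
// lets a later "uid=" token, here one that came from the socket path,
// overwrite the kernel-supplied value.
func parseUIDLoose(remoteAddr string) (uint32, error) {
	uid, found := uint32(0), false
	for _, tok := range strings.Split(remoteAddr, ";") {
		if !strings.HasPrefix(tok, "uid=") {
			continue
		}
		v, err := parseUint32(tok, "uid=")
		if err != nil {
			return 0, err
		}
		uid, found = v, true
	}
	if !found {
		return 0, errors.New("uid field missing")
	}
	return uid, nil
}

// parseUIDStrict reads the fields positionally: only the second field may carry
// the uid, and everything after "socket=" is an opaque path that is never scanned.
func parseUIDStrict(remoteAddr string) (uint32, error) {
	parts := strings.SplitN(remoteAddr, ";", 3)
	if len(parts) != 3 || !strings.HasPrefix(parts[0], "pid=") ||
		!strings.HasPrefix(parts[1], "uid=") || !strings.HasPrefix(parts[2], "socket=") {
		return 0, errors.New("malformed remote address")
	}
	return parseUint32(parts[1], "uid=")
}
```

On the constructed sample the loose parser returns uid 0 while the strict parser returns 1000; the real fix is to trust only the credentials the kernel reports, never text derived from a client-chosen path.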

Vendor Announcements: Canonical has released software updates at the following link.

https://github.com/snapcore/snapd/releases

VMware announcement – VMware product updates resolve a mishandled file descriptor vulnerability in the runc container runtime (15th Feb 2019)

Preface: Docker containers can run on VMware, so VMware and Docker can work together; they are not just competitors.

Vulnerability background: Docker announced on 12th Feb 2019 that it is vulnerable to a malicious attack. The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host.

Impact:
The attacker could trick a user with the necessary permissions into deploying a malicious container or running docker exec on one for them.

Remedy: VMware product updates resolve the mishandled file descriptor vulnerability in the runc container runtime (CVE-2019-5736). For more details, please refer to the official advisory: https://www.vmware.com/security/advisories/VMSA-2019-0001.html

Conclusion: In Jul 2017 VMware committed to working with the community to help establish common, open standards and specifications for containers. I think this vulnerability also has an impact on Stateful Containers on vSphere with the Orchestrator architecture, so an announcement may be posted soon!

Container Privilege Escalation Vulnerability (CVE-2019-5736) Affecting Cisco Products – Products under investigation – 15th Feb 2019

Preface: Cisco MSE is distributed as an Open Virtual Appliance (OVA) for installation on a virtual appliance and as an ISO image for installation on a physical appliance. Cisco MSE acts as the platform (a physical or virtual Cisco Mobility Services Engine [MSE] appliance) on which the Cisco services are deployed and run.

Open Container Initiative overview:
The OCI currently maintains two specifications: the Runtime Specification (runtime-spec) and the Image Specification (image-spec).

Cisco is concerned that the OCI flaw will affect its products:
/proc/self refers to the currently running process’s own environment, so an exec through /proc/self/exe is effectively calling the process itself. The flaw is that file descriptors related to /proc/self/exe are handled improperly, which allows an attacker to escalate privileges on a targeted system.

For more details, refer to the official announcement below: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

Internet censorship versus Dark Web – 2019

Preface: Have you heard about Internet censorship in South Korea?
https://en.wikipedia.org/wiki/Internet_censorship_in_South_Korea

Synopsis: This news seems to make people nervous. The fact is that most people are concerned about freedom of speech, but perhaps that topic is outside this discussion.
Let’s take a look at recent activities.

  1. Japan is going to probe its citizens' smart home devices in Feb 2019. The goal is to harden the cyber security of the country.
  2. Internet censorship in South Korea.
  3. The new regulations under China’s Cybersecurity Law, from November 2018, grant China's cyber security agencies the legal authority to conduct remote testing of any Internet-related business operating in China.

Analysis based on current circumstances:
Internet censorship, or so-called Internet surveillance, will soon be a mandatory action for every regime. Such a mechanism perhaps cannot stop the growth of illegal activities, since criminals simply relocate their playground to another area.
What is that place? It is the dark web.

More than 617 million stolen accounts from 16 hacked websites are reportedly for sale. It is believed that such surveillance is a possible way to enhance preventive and detective controls. What’s your opinion?

Security Focus – CVE-2019-0626 Microsoft Windows DHCP Server Remote Code Execution Vulnerability (12th Feb 2019)

Preface: This vulnerability is included in this week's Microsoft Patch Tuesday. However, it is more critical than the others, since a threat actor can achieve remote code execution through social engineering.

Technical highlight: The official announcement states that an attacker could exploit the vulnerability by sending a DHCP packet that submits malicious input to the affected software, because of a design weakness in how the DHCP server handles objects in memory. A successful exploit could allow the attacker to execute arbitrary code and compromise the system completely.

My observation: We did not find additional details of this vulnerability. My speculation is whether the Windows 2008 DHCP server has a non-paged memory leak flaw which causes this problem. What do you think?

Official remediation: CVE-2019-0626 | Windows DHCP Server Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0626

Romance scams

Valentine’s Day is coming soon and the romantic atmosphere will be on your mind. You may think you spend a lot on flowers or chocolate, but losing money in a romance scam would cost you even more.
From a cyber security point of view, it is a great time for cyber criminals to conduct their operations. They are not only after data theft; their targets are enterprise CEOs, politicians, military department staff and other important persons.
Perhaps hackers can take this opportunity to infiltrate your network infrastructure.

Stay alert!

Advantech WebAccess/SCADA Multiple Security Vulnerabilities – Jan 2019

Preface: Advantech is a leading brand in IoT intelligent systems, Industry 4.0, machine automation, embedded computing, embedded systems, transportation, …

New vulnerabilities found in WebAccess/SCADA Version 8.3:
CVE-2019-6519 – An improper authentication vulnerability exists that could allow a possible authentication bypass allowing an attacker to upload malicious data.
CVE-2019-6521 – Specially crafted requests could allow a possible authentication bypass that could allow an attacker to obtain and manipulate sensitive information.
CVE-2019-6523 – The software does not properly sanitize its inputs for SQL commands.

Status: The vendor has no patch released at the moment (see the URL below)

https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV&Doc_Source=Download

Recommendation: Enforce access control. Meanwhile, deploy a SIEM facility to enhance preventive and detective controls.