All posts by admin

An issue was discovered in the sized-chucks crate through 0.6.2 for Rust. Software developer should be careful when make use of paypal-rs. (19-09-2020)

Preface: Companies large and small are using Rust in production all over the world, including Mozilla, Dropbox, npm, Postmates, Braintree and others.

Vulnerability details: An issue was discovered in the sized-chucks crate through 0.6.2 for Rust CVE-2020-25791…CVE-2020-25796.
Chunk:
– Array size is not checked when constructed with unit() and pair()
– Array size is not checked when constructed with From<InlineArray<A, T>>.
– Clone and insert_from are not panic-safe (memory safety issues)
InlineArray:
– Generates unaligned references for types with a large alignment requirement.

Rust does not implement Default for all arrays because it does not have non-type polymorphism. Rust does not implement Default for all arrays because it does not have non-type polymorphism. If the design do not contain check array mechanism fo constructing structures (“structs”) by specify type. Perhaps there is no proof of concept to exploit this vulnerability in the moment. However it looks that it provides a way for attacker exploit this design limitation in future. In the moment, it require to waiting for the developer do the remediation.

Should you have doubt for use the NFC on your android phone? (CVE-2020-0374 -17th Sep 2020)

Preface: The popularity of NFC mobile payments is owed to its ease of use and improved security options. Near-field communication (NFC) enables smartphones to exchange data and function as a payment device. It stores the customer’s credit card details and allows the user to pay at NFC POS terminals through smartphones.

Vulnerability details: In NFC, there is a possible permission bypass due to an unsafe “PendingIntent”. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

By giving a “PendingIntent” to another application, you are granting it the right to perform the operation you have specified as if the other application was yourself (with the same permissions and identity). As such, you should be careful about how you build the “PendingIntent”: almost always, for example, the base Intent you supply should have the component name explicitly set to one of your own components, to ensure it is ultimately sent there and nowhere else.

Reference: A PendingIntent is a token that you give to a foreign application (e.g. NotificationManager, AlarmManager, Home Screen AppWidgetManager, or other 3rd party applications), which allows the foreign application to use your application’s permissions to execute a predefined piece of code.

Affected products: AndroidVersions – Android-11Android ID: A-156251602

CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2020-0374

Predict the cause let PAN OS has vulnerability occurred (CVE-2020-2040) – 15th Sep 2020

Preface: The firewall does not display the Captive Portal web form to users until you Configure Authentication Policy rules that trigger authentication when users request services or applications.

Vulnerability details: A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface.

When a program (or subroutine) executes, it has a certain area of memory set aside called a stack (used for storing dynamically allocated variables). The stack also stores a return address to the program that invoked it. This allows a return to the code that was executing before the subroutine was called.

The goal of a buffer overflow attack is to overwrite the area of the stack where the return address is stored. The overwritten data will contain a new memory address pointing to the code that give a way for attacker to execute arbitrary code with privileges.

Official announcement: https://security.paloaltonetworks.com/CVE-2020-2040

Homeland security urge that do not contempt CVE-2020-1472 – 14th Sep 2020 A new story to Overturn “Netlogon” crypto algorithm

Security Focus:
By sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD (refer to Index 1). This can then be used to obtain domain admin credentials and then restore the original DC password.

Index 1: 0 xor 0 = 0 agian, all subsequent blocks fed to AES will be all-zero. And therefore 00 will keep being xorred to the next plaintext bytes.

Important notice by US Homeland Security:
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available exploit code for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. Attackers could exploit this vulnerability to obtain domain administrator access.

Reference: https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472

Visa proactively urge public aware of Baka Skimmer attack. (Baka credit card skimmer bundles stealth, anti-detection capabilities) – Sep 2020

Preface: Visa identified a previously unknown eCommerce skimmer, and named the skimmer ‘Baka’.

Synopsis: The malicious JavaScript code aimed to avoid detection for modern defense system. Baka is stealth, anti-detection capabilities.
According to an alert from Visa’s Payment Fraud Disruption (PFD) division, the skimmer also attempts to avoid detection and analysis by “removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated”.

Reference: Visa security alert – https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/visa-security-alert-baka-javascript-skimmer.pdf

Additional: Briefly describe the concept of attack. The attacker sneaks some malicious JavaScript (usually via a <script> tag) into your html which is then executed.

How to protect against this attack?
– Sanitizing at the url param layer
– Sanitizing at the templating layer

CVE-2020-15802 – Bluetooth vulnerability can cause Bluetooth devices to be attacked by man in the middle, and Bluetooth 4.0/5.0 devices are all affected! (9th Sep 2020).

Preface: Bluetooth Low Energy (BLE) is a low power wireless communication technology that can be used over a short distance to enable smart devices to communicate. … Today, the majority of Android and iOS devices on the market incorporate BLE for communication and interaction with other devices.

Ref I: CTKD pairing allows the devices to pair once using either transport method while generating both the BR/EDR and LE Long Term Keys (LTK) without needing to pair a second time.
Ref II: Bonding: First, do Pairing to have a secure link, then exchange keys for the next time we meet, so that we don’t need to perform Pairing again to have a secure link.

Vulnerability details: Multiple devices supporting both Bluetooth BR/EDR and LE using Cross-Transport Key Derivation (CTKD) for pairing could allow a remote malicious user to conduct a man-in-the-middle attack.

Remedy:The affected devices include all products using Bluetooth 4.0 to 5.0. Bluetooth after version 5.1 will not be affected due to the addition of restrictions on CTKD.

Reference:https://kb.cert.org/vuls/id/589825

CVE-2020-9839 – MacOS cfprefsd Arbitrary File Write / Local Privilege Escalation (NVD Last Modified: 09/07/2020)

Synopsis: The hackers behind the scenes used different vulnerabilities to obtain private information from the iPhone. In fact, they built a complete iPhone vulnerability attack chain. And then use the vulnerability to obtain all unencrypted or APP data on the victim’s device and send it to the attacker’s server.

Technical details: According to below design definition.
XPCService – You can connect to an XPCService strictly through a name
Mach Service – You can also connect to a Mach Service strictly through a name
NSXPCEndpoint – Communicate between two application processes.
The design concept of “com[.]apple[.]cfprefsd[.]daemon” is an XPC service hosted by the cfprefsd daemon.

Vulnerability details: An application may be able to gain elevated privileges. The CFPreferencesSetAppValue function, which is reachable from most unsandboxed processes, can be exploited with a race condition in order to overwrite an arbitrary file as root.

Reference:https://nvd.nist.gov/vuln/detail/CVE-2020-9839

Thomson Reuters Eikon version 4.0.42144 design weakness (9th Sep 2020)

Preface: NVD published date on 09/03/2020. Strongly believe that technical matter was resolved by vendor completely. However we should recording this issue in notes. As we know, hacker jump to client network will hide himself for a period of time. Sometimes such action cater for their data exfiltration activities or ….

Techincal background: Slogan of Thomson Reuters Eikon. Access an incredible depth and breadth of financial analysis data to make smarter decisions. Reuters Eikon is a financial data platform which includes data on financial markets, companies’ (especially listed companies’) financial data, financial news, macro data etc. The product is analogous to the Bloomberg Terminal aka “Open Bloomberg”. It allow client install the Eikon software on their company workstation.

Vulnerability details: The current file permissions of the directory C[:]\Program Files (x86)\Thomson Reuters)\Eikon allow users of the group Authenticated Users to modify files in the folder. As these files are executed by the service that runs with SYSTEM privileges, it is possible to escalate privileges and create a new user with administrator privileges.

If a user has write permission in a folder used by a service, he can replace the binary with a malicious one. When the service is restarted the malicious binary is executed with higher privileges. Please refer to the attached picture for details.

Since Reuters and related terminal will be installed in Investment bank or broker firm dealing room. Perhaps this is the area which lure the hacker interest. And is a typical example of insider threats.
For my point of view, apply advanced cyber security filter and scanning function in this area not a possible solution. It was because it will encounter false alarm and therefore interrupt the services. In order to avoid unknown incident happen in this place, SIEM + (Predictive analysis tools like Darktrace) are the appropriate solution.

Don’t underestimate low-risk vulnerabilities (CVE-2020-15709). A simple method can be circumvented in Linux. 5th Sep 2020

Preface: The current Linux desktop market share is between 1.74 – 2.18%, according to the usage share of operating systems. In April 2019, Linux’s desktop market share was estimated to be 1.63%. Of all Linux users, 38.2% use Ubuntu as of May 2019. 21.5% of users rely on Debian.

Background: PPA – Personal Package Archives allow you to upload Ubuntu source packages to be built and published as an apt repository by Launchpad.

Vulnerability details: Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20.10, and 0.92.37.8ubuntu0.1~esm1, printed a PPA (personal package archive) description to the terminal as-is, which allowed PPA owners to provide ANSI terminal escapes to modify terminal contents in unexpected ways.

Design limitation: A terminal escape sequence is a special sequence of characters that is printed. If the terminal understands the sequence, it won’t display the character-sequence, but will perform some action. Please refer to the attached drawings for details.

Official reference: https://nvd.nist.gov/vuln/detail/CVE-2020-15709

Cyber security Focus – Cloud collaboration for OT engineering (4th Sep 2020)

Preface: In line with its Industrie 4.0 effort, Google Cloud will use the OPC UA open standard to incorporate machine data into analytics and AI solutions.

The existing atmosphere of the Internet world – According to the network attack statistics report. Different types of attacks are involved. Nowadays, receiving personal or confidential data illegally is one of the way run aggressive by attackers. In the future, we foreseen that many vendors will be planned to phase out basic authentication using passwords and cookie-based authentication.

Business needs drive the implementation of new technologies – Integrated with IT. OT-BASE allows IT applications to pull asset information via a powerful REST API. This way you can easily leverage OT asset details in SIEM, data analysis and custom built applications.

Genesis of new concept: Cloud collaboration enables people to work simultaneously on documents that live ‘in the cloud’. Consolidation of OT configuration details in a central platform, accessible by web browser and REST API. System details are no longer known to individual engineers only, but are instantly available to every team member, making the team more efficient.

OPC Unified Architecture (OPC UA) is one of the most important communication protocols for Industry 4.0 and the IoT. Let do a quick review of OPC UA security features.

Unlike OPC Classic, OPC UA design is able to working with firewall technology because it support TCP/IP communication protocol. Whereby, it can be managed and governance through standard network technologies.

Remark: OPC Classic using DCOM as a communication protocol. Due to the DCOM technology used, cross-network communication via OPC Classic is very difficult.

In general practice, the OPC UA software application development will using Simple Object Access Protocol (SOAP). SOAP is a simple XML-based protocol that enables applications to exchange information via HTTP. Meanwhile, OPC UA uses a certificate exchange for further security, so that each client has to authenticate with a certificate. In this way it can be controlled which client is allowed to connect to the server. In the sense that it has access control implement.

Advanced System Integration – Data exchange between PLC and REST interface

To create or modify objects using data from a PLC, the PLC can be connected via OPC UA and the OPC Client plug-in. Which objects can be addressed in the target system can be queried and browsed via the OpenAPI / Swagger function by the OPC router. If, for example, a batch can be created via REST, the PLC must provide all data in OPC data points when the batch is created and trigger the REST call. The data points are then transferred as a JSON packet by REST call and the batch is created as an object.

Technical Background: REST or RESTful API design (Representational State Transfer) is designed to take advantage of existing protocols. While REST can be used over nearly any protocol, it usually takes advantage of HTTP when used for Web APIs. This means that developers do not need to install libraries or additional software in order to take advantage of a REST API design. It includes four types most-commonly-used HTTP verbs (see below):

  1. GET” to retrieve a resource.
  2. PUT” to change the state of or update a resource, which can be an object, file or block. 
  3. POST” to create that resource;
  4. DELETE” to remove it.

Additional: “PATCH” applies a partial update to the resource. This means that you are only required to send the data that you want to update, and it won’t affect or change anything else.

Even the flexibility of the design allowed to use a “curl” command. Curl Options shown as below:

   –X , –request – The HTTP method to be used.

   –i , –include – Include the response headers.

   –d , –data – The data to be sent.

   –H , –header – Additional header to be sent.

Example: curl https://xxx[.]restapi[.]com/posts?userId=8

Consolidation of OT configuration details in a central platform, accessible by web browser and REST API. System details are no longer known to individual engineers only, but are instantly available to every team member, making the team more efficient.

Security Focus: REST API has emerged as the most versatile and useful web service API. The major trend in data management today is the move toward cloud integration. REST APIs are most commonly used with SaaS (software as a solution) platforms. Fundamentally speaking, REST focuses on the transferability and consumption of data, rather than providing built-in measures to ensure data security during transmission. Perhaps today it has been enhanced using the HTTPS method. But is this enough to prevent today’s cyber attacks? Below list are some of the known cyber attack. Let take a quick look.

  1. The attacker could be at the client side. Attacker can creates a rogue. It aim to consuming resources from destination server.
  2. For resources exposed by RESTful web services, attacker can exploit application vulnerability (Cross Site Request Forgery) to execute PUT, POST, and DELETE functions.
  3. The attack scenario will be according of the architecture set up. If four types most-commonly-used HTTP verbs do not have access control. As a result, the impact will be included server side and related infrastructure.

How to secure industrial communications with OPC UA (see below):

  1. At least the “Basic256Sha256” security policy should be selected.
  2. Never store private keys or the corresponding certificate files on an unencrypted file system. Use the dedicated certificate stores of your operating system and use operating system capabilities for setting the access rights.
  3. Because Java components sometimes find vulnerabilities. Thereby affecting customized Java applications. Therefore, patch and vulnerability management should follow best practices.

Summary: Since HTTPS is suggest to used to call REST endpoints, the authentications available in the standard system can also be used OAuth1 and OAuth2.Besides the standard authentication options, a so-called AppKey is often exchanged. This key is a secret code created for the client, which is transferred with every call to get the authorization for the call. In General point of view, REST is considered secure due to the use of widely used methods.