All posts by admin

Magento security consideration – SQL injection (Apr 2019)

Preface: When I was young, I am afraid for Injection therapy. Yes, is my butt. Perhaps such circumstance is also apply to software application system!

Synopsis: Magento Commerce, providing end-to-end solutions that suit clients’ needs.

Vulnerability details: A vulnerability in Magento could allow an unauthenticated, remote attacker to conduct an SQL Injection attack against a targeted system. The vulnerability is due to the insufficient validation of user supplied input submitted to the affected software. An attacker could exploit this vulnerability by sending a request that submits malicious input to the targeted system.

Remediation: https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

GNOME WebKitGTK UIProcess Subsystem Buffer Overflow Vulnerability – Apr 2019

Preface: A browser engine is a core software component of every major web browser. Apart of “browser engine”, two other terms are in common use regarding related concepts: “layout engine” and “rendering engine”

Synopsis:

A rendering engine is used by a Web browser to eender HTML pages, by mail programs that render HTML email message, as well as any other application that needs to render Web page content.
WebKitGTK is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.
WebKit is the web browser engine used by Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux.

Vulnerability: A vulnerability in GNOME WebKitGTK could allow an unauthenticated, remote attacker to compromise a targeted system completely. The successful exploit could cause a buffer overflow condition, allowing the attacker to compromise the system completely.

Fixed Software: https://github.com/WebKit/webkit/commit/6f9b511a115311b13c06eb58038ddc2c78da5531

Remediation – Cisco IOS XR-64 Software for ASR 9000 series isolation feature vulnerability (17th Apr 2019)

Preface: One of the objective for Aggregation Services aim to provision and manage a huge number of separate physical platforms. As a result, the international vendor like Cisco also doing the transformation of the physical network devices. And therefore we seen VM devices OS system image today.

Synopsis: In order to cope with cloud computing and container environment, IOS XR 64-bit operating system (OS) is able to runs on virtualized environment with underlying 64-bit Linux kernel. As a result, the cisco product services can be extended.

Vulnerability details:
A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin VM.

Official remedy solution: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr

Cisco NX-OS Software Image Signature Verification Vulnerability – Last Updated 15th Apr 2019

Preface: This advisory is part of the March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes 25 Cisco Security Advisories that describe 26 vulnerabilities.

Synopsis: A digital signature (not digital certificate) is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.

Vulnerability details: A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. In order to manipulate the machine, threat actor must meet below conditions:

  • Has a particular product ID (PID)
  • Is running an affected BIOS version
  • Is running a vulnerable release of Cisco NX-OS Software

Official announcement : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-sig-verif


Apache Releases Security Updates for Apache Tomcat Original release – Last revised: April 15, 2019

Preface: public class CGIServlet – extends javax.servlet.http.HttpServlet
(CGI-invoking servlet for web applications, used to execute scripts which comply to the Common Gateway Interface (CGI) specification.)

Synopsis: Tomcat implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a “pure Java” HTTP web server environment in which Java code can run.

Vulnerability details: CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows

Apache Tomcat version for Windows. A design defect in function (enableCmdLineArguments), the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. But this CGI Servlet is disabled by default.
Remark: enableCmdLineArguments – Are command line parameters generated from the query string as per section 4.4 of 3875 RFC? The default is false.

Official announcement shown following url: http://mail-archives.us.apache.org/mod_mbox/www-announce/201904.mbox/%3C13d878ec-5d49-c348-48d4-25a6c81b9605%40apache.org%3E

Do you have any concerns on multiple vulnerabilities in WPA3 Protocol? (Arp 2019)

Preface: WPA3 protocol aim to enhance Wi-Fi security protection. Yes, it does. But something wrong with him this time.

Technology Synopsis: The very damaging DoS attack consists of clogging one peer with bogus requests with forged source IP addresses. Due to computationally intensive nature of modular exponentiation, the DH key exchange is highly vulnerable to clogging (DoS) attack.The SAE handshake of WPA3 also uses a cookie exchange procedure to mitigate clogging attacks.

Vulnerability highlights:

  1. The SAE handshake of WPA3 uses a cookie exchange procedure to mitigate clogging attacks.
    But the design of the cookie exchange mechanism has technical limitation. Since everyone will receive the (supposedly secret) cookies.
  2. An attacker with a rogue access point can force the client connecting to it to use WPA2’s 4-way handshake and, consequently, to get enough information to launch an offline dictionary attack.

Should you have interest, please refer to the following url: https://www.kb.cert.org/vuls/id/871675/

VMware Releases Security Updates Published Friday, April 12, 2019

Preface: A quick walk through on your VMware setup, see whether 3D acceleration feature is enabled. It is recommended to disabling the 3D-acceleration feature to protect your IT environment.

Vulnerability Details:
CVE-2019-5514 – Vulnerability due to certain unauthenticated APIs accessible through a web socket
CVE-2019-5515 – Out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters
CVE-2019-5518 – Out-of-bounds read/write vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface)
CVE-2019-5519 – Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface)
CVE-2019-5524 – Out-of-bounds write vulnerability in the e1000 virtual network adapter
CVE-2019-5516 – Vertex shader out-of-bounds read vulnerability
CVE-2019-5517 – multiple shader translator out-of-bounds read vulnerabilities
CVE-2019-5520 – out-of-bounds read vulnerability

Official announcement: https://www.vmware.com/security/advisories/VMSA-2019-0006.html

Checkpoint – Regarding to existing vulnerability reporting process, Zero day or new found vulnerabilities has grace period announce to public. Should you have doubts?
Check your managed services provider and identify how do they handling zero-day? For example: Microsoft Active Protections Program member will be know the windows zero day in advance 90 days. As such, you can using this indicator to choosen your MSS.

Who is cookie? Is it cookie monster? Multiple VPN applications insecurely store session cookies – 11th Apr 2019

Preface: Who is cookie? Is it cookie monster? Multiple VPN applications insecurely store session cookies – 11th Apr 2019

Technical background: An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

Vulnerability details: The following products and versions store the cookie insecurely in memory:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
  • Cisco AnyConnect 4.7.x and prior

Reference: https://kb.cert.org/vuls/id/192371/

My observation: A technical limitation on Clientless SSL VPN. If SSO authentication implement to clientless ssl VPN. The webbase VPN machine must keeps the cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server. And therefore VPN applications might store the authentication and/or session cookies insecurely in memory.

Hardcoded credentials concerns – MyCar mobile apps (8th Apr 2019)

Preface: MyCar add smartphone-controlled geolocation, remote start/stop and lock/unlock capabilities to a vehicle with a compatible remote start unit.

Vulnerability details:
MyCar Controls mobile applications prior to v3.4.24 on iOS and prior to v4.1.2 on Android contains hard-coded admin credentials. For specifics details, please refer to diagram.

Reference:https://kb.cert.org/vuls/id/174715/

Samba Releases Security Updates (CVE-2019-3880 & CVE-2019-3870) – Apr 2019

Preface: Samba is an open-source software suite that runs on Unix/Linux based platforms. The design based on SMB network protocol. Samba is able to communicate with Windows clients like a native application.

Synopsis: Windows OS and Linux opensource looks contains their market. A trend shown that Linux base OS well develop in automation industry. Perhaps common printer not compatible with open source Linux. As a result, 3rd party service daemon is going to pick up this responsibility. In fact, vulnerability happens in IT world daily. It is rare that a software or hardware do not have vulnerability. And therefore Samba do not have exception.

Vulnerability details:

CVE-2019-3880 – path/symlink traversal vulnerability, For more details, refer to url.

https://www.samba.org/samba/security/CVE-2019-3880.html

CVE-2019-3870 – During the provision of a new Active Directory DC, some files in the private/ directory are created world-writable. For more details, refer to url.

https://www.samba.org/samba/security/CVE-2019-3870.html