All posts by admin

Preface: The heap is the portion of memory where dynamically allocated memory resides (i.e. memory allocated via malloc).

Background: Exim is a message transfer agent (MTA). It generally comes with the default Debian installation. If you need ACLs and other features, you may need to install exim4-daemon-heavy (see below):
apt-get install exim4-daemon-heavy

Vulnerability details: The component string.c contains a function that formats the input data into a string and stores it. However, it has no mechanism to check the length of the received data. As a result, an extraordinarily long EHLO string triggers a heap-based buffer overflow. The attacker then has to find out which unlink() in glibc can be "reused". From a technical point of view, unlink() is the classic and probably the simplest one. In short, the attacker can overwrite 4 arbitrary bytes at two specified places (FD and BK). This is more than enough to redirect the control flow.
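The defect described above is a formatter that never learns the size of its destination. The following is an added illustration, not Exim's code: an unbounded formatter of that shape next to a bounded one that carries the buffer size and rejects input that would not fit. The EHLO reply text, the 64-byte buffer and the over-long argument are constructed for the example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape (illustration only): the formatter is never told how large
 * the destination is, so an over-long EHLO argument runs past the heap chunk. */
void format_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);            /* no size argument at all */
    va_end(ap);
}

/* Hardened shape: the size travels with the buffer, vsnprintf is told it, and a
 * result that does not fit is rejected instead of being partially written. */
bool format_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size) {
        buf[0] = '\0';                 /* discard the truncated partial result */
        return false;
    }
    return true;                       /* whole string fitted, including NUL */
}

/* Build the reply to EHLO, refusing an argument that would not fit. */
bool build_ehlo_reply(char *out, size_t out_size, const char *ehlo_arg)
{
    return format_bounded(out, out_size, "250-mail.example Hello %s\r\n", ehlo_arg);
}

int main(void)
{
    char *reply = malloc(64);          /* constructed: small heap buffer */
    char long_arg[300];                /* constructed over-long EHLO argument */
    memset(long_arg, 'A', sizeof long_arg - 1);
    long_arg[sizeof long_arg - 1] = '\0';
    printf("short input accepted: %d\n", build_ehlo_reply(reply, 64, "client.example"));
    printf("long input accepted:  %d\n", build_ehlo_reply(reply, 64, long_arg));
    free(reply);
    return 0;
}
```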

Reference: maximum length of a DNS name, i.e. when the maximum number of characters is exceeded. The maximum is LL (1) + LN (63) + LL (1) + LN (63) + LL (1) + LN (63) + LL (1) + LN (61) + NL (1) = 255 bytes.

Remedy: No known mitigation. End users must download and build the fixed version 4.92.3.

RSA BSAFE Crypto-C Micro Edition vulnerability CVE-2019-3733

Preface: Who uses RSA's BSAFE library? BSAFE uses Dual_EC_DRBG as its default pseudorandom number generator. Dual_EC_DRBG makes people hesitate because the algorithm is suspected of containing an NSA backdoor.

Product background: The Crypto-C ME software development toolkit is designed to enable developers to incorporate cryptographic technologies into applications. Crypto-C ME security software helps to protect sensitive data as it is stored, using strong encryption techniques to ease integration with existing data models.

Vulnerability details: RSA BSAFE Crypto-C Micro Edition, all versions prior to 4.1.4, is vulnerable to three (3) different Improper Clearing of Heap Memory Before Release vulnerabilities, also known as 'Heap Inspection' vulnerabilities. A malicious remote user could potentially exploit these vulnerabilities to extract information, leaving data at risk of exposure.

Additional information: For instance, suppose your software application is written for CPython. Then you have to implement your own data type in C and wipe memory in its deallocation function. Since BSAFE is one of the oldest cryptography libraries, the original design does not contain this memory clean-up function.
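The deallocation pattern referred to above, as an added C example that is not BSAFE's or CPython's code: a constructed key-holding type with a free routine that only releases memory (the heap-inspection weakness) beside one that zeroises the key bytes first. The wipe goes through a volatile pointer as a portable stand-in for explicit_bzero() or memset_s(), so the compiler cannot drop the stores as dead.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an object holding key material; not a BSAFE type. */
typedef struct { unsigned char *key; size_t key_len; } secret_key;

/* Zeroise through a volatile pointer so the compiler cannot delete the stores
 * just because the memory is about to be freed. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

secret_key *secret_key_new(const unsigned char *raw, size_t len)
{
    secret_key *k = malloc(sizeof *k);
    if (!k) return NULL;
    k->key = malloc(len);
    if (!k->key) { free(k); return NULL; }
    memcpy(k->key, raw, len);
    k->key_len = len;
    return k;
}

/* Leaky deallocation (the weakness the advisory describes): the key bytes stay
 * readable in the freed chunk until the allocator happens to reuse it. */
void secret_key_free_leaky(secret_key *k)
{
    if (!k) return;
    free(k->key);
    free(k);
}

/* Hardened deallocation: wipe the key bytes and the struct that points to them
 * before either is handed back to the heap. */
void secret_key_free_wiped(secret_key *k)
{
    if (!k) return;
    secure_wipe(k->key, k->key_len);
    free(k->key);
    secure_wipe(k, sizeof *k);
    free(k);
}
```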

Vendor announcement (Reference URL): https://www.dell.com/support/security/zh-hk/details/DOC-107000/DSA-2019-079-RSA-BSAFE®-Crypto-C-Micro-Edition-and-Micro-Edition-Suite-Multiple-Security-Vulnerab

CVE-2019-16941 (28th Sep 2019)

Preface: It is rare that a software application has no design weakness. If a perfect piece of software appears, perhaps we can say it was created by God.

Background: Ghidra is a software reverse engineering framework developed by the NSA that has been in use by the agency for more than a decade.

Design weakness: When you run Ghidra in experimental mode, the steps below re-engineer the software into a backdoor. This occurs in features (/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java).

  1. Select the "DumpFunctionPatternInfoScript".
  2. Export the resulting XML file.
  3. Following the attached picture, add a java.lang.Runtime.exec call.
  4. To bring up the explorer, select Window -> Function Bit Patterns Explorer from the Code Browser. Click "Read XML Files".
  5. The remote server listening on port 1137 can then communicate with the hosts on which Ghidra is installed.

Remedy: A new version of Ghidra has been released.

Vulnerability in PHP – 27th Sep 2019

Preface: The CIS Center for Internet Security urges PHP customers to stay alert to a zero-day vulnerability that could allow arbitrary code execution. 27th Sep 2019

Vulnerability details: A vulnerability has been discovered in PHP, which could allow an attacker to execute arbitrary code. PHP is prone to a heap-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue exists in the ‘mb_eregi()’ function.

SYSTEMS AFFECTED: PHP versions 7.3 prior to 7.3.10

Additional details: The mb_eregi() function executes a case-insensitive regular expression match with multibyte support. Because this function does not properly bounds-check user-supplied data, it copies the string into a fixed-size buffer (array). If no matches are found, regs is set to an empty array. This buffer (array) is located in heap memory. The heap is an area of pre-reserved main storage (memory) that a program process can use to store data in some variable amount that won't be known until the program is running.
When this happens, the buffer that is assumed to be freed is expected to hold two pointers, FD and BK, in the first 8 bytes of the formerly allocated buffer. BK gets written into FD and can be used to overwrite a pointer.

Reference: The memory unit allocated by malloc is the chunk. If an allocated chunk does not use the last two pointers, that space is used to store data directly. So an attacker can use malloc to perform a heap overflow.

Remedy: Reference URL – https://www.php.net/downloads.php#gpg

VMware Cloud Foundation and VMware Harbor Container Registry for PCF address remote escalation of privilege vulnerability (CVE-2019-16097) Sep 2019

Background: There are six major modules in Harbor. Each of Harbor's default components is packaged into a Docker container, so Harbor can be deployed via Compose; it is divided into 8 containers, which can be listed with docker-compose ps.

Vulnerability details: A vulnerability in the POST /api/users API of Harbor may allow for a remote escalation of privilege.

The vulnerability exists due to improper access restrictions within "core/api/user.go" when processing HTTP POST requests to the "/api/users" API while Harbor is configured to use the DB as its authentication backend. A remote, unauthenticated attacker can send a specially crafted HTTP request to the vulnerable API endpoint and create an administrative user account.

Reminder:
a. When using LDAP mode, user self-registration is disabled.
b. Database (db_auth): users are stored in the local database.
A user can register himself/herself in Harbor in this mode.

Official announcement: https://www.vmware.com/security/advisories/VMSA-2019-0015.html

Siemens – Security Advisory by Siemens ProductCERT SSA-250618: Denial-of-Service Vulnerability in SIMATIC TDC CP51M1

Preface: A motion control system includes at least three basic components: a motor, a drive, and a controller. Motion control systems are primarily used in discrete industries such as packaging and semiconductor manufacturing, as opposed to process industries such as chemical manufacturing and power generation.

Product background: Siemens SIMATIC TDC provides the highest degree of competence when it comes to motion control and closed-loop control technology.

Vulnerability details: A vulnerability could allow an attacker to cause a Denial-of-Service condition on the UDP communication by sending a specially crafted UDP packet to the SIMATIC TDC CP51M1 module.

Example: A "UDP flood" is a type of Denial of Service (DoS) attack in which the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. The receiving host checks for applications associated with these datagrams and, finding none, sends back a "Destination Unreachable" packet.

Remedy: Firmware updates for SIMATIC TDC CP51M1, or:

  • Restrict network access to affected devices
  • Restrict UDP communication to affected devices
  • Do not use UDP communication in the user program if not needed
  • Apply cell protection concept and implement defense in depth

23rd Sep 2019 – Microsoft Releases Out-of-Band Security Updates

Security focus – CVE-2019-1367: Microsoft released a remedy for CVE-2018-8653, but one item was not fixed. It is suspected that this is one of the reasons Microsoft released out-of-band security updates on 23rd Sep 2019.

Should you be interested in this matter, please refer to the attached diagram. The official announcement can be found at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367

Apart from that, the out-of-band update also covers the Microsoft Defender Denial of Service Vulnerability CVE-2019-1255. The official announcement can be found at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255

Sep 2019 Security advisory by Siemens ProductCERT

Preface: Do you think that VPN solutions will reduce the level of network security risks?

Background: On 10th Sep 2019, Siemens announced multiple vulnerabilities in the SINEMA Connect server. Our attention this time is focused on CVE-2019-13920 and CVE-2019-13922. Referring to the attached diagram, the fundamental design of SINEMA and the network switch can form a VPN to prevent packet sniffing and tampering with network activity. The VPN tunnel between the device and the SINEMA RC Server is established only after successful authentication. However, if the design weakness is on the front-end server, it looks like that doesn't help!

About CVE-2019-13920 – One simple and effective way to prevent it is to generate a random string when the initial action is loaded and send it to the browser. The browser then sends this string back with the request, and the server validates it before approving the action. This way, malicious websites cannot post the action even if they have access to a valid session in the browser.

About CVE-2019-13922 (residual risk) – If an attacker manages to obtain the hash of an administrative user, they can then authenticate with higher privileges by performing an attack known as pass-the-hash.

Should you be interested in the details, please refer to the URL – https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf

Deploying cutting-edge technology, it is difficult to avoid vulnerabilities – CVE-2019-16103

Preface: SD-WAN is a specific application of software-defined networking (SDN) technology applied to WAN connections such as broadband internet, 4G, LTE, or MPLS. The technology deployment consists of QoS and network resilience.

Product background: EdgeConnect has the following features:

  • Extend the micro-segmentation of specific application traffic from the data center to the entire WAN to help maintain security compliance requirements.
  • Tunnel Bonding
  • Identifying applications on the first packet is especially important when branches are deployed behind Network Address Translation (NAT); the correct path must be selected based on the first packet to avoid session interruption.

Vulnerability details: An administrative user with access to the enable menu of the login subshell may enter a hardcoded string to obtain a bash shell on the operating system. The spsadmin and admin accounts have root privileges. The system CLI and web service run under root accounts, which can be used for privilege escalation.

Observation: Perhaps people might ignore this vulnerability. But do not underestimate this issue, because it shows that user privileges are not well defined.

Remedy: Fixed in version 8.1.6.x – 8.1.7.x


Vmware – Storm in teacup (Sep 2019)

Preface: In 1894 Damoizeau developed a panoramic stereoscopic camera with twin-lenses, twin-spools and twin -slits.

Background information: With 3D graphics configured for RDS hosts, both applications in application pools and applications running on RDS desktops can display 3D graphics.

Vulnerability details: This vulnerability can be triggered by providing a tampered pixel shader to the AMD ATIDXX64.DLL driver. An attacker can perform the attack from VMware guest user mode, causing memory corruption in the vmware-vmx.exe process on the host. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host.

Reminder: Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2019-0014.html