Preface: Message queues are unnecessary and cause a lot of overhead (setup such system cab be a lot of work).

Product background: Zeromq libzmq
A simple synchronous system will just receive a request from the client, perform an operation (anything from retrieving some data from the server to uploading an image) and return a response.

Vulnerability details: A vulnerability in ZeroMQ libzmq could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The problem was that a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. All versions from 4.0.0 and upwards are affected.

Reference: The stack is the temporary memory where variables are stored while a function is executing. The memory will be cleaned up automatically when job done.

Remedy: ZeroMQ has released a software update. For more information, see url: https://github.com/zeromq/libzmq/releases

Preface: Smart apps like your friend whenever you need one. Download the app and get a ride from a friendly driver within minutes.

Product background: Engine.IO is a lightweight transport protocol that enables real-time bidirectional event-based communication between web browsers and a server. Python-engineio server can form a Eventlet asynchronous server and includes a small Flask application that serves the HTML/Javascript to the client. Flask is a Python framework for creating web applications. It accelerates development of simple web applications by providing the required functionality. There are many companies in the world that use Flask for mobile application development.

Vulnerability details: A vulnerability in python-engineio could allow an unauthenticated, remote attacker to conduct a cross-site websocket hijacking (CSWSH) attack on a targeted system.

Design flaw: Cross-Origin Resource Sharing (CORS) headers are only works in XHR requests, and ignored by clients during a websocket connection.

Current status: The vendor has confirmed the vulnerability; but remedy not available yet!

Preface: What is the difference of APT group and so called cyber attacker? In normal circumstance, the attack of APT group more often target different political factor of countries or benefits.

Background: Physicists and engineers at CERN use the world’s largest and most complex scientific instruments to study the basic constituents of matter.

Vulnerability details: A vulnerability in ClusterLabs libqb could allow a local attacker to overwrite arbitrary files on a targeted system. As far as we know, CERN is deployed with this solution. Perhaps this vulnerability not in critical level. However it will let APT group exploit the vulnerability to stolen the data. We don’t need to explain what kind of data stored in CERN. The simple to say, it is the critical data.

Libqb creates files in world-writable directories (/dev/shm, /tmp) with rather predictable file names (e.g. /dev/shm/qb-usbguard-request-7096-835-12-data in case of USBGuard). Also O_EXCL flag is not used when opening the files. This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).

Reference – If the file already exists beforehand,
Open(pathname, O_RDWR | O_CREAT, 0666); Open successfully, return a fd greater than 0
Open(pathname, O_RDWR | O_CREAT | O_EXCL,0666); Open failed, return -1

O_EXCL indicates that if the file exists when O_CREAT is used, an error message is returned, which can test whether the file exists.

Remedy: ClusterLab releases ver 1.0.5 for bug fix.

Preface: Artificial intelligence especially custom face recognition will be using (ptrace_link). By attaching to another process using the ptrace call, a tool has extensive control over the operation of its target.

Vulnerability detail: If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point, the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship,which can be abused to ptrace a suid binary and obtain root privileges.
Above vulnerability could allow a local attacker to perform unauthorized actions on a targeted system.

Remedy: Kernel.org has released a software update. For more information, please refer to the following URL for reference. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6994eefb0053799d2e07cd140df6c2ea106c41ee

Remark: Perhaps exploit this vulnerability require local user access. But cyber attacker can use scam email or phishing email to conducting this attack.

Preface: Because telnet is not secure, people rely on SSH. Due to design limitations, SSH2 replaces SSH. In fact, SSH2 still has room for improvement.

Technical Background – libssh2 is a client-side C library, which enables applications to connect to an SSH server.

A vulnerability in client-side C library – The vulnerability was triggered when libssh2 is used to connect to a malicious SSH server. The vulnerability is due to an integer overflow condition in the kex_method_diffie_hellman_group_exchange_sha256_key_exchange function, as defined in the kex.c source code file of the affected software.

Remedy – The official statement recommends that users upgrade to version 1.9.0. libssh2 has released software updates at the following link: https://www.libssh2.org/

Differences Between Forward Proxy and Reverse Proxy:The main difference between the two is that forward proxy is used by the client such as a web browser whereas reverse proxy is used by the server such as a web server. Forward proxy can reside in the same internal network as the client, or it can be on the Internet.

About Squid: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.

Security Focus: CVE-2019-12527 Squid HttpHeader::getAuth Basic Authentication Heap-Based Buffer Overflow Vulnerability – The developer point out that there is a design limitation from Auth function in http header. So a modification on files will be remediate this problem. We only quote part of the parameter. For instance

Remove:

const char *
HttpHeader::getAuth(Http::HdrType id

Append the following:

SBuf
HttpHeader::getAuthToken(Http::HdrType id

Besides, the remediation of CVE-2019-12525 is that it replace the fixed-size buffer for decoding base64 tokens with an SBuf to avoid decoder issues on large inputs.

Squid has released a software patch to end users – http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch

Preface: Fileless malware can resides within volatile storage components such as memory.

About Redis: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker. It supports data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs, geospatial indexes with radius queries and streams.

Vulnerability details: Above vulnerabilities bring our attentions because attacker could perform controlled increments of up to several bytes past the end of a stack-allocated buffer which the attacker could use to execute arbitrary code or cause a DoS condition.

Reference:

The stack is the temporary memory where variables are stored while a function is executing. The memory will be cleaned up automatically when job done.

The heap is memory that the programmer can use for the application in non automatic way. Programmer might build a mechanism to free up memory after use.

Observation: According to above details, if there are 12 bytes in the stack area which could let hacker exploit. Whereby, it will benefit to the attacker evade the defense mechanism easily.

Remedy: Redis has released software updates – http://download.redis.io/releases/

Preface: The product of MatrixSSL is used by many companies. Since MatrixSSL design in low memory footprint.
Whereby, they can partner with smart city infrastructure and IoT devices.

Vulnerability details: A vulnerability in MatrixSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Our speculation:

1. x509 is the name for certificates which are defined for informal internet electronic mail, IPsec, and WWW applications.
2. X.509 original ver 1, and then a ver 2. But now we use the version 3.
3. Reading the corresponding RFC the structure shown as below:
   Certificate ::= SEQUENCE {
   tbsCertificate TBSCertificate,
   signatureAlgorithm AlgorithmIdentifier,
   signatureValue BIT STRING }
4. Above are ASN.1 structures.
5. If attacker send a crafted certificate to the targeted system.
6. An error in parsing a maliciously formatted ASN.1 Bit Field primitive could cause a crash due to a memory read beyond allocated memory.

Vendor release software updates – https://github.com/matrixssl/matrixssl/releases