All posts by admin

CVE-2019-3567 osquery design flaw: an unintended hidden place for malware (Jun 2019)

Preface: Need to know what processes are running on a given machine? A server's current CPU temperature? Whether a hard drive is encrypted? osquery can answer all of these, and it is also used for security monitoring.

Technical background: osquery is a tool that exposes an operating system as a high-performance relational database. The design originated at Facebook. It enables developers to write SQL-based queries that explore operating system data, including the following:

  • Running processes
  • Loaded kernel modules
  • Open network connections
  • Browser plugins
  • Hardware events
  • File hashes

Vulnerability detail: Running osquery on a Windows or Linux system requires the daemon to be configured as a system service, which means the service daemon receives system privileges. A design feature of osquery unintentionally gives an attacker a way to pass a file into a hard-linked parent folder, which in effect creates a hidden area for malware. Under such circumstances the malware payload can operate with SYSTEM permissions. The official announcement is here: https://www.facebook.com/security/advisories/cve-2019-3567

CVE-2019-12243 Istio improper internet access control vulnerability (Jun 2019)

Preface: Independent deployability is the strongest feature of microservices. Docker is one of the technology vendors keen to develop microservices.

What is Istio? An open platform to connect, manage, and secure microservices. Istio is easy to deploy: the user merely installs a proxy (sidecar proxy) and completes the configuration.

Vulnerability details: The vulnerability affects the TCP Authorization feature. A vulnerability in Istio could allow an unauthenticated, adjacent attacker to gain unauthorized access to a targeted system. Per the vendor announcement, a self-diagnosis can find out whether you are vulnerable to this bug. For details, please refer to the following.

Check the status of policy enforcement for your mesh with the following command:

$ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks

If the output shows that disablePolicyChecks is set to true, your mesh is not affected by this vulnerability.

Vendor released software updates at the following link: https://istio.io/about/notes/1.1.7/

It looks very vague – Oracle Vulnerability CVE-2019-2517 (Jun 2019)

Preface: Every time you review an Oracle security advisory, your feeling is vague, since no details are provided!

Vulnerability details: A vulnerability in the Core RDBMS component of Oracle Database Server could allow an authenticated, remote attacker with high privileges to compromise a targeted system completely.

More details: The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server and does not require user interaction. It allows low-privileged attackers that have the Create Session privilege, with network access via Oracle Net, to compromise the Java VM component.

How to identify your JVM for Oracle:

select * from all_registry_banners;

Impact: Since the vulnerability occurs in the JVM, a successful exploit could allow the attacker to compromise the system completely.

Affected products: Oracle Database Server 12c (12.2.0.1), Oracle Database Server 18c Release Update 6 (18.6) (Base)

Remedy: Oracle released software updates at the following link: https://www.oracle.com/downloads/index.html

Configure a strong PSK to avoid wireless offline cryptographic attacks

Preface: Maybe people won't use WPA because it's not safe. However, a WPA2 PSK can also be collected through tools.

Technical details:

WPA and WPA2 offline attack techniques are well known today. For instance, a penetration tester conducting a WiFi penetration test will rely on a tool such as Aircrack-ng. As a matter of fact, the attacker first obtains a man-in-the-middle (MitM) position between the victim and the real Wi-Fi network. However, that alone does not enable the attacker to decrypt packets! One approach uses a password recovery tool together with a "wordlist". The mechanism reads line by line from a text file (aka "dictionary" or "wordlist") and tries each line to find the password.

Reference: The dictionary passphrase attack is one of the popular attacks on WPA2-PSK. Since the PSK is the main key protecting the WLAN, the attacker will try to guess the passphrase used to generate the PSK. This can be done by capturing the initial WPA2-PSK handshake between a legitimate wireless client and the AP.

Remedy: It sounds as if it is not difficult to crack. In our world, IoT devices do not use 802.1X for authentication. What can we do?

If it is not possible to change to 802.1X, configure a strong PSK with a minimum length of 19 characters or more.
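As an added illustration (not code from the original post), the following Python shows why the passphrase is the only secret in WPA2-PSK: the PMK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the public SSID, so every dictionary guess costs one fixed derivation. It also implements the 19-character minimum from the remedy above as a policy check; the small wordlist is constructed for the example.

```python
import hashlib
import re

# Policy from the post: WPA2-PSK passphrases should be at least 19 characters.
MIN_PSK_LENGTH = 19

# Constructed, deliberately tiny "wordlist" standing in for a dictionary file
# (the offline attack reads such a text file line by line, as described above).
SAMPLE_WORDLIST = ["password", "12345678", "letmein123", "qwertyuiop"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2 Pairwise Master Key as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations,
    32-byte output. The SSID is broadcast and the iteration count is fixed, so
    the passphrase is the only secret input to the derivation."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_policy_violations(passphrase: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Return the reasons a candidate passphrase fails the policy.
    An empty list means the passphrase is acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA2 passphrases must be 8 to 63 ASCII characters")
    if len(passphrase) < MIN_PSK_LENGTH:
        problems.append(f"shorter than the {MIN_PSK_LENGTH}-character minimum")
    if passphrase.lower() in {w.lower() for w in wordlist}:
        problems.append("appears verbatim in the wordlist")
    classes = sum(bool(re.search(p, passphrase))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    for candidate in ("password", "Correct-Horse-Battery-Staple-42"):
        print(candidate, psk_policy_violations(candidate) or "OK")
```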

Did you have trouble accessing the internet on Sat (8th Jun 2019, GMT+8)?

Synopsis: Users were temporarily unable to reach web sites in adjacent countries for a short period of time (less than 1 to 3 minutes) due to an issue with the Internet BGP backbone.

Description: On Saturday, I was surprised that some internet web sites looked unstable. It did not happen on only a single web site.

What do you think, or are you aware of it?
There are likely similar problems, such as those described below:

  1. The ABC ISP (AS __xx) configured a static route for 66.220.144.0/24 pointing to null in order to block Facebook access for ABC ISP customers. However, the ISP started to announce the prefix 66.220.144.0/20 towards its upstream provider CDEF (AS xxxx), which propagated the announcement to its peers. Meanwhile Facebook (AS32934), which had been announcing the prefix 66.220.144.0/20 so far, started to fight back. Facebook began to announce the more specific prefix 66.220.144.0/24. They kept announcing 66.220.145.0/24; however, the service would still not be available for a large part of Facebook users: those whose traffic took a path towards ABC ISP (AS __xx), and thus could not reach Facebook. That traffic was being captured by the static route configured on the ABC (AS __xx) edge router.
  2. Bogus AS Path
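As an added illustration (not part of the original post), a small Python simulation of longest-prefix-match forwarding over constructed tables modelled on item 1: it shows why Facebook's more-specific /24 restores reachability only in networks that actually received it, while a network that holds only the leaked /20 still sends traffic into the ISP's null route. The AS labels and tables are assumptions for the example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed forwarding tables modelled on item 1 above; next hops are labels, not real routers.
# ABC ISP: a static /24 pointing to null to block Facebook, plus the real /20 learned from Facebook.
ABC_ISP = {"66.220.144.0/24": "null", "66.220.144.0/20": "AS32934"}
# Network X accepted the leaked /20 (reaching Facebook through ABC ISP) and also
# received Facebook's more-specific /24 counter-announcement directly.
NETWORK_X = {"66.220.144.0/20": "ABC_ISP", "66.220.144.0/24": "AS32934"}
# Network Y only ever received the leaked /20; the /24 never propagated to it.
NETWORK_Y = {"66.220.144.0/20": "ABC_ISP"}

TABLES: Dict[str, Dict[str, str]] = {
    "ABC_ISP": ABC_ISP, "NETWORK_X": NETWORK_X, "NETWORK_Y": NETWORK_Y}


def longest_prefix_match(table: Dict[str, str], dest: str) -> Optional[Tuple[str, str]]:
    """Pick the most specific prefix covering dest, exactly as a router's FIB lookup does."""
    addr = ipaddress.ip_address(dest)
    best_net, best_hop = None, None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return (str(best_net), best_hop) if best_net else None


def forward(start: str, dest: str, max_hops: int = 8) -> str:
    """Follow LPM decisions from table to table until the packet is delivered to
    AS32934, dropped by a null route, or finds no route at all."""
    here = start
    for _ in range(max_hops):
        match = longest_prefix_match(TABLES[here], dest)
        if match is None:
            return "unreachable"
        _, next_hop = match
        if next_hop == "AS32934":
            return "delivered"
        if next_hop == "null":
            return "blackholed"
        here = next_hop
    return "loop"


if __name__ == "__main__":
    for net in ("NETWORK_X", "NETWORK_Y"):
        for ip in ("66.220.144.10", "66.220.150.10"):
            print(f"{net} -> {ip}: {forward(net, ip)}")
```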

We may ignore the vulnerabilities that happened in the past! (Jun 2019)

Preface: The virtual table is created in the same SQLite database in which the Core Data content resides. To keep this table as light as possible, only object properties relevant to the search query are inserted.

Vulnerability details: A vulnerability in the rtreenode() function of SQLite3 could allow an unauthenticated, remote attacker to access sensitive information.

Bug fixed: When opening an existing rtree, determine the node size by inspecting the root node of the r-tree structure (instead of assuming it is a function of the page size). SQLite has released a software update at the following link: https://www.sqlite.org/download.html

CVE-2019-10981 AVEVA Security Advisory LFSEC00000136 (May 2019)

Preface: In the Ukraine hack (Dec 2015), the utilities not only lost visibility but also ceded control of their networks to remote attackers later linked to an APT group.

About AVEVA: AVEVA Group plc is a British multinational information technology company headquartered in Cambridge, United Kingdom. It provides engineering and industrial software. Schneider Electric is now the largest shareholder with a 60% ownership interest.

Vulnerability details:

In Vijeo Citect 7.30 and 7.40 and CitectSCADA 7.30 and 7.40, a malicious entity could obtain the Citect user credentials, because the Citect user credentials held in memory are stored in clear text.
Remark: If the client deploys the above solution and does not give the workstation internet access, the cyber security risk remains similar to the vendor's opinion: medium. The rating probably requires adjustment if the client workstation has internet web browsing capability.

The official announcement is as follows: https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityAdvisory_LFSec136.pdf

Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen (Jun 2019)

Vulnerability Note VU#576688
Original Release Date: 2019-06-04 | Last Revised: 2019-06-04

Preface: The more power you have, the greater the risk of being infected.

Synopsis: Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.

My observation: Microsoft re-engineered RDP to create a channel named MS_T120 with index 31.
But the vulnerability occurs when someone sends data to the system's MS_T120 channel and references the closed channel again.

Interim remediation steps:

  • Disable RDP if it is not needed.
  • SIEM firing rule: client requests with "MS_T120" on any channel other than 31
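The SIEM rule above, as an added example (not from the original post or from any vendor): it parses constructed log records in a hypothetical "name:index" channel-list format and alerts whenever a client requests MS_T120 at any index other than 31. Real RDP or SIEM log formats differ and would need their own parser.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# The post's rule: MS_T120 legitimately lives at channel index 31, so a client
# asking for MS_T120 at any other index deserves an alert.
EXPECTED_MS_T120_INDEX = 31

# Constructed sample records (hypothetical format, not a real product's log).
SAMPLE_LOGS = [
    "2019-06-04T09:12:01Z src=192.0.2.10 dst=10.0.0.5 event=rdp_channel_request channels=rdpdr:1004,rdpsnd:1005,cliprdr:1006",
    "2019-06-04T09:12:07Z src=192.0.2.44 dst=10.0.0.5 event=rdp_channel_request channels=MS_T120:1004,rdpdr:1005",
    "2019-06-04T09:12:09Z src=192.0.2.44 dst=10.0.0.5 event=rdp_channel_request channels=ms_t120:1007",
    "2019-06-04T09:13:15Z src=10.0.0.9 dst=10.0.0.5 event=rdp_channel_request channels=MS_T120:31",
    "garbage line that should be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"event=rdp_channel_request channels=(?P<channels>\S+)$")


@dataclass
class Alert:
    timestamp: str
    src: str
    dst: str
    channel_index: int


def parse_channels(field: str) -> List[Tuple[str, int]]:
    """Turn 'name:index,name:index' into [(name, index), ...]; skip malformed entries."""
    out = []
    for item in field.split(","):
        name, sep, idx = item.partition(":")
        if sep and idx.isdigit():
            out.append((name, int(idx)))
    return out


def detect_ms_t120(lines) -> List[Alert]:
    """Apply the rule over log lines: alert on MS_T120 (case-insensitive) at index != 31."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable record: skip rather than crash the detector
        for name, idx in parse_channels(m["channels"]):
            if name.upper() == "MS_T120" and idx != EXPECTED_MS_T120_INDEX:
                alerts.append(Alert(m["ts"], m["src"], m["dst"], idx))
    return alerts


if __name__ == "__main__":
    for a in detect_ms_t120(SAMPLE_LOGS):
        print(f"ALERT {a.timestamp} {a.src} -> {a.dst}: MS_T120 requested at channel {a.channel_index}")
```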

Reference: https://kb.cert.org/vuls/id/576688/

CVE-2019-12439 Project Atomic Bubblewrap bubblewrap.c arbitrary code execution vulnerability (May 2019)

Preface: With sandbox technology, a security DevOps team can conduct tests more easily, since the user can specify exactly what parts of the filesystem should be visible in the sandbox.

Technical background: The introduction of user namespaces in the Linux kernel has opened the door to running containers as default user logins via e.g. ssh or the desktop. Bubblewrap is a computing sandbox technology. Its goal is to run an application in a sandbox where it has restricted access to parts of the operating system or user data such as the home directory. Unlike sandboxes, containers are not a time-limited solution for testing whether code is malicious.

Vulnerability details: A vulnerability in Project Atomic Bubblewrap could allow a local attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to the insecure use of the /tmp directory by the bubblewrap.c source code file of the affected software.

Remedy: Vendor released software updates at the following link: https://github.com/projectatomic/bubblewrap/releases

When the Chinese mythology Shan Hai Jing 《山海經》 meets aliens

Preface: In ancient China, there were not only ancient times; before ancient times there was an even older era that is difficult for us to explore. As for the myth books of China, many legends and myths were left behind, and they keep me tirelessly exploring.

Background of the Shan Hai Jing:

Shan Hai Jing 《山海經》 is a Chinese pre-Qin (先秦 221 BC) ancient book with unbelievable ancient historical details, so the general opinion of Chinese people categorizes it as a myth book. There are different kinds of strange monsters, seventy-five in total, recorded in the Shan Hai Jing.

The pictures in the Shan Hai Jing are strange. If you read the book, you will find that all the animals look different compared with our modern world. For instance, a chicken has three legs and two heads. There is even a character that looks like a human being but without a head. As far as I remember, a TV program interviewed a professor (from an Asian country). When the journalist mentioned the Shan Hai Jing, the professor replied simply: it is not true.

Creation of mankind

There are different civilizations on our earth. However, their definitions of human creation share similar ideas. Were we created by a god? Do you have doubts? Or were we created by biotechnology (DNA genes)?

In modified form, Darwin's scientific discovery is the unifying theory of the life sciences, explaining the diversity of life. The evolution of mankind discovered by Darwin coincidentally supports the relationship between the Shan Hai Jing and mankind.

Reproductive cloning is expensive and highly inefficient. More than 90% of cloning attempts fail to produce viable offspring. So the evolution of our civilization is a long run, and the advanced technology of another planet would be no exception. Long, long ago, reproductive cloning was started. But who could do it? I believe it was advanced technology from another planet. So we find special animals in myth books, especially the Shan Hai Jing 《山海經》; this is how I speculate the ancient Chinese people intended to write down their life experiences.

The Shan Hai Jing 《山海經》 has pictures; the text is written according to the content of the pictures. However, the ancient pictures have been lost. The earliest pictures of the Shan Hai Jing come from the Ming Dynasty, and they are a draft version, not the original. Perhaps people are concerned about the integrity (genuineness) of the data! For more details, please refer to the following link: https://en.wikipedia.org/wiki/Classic_of_Mountains_and_Seas

But when we compare the Shan Hai Jing 《山海經》 pictures with the civilization of Babylon, their ancient history also described monster-type humans and how god created mankind. The monsters are similar to the ideas in the Shan Hai Jing 《山海經》 pictures: they look like a mix of bird, fish and wild animal (see below).

Remark: In biology, cloning is the process of producing similar populations of genetically identical individuals, which occurs in nature when organisms such as bacteria, insects or plants reproduce asexually. Following the definition of Darwin's evolution theory (see below):

With reference to the ancient history of Babylon by archaeologists, Babylon was the largest city in the world c. 1770 – c. 1670 BC, and again c. 612 – c. 320 BC. The historical record of the Shan Hai Jing was found in the Chinese pre-Qin period (先秦 221 BC) by archaeologists. So I predict that the pictures recorded in the Shan Hai Jing record what witnesses saw before 221 BC. From a technical point of view, it matches the ancient Babylonian civilization. An ancient traveler from China to Babylon could go through the Silk Road.

Regarding the findings of archaeologists, they believe that the Shan Hai Jing 《山海經》 was written by the Bashu (巴蜀) people, who shared their experience through oral communication. The cultural relics show that Bashu (巴蜀) had an advanced civilization, for instance the Sanxingdui Ruins (三星堆遗址). Although the ancient Shu (古蜀) civilization and the two-river civilizations (Euphrates River 幼發拉底河, Tigris River 底格里斯河) are far apart in absolute age and geographical location, there are many cultural connections and similarities between the two. Perhaps the civilization of the ancient Shu State (古蜀國) has a relationship with Mesopotamia.

Summary: We are living in the modern world, and perhaps nobody is going to find out the secret of this old ancient book. However, it is hard to believe that cloning a human or creating mankind does not require biochemical technology. The description above mentions that reproductive cloning is expensive and highly inefficient: more than 90% of cloning attempts fail to produce viable offspring. So the evolution of our civilization is a long run, and the advanced technology of another planet would be no exception. So the advanced intelligent creatures may have used trial and error. Our mainstream thinking is that a human has only one head and a bird has one pair of wings. But before the creation of everything, humans did not have such thinking, so testing was required, and therefore the strange animals and ugly monsters were born in this period of time. Dinosaurs had large-scale bodies and were not suitable for living on the earth, so you can say nature did not allow them to live on earth. But why did some ancient civilizations disappear? For instance Chichen Itza (Maya) and the ancient city of Mohenjo-daro. After this discussion, are you interested in reading the Shan Hai Jing 《山海經》?

Reference A: The Yangtze (長江) River Delta, the two lakes, and the Sichuan-Yunnan region (川滇地區), which originated along the Yangtze River, are the general term for these regional civilizations. They were formed in 2000 BC, respectively, by Lingjiatan Culture 凌家灘文化 – Liangzhu Culture 良渚文化, Daxi Culture 大溪文化 – Qujialing Culture 屈家嶺文化 – Shijiahe Culture 石家河文化, and Baodun Culture 寶墩文化 – Sanxingdui Culture. After the decline of the early civilizations, the culture of the late Yangtze River developed into Wucheng culture 吳城文化, Bashu 巴蜀, Jingchu 荊楚, Xuguo 徐國 and Wuyue 吳越.

Reference B: In biology, cloning is the process of producing similar populations of genetically identical individuals, which occurs in nature when organisms such as bacteria, insects or plants reproduce asexually.