All posts by admin

CVE-2019-11365 – atftp atftpd Stack-Based Buffer Overflow Vulnerability (13th May 2019)

Preface: TFTP (Trivial File Transfer Protocol) is designed to read files from, or write files to, a remote server. atftp is an implementation that is fully compliant with the related RFCs: RFC1350, RFC2090, RFC2347, RFC2348 and RFC2349.

Background: TFTP is used where user authentication and directory visibility are not required. Its design goal was non-confidential file transfer, at a time when network attacks were not the serious threat they are today.

Vulnerability details: The atftpd stack-based buffer overflow is caused by an insecurely implemented strncpy call. The same vulnerable pattern appears in the tftpd_file.c, tftp_file.c, tftpd_mtftp.c and tftp_mtftp.c source files of the affected software, so a crafted packet from a remote peer can overflow a stack buffer.

Remark: strncpy is a C standard library function declared in string.h as char *strncpy(char *dest, const char *src, size_t n). It copies at most n bytes from the string pointed to by src into the array pointed to by dest and returns dest. Two properties make it easy to misuse: n must be derived from the size of dest, never from the length of src or of an incoming packet, and if src contains no terminating NUL within the first n bytes, dest is left unterminated.
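As an added example (constructed here, not atftp's code), the two strncpy pitfalls above next to a hardened extraction of the error message from an RFC1350 ERROR packet. The packet layout and the sample packets in main are assumptions made for the illustration; the hardened function bounds the copy by the destination size, validates the packet length before doing arithmetic on it, and always NUL-terminates:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the strncpy pitfalls behind CVE-2019-11365.
 * This is not atftp's code.  Packet layout follows the RFC1350 ERROR packet:
 *   2 bytes opcode (5) | 2 bytes error code | error message | NUL          */

#define ERRMSG_MAX 64

/* Pitfall 1: taking strncpy's length from the packet instead of from the
 * destination.  data_size - 4 - 1 is meant to be "message bytes without the
 * NUL", but for a packet shorter than 5 bytes it wraps around to a huge
 * size_t, so strncpy would run far past any stack buffer. */
size_t naive_copy_len(size_t data_size)
{
    return data_size - 4 - 1;
}

/* Pitfall 2: strncpy(dest, src, sizeof dest) never writes a terminator when
 * src has no NUL within the first n bytes.  Returns 1 if dest was left
 * unterminated, 0 otherwise (checked with memchr, not with strlen). */
int strncpy_leaves_unterminated(const char *src)
{
    char dest[8];
    memset(dest, 'X', sizeof dest);
    strncpy(dest, src, sizeof dest);
    return memchr(dest, '\0', sizeof dest) == NULL;
}

/* Hardened extraction of the error message from a TFTP ERROR packet.
 * The copy is bounded by the destination size, the packet length is
 * validated before any arithmetic on it, and out is always NUL-terminated.
 * Returns the message length, or -1 for a malformed packet. */
int tftp_error_message(const uint8_t *pkt, size_t pkt_len,
                       char *out, size_t out_size)
{
    if (out_size == 0 || pkt_len < 5)          /* opcode + errcode + NUL */
        return -1;
    if (((pkt[0] << 8) | pkt[1]) != 5)         /* opcode 5 = ERROR */
        return -1;

    const uint8_t *msg = pkt + 4;
    size_t avail = pkt_len - 4;                /* cannot wrap: pkt_len >= 5 */
    size_t n = 0;
    while (n < avail && msg[n] != '\0')        /* find the NUL inside the packet */
        n++;
    if (n == avail)                            /* no terminator: reject */
        return -1;
    if (n >= out_size)                         /* truncate to the destination */
        n = out_size - 1;
    memcpy(out, msg, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* constructed sample packets */
    const uint8_t good[] = { 0, 5, 0, 1, 'F','i','l','e',' ','n','o','t',' ',
                             'f','o','u','n','d', 0 };
    const uint8_t tiny[] = { 0, 5, 0 };
    char out[ERRMSG_MAX];

    printf("naive length for a 3-byte packet: %zu\n", naive_copy_len(3));
    printf("unterminated after strncpy: %d\n",
           strncpy_leaves_unterminated("0123456789"));
    printf("good packet -> %d \"%s\"\n",
           tftp_error_message(good, sizeof good, out, sizeof out), out);
    printf("3-byte packet -> %d\n",
           tftp_error_message(tiny, sizeof tiny, out, sizeof out));
    return 0;
}
```

The point of naive_copy_len is that the length passed to strncpy is attacker-controlled; once it wraps, the "n" argument offers no protection at all, which is why the hardened version rejects short packets before subtracting and sizes the copy from out_size.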

Impact: Once an attacker can execute arbitrary code on the target, the next step is usually a privilege escalation exploit to gain further control (see attached diagram).

The vendor has released a fix via the following URL: https://sourceforge.net/p/atftp/code/ci/abed7d245d8e8bdfeab24f9f7f55a52c3140f96b/

CVE-2019-3561 – Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory (30th Apr 2019)

Preface: The software reads data past the end, or before the beginning, of the intended buffer, which may expose sensitive memory. This is the so-called “out-of-bounds read”.

Technical background: HHVM is an open-source virtual machine for executing programs written in Hack and PHP. It uses just-in-time (JIT) compilation to achieve high performance. HHVM is developed by Facebook, which runs its own PHP and Hack code on it.

Vulnerability details: Insufficient boundary checks in the strrpos and strripos functions allow access to out-of-bounds memory. Both functions accept an optional offset into the haystack (positive from the start, negative from the end); validating that offset against the haystack length is exactly where an implementation has to stay inside the string buffer.

Impact: A crafted call can read memory outside the string buffer, which may disclose data or crash the process. This affects all supported versions of HHVM (4.0.3, 3.30.4 and 3.27.7 and below).
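As an added example (a constructed re-implementation, not HHVM's code), a PHP-style strrpos with the boundary checks on the offset argument spelled out. The offset semantics are assumed to follow PHP's documented behaviour: a non-negative offset starts the search at that index, a negative offset discards |offset| bytes from the end of the haystack; anything outside [-hlen, hlen] is rejected before any memory is touched:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed re-implementation of PHP-style strrpos() with the boundary
 * checks an implementation needs.  Not HHVM's code.
 * Returns the index of the last match, -1 if not found, or -2 if offset
 * lies outside [-hlen, hlen]. */
long safe_strrpos(const char *hay, size_t hlen,
                  const char *nd, size_t nlen, long offset)
{
    size_t first, last;                  /* range of candidate start positions */

    if (nlen == 0 || nlen > hlen)
        return -1;
    if (offset >= 0) {
        if ((size_t)offset > hlen)       /* boundary check, positive side */
            return -2;
        first = (size_t)offset;
        last  = hlen - nlen;
    } else {
        size_t back = (size_t)(-(offset + 1)) + 1;   /* |offset| without overflow */
        if (back > hlen)                 /* boundary check, negative side */
            return -2;
        first = 0;
        /* the needle may not extend past hlen - back */
        last  = back < nlen ? hlen - nlen : hlen - back;
    }
    if (first > last)
        return -1;
    /* scan right to left; every hay[i .. i+nlen) is inside the buffer */
    for (size_t i = last + 1; i-- > first; )
        if (memcmp(hay + i, nd, nlen) == 0)
            return (long)i;
    return -1;
}

/* Convenience wrapper for NUL-terminated strings. */
long strrpos_cstr(const char *hay, const char *nd, long offset)
{
    return safe_strrpos(hay, strlen(hay), nd, strlen(nd), offset);
}

int main(void)
{
    printf("%ld\n", strrpos_cstr("hello", "l", 0));    /* 3 */
    printf("%ld\n", strrpos_cstr("hello", "l", -3));   /* 2 */
    printf("%ld\n", strrpos_cstr("hello", "l", 6));    /* -2: out of bounds */
    return 0;
}
```

Note that the two checks are not symmetric: a positive offset only has to be at most hlen, while a negative one has to be converted to a magnitude without overflowing and then compared against hlen before it is subtracted, otherwise the subtraction itself wraps and the scan starts outside the buffer.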

Facebook's fix for HHVM is available via the following link: https://github.com/facebook/hhvm/commit/46003b4ab564b2abcd8470035fc324fe36aa8c75

cJSON vulnerabilities found: anyone running an in-memory data structure store used as a database, cache and message broker with JSON support built on cJSON must stay alert (May 2019)

Preface: Lua is a powerful, fast, lightweight, embeddable scripting language, so it is well suited to working with geospatial data.

Technical background: Redis is an open source (BSD licensed), in-memory data structure store used as a database, cache and message broker. To achieve its performance Redis ships a number of built-in facilities; its embedded Lua interpreter loads seven libraries: base, table, string, math, debug, cjson and cmsgpack. From a performance point of view, the cjson library provides very fast JSON manipulation within Lua. Note that the cjson bundled with Redis is lua-cjson, a separate project from Dave Gamble's cJSON library in which the CVEs below were found; check which library your deployment actually embeds before deciding whether you are affected.

Vulnerability details:

CVE-2019-11834: cJSON out-of-bounds access when parsing multiline comments (a crafted document can crash the parser or, at worst, lead to further compromise)
CVE-2019-11835: cJSON out-of-bounds access related to a \x00 byte inside a string literal (same impact)
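As an added example (constructed here, not cJSON's code), the bounds discipline a comment-skipping JSON pre-pass needs: the input length is passed explicitly and checked before every byte is read, so an unterminated block comment at the end of the buffer is reported as an error instead of being scanned past the end. The sample document in main is constructed:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not cJSON's code: a comment-stripping pre-pass
 * for JSON that never reads past the end of its input. */

/* Skips the comment starting at buf[pos]: a line comment (two slashes, to
 * end of line) or a block comment (slash-star up to the next star-slash).
 * Returns the index just past the comment, or -1 if the comment is
 * malformed or unterminated. */
long skip_comment(const char *buf, size_t len, size_t pos)
{
    if (pos + 1 >= len || buf[pos] != '/')     /* need at least two bytes */
        return -1;
    if (buf[pos + 1] == '/') {
        size_t i = pos + 2;
        while (i < len && buf[i] != '\n')
            i++;
        return (long)i;                        /* EOF may end a line comment */
    }
    if (buf[pos + 1] == '*') {
        size_t i = pos + 2;
        while (i + 1 < len) {                  /* terminator needs 2 bytes */
            if (buf[i] == '*' && buf[i + 1] == '/')
                return (long)(i + 2);
            i++;
        }
        return -1;                             /* unterminated: stop here */
    }
    return -1;
}

/* Copies `in` to `out` with comments removed; comment markers inside string
 * literals are left alone.  Returns the output length or -1 on error. */
long strip_json_comments(const char *in, size_t len, char *out, size_t out_size)
{
    size_t o = 0;
    int in_string = 0;
    for (size_t i = 0; i < len; ) {
        char c = in[i];
        if (!in_string && c == '/') {
            long next = skip_comment(in, len, i);
            if (next < 0)
                return -1;
            i = (size_t)next;
            continue;
        }
        if (in_string && c == '\\' && i + 1 < len) {   /* copy escape pair */
            if (o + 2 > out_size)
                return -1;
            out[o++] = c;
            out[o++] = in[i + 1];
            i += 2;
            continue;
        }
        if (c == '"')
            in_string = !in_string;
        if (o + 1 > out_size)
            return -1;
        out[o++] = c;
        i++;
    }
    return in_string ? -1 : (long)o;
}

int main(void)
{
    /* constructed sample: a block comment, a slash inside a string, a line comment */
    const char doc[] = "/* header */{\"path\": \"/tmp/x\"} // trailing";
    char out[64];
    long n = strip_json_comments(doc, sizeof doc - 1, out, sizeof out);
    printf("%ld bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

The essential line is the loop condition `i + 1 < len` in the block-comment case: the terminator is two bytes, so the scan must stop one byte early rather than test buf[i + 1] at the end of the buffer.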

Remediation: The vendor has released fixed versions at the following link – https://github.com/DaveGamble/cJSON/releases

As of May 9, 2019, even VirusTotal had no record of it! Where did it come from?

Preface: The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified a malware variant referred to as ELECTRICFISH.

Technical details: The malware implements a custom protocol, loosely comparable to the tunnelling done by the Tor browser, that funnels traffic between a source and a destination Internet Protocol (IP) address so that the traffic bypasses the defence mechanisms in between. The malware continuously attempts to reach out to both the source and the destination system, which allows either side to initiate a funneling session.

Comment: The malware designers seem to have been aware that their operation would be terminated by malware detectors, especially in organizations that have deployed FireEye. Whether an infection succeeds depends entirely on the infection path: perhaps phishing, or hiding inside third-party software drivers. From a technical point of view, its activity is not easily discovered by antivirus software once the malware is installed. But it is rare that even VirusTotal has no record of it to date.

Headline news via the following link: https://www.washingtonexaminer.com/news/us-government-unveils-new-north-korean-hacking-tool-as-tensions-continue-to-rise

CVE-2019-11036 – Successful exploit could allow the attacker to access sensitive information (30th Apr 2019)

Preface: PHP is a scripting language whose main purpose is processing dynamic web pages; it also provides a command-line interface and can be used to build graphical user interface programs.

Vulnerability details: A vulnerability in the EXIF component of PHP could allow an unauthenticated, remote attacker to access sensitive information on a targeted system.

Cause: The vulnerability is an out-of-bounds read in the exif_process_IFD_TAG function (ext/exif/exif.c): when processing certain files, the EXIF extension can be made to read past an allocated buffer, which may disclose memory contents or crash the process. A similar flaw, an integer overflow in the offset and length handling of the same function on 32-bit platforms, was reported in 2011 (CVE-2011-4566).
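As an added example (constructed here, not PHP's exif.c), the checks an IFD tag parser has to perform before it touches a tag's data: the 12-byte entry itself lies inside the file, count times element size cannot overflow, and an out-of-line offset plus length stays inside the file. The TIFF entry layout and type-size table are standard; the little-endian sample bytes in main are constructed:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the bounds checks an EXIF/TIFF IFD tag parser
 * needs.  Not PHP's exif.c.  An IFD entry is 12 bytes:
 *   tag(2) | type(2) | count(4) | value-or-offset(4)
 * Values of 4 bytes or less are stored inline in the last field; longer
 * values live at the given file offset. */

/* Byte width of each TIFF data type, indexed by type code (0 = unknown). */
static const uint32_t TIFF_TYPE_SIZE[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

typedef struct {
    uint16_t tag, type;
    uint32_t count;
    uint32_t data_off;   /* where the tag's data starts in the file */
    uint32_t data_len;   /* count * element size */
} ifd_entry_t;

static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}

static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Parses the entry at file[entry_off].  Returns 0 and fills *e only when
 * every later read of the tag's data is provably inside [0, file_len);
 * otherwise returns a negative code identifying the failed check. */
int parse_ifd_entry(const uint8_t *file, size_t file_len, uint32_t entry_off,
                    int little_endian, ifd_entry_t *e)
{
    if (entry_off > UINT32_MAX - 12 || entry_off > file_len || file_len - entry_off < 12)
        return -1;                                   /* entry not inside file */
    const uint8_t *p = file + entry_off;
    e->tag   = rd16(p, little_endian);
    e->type  = rd16(p + 2, little_endian);
    e->count = rd32(p + 4, little_endian);
    if (e->type == 0 || e->type > 12)
        return -2;                                   /* unknown data type */
    uint32_t unit = TIFF_TYPE_SIZE[e->type];
    if (e->count > UINT32_MAX / unit)
        return -3;                                   /* count * unit overflows */
    e->data_len = e->count * unit;
    if (e->data_len <= 4) {
        e->data_off = entry_off + 8;                 /* inline value */
    } else {
        e->data_off = rd32(p + 8, little_endian);
        if (e->data_off > file_len || file_len - e->data_off < e->data_len)
            return -4;                               /* data runs past EOF */
    }
    return 0;
}

int main(void)
{
    /* constructed little-endian fragment: one entry at offset 8,
     * tag 0x010E (ImageDescription), type 2 (ASCII), count 6, offset 20 */
    uint8_t f[32] = {0};
    const uint8_t entry[12] = {0x0E, 0x01, 2, 0, 6, 0, 0, 0, 20, 0, 0, 0};
    memcpy(f + 8, entry, 12);
    memcpy(f + 20, "hello", 6);

    ifd_entry_t e;
    int rc = parse_ifd_entry(f, sizeof f, 8, 1, &e);
    printf("rc=%d tag=0x%04X len=%u data=\"%s\"\n",
           rc, e.tag, e.data_len, (const char *)(f + e.data_off));
    return 0;
}
```

The overflow check is the one most often missing: `count * unit` is computed in 32 bits, so a huge count can produce a small data_len that passes the later range check while the parser's element loop still iterates `count` times; rejecting the multiplication before it wraps closes that gap.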

Official announcement: The PHP Project has released software updates via following url: https://php.net/downloads.php

CVE-2019-1867 – Cisco Elastic Services Controller REST API Authentication Bypass Vulnerability (May 2019)

Preface: A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API.

About the REST API: In an authentication bypass the attacker is on the client side and the REST API server is the victim: the attacker builds a rogue client that sends requests the server accepts without valid credentials, and so obtains whatever the API is allowed to do. This is exactly what Cisco's fix addresses.

Speculation: one way an attacker might exploit this is by packaging the Java class org.flowable.CallExternalSystemDelegate into a jar.

Affected products: Cisco ESC software releases 4.1, 4.2, 4.3 and 4.4 when the REST API is enabled.

Remark: The REST API is not enabled by default.

Official announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190507-esc-authbypass

CVE-2019-11683 – A vulnerability in the udp_gro_receive_segment function of the Linux Kernel could cause denial of service (May 2019)

Preface: 78% of vulnerabilities are found in indirect dependencies, making remediation complex, according to snyk.io.

Description: GSO (generic segmentation offload) for UDP reduces the CPU cycles per byte for large packets by amortizing the cost of protocol stack traversal over one large buffer; GRO (generic receive offload), where this bug lives, is the receive-side counterpart that coalesces consecutive packets before handing them up the stack.

Vulnerability details: udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x through 5.0.11 mishandles padded packets, which allows remote attackers to cause a denial of service. A successful exploit crashes the system, resulting in a DoS condition.

Remedy: Kernel.org has confirmed the vulnerability and released fixed kernels – https://lwn.net/Articles/787532/

May 2019 – PrinterLogic shows weak vulnerability management

Preface: Patch management is the practice of keeping deployed software applications up to date so that known security weaknesses cannot be exploited by attackers.

Background: PrinterLogic's printer and driver management platform reduces infrastructure costs by eliminating print servers and providing centralized management of every printer on the network. Sold in both on-premises and cloud configurations, PrinterLogic also offers secure pull printing, mobile printing and improved performance in virtual desktop (VDI) environments.

Vulnerability details: For more information on the vulnerability, please visit the following URL – https://www.kb.cert.org/vuls/id/169249/

Comment on CVE-2018-5409: If a compromised server connects to a DNS server and performs DNS and DNSSEC protocol-level fuzzing, it may crash the target server.

CVE-2019-1002101: Vulnerabilities found in Kubernetes’ kubectl cp command (3rd May 2019)

Preface: Kubernetes is used even on some of the world's supercomputers.

Technical background: kubectl controls the Kubernetes cluster manager. The “kubectl cp” command copies files and directories to and from containers; to copy out of a container it runs tar inside the container and unpacks the resulting stream on the user's machine.

Vulnerability details: An attacker who controls a container can trick a user into running kubectl cp against it: the container's malicious tar binary returns a crafted archive whose entry names escape the intended destination directory, and kubectl writes them out unchecked. Successful exploitation may allow the attacker to overwrite or delete any file in the user's security context.
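As an added example (constructed here, not kubectl's code, which is written in Go), the check an archive extractor must apply to every entry name before writing: the name is resolved lexically against the destination directory, and absolute names or any “..” that would climb above the destination are rejected. The destination path and entry names in main are constructed:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not kubectl's code: lexically joins a tar entry
 * name onto a destination directory and refuses anything that would resolve
 * outside it.  Returns 0 and writes the joined path into out, or -1 if the
 * entry is absolute, escapes via "..", or does not fit. */
#define MAX_COMPONENTS 256

int safe_extract_path(const char *dest_dir, const char *entry,
                      char *out, size_t out_size)
{
    const char *comps[MAX_COMPONENTS];
    size_t lens[MAX_COMPONENTS];
    int depth = 0;

    if (entry[0] == '/')
        return -1;                              /* absolute names never allowed */

    for (const char *p = entry; *p; ) {         /* split on '/' */
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t n = (size_t)(p - start);
        if (*p == '/')
            p++;
        if (n == 0 || (n == 1 && start[0] == '.'))
            continue;                           /* empty or "." component */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;                      /* would escape dest_dir */
            depth--;
            continue;
        }
        if (depth == MAX_COMPONENTS)
            return -1;
        comps[depth] = start;
        lens[depth] = n;
        depth++;
    }

    size_t o = strlen(dest_dir);
    while (o > 1 && dest_dir[o - 1] == '/')     /* drop trailing slashes */
        o--;
    if (o >= out_size)
        return -1;
    memcpy(out, dest_dir, o);
    for (int i = 0; i < depth; i++) {
        if (o + 1 + lens[i] >= out_size)
            return -1;
        out[o++] = '/';
        memcpy(out + o, comps[i], lens[i]);
        o += lens[i];
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* constructed entry names such as a malicious in-container tar might emit */
    const char *names[] = { "logs/app.log", "../../.bashrc",
                            "a/../../etc/passwd", "/etc/passwd", "./x/./y/" };
    char out[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = safe_extract_path("/tmp/dest", names[i], out, sizeof out);
        printf("%-22s -> %s\n", names[i], rc == 0 ? out : "REJECTED");
    }
    return 0;
}
```

The check is purely lexical, which is the right first gate but not the last one: a symlink already present under the destination can still redirect a write elsewhere, so an extractor also has to refuse to follow symlinks (or re-validate after resolving the existing part of the path). Symlink handling was the subject of follow-up kubectl cp fixes.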

Remedy: Kubernetes has released a software update via the following link: https://github.com/kubernetes/kubernetes/releases

Comment: This vulnerability is not trivial to exploit: the attacker first needs a malicious tar binary inside the container the user copies from. The actual level of risk therefore depends on how your container images are built and where they come from, so do not dismiss the issue because the risk is hard to predict.

2nd May 2019 – Don’t let your SAP facility become a cyber attack target

Preface: An estimated 1,000,000 SAP production systems are reported to be currently at risk of being hacked.

Technical details:
When you configure SAP Router (saprouter) to allow remote connections from the Internet via the SAP GUI, the usual setup adds route table entries for TCP ports 3300, 3301 and 3303 for the external applications in use (a gateway connection on these ports).

Default TCP gateway port exploited by attackers:
Since this default pathway has been built, an attacker may have a channel to compromise the system, for example by sending malicious input in an attempt at remote code execution. In fact, a published proof of concept showed that the SAP backend can be driven to execute attacker-supplied code through this path.

Remedy: If you have outsourced your security monitoring to a managed security services provider, they will write the detection rules that flag such malicious activity. If not, you need to write the rules for your IDS yourself. Note that YARA rules match files and memory, while network-level detection on an IDS uses signatures such as Snort or Suricata rules; either way, detection complements rather than replaces the real fix, which is to restrict who may reach the gateway ports (SAP's gateway ACL files secinfo and reginfo) so that they are not exposed to the Internet. For more details, please refer to the diagram.