All posts by admin

CVE-2020-24231 – Are you using SymmetricDS for Database Replication on your Docker or cloud environment?

Preface: Cutting-edge technology companies like open source software. Big data analytics companies may need to pay attention.

Observation: In our observation of advanced technology development firms, whether small or enterprise-scale, they do not mind using open source software applications. From a business point of view, the business unit must pay license fees once a vendor is acknowledged; however, before their new services or products roll out to the market, the software developers do not hesitate to use open source software. Therefore open source software vulnerabilities are the key factor they should be alert to. Otherwise, the risk carried into your services or products is unpredictable.

Technical Background: Monitoring and administrative operations of SymmetricDS can be performed using Java Management Extensions (JMX). SymmetricDS uses MX4J to expose JMX attributes and operations that can be accessed from the built-in web console, Java's jconsole, or an application server. By default, the web management console can be opened from the following address:
http://localhost:31416/

Vulnerability found on SymmetricDS: SymmetricDS uses MX4J to provide access to JMX over HTTP. By default, MX4J has no authentication and listens on all interfaces (0.0.0.0). Therefore an attacker who can reach the port can interact with JMX: get system information and invoke MBean methods. Moreover, it is possible to install additional MBeans from a remote host using MLet, which leads to arbitrary code execution. For more details, please refer to the attached picture.

Remedial Status: https://www.symmetricds.org/issues/view.php?id=4263

Trend Micro Antivirus for Mac Symbolic Link Privilege Escalation Vulnerability (CVE-2020-25776) 5th Oct 2020

Preface: On a Linux system, chmod never changes the permissions of symbolic links; the chmod system call cannot change their permissions. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file.

VULNERABILITY DETAILS: This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Antivirus for Mac. The specific flaw exists within the iTISPlugin module. By creating a symbolic link, an attacker can abuse the product to loosen permissions on a local file. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of root.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25776.

The risk rating of this flaw is set to low in the CVE database. However, do not underestimate this low risk rating, and believe that in the software world similar flaws will appear everywhere. So we must stay alert.

Mitigation: Install updates from vendor’s website.

Vulnerable software versions: Antivirus for Mac: 2019 (v9.x), 2020 (v10.x)

Ransomware attacks are raging recently. The victim firms include a famous watch manufacturer, a bank, health services, etc. (30th Sep 2020)

Background: Cyber attacks are commonly based on vulnerabilities and user negligence. Ransomware uses the same concept.

An example of ransomware today: the Conti and Ryuk code is similar. Conti uses a ransomware note template similar to Ryuk's, and it appeared to be deploying the same TrickBot infrastructure. The attack campaigns send unsolicited emails that use social engineering techniques to lower users' awareness, so that the user downloads malware from a malicious website or is tricked into opening malware delivered as an attachment. Security experts noticed that the Conti ransomware has multiple anti-analysis features to slow detection and reverse engineering. Their method is VBA code that executes a multi-stage, highly obfuscated PowerShell script in an attempt to evade AV and security solutions. Ransomware is one of the most troublesome kinds of cyber attack. Perhaps the guideline below can enrich your related knowledge.

CISA and MS-ISAC Release the Prevention Best Practices – https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

Aveva Edna Enterprise Data Historian Vulnerabilities (CVE-2020-13508,CVE-2020-13505,CVE-2020-13503,CVE-2020-13501,CVE-2020-13500,CVE-2020-13499 & CVE-2020-13507) – Sep 2020

Preface: AVEVA has reached agreement to acquire OSIsoft, a pioneer and global leader in real-time industrial operational data software and services.

Background: Under normal circumstances, an authorized user can navigate to the ASMX file through the browser, fill in the form with the parameters and post them to the database. If an attacker finds the URL of this internet-facing web portal, is there a way for the attacker to alter the database?

Reply: If someone else is in the same domain, he can copy the cookie from the referring page and then exploit the ASMX file to alter the DB.

Vulnerability details:

CVE-2020-13508 – Parameter AliasName in Alias.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13505 – Parameter psClass in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13503 – Parameter AttFilterName in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13501 – Parameter InstanceName in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13500 – Parameter ClassName in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13499 – Parameter InstancePath in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13507 – Parameter OrigID in Alias.asmx is vulnerable to unauthenticated SQL injection attacks.

Remark: Specially crafted SOAP web requests can cause SQL injection resulting in data compromise for the items above.
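The bug class behind these seven CVEs, shown in Python with an in-memory SQLite table standing in for the historian's alias table (an added example, not the AVEVA product's own code; the table, the AliasName column and the sample rows are constructed). The vulnerable lookup splices the request parameter into the SQL text; the hardened one binds it as a placeholder value.

```python
import sqlite3


def setup():
    # Constructed stand-in table: an alias name mapping to a historian tag.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alias (AliasName TEXT, Target TEXT)")
    conn.executemany(
        "INSERT INTO alias VALUES (?, ?)",
        [("PUMP1", "tag.001"), ("VALVE7", "tag.002")],
    )
    return conn


def lookup_vulnerable(conn, alias_name):
    # The AliasName request parameter becomes part of the SQL statement itself,
    # so quote characters in it change the query's meaning.
    sql = "SELECT Target FROM alias WHERE AliasName = '" + alias_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, alias_name):
    # The parameter is passed as bound data: it can only ever be compared
    # as a literal string, never parsed as SQL syntax.
    sql = "SELECT Target FROM alias WHERE AliasName = ?"
    return [row[0] for row in conn.execute(sql, (alias_name,))]


if __name__ == "__main__":
    conn = setup()
    tautology = "x' OR '1'='1"
    print(lookup_vulnerable(conn, tautology))      # every row comes back
    print(lookup_parameterized(conn, tautology))   # no alias has that literal name
    print(lookup_parameterized(conn, "PUMP1"))     # normal use still works
```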

Remedy: Waiting for official announcement.

Boeing, U.S. regulator made series of errors ahead of 737 Max crashes: congressional report (Sep 2020)

Preface: From a logical point of view, if an input relies on only a single standalone source (sensor), the integrity of the result depends entirely on the number of variable factors. Perhaps the sensor installed on an airplane is an IoT device. So it caught my interest.

Background: Traditionally the older (NG) 737 variants did not have fly-by-wire technology, and autopilot could be overridden and turned off simply by putting manual pressure on the yoke.

Software that talks to hardware such as airplane equipment is often written in a programming language called C. The names of files containing C code usually end in .c. This assumes that the MCAS software is contained in a file called mcas.c. But this time there was no cyber attack; this is a problem caused by human error.

For the 737 Max crashes (congressional report), please refer to the headline news – https://www.cbc.ca/news/world/us-congress-boeing-crash-report-1.5725876

Cause of incident: In the case of the Lion Air crash, the sensor malfunctioned and caused the flight computer to push the nose down when the flight was level.

From a technical point of view, the sensor is an IoT device, and there are facilities that can prevent such a disaster. Conceptually, even a simple XOR gate with two inputs, or a combination of NAND gates equivalent to an XOR gate, would do. The essential objective is to apply suitable logic to the logic circuit, whereby the output depends at all times on the combination of its inputs. Simply put, it is the logic design.

CVE-2020-13991 JerryScript 2.2.0 vm/opcodes.c privilege escalation (25th Sep 2020)

Preface: JerryScript is a lightweight JavaScript engine intended to run on very constrained devices such as microcontrollers.

Background: In a traditional programming environment, the source code is passed through a program called a compiler, which translates it into bytecode that the machine understands and can execute. Internet of Things devices have serious constraints on CPU performance and memory space. Therefore, Samsung designed the JerryScript engine, which can run on less than 64KB of memory, and all of its code can be stored in less than 200KB of read-only memory (ROM).
JavaScript has no compilation step. Instead, an interpreter in the browser reads over the JavaScript code, interprets each line, and runs it.

Vulnerability: A vulnerability classified as critical has been found in JerryScript 2.2.0. This affects an unknown function of the file vm/opcodes.c. The manipulation with an unknown input leads to a privilege escalation vulnerability.

Remedy: On GitHub, the developer has shown that it is fixed, but there is no official announcement yet.

Sourcecodester Seat Reservation System Version 1.0 vulnerabilities

Preface: It is common for application developers to use open source as a reference.

Synopsis: If you are considering or have already used this free source code to develop a seat reservation system,
you should stay alert for vulnerabilities in this software product.

Vulnerability details:

Seat Reservation System 1.0 Unauthenticated SQL Injection (CVE-2020-25762)
Seat Reservation System version 1.0 suffers from an unauthenticated file upload vulnerability that allows for remote code execution. (CVE-2020-25763)

Remedy: You can configure your firewall or Nginx to restrict access to ajax.php and the admin function pages.

APT developing new evasion technique to conduct cyber attacks – 23rd Sep 2020

Preface: The APT organization provides hard-to-detect malware to attack other hostile camps.

Synopsis: The evasion technique found recently by a security expert team is that APT 29 exploits a design weakness of the detection mechanism. They re-engineer a zip file so that it is also a valid JPEG.
“This technique works because JPEG files are parsed from the beginning of the file and some Zip implementations parse Zip files from the end of the file (since the index is located there) without looking at the signature in the front,” the researchers explain.
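A defensive check for the head/tail mismatch the researchers describe: a file whose first bytes say JPEG while its last bytes carry a Zip End Of Central Directory record (added example, not from the research cited above; the sample polyglot is constructed in memory purely to exercise the detector and contains only a text entry).

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8\xff"   # JPEG files are parsed from this signature at the front
EOCD_SIG = b"PK\x05\x06"     # Zip readers start from this record at the back


def find_eocd(data):
    # The EOCD record is 22 bytes plus an optional comment of at most 65535
    # bytes, so only the tail of the file needs to be searched.
    tail_start = max(0, len(data) - (22 + 65535))
    pos = data.rfind(EOCD_SIG, tail_start)
    return pos if pos >= 0 else None


def inspect_file(data):
    """Report what the head and the tail of the file each claim to be."""
    eocd = find_eocd(data)
    info = {"jpeg_header": data.startswith(JPEG_SOI),
            "zip_trailer": eocd is not None,
            "zip_entry_count": 0,
            "zip_entries": []}
    if eocd is not None:
        # EOCD layout: sig(4) disk(2) cd_disk(2) entries_on_disk(2)
        #              total_entries(2) cd_size(4) cd_offset(4) comment_len(2)
        info["zip_entry_count"] = struct.unpack_from("<H", data, eocd + 10)[0]
        if zipfile.is_zipfile(io.BytesIO(data)):
            # zipfile tolerates prepended data, which is exactly why an
            # end-parsing reader accepts the file: list what it would extract.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                info["zip_entries"] = zf.namelist()
    # A file that satisfies both parsers is the polyglot worth alerting on.
    info["polyglot"] = info["jpeg_header"] and info["zip_trailer"]
    return info


def build_sample_polyglot():
    # Constructed test fixture: an 11-byte JPEG SOI/APP0 prefix followed by a
    # zip archive holding a harmless text entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    return JPEG_SOI + b"\xe0" + b"\x00\x10JFIF\x00" + buf.getvalue()


if __name__ == "__main__":
    print(inspect_file(build_sample_polyglot()))
```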

Perhaps APT 28 and APT 29 use different evasion techniques aimed at delivering malicious resources to the target, whereby the final executor is PowerShell.

The so-called Zebrocy is mainly a downloader. Its evasion effect is better than the technique used by APT 29. After running, it performs a persistence operation and pops up an error message box to confuse the user. When it is started with specific parameters, a screenshot is taken. Through a timer callback function, it sends data to the remote server and waits for the subsequent payload to be downloaded.

Should you disable PowerShell?
No, minimize the risks with PowerShell Constrained Language mode.

Enabling Constrained Language mode
PS C:\Users\xxxx> $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

This can also be configured in the registry by setting the value __PSLockdownPolicy under HKLM\System\CurrentControlSet\Control\Session Manager\Environment.

Running PowerShell as Admin, you can simply remove this property:
Remove-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\" -name __PSLockdownPolicy

Recommended article: PSLockDownPolicy and PowerShell Constrained Language Mode – https://docs.microsoft.com/en-us/archive/blogs/kfalde/pslockdownpolicy-and-powershell-constrained-language-mode

Samba 4.0 and later drag in the netlogon protocol vulnerability (CVE-2020-1472). As a matter of fact, the flaw was not created by Microsoft – 22nd Sep 2020

Preface: CFB8 was created to have good error propagation properties over a noisy channel. It is well known that it is not fast; it is actually 16 times as slow, as it requires a block encrypt for each byte.

Details: CVE-2020-1472, also known as "Zerologon," was given a "critical" security rating by Microsoft. It can let an attacker gain full control of all identity services in the AD domain; as a result, any device in the domain could run malicious programs. But this headache extends to other third-party solution providers as well. The US government issued an emergency order requiring the Zerologon patch to be completed by next week.
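The cryptographic root of Zerologon, tying the CFB8 preface to the details above: with an all-zero IV, CFB8 encryption of an all-zero plaintext yields an all-zero ciphertext whenever the first byte of E(K, 0) is zero, which happens for about 1 key in 256. This is an added educational example, not Samba or Microsoft code; it assumes a stand-in keyed function built from SHA-256 in place of AES so it runs on the standard library (the property shown holds for any block cipher, since CFB8 only uses the forward direction).

```python
import hashlib

BLOCK = 16


def block_encrypt(key, block):
    # Stand-in for AES (assumption for this example): a keyed pseudorandom
    # function truncated to one 16-byte block. CFB8 never decrypts with the
    # block cipher, so an invertible primitive is not required here.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key, iv, plaintext):
    # CFB8: the shift register starts as the IV. Each plaintext byte is XORed
    # with the first byte of E(K, register); the register then slides left one
    # byte and the new ciphertext byte enters on the right.
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_iv_leaks(key, length=8):
    # All-zero IV and all-zero plaintext: if E(K, 0^16)[0] == 0 the first
    # ciphertext byte is 0, the register stays all zeros, and every following
    # byte is 0 too. Otherwise the first byte is already non-zero.
    return cfb8_encrypt(key, bytes(BLOCK), bytes(length)) == bytes(length)


def first_byte_is_zero(key):
    return block_encrypt(key, bytes(BLOCK))[0] == 0


def fraction_of_weak_keys(trials=4096):
    # Deterministically constructed keys; expect roughly 1/256 of them to leak.
    hits = sum(zero_iv_leaks(i.to_bytes(4, "big")) for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("fraction of keys giving all-zero ciphertext:", fraction_of_weak_keys())
```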

My observation: If you have a Windows policy applied that locks accounts after 3 invalid login attempts, perhaps it will avoid this attack.

Remediation on Samba server: In the Samba server config (smb.conf), set 'server schannel = yes'.

Samba official announcement: https://www.samba.org/samba/security/CVE-2020-1472.html

The attached diagram provides further information for your reference.

An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. Software developers should be careful when making use of paypal-rs. (19-09-2020)

Preface: Companies large and small are using Rust in production all over the world, including Mozilla, Dropbox, npm, Postmates, Braintree and others.

Vulnerability details: An issue was discovered in the sized-chunks crate through 0.6.2 for Rust (CVE-2020-25791 to CVE-2020-25796).
Chunk:
– Array size is not checked when constructed with unit() and pair()
– Array size is not checked when constructed with From<InlineArray<A, T>>.
– Clone and insert_from are not panic-safe (memory safety issues)
InlineArray:
– Generates unaligned references for types with a large alignment requirement.

Rust does not implement Default for all arrays because it does not have non-type polymorphism. If the design does not contain an array-check mechanism for constructing structures ("structs") by specifying the type, a bug of this kind can slip in. Perhaps there is no proof of concept to exploit this vulnerability at the moment; however, it looks as if it provides a way for an attacker to exploit this design limitation in future. For the moment, we must wait for the developer to do the remediation.