All posts by admin

Potential Risk of CVE

Cyber Security focus: Node.js – Nov 2018

Preface:

Who use Node JS?
Node.js build various applications such as social media apps, video and text chat engines, real-time tracking apps, online games and collaboration tools. CiscoDevNet has sample to guide the developer how to integrate integrate Webex with node.js.

Technology background:
Node.js is an open-source, cross-platform JavaScript run-time environment that executes JavaScript code outside of a browser.

Severity of impact:

Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default. A debug menu or debug mode is a user interface implemented in a computer program that allows the user to view and/or manipulate the program’s internal state for the purpose of debugging.

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers

Severity – High severity

Node.js Official announcement for reference:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Uncategorized

SamSam Ransomware variant – December 3, 2018

Preface:

The Department of Homeland Security urge the world and United state staying alert of new wave of cyber attack.

Technical details:
SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. Most likely the goal of the action is interfere the society stability. It can widespread impact on political stability.

Recommendations:
1. Maintain up-to-date antivirus signatures and engines.
2. Keep operating system patches up-to-date.
3. Disable File and Printer sharing services.
4. Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
5. Enforce Awareness training.

2018, cyber security incident news highlight, Under our observation

Credit reporting agency TransUnion – personal data security flaw (Nov 2018)

Preface:
Transunion offers total credit protection all in one place from credit score, credit report and credit alert. On June 25, 2015, TransUnion became a publicly traded company for the first time, trading under the symbol TRU.

Who is CreditGo?
CreditGo provides free access to credit circular reports and credit scores for Hong Kong residents. Meanwhile the credit information provided by CreditGo comes from TransUnion.

Data privacy leakage incident:
The Hong Kong arm of American consumer credit reporting agency TransUnion was forced to suspend its online services on Thursday after a local newspaper was easily able to access the personal data of the city’s leader and finance minister.

What is the reason?
Incorrect program logic from online web application cause database leak.

Remedy:
Suspend online services.

Comments:
Refer to attached diagram, it is hard to avoid your data personal privacy leakage since when bank or financial institute check the information of a person. It is because a duplicate copy will be generate.
Business world and our daily life is insane now!

Headline news:

https://www.scmp.com/news/hong-kong/hong-kong-economy/article/2175654/credit-agency-transunion-suspends-online-services

IoT

Who hinder smart city development?

Preface:

The desire of human being is infinite. It create motivation and innovation. However it embedded greedy and selfishness.

Smart city major domains

In high level point of view, it is easy to interpret smart city major domains. They are Analytics,Transportation,Health & Environment.

You might ask, where is cyber security? I assumed that cyber security equivalent as a hidden parameter. They will pop up during you conduct a gap analysis (see below diagram for reference).

Who causes security gap?

When functional requirements hits design limitation, you can set out strategic solution conduct the remedy, along with a time frame for meeting those objectives.

However the unknown parameters will impact business decisions because of their expectation and budget concerns. As a result, the technology and cyber security gap will carry forward with development cycle.

A study from Hewlett Packard in 2016 concluded that 70 percent of IoT devices contain serious vulnerabilities.

The IoT devices and smart city relationship

IoT involves adding internet connectivity to a system of interrelated computing devices, mechanical and digital machines, objects, animals and/or people. The Internet of Things (IoT) form a bridge in between human and machine. As of today, key terms so called ECO system explicitly describe above mechanism. The key technology behind the success of smart city initiatives is the IoT devices. Thereby IoT devices similar an organ inside the human body. The communication in between IoT devices and IoT ECO system like human blood vessel. So, if the smart city infrastructure characteristics like human. And therefore it is hard to avoid sick and illness.

IoT security

When a electronic device has ability for external communications. A specific TCP or UDP port will operate in listen state. The traditional best practice will deploying Firewall and antivirus software. Since IoT devices OS footprint is small. For example a webcam, even though the manufacturer want to install a defense mechanism. However the design limitation restrict or without space. It could not fulfill the requirement. So IoT devices are the top attack target by cyber criminals. As we know, a so called botnet army will be control by attacker command and control server remotely.

For my observation by far, the IoT security awareness was alerted by security researcher since 2010 (see below diagram for reference).

Perhaps the product development and business trend run in fast way. The smart city and artificial intelligence boots up the growth. As of today, IoT devices implementation covered all around the world. Moreover IoT device owner learn from practice in result reduced the cyber attack hit rate. For instance do the patch management. But due to on demand business economic model (multi vendor, without common standard). It has difficult to sharpen the preventive and detective control in IoT world.

IoT now transform to 4th generation (IIoT). The Industrial Internet of Things (IIoT) or Industry 4.0 refers to interconnected sensors, instruments, and other devices networked together with computers’ industrial applications. The IIoT manufacturer especially SCADA system keen to partnership with famous antivirus vendor. For instance Siemens electronic in high priority installed Trend Micro antivirus products. However the fundamental design of SCADA systems did not focus cyber security . In light of that, on Aug 2018, the Internet Society’s Internet Engineering Task Force is working on IoT standards in areas including authentication and authorization, cryptography for IoT use cases and device life cycle management. Do you think the plethora of IoT security standards could make it difficult for a global IoT standard to emerge?

Internet of Things Embedded Operating Systems is Bad News for the Safety

IoT devices tend to use a type called RTOS, which officially is short for Real-Time Operating System. Unofficially it stands for Not-a-Full-Featured Operating System.

Below diagram bring an idea to you for reference. The Smart TVs, new generation of washing machines, Smart doorbells, Artifical intelligence lawn sprinkler systems, CCTV cameras, smart meter, motion, humidity and temprature sensor and webcam has embedded OS installed. Above IoT devices are capable for WiFi or TCP/IP connection protocol function. TCP protocol integrate to electonic devices was the best of times. But it was the worst of times since it will encountered vulnerability and Zero day attack. But it was the age of wisdom!

FreeRTOS – A real-time operating system microkernel has been developed by chip companies for over 15 years. As of today, IoT industry especially webcam, Smart home devices are deploy this operating system. But serious security flaws in FreeRTOS. The most recent known vulnerabilities are shown as below:

Remote code execution vulnerabilities: CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528.

Denial of service: CVE-2018-16523

Design flaw allow information disclosure: CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, and CVE-2018-16603

Smart city open data platform

Basically Open data is just that – open. The baseline definition is anyone can access, share and use it free of charge to better connect and interact with their cities. Applications include real-time bus timetables, weather report and public safety information sharing initiatives. Basically Open data is just that – open. The baseline defintion is anyone can access, share and use it free of charge to better connect and interact with their cities. Applications include real-time bus timetables, weather report and public safty information sharing initiatives. But the open data platform not limit above data criteria. So it make people including myself has personal data privacy concerns.

It was the worst of times since it make people concerning personal data privacy . But it was the age of wisdom!

In New York City, open data is law, rather than just a policy. In order to driven the development of smart city. The Domain knowledge expert has the following recommendations.

https://www.scmp.com/comment/insight-opinion/article/2127946/new-york-shows-open-data-key-smart-traffic-solutions

Summary:

Who hinder smart city development? We can say it is the technology limitation and personal data privacy concerns. Whether it was the worst of times on these matters . But it was the age of wisdom!

Reference:

What is a smart city from an security point of view?

 

Potential Risk of CVE

Cisco Prime License Manager SQL Injection Vulnerability – 28th Nov 2018

 

Preface: Cisco Prime License Manager provides simplified, enterprise-wide management of user-based licensing, including license fulfillment. Cisco Prime License Manager handles licensing fulfillment, supports allocation and reconciliation of licenses across supported products, and provides enterprise-level reporting of usage and entitlement.

Vulnerability synopsis:
A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries.

Official announcement:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181128-plm-sql-inject

Potential Risk of CVE

Samba release security update – 27th Nov 2018

Preface: Samba is an implementation of the Server Message Block (SMB)/Common Internet File System (CIFS) protocol for Unix systems, providing support for cross-platform file and printer sharing with Microsoft Windows, OS X, and other Unix.

Vulnerabilities highlights:
Double free error is caused by freeing same memory location twice by calling free() on the same allocated memory. A NULL pointer dereference is a sub type of an error causing a segmentation fault. It occurs when a program attempts to read or write to memory with a NULL pointer. This design limitation was happen in a lot of software application. Found above vulnerabilities occurs in Samba server. For more details, please refer below:

Unprivileged adding of CNAME record causing loop in AD Internal DNS server : https://www.samba.org/samba/security/CVE-2018-14629.html

Double-free in Samba AD DC KDC with PKINIT

https://www.samba.org/samba/security/CVE-2018-16841.html

NULL pointer de-reference in Samba AD DC LDAP server

https://www.samba.org/samba/security/CVE-2018-16851.html

NULL pointer de-reference in Samba AD DC DNS servers

https://www.samba.org/samba/security/CVE-2018-16852.html

Samba AD DC S4U2Self Crash in experimental MIT Kerberos configuration (unsupported)

https://www.samba.org/samba/security/CVE-2018-16853.html

Bad password count in AD DC not always effective

https://www.samba.org/samba/security/CVE-2018-16857.html

 

Potential Risk of CVE

CVE-2018-18955 kernel: Privilege escalation in map_write() in kernel/user_namespace.c

Preface: Linux makes very efficient use of the system’s resources.You can give new life to your old and slow Windows system by installing a lightweight Linux system. Variants of Linux are most widely used in the Internet of things and smart devices.

Vulnerability synopsis:
Namespaced mapping – when the two sorted arrays are used, the new code omits the ID transformation for the kernel . Found design flaw in kernel that DAC security controls on files whose IDs aren’t mapped in namespace.
So, user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace.

Official details: https://github.com/torvalds/linux/commit/d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd

Comment: The Linux operating system is heavily used in modern computer equipment. Will it have an impact soon?

 

Application Development, System

He is a bird – Taiwan supercomputer (Nov 2018)

Preface: There are many reasons for wanting to combine the two parallel programming approaches of MPI and CUDA. A common reason is to enable solving problems with a data size too large to fit into the memory of a single GPU, or that would require an unreasonably long compute time on a single node. The message passing interface (MPI) architecture successful exchanging messages between multiple computers running a parallel program across distributed memory. Thereby single system can group together form a big power.

Synopsis:
The open source refers to any program whose source code is made available for public use. Open MPI is a Message Passing Interface library project combining technologies and resources from several other projects. Meanwhile it is a potential power driving the technology world in this century. It is hard to imagine that Xeon processor type computer machine will go to supercomputers world. With assist of QuantaGrid D52G-4U GPU. The dream come true now. Tesla V100 can deliver up to 896 tensor Tflops to training deep learning model with 8 NVIDIA Tesla V100 (dual-width 10.5″). Taiwania 2 supercomputer take the role to handle big data , AI and scientific research functions.

Ref: https://www.taiwannews.com.tw/en/news/3575187

Application Development, System

Supercomputer – You focus the speed of CPU, but my design goal is efficiency (Nov 2018)

Preface:

The art of driving a car in a race comes from the ability to maximize the performance of the car. Everything you do on a track takes skill when you are reaching the limits of performance. This concept also suitable on computer design.

Japan supercomputer rating:

Fujitsu ranks supercomputers seventh in the world.

Cores: 391,680

Memory: 417,792 GB

Processor: Xeon Gold 6148 20C 2.4GHz

Historical background:

The traditional supercomputer architecture contains HIGH SPEED VECTOR PROCESSORS, crossbar switch, LPARs architecture. Since CPU speed is most important element on calculation. Meanwhile LPARs design can let system allocate the function feature and requirements.
Remark: Logical partitions (LPARs) are, in practice, equivalent to separate mainframes.

Synopsis:

But the military, scientific and public safety requirements of the world in today more demanding. The traditional Supercomputer LPARs design still have space for improvement. And therefore Linux high performance cluster and docker infrastructure become a key components. It boostup the system efficiency. Even though Fujitsu ranks supercomputers seventh in the world. But it maximum the efficiency.

Potential Risk of CVE

CVE-2018-6983 VMware Workstation and Fusion updates address an integer overflow issue – 22nd Nov 2018

1 Comment

Preface:
VMware Workstation is a hosted hypervisor that runs on x64 versions of Windows and Linux operating systems[4] (an x86 version of earlier releases was available);[3] it enables users to set up virtual machines (VMs) on a single physical machine, and use them simultaneously along with the actual machine.

Findings:
VMware Workstation and Fusion contain an integer overflow vulnerability in the virtual network devices. This issue may allow a guest to execute code on the host.

Official announcement and Remedy:
https://www.vmware.com/security/advisories/VMSA-2018-0030.html

Comment:
Since the public announcement did not provide the technical details. However I suspected that a design weakness on True type font parser (embedded in the TPView.dll) not been remediated. The similar vulnerability found last year. The CVE reference number is CVE-2017-4913.

Remark: Be a happy black Friday but not for this vulnerability. Yes, this is the shopping on AWS,..etc. Happy hunting.