Preface: Splunk is powerful, it can extract cookie of web connections. If client connection still alive, hacker can hijack and get the connection.

Vulnerability details: A vulnerability in Splunk Python SDK could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system. An attacker could exploit this vulnerability by executing a man-in-the-middle attack to bypass access restrictions on the system.

Design weakness: Due to improper verification of untrusted TLS server certificates

Remedy: Splunk has released software updates (refer url) – https://github.com/splunk/splunk-sdk-python/releases

Preface: Linus Benedict Torvalds, he is the principal developer of the Linux kernel, which became the kernel for many Linux distributions and operating systems.

Vulnerability details: An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.

Impact: An attacker could exploit this vulnerability by executing an application that submits malicious input to the targeted system. A successful exploit could allow the attacker to execute arbitrary code and completely compromise the system.

Remedy:https://patchwork.kernel.org/patch/10828359/

Preface: Coding is the process of translating and writing codes from one language to another support operating system platform.

What is Flatpak?

If Linux user found that the new application not available in the App Stores. He can do the installation via the DEB or RPM packages. Some of them are available via PPAs (for Debian based distributions) and if nothing, one can build from the source code. Flatpak provide a 3rd way.

Vulnerability Details: The vulnerability exists because the affected software does not use the seccomp filter to prevent sandbox applications from using TIOCSTI IOCTL.

Reason:

The snapd default seccomp filter for strict mode snaps blocks the use of the ioctl() system call when used with TIOCSTI as the second argument to the system call. But it didn’t! The fact is that restriction could be circumvented on 64 bit architectures because it performs a 64-bit comparison,but the system call is defined with a 32-bit command argument in the kernel.

Similar design flaw discovered in libseccomp package!

Remedy: https://github.com/flatpak/flatpak/releases

Observation: Similar design flaw might found soon in other software.

Synopsis: session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session(sometimes also called a session key) to gain unauthorized access to information or services in a computer system.

In software development, time of check to time of use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check.

Out-of-Bounds Read. The program reads data from outside the bounds of allocated memory. Buffer overflow is probably the best known form of software security vulnerability.

Current Status: VMware has been addressed above issues in their product. For more details, please refer to url below:

vCloud Director SP – https://www.vmware.com/security/advisories/VMSA-2019-0004.html

ESXi, Workstation and Fusion – https://www.vmware.com/security/advisories/VMSA-2019-0005.html

Preface: The libseccomp package provides an easy to use and platform independent interface to the Linux kernel’s syscall filtering mechanism.

Technical background: Syscall filtering is a security mechanism that allows applications to define which syscalls they should be allowed to execute.

Vulnerability detail: The design mistaken doing 64-bit comparisons using 32-bit operators.Whereby, leading to a number of potential problems with filters that used the LT, GT,

LE, or GE operators.
LT(less than)
GT(greater than)
LE(less than or equal to)
GE(greater than or equal to)

Impact: allow an unauthenticated, remote attacker to bypass restrictions and gain elevated privileges on a targeted system.

Fixed Software: https://github.com/seccomp/libseccomp/releases/tag/v2.4.0

Preface: Analyzing big data not so easy.

Synopsis: Analyzing big data not so easy. It requires knowledge of enterprise search engines for making content from different sources like enterprise database, social media, sensor data etc. searchable to a defined audience. Elasticsearch is one of the free and open source enterprise search software.

Vulnerability detail: The vulnerability exists because the affected software mishandles user-supplied input. An attacker could exploit this vulnerability by sending requests that submit malicious input to the affected software.

Causes: Timeline uses regular HTML DOM to render the timeline and items put on the timeline. This allows for flexible customization using css styling.
With the HTML DOM, JavaScript can access and change all the elements of an HTML document.
The design limitation allow the attacker to execute arbitrary JavaScript code on the system.

Remedy: Refer to URL – https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077

Preface: Vendor operate in high visibility, initiate fix vulnerabilities means they are more secure than other products.

Synopsis: From hardware appliance to software base. From Layer 3 to Layer 7, the growth of operations expanded, it is hard to avoid vulnerability occurs.

Vulnerability Details:
Cisco IOS and IOS XE Software Network-Based Application Recognition Denial of Service Vulnerabilities – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-nbar

CVE-2019-1753: Cisco IOS XE Software Privilege Escalation Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-privesc

CVE-2019-1754: Cisco IOS XE Software Privilege Escalation Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-privesc

Remark: Perhaps the total numbers of high severity vulnerability has 19 items. The remaining is address denial of server and command injection. But the privileges escalation merely our focus this time. So the remaining do not display in this discussion.

Preface: The statistic by Netcraft in January 2019, Apache server coverage market reach 30.88%.

Technical background: Apache server not only contain web server service, it can config as a reserve proxy server to enhance the web infrastructure isolation level. Single sign-on authentication method growth significant in past few years. A popular web architecture model, setup Apache become reserve proxy service and thus integrate to single sign on (SAML) function.

Vulnerability detail: If Apache is configured as a reverse proxy with mod_auth_mellon for authentication, the authentication can be bypassed by adding SAML 2.0 ECP headers to the request.

Official announcement and security fixes: https://github.com/Uninett/mod_auth_mellon/releases