All posts by admin

CVE-2019-18847 (Something in your eyes): 3rd Sep 2020

Preface: On October 15, 2019, Tesla discovered, and responsibly disclosed, a vulnerability within Akamai’s Enterprise Application Access (EAA) client that allows privilege escalation and remote code execution (RCE) when an attacker is within privileged locations on a network.

Vulnerability details: Enterprise Access Client Auto-Updater allows for Remote Code Execution prior to version 2.0.1.

Possible ways: Perhaps attacker can mimic a email to inform client to update their software. Meanwhile the update server will be connected to attacker compromised host. If user not aware that it is a fake IdP portal. They will download EAAClient and install it locally. Since this software run in privileges level. As a result, attacker can compromise this device.

Impact: Attacker may understand vendor cloud collaboration security service have sensor and alarm. They can take another way round. Steal the data in compromised workstation and or on going activities.
Backdoor[.]Win32[.]Mokes was spread via the same campaign earlier in January.

Official announcement: August 25, 2020 9:45 AM – https://blogs.akamai.com/2020/08/enterprise-application-access-client-eaa-vulnerability-cve-2019-18847.html

CVE-2020-11984: About Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi (2nd Sep 2020)

Preface: uWSGI is a very active project with a fast release cycle. For this reason the code and the documentation maynot always be in sync.

Background: Currently there are three uwsgi-protocol related apache2 modules available. They are mod_uwsgi,mod_proxy_uwsgi and mod_Ruwsgi. uWSGI is often used for serving Python web applications in conjunction with web servers such as Cherokee and Nginx, which offer direct support for uWSGI’s native uwsgi protocol.

Vulnerability details: By sending a small amount of headers (length close to the LimitRequestFieldSize default value of 8190) through uWSGI open port.RCE against a standard UWSGI config is possible if an attacker can put a controlled name or value into “subprocess_env” that is longer than 0xFFFF bytes.
Remark: If UWSGI is explicitly configured in persistent mode (puwsgi), this can also be used to smuggle a second UWSGI request leading to remote code execution.(In its standard configuration UWSGI only supports a single request per connection, making request smuggling impossible).

Official announcement: https://nvd.nist.gov/vuln/detail/CVE-2020-11984

Remedy: CVE-2020-11984: Fixed an information disclosure bug in mod_proxy_uwsgi (bsc#1175074) – https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html

Heads up! Staying Alert! 1st Sep, 2020.

Preface: IP multicast is commonly used today to deliver stock quotes from stock exchanges to financial service providers and then to the stock analysts or brokerages.

Background: The multicast addresses are in the range 224.0.0.0 through 239.255.255.255. Multicast traffic is blocked in the Layer-3 mode by default or by blocking PIM and IGMP under the security rule. The most important multicast routing protocol for the Internet today is PIM sparse mode, defined in RFC 2362.

Vulnerability details:Cisco Releases Security Advisory for DVMRP Vulnerability in IOS XR Software. This design weakness due to insufficient queue management for IGMP packets. As a result attacker could exploit this vulnerability by sending craft IGMP traffic to the vulnerable device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols. Perhaps the drawings can provide an overview for reference.

Official announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz

Remark: IOS XR is a train of Cisco Systems’ widely deployed Internetworking Operating System (IOS), used on their high-end Network Converging System (NCS), carrier-grade routers such as the CRS series, 12000 series, and ASR9000 series.

Maybe this is a outdated news, but Zoom users should pay attention – CVE-2020-9767 (31st Aug 2020)

Preface: Geometric progression up growth in net meeting software product recently because of COVID-19 effect.

Background: We are all concerning of privileges escalation vulnerability. Recap OS vulnerability in past impact Zoom product. The GHOST vulnerability trigger “buffer overflow” bug that affects the gethostbyname () and gethostbyname2 () function calls in the glibc library. The vulnerability could allow remote attackers who could execute arbitrary code with the privileges of the user running the application to invoke any of these functions.

Which components of Zoom may be affected?
You have installed a meeting connector, virtual room connector, or phone connector / gateway that is running.
CentOS Linux versions 5.x, 6.x and 7.x

Remedy: yum update glibc

Recently News: In June 10, 2020 (about 4 months ago). Found that Zoom Sharing Service (Cptservice[.]exe) contains insufficient signature checks of dynamic loaded DLLs and EXEs when loading a signed executable. Such design weakness allow an attacker who had local access to a machine on which the service was running with elevated privileges to elevate their system privileges as well through use of a malicious DLL. NVD Published this vulnerability on 14th Aug 2020. Perhaps quite a lot of users already received alert. For those who do not know. You should upgrade the software immediately.

Remedy: https://support.zoom.us/hc/en-us/articles/360044350792-Security-CVE-2020-9767

Security focus – Fileless malware execution with powershell (27-08-2020)

Preface: Modern Cyber Defense solution without difficulties detect malicious activities. For instance, applications need approved permissions before installation; and security software can scan files to be written, read, and/or executed to check for known signatures. But we still heard data breach incident occurred. Why?

Detail description: On 26th Aug, 2020, US Homeland security published articles to urge public that at least three different types of malware on the way to approaching banking finance, business and computer end user. By this chance, we are going to focus a malware named “BeagleBoyhz”. The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems. Quite a lot of cyber security services vendor observe that Fileless Malware Execution with PowerShell Is Easier to evade antivirus and firewall. In order to avoid their activities detected by defense mechanism. Attacker will abuse Command and Scripting Interpreter technique to executing arbitrary commands.Meanwhile, this is the security focus highlighted by the Department of Homeland Security. As a large number of articles describe different types of malware. If you want to read the details, please refer to the website link.

https://us-cert.cisa.gov/ncas/alerts/aa20-239a

https://us-cert.cisa.gov/northkorea

Remedy: If your current cyber defense solution capable to support regular expression filter function. You can create generic policies to deny the unknown PowerShell script. For example:

.\bi[“’]*e[“’]x\b.*
blocks Invoke-Expression.
At the end, I would like to thanks for McAfee providing this effective solution.

Learn about ATM technology through NCR vulnerabilities (26th Aug 2020)

Preface: A few years ago, ATM attackers might have the opportunity to compromise ATM machines through this method (Raspberry Pi + Python + Wifi). It looks that it is not possible right now.

Study Road Map: From a security perspective, the design weaknesses disclosed by the vendor this time are divided by 3 types.
– Insufficient encryption strength (CVE-2020-10125),
– Main weaknesses in authentication bypass (CVE-2020-10126)
– Lack of data protection (CVE-2020-10124)

Before reading the details of the vulnerability note (VU#815655). We should know the main product specifications.
1. What is XFS?
eXtensions for Financial Services, or XFS, is an open systems middleware international standard promoted by the European Committee for Standardization (CEN) that allows software from multiple vendors to run on different manufacturers’ATMs and other types of payment terminals.

2. What is BNA?
BNA (Bunched Note Acceptor) – Depository that accepts many varied notes without an envelope.

3. Read the vulnerability description (see URL below). Increase your imagination through attached diagram. Maybe you will dig more details, not just the official announcement.

https://kb.cert.org/vuls/id/815655

4. Take your time.

A rapid development of China Cyber Security Law

Preface: Data allows organizations to more effectively determine the cause of problems. Data allows organizations to visualize relationships between what is happening in different locations, departments, and systems.

Background: Perhaps of the Big Data powerful functions. On July 3, 2020, the Standing Committee of the National People’s Congress (NPC) published the draft Data Security Law (Draft Law) for public comment through August 16, 2020.

Reference: Data Security Law of the People’s Republic of China (Draft) 中华人民共和国数据安全法(草案) http://www.ahwx.gov.cn/zcfg/gfxwj/202007/t20200708_4629245.html

Even though the public comment period has passed. But let’s review the history of development: The Cyber security Law of the People’s Republic of China (中华人民共和国网络安全法) was adopted at the 24th meeting of the Standing Committee of the 12th National People’s Congress of the People’s Republic of China on November 7, 2016, and is hereby promulgated as of June 1, 2017 Implement.

Reference: The Cyber security Law of the People’s Republic of China (中华人民共和国网络安全法) http://www.cac.gov.cn/2016-11/07/c_1119867116_3.htm

In accordance with the “National Security Law of the People’s Republic of China (中华人民共和国国家安全法)” and the “Network Security Law of the People’s Republic of China (中华人民共和国网络安全法)”, formulate cyber security review measures. The new cyber security review measures will take effect on June 1, 2020. The “Network Product and Service Security Review Measures (Trial) (网络产品和服务安全审查办法(试行))” was repealed simultaneously. If you want to learn more about the “China Cybersecurity Review Measures (网络安全审查办法)”. Please read the following URL:

http://www.cac.gov.cn/2020-04/27/c_1589535450769077.htm

The Network Security Law of the People’s Republic of China has been implemented for more than two years. Maybe you have query? Refer to attached diagram. As far as we know, the National Security Law and Cyber security Law has defined its own review system. In the moment, Data Security Law of the People’s Republic of China (Draft) looks that do not have relevant information provided. Do you think Data Security Law will be integrated into the existing review structure?

CVE-2020-7711- Pure Go repositories (goxmidsig) vulnerability – 23-08-2020

Preface: SAML 2.0 implementation for Service Providers based on etree and goxmldsig, a pure Go implementation of XML digital signatures.

Background: “nil” in Go that represents zero values for pointers, interfaces, channels, maps, slices and function types.

Vulnerability Details: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Reference: When “Go” initializes the pointer, it assigns the value of pointer i to nil, but the value of i represents the address of *i. If nil, the system has not assigned an address to *i. So at this time, * i assignment will have problem occur.

Remedy: Official announcement not announce yet. See whether it can apply the similar syntax to do a short term remediation of this design weakness? The gosmal2 package has encountered the similar technical matter (nil point dereference) on Aug 14, 2019 . For more details, please refer to diagram.

CVE-2020-8620 can be transformed as a tool to bother DNS sinkhole function – 23 Aug 2020

Preface: BIND (Berkeley Internet Name Domain) is the most commonly used DNS software on the Internet today. DNS servers that use BIND as server software account for about 90% of all DNS servers.

Technical background: The BIND nameserver is based on a custom event queueing system that wraps around the libuv library (http://libuv.org) for performing asynchronous I/O as needed by the server. libuv is a multi-platform support library with a focus on asynchronous I/O. It was primarily developed for use by Node.js, but it’s also used by Luvit, Julia, pyuv, and others.

Remark: A DNS zone transfer is a procedure that lets two DNS servers exchange their zones. This is needed for redundancy. There are several zone transfer methods but the most common one uses the AXFR protocol.

Vulnerability details: When handling TCP traffic through the libuv library. Due to a length specified within a callback for the library (lib/isc/netmgr/tcpdns.c), flooding the server TCP port used for larger DNS requests (AXFR) will cause the libuv library to pass the length to the server. Therefore, it will result in a violation of the assertion check in the server verification. This assertion check will terminate the service, resulting in a denial of service condition. An attacker can flood ports with unauthenticated packets to trigger this vulnerability.

For information on CVE-2020-8620, thanks to Cisco TALOS.

Official announcement: https://kb.isc.org/docs/cve-2020-8620

Remote Access Trojan: BLINDINGCAN – 19th Aug 2020

Preface: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors.

Techincal details: Perhaps the official report already provide the details. In short, the key point is that APT group exploit the Microsoft Word vulnerability (CVE-2017-0199). As such, APT attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The report described that malware will download [.]dll file from C&C server. The aim is to replace the local workstation iconcache[.]dll. Replace the iconcache[.]dll require privileges access right. So the specifics attack is targeting the machine which do not have patch installed. If it is successful. The unpack iconcache[.]dll will be transformed a variant of Hidden Cobra RAT.

Official announcement: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

Recommendation: Check your MS office Patch – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Reference: Perhaps you have doubt that why do the cyber security organization aware the cyber attack in earlier phase. Does it a conspricy? They do a sniffing of your traffic? Or doing surveillance?
No. they have several ways to protect the internet world. For example, relies on DNS Sink Hole activity record in service provider side, cyber crime activities reporting by computer users. Or, through alerts issued by law enforcement agencies, alerting of special types of cyber attacks from hostile entities.