All posts by admin

CVE-2019-9636 (Python) urlsplit does not handle NFKC normalization

Preface: Python is used quite a lot in robotics. Apply artificial intelligence to robots using Python .

Why choose Python?
Less Code: Python can implement the same logic with as much as 1/5th code as compared to other OOPs languages.

Prebuilt Libraries: include Numpy for scientific computation, Scipy for advanced computing and Pybrain for machine learning.

Vulnerability detail – announce on 6th Mar 2019:
A vulnerability in the the urllib.parse.urlsplit and urllib.parse.urlparse components of Python could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system.

Official announcement: https://bugs.python.org/issue36216

Highly vulnerable – Moxa customer must be vigilant!

Preface: The MoxaEDS405A/408A are entry-level 5 and 8-port managed Ethernet switches designed especially for industrial applications.

Technical background: Turbo Ring is a self-healing technology that enables fast fault recovery under 20 ms. Moxa’s Turbo Ring and Turbo Chain Ethernet technologies maximize railway network availability with ideal redundancy technology.

Security focus: CVE-2019-6563 (CVSS:10) – Moxa IKS and EDS generate a predictable cookie calculated with an MD5 hash, allowing an attacker to capture the administrator’s password, which could lead to a full compromise of the device.

What is Predictable cookie ? For example: Cookie: JSESSIONID=USER1. A predictable cookie calculated with an MD5 hash bring our attention because MD5 produces a 128-bit hash as an output; only 3 bytes of the hash value are used in the cookie value.

Observation: Moxa products are used in the Korean subway network on 2010. Not sure whether it is still remain usage. But believe that a remedy solution has been taken if it is still in used. Otherwise it will create a cyber security risk in the operations.

Vulnerabilities details please refer to url: https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01

CVE-2019-3778 Pivotal Spring Security OAuth Open Redirector Vulnerability (critical)

Preface: OAuth has become a standard for third-party applications to communicate with the APIs of popular web sites, such as Facebook, Twitter, and Foursquare, to name a few.

Technical background: Currently, the two major versions of OAuth are 1.0(a) and 2.0. With Spring Security and its OAuth 2.0 support, the OAuth (Open Authorisation) is a standard for authorisation of resources. You can set it up to automatically propagate your access tokens from one app to the other, ensuring that everything stays secure and encrypted along the way.

Vulnerability detail: A vulnerability in Pivotal Spring Security OAuth could allow an unauthenticated, remote attacker to conduct an open redirect attack on a targeted system. A successful exploit could cause the authorization server to redirect the resource owner user-agent to an attacker-controlled URI, providing the attacker with sensitive information.

Official announcement: https://pivotal.io/security/cve-2019-3778

Status update for the announcement on 6th Mar 2019 (Cisco NX-OS Software Unauthorized Filesystem Access Vulnerability) – 11th Mar 2019.

Preface: On 6th Mar, 2019, Cisco announcement that there are vulnerabilities found on Cisco FXOS and NX-OS Software. The total 26 of the vulnerabilities have a Security Impact Rating (SIR) of High. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access.

Technical background:
Cisco NX-OS based on Wind River Linux and is inter-operable with other Cisco operating systems. The command-line interface of NX-OS is similar to that of Cisco IOS. Recent NX-OS has both Cisco-style CLI and Bash shell available.

Status update on 11th Mar 2019: The vulnerability is due to a failure to impose strict filesystem permissions on the targeted device.
For more details, please refer url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-file-access

My speculation: Sometimes if OS platform has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level.

Software tool can deep look into malware and design weakness – Ghidra

Preface: Ghidra is one such well-known software reverse engineering toolkit that the NSA agency has been using for a long time.

Synopsis: He ensured the audience that there’s no backdoor in Ghidra, said Rob Joyce, the cybersecurity adviser to the NSA director.

About installation: Quick and simple way

Prerequisite: Since “Ghidra” relies on JDK 11+ and therefore your Linux OS might require to update. For example: I am using Fedora system. In order to avoid any technical problem occurs during installation. My Fedora upgrade to Fedora 28.

1. Before kick start do the installation, please confirm your current OS whether compatibility with JDK 11+.

2. If you don’t have any technical concerns about item 1, you can download the software by going to the url below.

https://ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

3. Copy file (ghidra_9.0_PUBLIC_20190228.zip) to your decide location (/home/xxxx/ghidra).

Remark: xxxx is your user name in Linux

4. Permission setting

chmod 755 ghidra_9.0_PUBLIC_20190228.zip

5. unzip the download file

unzip ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

Now do the JDK 11+ installation:

6. As said, I am working on Fedora 28.So download the require JDK 11+ source file in the following location:

curl -O https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz

7. After the download, extract the archive

tar zxvf openjdk-11.0.1_linux-x64_bin.tar.gz

8. Move the resulting folder to /usr/local/

sudo mv jdk-11* /usr/local/

9. Set environment variables (create or edit existing jdk11.sh file)

sudo vi /etc/profile.d/jdk11.sh

Add:

export JAVA_HOME=/usr/local/jdk-11.0.1

export PATH=$PATH:$JAVA_HOME/bin

10. Source your profile file and check java command

$ source /etc/profile.d/jdk11.sh

$ java -version

openjdk version “11.0.1” 2018-10-16

OpenJDK Runtime Environment 18.9 (build 11.0.1+13)

OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)

11. $ which java

/usr/local/jdk-11.0.1/bin/java

12. Installation has been done.

13. You can go to Ghidra now. Go the location which Ghidra in place. Then execute ./ghidraRun .

For users instruction, please refer below url:

https://ghidra-sre.org/InstallationGuide.html

End.


CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used! Mar 2019

Preface: If your company hasn’t been performing load testing, it is hard to know the web application actual performance. Deploying JMeter will display the test results in a graph updated in real time.

Synopsis: Perhaps software developers did not imagine that JMeter design weakness will be hazardous of web server. And therefore we might found Jmeter function still activate after services launch.

Vulnerability detail: Apache JMeter Missing client auth for RMI connection when distributed test is used. And therefore attacker could exploit this vulnerability by establishing a Remote Method Invocation (RMI) connection with a jmeter-server while using the RemotejMeterEngine interface.It such a way let attacker execute arbitrary code on a targeted system.

Remedy: Apache.org has released an update at the following link: https://jmeter.apache.org/download_jmeter.cgi

Cisco confirm OCI flaw only affecting small group of items in their product line – 8th Mar 2019

Preface: Container Privilege Escalation Vulnerability Affecting Cisco Products status update

Description: IT world is safe again, Cisco you are super again! There is only 3 items of Cisco product involves into the Container Privilege Escalation Vulnerability found on last month (Feb 2019). Remedy has been proceed. Further details in below:

Network Management and Provisioning:

  • Cisco Container Platform – Fixed Release Availability: 3.1.0 (Mar 2019)

Cisco Cloud Hosted Services:

  • Cisco Cloudlock – Cisco will update affected systems in Sept 2019
  • Cisco Defense Orchestrator – Cisco updated affected systems
    On-prem: 19.8 (Available)

Official details: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

Moody’s point of view – cyber attack

Preface:
For companies that are experiencing cyber attacks. Moody said it has the potential to weaken its credit profile.

Analytic result by Moody’s:
About Moody’s findings. Ransomware attack against FedEx and Merck & Co in 2017. The total financial impact of all affected entities reached $10 billion.

Question: Does Moody’s rating only focus on financial losses?

Answer: The key factors for Moody’s do the analysis is based on the following ideas.
To develop a framework for understanding inherent cyber risk at the sector level, Moody’s focuses on the following:
1) vulnerability to the type of attack or event to which entities in a given sector are exposed.
2) potential impact of cyber events via disruption of critical businesses processes or negative reputational effects that lead to a loss of revenue as a result of customer attrition.

For more details on above, please refer below url: https://www.moodys.com/research/Moodys-Credit-implications-of-cyberattacks-will-hinge-on-long-term–PBC_1161216

CVE-2018-11793: Apache Mesos JSON Payload Parsing DoS Vulnerability 5th Mar 2019

Preface: Apache Mesos is an open-source project to manage computer clusters. It was developed at the University of California, Berkeley.

About Payload in Web services: Typically the term payload refers to JSON-formatted text that is either posted (via an http POST) to a web service when a user creates a resource or returned from a web service (via an http GET) when a user requests a resource (or resources).

Vulnerability detail: A vulnerability in the JSON payload parser of Apache Mesos could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition an a targeted system.

Official announcement: https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E

Remedy: http://mesos.apache.org/downloads/

Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. 6th Mar 2019

Preface: The urgent announcement by Cisco might scare the customer of Cisco. It is about the vulnerabilities found on Cisco FXOS and NX-OS Software. But no worries, Cisco managed it.

Technical background:
Cisco NX-OS based on Wind River Linux and is inter-operable with other Cisco operating systems. The command-line interface of NX-OS is similar to that of Cisco IOS. Recent NX-OS has both Cisco-style CLI and Bash shell available.
Cisco NX-OS Family perform authentication based on roles. Role-based authorization limits access to switch operations by assigning users to roles.

Vulnerability details: 26 of the vulnerabilities have a Security Impact Rating (SIR) of High. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access, gain elevated privileges, execute arbitrary commands, escape the restricted shell, bypass the system image verification checks, or cause a denial of service (DoS) condition on an affected device.

For more details, please refer to url: https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-70757