All posts by admin

Potential Risk of CVE, Uncategorized

Alert: Cisco CVE-2018-0125,CVE-2018-0117,CVE-2018-0113,CVE-2018-0116

Staying alert – Your Cisco products Cisco

RV132W and RV134W Remote Code Execution and Denial of Service Vulnerability – CVE-2018-0125 (Critical) 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x

Cisco Virtualized Packet Core-Distributed Instance Denial of Service Vulnerability – CVE-2018-0117 (High)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-vpcdi

Cisco UCS Central Arbitrary Command Execution Vulnerability – CVE-2018-0113 (High)

 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-ucsc

Cisco Policy Suite RADIUS Authentication Bypass Vulnerability – CVE-2018-0116 (High) 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-cps

Observation: Since threat actors are around the world today. It is hard to avoid vulnerability happen perhaps it is out of hardware vendor control. In order to avoid unforseen issue occurs, it is better to enhance your IDS YARA rules or invite manage security services vendor to protect your IT campus.

 

Potential Risk of CVE

CVE-2018-4878 (Staying alert with Adobe Flash usage)

Staying alert with Adobe Flash usage! As far as I know, many business firms not going to use adobe flash anymore. However, I noticed that hackers lure victims to a website which require flash install. The victim such a way install the old version of flash. A malware infiltration afterwards. For more detail after this news, please visit adobe official website for review. URL shown as below:

https://helpx.adobe.com/security/products/flash-player/apsb18-03.html

 

Potential Risk of CVE

Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS wireless router products

The IT device vulnerabilities looks diversification today. Threat actors will be take advantage of XML. Why? Hundreds of document formats using XML syntax have been developed, including RSS, Atom, SOAP, SVG, and XHTML. XML-based formats have become the default for many office-productivity tools, including Microsoft Office (Office Open XML), OpenOffice.org and LibreOffice (OpenDocument), and Apple’s iWork. ASUS wireless router products more deploy at home, small retail shop and development countries. It is recommended to following hardware instruction to patch the devices.

Vulnerability synopsis:

(1) an UPDATEACCOUNT

or

(2) a PROPFIND request.

What is PROPFIND — used to retrieve properties, stored as XML, from a web resource. It is also overloaded to allow one to retrieve the collection structure (a.k.a. directory hierarchy) of a remote system. For more details, please see below url for reference. Do not ignore this vulnerability.

Reference: https://www.fortify24x7.com/cve-2017-14699/

Potential Risk of CVE

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability – CVE-2018-0101

3 Comments

Perhaps the foundation of java and xml. They are unusual and change the cyber world atmosphere. Cisco found threat actor can crafted xml causes denial of services from Cisco firewall. The official announcement just post last week. Now a additional new issue found on VPN tunnel function. As mentioned last week, XML memory Exploit not a new topic. It announced in RSA conference on 2016.The concept idea shown as below:

MS XML Exploit:

  1. Double free memory vulnerability in MSXML3.dll
  2. Invokable with IE
  3. Validating DTDs (Document Type Defintion) in an XML document
  4. Invalid forward ID references
  5. Memory occupied by a forward reference object is freed twice
  6. Present in older heap manager used

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

Data privacy

Reminder – New EU GDPR will be effective in May 2018

Are you ready for EU-GDPR new data protection regulation yet? The new GDPR established common rules across Europe and gives individuals better control over their personal data held by the organizations and will be effective on May 2018. Below details are the principle for your references. But did you confirm your inhouse strategy align with data protection?

  • Establish data privacy as a fundamental right
  • Clarify the responsibilities for EU data protection
  • Define a base line for data protection
  • Elaborate on the data protection principles
  • Increase enforcement powers

In short, your company needs to:

  • Classify data, tag them, implement encryption.
  • Modify application
  • Manage hardware and software for encryption for distributed platforms

For more details, please refer following url: https://www.eugdpr.org/

 

 

2018, cyber security incident news highlight, Under our observation

CVE-2018-4878 against South Korean Targets. See whether is it true?

In July 2017, Adobe announced that it would end support for Flash Player in 2020, and continued to encourage the use of open HTML5 standards in place of Flash. The announcement was coordinated with Apple, Facebook,Google,Microsoft,and Mozilla. If you would like to know what is the flash vulnerability actual destructive power. Let review the suggestion by Antivirus big brother Kaspersky (Jul 2017). Kaspersky recommends disabling Flash Player, in order to stay protected. Perhaps you may not have interest to read below url. But on-line games and on-line casino still requires Adobe Flash in the moment. We all known South Korea is the leader in the gaming section. And therefore The South Korean Computer Emergency Response Team (KR-CERT) has issued a security alert warning of a zero-day vulnerability affecting Adobe’s Flash Player.

CVE-2018-4878

https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets

Be aware of RTMFP protocol

The silent of the Flash, Be aware of RTMFP protocol! He can exacerbate network attacks.

Let keep our eye open , see whether such vulnerability will be occurs this year. If this nightmare come true. A unforeseen destruction of the reputation to the company includes vendor and customer!

Application Development, System, Under our observation

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Preface:

SCADA systems are the backbone of many modern industries, including: Energy, Food and beverage, Manufacturing, Oil and gas, Power, Recycling, Transportation, Water and waste water,….etc

SCADA evolution:

The first generation of SCADA system relies with mainframe computers. As time goes by, the evolutionary of SCADA build on top of open system foundation (Unix) in 80’s. Perhaps the Microsoft product dominate the computer world. And such away engaged the transformation in 90’s. The SCADA software that utilizes the power of SQL databases provides flexibility and advantages to traditional SCADA system.

One big benefit of using SQL databases with a SCADA system is that it makes it easier to integrate into existing MES and ERP systems, allowing data to flow seamlessly through an entire organization.

  • (MES) – Manufacturing execution systems are computerized systems used in manufacturing, to track and document the transformation of raw materials to finished goods.
  • (ERP) – Enterprise resource planning is the integrated management of core business processes, often in real-time and mediated by software and technology.

Evolving from classic program (non web access) to Web Platform

SCADA system on the Cloud (cope with modern technology trend with access anywhere function)

Before we start the discussion in security topic, we do a quick introduction of big-data frameworks. Since the Hadoop and Apache Spark pay the key role on this architecture especially big data function. For more details, please see below:

Big-data frameworks:

Hadoop is essentially a distributed data infrastructure: It distributes massive data collections across multiple nodes within a cluster of commodity servers.

Features: 

  • Indexes and keeps track of that data
  • Enabling big-data processing and analytics

Apache Spark is an open-source cluster-computing framework.

  • Spark can interface with other file system including Hadoop Distributed File System (HDFS).

Remark: From technical point of view, Spark is a data-processing tool that operates on those distributed data collections; it doesn’t do distributed storage.

Go to discussion

As of today, more and more business migrated their system application to Cloud platform including SCADA industry. Since SCADA system belongs to energy, food and beverage, manufacturing, oil and gas, Power, Recycling, Transportation, water and waste water. And therefore cyber security news and articles lack of their news. Perhaps we can hear the news is that after nuclear power station encounter hacker or malware attack.

Actually SCADA now expand their user function to mobile device. Even though a mobile phone can do a remote monitoring of the system. With WebAccess, users can build an information management platform and improve the effectiveness of vertical markets (see below picture for reference) development and management.

Let’s think it over, the WebAccess SCADA system involved in energy, aerospace and public facilities control. However those product sound like your IT devices. The SCADA hits vulnerabilities and recorded in CVE database not the 1st time. We know that hundreds of United flights were delayed after the airline experienced a server malfunction on Jul 2015. Lets reader judge by yourself, let review their vulnerabilities found so far. Does it relate to SCADA vulnerability occurs which causes denied of services. Or it is really server malfunction?

Quote: Hundreds of United flights were delayed after the airline experienced a server malfunction on Jul 2015.

Quote: A United spokeswoman said that the glitch was caused by an internal technology issue and not an outside threat or hacker.

Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs. Let’s take a closer look on Advantech scada webaccess products vulnerabilities so far.

The vulnerabilities found on 2014 include an OS command injection, CVE-2014-8387, in the Advantech EKI-6340 series, a stack-based buffer overflow, CVE-2014-8388, in Advantech WebAccess, and a buffer overflow, CVE-2014-8386, in Advantech AdamView, CVE-2014-0770 – Advantech WebAccess SCADA webvact.ocx UserName Buffer Overflow. It looks that the design weakness keeps appear till today! For more details, please refer below details for references.

https://nvd.nist.gov/vuln/detail/CVE-2015-3947

https://nvd.nist.gov/vuln/detail/CVE-2018-5445

https://nvd.nist.gov/vuln/detail/CVE-2018-5443

Our observation in regards to above known vulnerabilities.

Regarding to WebAccess support specifications. It support the following open real-time data connectivity : OPC, Modbus, BACnet, DDE Server and the following open offline data connectivity: SQL Server, Oracle, MySQL, and Microsoft Access Database. If the repository is the MS SQL server. The IT administrator must staying alert of the SQL injection vulnerability. Since the OS user privilege escalation via Windows Access Token abuse is possible also via SQL injection.

End discussion. Thank you.

Reference:

Information appending on 3rd Feb 2018 – additional technical information supplement. My study on SCADA system risk factors to nuclear facilities (see below):

Potential black force – digitize Godzilla

 

Network (Protocol, Topology & Standard), Potential Risk of CVE, Under our observation

Cisco Aggregation Services Router 9000 Series IPv6 Fragment Header Denial of Service Vulnerability

3 Comments

Cisco Aggregation Services Router 9000 Series IPv6 Fragment Header Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180131-ipv6

IPv6 design limitation highlights by Cisco on 2013 RSA conference. Since ICMP header is in 2nd fragment. Defense mechanism especially RA guard no cue where to find (see my cartoon picture). Perhaps stateful firewall can doing the defense. Meanwhile, this issue told the world there is no real secure Internet Protocol! But this vulnerability occurs on Cisco only causes Denial of Service (reboot). At least no privileges escalation or data leakage.

Under our observation

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability (below url for reference)

severity level – critical

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

We heard denial of service vulnerability to UTM firewall device in frequent. It looks that there is no any strange or feeling surprise. However similar XML Exploit method not new, it announced in RSA conference on 2016. The concept idea shown as below:

MS XML Exploit

1. Double free memory vulnerability in MSXML3.dll

2. Invokable with IE

3. Validating DTDs (Document Type Defintion) in an XML document

4. Invalid forward ID references

5. Memory occupied by a forward reference object is freed twice

6. Present in older heap manager used

2018, Blockchain, cyber security incident news highlight, Under our observation

Doubt – $530 million cryptocurrency heist

3 Comments

As we know the most common cryptocurrencies are Bitcoin, Ethereum,Ethereum Classic, Monero, Litecoin, OmiseGO, Ripple & Zcash. Fundamentally NEM Smart Asset System more secure than bitcoin. The NEM Blockchain utilizes a Proof-of-Importance calculation (rather than Bitcoin’s Proof-of-Work or PIVX’s Proof-of-Stake) to accomplish accord through a procedure that boosts dynamic support in the system. NEM is a peer-to-peercryptocurrency and blockchain platform launched on March 31, 2015. But the value of each coin is underestimation. Why hacker target to NEM. Do you think hacker willing to engage hacking in difficult way ?

Information update on 29th Jan 2018 – CNN claimed that this cryptocurrency heist is the biggest amount. Such huge value of financial lost wasn’t happened before! See below url for reference.

http://money.cnn.com/2018/01/29/technology/coincheck-cryptocurrency-exchange-hack-japan/index.html

Another reference:

My speculation – How’s coincheck loses ¥58 billion dollars value of cryptocurrency