Preface: As of today, F5 BIG-IP Platform has market share 72%.

Background: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published on 24th July, 2020. They urge to F5 customers that it should be stay alert. They has evidence proof that attackers are active exploit the vulnerability (CVE-2020-5902 – unauthenticated remote code execution (RCE) vulnerability) on F5 product ADC feature).

Vulnerability detail: With reference to the attached picture, security experts pointed out that attackers can use the HTTP/HTTPS transport protocol to attack. Key flaws include allowing attackers to infiltrate and execute code remotely. In addition, an attacker can also read credential storage or files on the F5 operating system.

CISA alert: CISA recommends all organizations to go through the following action list while hunting for exploitation signs:

• Quarantine or take offline potentially affected systems
• Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections
• Deploy a CISA-created Snort signature to detect malicious activity (available in the alert under Detection Methods)

F5 network remedy plan – https://support.f5.com/csp/article/K52145254

Corrective control suggested by vendor – To mitigate this vulnerability for affected F5 products, you should permit management access to F5 products only over a secure network.

Preface: Input validation will be difficult if the environment contains different features. Even though software developer follow the guideline. Because it use http or https connection design , so it increase the difficulties!

Background: Citrix Workspace app consists of the Citrix Receiver core, HDX engine, the new embedded browser engine, files view and mobile app aggregation.
By default, Citrix Workspace Updates is disabled on the VDA. This includes RDS multi-user server machines, VDI and Remote PC Access machines.

Vulnerability details: Improper access control in Citrix Workspace app for Windows 1912 CU1 and 2006.1 causes privilege escalation and code execution when the automatic updater service is running. Official details are shown below the URL:

https://support.citrix.com/article/CTX277662

Observation: One of the possible methods – refer below connection method. If suspicious workstation installed Citrix workspace application. Attacker can use https or http connection to exploit SMB design weakness to compromise the Active Directory system. The concept can be found on attached diagram.
Remark: There is a design weakness happened on Citrix workspace application. Seems the input validation requires improvement.

Preface: In industries, power plants and substations, the SICAM MMU
is applied to measure and calculate parameters.

Product background: SICAM T (transducer) is a digital measuring sensor that allows the measurement of electricity in non-electrical networks in a single unit. ICAM-MMU (Measurement and Monitoring Unit) is a power monitoring device that allows the measurement of electricity in the power grid.

Remark: SICAM SGU has been discontinued.

Security Focus: CVE-2020-10042 – A buffer overflow in various positions of the web application might enable an attacker with access to the web application to execute arbitrary code over the network.

My observation:

Fundamental theory: For custom application software, all code that accepts input from users via the HTTP request must be reviewed to ensure that it can properly handle arbitrarily large input.

A buffer overflow in various positions of the web application might enable an attacker with access to the web application to execute arbitrary code over the network.

Possibility: According to the definition of CWE-120. Buffer overflow related to this vulnerability will be caused by looping correction. The function does not work after JavaScript updates the Field (Update fields dynamically in javascript).

Synopsis: By sending carefully crafted input to an application, an attacker can cause the application to execute arbitrary code, possibly taking over the machine.

Official announcement: https://cert-portal.siemens.com/productcert/pdf/ssa-305120.pdf

Preface: Perhaps we ignore DNS server side design weakness so far. It is on the way impacting cyber security world.

Background: DNS is a hierarchical client-server protocol. Each domain is served by one or more DNS servers, meaning requests for subdomains are sent to these servers. Replies can also be cached by intermediate servers in order to improve performance.

(CVE-2020-1350) Vulnerability detail: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

Official detail – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

Observation: The RDLENGTH bounds-check design weakness may relate to trigger this flaw. If pointer overflows wrap around (undefined behaviour) this would allow an attacker to circumvent the bounds-check and exposes a buffer overflow vulnerability since the attacker controlled addrlen is later used in memcpy(addr_out, bufpos, addrlen), potentially allowing a code execution.

Preface: Mobile has 50.13%, Desktop has 47.06% – June 2019 – June 2020

Background: MobileIron helps you simplify the configuration of enterprise settings including email, Wi-Fi, and VPN and more. Meanwhile, MobileIron provides unified endpoint and enterprise mobility management (EMM) for mobile devices.

Vulnerabilities details: Please refer to url https://www.mobileiron.com/en/blog/mobileiron-security-updates-available

Comment: The official announcement did not provide a reason for the vulnerability. We can use assumption to understand the popular cyber attack techniques. Apart from scenario displayed on attached diagram. The attacker can exploit malware to do the attack. For instance, attacker can implant malware to the endpoint by phishing attack. It can read the plaintext derived credentials from the flash storage after the software token has been activated, and transmit them to the adversary responsible for the malware, who can then use them at will on a different machine.

Preface: WiFi features from beginning phase a small group of access extended to enterprises infrastructure nowadays. Even the IoT 4.0 and Industrial system especially ICS and IACS system will be found his footprint.

Background: Aruba’s ClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access control for IoT, BYOD, corporate devices, as well as employees, contractors and guests across any multivendor wired, wireless and VPN infrastructure.

About the subject: The official announcement has been released on 2nd June 2020 – https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-005.txt

However the details of PoC just released 2 days ago. The PoC shown that it require using the C preprocessor generic programming interface defined in unistd[.]h. In additional it require to use compiler and conduct the re-engineering for payload library.
But the most important thing is that to successfully utilize the PoC code, user authentication is required. However, if the system administrator has not patched CVE-2018-7076 in the past. It will provide benefits for attackers. Easily exploit vulnerabilities discovered in June 2020.