All posts by admin

An Official remediation was released (Avoid SQL injection attack encountered in Sophos XG Firewall) – 26th April 2020.

Preface: The modern user friendly functions installed on firewall impact his defense function.

Background: When device provide web page input user credential, perhaps it will facing injection attack. Yes, it is. No matter, SQL injection or command injection. Especially like firewall design. It is capable support and integrate of LDAP authentication or standalone authentication mode. From security point of view, Firewall service daemon should separate with it operating system kernel. And therefore the related firewall admin ID file (shadow) do not save in etc folder. It make in separate area. In the sense that if it function can support SSL VPN services. So, it should a place to store the user credential when user setup in standalone mode. Whereby it should encounter injection attack. If the credential stores in repository. It will effect by SQL injection.

Details: By investigating physical and virtual XG Firewall units, Sophos confirmed its XG Firewall has design weakness. This attack will depending on firewall setup.

Impact: Steal data from the firewall including “usernames and hashed passwords.

Remedy: https://community.sophos.com/kb/en-us/135415

headline news – cyber attackers from exploiting web servers via web shell malware. 23rd Apr 2020

Preface: Web shells are a well-known attacker technique, but they are often difficult to detect because of their proficiency in blending in with an existing web application.

Details: to gain root access to server. Web shells malware are frequently chosen by APT group; however these are just a small number of known used web shells.

Vulnerabilities and Environment executable frequently used by attackers:

CVE-2019-0604 (affecting Microsoft SharePoint)
CVE-2019-19781 (affecting Citrix appliances)
CVE-2019-3396 and CVE-2019-3398 (affecting Atlassian Confluence Server and Data Center Widget Connector)
CVE-2019-9978 (affecting the social-warfare plugin for WordPress)
CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357 (affecting Progress Telerik UI)
CVE-2019-11580 (affecting Atlassian Crowd)
CVE-2020-10189 (affecting Zoho ManageEngine Desktop Central)
CVE-2019-8394 (affecting Zoho ManageEngine ServiceDesk Plus)
CVE-2020-0688 (affecting Microsoft Exchange Server)
CVE-2018-15961 (affecting Adobe ColdFusion).

Remark: Web shells malware are frequently chosen by APT group; however these are just a small number of known used web shells.

Official announcement – https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/

Buffer Overflow (SEH Bypass), perhaps it is easy to encounter in medical software system (20th Apr 2020)

Preface: IoT Enterprise runs on 32-bit and 64-bit x86 chipsets with support for Universal Windows Platform (UWP) apps as well as Classic Windows(e.g. Win32 and .NET) applications. Perhaps you will discover plenty of medical devices still use 32 bit windows application.

Recent security alert on medical product: The ‘DICOM Viewer 2.0’ capable of handling all DICOM files of any modality (X-Ray angiogram, ultrasound, CT, MRI, Nuclear, waveform etc.), compression (lossless and lossy Jpeg, Jpeg200, RLE), depth or color. The proof of concept shown that software encountered buffer overflow (SEH) in specify circumstances.

What is Buffer overflow (SEH): An exception handler is a portion of code contained within an application, designed to handle an exception that may occur during runtime. Windows contains an exception handler by default (SEH) which is designed to catch an exception and generate an error. If the buffer is overflown and data is written to the SEH (located eight bytes after ESP), then all of the CPU registers are set to zero (0) and this prevents us from executing our shellcode successfully. If attacker can removing the eight additional bytes from the stack, and returning execution to the top of the stack, thus allowing execution of the shellcode.

Status: Waiting for official information update.

Reference: https://www.rubomedical.com/

winducms – attacker exploit php feature cause sql injection and REC (20th Apr 2020)

Preface: Why we found vulnerability on apps in frequent? Fundamentally, apps goal provided services and function. Even though you said it is a design weakness. But protection control should relies on other separate service or component. It will increase the difficulties for attacker when you install the antivirus(malware) on your mobile phone.

Vulnerability background: Windu CMS is a simple, lightweight and fun-to-use website content management system for Twitter Bootstrap. Security expert found bug on Windu 3.1. The proof of concept shown that it can exploits on PHP feature trigger SQL injection and remote code execution.

Security Focus: The PoC point out there is important factor cause the vulnerability and thus the developer pay the attention. In high level, it is simple. Software developer should disable eval function in PHP. Other than that, we should install antivirus program on smartphone.

Reference: WinDu CMS official website – http://en.windu.org/

Cisco security advisory – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data (17-Apr-2020)

Preface: The protocols and the interfaces used by the controller to communicate with the application layer are called the Northbound interface. Protocols used for communication between the controller and forwarding nodes are called Southbound interface. Northbound communication is used to retrieve info or send instructions to the controller using APIs.

Vulnerability details: Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For details, please refer official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E

Other potential impact: The application entry point to the SDN deployment is through the controller via the Northbound Interface (NBI). If the communication is done using REST APIs with lacking proper protection, PUT method can be used to alter configurations or add malicious files that can alter other devices.These attacks are related to the communication over whether the Northbound Interface (NBI) or Southbound Interface (SBI). Some attacks are related to software. For details, please refer to the attached drawings.

Security Focus – April 2020 (Oracle security alert – cve-2020-2959)

Preface: Perhaps you have similar feeling, everytime when you read the cyber security announcement by Oracle. The first impression is that it has too many. Read into details, some items let you know the remediation process is in long run!

Vulnerability detail: An unspecified vulnerability in the Analystics Web General component of Oracle BI Published. An easily exploitable vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. A successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. (CVE-2020-2950)

Observation: Since the official announcement did not describe the detail. So we do the analytic. The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSO. When you enable SSO, the Oracle Business Intelligence URL becomes protected, and you must point the online Catalog Manager to the URL instead. The URL should remain unprotected. It is configured only to accept SOAP access as used by Oracle BI Publisher, Oracle BI Add-in for Microsoft Office, and the online Catalog Manager.

Potential risk or vulnerability – Session replays are specifically against websites and other systems that generate and store sessions.

Official announcement – https://www.oracle.com/security-alerts/cpuapr2020.html

Security Focus – intel modular server (mfs2600kispp) vulnerability – 14th Apr 2020

Preface: The Global Data Center Blade Server market is projected to grow at a CAGR of 8.35% during the forecast period, reaching a total market size of US$23.535 billion in 2025 from US$14.548 billion in 2019, said ResearchAndMarkets.com’s.

Vulnerability details:

• authenticated attackers to potentially enable escalation of privilege via local access due to improper buffer restrictions (CVE-2020-0600)
• unauthenticated attackers to potentially enable escalation of privilege via adjacent access because of improper conditions checks (CVE-2020-0578)

Observation: Coincidentally, Cisco Blade server has similar of symptom occured in 2015. Did they encounter the same problem?

Synopsis: As DRAM manufacturing scales down chip features to smaller physical dimensions, to fit more memory capacity onto a chip, it has become harder to prevent DRAM cells from interacting electrically with each other. As a result, accessing one location in memory can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells.

Official announcement: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00351.html

To infinity…and beyond! VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service – CVE-2020-3952

Preface: VMware announce that the external Platform Services Controller architecture is deprecated and will not be available in future releases.

Background: Authentication and certificate management is handled by the Platform Services Controller.

See attached diagram, the platform services controller original design place in a standalone box. It is advice to put together ( a vCenter Server with an Embedded Platform Services Controller). From cyber security protection prespective, the remedy reduce the attack surface. Before embedded design, there are lot of matters for worries. For instance, TLS. LDAP directory available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems.
In essence, organizations are being asked to add LDAP channel binding and LDAP signing configuration changes to make authentications via LDAP on Active Directory Domain Controllers more secure. Currently, out-of-box LDAP configurations are subject to an elevation-of-privilege vulnerability, which could get exploited via a “man-in-the-middle” attack.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0006.html

Security Focus – Juniper Networks (9th April 2020)

Preface: Technology cannot fight against coronavirus in the moment.
Easter, commemorating the resurrection of Jesus from the dead.
Wish that human can managed to fight it all. Comparing with coronavirus. The vulnerability in computer system looks easy resolve.

Security focus – Juniper Network product:

A privilege escalation vulnerability in Juniper Networks Junos OS devices configured with dual Routing Engines (RE), Virtual Chassis (VC) or high-availability cluster may allow a local authenticated low-privileged user with access to the shell to perform unauthorized configuration modification. This issue does not affect Junos OS device with single RE or stand-alone configuration.

My observation: Refer to attach diagram, below is the information for supplement.

Fundamental
/bin/sh is an executable representing the system shell. Actually, it is usually implemented as a symbolic link pointing to the executable for whichever shell is the system shell.
Since it is a bash file so commands inside it will get executed, and if we execute the file as root, then all the commands inside it will also get executed as root. So, let’s take advantage of that and append /bin/bash -i to the file. This will execute bash as root, which in turn will open the root shell.

Official announcement of this matter (JunOS vulnerability) – https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11010&cat=SIRT_1&actp=LIST

CVE-2020-10808 Vesta Control Panel Authenticated Remote Code Execution 6th April 2020

Preface: Dockerized Vesta Control Panel aka vestacp. You can download vesta source code and modify it the way you want. You are totally free to do it so to Vesta is licensed under GPL

Background: You are able to install and configure VestaCP on an Alibaba Cloud Elastic Compute Service (ECS) instance with CentOS 7

Vulnerability details: The proof of concept by Metasploit that a Low privileged authenticated users can execute arbitrary commands under the context of the root user. An authenticated attacker with a low privileges can inject a payload in the file name starts with dot. During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As result of that backup process, when an attacker try to list existing backups injected payload will be executed.

Remedy – Remedy looks not release yet, it is suggested to focus in official announcement. https://forum.vestacp.com/viewforum.php?f=25