Category Archives: Potential Risk of CVE

Express-fileupload module design weakness (CVE-2020-7699) – 4th Aug 2020

Preface: A large number of mobile apps and websites allow users to upload profile pictures and other files. Handling file uploads is therefore a common requirement when building a REST API with Node.js and Express, and express-fileupload is a middleware that does this.

Technical background: How does express-fileupload work? It makes the uploaded files accessible through the req.files property. For example, if you upload a file called my-profile.jpg and your form field name is avatar, you can access it via req.files.avatar.

Vulnerability details: CVE-2020-7699 – This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. For more details, please refer to the attached diagram. A proof of concept is described at the following link: https://blog.p6.is/Real-World-JS-1/

Umbraco CMS 7.12.4 RCE vulnerability overview (3rd Aug 2020)

Preface: When we read vulnerability write-ups, we tend to dismiss those vulnerabilities that require authentication to exploit. However, this type of design flaw should still be considered, because it is not limited to the insider-threat scenario.

Background: Umbraco is the #1 Microsoft open source CMS in the world.
Popular sites using Umbraco include, for example: Instagram, slideshare, flickr, zippyshare, cnblogs, wattpad, etc.

Technical details: Umbraco is primarily written in C#. It stores all data in a relational database (Microsoft SQL Server) and runs on Microsoft IIS. As a preventive measure, IT admins will install a reverse proxy in front of the IIS server.

Vulnerability: A design limitation in Umbraco CMS leads to remote code execution. In this discussion, we predict that attackers can combine it with previous vulnerabilities, for example the Umbraco CMS 8.2.2 cross-site request forgery (CSRF). Exploitation of that vulnerability is usually carried out through malicious social engineering, such as tricking the victim into sending a fake email or link to the server. Therefore, stealing user credentials is not only a theory. With the current vulnerabilities, the web server faces unknown risks. For details, please refer to the attached diagram.

Staying Alert! GRUB2 bootloader design weakness – 31st Jul, 2020.

Preface: From some perspectives, the operating system and its related components are designed to provide functionality, so network security does not fall within their design scope. Even where network security has been included in the design, product technology changes with each passing day. That is why we so often hear about vulnerabilities.

Why do I need a system bootloader?
The bootloader exists because there is no standardized protocol for loading the first code; it depends on the product design. Sometimes the code can be loaded via a serial port, from flash memory or even from a hard disk. Locating and loading it is the bootloader's function.

Vulnerability details: The GRUB2 boot loader is vulnerable to a buffer overflow, which results in arbitrary code execution during the boot process, even when Secure Boot is enabled.
An attacker could use it to plant malware known as a bootkit, which loads before the operating system (OS).

An attacker can modify grub.cfg because it lacks any integrity protection such as a digital signature: grub.cfg is a plain text file.

Official reference: GRUB2 bootloader is vulnerable to buffer overflow. Click on the URL for details – https://www.kb.cert.org/vuls/id/174059

Adobe Releases Security Updates for Magento (29th July, 2020)

Preface: To be precise, over 250,00 active sites use Magento.
Only 11,000 of those run on Magento 2, though. Many well-known international companies have chosen Magento as their e-commerce solution, including Coca-Cola, Nike, Harper's Bazaar, Fiji Water and Olympus.

Vulnerability details: Adobe has released security updates to address vulnerabilities in Magento Commerce 2 (formerly known as Magento Enterprise Edition) and Magento Open Source 2 (formerly known as Magento Community Edition). An attacker could exploit some of these vulnerabilities to take control of an affected system.

Remedy by Magento:

  • The template filter in legacy mode can be vulnerable to remote code execution (RCE). Enabling strict mode by default ensures that the RCE path cannot be enabled deliberately.
  • To remove the opportunity to execute arbitrary JavaScript, data rendering for UI data providers is now disabled by default.
  • PHP could allow arbitrary code execution (the Eval class during preload causes the class to be only half available).
  • 2FA is enabled by default and cannot be disabled. This extra authentication step makes it harder for malicious users to log in to the Admin without authorization.

Official announcement: For more details, please refer to the link – https://helpx.adobe.com/security/products/magento/apsb20-47.html

CallStranger – CVE-2020-12695 (Reflected Amplified TCP DDOS via UPnP SUBSCRIBE Callback) – 29th July 2020

Preface: In the cyber world, many defense mechanisms accomplish their tasks well. However, daily operations involve differing business expectations and change management, which creates many opportunities for cyber criminals.

Security focus today: With reference to the US-CERT announcement of 8th July 2020, US-CERT urged the information technology and operational technology sectors that this design weakness in UPnP may impact their environments. Down to the details: the Universal Plug and Play (UPnP) protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality. The impact of this design weakness is therefore wide. For instance, cyber criminals can turn this design weakness into a cyber weapon for data exfiltration. Besides, this feature can be exploited to bypass proxy servers and firewalls.
The data stealer makes use of a compromised device as a proxy, then establishes a secure tunnel (SSL) to an external server. Since no blacklist database is installed in the printer (see the diagram), the traffic is sent out without difficulty. Apart from that, SSL traffic bypasses firewall content filtering, so the data can be exfiltrated. For the details of this matter, please refer to the attached diagram.

Reference: Vulnerability Note VU#339275 – https://kb.cert.org/vuls/id/339275

Highlights: An attacker can use this vulnerability for:

  • Bypassing DLP to exfiltrate data
  • Using millions of Internet-facing UPnP devices as a source of amplified reflected TCP DDoS / SYN flood
  • Scanning internal ports from Internet-facing UPnP devices

Joint alert from CISA & NCSC – Potential Legacy Risk from Malware Targeting QNAP NAS Devices – 27th JUL, 2020

Preface: Do a simple search in Shodan and you will find many QNAPs on the Internet.

Installation status of NAS (QNAP) around the world: We are not surprised that QNAP NAS equipment has a huge customer footprint. Because the price is reasonable (RAID-5 capable), it is cost-effective. As a result, businesses including medium-sized enterprises are willing to use it. Perhaps because the IT team is familiar with patch management, NAS (QNAP) devices end up connected to the Internet.

Vulnerability details: All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes.

Important Note: Not exposing your NAS to the internet will not stop an attack on its writable SMB shares mapped on your client machines if those client machines are attacked. The only solution is to disconnect all your mapped drives once you have finished using them, or to do the patch management.

CISA and NCSC also share the following mitigations to prevent future attacks:
• Verify that you purchased QNAP devices from reputable sources. If sources are in question, run a full factory reset on the device prior to completing the firmware upgrade.
• Block external connections when the device is intended to be used strictly for internal storage.

CISA urges F5 users to stay vigilant to deal with CVE-2020-5902 (24th Jul 2020)

Preface: As of today, F5 BIG-IP Platform has market share 72%.

Background: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on 24th July, 2020, urging F5 customers to stay alert. They have evidence that attackers are actively exploiting the vulnerability (CVE-2020-5902, an unauthenticated remote code execution (RCE) vulnerability in the ADC feature of F5 products).

Vulnerability detail: With reference to the attached picture, security experts pointed out that attackers can use the HTTP/HTTPS transport protocol to attack. Key flaws include allowing attackers to infiltrate and execute code remotely. In addition, an attacker can also read stored credentials or files on the F5 operating system.

CISA alert: CISA recommends that all organizations go through the following action list while hunting for signs of exploitation:

  • Quarantine or take offline potentially affected systems
  • Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections
  • Deploy a CISA-created Snort signature to detect malicious activity (available in the alert under Detection Methods)

F5 Networks remedy plan: https://support.f5.com/csp/article/K52145254

Corrective control suggested by vendor – To mitigate this vulnerability for affected F5 products, you should permit management access to F5 products only over a secure network.

Citrix Workspace app for Windows Security Update CVE-2020-8207 (23-07-2020)

Preface: Input validation becomes difficult when the environment contains many different features, even when software developers follow the guidelines. Because the design uses HTTP or HTTPS connections, the difficulty only increases!

Background: Citrix Workspace app consists of the Citrix Receiver core, HDX engine, the new embedded browser engine, files view and mobile app aggregation.
By default, Citrix Workspace Updates is disabled on the VDA. This includes RDS multi-user server machines, VDI and Remote PC Access machines.

Vulnerability details: Improper access control in Citrix Workspace app for Windows 1912 CU1 and 2006.1 allows privilege escalation and code execution when the automatic updater service is running. Official details are at the URL below:

https://support.citrix.com/article/CTX277662

Observation: One of the possible methods is the connection method shown below. If a suspicious workstation has the Citrix Workspace application installed, an attacker can use an HTTPS or HTTP connection to exploit the SMB design weakness and compromise the Active Directory system. The concept is shown in the attached diagram.
Remark: There is a design weakness in the Citrix Workspace application; it seems the input validation requires improvement.

Vulnerabilities in SICAM MMU, SICAM T and SICAM SGU (Jul 2020)

Preface: In industries, power plants and substations, the SICAM MMU is applied to measure and calculate parameters.

Product background: SICAM T (transducer) is a digital measuring sensor that allows the measurement of electricity in non-electrical networks in a single unit. SICAM MMU (Measurement and Monitoring Unit) is a power monitoring device that allows the measurement of electricity in the power grid.

Remark: SICAM SGU has been discontinued.

Security Focus: CVE-2020-10042 – A buffer overflow in various positions of the web application might enable an attacker with access to the web application to execute arbitrary code over the network.

My observation:

Fundamental theory: For custom application software, all code that accepts input from users via the HTTP request must be reviewed to ensure that it can properly handle arbitrarily large input.

Possibility: According to the definition of CWE-120, the buffer overflow related to this vulnerability would be caused by a looping correction. The function stops working after JavaScript updates the field (fields updated dynamically in JavaScript).

Synopsis: By sending carefully crafted input to an application, an attacker can cause the application to execute arbitrary code, possibly taking over the machine.

Official announcement: https://cert-portal.siemens.com/productcert/pdf/ssa-305120.pdf

Sometimes he is a friend, but suddenly…. (MAR-10296782-1.v1 – SOREFANG) – 29th Jul 2020 [Recent goal: targeting COVID-19 research and vaccine development]

Preface: It looks as if whoever has a COVID-19 vaccine will be granted dominance over the world.

Reference: DVC APIs help you implement modules on the server and client side of a Remote Desktop Services connection that communicate with each other. A remote code execution vulnerability exists in Remote Desktop Services. When an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests,…… (CVE-2019-1182)

Description: Perhaps my research does not clearly reflect the actual status of the current malicious goal. However, everyone is looking for a vaccine. My personal interest brought my attention to a malware called “SOREFANG”. It looks as though a vendor became a victim in this case, because the attacker or APT group re-engineered their VPN software. As a matter of fact, the company has a large footprint in China. The details of my observation and research are written down in the attached diagram. For those who are interested, please refer to the attached diagram for reference.

Highlight: Vendor announcement: The only vulnerable servers are the Sangfor servers running firmware versions M6.1 and M6.3R1. The statement revealed that other servers are clean and are not affected by the zero-day used by the attacker.