Category Archives: Potential Risk of CVE

A closer look at CVE-2020-1953 – it impacted Oracle OHF Self Service Analytics (20th Oct 2020)

Preface: As healthcare organizations look to reduce cost, IT rationalization and process transformation are accelerating as providers adopt cloud strategies.

Background: Oracle Healthcare Foundation is a feature-rich analytics platform that supports more than 35 subject areas relevant to health data analytics, giving healthcare providers more granular data regarding the requirements of individuals and populations.

Vulnerability details: YAML is a human-readable data serialization standard that can be used in conjunction with all programming languages and is often used to write configuration files. A flaw was found in Apache Commons Configuration: it uses a third-party library to process YAML files which, by default, allows the instantiation of classes if the YAML includes special statements. Oracle Healthcare Foundation Self-Service Analytics was impacted by this vulnerability.

Official announcement: https://www.oracle.com/security-alerts/cpuoct2020.html (the advisory is long; search for the keyword “CVE-2020-1953” to find the details).

Security Focus – ESXi OpenSLP RCE vulnerability (CVE-2020-3992)

Preface: If you like open source applications, you should also like the bugs they give you.

OpenSLP has been ported to a wide variety of systems, for example: Linux (32/64), Windows (32/64), SCO Unix, FreeBSD, Solaris, Tru64, Mac OS X, Darwin, … OpenSLP eliminates the need for users to know the names of network hosts. With OpenSLP, users need only know the description of the service they want to use. Based on this description, OpenSLP is then able to return the URL of the requested service.

Vulnerability details: A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. To exploit the vulnerability, a malicious user must send a malformed SLP packet to the target system.

Remedy: https://www.vmware.com/security/advisories/VMSA-2020-0023.html

Comment: From my observation, a similar OpenSLP vulnerability was found a few years ago. However, there is no official patch to do the remediation. I strongly believe that this bug will be exploited by cyber criminals, so it is highly recommended to disable this function.

CVE-2020-16951 – SharePoint users, stay alert! (17th Oct 2020)

Preface: Perhaps it is a design limitation. SharePoint did not check the source markup of an application package, which provides an opportunity to an attacker. When you read the prerequisites of the proof of concept, you may feel that this vulnerability would be difficult to exploit. However, a way to trigger it has been found, so we must be aware of it.

Vulnerability details: An authenticated attacker can craft pages to trigger a server-side include that can be leveraged to leak the web[.]config file. The attacker can leverage this to achieve remote code execution.

Prerequisite: the attacker needs the AddAndCustomizePages permission, which is enabled by default.

Hints: The Add and Customize Pages permission is granted at site level; it is not part of the list permission level. Even when you have full control at the list permission level, you may not have the permission at site level. You can add a new permission level which only includes the Add and Customize Pages permission, and then create a new SharePoint group with this permission level. Then add yourself to the SharePoint group and you will get the Add and Customize Pages permission at site level.
If it is at the site level, make sure you have enabled Custom Scripting in the SharePoint admin center: go to SharePoint admin center > Settings > Custom Script.

Remedy: The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952

CVE-2020-13943 – Apache Tomcat HTTP/2 DoS (16th Oct 2020)

Preface: Slow HTTP attacks are denial-of-service (DoS) attacks. They appeared nearly a decade ago. Such vulnerabilities made people aware of application security.

Background: Why do we need HTTP/2?

HTTP/2 allows the client to send multiple requests to the server simultaneously through the same TCP connection, and the server can use the same TCP connection to send the responses back simultaneously, thereby reducing additional RTT (round trip time).

Vulnerability details: On Jun 26 2020, a vulnerability was found in Apache Tomcat: a limitation in system resource handling when Apache Tomcat upgrades to HTTP/2.
The issue is caused by the multi-protocol function. Because of this design limitation, Apache Tomcat did not release the HTTP/1.1 resources. As a result, Apache Tomcat could consume all the memory and thus trigger a denial of service.

Remedy (official announcement): Refer to link – http://mail-archives.us.apache.org/mod_mbox/www-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E

Microsoft Addresses Windows TCP/IP RCE/DoS Vulnerability – US Homeland Security urges public attention. (14th Oct 2020)

Preface: Before the release of IP version 6, we had a good impression of its features.

Technical background: The official technical article provides the definition of the IPv6 RDNSS option address length (for details, refer to the attached diagram – point 3).

Potential Impact: If an attacker intentionally provides an even length value, the Windows TCP/IP stack incorrectly increases the size of the network buffer by 8 bytes. It fails to account for the case where a non-RFC-compliant length value is used (because the stack internally counts in 16-byte increments). This mismatch results in the stack interpreting the last 8 bytes of the current option as the start of a second option, ultimately leading to a buffer overflow and potential RCE.
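The length rule described above can be checked on the wire before a packet reaches a vulnerable stack. The following is an added example, not code from the original post or from Microsoft: a parser that walks the options of an ICMPv6 Router Advertisement and flags any RDNSS option (type 25) whose length is even or below 3, since RFC 8106 defines the length as 1 + 2 × (number of addresses) in 8-byte units. The function names and the all-zero sample options are constructed for illustration.

```python
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement
RA_HEADER_LEN = 16   # fixed RA fields that precede the options
OPT_RDNSS = 25       # Recursive DNS Server option (RFC 8106)


def check_ra_options(icmpv6: bytes) -> list:
    """Return findings for one ICMPv6 message (the bytes after the IPv6 header)."""
    findings = []
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != RA_TYPE:
        return findings                       # not a Router Advertisement
    offset = RA_HEADER_LEN
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:                      # RFC 4861: zero length is invalid
            findings.append(f"option {opt_type} at {offset}: zero length")
            break
        size = opt_len * 8                    # length is counted in 8-byte units
        if offset + size > len(icmpv6):
            findings.append(f"option {opt_type} at {offset}: truncated")
            break
        # One RDNSS option = 8 bytes of header + 16 bytes per address,
        # so a valid length is always odd and at least 3.
        if opt_type == OPT_RDNSS and (opt_len < 3 or opt_len % 2 == 0):
            findings.append(f"RDNSS at {offset}: invalid length {opt_len}")
        offset += size
    return findings


def build_ra(options: bytes) -> bytes:
    """Constructed sample: RA header with a zeroed checksum, followed by options."""
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + options


def rdnss_option(opt_len: int) -> bytes:
    """Constructed sample: RDNSS option of the given length, zero-filled body."""
    head = struct.pack("!BBHI", OPT_RDNSS, opt_len, 0, 600)
    return head + bytes(opt_len * 8 - len(head))
```

The same odd-length test is what a network IDS rule for this CVE needs to express; running it on mirrored Router Advertisement traffic shows whether malformed options are present on a segment.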

Remedy: The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

Comment: The vulnerability that hit Microsoft is caused by an IPv6 design feature. Perhaps it is a fundamental design matter. I predict that other vendors may encounter the same matter soon.

Homograph Attack (Puny-code) – CVE-2020-25779

Preface: To avoid malware attacks, DNS is the first door for quarantine. This step is not difficult: check whether the domain name being requested is included in the blacklist.

What is Punycode?
An encoding that converts Unicode words that cannot be written in ASCII into an ASCII representation.

Background: There are two different scenarios for the cyber threat actor to exploit.

  1. An attacker builds deceptive IDNs (Internationalized Domain Names) that are likely to mislead internet users.
  2. A phishing attack is almost impossible to detect when it exploits a Punycode vulnerability.

Synopsis: If the DNS filter mechanism does not convert IDN domains to their Punycode form before verification, a blacklisted domain may be ignored by the filter.

Example: The domain “xn--eqru1b157l[.]co” is equivalent to “黑名單[.]co”, where “xn--eqru1b157l” is the Punycode.
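The filter gap in the synopsis comes down to comparing two spellings of one name as raw strings. The following is an added example, not code from the original post or from Trend Micro: a blocklist that canonicalises both its entries and each queried host to the ASCII (Punycode) form before matching, shown beside the naive string comparison. It uses Python's built-in `idna` codec (IDNA 2003); the class and function names are hypothetical, and the blocklist entry is the page's Unicode label placed under the reserved `.example` TLD.

```python
def canonical_host(host: str) -> str:
    """Return the lower-case ASCII (A-label) form of a host name."""
    host = host.strip().rstrip(".").lower()
    try:
        # ASCII names pass through unchanged; Unicode labels become xn-- labels.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host          # not encodable: compare it as given


class DomainBlocklist:
    def __init__(self, entries):
        self._raw = {e.lower() for e in entries}
        self._canonical = {canonical_host(e) for e in entries}

    def naive_match(self, host: str) -> bool:
        """Weak form: raw string comparison, so one spelling slips through."""
        return host.lower() in self._raw

    def match(self, host: str) -> bool:
        """Hardened form: compare canonical forms, including parent domains."""
        labels = canonical_host(host).split(".")
        return any(
            ".".join(labels[i:]) in self._canonical
            for i in range(max(1, len(labels) - 1))
        )


# Constructed blocklist: the Unicode spelling is what the analyst entered.
BLOCKLIST = DomainBlocklist(["黑名單.example"])
```

A DNS or URL filter sees the `xn--` spelling on the wire, so whichever form the list was written in, the comparison has to happen after both sides are converted.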

Vulnerability details: Trend Micro Antivirus for Mac 2020 (Consumer) Bypass Web Threat Protection via Internationalized Domain Name Homograph Attack (Puny-code) Vulnerability.

Remedy: Trend Micro has released a new build of Trend Micro Antivirus for Mac Security (Consumer). Please refer to link – https://helpcenter.trendmicro.com/en-us/article/TMKA-09949

CVE-2020-26947 – Monero-wallet-gui design weakness (12th Oct 2020)

Preface: Monero price US$132.36 today – (12th Oct 2020). Monero (XMR) stands at the top of the list. This cryptocurrency’s popularity has been on the rise, primarily due to its ability to help anonymize users. Monero transactions are much more difficult to trace because they use ring signatures and stealth addresses.

Vulnerability details: monero-wallet-gui in Monero GUI 0.17.0.1 includes the . directory in an embedded RPATH (with a preference ahead of /usr/lib), which allows local users to gain privileges via a Trojan horse library in the current working directory.

Supplement: Potential risk: local privilege escalation (similar to DLL hijacking on Windows).
Condition: the current directory allows the user write and execute permission.
The risk level of the vulnerability therefore depends on the default program and the privilege control of the .so files. If the specified dynamically linked shared object libraries have been granted tight access permissions, the severity of the risk drops significantly.
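Whether a binary carries this kind of search path can be checked from its dynamic section. The following is an added example, not code from the original post or from the Monero project: it parses the text printed by `readelf -d` and reports every RPATH or RUNPATH entry that the loader would resolve against the current working directory. The function name is hypothetical and the sample output is constructed to mirror the `.` ahead of `/usr/lib` ordering described above; it is not real output from monero-wallet-gui.

```python
import re

# Matches the RPATH / RUNPATH rows of `readelf -d` output.
DYN_PATH = re.compile(r"\((RPATH|RUNPATH)\)\s+Library \w+: \[(.*)\]")


def risky_search_paths(readelf_dynamic: str) -> list:
    """Return (tag, position, entry) for entries that depend on the cwd."""
    findings = []
    for line in readelf_dynamic.splitlines():
        m = DYN_PATH.search(line)
        if not m:
            continue
        tag, value = m.groups()
        for position, entry in enumerate(value.split(":")):
            # Absolute paths and $ORIGIN (the binary's own directory) do not
            # depend on where the user happens to start the program.
            if entry.startswith("/") or entry.startswith(("$ORIGIN", "${ORIGIN}")):
                continue
            # ".", other relative paths and empty entries all resolve
            # against the current working directory.
            findings.append((tag, position, entry or "<empty>"))
    return findings


# Constructed sample of `readelf -d` output (not taken from a real binary).
SAMPLE = """\
Dynamic section at offset 0x2d88 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]
 0x000000000000000f (RPATH)              Library rpath: [.:/usr/lib]
"""
```

The position in each finding matters because earlier entries are searched first: position 0 here means a library in the working directory wins over the copy in `/usr/lib`.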

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-26947

CVE-2020-12505 & CVE-2020-12506 CODESYS impacting WAGO, not sure who is the next victim? – 7th Oct 2020

Preface: CODESYS is the leading manufacturer-independent IEC 61131-3 automation software for engineering control systems. However, the design weakness jeopardizes the industrial world.

Highlights: According to the CVE announcement on 30th September 2020, a series of WAGO PLC-ETHERNET fieldbus controllers are vulnerable to cyber attack.

Vulnerability details: Authentication can be disabled for port 11740 when it is in use for uploading PLC applications to the device, which lets an attacker bypass authentication. A design flaw occurred: since it requires application logic following IEC 61131 standards, arbitrary code could be executed directly on the device with the privileges associated with the Codesys runtime.

Official Mitigation method:
– Restrict network access to the device.
– Do not directly connect the device to the internet.
– Disable unused TCP/UDP ports.
– Disable web-based management ports 80/443 after the configuration phase

Reference:

https://cert.vde.com/en-us/advisories/vde-2020-027

https://cert.vde.com/en-us/advisories/vde-2020-028

Security Focus About Samsung mobile phone vulnerabilities. (NVD release date: October 6, 2020)

Preface: So far, it is difficult to detect the PendingIntent vulnerability with a tool.

Background: “PendingIntents” insecure usage can lead to server
By exploiting vulnerable but benign applications that are insecurely using PendingIntents, a malicious application without any permissions can perform many critical operations, such as sending text messages (SMS) to a premium number.

Known design weakness: A PendingIntent itself is simply a reference to a token maintained by the system describing the original data used to retrieve it. This means that even if its owning application’s process is killed, the PendingIntent itself will remain usable from other processes that have been given it.

Ref 1: An explicit intent defines a target component and thus is only delivered to the specified component.
Ref 2: Broadcast intent is broadcast to every registered component instead of only one.
Ref 3: PendingIntents – A PendingIntent is intended for another application to perform a certain action in the context of the sending application.

Vulnerability details – refer to the URLs below:

https://nvd.nist.gov/vuln/detail/CVE-2020-26601

https://nvd.nist.gov/vuln/detail/CVE-2020-26602

https://nvd.nist.gov/vuln/detail/CVE-2020-26604

CVE-2020-24231 – Are you using SymmetricDS for Database Replication on your Docker or cloud environment?

Preface: Cutting-edge technology companies like open source software. Big data analytics companies may need to pay attention.

Observation: According to our observation of advanced technology development firms, no matter whether they are small or enterprise-sized, they do not mind using open source software applications. From a business point of view, since they are business units, they must pay license fees once the vendor acknowledges. However, before their new services or products roll out to the market, the software developers do not hesitate to use open source software. Therefore, open source software vulnerabilities are the key factor they should be alert to. Otherwise, the impact of the risk on your services or products is unpredictable.

Technical Background: Monitoring and administrative operations of SymmetricDS can be performed using Java Management Extensions (JMX). SymmetricDS uses MX4J to expose JMX attributes and operations that can be accessed from the built-in web console, Java’s jconsole, or an application server. By default, the web management console can be opened from the following address:
http://localhost:31416/

Vulnerability found on SymmetricDS: SymmetricDS uses mx4j to provide access to JMX over HTTP. By default, mx4j has no authentication and is available on all interfaces (0.0.0.0). Therefore, an attacker can interact with JMX: get system info and invoke MBean methods. Moreover, it is possible to install additional MBeans from a remote host using MLet, which leads to arbitrary code execution. For more details, please refer to the attached picture.

Remedial Status: https://www.symmetricds.org/issues/view.php?id=4263