Category Archives: Potential Risk of CVE

IoT World and Smart City must staying wide-awake!

SmartCity project wide spreading implement in the world. The framework transform existing IT world domain includes Cloud computing, virtual machine, router and network infrastructure. Meanwhile it carry the design flaw so called vulnerability simultaneously. As we know, Microsoft product has famous activities patch Tuesday to do the mitigation of critical risk occurs on their product. Since IoT technology cope with smartCity project. It is hard to avoid to evade not to chosen a brand nae which require frequently doing the patching. Even though you make use of a proprietary product it was hard to evade vulnerabilities occurs. A question has been queries to the world. SmartCity items involves public safety regulations. If the smartCity facilities become the main trend of the society. However the major facilities encountered denial of service through heap corruption. Do you think how worst is the situation will be?

CVE-2017-18187
In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.

CVE-2018-0488
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.

CVE-2018-0487
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.

Official announcement for reference.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

 

 

Adobe Acrobat and Reader CVE-2018-4872 Privilege Escalation

When I was young, I watch the ali baba movie a unforgettable mystery slogan. Yes, it is open sesame. A magic master come out. Perhaps my life journey told me that this is not true. We now living in electronic world. Open electronic file daily like habit forming sequence. It looks that my dream come true today. A PDF document embedded with Privilege Escalation function valid in Adobe reader. But I did not said open sesame slogan!

The similar type of Privilege Escalation vulnerability occurred in 2015 (CVE-2015-4438). The privilege escalation vulnerability repeat this week. IT guy, Life is not easy!

Synopsis:

A privilege escalation vulnerability has been reported in Adobe Acrobat and Reader. The vulnerability is due to an error in Adobe Acrobat or Reader while parsing a specially crafted PDF file. A remote attacker can exploit this issue by enticing a victim to open a specially crafted PDF file.

Below url is the official announcement provides by Adobe.

https://helpx.adobe.com/security/products/acrobat/apsb18-02.html

Perhaps the Meltdown & Spectre vulnerabilities in CPU equivalent to human immunodeficiency virus (HIV)?

Preface:

Human immunodeficiency virus infection and acquired immune deficiency syndrome (HIV/AIDS) is a spectrum of conditions caused by infection with the human immunodeficiency virus (HIV).

Background:

On July 2017, Meltdown was discovered independently by Jann Horn from Google’s Project Zero, Werner Haas and Thomas Prescher from Cyberus Technology, as well as Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology. The same research teams that discovered Meltdown also discovered a related CPU security vulnerability now called Spectre.

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors.It allows a rogue process to read all memory, even when it is not authorized to do so.

Spectre is a vulnerability that affects modern microprocessors that perform branch prediction. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers.

Remark: On January 28, 2018, Intel was reported to have shared news of the Meltdown and Spectre security vulnerabilities with Chinese technology companies before notifying the U.S. government of the flaws.

A dramatic development

The CPU manufacturer (AMD) claimed that they are not vulnerable to this design flaw. As a result all we are focus and believe that the flaw only given by Intel. Regarding to this CPU design flaw, there are total of three design flaws. They are Spectre (Types 1 and 2) and Meltdown (Type 3). However AMD Zen core based products are only immune to Meltdown. And therefore they are still under the Spectre flaw finally. The official announcement by AMD shown as below:

The announcement by AMD looks that they are not going to take any action in regards to Spectre. Their situation similar comparing to the operating system and computer relationship. The operation itself do not have feature to avoid virus. As a result, it relies on antivirus program. The CPU vendor (AMD) apply the similar idea of concept to this vulnerability and therefore they transfer the responsibility to OS vendor.

Vendors have begun to roll out OS patches

Microsoft

However so called install the remediation CPU patch looks amazed the windows OS user. I am using window 7 instead of windows 10. Perhaps I just did the windows update this morning. It behind my seen that CPU vulnerability still valid on my PC. The cache-misses as compared to missed-branches data collected from Spectre is possible on my PC (see attached screen-shot for reference).

Perhaps my diagnosis executed on 19th Jan 2018. It can’t tell the truth explicitly. Since at least 3 rounds of patch (patch tuesday) has been executed. In order to protect your windows OS. Please refer to below url for references (Microsoft official announcement)

https://portal.msrc.microsoft.com/en-US/security-guidance

Apple iPhone

Apple iPhone released that patch on 23rd Jan 2018. For more details, please refer to below picture diagram for reference.

Apple computer issue the patch on 8th Jan 2018 only for Spectre attack. The remediation products include iPhone, MacOS and Safari.

macOS High Sierra 10.13.2 Supplemental Update

https://support.apple.com/en-hk/HT208397

Safari 11.0.2 includes security improvements to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

https://support.apple.com/en-hk/HT208403

iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

https://support.apple.com/en-hk/HT208401

Linux – Retpoline

In order to mitigate against kernel or cross-process memory disclosure (the Spectre attack), OS developer find the following way. A technical definition so called retpoline. A retpoline is a return trampoline that uses an infinite loop that is never executed to prevent the CPU from speculating on the target of an indirect jump. Technical details shown in below url:

Linux https://lkml.org/lkml/2017/11/22/956

The remediation step will be focus on the following protection technique.

ARM (Protection Unit (PU))

The advantages of this system are:

  • Access control held entirely on-chip (no need for any off-chip tables)
  • Provides four levels of access control, cache and write-buffer control
  • Separate control over instruction and data caches.

The disadvantages are:

• Small number of regions

• Restrictions on region size and alignment.

VMware

Even though mitigation plan has been released. For recent chip design weakness, once the patches are applied, developers have to rewrite code to support the patch. Perhaps VMware programming team cannot address the problem in full scale. But you do not have choices if you are a VM users!

VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245) – see below url for reference.

https://kb.vmware.com/s/article/52245

Cloud platform service provider

AWS – Amazon

As far as I know, Cloud services provides is the earlier customer to receive the patch provided by Intel. The guidelance release to remediate meltdown and Spectre vulnerabilities start from the 1st version issued on 3rd Jan 2018 to 23rd Jan 2018 (version 17). For more details, please refer below url for reference.

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Discussion checkpoint

Regarding to my observation. The similar vulnerability found on Aug 2017. I remember that my article posted here mentioned before (see below url for reference). In the meantime, I personally agree with Intel announcement that based on the CPU features to date, many types of computing devices with many different vendors’ processors and operating systems are susceptible to these exploits. And therefore Intel might not the only victim.

The enemy of ASLR (Address space layout randomization) – memory leak

The cache side channel attack of this security incident on Intel side looks compatible to other chips vendor. The worst scenario is that similar channel attack will be happened once you have cache. So, foreseen that this is the prelude of new form of attack in this year!

Hardware vendor patch announcement on 5th Jan 2018

ARM https://developer.arm.com/support/security-update

Intel https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

F5 https://support.f5.com/csp/article/K91229003

WAN acceleration solution vendor

I speculated that WAN acceleration solution vendor and Software defined network will be the next of the victims but now they are keep silent. Perhaps headline news article comment that no know cyber attacks deployed similar definition of theory utilization in past. But I’m in doubt?

As of today short term summary:

The research report evident that the Meltdown vulnerability occurs on Intel processors only, while the Spectre vulnerability can possibly affect some Intel, AMD, and ARM processors. AMD not vulnerable to GPZ Variant 3 since AMD enforced use of privilege level protections within paging architecture. However AMD is not going to take any action in regards to Spectre. Their situation similar comparing to the operating system and computer relationship. The operation itself do not have feature to avoid virus. As a result, it relies on antivirus program. The CPU vendor (AMD) apply the similar idea of concept to this vulnerability and therefore they transfer the responsibility to OS vendor. As a matter of fact, Intel CPU design flaw lack of permission check. It allows a rogue process to read all memory, even when it is not authorized to do so. Spectre, an attacker may be able to extract information about the private data using a timing attack.

Since the flaw given from CPU design. The alternative taken today is urge OS and application vendor setup the protect front-line to avoid Java, C++ execute the malicious code causes leak passwords and sensitive data. The situation similar the HIV virus attacks a specific type of immune system cell in the body, known as CD4 helper lymphocyte cells. HIV destroys these cells, making it harder for your body to fight off virus. Meltdown and Spectre given from CPU fundamental design flaw. If we are only relies on OS and application remediation. Threat actors still have opportunities jump to CPU side satisfy their wants.

End of topic, thank you.

 

 

Alert: Cisco CVE-2018-0125,CVE-2018-0117,CVE-2018-0113,CVE-2018-0116

Staying alert – Your Cisco products Cisco

RV132W and RV134W Remote Code Execution and Denial of Service Vulnerability – CVE-2018-0125 (Critical) 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x

Cisco Virtualized Packet Core-Distributed Instance Denial of Service Vulnerability – CVE-2018-0117 (High)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-vpcdi

Cisco UCS Central Arbitrary Command Execution Vulnerability – CVE-2018-0113 (High)

 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-ucsc

Cisco Policy Suite RADIUS Authentication Bypass Vulnerability – CVE-2018-0116 (High) 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-cps

Observation: Since threat actors are around the world today. It is hard to avoid vulnerability happen perhaps it is out of hardware vendor control. In order to avoid unforseen issue occurs, it is better to enhance your IDS YARA rules or invite manage security services vendor to protect your IT campus.

 

CVE-2018-4878 (Staying alert with Adobe Flash usage)

Staying alert with Adobe Flash usage! As far as I know, many business firms not going to use adobe flash anymore. However, I noticed that hackers lure victims to a website which require flash install. The victim such a way install the old version of flash. A malware infiltration afterwards. For more detail after this news, please visit adobe official website for review. URL shown as below:

https://helpx.adobe.com/security/products/flash-player/apsb18-03.html

 

Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS wireless router products

The IT device vulnerabilities looks diversification today. Threat actors will be take advantage of XML. Why? Hundreds of document formats using XML syntax have been developed, including RSS, Atom, SOAP, SVG, and XHTML. XML-based formats have become the default for many office-productivity tools, including Microsoft Office (Office Open XML), OpenOffice.org and LibreOffice (OpenDocument), and Apple’s iWork. ASUS wireless router products more deploy at home, small retail shop and development countries. It is recommended to following hardware instruction to patch the devices.

Vulnerability synopsis:

(1) an UPDATEACCOUNT

or

(2) a PROPFIND request.

What is PROPFIND — used to retrieve properties, stored as XML, from a web resource. It is also overloaded to allow one to retrieve the collection structure (a.k.a. directory hierarchy) of a remote system. For more details, please see below url for reference. Do not ignore this vulnerability.

Reference: https://www.fortify24x7.com/cve-2017-14699/

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability – CVE-2018-0101

Perhaps the foundation of java and xml. They are unusual and change the cyber world atmosphere. Cisco found threat actor can crafted xml causes denial of services from Cisco firewall. The official announcement just post last week. Now a additional new issue found on VPN tunnel function. As mentioned last week, XML memory Exploit not a new topic. It announced in RSA conference on 2016.The concept idea shown as below:

MS XML Exploit:

  1. Double free memory vulnerability in MSXML3.dll
  2. Invokable with IE
  3. Validating DTDs (Document Type Defintion) in an XML document
  4. Invalid forward ID references
  5. Memory occupied by a forward reference object is freed twice
  6. Present in older heap manager used

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

Cisco Aggregation Services Router 9000 Series IPv6 Fragment Header Denial of Service Vulnerability

Cisco Aggregation Services Router 9000 Series IPv6 Fragment Header Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180131-ipv6

IPv6 design limitation highlights by Cisco on 2013 RSA conference. Since ICMP header is in 2nd fragment. Defense mechanism especially RA guard no cue where to find (see my cartoon picture). Perhaps stateful firewall can doing the defense. Meanwhile, this issue told the world there is no real secure Internet Protocol! But this vulnerability occurs on Cisco only causes Denial of Service (reboot). At least no privileges escalation or data leakage.

CVE-2018-0486 Staying alert with your single sign-on application especially IDP vulnerability

CVE-2018-0486: Shibboleth(SAML IDP) open source vulnerability is currently awaiting analysis. For more details, see below url for reference:

https://nvd.nist.gov/vuln/detail/CVE-2018-0486

During my penetration test engagement in past. I was surprised that no matter airline , financial and retail industries web online application solutions are deployed open source single-sign on resources. An incident occurred in Equifax which awaken the business world that open source application has potential inherent risk. It will jeopardize your firm reputation. It looks that a very popular SAML IdP open source has vulnerability occurs. What is your comment? Remark: You can also find the details on attached picture diagram.

Apple enforce Meltdown and Spectre vulnerabilities remediation

About Apple security updates announcement (see below url for reference)

https://support.apple.com/en-us/HT208463

About security updates announcement, the objectives is going remediate multiple vulnerabilities.As usual, apple released security update but no descriptions are available yet. Perhaps without detail information provided by vendor (Apple). However I  was speculated  that the remediation step will be focus on the following protection technique. ARM (Protection Unit (PU))

The advantages of this system are:

• Access control held entirely on-chip (no need for any off-chip tables)

• Provides four levels of access control, cache and write-buffer control

• Separate control over instruction and data caches.

The disadvantages are:

• Small number of regions

• Restrictions on region size and alignment.

As a result,  the 3rd party unmanaged apps especially game might have problem occurs!