Preface: As healthcare organizations look to reduce cost, IT rationalization and process transformation are accelerating as providers adopt cloud strategies.
Background: Oracle Healthcare Foundation is a feature-rich analytics platform that supports more than 35 subject areas relevant to health data analytics, giving healthcare providers more granular data regarding the requirements of individuals and populations.
Vulnerability details: YAML is a human-readable data serialization standard that can be used in conjunction with all programming languages and is often used to write configuration files. A flaw was found in Apache Commons Configuration: it uses a third-party library to process YAML files, and that library by default allows the instantiation of classes if the YAML includes special statements. Oracle Healthcare Foundation Self-Service Analytics was impacted by this vulnerability.
Preface: If you like open source applications, you should also like the bugs they come with.
OpenSLP has been ported to a wide variety of systems, for example: Linux (32/64), Windows (32/64), SCO Unix, FreeBSD, Solaris, Tru64, Mac OS X, Darwin,… OpenSLP eliminates the need for users to know the names of network hosts. With OpenSLP, users need only know the description of the service they want to use. Based on this description, OpenSLP is then able to return the URL of the requested service.
Vulnerability details: A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. To exploit the vulnerability, a malicious user must send a malformed SLP packet to the target system.
Comment: From my observation, a similar OpenSLP vulnerability was found a few years ago. However, there is no official patch for remediation. I strongly believe that this bug will be exploited by cyber criminals, so it is highly recommended to disable this function.
Preface: Perhaps it is a design limitation. SharePoint did not check the source markup of an application package, which gives an attacker an opportunity. When you read the prerequisites of the proof of concept, you may feel that this vulnerability is difficult to exploit. However, a way to trigger it has been found, so we must be aware of it.
Vulnerability details: An authenticated attacker can craft pages to trigger a server-side include that can be leveraged to leak the web.config file. The attacker can leverage this to achieve remote code execution.
Prerequisite: The attacker needs the AddAndCustomizePages permission enabled, which is the default.
Hints: The Add and Customize Pages permission is granted at site level; it is not part of the list permission level. Having full control at list permission level does not necessarily give you the permission at site level. You can add a new permission level that includes only the Add and Customize Pages permission, and then create a new SharePoint group with this permission level. Then add yourself to the SharePoint group and you will get the Add and Customize Pages permission at site level. If it is at site level, make sure you have enabled Custom Scripting in the SharePoint admin center. Go to SharePoint admin center > Settings > Custom Script.
Preface: Slow HTTP attacks are denial-of-service (DoS) attacks. They appeared nearly a decade ago. Such vulnerabilities made people aware of application security.
Background: Why do we need HTTP/2?
HTTP/2 allows the client to send multiple requests to the server simultaneously through the same TCP connection, and the server can use the same TCP connection to send the responses back simultaneously, thereby reducing additional RTT (round trip time).
Vulnerability details: On Jun 26 2020, a vulnerability was found in Apache Tomcat: a limitation in the handling of system resources when Apache Tomcat upgrades to HTTP/2. The issue is caused by the multi-protocol function. Because of this design limitation, Apache Tomcat did not release the HTTP/1.1 resources. As a result, Apache Tomcat could consume all the memory and thus trigger a denial of service.
Preface: Before the release of IP version 6, we had a good impression of its features.
Technical background: The official technical article provides the definition of the IPv6 RDNSS option address length (for details, refer to the attached diagram, point 3).
Potential Impact: If an even length value is provided, the attacker intentionally causes the Windows TCP/IP stack to incorrectly increase the size of the network buffer by 8 bytes. The stack fails to account for the case where a non-RFC-compliant length value is used (because the stack internally counts in 16-byte increments). This mismatch results in the stack interpreting the last 8 bytes of the current option as the start of a second option, ultimately leading to a buffer overflow and potential RCE.
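The length rule described above can be checked on captured Router Advertisement options before they reach a vulnerable host. The following is an added example, not code from the original post or from Microsoft: it walks the options and flags any RDNSS option (type 25) whose Length field is even or below 3, relying on the RFC 8106 layout (Length counts 8-byte units: 8 bytes of header plus 16 bytes per address). The function names and the sample bytes are constructed for illustration.

```python
import struct

RDNSS_TYPE = 25  # Recursive DNS Server option type (RFC 8106)

def check_nd_options(options: bytes):
    """Walk the options of a Router Advertisement; return (offset, problem) pairs."""
    findings = []
    off = 0
    while off < len(options):
        if len(options) - off < 2:
            findings.append((off, "truncated option header"))
            break
        opt_type, opt_len = options[off], options[off + 1]
        if opt_len == 0:
            # RFC 4861: a zero length makes the whole packet invalid.
            findings.append((off, "zero-length option"))
            break
        size = opt_len * 8  # the Length field counts 8-byte units
        if off + size > len(options):
            findings.append((off, "option overruns packet"))
            break
        if opt_type == RDNSS_TYPE:
            # 8 bytes of header plus 16 bytes per address: 3, 5, 7, ...
            if opt_len < 3:
                findings.append((off, f"RDNSS length {opt_len} below minimum 3"))
            elif opt_len % 2 == 0:
                findings.append((off, f"RDNSS even length {opt_len}"))
        off += size
    return findings

def build_rdnss(length_units: int) -> bytes:
    """Constructed sample: zero-filled RDNSS option of the declared length."""
    header = struct.pack("!BBHI", RDNSS_TYPE, length_units, 0, 600)
    return header.ljust(length_units * 8, b"\x00")

if __name__ == "__main__":
    # Constructed input: one well-formed option followed by a malformed one.
    ra_options = build_rdnss(3) + build_rdnss(4)
    for offset, problem in check_nd_options(ra_options):
        print(f"option at offset {offset}: {problem}")
```

The same predicate (type 25 with an even Length) is what a network IDS rule for this flaw needs to match on.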
Preface: Monero price US$132.36 today – (12th Oct 2020). Monero (XMR) stands at the top of the list. This cryptocurrency’s popularity has been on the rise, primarily due to its ability to help anonymize users. Monero transactions are much more difficult to trace because they use ring signatures and stealth addresses.
Vulnerability details: monero-wallet-gui in Monero GUI 0.17.0.1 includes the . directory in an embedded RPATH (with a preference ahead of /usr/lib), which allows local users to gain privileges via a Trojan horse library in the current working directory.
Supplement: Potential risk: local privilege escalation (similar to DLL hijacking on Windows). Condition: the current directory allows the user write and execute permission. The risk level therefore depends on the default program and .so privilege controls. If the specified dynamically linked shared object libraries have been granted tight access permissions, the severity of the risk drops significantly.
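To audit binaries for the condition described above, the following added example (not part of the original post or of the Monero project) scans the dynamic section printed by `readelf -d` and reports RPATH/RUNPATH entries that are neither absolute nor `$ORIGIN`-based, since those resolve against the current working directory. The function name and both sample rows are constructed for illustration; they are not real output from monero-wallet-gui.

```python
import re

# Matches the RPATH / RUNPATH rows of `readelf -d` output.
DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

def cwd_relative_entries(readelf_dynamic: str):
    """Return (tag, entry) for search-path entries not anchored to a fixed place."""
    findings = []
    for line in readelf_dynamic.splitlines():
        match = DYN_RE.search(line)
        if not match:
            continue  # NEEDED, SONAME and other rows are not search paths
        tag, value = match.groups()
        for entry in value.split(":"):
            if entry.startswith("/"):
                continue  # absolute directory
            if entry.startswith(("$ORIGIN", "${ORIGIN}")):
                continue  # relative to the binary's own location, not the CWD
            findings.append((tag, entry or "<empty>"))
    return findings

# Constructed sample mirroring the flaw: "." searched ahead of /usr/lib.
VULNERABLE = (
    " 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]\n"
    " 0x000000000000000f (RPATH)              Library rpath: [.:/usr/lib]\n"
)
# Constructed sample of a safer layout anchored to the install directory.
HARDENED = (
    " 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]\n"
    " 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/usr/lib]\n"
)

if __name__ == "__main__":
    for name, sample in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, cwd_relative_entries(sample))
```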
Preface: CODESYS is the leading manufacturer-independent IEC 61131-3 automation software for engineering control systems. However, the design weakness jeopardizes the industrial world.
Highlights: According to the CVE announcement on 30th September 2020, a series of WAGO PLC-ETHERNET fieldbus controllers are vulnerable to cyber attack.
Vulnerability details: The authentication can be disabled for port 11740 when it is in use for uploading PLC applications to the device. This lets an attacker bypass authentication. A design flaw occurs because the device requires application logic following IEC 61131 standards, so arbitrary code could be executed directly on the device with the privileges associated with the CODESYS runtime.
Official mitigation method:
– Restrict network access to the device.
– Do not directly connect the device to the internet.
– Disable unused TCP/UDP ports.
– Disable web-based management ports 80/443 after the configuration phase.
Preface: So far, it is difficult to detect the PendingIntent vulnerability with a tool.
Background: Insecure usage of PendingIntents can lead to severe abuse: by exploiting vulnerable but benign applications that are insecurely using PendingIntents, a malicious application without any permissions can perform many critical operations, such as sending text messages (SMS) to a premium number.
Known design weakness: A PendingIntent itself is simply a reference to a token maintained by the system describing the original data used to retrieve it. This means that even if its owning application’s process is killed, the PendingIntent itself will remain usable from other processes that have been given it.
Ref 1: An explicit intent defines a target component and thus is only delivered to the specified component.
Ref 2: Broadcast intent is broadcast to every registered component instead of only one.
Ref 3: PendingIntents – A PendingIntent is intended for another application to perform a certain action in the context of the sending application.
Preface: Cutting-edge technology companies like open source software. Big data analytics companies may need to pay attention.
Observation: According to our observation of advanced technology development firms, no matter whether they are small or an enterprise firm, they do not mind using open source software applications. From a business point of view, since they are a business unit, they must pay license fees once the vendor acknowledges. However, before their new services or products roll out to the market, the software developers do not hesitate to use open source software. Therefore, open source software vulnerabilities are the key factor they should be alert to. Otherwise, the impact of the risk on your services or products is unpredictable.
Technical Background: Monitoring and administrative operations of SymmetricDS can be performed using Java Management Extensions (JMX). SymmetricDS uses MX4J to expose JMX attributes and operations that can be accessed from the built-in web console, Java’s jconsole, or an application server. By default, the web management console can be opened from the following address: http://localhost:31416/
Vulnerability found on SymmetricDS: SymmetricDS uses mx4j to provide access to JMX over HTTP. By default, mx4j has no authentication and is available on all interfaces (0.0.0.0). Therefore, an attacker can interact with JMX: get system info and invoke MBean methods. Moreover, it is possible to install additional MBeans from a remote host using MLet, which leads to arbitrary code execution. For more details, please refer to the attached picture.