Category Archives: Potential Risk of CVE

CVE-2019-17132 vBulletin through 5.5.4 mishandles custom avatars

Preface: vBulletin™ is the world leader in forum and community publishing software. Vbulletin messenger make use of AJAX-based chat functionality.The main benefit of developing websites using Ajax is to help web browsers retrieve more data without causing a Web page to refresh.

Vulnerability details: User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint. Vulnerability found that these input are not properly validated before being used to update users’ avatars.
Hacker relies above flaw do exploitation, inject and execute arbitrary PHP code.

Remark: Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).

How attacker detect web site install vBulletin system.

  • HTTP headers, including cookies
  • Design will insert unique Javascript code into web pages.
  • Detect meta tag within the html pages.

Remedy: patches available for the following versions of vBulletin Connect:

- 5.5.4 Patch Level 2
- 5.5.3 Patch Level 2
- 5.5.2 Patch Level 2

All users of iTerm2 should update immediately – Oct 2019

Preface: iTerm2 not the default Mac terminal

Vulnerability details: A vulnerability, identified as CVE-2019-9535, exists in the way that iTerm2 integrates with tmux’s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.

Technical background: iTerm2 with tmux integration since version 3.3.5. The powerful feature of Tmux is able to run tmux as the remote command argument to ssh. Meanwhile Tmux is a terminal multiplexer. Simply put, this allows you to split one terminal session into many.

Remedy: Developer take the following actions:

  • Use session number everywhere rather than session name
  • Do not poll tmux for the set-titles-string, status-left, and status-right and then request the values of the returned format strings.
  • Hex-encode options saved in the tmux server to make them unexploitable

Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability.

RTOS vulnerabilities found on July this year might impacting medical industry, said FDA (1st Oct 2019)

Preface: The Department of Homeland Security (DHS) and FDA are aware that the (URGENT/11) vulnerabilities will be effected medical device and hospital networks. They released announcement to urge specify industry to staying alert.

Vulnerability details: So called (URGENT/11) found on Wind River VxWorks on July 2019. Urgent11, it include 6 remote code defects and 5 less serious flaws. The design limitation of TCP/IP (IPnet) network stack let hackers to bypass traditional border and device security. If your IoT settings are integrated with physical LAN and 802.11 (wireless), but the IoT’s does not have internet communication capabilities. Maybe you also have a headache at the moment. See whether below suggestion can help.

  • If you do not have SIEM on hand. The primitive interim remediation should do the following.
    Turn MAC Filtering on wireless router
  • Turn on port protection on your network switch. If you are using low end network device which do not provide this function. Perhaps you must disable or use the seal tape to block the ethernet port not in used.

The key factor to prevent this vulnerability is enforce the network access control in your network. Do not let the strange (3rd party) plug in his computer to your network infrastructure.

If the internet connectivity function is enabled. So what we can do?
Since those vulnerabilities has CVE reference number assigned. And therefore application firewall can be quarantine the attack. Besides of that you have to apply above method to prevent the insider threat.

Reference: FDA announcement – https://www.fda.gov/news-events/press-announcements/fda-informs-patients-providers-and-manufacturers-about-potential-cybersecurity-vulnerabilities

Backstory: http://www.antihackingonline.com/potential-risk-of-cve/urgent-11-tremendous-design-limitation-jeopardizes-rtos-industry/

Preface: The heap is the portion of memory where dynamically allocated memory resides (i.e. memory allocated via malloc ).

Background: Exim is a message transfer agent (MTA). It generally comes with default Debian installation. If you need to use ACL and other features you may need to install exim4-daemon-heavy (see below):
apt-get install exim4-daemon-heavy

Vulnerability details: The heap is the portion of memory where dynamically allocated memory resides (i.e. memory allocated via malloc ). The component (string.c) contain function to format the input data string and save. However it did not have mechanism to check the length of receiving data. As a result, it trigger a heap base buffer overflow by a extraordinary long EHLO string. The attacker have to find out which unlink() he can “reuse” in glibc. From technical point of view, Unlink() is the classic and probably the simplest one. In short attacker can overwrite arbitrary 4 bytes at two specified places (FD & BK)! This is more than enough to redirect the control flow.

Reference: Maximum length of a DNS name – Exceeded the maximum number of characters. The maximum number is LL (1) + LN (63) + LL (1) + LN (63) + LL (1) + LN (63) + LL (1) + LN (61) + NL (1) = 255 bytes

Remedy: No known mitigation. End user must download and build the fixed version 4.92.3

RSA BSAFE Crypto-C Micro Edition vulnerability CVE-2019-3733

Preface: Who uses RSA’s BSAFE library? BSAFE uses Dual_EC_DRBG as its default pseudorandom number generator. Dual_EC_DRBG let people hesitation because the algorithm that is suspected to contain a NSA backdoor.

Product background: The Crypto-C ME software development toolkit is designed to enable developers to incorporate cryptographic technologies into applications. Crypto-C ME security software helps to protect sensitive data as it is stored, using strong encryption techniques to ease integration with existing data models.

Vulnerability details: RSA BSAFE Crypto-C Micro Edition, all versions prior to 4.1.4, is vulnerable to three (3) different Improper Clearing of Heap Memory Before Release vulnerability, also known as ‘Heap Inspection vulnerability’. A malicious remote user could potentially exploit this vulnerability to extract information leaving data at risk of exposure.

Additional information: For insatnce, if you software application written in CPython. So you have to implement your own data type in C and wipe memory in its deallocation function. Since BSAFE is one of the oldest cryptography libraries and therefore the original design not contain this clean up function in memory.

Vendor announcement (Reference URL): https://www.dell.com/support/security/zh-hk/details/DOC-107000/DSA-2019-079-RSA-BSAFE®-Crypto-C-Micro-Edition-and-Micro-Edition-Suite-Multiple-Security-Vulnerab

cve-2019-16941 (28th Sep 2019)

Preface: It is rare that software application do not have design weakness. If there is a perfect software appears. Perhaps we can say, it is created by God.

Background: Ghidra is a software reverse engineering framework developed by NSA that is in use by the agency for more than a decade.

Design weakness: When you run the Ghidra software in experimental mode. Follow below step, you can do a re-engineering of the software and let become a backdoor. This occurs in features (/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java).

  1. Select the “DumpFunctionPatternInfoScript”
  2. Export the resulted XML file.
  3. Follow attached picture add java.lang.Runtime.exec call
  4. To bring up the explorer, select Window -> Function Bit Patterns Explorer from the Code Browser. Click “Read XML Files”
  5. Then the remote server listen port 1137 can communicate the hosts which installed Ghidra.

Remedy: New version of Ghidra has been released.

Vulnerability in PHP – 27th Sep 2019

Preface: CIS Center for Internet Security Urge PHP customer stay alert of the zero-day vulnerability. It could allow for Arbitrary Code Execution. 27th Sep 2019

Vulnerability details: A vulnerability has been discovered in PHP, which could allow an attacker to execute arbitrary code. PHP is prone to a heap-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue exists in the ‘mb_eregi()’ function.

SYSTEMS AFFECTED: PHP versions 7.3 prior to 7.3.10

Additional details: The feature of “mb_eredi( )” is executes the case insensitive regular expression match with multibyte support. Since this function did not properly bounds-check user-supplied data. As a result, it will copy string it into sized buffer(array). If no matches are found, regs is set to an empty array. This buffer area (array) is located in heap of memory. We known heap is an area of pre-reserved computer main storage ( memory ) that a program process can use to store data in some variable amount that won’t be known until the program is running.
When this happens, the buffer that is assumed to be freed will be expected to hold two pointers FD and BK in the first 8 bytes of the formerly allocated buffer. BK gets written into FD and can be used to overwrite a pointer.

Reference: The memory unit allocated by malloc is chunk. If the chunk that has been allocated does not use the last two pointers, it will be used to store the data directly. So attacker can use Malloc to do Heap overflow.

Remedy: Reference URL – https://www.php.net/downloads.php#gpg

VMware Cloud Foundation and VMware Harbor Container Registry for PCF address remote escalation of privilege vulnerability (CVE-2019-16097) Sep 2019

Background: There are six major modules in harbor. The default components of each harbor are packaged into a docker container, so the harbor can be deployed via compose, which is divided into 8 containers and run through docker-compose ps.

Vulnerability details: A vulnerability in the POST /api/users API of Harbor may allow for a remote escalation of privilege.

The vulnerability exists due to improper access restrictions within “core/api/user.go” when processing HTTP POST requests to “/api/users” API, when Harbor is configured to use DB as authentication backend. A remote non-authenticated attacker can send a specially crafted HTTP request to the vulnerable API endpoint and create an administrative user account.

Reminder:
a. When using LDAP mode, user’s self-registration is disabled.
b. Database(db_auth) – Users are stored in the local database.
A user can register himself/herself in Harbor in this mode.

Official announcement: https://www.vmware.com/security/advisories/VMSA-2019-0015.html

Siemens – Security Advisory by Siemens ProductCERT SSA-250618: Denial-of-Service Vulnerability in SIMATIC TDC CP51M1

Preface: a motion control system includes at least three basic components — a motor, a drive, and a controller. Second, motion control systems are primarily used in discrete industries such as packaging and semiconductor manufacturing, as opposed to process industries such as chemical manufacturing and power generation.

Product background: Siemens SIMATIC TDC provides the highest degree of competence when it comes to motion control and closed-loop control technology.

Vulnerability details: A vulnerability could allow an attacker to cause a Denial-of-Service condition on the UDP communicationby sending a specially crafted UDP packet to the SIMATIC TDC CP51M1 module.

Example: UDP flood” is a type of Denial of Service (DoS) attack in which the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. The receiving host checks for applications associated with these datagrams and—finding none—sends back a “Destination Unreachable” packet.

Remedy: Firmware Updates for SIMATIC TDC CP51M1 OR

  • Restrict network access to affected devices
  • Restrict UDP communication to affected devices
  • Do not use UDP communication in the user program if not needed
  • Apply cell protection concept and implement defense in depth

23rd Sep 2019 – Microsoft Releases Out-of-Band Security Updates

Security focus – CVE-2019-1367: Microsoft conducted remedy for CVE-2018-8653, but a item not being fixed. Suspected that this is one of the reason let Microsoft Releases Out-of-Band Security Updates on 23th Sep 2019.

Should you have interested of this matter, please refer to attached diagram. The official announcement can be found at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367

Apart from that out of band update also covered Microsoft Defender Denial of Service Vulnerability CVE-2019-1255. Official announcements can be found at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255