Category Archives: Potential Risk of CVE

Vulnerabilities in VMware (RMI communication in vRealize Operations for Horizon) are also apply for those vendor who is using RMI in Java environment. (20th Feb 2020)

Preface: JMX is often described as the “Java version” of SNMP (Simple Network Management Protocol).

Synopsis: A vulnerability in the Java Management Extensions (JMX) management agent included in the Java Runtime Environment (JRE) may allow a JMX client running on a remote host to perform unauthorized operations on a system running JMX with local monitoring enabled.

Security Focus: CVE-2020-3943 – The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to the affected software uses a JMX RMI service which is not securely configured. A remote attacker can execute arbitrary code in vRealize Operations, with the Horizon Adapter running.

Horizon wiki – The Horizon adapter runs on a cluster node or remote collector node in vRealize Operations Manager. You can create a single Horizon adapter instance to monitor multiple Horizon pods. During broker agent configuration, you pair the broker agent with a Horizon adapter instance.

Attack basis: The attacker would have to trick the victim to open a a specially crafted file.

Official announcement: https://www.vmware.com/security/advisories/VMSA-2020-0003.html

APT Group attack major focus: time window before release and patched (19th Feb 2020)


Preface: In normal circumstance, the remediation of vulnerabilities is time consumption. Even though Software-based vulnerabilities policy allow up to 90 days for the vendor to provide a patch.

Background: It looks that existing period of time can be happen plenty of matters. So far APT Group have talented and knowledge to discover the defect of the I.T product. Refer to cyber security evaluation report found that the new round of cyber attack for specify APT group will be focusing the SSL VPN products vulnerability. Refer to attached diagram, it shown that at least 3 different products of SSL VPN service encountered vulnerabilities last year (2019).

Our Focus: Perhaps vendor will based on the severity level priority the remedy schedule. This gap can provide such a space to hacker engage cyber attack.

The suspected defect like Sonicwall SSL-VPN. APT Group not difficult to conduct this attack.The memcpy function can be overflow the local buffer. So overwriting EIP and using a rop chain to execute commands is simple.

*Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

FIFO project problem tracker – SEND_FILE_WITH_HEADER Use-After-Free (Feb 2020)

Preface: The security of FIDO deployment largely depends on the choice of underlying security subsystems and their implementation.

Background: An ioctl , which means “input-output control” is a kind of device-specific system call. There are only a few system calls in Linux (300-400), which are not enough to express all the unique functions devices may have. So a driver can define an ioctl which allows a userspace application to send it orders.
Samsung’s kernel tree contains two implementations of device-side MTP. One of them (drivers/usb/gadget/function/f_mtp.c), based on its copyright headers,seems to be from Google, but this one is disabled at build time.
The second one is drivers/usb/gadget/function/f_mtp_samsung.c.
Both of them have ioctl handlers that handle the ioctl command SEND_FILE_WITH_HEADER; the Google version runs this handler under a lock, but Samsung version doesn’t hold any locks.

Impact: If the object has been freed and then filled with data controlled by attacker, the EIP/RIP register for x86/x64 architecture or the register for ARM architecture is to be hijacked to injected shellcode and an arbitrary code execution in kernel will be achieved.

Remedy: Waiting for response by vendor

Perhaps you don’t use Internet Explorer, you could still be at risk. Conduct patch install on IE today – 12th Feb 2020

Preface: If you try to open an .MHT file on a computer including Windows 10, or Windows Server 2012 R2 then it will attempt to load the file using Internet Explorer eventhough of the default browser in place!

Security Focus: Microsoft released an emergency security update on Monday (February 10, 2020) to fix a vulnerability in Internet Explorer (IE) designed to alert business customers. This issue occurs because the ‘scripting engine’ fails to properly handle objects in memory. Attackers can exploit this issue by enticing an unsuspecting user of the affected application to view a specially crafted web page.

Remedy: For more details, please refer to official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674

Learn more about CVE-2019-18634 – sudo vulnerability

Preface: Sudo (substitute user [or superuser] do) is a program used in Unix-like operating systems such as BSD, Mac OS X, and GNU / Linux to allow users to execute programs in a secure manner with special permissions (usually the system Super user).

Highlight: When pwfeedback is set, sudo will provide visual feedback when the user presses a key. This function allows the system to indicate the currently entered character with an asterisk character.

Vulnerability details: In January 2020, CVE-2019-18634 announced a vulnerability that had existed for more than 9 years, pointing out in the pwfeedback feature option. This function allows the system to indicate the currently entered character with an asterisk character. However, after the pwfeedback function is enabled in the sudoer file, it may allow users to trigger a stack buffer overflow attack, allowing users without system management rights, even those not listed in the sudoer file. Users in can be elevated to root account permissions.

Remedy: The bug is fixed in sudo 1.8.31.

The endless story of the SMTP gateway – CVE-2020-7247

Preface: Ray Tomlinson sent the first email across a network, initiating the use of the “@” sign to separate the names of the user and the user’s machine in 1971, when he sent a message from one DEC-10 computer to another DEC-10.

Synopsis: An SMTP relay is a protocol that allows email to be transmitted through the internet. OpenSMTPD design goals include security, reliability & easy of configuration. If you are OpenBSD ( open-source Unix-like operating system ) user, you can setup OpenSMTPD to relay local emails to Gmail.

Vulnerability details: So called the code blew a hole in relay server.

Privileges escalation: When mail is received by server, it uses the root (superuser account) to deal with it. And therefore anyone who’s can exploit this vulnerability. It similar to “promote” themselves to root.

This vulnerability exists in OpenBSD’s mail server OpenSMTPD’s “smtp_mailaddr()” function, and affects OpenBSD version 6.6. This allows an attacker to execute arbitrary shell commands like “sleep 66” as root user.

Remedy: To remediate this vulnerability, affected OpenBSD users are recommended to install patches for OpenBSD 6.6. See reference 019 in https://www.openbsd.org/errata66.html.

FusionAuth 1.10 Remote Command Execution – JAN 2020

Preface: The biggest differentiator between CIAM and regular (internal) IAM is that in CIAM the consumers of the service manage their own accounts and profile data.

Background: FusionAuth provides all of the features you need without the need to code plugins or purchase an enterprise license. It also capable for SaaS architecture provides maximum flexibility when it comes to deployment. You can also choose the type of database to use and the OS to install on.

Vulnerability details: Who have privileges to modify templates, instead of system admin or root. They can exploit this feature to conduct a Remote Command Execution. Vendor has alert to the user with the following statement. BE CAREFUL! this tag, depending on use, may allow you to set something up so that users of your web application could run arbitrary code on your server. This can only happen if you allow unchecked GET/POST submissions to be used as the command string in the exec tag.

Remedy: This vulnerability has been fixed in version 1.11 of FusionAuth.

CVE-2020-2696 Local privilege escalation via CDE dtsession – JAN 2020

Technical Background: How to manages a CDE session? The dtsession command provides session management functionality, compliant with ICCCM 1.1, during a user session, from login to logout. It starts a window manager and allows users to save a session, restore a session, lock a session, start screen savers, and allocate colors for desktop-compatible clients.

Vulnerability details: A buffer overflow in the CheckMonitor() function in the Common Desktop. It allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file (CVE-2020-2696).

  • All Official Ubuntu variants 12.04 – 18.04
  • Debian 6, 7, 8, 9
  • Fedora 17 at least
  • Archlinux
  • Red Hat
  • Slackware 14.0
  • OpenBSD
  • NetBSD
  • FreeBSD 9.2, 10.x, 11.x
  • openSUSE Tumbleweed (gcc7)
  • openSUSE Leap 4.2 (gcc4)
  • SUSE 12 SP3 (gcc4)
  • Solaris, OpenIndiana

Remedy: The open source CDE 2.x version have issued the following patches for this vulnerability:

https://sourceforge.net/p/cdesktopenv/mailman/message/36900154/

https://sourceforge.net/p/cdesktopenv/code/ci/6b32246d06ab16fd7897dc344db69d0957f3ae08/

MS CryptoAPI spoofing flaw – 15th Jan 2020

Preface: We are all scared of Ransomware!

Background: crypt32.dll is a type of DLL file, with extension of .dll. It is associated with Crypto API32 and is used to run Crypto API32 based applications. Certain sophisticated video games and software applications use crypt32.dll to get access to certain API functionality, as provided by Windows.

Vulnerability details: The bug exploits crypt32.dll signature verification on elliptic curve. crypt32.dll only checks for matching public key and parameters, but not the generator G. An attacker could use your public certificate without owning its private key, combined with some other code-signing certificate issued to someone else, to bypass a publisher check this way.

Special comment: Do you think this vulnerability has relationship with surveillance program?

NSA Official announcementhttps://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

Return to basis – access control (CVE-2020-3941) – Jan 2020

Preface: A race condition allows an attacker to access a shared resource, which can lead to an attack by other participants using the resource.

Background: VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guests operating systems.

Vulnerability details: The attacker can exploit this vulnerability because standard user entitled write permission from the directory. Apart from that this Common Agent Framework (CAF) subdirectory inherit the priviliges access control.

Remedy: To remediate this issue, it is recommended to upgrade VMware Tools to 11.0.0 or later.
However, if upgrading is not possible, exploitation of this issue can be prevented by correcting the ACLs on “C:\ProgramData\VMware\VMware CAF” directory in the Windows guests running VMware Tools 10.x.y versions. In order to correct ACLs for this directory, remove all write access permissions for Standard User from the directory.

Disable inheritance, remove all inherited permissions, grant “Full control” to local System account and Administrators group Correct the ACL from the Windows UI via Properties of the directory.

Official announcement: Please refer to URL – https://www.vmware.com/security/advisories/VMSA-2020-0002.html