Category Archives: Potential Risk of CVE

Cyber security focus – dnsmasq vulnerabilities (20th Jan, 2021)

Preface: On August 27, 2015 Cisco announced that it had completed the acquisition of OpenDNS (now branded as Cisco Umbrella). Perhaps they predicted that this day would come.

Background: dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server, router advertisement and network boot features, intended for small computer networks. Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.

Vulnerability details: Dnsmasq is vulnerable to memory corruption and cache poisoning. For more details, please see the following link: https://kb.cert.org/vuls/id/434904

Workarounds:

  • Configure dnsmasq not to listen on WAN interfaces
  • Reduce the maximum number of forwarded queries (--dns-forward-max=). The default is 150.
  • Apply the vendor patch
  • Use protocols that provide transport security for DNS (DoT or DoH)
  • Reduce the maximum EDNS message size (recommendations related to RFC 5625)
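An audit script for these workarounds, added here as an example (it is not dnsmasq's own code): it parses a dnsmasq.conf and flags listening on the WAN interface, a dns-forward-max above the chosen limit and an unreduced edns-packet-max. The WAN interface name eth0, the limits of 100 queries and 1232 bytes, and the two configs are assumptions/constructed.

```python
"""Audit a dnsmasq.conf against the workarounds listed above. Example code added
here, not part of dnsmasq; WAN name, thresholds and configs are assumed/constructed."""
# dnsmasq's documented defaults: 150 forwarded queries, 4096-byte EDNS0 packets.
DNS_FORWARD_MAX_DEFAULT = 150
EDNS_PACKET_MAX_DEFAULT = 4096

# Constructed configs: the first listens on the WAN side with a raised query limit, the second applies the workarounds.
WEAK_CONF = """
interface=eth0
interface=br-lan
dns-forward-max=500
"""
HARDENED_CONF = """
interface=br-lan
except-interface=eth0
bind-interfaces
dns-forward-max=100
edns-packet-max=1232
"""

def parse_dnsmasq_conf(text):
    """Return {option: [values]} for 'key=value' and bare 'key' lines ('#' starts a comment)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition("=")
        opts.setdefault(key.strip(), []).append(val.strip())
    return opts

def audit_dnsmasq(text, wan_interface="eth0", forward_max_limit=100, edns_max_limit=1232):
    """Return a list of findings; an empty list means every check passed.
    For a repeated numeric option the last value is taken (assumption)."""
    opts = parse_dnsmasq_conf(text)
    findings = []
    listens, excepted = opts.get("interface", []), opts.get("except-interface", [])
    bound = listens or opts.get("listen-address", [])
    # Without interface=/listen-address=, dnsmasq answers on every interface, WAN included.
    if wan_interface in listens or (not bound and wan_interface not in excepted):
        findings.append(f"listens on WAN interface {wan_interface}")
    fwd = int(opts["dns-forward-max"][-1]) if "dns-forward-max" in opts else DNS_FORWARD_MAX_DEFAULT
    if fwd > forward_max_limit:
        findings.append(f"dns-forward-max={fwd} exceeds {forward_max_limit}")
    edns = int(opts["edns-packet-max"][-1]) if "edns-packet-max" in opts else EDNS_PACKET_MAX_DEFAULT
    if edns > edns_max_limit:
        findings.append(f"edns-packet-max={edns} exceeds {edns_max_limit}")
    return findings
```

Running `audit_dnsmasq(WEAK_CONF)` yields three findings and `audit_dnsmasq(HARDENED_CONF)` none; an empty config is flagged on all three points because the defaults apply.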

Are you worried about UEFI BIOS attacks? (19th Jan, 2021)

Preface: Quite a lot of UEFI vulnerabilities and hardware misconfigurations have been found in the past. This is an alert signal. As a matter of fact, the problem is that it is very difficult to get malicious code into UEFI systems.

Background: Reading the first sector from a disk and loading it at 0x7C00 is a BIOS-specific boot protocol, but UEFI no longer uses it; it is old technology. UEFI bootloaders are loaded from a filesystem. UEFI requires the firmware and the operating system loader (or kernel) to be size-matched; for example, a 64-bit UEFI firmware implementation can load only a 64-bit operating system (OS) boot loader or kernel.

Synopsis: A local attacker with access to system memory may exploit this UEFI vulnerability. Perhaps this is not the only way.

Dell mitigates design flaws in a specific product (Inspiron 5675). Please refer to the link below. https://www.dell.com/support/kbdoc/zh-hk/000180645/dsa-2020-247-dell-client-platform-security-update-for-uefi-bios-runtimeservices-overwrite-vulnerability

CVE-2021-24122 Apache Tomcat Information Disclosure (14th Jan 2021)

Synopsis:
What is a reparse point? According to official information from Microsoft, the NTFS filesystem has a concept called a "reparse point". Traditional NTFS junctions and the Windows 10 "Unix-like" symlinks are two different kinds of reparse point.
Starting in Windows 10, version 1607, for the Unicode version of the function (FindFirstFileW), you can opt in to remove the MAX_PATH character limitation without prepending "\\?\".

Vulnerability details: The design weakness affects the function File.getCanonicalPath of the NTFS File System Handler component. Manipulation with an unknown input leads to a source code disclosure vulnerability. For details, see the attached diagram.

Vendor announcement: http://mail-archives.us.apache.org/mod_mbox/www-announce/202101.mbox/%3Cf3765f21-969d-7f21-e34a-efc106175373%40apache.org%3E

Fixed in:
– 10.0.x for 10.0.0-M10 onwards
– 9.0.x for 9.0.40 onwards
– 8.5.x for 8.5.60 onwards
– 7.0.x for 7.0.107 onwards

CVE-2020-27780 – Linux-pam vulnerability – Improper Authentication (18th Dec 2020)

Background: Linux-PAM originated from the open source implementation of the DCE-RFC software of Sun, a well-known manufacturer later acquired by Oracle. PAM stands for Pluggable Authentication Modules: various authentication modules and plug-ins can be introduced dynamically for authentication without reloading the system, which is very flexible.

Vulnerability details: When the user does not exist, PAM tries to authenticate against root, and in the case of an empty password it authenticates successfully.

Reason: The default options set on pam_pwquality above include local_users_only, which tells pam_pwquality to ignore users that are not in the local /etc/passwd file. However, the blank check could return 1 if root had an empty password, because in the second case (refer to diagram) the password hash of root was used.
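A simulation of the lookup flaw just described, added here as an example (this is not Linux-PAM's code): the vulnerable lookup falls back to root's shadow entry for an unknown user, so with an empty root hash the blank check passes, while the corrected lookup denies unknown users outright. The shadow entries are constructed and toy_hash() is a stand-in for crypt(3), not PAM's hashing scheme.

```python
"""Simulation of the lookup flaw described above: a password check that falls
back to root's shadow entry when the requested user does not exist, beside the
corrected lookup. Example code added here, not Linux-PAM's source; the shadow
entries are constructed and toy_hash() is a stand-in for crypt(3)."""
import hashlib

def toy_hash(password, salt="s4lt"):
    """Stand-in for crypt(3) (assumption): salted SHA-256 in a crypt-like format."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"

# Constructed shadow data: root's hash field is empty, i.e. a blank password.
SHADOW = {"root": "", "alice": toy_hash("correct horse")}

def lookup_hash_vulnerable(shadow, user):
    """Flawed lookup: an unknown user falls through to root's entry,
    which is the behaviour the advisory describes."""
    return shadow.get(user, shadow["root"])

def lookup_hash_fixed(shadow, user):
    """Corrected lookup: an unknown user yields no hash at all."""
    return shadow.get(user)

def blank_check(stored_hash):
    """Mirror of the 'blank' check: 1 when the stored hash field is empty, else 0."""
    return 1 if stored_hash == "" else 0

def authenticate(shadow, user, password, lookup):
    """Return True only when the password matches the hash the lookup returned."""
    stored = lookup(shadow, user)
    if stored is None:
        return False            # unknown user: deny without comparing anything
    if blank_check(stored):
        return password == ""   # empty hash field: only the empty password matches
    return stored == toy_hash(password)
```

With `lookup_hash_vulnerable`, a non-existent user and an empty password succeed as long as root's hash field is empty; with `lookup_hash_fixed` the same attempt is denied.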

Remediation: https://github.com/linux-pam/linux-pam/releases

CVE-2021-3006 (Loopring (LRC) Protocol Incident): if you are passionate about cryptocurrency, you should be alert to this. (4th Jan 2021)

Background: In November 2020, many DeFi platforms on Ethereum encountered security incidents, for example Pickle Finance and 88mph.

What Is Decentralized Finance (DeFi)?
By deploying immutable smart contracts on Ethereum, DeFi developers can launch financial protocols and platforms that run exactly as programmed and that are available to anyone with an Internet connection.

What Are Flash Loans in DeFi?
A loan from strangers is possible in DeFi. In order to fulfill this request, the borrower must repay the lender in the same transaction that issued the funds.

Vulnerability details: The Farm contract is deployed in every Seal pool, and the function breed() in the contract is used to issue new Seal tokens. However, there is no access control on the breed() function, so anyone can call the breed() function of the Farm contract.

CVE-2021-3006 Detail – https://nvd.nist.gov/vuln/detail/CVE-2021-3006

To avoid malware misusing the "PACKET_MMAP" function in a Linux environment; CISA releases a free detection tool for Azure/M365 environments (29th Dec 2020)

Preface: Neither shellcode nor shellcode injection has anything to do with shell scripting. It is a sophisticated way of finding a vulnerable spot in the cyber security layer of an organization and exploiting it for malicious purposes.

Background: Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices. The platform consists of the integration of hardware built around a secured silicon chip; the Azure Sphere OS (operating system), a custom high-level Linux-based operating system; and the Azure Sphere Security Service, a cloud-based security service….

About the "PACKET_MMAP" function: the official kernel documentation describes it as follows:
PACKET_MMAP provides a size-configurable circular buffer mapped in user space that can be used to either send or receive packets. However, a design weakness has occurred: the mmap'ed memory buffer is filled by the kernel when using PACKET_RX_RING. As a result, from the user process's side it is enough to mmap a buffer with the PROT_READ|PROT_EXEC permission flags and let the kernel fill the buffer.
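A detection check for the mechanism just described, added here as an example rather than code from Azure Sphere or the kernel documentation: a ring buffer that the kernel fills should never be executable, so the script parses /proc/PID/maps and flags executable mappings backed by a socket, and (going one step beyond the page) anonymous mappings that are both writable and executable. It assumes the mmap'ed ring appears in maps with a `socket:[inode]` pathname; the sample maps text is constructed.

```python
"""Flag executable mappings that a kernel-filled PACKET_MMAP ring could turn into
a shellcode landing zone. Example code added here (not from Azure Sphere or the
kernel docs); it assumes the socket-backed ring shows up in /proc/PID/maps as
'socket:[inode]', and the sample maps text is constructed."""
import re
# One /proc/PID/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample: a normal text segment, an executable socket-backed ring,
# a plain heap area, an rwx anonymous region and the stack.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a02000 r-xp 00000000 fd:01 1234567 /usr/bin/example
7f3a10000000-7f3a10400000 r-xp 00000000 00:08 98765 socket:[98765]
7f3a20000000-7f3a20021000 rw-p 00000000 00:00 0
7f3a30000000-7f3a30001000 rwxp 00000000 00:00 0
7ffd5e9f0000-7ffd5ea11000 rw-p 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    """Parse maps text into one dict per mapping, adding the mapping size in bytes."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["end"], 16) - int(d["start"], 16)
            mappings.append(d)
    return mappings

def suspicious_mappings(text):
    """Return (reason, mapping) pairs: executable socket-backed mappings (a PROT_EXEC
    packet ring) and anonymous mappings that are both writable and executable."""
    hits = []
    for m in parse_maps(text):
        if "x" not in m["perms"]:
            continue
        if m["path"].startswith("socket:["):
            hits.append(("exec-socket-mapping", m))
        elif "w" in m["perms"] and m["path"] == "":
            hits.append(("rwx-anonymous", m))
    return hits

def scan_process(pid):
    """Run the check against a live process (Linux only)."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_mappings(fh.read())
```

On the constructed sample the socket-backed 4 MiB r-x mapping and the rwxp anonymous region are reported; the text segment, heap and stack are not.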

Remedy: Shellcode injection can sometimes evade your malware protection mechanism. From one point of view, using a SIEM is one of the cost-effective solutions. Meanwhile, CISA has released a free detection tool for Azure/M365 environments. Reference link – https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment

Reminder: For those who are using it (SCO OpenServer) (28th Dec 2020)

Preface: Today's web design tools are quite mature, and you can build large websites without even touching HTML syntax. Maybe the vulnerability can happen in this way!

What are the HTTP methods?
OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT

What is the difference between GET and POST?
The HTTP GET method does not allow data to be passed in the message body, because it is GET.
POST was originally meant to send form data in the message body. In addition, multipart encoding is used when sending files, and the files and the other form fields are placed in the message body for sending.

Vulnerability details: It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time-delay commands to verify the existence of the vulnerability. For more details, please refer to the URL below: https://nvd.nist.gov/vuln/detail/CVE-2020-25494

Before the end of 2020, there are two important notes to remind Citrix users (22nd Dec 2020)

Preface: Many companies, especially law firms and financial institutions, choose Citrix thin client functions. The decision seems correct, because their functions look perfect, for example TCP offloading and network security protection. However, in order to cope with the demanding digital technology market, they become involved in technologies and zones which are of interest to hackers.

Highlight: Design weakness on specific product:
1. Citrix Gateway Plug-in for Windows: If exploited, could result in a local user escalating their privilege level to SYSTEM.

Design weakness: When the service runs, it executes a periodic PowerShell script as SYSTEM every five minutes. To exploit this vulnerability, an attacker could create a malicious file, name it powershell.exe and copy it to every directory they have access to. This would allow them to achieve elevation of privilege on systems running the Citrix Gateway Plug-in for Windows.

2. Starting 1st Oct 2020, ADC MPX and SDX appliances will use the appliance serial number as the password

Official announcement: Citrix Gateway Plug-in for Windows Security Update – https://support.citrix.com/article/CTX282684

CVE-2020-4829 – AIX owner should be staying alert! (14th Dec 2020)

Preface: When I was young, there were two giants in the mid-range system market: IBM and Sun Micro. Over time, IBM won this market. To this day, the business world likes to use the IBM AIX OS the most.

Background: About twenty years ago, well-known buffer overflow vulnerabilities were discovered in Kerberos 5, caused by buffer overflows in the Kerberos 4 compatibility code. As a result, they impacted the MIT Kerberos 5 releases (1.0.x, 1.1 and 1.1.1) and MIT Kerberos 4 patch level 10.
According to the IBM AIX 7.2 security guidebook, when Kerberos authentication is successful, the secldapclntd daemon saves the bind credentials to the /etc/security/ldap/krb5cc_secldapclntd directory. This shows that AIX 7.2 is using Kerberos 5. Since CVE-2020-4829 does not explicitly describe the vulnerability details, perhaps this lets me speculate that the vulnerability announced this month is related to the flaw found 20 years ago.

Reminder: This bug looks critical in my personal opinion. It is recommended to patch immediately.

Official announcement: https://aix.software.ibm.com/aix/efixes/security/ksu_advisory.asc

FireEye detected APT activity going through a SolarWinds product (13th Dec 2020)

Preface: SolarWinds Orion is an IT performance monitoring platform that helps businesses manage and optimize their IT infrastructure.

Vulnerability details: SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds. However, when the connection comes from a trusted vendor (valid signature) but carries malware, the existing design has no defense mechanism.

Impact: CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.

Remedy: https://www.solarwinds.com/securityadvisory