Category Archives: Potential Risk of CVE

Microsoft Windows MsiAdvertiseProduct function vulnerable to privilege escalation via race condition – 20th Dec 2018

Preface: MsiAdvertiseProduct function enables the installer to write to a script the registry and shortcut information used to assign or publish a product.

Vulnerability details:
Due to improper validation, the affected function can be abused to force the installer service into making a copy of any file with SYSTEM privileges and then reading its content, resulting in an arbitrary file read vulnerability.
A race condition occurs when two or more threads can access shared data and try to change it at the same time. Because the thread scheduling algorithm can swap between threads at any time, you don’t know the order in which the threads will attempt to access the shared data. As a result, an attacker gets a window in which to access the shared data, and in such circumstances the access control list may no longer be enforced as intended.
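The paragraph above describes the general shape of a time-of-check/time-of-use race: a privileged service validates a path, and the caller changes what the path points at before the service uses it. The following added example (not code from this post, and not Microsoft's installer code) models that pattern in Python on a POSIX host: a vulnerable "check the path, then open the path" copy routine beside a hardened "open once, then check the descriptor" routine. The file names, the `race_hook` test seam that simulates the attacker's thread winning the race, and the use of `O_NOFOLLOW` are all assumptions of the example.

```python
import errno
import os
import stat
import tempfile

# Added example, not code from the post. A privileged "copy service" receives a
# path from a low-privilege caller, who can change what the path refers to
# while the service is working. `race_hook` is a test seam that stands in for
# the caller's thread winning the race at the worst possible moment.


def copy_check_then_use(src_path, race_hook=lambda: None):
    """Vulnerable pattern: validate the path, then look the path up again.

    Anything that happens to the path between the two lookups (here: it is
    replaced by a symlink to a file the caller may not read) is invisible to
    the validation step, so the privileged open() follows the new target."""
    if stat.S_ISLNK(os.lstat(src_path).st_mode):
        raise PermissionError("symlinks are not allowed")
    race_hook()                      # the race window
    with open(src_path, "rb") as f:  # second lookup: follows symlinks
        return f.read()


def copy_open_then_check(src_path, race_hook=lambda: None):
    """Hardened pattern: one lookup, then validate the object you hold.

    The descriptor is bound to whatever existed at open() time; changing the
    directory entry afterwards cannot redirect it. O_NOFOLLOW is POSIX-only,
    so this demo assumes a POSIX host."""
    try:
        fd = os.open(src_path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno == errno.ELOOP:  # O_NOFOLLOW met a symlink
            raise PermissionError("refusing to open a symlink") from exc
        raise
    race_hook()                      # swapping the path now changes nothing
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("only regular files may be copied")
        with os.fdopen(fd, "rb") as f:
            fd = -1                  # the file object now owns the descriptor
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Run both patterns against the same race and report what each read.

    Constructed layout: public.txt (the caller may read it) and secret.txt
    (the caller may not). The race swaps public.txt for a symlink to secret.txt."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")

        def reset():
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as f:
                f.write(b"harmless")

        def swap():                  # the caller wins the race
            os.remove(public)
            os.symlink(secret, public)

        results = {}
        reset()
        results["vulnerable"] = copy_check_then_use(public, race_hook=swap)
        reset()
        results["hardened"] = copy_open_then_check(public, race_hook=swap)
        try:                         # public.txt is a symlink by now
            copy_open_then_check(public)
            results["hardened_on_symlink"] = "opened"
        except PermissionError:
            results["hardened_on_symlink"] = "refused"
        return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened routine never consults the path a second time: every decision after `os.open` is made on the descriptor with `os.fstat`, so the caller's swap has nothing to race against. On Windows the same idea is expressed by opening the handle first and querying the handle, not the name.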

Remedy: the vendor has not released a patch yet, since this is a newly disclosed exploit (zero-day).

Comment: we suggest monitoring Event ID 11707 or 1033 in your SIEM.

Remark: Windows logs several different events when you install or uninstall software. The installation events are Event ID 11707 and 1033.

Wishing you a Merry Christmas and a safe cyber prosperous new year!

Open-source user mode file system for Windows: software driver contains a stack-based buffer overflow – 20th Dec 2018

Preface: Dokan is a user mode file system for Windows. It allows anyone to safely and easily develop new file systems on Windows operating systems.

Technical details: When you want to create a new file system on Windows you need to develop a file system driver. Developing a device driver that works in the kernel mode on Windows requires highly technical skills. By using Dokan, you can create your own file systems very easily without writing device drivers. Dokan is similar to FUSE (Linux user mode file system) but works on Windows.

Vulnerability synopsis: the Dokan file system driver contains a stack-based buffer overflow.

Remedy: https://github.com/dokan-dev/dokany/releases

Wishing you a Merry Christmas and a safe cyber prosperous new year!

CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability

Preface: “I Saw Mommy Kissing Santa Claus” is a famous Christmas song. But perhaps this time it is the hacker kissing your Internet Explorer web browser before Christmas. The comparison fits because both are famous figures in the world.

Detail description:
ChakraCore is the core part of Chakra, the high-performance JavaScript engine that powers Microsoft Edge and Windows IE applications written in HTML/CSS/JS. ChakraCore supports Just-in-time (JIT) compilation of JavaScript for x86/x64/ARM, garbage collection, and a wide range of the latest JavaScript features.

Vulnerability found on 20th Dec 2018:
Microsoft Internet Explorer contains a memory corruption vulnerability in the scripting engine JScript component, which can allow a remote attacker to execute arbitrary code on a vulnerable system.

Workaround: restrict access to JScript.dll by executing the following commands:
cacls %windir%\system32\jscript.dll /E /P everyone:N
cacls %windir%\syswow64\jscript.dll /E /P everyone:N

Official announcement at the URL below: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653

Cyber security practitioners must stay alert! (Cisco security advice) – 19th Dec 2018

Preface: Firewall solutions are essential to protect organizations from potential cyber threats. HTTPS is used to make communication between the server and the browser secure.

Key factor in cyber security:
It is hard to avoid vulnerabilities occurring in digital products today. The most critical issue is how quickly you learn of them and how efficient the remedy is.

Cisco disclosed a vulnerability in their ASA product on 19th Dec 2018:
A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface.

Remedy solution:
Please refer to the official Cisco announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181219-asa-privesc

Webroot BrightCloud SDK HTTP headers-parsing code execution vulnerability – 17th Dec 2018

Preface: Webroot delivers next-generation endpoint security and threat intelligence services to protect businesses and individuals in a connected world.

Technical background: The Webroot BrightCloud® Mobile Security SDK addresses mobile device vulnerabilities by enabling mobile management partners to offer enhanced security.

Vulnerability found on 17th Dec 2018:
CUJO Smart Firewall (version 7003) provides a service that prevents home users' IoT devices from connecting to malicious websites. A library file (webroot.so) provided by the Webroot SDK contains a heap-based buffer overflow. In normal circumstances, CUJO accesses the BrightCloud API through bcap15.brightcloud.com over a plain HTTP connection. The function bc_http_read_header incorrectly handles overlong headers, leading to arbitrary code execution; an attacker who can impersonate the remote BrightCloud server can trigger this vulnerability.
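The defect described above is a header reader that does not bound the length of what it copies. As an added example (not Webroot's or CUJO's code; the limits, the error type and the sample responses are assumptions), here is an HTTP/1.x response-head reader that enforces a per-line, per-block and header-count budget before any byte is stored, together with constructed responses that exercise the normal and the overlong case.

```python
import io

# Added example, not the SDK's code. Limits are assumptions; tune per client.
MAX_LINE = 8192          # bytes per header line, CRLF included
MAX_HEADERS = 100        # distinct header lines per response
MAX_TOTAL = 64 * 1024    # bytes for the whole response head


class HeaderError(ValueError):
    """Raised when the response head violates a limit or is malformed."""


def _read_line(stream):
    """Read one CRLF-terminated line without ever buffering more than MAX_LINE bytes.

    readline(MAX_LINE + 1) is a bounded read: if it returns more than MAX_LINE
    bytes the line is overlong, and it is rejected before being copied anywhere."""
    line = stream.readline(MAX_LINE + 1)
    if len(line) > MAX_LINE:
        raise HeaderError("header line exceeds %d bytes" % MAX_LINE)
    if not line.endswith(b"\n"):
        raise HeaderError("connection closed mid-header")
    return line.rstrip(b"\r\n")


def read_headers(stream):
    """Parse the status line and headers from `stream`; returns (status, headers).

    The stream is left positioned at the first body byte."""
    status = _read_line(stream)
    if not status.startswith(b"HTTP/1."):
        raise HeaderError("bad status line")
    headers = {}
    total = len(status)
    while True:
        line = _read_line(stream)
        total += len(line)
        if total > MAX_TOTAL:
            raise HeaderError("header block too large")
        if line == b"":                      # blank line ends the head
            return status.decode("ascii", "replace"), headers
        if len(headers) >= MAX_HEADERS:
            raise HeaderError("too many headers")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise HeaderError("malformed header line")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("latin-1")


def check_response(raw):
    """Return ("ok", headers) or ("rejected", reason) for a raw response head."""
    try:
        _status, headers = read_headers(io.BytesIO(raw))
        return "ok", headers
    except HeaderError as exc:
        return "rejected", str(exc)


# Constructed sample responses (not captured traffic).
GOOD = (b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/json\r\n"
        b"Content-Length: 2\r\n"
        b"\r\n{}")
OVERLONG = b"HTTP/1.1 200 OK\r\nX-Padding: " + b"A" * (MAX_LINE * 2) + b"\r\n\r\n"
TOO_MANY = (b"HTTP/1.1 200 OK\r\n"
            + b"".join(b"X-%d: 1\r\n" % i for i in range(MAX_HEADERS + 1))
            + b"\r\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("overlong", OVERLONG), ("too_many", TOO_MANY)):
        print(label, check_response(raw))
```

The important property is that the limit is checked on the bounded `readline` result, not after an unbounded read: a server that sends megabytes of header never causes more than `MAX_LINE + 1` bytes to be held for a single line.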

Reference: BrightCloud – about enquiry
https://www.brightcloud.com/faq

Jenkins Stapler Web Framework Arbitrary Code Execution Vulnerability – 17th Dec 2018

Preface: Vulnerabilities are flaws in computer software that create weaknesses in your computer's or network's overall security.
Can you imagine what the actual situation was before the vulnerability was found?

Background information: Jenkins is the leading open-source automation server. Built with Java, it provides over 1000 plugins to support automation.

Vulnerability announcement on 17th Dec 2018:
The vulnerability is due to improper handling of HTTP requests by the stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java code of the Stapler web framework used by the affected software. An attacker could exploit this vulnerability by persuading a user to access a link that submits malicious input to the targeted system. An exploit could allow the attacker to invoke certain methods that are not intended to be invoked, which the attacker could use to execute arbitrary code.
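The sentence above, "invoke certain methods that are not intended to be invoked", is the essence of reflection-based routing gone wrong: a URL segment is turned into a method name and whatever method happens to match is called. The following added example (not Jenkins or Stapler code; the `Project` class, the `do`/`get` naming convention as modelled here, and the `@web_method` opt-in decorator are assumptions) contrasts a router that dispatches on name alone with one that only dispatches to methods explicitly marked as web-reachable and whose signature fits the supplied arguments.

```python
import inspect

# Added example, not the framework's code. Toy router in the style of a
# reflection-based web framework: URL segment "build" -> doBuild(),
# segment "name" -> getName(). Only the hardened router checks intent.


def web_method(fn):
    """Mark a method as intentionally reachable from a URL."""
    fn.__web_exposed__ = True
    return fn


class Project:
    def __init__(self, name):
        self.name = name
        self.builds = 0
        self.script = "echo hello"

    @web_method
    def doBuild(self):
        self.builds += 1
        return "build #%d of %s" % (self.builds, self.name)

    @web_method
    def getName(self):
        return self.name

    # Internal helper that follows the same naming pattern but was never
    # meant to be URL-routable.
    def doSetScript(self, script):
        self.script = script
        return "script updated"


def _candidates(segment):
    suffix = segment[:1].upper() + segment[1:]
    return ("do" + suffix, "get" + suffix)


def route_by_name(obj, segment, *args):
    """Vulnerable: any attribute whose name matches the convention is
    callable from a URL, whether or not the author intended it."""
    for name in _candidates(segment):
        fn = getattr(obj, name, None)
        if callable(fn):
            return fn(*args)
    raise LookupError("no route for %r" % segment)


def route_allowlisted(obj, segment, *args):
    """Hardened: dispatch only to methods that opted in via @web_method and
    whose signature accepts exactly the supplied arguments."""
    for name in _candidates(segment):
        fn = getattr(type(obj), name, None)   # look on the class, not the instance
        if fn is None or not getattr(fn, "__web_exposed__", False):
            continue
        try:
            inspect.signature(fn).bind(obj, *args)
        except TypeError:
            raise LookupError("bad arguments for %r" % segment)
        return fn(obj, *args)
    raise LookupError("no route for %r" % segment)


def dispatch(router, obj, segment, *args):
    """Run a router and report the outcome as data rather than an exception."""
    try:
        return "ok", router(obj, segment, *args)
    except LookupError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    p = Project("demo")
    print(dispatch(route_by_name, p, "setScript", "echo tampered"))     # reaches the helper
    print(dispatch(route_allowlisted, p, "setScript", "echo tampered")) # denied
```

Looking the method up on the class rather than the instance also prevents a request from reaching callables that were stashed on an instance at runtime, and binding the signature before the call rejects requests that would pass extra or missing parameters.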

Official announcement (Remedy): https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595

CVE-2018-19966: Xen Union Data Structure Guest OS Users Privilege Escalation Vulnerability

Preface: Xen Project is a hypervisor using a microkernel design, providing services that allow multiple computer operating systems to execute on the same computer hardware concurrently.

Vulnerability description:
The vulnerability is due to an interpretation conflict in a union data structure associated with shadow paging. XSA-240 introduced a new field into the control structure associated with each page of RAM. This field was added to a union, where it conflicts with the dirty bitmap tracking that is used when performing live migration of virtual machines. The conflict is triggered during migration, or by the L1TF mitigation for PV guests (L1 Terminal Fault speculative side channel mitigation, XSA-273).

Impact: All Xen versions from at least 3.2 onwards are vulnerable. Earlier versions have not been checked.

Official remedy solution: https://xenbits.xen.org/xsa/advisory-280.html

Cisco Security Advisory – Texas Instruments Bluetooth Low Energy Denial of Service and Remote Code Execution Vulnerability – Last Updated: 13th Dec 2018.

Preface: Key components of a smart city are IoT devices. The communication protocols of IoT devices are LoRa, SigFox and NarrowBand (NB).

Background: In reality, a smart city cannot do without WiFi infrastructure. So WiFi is one of the key components in this family (smart city).

Cisco's follow-up on the TI BLE chip vulnerability (CVE-2018-16986): verify with the following command on the wireless AP. If the device reports that BLE is not supported, the device is confirmed not vulnerable.

ap# show controllers bleRadio 0 interface
BLE not supported on this platform

If it is supported, please review the URL below: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap

Pixar's Tractor – Vulnerability Note VU#756913 (13th Dec, 2018)

Preface: As time goes by, an evolution in technology offers best-of-class in rendering for both VFX and feature film animation.

What does VFX stand for?
Visual effects (abbreviated VFX) is the process by which imagery is created or manipulated outside the context of a live action shot in film making.
RenderMan offers a combination of unbiased and biased rendering techniques which provide both accuracy and technical efficiency.

Vulnerability details:
Pixar’s Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability.

Stored XSS, also known as persistent XSS, is the more damaging of the two main kinds of XSS. It occurs when a malicious script is injected directly into a vulnerable web application.
In most cases, a cross-site scripting attack is used to steal another person's cookies. As we know, cookies let us log in automatically; therefore, with stolen cookies, an attacker can log in under other identities. In this vulnerability, the stored information is displayed when a user requests information about the node. An attacker could insert JavaScript into this note field, which is then saved and displayed to the end user.
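To make the two halves of that paragraph concrete, here is an added example (not Pixar's or Tractor's code; the note store, page template, node id and sample note are constructed): a note field rendered without output encoding beside the same field rendered through `html.escape`, plus a session cookie issued with `HttpOnly` so that even a script which does run cannot read the cookie the paragraph says attackers are after.

```python
import html
from http.cookies import SimpleCookie

# Added example, not the product's code. NOTES stands in for the table that
# persists a per-node note; the "stored" in stored XSS is this dictionary.
NOTES = {}

PAGE = '<h1>Node {node}</h1><div class="note">{note}</div>'


def save_note(node_id, text):
    """Persist the note exactly as submitted (storage is not the place to mangle it)."""
    NOTES[node_id] = text


def render_note_vulnerable(node_id):
    """Output the stored note verbatim into the HTML page: a stored XSS sink."""
    return PAGE.format(node=node_id, note=NOTES[node_id])


def render_note_hardened(node_id):
    """Encode every untrusted value for the HTML text context it lands in.

    quote=True also encodes quotes, which matters if the same value is ever
    placed inside an attribute."""
    return PAGE.format(node=html.escape(node_id, quote=True),
                       note=html.escape(NOTES[node_id], quote=True))


def contains_live_script(rendered):
    """Crude check used by the demo: is there a real <script> element in the page?"""
    return "<script" in rendered.lower()


def session_cookie_header(token):
    """Issue the session cookie so that document.cookie cannot read it."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    return c.output(header="Set-Cookie:")


# Constructed sample: the classic proof-of-concept note an attacker would save.
SAMPLE_NOTE = "<script>alert(document.cookie)</script>"
SAMPLE_NODE = "render-01"

if __name__ == "__main__":
    save_note(SAMPLE_NODE, SAMPLE_NOTE)
    print(render_note_vulnerable(SAMPLE_NODE))
    print(render_note_hardened(SAMPLE_NODE))
    print(session_cookie_header("constructed-token"))
```

Encoding happens at render time, not at save time, because the correct encoding depends on where the value is emitted (HTML text, attribute, JavaScript string, URL); storing the raw note and encoding on output keeps that decision next to the context that needs it.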

Reference: https://kb.cert.org/vuls/id/756913/

CVE-2018-1002105 (kubernetes) : authentication/authorization bypass in the handling of non-101 responses – Dec 2018

Preface: Since its launch in 2014, Kubernetes has been running strong. It is becoming “the Linux of the cloud,” according to Jim Zemlin, Executive Director of the Linux Foundation. Analysts estimate that 54 percent of Fortune 100 companies use Kubernetes across a spectrum of industries including finance, manufacturing, media, and others.

Even a giant gets sick like ordinary people (the so-called vulnerability):
Critical – CVE-2018-1002105 kubernetes: authentication/authorization bypass in the handling of non-101 responses. Reference: https://access.redhat.com/security/cve/cve-2018-1002105
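"Handling of non-101 responses" refers to the API server proxying an upgrade request (exec, attach, port-forward) to a backend that trusts the API server's own client credentials. The following added example (not Kubernetes code; the `Backend`, `ApiServerProxy`, the user "alice" and the policy table are constructed) models the failure mode in miniature: when the backend answers with anything other than 101 Switching Protocols, the connection must not be handed over to the client as a raw tunnel, because everything sent through that tunnel reaches the backend authenticated as the API server, bypassing the proxy's authorization.

```python
# Added example, not the Kubernetes project's code. A toy model of the
# CVE-2018-1002105 failure mode.

SWITCHING_PROTOCOLS = 101


class Backend:
    """Stand-in for a kubelet or aggregated API server. It accepts whatever the
    API server forwards and performs no authorization of its own."""

    def __init__(self):
        self.served = []                 # (request line, identity the backend saw)

    def handle(self, req, identity):
        self.served.append((req["line"], identity))
        if req["line"] == "POST /exec":
            if req.get("upgrade") == "SPDY/3.1":
                return SWITCHING_PROTOCOLS, "Switching Protocols"
            return 400, "Bad Request"    # malformed upgrade attempt
        return 200, "OK"


class ApiServerProxy:
    """Authorizes each request, forwards it as itself, and hands the connection
    over as an opaque tunnel only when the upgrade actually succeeded."""

    # Constructed policy: alice may only start exec sessions.
    POLICY = {("alice", "POST /exec")}

    def __init__(self, backend, tunnel_only_on_101):
        self.backend = backend
        self.tunnel_only_on_101 = tunnel_only_on_101
        self.tunnel_identity = None      # set once the connection is handed over

    def request(self, user, req):
        if self.tunnel_identity is not None:
            # Connection was handed over: bytes flow straight to the backend,
            # bypassing this proxy's authorization entirely.
            return self.backend.handle(req, identity=self.tunnel_identity)
        if (user, req["line"]) not in self.POLICY:
            return 403, "Forbidden"
        status, reason = self.backend.handle(req, identity="apiserver")
        if req.get("upgrade"):
            upgraded = status == SWITCHING_PROTOCOLS
            if upgraded or not self.tunnel_only_on_101:
                # Vulnerable build: tunnels even though the upgrade failed.
                self.tunnel_identity = "apiserver"
        return status, reason


def scenario(fixed):
    """alice sends a malformed upgrade, then a request she is not allowed to make.

    Returns (first response, second response, what the backend served)."""
    backend = Backend()
    proxy = ApiServerProxy(backend, tunnel_only_on_101=fixed)
    first = proxy.request("alice", {"line": "POST /exec", "upgrade": "bogus"})
    second = proxy.request("alice", {"line": "GET /pods"})
    return first, second, backend.served


if __name__ == "__main__":
    print("vulnerable:", scenario(fixed=False))
    print("fixed:     ", scenario(fixed=True))
```

In the fixed variant the second request goes through the proxy's normal authorization and is refused; the real fix additionally closes the client connection after relaying the error, which this model expresses simply by never entering the tunnel state.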

CVE-2018-1002101 – In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.
Reference: https://github.com/kubernetes/kubernetes/issues/65750

CVE-2018-1002103 – An attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard and create a new Kubernetes Deployment running arbitrary code. If minikube mount is in use, the attacker could also directly access the host filesystem.
Reference: https://github.com/kubernetes/minikube/issues/3208