Category Archives: Potential Risk of CVE

CVE-2020-10143 – Macrium Reflect: the vendor's slogan claims that 12 million devices around the world have its software installed.

Preface: Sometimes a vulnerability is caused by misconfiguration.

Vulnerability details: MinGW (http://www.mingw.org/) provides a complete Open Source programming tool set which is suitable for the development of native MS-Windows applications and which does not depend on any 3rd-party C-Runtime DLLs. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that the resulting programs and libraries are installed in a Unix-like environment. Therefore the default prefix for program installation, as well as for OPENSSLDIR, is '/usr/local'.
Unfortunately, when the same layout is used in an MS Windows environment, /usr/local is world writable.
In addition, some build instructions for the various Windows targets on 1.0.2 encourage you to specify your own --prefix.
OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.

By default, the OpenSSL directory is /usr/local/ssl. If you run config without --prefix and without --openssldir, that is what you get.

The vulnerability above is recorded in the CVE database as CVE-2019-1552. About a year later, the software vendor Macrium encountered a similar design defect (CVE-2020-10143). Please refer to the link – https://kb.cert.org/vuls/id/760767

Workaround: Ensure that the OPENSSLDIR path is set to a location that is only writable by the system itself.
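One way to audit the workaround on an installed OpenSSL, as an added example that is not part of the original post or of any vendor tooling: read OPENSSLDIR from `openssl version -d`, then inspect who may write to it. On Windows the ACL is read through `icacls`; the `icacls` lines and the `openssl version -d` output embedded below are constructed samples, and the rights abbreviations checked are the ones `icacls` itself prints.

```python
import os
import re
import stat
import subprocess
import sys

# Constructed sample of what `openssl version -d` prints (not captured from a real host).
SAMPLE_VERSION_D = 'OPENSSLDIR: "/usr/local/ssl"'

# Constructed sample lines in the format `icacls <dir>` prints on Windows.
SAMPLE_ICACLS = [
    r"C:\usr\local\ssl Everyone:(OI)(CI)(F)",
    r"                 BUILTIN\Administrators:(OI)(CI)(F)",
]

# Principals every local user belongs to; write rights granted to them make the path "world writable".
BROAD_PRINCIPALS = ("everyone", r"builtin\users", "authenticated users")
# icacls rights that allow creating or replacing files: F(ull), M(odify), W(rite) and the granular flags.
WRITE_RIGHTS = ("(F)", "(M)", "(W)", "(WD)", "(AD)", "(GW)")

def parse_openssldir(version_d_output: str) -> str:
    """Extract the path from the 'OPENSSLDIR: "..."' line of `openssl version -d`."""
    m = re.search(r'OPENSSLDIR:\s*"([^"]+)"', version_d_output)
    if not m:
        raise ValueError("no OPENSSLDIR line in output")
    return m.group(1)

def icacls_grants_broad_write(icacls_lines) -> bool:
    """True if any Everyone/Users/Authenticated Users ACE carries a write right."""
    for line in icacls_lines:
        ace = line.strip().lower()
        if any(p in ace for p in BROAD_PRINCIPALS) and any(r.lower() in ace for r in WRITE_RIGHTS):
            return True
    return False

def posix_world_writable(path: str) -> bool:
    """True if the directory mode has the other-write bit set."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def check_live_host() -> bool:
    """Ask the installed openssl for its OPENSSLDIR and report whether it is broadly writable."""
    out = subprocess.run(["openssl", "version", "-d"], capture_output=True, text=True, check=True).stdout
    path = parse_openssldir(out)
    if sys.platform == "win32":
        acl = subprocess.run(["icacls", path], capture_output=True, text=True).stdout.splitlines()
        return icacls_grants_broad_write(acl)
    return posix_world_writable(path)

if __name__ == "__main__":
    print("OPENSSLDIR broadly writable:", check_live_host())
```

A result of True means any local user can drop an openssl.cnf into the directory OpenSSL trusts, which is the condition both CVEs describe.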

If you are incorporating Oracle Business Intelligence results into external portals or applications, you should stay alert! (Oct 2020)

Preface: Integrating Oracle BI Presentation Services into corporate environments using HTTP and JavaScript. Java made business operations run perfectly; meanwhile, it gives people headaches!

Background: When called from within an Oracle BI Presentation Services screen, such as a dashboard or an HTML result view, the URL should begin with the following characters: saw.dll?Go

When called from another screen on the same Web server, the URL should begin with the following characters: /analytics/saw.dll?Go

Vulnerability details: Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter, an attacker with access to the administration interface is able to read arbitrary system files.

Official announcement: https://www.oracle.com/security-alerts/cpuoct2020.html
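The defensive check that the flaw above lacks, as an added example and not Oracle's code: a request value like `previewFilePath` is resolved against the upload directory after normalisation, and anything that lands outside it, or is not an image, is refused. `UPLOAD_ROOT`, `ALLOWED_EXT` and the function names are assumptions of this example.

```python
import os

# Hypothetical upload directory for theme logos; the product's real location is not given on the page.
UPLOAD_ROOT = os.path.join(os.getcwd(), "theme_logo_uploads")
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

def resolve_preview_path(upload_root: str, preview_file_path: str) -> str:
    """Map a 'previewFilePath' request value to a file under upload_root, or raise PermissionError.

    The containment test runs on the resolved path, so '..' segments and symlinks are judged
    after normalisation instead of by string matching on the raw parameter.
    """
    if "\x00" in preview_file_path:
        raise PermissionError("embedded NUL byte")
    if os.path.isabs(preview_file_path) or preview_file_path.startswith(("/", "\\")):
        raise PermissionError("absolute path")
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, preview_file_path))
    # commonpath equals root only when candidate lies beneath it; root itself is not a file.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes the upload directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise PermissionError("not an image file")
    return candidate

def accepts(preview_file_path: str) -> bool:
    """Convenience wrapper over UPLOAD_ROOT that reports accept/reject instead of raising."""
    try:
        resolve_preview_path(UPLOAD_ROOT, preview_file_path)
        return True
    except PermissionError:
        return False
```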

CVE-2020-15157 – Vulnerability in containerd (before version 1.2.14)

Preface: Cloud computing builds the chain of civilization. The strongest AI and smart city technology will be built on the foundation of the cloud.

Technical background: Google Container Registry (GCR) is a service in Google Cloud Platform (GCP) for managing your own Docker container repository. It is a fully managed service, and you can store your custom container images as well as common images from other image repositories.

Vulnerability details: If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (foreign layer), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers.

Highlights: The manifest supports an optional field for an external URL from which content may be fetched, and it can be any registry or domain.

Remedy: This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected.

Workaround: Ensure that images are only pulled from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.
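A way to enforce the "trusted sources" workaround before a pull, as an added example that is not containerd's code: parse the manifest, collect every layer that carries the optional `urls` field described above, and compare the hosts against an allowlist. The manifest, digests and host names below are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed manifest in Docker Image Manifest V2 Schema 2 form; digests are placeholders, not real images.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1234, "digest": "sha256:" + "a" * 64},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 5678, "digest": "sha256:" + "b" * 64},
        # A foreign layer: content is fetched from the URL, which may name any host at all.
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "size": 9012, "digest": "sha256:" + "c" * 64,
         "urls": ["https://layers.example.test/blobs/" + "c" * 64]},
    ],
})

def foreign_layer_hosts(manifest_json: str):
    """Return {digest: [hosts]} for every layer that carries a 'urls' field (OCI or Docker V2 Schema 2).

    The media type is deliberately not consulted: the resolver follows 'urls' wherever it appears.
    """
    manifest = json.loads(manifest_json)
    if manifest.get("schemaVersion") != 2:
        raise ValueError("only schemaVersion 2 manifests carry per-layer urls")
    found = {}
    for layer in manifest.get("layers", []):
        urls = layer.get("urls") or []
        if urls:
            found[layer["digest"]] = [urlsplit(u).hostname for u in urls]
    return found

def untrusted_foreign_hosts(manifest_json: str, trusted_hosts):
    """Hosts named in foreign-layer URLs that are not on the allowlist of registries you trust."""
    trusted = {h.lower() for h in trusted_hosts}
    return sorted({h for hosts in foreign_layer_hosts(manifest_json).values()
                   for h in hosts if (h or "").lower() not in trusted})
```

A non-empty result from `untrusted_foreign_hosts` is the case to refuse, since on an affected 1.2.x resolver those hosts could be offered the registry credentials.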

VMware Horizon Server and VMware Horizon Client updates address multiple security vulnerabilities (CVE-2020-3997 & CVE-2020-3998) 22-10-2020

Preface: Cross-site scripting (XSS) is a type of attack in which malicious scripts are injected into websites and web applications for the purpose of running on the end user's device.

Background: VMware Horizon provides virtual desktop and app capabilities to users utilizing VMware’s virtualization technology. A desktop operating system – typically Microsoft Windows – runs within a virtual machine on a hypervisor.

Vulnerability details:

CVE-2020-3998 – If Horizon Client for Windows is installed on the client computer, a malicious attacker may be able to exploit the victim's local privileges to retrieve hashed credentials.

CVE-2020-3997 – Successful exploitation of this vulnerability on a Horizon server may allow an attacker to inject and execute malicious script.

Should you be interested in the details, please refer to the attached diagram. For the official announcement, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2020-0024.html

Closer look at CVE-2020-1953 – it impacted Oracle OHF Self Service Analytics (20th Oct 2020)

Preface: As healthcare organizations look to reduce cost, IT rationalization and process transformation is accelerating as providers adopt cloud strategies.

Background: Oracle Healthcare Foundation is a feature-rich analytics platform that supports more than 35 subject areas relevant to health data analytics, giving healthcare providers more granular data regarding the requirements of individuals and populations.

Vulnerability details: YAML is a human-readable data serialization standard that can be used in conjunction with all programming languages and is often used to write configuration files. A flaw was found in Apache Commons Configuration, which uses a third-party library to process YAML files; by default that library allows the instantiation of classes if the YAML includes special statements. Oracle Healthcare Foundation Self-Service Analytics was impacted by this vulnerability.
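A pre-parse gate for the class of flaw described above, as an added example and not Apache's or Oracle's code: before a configuration file reaches any YAML parser that resolves tags to classes, every explicit tag in the document is listed and anything outside the core schema is refused. The sample documents and the `com.example` tag are constructed.

```python
import re

# Tags of the YAML core schema and common language-independent types; any other explicit tag is rejected.
ALLOWED_TAGS = {"!!str", "!!int", "!!float", "!!bool", "!!null", "!!seq", "!!map",
                "!!binary", "!!timestamp", "!!set", "!!omap"}

# An explicit tag is a '!' token at the start of a value (after whitespace, ':', '-', ',' or a flow
# bracket), never a '!' embedded in a word.
TAG_RE = re.compile(r"(?:^|[\s\[{,:-])(![^\s\[\]{},]*)", re.MULTILINE)

def _strip_comments(yaml_text: str) -> str:
    """Drop '# ...' comments ('#' at line start or after whitespace) so they can neither hide nor fake a tag."""
    return "\n".join(re.sub(r"(^|\s)#.*$", r"\1", line) for line in yaml_text.splitlines())

def find_tags(yaml_text: str):
    """Return every explicit tag token in the document, in order of appearance."""
    return [m.group(1) for m in TAG_RE.finditer(_strip_comments(yaml_text))]

def disallowed_tags(yaml_text: str):
    """Tags not in ALLOWED_TAGS; a non-empty list means the document must not reach a class-resolving parser."""
    return [t for t in find_tags(yaml_text) if t not in ALLOWED_TAGS]

# Constructed samples: a plain configuration, and one carrying an application-specific class tag.
SAFE_SAMPLE = "database:\n  host: db.example.test\n  port: !!int 5432\n  # note: !!binary is also core\n"
TAGGED_SAMPLE = "database:\n  pool: !com.example.ConnectionPool\n    size: 10\n"
```

The scan errs on the side of rejection: a tag-looking token inside a quoted scalar is also reported, which for a configuration loader is the safe direction.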

Official announcement: https://www.oracle.com/security-alerts/cpuoct2020.html The article is bulky; use the keyword "CVE-2020-1953" to find the details.

Security Focus – ESXi OpenSLP RCE vulnerability (CVE-2020-3992)

Preface: If you like open source applications, you should also like the bugs they give you.

OpenSLP has been ported to a wide variety of systems, for example Linux (32/64), Windows (32/64), SCO Unix, FreeBSD, Solaris, Tru64, Mac OS X, Darwin, … OpenSLP eliminates the need for users to know the names of network hosts. With OpenSLP, users need only know the description of the service they want to use. Based on this description, OpenSLP is then able to return the URL of the requested service.

Vulnerability details: A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. To exploit the vulnerability, a malicious user must send a malformed SLP packet to the target system.

Remedy: https://www.vmware.com/security/advisories/VMSA-2020-0023.html

Comment: Based on my observation, a similar OpenSLP vulnerability was found a few years ago. However, there is no official patch for the remediation. I strongly believe that this bug will be exploited by cyber criminals. So it is highly recommended to disable this function.

CVE-2020-16951 – SharePoint users, stay alert! (17th Oct 2020)

Preface: Perhaps it is a design limitation: SharePoint did not check the source markup of an application package, which gives an attacker an opportunity. However, when you read the prerequisite requirements of the proof of concept, you will feel that it might be difficult to exploit this vulnerability. Nevertheless, a way was found to trigger it, so we must be aware of it.

Vulnerability details: An authenticated attacker can craft pages to trigger a server-side include that can be leveraged to leak the web[.]config file. The attacker can leverage this to achieve remote code execution.

Prerequisite: the attacker needs the AddAndCustomizePages permission to be enabled, which is the default.

Hints: The Add and Customize Pages permission is a site-level permission; it does not exist at the list permission level. Full control at the list level does not grant it at the site level. A site administrator can add a new permission level that includes only Add and Customize Pages, create a SharePoint group with that permission level, and add a user to the group, which grants that user the Add and Customize Pages permission at the site level.
At the site level, also make sure that Custom Script is enabled in the SharePoint admin center: go to SharePoint admin center > Settings > Custom Script.

Remedy: The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952

CVE-2020-13943 – Apache Tomcat HTTP/2 DoS (16th Oct 2020)

Preface: Slow HTTP attacks are denial-of-service (DoS) attacks. They appeared nearly a decade ago, and such vulnerabilities made people aware of application security.

Background: Why do we need HTTP/2?

HTTP/2 allows the client to send multiple requests to the server concurrently over the same TCP connection, and the server can also use that same TCP connection to send the responses back concurrently, thereby reducing additional RTT (round trip time).

Vulnerability details: On Jun 26 2020, a vulnerability was found in Apache Tomcat: a limitation in system resource handling when Apache Tomcat upgrades a connection to HTTP/2.
The matter is caused by the multi-protocol function. This design limitation caused Apache Tomcat not to release the HTTP/1.1 resources, which lets Apache Tomcat consume all of its memory and thus triggers a denial of service.

Remedy (official announcement): Refer to link – http://mail-archives.us.apache.org/mod_mbox/www-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E

Microsoft addresses Windows TCP/IP RCE/DoS vulnerability – US Homeland Security urges public attention (14th Oct 2020)

Preface: Before the release of IP version 6, we had a good impression of its features.

Technical background: The official technical article provides the definition of the IPv6 RDNSS option's length field (for details, refer to the attached diagram – point 3).

Potential impact: If an even length value is provided, the attacker intentionally causes the Windows TCP/IP stack to incorrectly increase the size of the network buffer by 8 bytes, because the stack fails to account for a non-RFC-compliant length value (internally it counts in 16-byte increments). This mismatch results in the stack interpreting the last 8 bytes of the current option as the start of a second option, ultimately leading to a buffer overflow and potential RCE.
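The length rule the passage turns on, carried into a small parser as an added example (not Microsoft's code): an RDNSS option's length is counted in 8-octet units, one unit of header plus two per 16-byte address, so a compliant value is odd and at least 3. The parser refuses an even length instead of rounding it, and a builder is included so a malformed sample can be constructed for the test; the addresses used are documentation-range values.

```python
import ipaddress
import struct

ND_OPT_RDNSS = 25  # option type assigned to RDNSS in RFC 8106

def parse_rdnss(option: bytes):
    """Parse one RDNSS option from an ICMPv6 Router Advertisement, enforcing the length rule.

    Returns (lifetime, [IPv6Address, ...]); raises ValueError for any malformed length.
    """
    if len(option) < 8:
        raise ValueError("option shorter than the fixed header")
    opt_type, length = option[0], option[1]
    if opt_type != ND_OPT_RDNSS:
        raise ValueError(f"not an RDNSS option (type {opt_type})")
    # Header = 1 unit (8 bytes), each address = 2 units (16 bytes): length must be odd and >= 3.
    # An even value is the non-compliant case described in the text: the byte count is not a whole
    # number of addresses, and a parser that rounds it leaves 8 stray bytes that get read as the
    # start of the next option.
    if length < 3 or length % 2 == 0:
        raise ValueError(f"invalid RDNSS length {length}: must be odd and >= 3")
    total = length * 8
    if len(option) < total:
        raise ValueError("option truncated on the wire")
    lifetime = struct.unpack("!I", option[4:8])[0]
    n_addr = (length - 1) // 2
    addrs = [ipaddress.IPv6Address(option[8 + 16 * i: 24 + 16 * i]) for i in range(n_addr)]
    return lifetime, addrs

def build_rdnss(lifetime: int, addrs, length_override=None) -> bytes:
    """Build an RDNSS option; length_override exists only so a test can construct a malformed sample."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    length = (1 + 2 * len(addrs)) if length_override is None else length_override
    # Type, Length, Reserved (2 bytes), Lifetime (4 bytes), then the addresses.
    return struct.pack("!BBHI", ND_OPT_RDNSS, length, 0, lifetime) + body
```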

Remedy: The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

Comment: The vulnerability hit by Microsoft is caused by an IPv6 design feature. Perhaps it is a fundamental design matter. I predict that other vendors may encounter the same matter soon.

Homograph Attack (Puny-code) – CVE-2020-25779

Preface: To avoid malware attacks, DNS is the first door for quarantine. This step is not difficult: check whether the domain name being called is included in the blacklist.

What is Punycode?
An encoding that represents Unicode names, which cannot be written in ASCII, using only ASCII characters.

Background: There are two different scenarios for the cyber threat actor to exploit.

  1. The attacker builds deceptive IDNs (Internationalized Domain Names) that are likely to mislead internet users.
  2. A phishing attack is almost impossible to detect when the Punycode vulnerability is encountered.

Synopsis: If the DNS filter mechanism does not convert IDN domains to their Punycode form before doing the verification, it becomes possible for a blacklisted domain to be ignored by the filter.

Example: The domain "xn--eqru1b157l[.]co" is equivalent to "黑名單[.]co", where "xn--eqru1b157l" is the Punycode form.
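The normalisation the synopsis calls for, as an added example that is not Trend Micro's code: every domain, whether written in Unicode, in xn-- form, upper-cased or defanged with "[.]", is reduced to one canonical ASCII-compatible form before the blacklist lookup, so the two spellings of the example domain above match the same entry. The blocklist entries are constructed.

```python
# Constructed blocklist: one entry in Unicode form, one defanged ASCII entry.
SAMPLE_BLOCKLIST = ["黑名單.co", "bad[.]example"]

def canonical_ace(domain: str) -> str:
    """Normalise a domain to lowercase ASCII-compatible encoding (xn-- labels).

    Unicode labels are Punycode-encoded; labels that already carry the xn-- prefix pass through
    unchanged, so both spellings compare equal. Defanged '[.]' input is accepted.
    """
    d = domain.strip().replace("[.]", ".").rstrip(".").lower()
    labels = []
    for label in d.split("."):
        if not label:
            raise ValueError(f"empty label in {domain!r}")
        labels.append(label.encode("idna").decode("ascii"))
    return ".".join(labels)

def to_unicode(domain: str) -> str:
    """Display form for human review: decode xn-- labels back to Unicode."""
    return ".".join(l.encode("ascii").decode("idna") for l in canonical_ace(domain).split("."))

class DomainBlocklist:
    """Blacklist whose entries and lookups are both canonicalised, so the IDN form cannot bypass it."""

    def __init__(self, entries):
        self._ace = {canonical_ace(e) for e in entries}

    def is_blocked(self, domain: str) -> bool:
        return canonical_ace(domain) in self._ace
```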

Vulnerability details: Trend Micro Antivirus for Mac 2020 (Consumer) Bypass Web Threat Protection via Internationalized Domain Name Homograph Attack (Puny-code) Vulnerability.

Remedy: Trend Micro has released a new build of Trend Micro Antivirus for Mac Security (Consumer). Please refer to link – https://helpcenter.trendmicro.com/en-us/article/TMKA-09949