Category Archives: Potential Risk of CVE

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication (29th Jun 2020)

Preface: SAML provides a secure method of passing user authentication and authorization between an identity provider and service providers. When a user logs into a SAML-enabled application, the service provider requests authorization from the appropriate identity provider.

Design weakness: The design weakness of SAML is not XML edge cases, nor an attacker stealing your signing keys. It is SAML mistakenly allowing your users to log in to apps they should not be able to access. To avoid this, ensure your SAML assertions only work with the right apps, and use unique signing keys for each app or service provider.

Palo Alto Releases Security Updates for PAN-OS: Authentication Bypass – details are in the following link: https://security.paloaltonetworks.com/CVE-2020-2021
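The point above, as an added example that is not from the advisory or from PAN-OS: a service-provider-side check that an assertion is addressed to this app (Audience) and carries the signing certificate registered for this app, so an assertion minted for one service provider cannot be replayed against another. The assertion, entity IDs and certificate text are constructed placeholders; cryptographic verification of the XML signature is assumed to be done by the SAML library and is out of scope here.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion for the vpn-portal SP (certificate text is a placeholder, not a real key).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>CERT-FOR-VPN-PORTAL</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-06-29T09:55:00Z" NotOnOrAfter="2020-06-29T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vpn-portal.example.test/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def check_assertion(xml_text, expected_issuer, my_entity_id, my_idp_cert, now):
    """Return the list of policy failures (empty = accepted). The assertion must be
    addressed to this SP, carry the signing certificate registered for this SP,
    and be inside its validity window. Cryptographic verification of the XML
    signature is assumed to be done separately by the SAML library in use."""
    root = ET.fromstring(xml_text)
    failures = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        failures.append("issuer is not the configured IdP")
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS)]
    if my_entity_id not in audiences:
        failures.append("assertion is addressed to another app: %s" % audiences)
    cert = (root.findtext(".//ds:X509Certificate", namespaces=NS) or "").strip()
    if cert != my_idp_cert:
        failures.append("signing certificate is not the one registered for this SP")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        failures.append("assertion outside its validity window")
    return failures

if __name__ == "__main__":
    idp = "https://idp.example.test/metadata"
    # Right app, right key: accepted.
    print(check_assertion(SAMPLE, idp, "https://vpn-portal.example.test/saml", "CERT-FOR-VPN-PORTAL", "2020-06-29T10:00:00Z"))
    # Another app presented the same assertion: audience and key checks both fail.
    print(check_assertion(SAMPLE, idp, "https://hr-app.example.test/saml", "CERT-FOR-HR-APP", "2020-06-29T10:00:00Z"))
```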

If so, how do we avoid the risk? Schneider Electric T300 design weakness (30th Jun 2020)

Preface: Dedicated to a specific industry, the so-called operational technology (OT) sector.

Details: Schneider Electric has announced to the public that its Easergy T300 has a design weakness. When you go through the document (see the URL below), it officially informs you that you have to trust your source and make use of your firewall or VPN to enforce the protection. Perhaps you might ask why the vendor doesn't issue a firmware upgrade. My idea is that this is one of the differences between information technology and operational technology. The reasoning behind my idea is not written here because this post is only a short message. In short, the official recommendation should be taken. Additionally, in order to avoid malware infection, it is better to enhance the DNS lookup function. As of today, a Clean DNS service is not expensive and is easy to implement: the admin only has to modify the workstation and server DNS IP addresses. My comment is that this is a cost-effective solution to avoid malware infection because it increases the difficulty for Mr. Malware to contact its C&C server.

https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2020-161-04_Easergy_T300_Security_Notification.pdf&p_Doc_Ref=SEVD-2020-161-04

Apache Releases Security Advisory for Apache Tomcat (26th Jun 2020)

Preface: As of June 2020, Apache is used by 37.7% of all the websites.

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M5
Apache Tomcat 9.0.0.M1 to 9.0.35
Apache Tomcat 8.5.0 to 8.5.55

Impact: An attacker could exploit this vulnerability to cause a denial-of-service condition.

Background: HTTP/2 uses header compression, which requires the server to commit more resources per connection than HTTP/1.1. The attack vectors for the vulnerabilities discovered in HTTP/2 follow a certain pattern: the main goal is to set up a queue of responses that exhausts the resources on the server.

Official announcement: The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache security advisory for CVE-2019-10072 – http://mail-archives.us.apache.org/mod_mbox/www-announce/202006.mbox/%3Cfd56bc1d-1219-605b-99c7-946bf7bd8ad4%40apache.org%3E

VMware remedied flaws in the EHCI and xHCI controllers. It tells us more about the impact of USB. (25th Jun 2020)

Preface: If you don't use the VMware 3D graphics feature, perhaps the remedies the vendor released this week for the 3D features are not your focus. But what about the USB feature?

Background: To enable PCI devices to interrupt the CPU, all PCI devices on the PCI bus are assigned an IRQ number. The VMkernel uses discovery and interrupt rerouting mechanisms provided by the BIOS to assign these IRQ numbers. In certain cases due to hardware design, however, two or more devices might be tied to the same interrupt controller pin.

Impact: A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to crash the virtual machine's vmx process, leading to a denial of service condition, or to execute code on the hypervisor from a virtual machine.

Concept: Refer to the attached diagram.

Remedy: Official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0015.html

Magento users stay alert – 24th Jun 2020

Background: Magento is an e-commerce platform written in PHP on top of the Zend Framework, available under both open-source and commercial licenses. It is written in an advanced object-oriented idiom that uses the MVC pattern and XML configuration files, aiming for flexibility and extensibility.

Vulnerabilities announced this week – Hints
The vendor has the right to withhold vulnerability details and not disclose them to the public, and therefore we only obtain the information below.

PHP Object Injection – Arbitrary code execution (Critical) – CVE-2020-9663

Stores cross-site scripting – Sensitive information disclosure (Important) – CVE-2020-9665

Please refer to the attached diagram. Perhaps it will help you find out the root causes.

Official announcement: https://helpx.adobe.com/security/products/magento/apsb20-41.html

Win 10 Spatial Data Service Elevation of Privilege vulnerability – 17th Jun 2020

Preface: In July 2019, a vulnerability was found in the Windows Spatial Data Service that could allow file deletion in arbitrary locations on a Windows system. The official announcement this week states that the Windows Spatial Data Service improperly handles objects in memory, causing an elevation of privilege vulnerability.

Background: The Spatial Data Service runs as NT AUTHORITY\LocalService in a shared process of svchost[.]exe.
This service is used for spatial perception scenarios and exists in Windows 10 only.

Vulnerability details: If a number is higher or lower than a range of values, or there are too many characters in a text entry, a boundary error occurs. The vulnerability exists due to a boundary error when the Windows Spatial Data Service improperly handles objects in memory. A local user can use a specially crafted application to trigger memory corruption and execute arbitrary code on the target system.

Official remedy solution – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1441

US Homeland security urge public alert on “Ripple20” Vulnerabilities (16th June 2020)

Preface: Baxter US, Caterpillar, Digi International, Hewlett Packard Enterprise, Intel, Rockwell Automation, Schneider Electric and Treck are impacted by this vulnerability.
There are more vendors whose actual status is not yet known.

Vulnerability details:
An attacker from outside the network can take control of a device within the network if it is internet facing. There are more ways to exploit this vulnerability; please refer to the link below for reference.

Root causes: The attacker exploits the flexibility of the IP protocol, namely incoming IPv4 fragments over an IP-in-IP tunnel. As we know, IPv4 was designed earlier than today's Internet services. At that time the most serious incident was merely a virus infection of a local machine; machine-to-machine communication used a serial cable or a Novell network. In short, it was a simple architecture. But the attacker can exploit this design weakness to launch cyber attacks on the digital world.

Remedy: You can follow the cert.org recommendation to install an IDS (refer to the URL below), or refer to the attached diagram for a quick and dirty solution.
https://kb.cert.org/vuls/id/257161
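The root cause named above, incoming IPv4 fragments over an IP-in-IP tunnel, is the traffic shape an IDS rule for this issue looks for. The following stdlib-only Python is an added illustration of that detection logic, not code from the CERT note or from the author's diagram: it parses an IPv4 header, and alerts when the packet is an IP-in-IP tunnel (protocol 4) whose inner datagram is fragmented. The packets are constructed inline; the "quick and dirty" rule here ignores checksums and leaves outer-fragment reassembly to the IDS.

```python
import struct

IPPROTO_IPIP = 4  # IPv4 datagram encapsulated in IPv4

def parse_ipv4(buf):
    """Return (protocol, more_fragments, fragment_offset, payload) of an IPv4 datagram."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    flags_frag = struct.unpack("!H", buf[6:8])[0]
    return buf[9], bool(flags_frag & 0x2000), flags_frag & 0x1FFF, buf[ihl:]

def inner_fragment_in_tunnel(buf):
    """True when buf is an IP-in-IP packet whose inner datagram is fragmented.
    Returns None for a fragmented *outer* packet: that case can only be judged
    after reassembly, which a real IDS does before applying this rule."""
    proto, mf, off, payload = parse_ipv4(buf)
    if proto != IPPROTO_IPIP:
        return False
    if mf or off:
        return None
    try:
        _, in_mf, in_off, _ = parse_ipv4(payload)
    except ValueError:
        return True  # tunnel payload is not a valid IPv4 header: treat as suspicious
    return in_mf or in_off != 0

def scan(packets):
    """Indexes of packets that should raise an alert."""
    return [i for i, p in enumerate(packets) if inner_fragment_in_tunnel(p)]

def build_ipv4(proto, payload, more_fragments=False, frag_offset=0):
    """Constructed minimal 20-byte header; checksum left at zero, enough for parsing."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed samples: plain UDP, a whole inner datagram inside a tunnel, and two
# tunnelled fragments (one with More Fragments set, one with a non-zero offset).
SAMPLES = [
    build_ipv4(17, b"\x00" * 8),
    build_ipv4(IPPROTO_IPIP, build_ipv4(17, b"\x00" * 8)),
    build_ipv4(IPPROTO_IPIP, build_ipv4(17, b"\x00" * 8, more_fragments=True)),
    build_ipv4(IPPROTO_IPIP, build_ipv4(17, b"\x00" * 8, frag_offset=3)),
]
if __name__ == "__main__":
    print("alert on packets:", scan(SAMPLES))  # [2, 3]
```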

Perhaps this way comes true – VMware Horizon Client for Windows vulnerability (CVE-2020-3961) 12th Jun 2020

Preface: In order to avoid widening the impact of the vulnerability, VMware does not provide the details of CVE-2020-3961.

Synopsis: This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Vulnerability details: VMware Horizon Client for Windows contains a privilege escalation vulnerability due to folder permission configuration and unsafe loading of libraries.

My observation: Perhaps the idea displayed in the attached diagram may also be a way to do the same thing.

Reference: A local DLL injection vulnerability has been discovered in the official Notepad++ software. The issue allows local attackers to inject code into vulnerable libraries to compromise the process or to gain higher access privileges.

Official announcement – please refer to the following link: https://www.vmware.com/security/advisories/VMSA-2020-0013.html

US Homeland Security alert – design weakness of Universal Plug and Play – 9th Jun 2020

Preface: Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi …

Review of a historical event: Mirai is an IoT botnet that was designed to exploit vulnerabilities in IoT devices for use in large-scale DDoS attacks. In September 2016, the Mirai malware launched a DDoS attack. A massive attack caused the domain registration services provider (Dyn) to suffer service interruptions in October 2016.

Design weakness on universal plug and play: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Concerns by security experts: The attacker can send a specially crafted HTTP SUBSCRIBE request to vulnerable devices. Meanwhile, it could also utilize this vulnerability to conduct a DDoS attack. For more details, please refer to the official article at the following URL – https://www.kb.cert.org/vuls/id/339275
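The spec weakness quoted above is that a SUBSCRIBE request's delivery URL was not required to be on the same network segment as the event-subscription URL. As an added example that is not from the CERT note, the UPnP specification or any device firmware, the stdlib-only Python below shows that check as a device would apply it to an incoming SUBSCRIBE: the CALLBACK URL must be an http URL whose host is an IP literal inside the segment of the device's own event URL. The event URL, the /24 mask and the two requests are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_subscribe(raw):
    """Split an HTTP SUBSCRIBE request into its request line and a dict of lowercased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def callback_urls(header_value):
    """CALLBACK carries one or more <url> items."""
    return [u.strip("<>") for u in header_value.replace(">", "> ").split() if u.startswith("<")]

def is_acceptable_callback(url, event_url, prefixlen):
    """Accept only http URLs whose host is an IP literal inside the segment of the device's
    fully qualified event URL; DNS names are refused since they can resolve anywhere."""
    try:
        segment = ipaddress.ip_network(f"{urlsplit(event_url).hostname}/{prefixlen}", strict=False)
        target = ipaddress.ip_address(urlsplit(url).hostname)
    except ValueError:
        return False
    return urlsplit(url).scheme == "http" and target in segment

def evaluate_subscribe(raw, event_url, prefixlen=24):
    """Return (accepted, reason); prefixlen is the mask of the interface serving the event URL."""
    request_line, headers = parse_subscribe(raw)
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "SUBSCRIBE" or parts[1] != urlsplit(event_url).path:
        return False, "not a SUBSCRIBE for this event URL"
    urls = callback_urls(headers.get("callback", ""))
    if not urls:
        return False, "missing CALLBACK header"
    for u in urls:
        if not is_acceptable_callback(u, event_url, prefixlen):
            return False, f"callback {u} is off-segment or not an IP literal"
    return True, "ok"

# Constructed device event URL and two sample requests: a LAN subscriber and an off-segment delivery URL.
EVENT_URL = "http://192.168.1.20:49152/upnp/event/wanipconn"
HEAD = "SUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\nHOST: 192.168.1.20:49152\r\n"
TAIL = "\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n"
LAN_REQUEST = HEAD + "CALLBACK: <http://192.168.1.50:8080/notify>" + TAIL
OFF_SEGMENT_REQUEST = HEAD + "CALLBACK: <http://203.0.113.9:80/>" + TAIL

if __name__ == "__main__":
    print(evaluate_subscribe(LAN_REQUEST, EVENT_URL))          # (True, 'ok')
    print(evaluate_subscribe(OFF_SEGMENT_REQUEST, EVENT_URL))  # rejected
```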

US Homeland Security alert – unpatched MS systems vulnerable to CVE-2020-0796 (5th Jun 2020)

Preface: On 11th Mar 2020, Microsoft released a security advisory to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3).

Synopsis: Proof-of-concept code for the vulnerability has been made public. The attacker performs the exploit by sending a specially crafted packet to a targeted SMBv3 server (refer to the attached diagram). The result would be similar to the WannaCry and NotPetya attacks of 2017, which used the EternalBlue exploit for SMBv1.

Workarounds: Disabling SMBv3 compression – refer to the attached diagram; the solution is displayed at the bottom.

Remedy solution by Microsoft – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

CISA urges the public – Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports. CISA strongly recommends using a firewall to block SMB ports from the internet and applying patches for critical- and high-severity vulnerabilities as soon as possible.