Preface: Modern Cyber Defense solution without difficulties detect malicious activities. For instance, applications need approved permissions before installation; and security software can scan files to be written, read, and/or executed to check for known signatures. But we still heard data breach incident occurred. Why?

Detail description: On 26th Aug, 2020, US Homeland security published articles to urge public that at least three different types of malware on the way to approaching banking finance, business and computer end user. By this chance, we are going to focus a malware named “BeagleBoyhz”. The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems. Quite a lot of cyber security services vendor observe that Fileless Malware Execution with PowerShell Is Easier to evade antivirus and firewall. In order to avoid their activities detected by defense mechanism. Attacker will abuse Command and Scripting Interpreter technique to executing arbitrary commands.Meanwhile, this is the security focus highlighted by the Department of Homeland Security. As a large number of articles describe different types of malware. If you want to read the details, please refer to the website link.

https://us-cert.cisa.gov/ncas/alerts/aa20-239a

https://us-cert.cisa.gov/northkorea

Remedy: If your current cyber defense solution capable to support regular expression filter function. You can create generic policies to deny the unknown PowerShell script. For example:

.\bi[“’]*e[“’]x\b.*
blocks Invoke-Expression.
At the end, I would like to thanks for McAfee providing this effective solution.

Preface: A few years ago, ATM attackers might have the opportunity to compromise ATM machines through this method (Raspberry Pi + Python + Wifi). It looks that it is not possible right now.

Study Road Map: From a security perspective, the design weaknesses disclosed by the vendor this time are divided by 3 types.
– Insufficient encryption strength (CVE-2020-10125),
– Main weaknesses in authentication bypass (CVE-2020-10126)
– Lack of data protection (CVE-2020-10124)

Before reading the details of the vulnerability note (VU#815655). We should know the main product specifications.
1. What is XFS?
eXtensions for Financial Services, or XFS, is an open systems middleware international standard promoted by the European Committee for Standardization (CEN) that allows software from multiple vendors to run on different manufacturers’ATMs and other types of payment terminals.

2. What is BNA?
BNA (Bunched Note Acceptor) – Depository that accepts many varied notes without an envelope.

3. Read the vulnerability description (see URL below). Increase your imagination through attached diagram. Maybe you will dig more details, not just the official announcement.

https://kb.cert.org/vuls/id/815655

4. Take your time.

Preface: BIND (Berkeley Internet Name Domain) is the most commonly used DNS software on the Internet today. DNS servers that use BIND as server software account for about 90% of all DNS servers.

Technical background: The BIND nameserver is based on a custom event queueing system that wraps around the libuv library (http://libuv.org) for performing asynchronous I/O as needed by the server. libuv is a multi-platform support library with a focus on asynchronous I/O. It was primarily developed for use by Node.js, but it’s also used by Luvit, Julia, pyuv, and others.

Remark: A DNS zone transfer is a procedure that lets two DNS servers exchange their zones. This is needed for redundancy. There are several zone transfer methods but the most common one uses the AXFR protocol.

Vulnerability details: When handling TCP traffic through the libuv library. Due to a length specified within a callback for the library (lib/isc/netmgr/tcpdns.c), flooding the server TCP port used for larger DNS requests (AXFR) will cause the libuv library to pass the length to the server. Therefore, it will result in a violation of the assertion check in the server verification. This assertion check will terminate the service, resulting in a denial of service condition. An attacker can flood ports with unauthenticated packets to trigger this vulnerability.

For information on CVE-2020-8620, thanks to Cisco TALOS.

Official announcement: https://kb.isc.org/docs/cve-2020-8620

Preface: Struts2 OGNL is the expression language. OGNL is tightly coupled in Struts2 and used to store form parameters as java bean variables in ValueStack and to retrieve the values from ValueStack in result pages. ActionForm has the following responsibilities:Perform data security verification to prevent malicious data from entering the application.

Vulnerability details: However, it hit the design weakness this time. It let attacker modify an specify attribute (skillName) in a request such that a raw OGNL expression gets passed to the skillName property without further validation.

Remedy: upgrading to Struts 2.5.22

Official recommendation: Don’t use forced evaluation of an attribute other than value using %{…} or ${…} syntax unless really needed for a valid use-case.

Recommendation (2): It is recommend to install the application firewall to enhance the preventive control. It can reduce opportunity let hacker conduct the OGNL expression injection attacks.

Reference:http://mail-archives.us.apache.org/mod_mbox/www-announce/202008.mbox/%3C66006167-999e-a1e5-4a3a-5f1c75a1e8a2%40apache.org%3E

Preface: Path traversal vulnerability perhaps will be ignore by some people. But this design weakness similar provide a channel to attacker conduct a search. The vulnerability described in SAP security notes 2934135 contains with two different vulnerabilities.

Background: SAP NetWeaver is a software stack for many of SAP SE’s applications.It can be used for custom development and integration with other applications and systems, and is built primarily using the ABAP programming language, but also uses C, C++, and Java. AS Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.

Vulnerability details:

CVE-2020-6287 – Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)
– Additional CVE – CVE-2020-6286
– Affected Product – SAP NetWeaver AS JAVA (LM Configuration Wizard); Versions – 7.30, 7.31, 7.40, 7.50

Impact: SAP NetWeaver AS JAVA (LM Configuration Wizard), versions – 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to relies on path traversal vulnerability reach EJB Environment and download zip files. After the attack is successful, it can also create user IDs and administrator roles. If you are interested to learn more. Please refer to the diagram.

Official announcement – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345

Preface: In Windows 10, there are two ways to uninstall Internet Explorer.

Option 1:Turn Windows features on or off option
Option 2: Disable IE11 using PowerShell commands

Open PowerShell and Run as administrator. Execute the following command:
Disable-WindowsOptionalFeature -FeatureName Internet-Explorer-Optional-amd64 –Online

Security Focus: CVE-2020-1380 – Scripting Engine Memory Corruption Vulnerability

Even you turn off the Internet Explorer, there still have way let the ongoing works involves related system component of Internet Explorer. The fact is that mshtml.dll is the major component of Internet Explorer. This component manage the HTML, CSS parsing and rendering functionality. For example, when a user browses from an HTML page to a Word document, mshtml. dll is swapped out for the DLL provided by Word, which then renders that document type. In the sense that if vulnerability occurs in Internet Explorer. Perhaps you do not use, but still require to do the patching. Should you have interest to know the details, please refer to attached diagram.

Vulnerability Details: CVE-2020-1380 is a remote code execution vulnerability affecting Internet Explorer 11. According to the official information issued by Microsoft on 12th Feb 2020. The technical details of CVE-2020-0674 explicitly same as design weakness for this vulnerability. Since the official details did not describe the actual technical problem of this matter. I believe that it will let the attacker exploit use-after-free vulnerability.

Official announcement : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380

Preface: Serialization in Java is a mechanism of writing the state of an object into a byte-stream. It is mainly used in Hibernate, RMI, JPA, EJB and JMS technologies. The reverse operation of serialization is called deserialization where byte-stream is converted into an object.

Product background: Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. About 11 years ago. VMWare has announced the acquisition of SpringSource, a provider of Web application development and management services.

Vulnerability details: When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the “deserialization gadgets” exploit when provided data contains malicious code for execution during deserialization.

Remedy: Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown “deserialization gadgets” when configuring Kryo in code. For more details, please refer to the link – https://spring.io/blog/2020/07/22/spring-integration-4-3-23-5-1-12-5-2-8-5-3-2-available-cve-2020-5413

Preface: Computer technology enlightens the automation industry. Due to modern CNC (Computer Numeric Control) technology, tiny parts are easy to produce. Who is the hero of this industry? I believe it is CAD technology.

Background: CAD administrators use INNEO “Startup TOOLS” to manage working environments including licenses and standardized library elements and maintain their correct configuration. Users are relieved of routine tasks and can easily place many design elements instead of having to design them from scratch.
This is one of the reasons why companies rely on INNEO “Startup TOOLS” to make their work easier and more efficient.

Vulnerability details: An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.

Observation: INNEO Startup TOOLS (2018 M040 13.0.70.3804) uses PHP version 5.2.13. So attacker can rely on the PHP programming to conduct the null-byte injection attack. Perhaps the intellectual property might at risk.

Remedy: The vendor has a newer version 6.x.x.x and ongoing which is the successor of the deprecated versions of 2018 and before.