Preface: Quite a lot of cyber security expertise provides their explanation on vulnerability on Exim (A local or remote attacker can execute programs with root privileges). I will do a quick and dirty way to explain. Should you have interested, please refer below:

a. Connect to Exim with TLS and send an SNI that ends with backslash-null.
*unescaped-backslash bug in string_printing2()

b. We exploit the backslash-null bug in string_interpret_escape().

Hints: Brainstorm on above matter
When you do a malloc, it gives you a pointer to a block of memory in the heap
char *p=malloc(2048) – Virtual memory allocated 2048
strcpy(p,”123”) – Although only 3 bytes are used, the memory still allocates 2048 bytes of physical memory for it.
free(p) – Through the virtual address, find the physical page corresponding to it, release the physical page, and release the linear region.use this heap overflow to overwrite the header of a free malloc chunk.

c. use this heap overflow to overwrite the header of a free malloc chunk.

d. allocate this enlarged malloc chunk, and use it to overwrite large parts of the heap (the already-allocated malloc chunks) with arbitrary data:

e. Overwrite the “id” string: (by overwriting “id” with “/../../../../../../../../etc/passwd”)

Official announcement:

Download and build a fixed version:

    Tarballs: https://ftp.exim.org/pub/exim/exim4/
    Git:      https://github.com/Exim/exim.git
              - tag    exim-4.92.2
              - branch exim-4.92.2+fixes

Preface: Quite a number of people think that Mainframe computer no longer exist anymore. However they are still alive.

Background: A 3270 Emulator is a terminal emulator that duplicates the functions of an IBM 3270 mainframe computer terminal on a PC or similar microcomputer.

Vulnerability details: There is Missing SSL Certificate Validation in the pw3270 terminal emulator before version 5.1.

Impact: TLS/SSL certificate validation flaw, leading to attackers in a MitM position being able to affect confidentiality, integrity and availability of traffic between the client and host, including credentials used.

Remedy: Upgrade to version 5.1. For more information, please visit the following URL – https://pkgs.org/download/pw3270

Preface: No matter “WAF” or a traditional Layer 3 firewall. The SSH service daemon will be installed because such service is not uncommon.

Vulnerability details: Memory corruption in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earlier, PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow a remote, unauthenticated user to craft a message to Secure Shell Daemon (SSHD) and corrupt arbitrary memory.

Additional:

In the current version of the NDcPP there is a cryptographic Security Functional Requirement (SFR) called FCS_SSH*_EXT.1.8.
If your solution involves an OpenSSH server or client, you might be surprised to find out that OpenSSH’s “RekeyLimit” option does not actually fulfill this requirement according to the Application Note. OpenSSH’s RekeyLimit’s volume limiter will rekey on data volume only when one of the incoming or outgoing meets or exceeds the defined limit. It does not check the aggregate.

From technical point of view, attacker is able to consume ssh service daemon memory resources. For instance when using OpenSSH as client, simply enter ~R (capital R!) and rekeying will take place. If they intend to increase the re-key times, the specify process will be in trouble!

Remedy: Only accept SSH connection with trust IP address and trust network.

Preface: As time goes by, youth not familiar with TV at home. Obviously the online video is the new generation of choice.

Product background: With YouPHPTube you can create your own video sharing site, YouPHPTube will help you import and encode videos from other sites like Youtube, Vimeo, etc. and you can share directly on your website.

Vulnerability details: A design weakness was found before version 7.5. The machanism doesn’t checks if someone wanna generate a new config file. So the attacker can exploit on this flaw then generate his own config file with malicious code. As a result, the visitor do not know they already connect to a compromised server.

Remedy: Be reminded that you should remove the “/var/www/YouPHPTube/install/” directory after YouPHPTube installation.

Preface: Virtual computer world like a fruit punch, anything can mix into it.

Background: OpenStack is a cloud computing software developed by NASA and Rackspace. It is licensed under the Apache license and is a free and open source software. Their customer including Shanghai Electric, China Mobile, LINE and China UnionPay .

Vulnerability details: In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.

Possible factor: One of the techincal issue might arise when Topology Change Notification (TCN) occurring repeatedly with short intervals. The switches will constantly be fast-aging their forwarding tables so flooding will be nearly constant.

Remedy status: In Progress → Fix Released (30th Aug 2019) https://review.opendev.org/678098

Preface: Because a stateless API can increase request overhead by handling large loads of incoming and outbound calls, a REST API should be designed to encourage the storage of cacheable data.

Vulnerability details: A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device.

Fundamental design weakness of REST API authentication. For example:

1. Make POST request to /api/rest/issues, get it working with an API key
2. Perhaps there is no way to disable the Auth layer
3. Generating an auth key
4. Now you have an auth-token for app
5. cURL GET request (with Authentication)
6. cURL POST request (with Authentication)
7. ………

What can Cisco customers do? As follows:

Official announcement by vendor – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-iosxe-rest-auth-bypass

Preface: PePe the frog, he will never die. PePe could appear anywhere. May be you can see him in political world or your whatsapp communications. Even CVE vulnerability record details.

QLogic offload iSCSI driver (qedi_dbg.c) technical background – For both Windows and Linux operating systems, iSCSI boot can be configured to boot with two distinctive paths: non-offload (also known as Microsoft Open-iSCSI Initiator) and offload (QLogic offload iSCSI driver or HBA). iSCSI Offload uses the TCP Offload Engine (TOE) technology in network interface cards (NICs) to offload the processing of the TCP/IP stack to a network controller.

Vulnerability details: The vulnerability exists in the drivers/scsi/qedi/qedi_dbg.c source code file of the affected software and is due an out-of-bounds read condition in the qedi_dbg_* family of functions.

Common Functions in C/C++ memcpy()memset(). These functions are categorized into the subcategory transfer memory. With memcpy, you not only copy your own out-of-bounds area, such as some malloc block which was previously freed, but also an area from a completely different running program.

Remedy: Kernel.org has released software updates at the following link – https://www.kernel.org/

Preface: The Amazon rainforest is the lungs of the earth. Even humans are stronger than ancient people. But we rely on oxygen to survive. Amazon rainforest fire, do you think we are heading to the edge?

About webmin software: Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. AWS especially lamp stack web app, the basic function on demand to use webmin software.

Vulnerability details: A vulnerability in Webmin could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on a targeted system. See the attached drawing for details.

Remark: This vulnerability will be occured when the changing of expired passwords function is enabled. But this function not enabled by default.

Remedy: upgrading to version 1.930 is strongly recommended. Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run /etc/webmin/restart.

Preface: In 1885 Westinghouse imported a Siemens AC generator, to begin experimenting with AC networks in Pittsburgh. As of today, the business development of Siemens extend to all industry.

Product background: The Siemens SIMATIC S7-1200 & S7-1500 is the controller for open-loop and closed-loop control tasks in mechanical equipment manufacture and plant construction. Its range of use extends from the replacement of relays and contactors up to complex automation tasks in networks and within distributed structures.

Vulnerability details: Two vulnerabilities have been identified in the SIMATIC S7-1200 and the SIMATIC S7-1500 CPU families. Those vulnerabilities is that when engineer tries to upload (put) the source code on the SIMATIC. However the limitation of the design do not enforce the integrity check.So attacker exploit Man-in-the-Middle hack technique to transfer their counterfeit code and “put” his code to the device.

Official announcement: Please refer to the URL link – https://cert-portal.siemens.com/productcert/pdf/ssa-232418.pdf