Preface: Switched Fabric or switching fabric is a network topology in which network nodes interconnect via one or more network switches.

What is Cisco ACI? – Cisco ACI is a tightly coupled policy-driven solution that integrates software and hardware. The hardware for Cisco ACI is based on the Cisco Nexus 9000 family of switches. The software and integration points for ACI include a few components, including Additional Data Center Pod, Data Center Policy Engine, and Non-Directly Attached Virtual and Physical Leaf Switches.

Vulnerability background & details: 802.1AB(LLDP) build in May 2005. LLDP was developed as an open and extendable standard. It was modeled on and borrowed concepts from the numerous vendor proprietary discovery protocols such as Cisco Discovery Protocol (CDP), Extreme Discovery Protocol (EDP) and others. At that time cyber security not as serious today. So the design weakness extend till today and causes an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN.

We seen the impact posted by Cisco. They state that if strict mode is configured, this vulnerability cannot be exploited. Strict mode enforces further firmware security checks before allowing a connection.

Remark: Only Cisco Discovery Protocol provides an additional capability not found in LLDP-MED that allows the switch to extend trust to the phone. That is the phone will be trusted to mark the packets received on the PC port accordingly.

Official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-n9kaci-bypass

Preface: ESXi is not built upon the Linux kernel, but uses an own VMware proprietary kernel (the VMkernel) and software, and it misses most of the applications and components that are commonly found in all Linux distributions.

In common Linux circumstances to avoid SACK vulnerabilities. The workaround are:

CVE-2019-11477
Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

CVE-2019-11478
Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

CVE-2019-11479
Filter command:
Sudo iptables -A INPUT -p tcp -m tcpmss –mss 1:500 -j DROP

Turn off tcp_mtu_probing:
Sysctl net.ipv4.tcp_mtu_probing

Perhaps this is VMWARE. So you must follow below solution by vendor.

https://www.vmware.com/security/advisories/VMSA-2019-0010.html

Preface: As time goes by, As time goes by, the common software design mistake found on business computer world now extend to industrial area. The impact includes SCADA , PLC and graphical user interfaces software.

Design defect: On systems, a default administration account exists which is set to a simple default password which is hard-coded into the program or device.From cyber security point of view, it is not the best practices. Meanwhile it boots up the overall risk level.

Vulnerability details: Design limitation encountered on ABB HMI components: A hidden administrative accounts embedded. This credential will be used during the provisioning phase of the HMI interface. Apart from that the credentials allow the provisioning tool “Panel Builder 600” to flash a new interface and Tags (MODBUS coils) mapping to the HMI.

Impact: An attacker can use these credentials to login to ABB HMI to control the operations. Those credentials are used over both HTTP(S) and FTP. Furthermore it let the attacker receive the read/write authority. As a result, it provide a pathway to implant malware into the system.

Official announcement ABB PB610 – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch

Official announcement ABB CP635 HMI – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch

Official announcement ABB CP651 HMI – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch

Preface: The vendor announce that they found vulnerability on their product means they are responsible. Even though it is not a good news. But believe that it is under control.

Product background: Data Center Network Manager (DCNM) is the network management platform for all NX-OS-enabled deployments .

Vulnerability details: Authentication Bypass Vulnerability occurs due to improper session management. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. As a result it bypass credential input and receive victim login connection.

Information supplement: Why should a session be maintained? When there is a series of continuous request and response from a same client to a server, the server cannot identify from which client it is getting requests. Because HTTP is a stateless protocol. When there is a need to maintain the conversational state, session tracking is needed.

Refer to attach diagram, an hints will provide an idea to you what is happen on such design weakness.

Vendor announcement: Please refer to URL https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass

Additional: Arbitrary File Upload and Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex

Preface: You can still find the default username and password on your computer today! Coincidentally, they share common characteristics. They have super user capabilities.

Synopsis: Infoblox delivers essential technology to enable customers to manage, control and optimize DNS, DHCP, IPAM .

Vulnerability Details: A privilege escalation vulnerability in the “support access” feature on Infoblox NIOS 6.8 through 8.4.1 could allow a locally authenticated administrator to temporarily gain additional privileges on an affected device and perform actions within the super user scope.

Enabling this feature allows Infoblox Support (Tier 3 access) to perform root level diagnostics on an appliance that is in severe distress. A special key is required to access the appliance at root level, and only Infoblox Support (Tier 3) can generate this key.

But do you think the following details need attention? Only superusers can access the CLI. To ensure security, access to the CLI is permitted through a direct console connection only. Note that activating the option Enable Remote Console Access in the Grid or Member Properties editor will result in a non-compliant system.

Use the following default user name and password to login.
admin
infoblox

Remark: Default password can be changed.

Remedy: Issue has been resolved in NIOS 8.4.2.

Preface: Router, SD-WAN,Load-balancer, Firewall and IDS and virtual machine. Their operations are based on Linux operation system.

Background: A Selective Acknowledgment (SACK) mechanism, combined with a selective repeat retransmission policy, can help to overcome these limitations. The receiving TCP sends back SACK packets to the sender informing the sender of data that has been received.

Vulnerability details: The ‘tcp_gso_segs’ and ‘tcp_gso_size’ fields are used to tell device driver about segmentation offload. Linux SKB can hold up to 17 fragments.
With each fragment holding up to 32KB on x86 (64KB on PowerPC) of data.During this tranmission of data, the SKB structure can reach its maximum limit of 17 fragments and ‘tcp_gso_segs’ parameter can be exploited by hacker and do the overflow effect. As a result an vulnerability occurs.

Remedy: Login as “root”
echo “0” > /proc/sys/net/ipv4/tcp_sack
echo “net.ipv4.tcp_sack = 0” >> /etc/sysctl.conf
sysctl -p

Reference article: https://kb.cert.org/vuls/id/905115/

Status update (26th Jun 2019) – Linux SACK Panic vulnerability CVE-2019-11477 impact F5 Network. The information shows in following url. https://support.f5.com/csp/article/K78234183

Preface: Add the Viptela SD-WAN technology to the IOS XE software running the ISR/ASR routers. Both Cisco ASR and ISR routers offer secure WAN connectivity.

Vulnerability details: A vulnerability in the CLI of Cisco SD-WAN Solution could allow an authenticated, local attacker to elevate lower-level privileges to the root user on an affected device.

Root Cause Analysis: Remote attacker to overwrite arbitrary files on the underlying operating system of an affected device. An attacker could exploit this vulnerability by modifying the “save” command in the Command Line Interface (CLI) of an affected device.

Impact: A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system of an affected device and escalate their privileges to the root user .

Reference: To save the user preferences class to an XML file simply create an XML Writer and invoke the Serialize method.

Remedy: Cisco has released free software updates that address the vulnerability described in this advisory. Please refer to url – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-sdwan-privesca

Preface – You never know what will be happened tomorrow.

Synopsis: A vulnerability in IBM Tivoli Netcool Impact could allow an authenticated, adjacent attacker to execute arbitrary commands on a targeted system.

Vulnerability details: A vulnerability in IBM Tivoli Netcool Impact could allow an authenticated, adjacent attacker to execute arbitrary commands on a targeted system.At the time this alert was first published, the exploit vector was unknown due to vendor not disclosed the details.We believe that IBM Tivoli Netcool Impact 7.1 has encountered the open source vulnerabilities. The defect might be caused by CVE-2015-0227. Apache WSS4J could allow a remote attacker to bypass security restrictions, caused by the failure to properly enforce the requireSignedEncryptedDataElements property. An attacker could exploit this vulnerability using various types of wrapping attacks to bypass security restrictions and perform unauthorized actions.

IBM has released software updates at the following link: https://www-01.ibm.com/support/docview.wss?uid=ibm10881009