Category Archives: Potential Risk of CVE

Previous vulnerabilities, today’s emergency alert – 1st June 2019

Preface: What can you do when the victim of a cyber attack is itself a defensive device?

Background: The leading players named in the Global IT Asset Management (ITAM) Software Market Research Report are HP, Cherwell Software, Oracle and Dell KACE.

Vulnerability details: The Dell KACE K1000 appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross-site scripting vulnerability.

Comment: As usual, the vendor did not provide the vulnerability details. The SQL injection vulnerability appears similar to a previously reported one, described below:

Failure to properly filter the “macAddress” parameter values of the getUploadPath and getKBot SOAP methods can result in the injection of arbitrary SQL code to manipulate SQL queries.
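As an added illustration (not Dell KACE code), the pattern behind the earlier flaw and its fix: a handler that pastes the macAddress value into SQL text, beside one that validates the value as a MAC address and binds it as a query parameter. Table, column and function names are assumptions and the data is constructed.

```python
"""Added example (not Dell KACE code): validate a macAddress parameter and bind it
as a query parameter, as a getUploadPath-style SOAP handler should. Table, column
and function names are assumptions; the data is constructed."""
import re
import sqlite3

# Six hex octets separated by ':' or '-'; nothing else is a MAC address.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def is_valid_mac(value):
    """True only for a well-formed MAC address (quotes, spaces, SQL all fail)."""
    return isinstance(value, str) and MAC_RE.match(value) is not None

def get_upload_path_vulnerable(conn, mac):
    """The flawed pattern: caller-controlled text pasted into the SQL string."""
    sql = "SELECT upload_path FROM agents WHERE mac_address = '%s'" % mac
    return [row[0] for row in conn.execute(sql)]

def get_upload_path_hardened(conn, mac):
    """Reject anything that is not a MAC address, then bind it as a parameter
    so the database engine never interprets the value as SQL."""
    if not is_valid_mac(mac):
        raise ValueError("macAddress must be a MAC address")
    normalized = mac.upper().replace("-", ":")  # stored form uses ':' separators
    sql = "SELECT upload_path FROM agents WHERE mac_address = ?"
    return [row[0] for row in conn.execute(sql, (normalized,))]

def hardened_rejects(conn, mac):
    """Helper for checks: True when the hardened lookup refuses the input."""
    try:
        get_upload_path_hardened(conn, mac)
    except ValueError:
        return True
    return False

def make_demo_db():
    """Constructed in-memory table standing in for the appliance's agent records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agents (mac_address TEXT, upload_path TEXT)")
    conn.executemany("INSERT INTO agents VALUES (?, ?)", [
        ("AA:BB:CC:00:11:22", "/uploads/host-a"),
        ("AA:BB:CC:00:11:33", "/uploads/host-b"),
    ])
    return conn
```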

Remedy: Apply patch SEC2018_20180410. Note: KACE SMA versions 9.0.270 and later already include these security fixes.

CVE-2019-5018 Sqlite3 Window Function Functionality Use-After-Free Vulnerability

Preface: A use-after-free vulnerability is a bit like a ruminating animal: something already swallowed is brought back up and chewed again.

Background: SQLite3 is a compact, free database engine that lets you easily create and use a database. It has become very popular with smartphone developers. SQLite runs on many different computer systems, such as Apple OS X, Linux and Windows. Even Airbus is a SQLite3 user.

Vulnerability details: A vulnerability in SQLite3 could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability is due to a use-after-free condition in the window function functionality of the affected software. An attacker who triggers it could execute arbitrary code and completely compromise the system.

Remedy: At the time this alert was first published, SQLite had not released a software update.

CVE-2019-10132 – libvirt virtlockd-admin.socket & virtlogd-admin.socket systemd Privilege Escalation Vulnerability (May 2019)

Preface: Business computing architecture has moved into the virtualization world; that was perhaps hard to imagine five years ago!

Technical background: The libvirt library is used to interface with different virtualization technologies. It is accessible from C, Python, Perl, Java and more. Meanwhile, the libvirt project supports KVM, QEMU, Xen, Virtuozzo, VMware ESX, LXC and bhyve. Libvirt's built-in API is widely used in the virtual machine monitor orchestration layer in cloud solution development.

Vulnerability details: A vulnerability in libvirt could allow an authenticated, remote attacker to escalate privileges on a targeted system. The vulnerability exists because the virtlockd-admin.socket and virtlogd-admin.socket unit files do not set the SocketMode configuration parameter in the affected software.

Workaround: Disable the virtlockd-admin.socket and virtlogd-admin.socket units in systemd. Alternatively, customize them locally to add SocketMode=0600.
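To make the workaround checkable, here is an added example (not libvirt or systemd code) that parses a .socket unit plus any local drop-in, reports the effective SocketMode (systemd's default of 0666 when none is set) and flags group/other access. The unit text and socket path below are constructed stand-ins, not the upstream files.

```python
"""Added example (not libvirt or systemd code): audit a systemd .socket unit and
its drop-ins for a missing or permissive SocketMode. Sample text is constructed."""
import re

# Constructed stand-in for a virtlockd-admin.socket that never sets SocketMode.
SAMPLE_UNIT_WITHOUT_MODE = """\
[Unit]
Description=Virtual machine lock manager admin socket
[Socket]
ListenStream=/run/libvirt/virtlockd-admin-sock
Service=virtlockd.service
"""
# Local drop-in matching the advisory's workaround (e.g. via 'systemctl edit').
SAMPLE_DROPIN_FIXED = """\
[Socket]
SocketMode=0600
"""

def socket_mode(unit_text):
    """SocketMode from the [Socket] section (last value wins, as in systemd),
    or None when the unit never sets one."""
    section, mode = None, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if section == "Socket" and sep and key.strip() == "SocketMode":
            mode = value.strip()
    return mode

def effective_mode(unit_text, *dropins):
    """Unit first, then drop-ins in load order; later values override.
    systemd falls back to 0666 when no fragment sets SocketMode."""
    mode = None
    for fragment in (unit_text,) + dropins:
        found = socket_mode(fragment)
        if found is not None:
            mode = found
    return mode if mode is not None else "0666"

def grants_group_or_other_access(mode_str):
    """True when group or other permission bits allow any access to the socket."""
    return (int(mode_str, 8) & 0o077) != 0
```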

Remedy: libvirt has released software updates at the following link – https://github.com/libvirt/libvirt/releases

CVE-2019-0911 Microsoft Edge and Internet Explorer Scripting Engine Memory Corruption Vulnerability – May 2019

Synopsis: Over time, cyber criminals have built phishing scams around email and website visits; this seems to be a main trend. To avoid such attacks, home users install antivirus programs with malware detection, virus protection and predictive controls. But what can we do if the web browser itself contains a vulnerability?

Vulnerability details:
A remote code execution vulnerability exists in the way that the script engine handles memory objects in Microsoft browsers. The vulnerability could corrupt memory and an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged in with administrative user rights, an attacker who successfully exploited the vulnerability could control the affected system.

Remedy: Microsoft has released detailed information at the following link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0911

CVE-2019-11634 Citrix Workspace App before 1904 for Windows has incorrect access control – 22nd May 2019

Preface: VDI (Virtual Desktop Infrastructure) is one of the ways to make your IT operations more secure.

Product overview: Citrix Workspace Suite is a collection of Citrix products that deliver secure access to desktops, data, applications and services to subscribers on any device, and on any network.

Vulnerability details: Citrix Workspace App before 1904 for Windows has incorrect access control.

Beginning August 2018, Citrix Receiver will be replaced by Citrix Workspace app. A vulnerability has been identified in Citrix Workspace app and Receiver for Windows that could result in local drive access preferences not being enforced, allowing an attacker read/write access to the client's local drives, which could enable code execution on the client device.

Remedy: Official announcement via the following link – https://support.citrix.com/article/CTX251986

CVE-2019-11328 Singularity 3.1.0 to 3.2.0-rc2 defect causes privilege escalation on the host – May 2019

Preface: We might debate how powerful a computer must be before it is called a supercomputer or HPC system.

Technical background:

When Docker creates a container, it creates a new instance of each of the six Linux namespaces and then puts all the processes in the container into these namespaces, so that processes in the Docker container can only see isolated system resources.

A process is visible to other processes in its PID namespace, and to the processes in each direct ancestor PID namespace going back to the root PID namespace.

Vulnerability details: A malicious user with local or network access to the host system (e.g. via ssh) could exploit this vulnerability: insecure permissions allow a user to edit files within /run/singularity/instances/sing//. Manipulating those files can change the behavior of the starter-suid program when instances are joined, resulting in potential privilege escalation on the host.

Remedy: Official announcement via the following link – https://github.com/sylabs/singularity/releases/tag/v3.2.0

Siemens security advisory – Multiple Vulnerabilities in SIMATIC WinCC, SIMATIC WinCC Runtime, SIMATIC PCS7, SIMATIC TIA Portal (May 2019)

Preface: DCOM is a proprietary Microsoft technology for communication between software components on networked computers.

Technical background: High-level applications use the DCOM client to obtain object references and make ORPC calls on the object. The DCOM client uses the RPC Protocol Extensions to communicate with the object server.

Vulnerability details: An authenticated attacker with network access to the DCOM interface could execute arbitrary commands with SYSTEM privileges. The vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires authentication with a low-privileged user account and no user interaction. Have you heard of the Windows Net-NTLMv2 reflection DCOM/RPC attack technique? The key element is the CLSID string. Given the CLSID of each DCOM application, the script attempts to activate each one and checks whether a MemberType property or method indicates a way to execute code. So...

Official announcement – https://cert-portal.siemens.com/productcert/pdf/ssa-697412.pdf

RSA security advisory: CVE-2019-3724 & CVE-2019-3725 – 9th May 2019

Preface: Gartner reports give people direction, but sometimes, as a customer, you can select the appropriate product on your own judgement, for instance a cyber security product.

Technical background: SIEM software products provide real-time analysis of security alerts generated by applications and network hardware. NetWitness can investigate captured data and display the real scenario on screen. This is very important in the IT world nowadays.

Synopsis: RSA, a security product pioneer, has been on the market for more than a decade. In 2011 it acquired NetWitness and integrated the product, which under today's naming convention is Security Analytics. It contains SIEM, real-time capture of network activity data (big data) and malware analysis (ECAT). From a technical point of view, the GUI (dashboard) and web access technology do not appear to have received any security enhancement.

Vulnerability details: NetWitness Platform versions prior to 11.2.1.1 and RSA Security Analytics versions prior to 10.6.6.1 are vulnerable to an authorization bypass vulnerability and a command injection vulnerability. For more details, please refer to the link below:

https://community.rsa.com/docs/DOC-104202

CVE-2019-12098 – Heimdal design limitation causes man-in-the-middle attack vulnerability – 20th May 2019

Preface: Before Kerberos, Microsoft used an authentication technology called NTLM.

Technical background: The biggest difference between the two systems is the third-party verification and stronger encryption capability in Kerberos. Kerberos version 4 was targeted at Project Athena in the 80s. Neuman and Kohl published version 5 in 1993 to improve on the limitations and enhance the security.
Heimdal is an implementation of Kerberos 5 with a large footprint in Sweden.

About PKINIT:
Specifies the Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol. This protocol enables the use of public key cryptography in the initial authentication exchange of the Kerberos Protocol (PKINIT) and specifies the Windows implementation of PKINIT where it differs from [RFC4556].

Vulnerability Details:
RFC 8062, Section 7, requires verification of the PA-PKINIT-KX key exchange when anonymous PKINIT is used. Failure to do so can permit an active attacker to conduct a man-in-the-middle attack.

Comment: This vulnerability does not only affect the open-source Heimdal product; I believe more vendors will report similar problems afterwards. Heimdal has released updates via the following link: https://github.com/heimdal/heimdal/tags

Security Focus – VMware (May 2019)

Preface: Intel flaws (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091) have made VMware a victim! And does a VMware Workstation update addressing a DLL-hijacking issue (CVE-2019-5526) look like old news?

VMware Vulnerability details:

VMware Workstation update addresses a DLL-hijacking issue (CVE-2019-5526) – https://www.vmware.com/security/advisories/VMSA-2019-0007.html

VMware product updates enable Hypervisor-Specific Mitigations, Hypervisor-Assisted Guest Mitigations, and Operating System-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091)

Technical background: To improve the performance of writing data back to Intel CPU caches, the write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand off address generation logic for optimized writes. However, a design limitation allows unauthorized users to access data used by other programs, containers and virtual machines, the so-called ZombieLoad. The ZombieLoad attack affects all Intel CPUs since 2011.

VMware Security Advisories – https://www.vmware.com/security/advisories/VMSA-2019-0008.html