Category Archives: Potential Risk of CVE

CVE-2019-3878: Uninett mod_auth_mellon ECP Authentication Bypass Vulnerability (26th Mar 2019)

Preface: According to Netcraft's statistics for January 2019, Apache's web server market share reached 30.88%.

Technical background: Apache is not only a web server; it can also be configured as a reverse proxy to improve the isolation of the web infrastructure. Single sign-on authentication has grown significantly in the past few years. A popular web architecture sets up Apache as a reverse proxy and integrates single sign-on (SAML) at that layer.

Vulnerability detail: If Apache is configured as a reverse proxy with mod_auth_mellon for authentication, the authentication can be bypassed by adding SAML 2.0 ECP headers to the request.
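As an added example (not code from mod_auth_mellon or the page's author), the following Python shows what a defender can do on a deployment that never intentionally uses the ECP profile: flag or block requests that ask for it. A SAML 2.0 ECP request announces itself through the PAOS binding, which is defined in the public SAML ECP profile specification: an Accept header that lists the PAOS media type and a PAOS header that names the ECP profile. The request records and addresses below are constructed for the example.

```python
# SAML 2.0 ECP requests use the PAOS binding: an Accept header listing the
# PAOS media type and a PAOS header naming the ECP profile. Both strings come
# from the SAML ECP profile specification.
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
ECP_PROFILE_URN = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"


def _header(headers, name):
    """Case-insensitive lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_ecp_request(headers):
    """True when the request asks the SP for the SAML ECP profile."""
    accept = _header(headers, "Accept").lower()
    paos = _header(headers, "PAOS").lower()
    return PAOS_MEDIA_TYPE in accept and ECP_PROFILE_URN.lower() in paos


def triage(requests, ecp_expected=False):
    """Classify a batch of requests. On a deployment that does not use ECP,
    any request flagged as ECP deserves an alert (or a block at the proxy).
    Returns a list of (client, path, verdict) tuples."""
    findings = []
    for req in requests:
        if is_ecp_request(req["headers"]):
            verdict = "expected-ecp" if ecp_expected else "ALERT unexpected ECP"
        else:
            verdict = "browser"
        findings.append((req["client"], req["path"], verdict))
    return findings


# Constructed sample traffic (not captured from any real system).
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "path": "/app/dashboard",
     "headers": {"Accept": "text/html,application/xhtml+xml",
                 "User-Agent": "Mozilla/5.0"}},
    {"client": "10.0.0.9", "path": "/app/admin",
     "headers": {"Accept": "text/html; application/vnd.paos+xml",
                 "PAOS": 'ver="urn:liberty:paos:2003-08";'
                         '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}},
]

if __name__ == "__main__":
    for client, path, verdict in triage(SAMPLE_REQUESTS):
        print("%s %s: %s" % (client, path, verdict))
```

The check is deliberately conservative: both headers must be present, so ordinary browser traffic is never flagged, and the `ecp_expected` switch keeps the same code usable on deployments that do rely on ECP clients. It is a detection aid, not a substitute for installing the fixed mod_auth_mellon release.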

Official announcement and security fixes: https://github.com/Uninett/mod_auth_mellon/releases

CVE-2018-18252 found: CapMon improves its privileged-command handling in the new version.

Preface: Monitoring is a critical function in IT, because it helps defend against cyber attacks and insider threats.

Background: CapMon monitors and collects information from the infrastructure and applications. The system does not require installing extra software on other units in the network. CapMon IT monitoring has a web-based user interface, ensuring fast access to the various functionalities.

Vulnerability details:
Design weakness in this software: all privileged commands “only” grant local administrator privilege, but one command allows an even higher privilege escalation, namely the “CALScriptDRUN” command.
The issue was discovered in CapMon Access Manager 5.4.1.1005: CALRunElevated.exe provides “NT AUTHORITY\SYSTEM” access to unprivileged users via the --system option.

For details, refer to the Improsec analysis report: https://improsec.com/tech-blog/cam1

Front end secure, back end negligent! RSA® Authentication Manager – CVE-2019-3711

Preface: RSA Authentication Manager delivers intelligent, transparent, behind-the-scenes authentication to enhance every secure access scenario.

Product advantage: Take full advantage of virtualization in your organization to ease deployment, administration, and ongoing system management.

Vulnerability details:
RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks.
Hint: Please refer to the attached diagram.

Remedy:
Install RSA Authentication Manager version 8.4 P1 or later.

Cisco has remediated the IP Phone 8800 Series vulnerabilities – 20th Mar 2019

Preface: Cisco announced yesterday that vulnerabilities were found in the IP Phone 8800 Series.

About IP Phone 8800 Series: The Cisco IP Phone 8800 Series delivers HD video and VoIP communications, and integrates with your mobile device to meet your business needs.

Vulnerability details are listed below:

  • Cisco IP Phone 8800 Series Path Traversal Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipptv
  • Cisco IP Phone 8800 Series File Upload Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipfudos
  • Cisco IP Phone 8800 Series Authorization Bypass Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipab
  • Cisco IP Phone 7800 Series and 8800 Series Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-rce
  • Cisco IP Phone 8800 Series Cross-Site Request Forgery Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-csrf

Synopsis of two of the vulnerabilities: Cisco did not provide full details on CVE-2019-1716 and CVE-2019-1763, but there are hints from which we can speculate about these issues. Web applications are highly exposed to input validation errors. Entering an invalid string such as “!@#$%^&*()” into a vulnerable web application may cause performance problems or denial of service on a vulnerable system, and malformed passwords such as “pwd’” or “1=1--” may result in unauthorized access.

CVE-2019-0804 Azure Linux Agent Information Disclosure Vulnerability (14th Mar 2019)

Preface: Deploying from an image is faster than mounting an ISO and installing a VM by hand, which speeds up cloud deployment. When a system administrator builds images for an OpenStack provider, cloud-init and haveged are pre-installed. Azure has a similar component, the Azure Linux Agent (WALinuxAgent).

Vulnerability detail: An information disclosure vulnerability exists in the way Azure WaLinuxAgent creates swap files on resource disks. An authenticated attacker who successfully exploited this vulnerability could view data in swap that is normally hidden.

My speculation: WALA uses “fallocate” instead of “dd” to create the swap file. When an ext4 filesystem is used, a local attacker can call the fallocate() function in order to read fragments of deleted files.
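As an added example (not WALinuxAgent's code), the Python below shows the alternative the post contrasts, in defender terms: write every block of the swap file with zeros (the equivalent of `dd if=/dev/zero`) rather than only reserving extents, create the file with mode 0600 from the first instant, and audit an existing swap file for permissive modes. The temporary directory and sizes are constructed for the example; `demo()` ties the pieces together on a small file so the result can be checked without root.

```python
import os
import stat
import tempfile

CHUNK = 1024 * 1024  # write zeros 1 MiB at a time


def create_zeroed_swapfile(path, size_bytes):
    """Create a swap file whose blocks are explicitly written with zeros.

    Every block is actually written, so the file's content is defined
    (all zeros) rather than whatever the allocator reserved.  The file is
    created O_EXCL with mode 0600 from the start, so there is no window in
    which it is readable by other users.  Returns the bytes written.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    written = 0
    try:
        zeros = b"\x00" * CHUNK
        while written < size_bytes:
            n = min(CHUNK, size_bytes - written)
            written += os.write(fd, zeros[:n])
        os.fsync(fd)
    finally:
        os.close(fd)
    return written


def audit_swapfile(path):
    """Return a list of findings for an existing swap file (empty = OK)."""
    findings = []
    if os.path.islink(path):
        findings.append("path is a symlink")
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other have access; expected mode 0600")
    # Ownership check only makes sense when running as root (the agent does).
    if hasattr(os, "geteuid") and os.geteuid() == 0 and st.st_uid != 0:
        findings.append("not owned by root")
    return findings


def is_all_zero(path):
    """True when every byte of the file is zero (verifies the write-through)."""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def demo():
    """Create a small constructed swap file in a temp dir, audit it before
    and after loosening its mode, and return the observations."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "swapfile")
    size = 2 * CHUNK + 17
    result = {"written": create_zeroed_swapfile(path, size),
              "size_on_disk": os.path.getsize(path),
              "zeroed": is_all_zero(path),
              "findings": audit_swapfile(path)}
    os.chmod(path, 0o644)
    result["findings_after_loosening"] = audit_swapfile(path)
    os.remove(path)
    os.rmdir(d)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Writing the zeros costs I/O time proportional to the swap size, which is exactly why agents prefer `fallocate`; the audit function is the cheap part and is worth running on any host where the swap file was created by tooling you did not write.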

Remedy solution: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0804

12th Mar 2019 – Intel® Software Guard Extensions SDK Advisory

Preface: Address Space Layout Randomization (ASLR) defends against memory corruption attacks. Intel Software Guard Extensions (SGX) goes further: it protects selected code and data from disclosure or modification. From a security point of view, it provides stronger protection than before.

Vulnerability detail: Double free in Intel(R) SGX SDK for Linux before version 2.2 and Intel(R) SGX SDK for Windows before version 2.1 may allow an authenticated user to potentially enable information disclosure or denial of service via local access.

Synopsis: about the double free vulnerability class
In the scenario shown in the attached diagram, the same chunk is returned by two different malloc calls, so both pointers point to the same memory address. If one of them is under an attacker's control, the attacker can modify the memory seen through the other pointer, leading to various kinds of attacks (including code execution).

Official announcement: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00217.html

Security Focus – CVE-2019-5513 VMware Horizon update addresses Connection Server information disclosure vulnerability: 14th Mar 2019

Preface: VMware Horizon Client for Android and iPhone makes it easy to work on your VMware Horizon virtual desktop and hosted applications from your smartphone.

About the security advisory announcement by VMware: The VMware Horizon Connection Server contains an information disclosure vulnerability. Successful exploitation of this issue may allow disclosure of internal domain names, the Connection Server’s internal name, or the gateway’s internal IP address.

My observation: Refer to route paths 1, 2, 3 and 4 (see diagram). Because this application can run at Layer 4, transparency is enforced. Transparency takes a higher priority than Subnet Originating Requests. Therefore, if transparency is enabled on the Virtual Service and Subnet Originating Requests is enabled globally, the Virtual Service still uses transparency. The Real Server sees traffic from this virtual service originating with the client’s source IP address (transparency).

Reference: VMware announcement – 14th Mar 2019

https://www.vmware.com/security/advisories/VMSA-2019-0003.html

https://www.vmware.com/security/advisories/VMSA-2019-0002.html

PHP EXIF exif_process_IFD_in_TIFF Method Arbitrary Code Execution Vulnerability

Preface: With the exif extension you can work with image metadata. PHP scripts can update the dates in EXIF photo headers. The headers include fields such as time taken, time modified, camera make and camera model.

Design objective of exif_process_IFD_in_TIFF:
Parse the TIFF header.

Vulnerability found:
When running a test script, Valgrind's Memcheck reported that an undefined value is used in a dangerous way in exif_process_IFD_in_TIFF.
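As an added example (not PHP's code and not the page author's), the Python below implements the parsing stage that exif_process_IFD_in_TIFF is responsible for, the TIFF header and the first image file directory (IFD0), with every read checked against the buffer length before it happens. That is the discipline whose absence shows up in Memcheck as an undefined value being used: an entry count, a field type or a value offset taken from the file must not be trusted to stay inside the buffer. The sample TIFF bytes, tag values and the out-of-range variants are constructed for the example.

```python
import struct

# Byte widths of the TIFF field types (TIFF 6.0 types 1-12); any other type
# is rejected rather than guessed at.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
IFD_ENTRY_LEN = 12
HEADER_LEN = 8


class TiffError(ValueError):
    """Raised for any structurally invalid or truncated TIFF input."""


def parse_tiff_ifd0(data):
    """Parse the TIFF header and the first image file directory (IFD0).

    Every read is bounds-checked against len(data) before it happens, so an
    entry count, field type or value offset that points past the end of the
    buffer raises TiffError instead of reading undefined memory.  Returns the
    struct byte-order prefix ('<' or '>') and a dict of
    tag -> (type, count, raw value bytes).
    """
    if len(data) < HEADER_LEN:
        raise TiffError("truncated TIFF header")
    if data[:2] == b"II":
        order = "<"
    elif data[:2] == b"MM":
        order = ">"
    else:
        raise TiffError("bad byte-order mark %r" % data[:2])
    magic, ifd_off = struct.unpack(order + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad TIFF magic %d" % magic)
    if ifd_off < HEADER_LEN or ifd_off + 2 > len(data):
        raise TiffError("IFD0 offset %d is outside the file" % ifd_off)
    (n_entries,) = struct.unpack(order + "H", data[ifd_off:ifd_off + 2])
    table = ifd_off + 2
    if table + n_entries * IFD_ENTRY_LEN + 4 > len(data):
        raise TiffError("IFD0 declares %d entries but the file is too short" % n_entries)
    tags = {}
    for i in range(n_entries):
        off = table + i * IFD_ENTRY_LEN
        tag, typ, count, value_field = struct.unpack(order + "HHII", data[off:off + IFD_ENTRY_LEN])
        if typ not in TYPE_SIZES:
            raise TiffError("tag %d has unknown field type %d" % (tag, typ))
        size = TYPE_SIZES[typ] * count
        if size <= 4:
            # Values of up to 4 bytes live inline, left-justified in the field.
            raw = data[off + 8:off + 8 + size]
        else:
            if value_field < HEADER_LEN or value_field + size > len(data):
                raise TiffError("tag %d value (offset %d, %d bytes) is outside the file"
                                % (tag, value_field, size))
            raw = data[value_field:value_field + size]
        tags[tag] = (typ, count, raw)
    return order, tags


def decode_value(order, typ, count, raw):
    """Decode ASCII, SHORT and LONG fields; return raw bytes for other types."""
    if typ == 2:
        return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    if typ == 3:
        values = struct.unpack(order + "%dH" % count, raw)
    elif typ == 4:
        values = struct.unpack(order + "%dI" % count, raw)
    else:
        return raw
    return values[0] if count == 1 else values


def build_sample_tiff(make_offset=None):
    """Constructed little-endian TIFF with ImageWidth=640 and Make="Example".
    make_offset overrides where the Make string is claimed to live, so the
    caller can fabricate an out-of-range pointer to exercise the checks."""
    make = b"Example\x00"
    ifd_off = HEADER_LEN
    strings_off = ifd_off + 2 + 2 * IFD_ENTRY_LEN + 4  # directly after IFD0
    header = b"II" + struct.pack("<HI", 42, ifd_off)
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", 256, 3, 1, 640)  # ImageWidth, SHORT, inline
    ifd += struct.pack("<HHII", 271, 2, len(make),
                       strings_off if make_offset is None else make_offset)
    ifd += struct.pack("<I", 0)  # no further IFDs
    return header + ifd + make


def rejects(data):
    """True when the parser refuses the input with TiffError."""
    try:
        parse_tiff_ifd0(data)
        return False
    except TiffError:
        return True


if __name__ == "__main__":
    order, tags = parse_tiff_ifd0(build_sample_tiff())
    for tag, (typ, count, raw) in sorted(tags.items()):
        print(tag, decode_value(order, typ, count, raw))
    print("out-of-range Make rejected:", rejects(build_sample_tiff(make_offset=4000)))
    print("truncated file rejected:", rejects(build_sample_tiff()[:20]))
```

The two rejection cases are the ones a fuzzer finds first in any IFD walker: a value offset that points past the end of the file, and a directory whose declared entry count does not fit in the bytes that remain.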

My speculation:
A short registration process helps get more subscribers to your website. Login with Facebook is a quick and powerful way to integrate a registration and login system on the website. The PHP SDK allows accessing the Facebook API from the web application. But to get started with the latest version of Facebook SDK v5.x, make sure your system meets the following requirement:
PHP version should be 5.4 or greater.
What if servers that originally connect to Facebook and have PHP version 7.x installed are all compromised because of the vulnerability? In the meantime, they would start attacking Facebook. Do you think this is how the story began on 14th Mar 2019?

Remedy: Upgrade PHP (http://php.net/downloads.php)

CVE-2019-1723 Cisco Common Services Platform Collector Static Credential Vulnerability – 13th Mar 2019

Preface: The CSP-C’s basic function is to discover the network elements and collect information from them. The design goal is to enhance the overall detective and preventive controls in the IT infrastructure.

Technical highlight: To perform the Network Discovery and Data Collection operations, the CSP-C needs the following credentials: an SNMP read-only community, Telnet or SSH credentials, and HTTP or HTTPS credentials. Not every device needs to be accessed via CLI or SOAP; however, SNMP is required for all devices.

Vulnerability detail: The affected software has a user account with a default, static password.

Vendor announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190313-cspcscv

CVE-2019-9636 (Python) urlsplit does not handle NFKC normalization

Preface: Python is used widely in robotics, including applying artificial intelligence to robots.

Why choose Python?
Less code: Python can implement the same logic with as little as 1/5th of the code compared to other OOP languages.

Prebuilt libraries: these include NumPy for scientific computation, SciPy for advanced computing and PyBrain for machine learning.

Vulnerability detail – announced on 6th Mar 2019:
A vulnerability in the urllib.parse.urlsplit and urllib.parse.urlparse components of Python could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system.
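As an added example (not CPython's code and not the page author's), the Python below shows the class of input behind this issue and a check of the same kind that the fix introduced: some non-ASCII characters, such as the fullwidth “＃” (U+FF03) or “＠” (U+FF20), turn into the ASCII delimiters `#` and `@` under NFKC normalization, which moves the boundary of the host name if any later stage normalizes the URL. The function refuses a netloc that is not stable under NFKC, so the same policy applies whether or not the interpreter running it already carries the fix. The sample URLs are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that delimit the parts of a URL; if NFKC normalization of the
# netloc produces one of these, the host boundary would change.
NETLOC_DELIMITERS = "/?#@:"


def netloc_changes_under_nfkc(netloc):
    """True if NFKC-normalizing the netloc introduces a URL delimiter.

    Delimiters already present are removed first (they are legitimate, e.g.
    the ':' before a port), then the remainder is normalized and inspected.
    """
    if all(ord(c) < 128 for c in netloc):
        return False  # ASCII is NFKC-stable
    stripped = "".join(c for c in netloc if c not in NETLOC_DELIMITERS)
    normalized = unicodedata.normalize("NFKC", stripped)
    return any(d in normalized for d in NETLOC_DELIMITERS)


def safe_urlsplit(url):
    """urlsplit that refuses URLs whose netloc is not NFKC-stable.

    On a patched interpreter urlsplit itself raises ValueError for such
    input; on an unpatched one the explicit check below does the same job.
    """
    parts = urlsplit(url)
    if netloc_changes_under_nfkc(parts.netloc):
        raise ValueError("netloc %r contains invalid characters under NFKC normalization"
                         % parts.netloc)
    return parts


def is_safe_url(url):
    """Convenience wrapper: True when the URL passes safe_urlsplit."""
    try:
        safe_urlsplit(url)
        return True
    except ValueError:
        return False


# Constructed samples: the first two are benign (plain ASCII and a host with
# a precomposed 'ü', which NFKC leaves unchanged); the last two carry
# fullwidth '#' and '@' that normalize to ASCII delimiters.
SAMPLES = [
    "https://example.com/path?q=1",
    "https://b\u00fccher.example/",
    "https://example.com\uff03@bing.com",
    "https://example.com\uff20evil.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(repr(url), "safe" if is_safe_url(url) else "REJECTED")
```

Treat the rejection as a hard error at the trust boundary (an allow-list of hosts, an SSRF guard, a redirect validator): a URL whose host name depends on which component normalizes it first cannot be validated reliably.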

Official announcement: https://bugs.python.org/issue36216