Category Archives: Potential Risk of CVE

Potential Risk of CVE, Under our observation

Published Monday, May 14, 2018 – Adobe Releases Security Updates

 

Death Note is a Japanese manga series. The story describ that if someone’s name is written on it while the writer imagines that person’s face, he or she will die. The computer and smartphone devices who installed adobe acrobat reader are in the similar situation. The vulnerabilities in Adobe Acrobat and Reader and Photoshop CC causes a remote attacker could exploit some of these vulnerabilities to take control of an affected system. As a result the system has been compromised. Please be reminded that the Adobe design flaw are critical level of vulnerabilities. IT admin must be staying extra alert.

See below security updates for reference.

Security updates available for Adobe Acrobat and Reader:

https://helpx.adobe.com/security/products/acrobat/apsb18-09.html

Security updates available for Adobe Photoshop CC:

https://helpx.adobe.com/security/products/photoshop/apsb18-17.html

Potential Risk of CVE

CVE-2018-10548 – allows remote LDAP servers to cause a denial of service (12th May 2018)

13 Comments

Have you watch a movie Saturday night fever. From technology world point of view, they are every night fever. As times go by, Cloud computing, single sign-on system become a base in technology world. Even though security expert concern about the data privacy matters or single sign-on unforeseen cyber security issues.  A intangible force driven the world agree the technology silently. We do not have the right to say no, right? Application developers or CSO must be staying alert of your PHP language application. The design weakness of the PHP looks possible transform himself become a culprit. And thus create trouble to your web application. Should you have interest to know more. Please refer to below url for reference.

CVE-2018-10548:

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.

https://www.securityfocus.com/bid/104019

#76248 Malicious LDAP-Server Response causes Crash:

https://bugs.php.net/bug.php?id=76248

 

 

Potential Risk of CVE, Under our observation

Security Alert – Debug Exception May Cause Unexpected Behavior (8thMay2018)

CVE-2018-8897 indicate that an unexpected behavior for debug exceptions. A possibility way causes a local attacker could exploit this bug to obtain sensitive information. Regarding to my observation, this issue found on 2008 by system developer accidentally. However the dangerous issue of this vulnerability is that it is difficult to detect. It is hard to imaginate the actual status when threat actor successful re-engineering this bug transform to cyber attack. In the moment, no idea what will be the next. Should you have interest about the details, please refer below url for reference.

https://www.kb.cert.org/vuls/id/631579

Potential Risk of CVE

Microsoft Patch Tue security Focus – 8th May 2018

Microsoft Patch Tue transform to weekly routine security process. As far as I know, IT technical experts are busy for change management control schedule (time window) weekly. For the evaluation of each vulnerability most likely will be do a quick walk-through. As a  matter of fact, engage the patch updating exercise looks time consuming. IT Dept will be do the patch management out of office hour, earlier morning or Sunday morning. But think it over, our existing business world seems operate in 24 hours. Another new round of patch announcement will be held on coming Tue.  And therefore implement managed security services become a significant pathway.

Remark: We are all under demanding competitions environment!

CredSSP updates for CVE-2018-0886

My security focus for Microsoft Patch Tue this week will be observe the vulnerability of Credential Security Support Provider protocol. Regarding to my observation, vendor doing 3 times of security enhancement last 3 months. For details, please refer to diagram above.

The spectra and meltdown vulnerabilities found this year bring the people focus to CPU design architecture. As a matter of fact, memory management looks critical today because of APT attack. Heterogeneous systems that integrate a multicore CPU and a GPU on the same die are ubiquitous. On these systems, both the CPU and GPU share the same physical memory as opposed to using separate memory dies.

In order to avoid Credential Theft , what is the Secure practice?

  1. Prevent network logon for local accounts
  2. Prevent credentials from remaining in-memory when connecting remotely (out of IT operation control)
  3. Prevent access to in-memory credentials (Control by application developers)
  4. Leverage protected users and control privileged users

In short, please refer to Microsoft official announcement for reference.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886

 

Potential Risk of CVE

Netapp-How I met your Java debugger(CVE-2018-5486)

How I met your Java debugger is not a new hacking technique. It announced in 2014. Hacker is able to turn any open JDWP service into reliable remote code execution. But it can only execute in inside compartment (exploit inside). JDWP is one component of the global Java debugging system, called the Java Platform Debug Architecture. Hardware storage vendor (Netapp) found vulnerabiliy on their product. A design weakness of Java Platform Debug Architecture with their products cause local code execution vulnerability in OnCommand Unified Manager (Linux 7.2 and above). Vendor (Netapp) provides remediation, for more detail please refer below url for reference.

https://security.netapp.com/advisory/ntap-20180425-0001/

Potential Risk of CVE, Under our observation

Hacker also interest of the SIEM operation (CVE-2018-1418)

SIEM functions play an important role in the IT infrastructure. And therefore the security architect plan to design the SIEM not only focusing for log collection, correlation, alert and report templates. Meanwhile, a critical item must be added to the design objective. That is how to hidden your SIEM. For instance, hacker target most likely is the IT admin or CSO because they have confidental data or priviligies ID on hand. Besides, hacker also interest of the SIEM operation.

IBM Q Radar announce that a vulnerability occurs in their SIEM. Q-Radar admin must stay alert!

Since IBM do not mention what is the possible cause of this vulnerability.
Reveiw their windows log event collection method. My speculation is shown as below:
QRadar requires XPath query to communcation with windows server.
An XPath query is a log source parameter that filters specific events when the query communicates with a Windows 2008 or newer event log.
The XPath injection also leads to extracting document structure and modify the document information in addition to escalate privileges.

For more details. please see below url for reference.

CVE-2018-1418 – IBM Security QRadar SIEM privilege escalation

https://exchange.xforce.ibmcloud.com/vulnerabilities/138824

Potential Risk of CVE

2nd May 2018 – Windows Host Compute Service Shim Remote Code Execution Vulnerability

A low level container management API in Hyper-V called the Host Compute Service (HCS). HCS compatible written in Go (and used by Docker), and the other is written in C#.
On 2nd of May, Microsoft official announcement urge end user who deployed Host Computer Service (HCS) requires to do the security update. Microsoft has patched their own infrastructure hosting offerings, as have Microsoft partners with Google among them.

Technical details:

(CVE-2018-8115) –  Duplicate the original CVE technical details.

A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image. To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host.

 

For remediation of design limitation, new version of hcsshim v0.6.10 enhance sanitize function. So called sanitize function did not use below command.
Example:

p := xxxxx.UGCPolicy()
user.Name, user.Address = p.Sanitize(user.Name),p.Sanitize(user.Address)

But do you have any idea in regards to below command syntax?

}

func makeError(err error, title, rest string) error {
 // Pass through DLL errors directly since they do not originate from HCS.
 if _, ok := err.(*syscall.DLLError); ok {
 return err
 }
 return &HcsError{title, rest, err}
}

The new release of the hcsschim able to addresses security fixes.For more details, please refer below url for reference.

Change to address CVE-2018-8115

https://github.com/Microsoft/hcsshim/releases/tag/v0.6.10

Potential Risk of CVE

Cisco Releases Security Updates Original release date: May 02, 2018

Cisco WebEx Advanced Recording Format Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-war

Reminder: My comment is that enterprise firm CSO may require to update the security policy on how to use the Cisco webex.

Cisco Prime File Upload Servlet Path Traversal and Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-prime-upload

Cisco Secure Access Control System Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1

Remark: Cisco Secure ACS product offering is no longer being sold after August 30, 2017

Blockchain, Potential Risk of CVE

CVE-2018-10299 – integer overflow jeopardize Ethereum Zone

18 Comments

In the view of cryptocurrency supporter, Ethereum is the best. The cyber incident occured in cryptocurrency world so far shift the security focus to e-wallet (end point). Perhaps the cyrpto platform itself contains design limitation. However the end point design of crypto currency platform looks have more space for improvement.

If you install the MetaMask browser plugin, you can manage your accounts in your browser. The keys are stored only on your browser, so you are the only one who has access to your account and the private key. But when the web browser encounter vulnerability. It may jeopardize your private key. So security urge the crypto currency owner make use of hardware token instead of software.

We understand that web3.js is a collection of libraries which allow you to interact with a local or remote Ethereum node, using a HTTP or IPC connection. Java application encounter  vulnerabilities caused end user encounter cyber attack is not a news. Above informative diagram shown the integer overflow vulnerability of Ethereum case study involves java applet on the client side. As a front end application, Java application may not aware that he is the accomplice with the cryptocurrency cyber security incident.

Return to reality. Below headline news shown the vulnerabilities occurred in Ethereum (see below for reference). I am wishing that above details can provides hints to you for reference.  Let’s us awaken the design weakness of Ethereum cypto currency platform.

Critical EOS Smart Contract Vulnerability Discovered By Auditing Firm

https://bitcoinexchangeguide.com/critical-eos-smart-contract-vulnerability-discovered-by-auditing-firm/

 

Potential Risk of CVE, Public safety

Siemens – (CVE-2018-4832): Siemens Security Advisory by Siemens Product 18th Apr 2018

The Gas and Petroleum industries requires automation to enhance their overall operation in last decade. And therefore the automation system setup requires Supervisory control and data acquisition (SCADA). We noticed that hackers targeted SCADA system installed in nuclear power facilities. We are living in digital age and therefore electricity power supply similar air and water. So system automation hardware vendor has responsibility to hardening their system design. Siemens found vulnerability in their Automation Technology Process control systems (PCS 7) on April last month. For more details, please refer below url for reference.

Vulnerability details

https://cert-portal.siemens.com/productcert/pdf/ssa-348629.pdf

My Speculation:

1. A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. An anonymous attacker could exploit the vulnerability by sending a specially crafted RPC authentication request to a computer over the network. An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.

2. GetMachineName ( ) copies machine name to a fixed 32 byte buffer causes problem occurs.