Category Archives: Potential Risk of CVE

May 15, 2018 – VMware releases security update. Alert!

VMware has released a security update to address a vulnerability in NSX SD-WAN Edge by VeloCloud. I could not find technical details, but the vendor states that VeloCloud by VMware will be removing the web UI component service from the product in future releases. My speculation is that this existing design limitation could be combined with the earlier vulnerability (CVE-2017-4947), and that the combination is what creates the risk. See the hints below for reference.

There are two different product editions of NSX: NSX for vSphere and NSX for Multi-Hypervisor (MH). It’s speculated they will merge down the road, but for many possible, or soon to be, users of NSX, it doesn’t matter, because they are used to support different use cases. NSX for vSphere is ideal for VMware environments, while NSX for MH is designed to integrate into cloud environments that leverage open standards, such as OpenStack.

Vulnerability Details for reference:

Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud

https://www.vmware.com/security/advisories/VMSA-2018-0011.html

CVE-2017-4947: vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities

https://www.vmware.com/security/advisories/VMSA-2018-0006.html

Published: 8th May 2018 – MS-Sharepoint Security Vulnerability

The coming GDPR data protection penalties drove me to draft this SharePoint vulnerability discussion. Microsoft Dynamics CRM and Microsoft SharePoint are two powerful enterprise applications that are very popular in the business world; many enterprises integrate their data warehouse platform with SharePoint. However, the SharePoint architecture contains a fundamental design weakness. Take a look at your Active Directory and SharePoint server architecture: a common deployment installs both the web front end and the SharePoint server on the same machine (a product design limitation). The system architect then installs a proxy server as a front end to improve the isolation level. Refer to the attached diagram: the SharePoint vulnerabilities combined with the Win32k elevation of privilege vulnerability could compromise the whole SharePoint system. The GDPR takes effect on 25th May 2018, and a company that fails to meet the data protection requirements can be fined. For lesser offences the fine is halved to €10 million, or up to 2 percent of the offending organisation's annual revenue. So we must stay alert!

Reference:

CVE-2018-8155 | Microsoft SharePoint Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8155

CVE-2018-8168 | Microsoft SharePoint Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8168

CVE-2018-8156 | Microsoft SharePoint Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8156

CVE-2018-8149 | Microsoft SharePoint Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8149

CVE-2018-8164 | Win32k Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8164


Published Monday, May 14, 2018 – Adobe Releases Security Updates


Death Note is a Japanese manga series. In the story, if someone's name is written in the notebook while the writer pictures that person's face, that person dies. Computers and smartphones with Adobe Acrobat Reader installed are in a similar situation. The vulnerabilities in Adobe Acrobat and Reader and in Photoshop CC allow a remote attacker to exploit some of them to take control of an affected system; the result is a compromised system. Please be reminded that these Adobe design flaws are rated critical. IT admins must stay extra alert.

See below security updates for reference.

Security updates available for Adobe Acrobat and Reader:

https://helpx.adobe.com/security/products/acrobat/apsb18-09.html

Security updates available for Adobe Photoshop CC:

https://helpx.adobe.com/security/products/photoshop/apsb18-17.html

CVE-2018-10548 – allows remote LDAP servers to cause a denial of service (12th May 2018)

Have you watched the movie Saturday Night Fever? From the technology world's point of view, every night is fever night. As time goes by, cloud computing and single sign-on systems have become the base of the technology world, even though security experts are concerned about data privacy and the unforeseen security issues of single sign-on. An intangible force has silently driven the world to accept the technology; we do not have the right to say no, right? Application developers and CSOs must stay alert about their PHP applications: this design weakness in PHP's LDAP extension could turn the language itself into the culprit and create trouble for your web application. Should you be interested in more detail, please refer to the URLs below.

CVE-2018-10548:

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.

https://www.securityfocus.com/bid/104019

#76248 Malicious LDAP-Server Response causes Crash:

https://bugs.php.net/bug.php?id=76248


Security Alert – Debug Exception May Cause Unexpected Behavior (8th May 2018)

CVE-2018-8897 describes unexpected behavior in the handling of debug exceptions. A local attacker could potentially exploit this bug to obtain sensitive information. From my observation, this issue was found in 2008 by a system developer accidentally. However, the dangerous aspect of this vulnerability is that it is difficult to detect. It is hard to imagine what would happen if a threat actor successfully re-engineers this bug into a cyber attack. At the moment, there is no telling what comes next. Should you be interested in the details, please refer to the URL below.

https://www.kb.cert.org/vuls/id/631579

Microsoft Patch Tuesday security focus – 8th May 2018

Microsoft Patch Tuesday has turned into a weekly routine security process. As far as I know, IT technical experts are busy with change management control schedules (time windows) every week, so the evaluation of each vulnerability will most likely be a quick walk-through. As a matter of fact, the patch updating exercise looks time consuming, and IT departments do patch management out of office hours, early in the morning or on Sunday morning. But think it over: our business world seems to operate 24 hours a day, and another round of patch announcements will be held next Tuesday. Therefore, implementing managed security services becomes a significant pathway.

Remark: We are all under demanding competitions environment!

CredSSP updates for CVE-2018-0886

My security focus for Microsoft Patch Tuesday this week is the vulnerability in the Credential Security Support Provider protocol (CredSSP). From my observation, the vendor has issued three rounds of security enhancement in the last three months. For details, please refer to the diagram above.

The Spectre and Meltdown vulnerabilities found this year brought people's focus to CPU design architecture. As a matter of fact, memory management looks critical today because of APT attacks. Heterogeneous systems that integrate a multicore CPU and a GPU on the same die are ubiquitous. On these systems, the CPU and GPU share the same physical memory as opposed to using separate memory dies.

In order to avoid credential theft, what are the secure practices?

  1. Prevent network logon for local accounts
  2. Prevent credentials from remaining in memory when connecting remotely (outside IT operations' control)
  3. Prevent access to in-memory credentials (controlled by application developers)
  4. Leverage Protected Users and control privileged users

In short, please refer to Microsoft official announcement for reference.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886


NetApp – How I met your Java debugger (CVE-2018-5486)

How I met your Java debugger is not a new hacking technique; it was published in 2014. An attacker is able to turn any open JDWP service into reliable remote code execution, but the code runs only inside the compartment that hosts the JVM (exploitation from the inside). JDWP is one component of the global Java debugging system, called the Java Platform Debug Architecture. The storage vendor NetApp found a vulnerability in their product: a design weakness in how the Java Platform Debug Architecture is used with their products causes a local code execution vulnerability in OnCommand Unified Manager (Linux 7.2 and above). NetApp provides remediation; for more detail please refer to the URL below.
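An added example of the exposure check a defender would run before a threat actor does (my own code, not from the 2014 write-up or from NetApp): the JDWP handshake is the 14 bytes `JDWP-Handshake`, sent by the client and echoed verbatim by the agent before any command packet, so a listener that echoes it is an open debugger. The two loopback listeners are constructed stand-ins so that the example runs offline; no JDWP command is ever issued, which is what makes this safe to point at production hosts.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// jdwpHandshake is the 14-byte greeting both sides exchange before any JDWP
// command packet; a listener that echoes it back is a live debug agent.
const jdwpHandshake = "JDWP-Handshake"

// ProbeJDWP connects to addr, sends the handshake and reports whether the
// peer answers with the same bytes. No JDWP command is issued, so it is a
// read-only exposure check rather than an exploitation step.
func ProbeJDWP(addr string, timeout time.Duration) (bool, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return false, err // closed or filtered port
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write([]byte(jdwpHandshake)); err != nil {
		return false, err
	}
	reply := make([]byte, len(jdwpHandshake))
	if _, err := io.ReadFull(conn, reply); err != nil {
		// Other services close the socket or stay silent until the deadline.
		return false, nil
	}
	return bytes.Equal(reply, []byte(jdwpHandshake)), nil
}

// serve runs handler for every connection on a fresh loopback port. It exists
// only to build the two constructed stand-in listeners below.
func serve(handler func(net.Conn)) (addr string, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go handler(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// StartFakeJDWP mimics an exposed debug agent: it echoes a correct handshake.
func StartFakeJDWP() (string, func(), error) {
	return serve(func(c net.Conn) {
		defer c.Close()
		buf := make([]byte, len(jdwpHandshake))
		if _, err := io.ReadFull(c, buf); err == nil && string(buf) == jdwpHandshake {
			_, _ = c.Write([]byte(jdwpHandshake))
		}
	})
}

// StartSilentService mimics an unrelated TCP service: it reads the client's
// bytes and hangs up without answering, which must not count as JDWP.
func StartSilentService() (string, func(), error) {
	return serve(func(c net.Conn) {
		defer c.Close()
		_, _ = io.ReadFull(c, make([]byte, len(jdwpHandshake)))
	})
}

func main() {
	for _, start := range []struct {
		label string
		fn    func() (string, func(), error)
	}{{"fake JDWP agent", StartFakeJDWP}, {"silent service", StartSilentService}} {
		addr, stop, err := start.fn()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		exposed, err := ProbeJDWP(addr, 2*time.Second)
		stop()
		fmt.Printf("%-16s %s exposed=%v err=%v\n", start.label, addr, exposed, err)
	}
}
```

To sweep a host, call `ProbeJDWP` against the candidate port (a JVM started with `-agentlib:jdwp=transport=dt_socket,...,address=<port>` answers on that port); a `true` result means the debugger is reachable from wherever the probe ran, which is exactly the precondition the 2014 technique needs.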

https://security.netapp.com/advisory/ntap-20180425-0001/

Hackers are also interested in the SIEM operation (CVE-2018-1418)

SIEM functions play an important role in the IT infrastructure. Therefore the security architect should design the SIEM not only around log collection, correlation, alerting and report templates; a critical item must be added to the design objectives, namely how to hide your SIEM. Hackers most likely target the IT admin or the CSO because they hold confidential data or privileged IDs. Besides that, hackers are also interested in the SIEM operation.

IBM has announced a vulnerability in their QRadar SIEM. QRadar admins must stay alert!

Since IBM does not mention the possible cause of this vulnerability, I reviewed their Windows event log collection method. My speculation is as follows:
QRadar uses XPath queries to communicate with Windows servers.
An XPath query is a log source parameter that filters specific events when the query communicates with a Windows 2008 or newer event log.
XPath injection can lead to extracting the document structure and modifying the document information, in addition to escalating privileges.
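As an added illustration of the XPath injection class speculated about above (my own example, not QRadar's code, and not a statement about how QRadar actually builds its queries): a Windows event-log filter assembled by string concatenation, beside a version that only accepts numeric event IDs. The function names and the injected inputs are constructed. The two injected values show the two outcomes a log-collection filter injection produces: widening the filter so the collector is flooded, or narrowing it so the SIEM is silently blinded.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrBadEventID is returned for anything that is not a plain event ID.
var ErrBadEventID = errors.New("event ID must be an integer between 0 and 65535")

// BuildEventFilterUnsafe splices caller-supplied text straight into the
// Windows event-log XPath. Whatever the caller writes becomes query syntax.
func BuildEventFilterUnsafe(eventIDs string) string {
	return "*[System[(EventID=" + eventIDs + ")]]"
}

// BuildEventFilter validates every ID as a 16-bit integer and assembles the
// XPath itself, so no caller-controlled character reaches the query grammar.
func BuildEventFilter(eventIDs []string) (string, error) {
	if len(eventIDs) == 0 {
		return "", ErrBadEventID
	}
	clauses := make([]string, 0, len(eventIDs))
	for _, raw := range eventIDs {
		id, err := strconv.ParseUint(strings.TrimSpace(raw), 10, 16)
		if err != nil {
			return "", fmt.Errorf("%w: %q", ErrBadEventID, raw)
		}
		clauses = append(clauses, "EventID="+strconv.FormatUint(id, 10))
	}
	return "*[System[(" + strings.Join(clauses, " or ") + ")]]", nil
}

func main() {
	// Constructed inputs: a legitimate logon filter, then two injected values.
	fmt.Println(BuildEventFilterUnsafe("4624"))
	// Widens the filter to every event in the log: floods the collector.
	fmt.Println(BuildEventFilterUnsafe("4624 or EventID>0"))
	// Narrows the filter to nothing: silently blinds the SIEM to logons.
	fmt.Println(BuildEventFilterUnsafe("4624) and (1=0"))

	for _, in := range [][]string{{"4624", "4625"}, {"4624 or EventID>0"}, {"4624) and (1=0"}} {
		q, err := BuildEventFilter(in)
		fmt.Printf("%q -> %q, err=%v\n", in, q, err)
	}
}
```

The safe builder never echoes the caller's text; it re-serialises the parsed integer, so a value that fails `ParseUint` is rejected rather than partially accepted.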

For more details, please see the URL below.

CVE-2018-1418 – IBM Security QRadar SIEM privilege escalation

https://exchange.xforce.ibmcloud.com/vulnerabilities/138824

2nd May 2018 – Windows Host Compute Service Shim Remote Code Execution Vulnerability

The Host Compute Service (HCS) is a low-level container management API in Hyper-V. There are two HCS-compatible shims: one written in Go (hcsshim, used by Docker) and the other written in C#.
On 2nd May, Microsoft's official announcement urged end users who deployed the Host Compute Service (HCS) to apply the security update. Microsoft has patched their own infrastructure hosting offerings, as have Microsoft partners, Google among them.

Technical details:

(CVE-2018-8115) – The original CVE technical details, duplicated here:

A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image. To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host.
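The advisory text above says only that hcsshim failed to validate input while importing a container image. One class of input every layer importer must validate is the entry names and link targets recorded in the image archive: a crafted name such as `..\..\Windows\...` would otherwise be written outside the layer directory on the host. The following is an added example of such a check, my own code rather than hcsshim's (hcsshim's actual change is at the GitHub link further down); the `Entry` type, the function names, the destination path and the sample entries are all assumptions constructed for the illustration, and nothing here claims this is the exact root cause of CVE-2018-8115.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath marks an archive entry that would land outside the layer directory.
var ErrUnsafePath = errors.New("archive entry escapes the layer directory")

// Entry is the minimum a layer importer sees per archive record: the name and,
// for links, the recorded target. Constructed for this example.
type Entry struct {
	Name       string
	LinkTarget string // empty for regular files and directories
}

// normalise accepts both Windows and POSIX separators, because container
// layers may be produced on either platform, and collapses "." and "..".
func normalise(p string) string {
	return path.Clean(strings.ReplaceAll(p, `\`, "/"))
}

// escapes reports whether a cleaned, slash-separated relative path climbs out
// of the directory it is resolved against.
func escapes(clean string) bool {
	return clean == ".." || strings.HasPrefix(clean, "../")
}

// SafeLayerPath maps an archive entry name onto dest and rejects empty names,
// NUL bytes, absolute names, drive letters and anything resolving above dest.
func SafeLayerPath(dest, name string) (string, error) {
	n := strings.ReplaceAll(name, `\`, "/")
	switch {
	case n == "", strings.ContainsRune(n, 0):
		return "", ErrUnsafePath
	case strings.HasPrefix(n, "/"), len(n) >= 2 && n[1] == ':':
		return "", ErrUnsafePath
	}
	clean := path.Clean(n)
	if escapes(clean) {
		return "", ErrUnsafePath
	}
	return path.Join(dest, clean), nil
}

// SafeLinkTarget checks a symlink or hard-link target. Relative targets are
// resolved against the directory holding the link, which is where the OS
// resolves them after extraction.
func SafeLinkTarget(linkName, target string) error {
	t := strings.ReplaceAll(target, `\`, "/")
	if strings.HasPrefix(t, "/") || (len(t) >= 2 && t[1] == ':') {
		return ErrUnsafePath
	}
	resolved := normalise(path.Join(path.Dir(normalise(linkName)), t))
	if escapes(resolved) {
		return ErrUnsafePath
	}
	return nil
}

// ImportEntries validates every record before any extraction would happen and
// returns the destination paths. One bad entry rejects the whole layer, since
// a partially written layer is worse than none.
func ImportEntries(dest string, entries []Entry) ([]string, error) {
	out := make([]string, 0, len(entries))
	for _, e := range entries {
		p, err := SafeLayerPath(dest, e.Name)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", e.Name, err)
		}
		if e.LinkTarget != "" {
			if err := SafeLinkTarget(e.Name, e.LinkTarget); err != nil {
				return nil, fmt.Errorf("%s -> %s: %w", e.Name, e.LinkTarget, err)
			}
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	dest := "/var/lib/layers/abc" // assumed layer directory on the host
	good := []Entry{
		{Name: `Files\Windows\System32\drivers\etc\hosts`},
		{Name: "Files/app/current", LinkTarget: "../app-1.0"},
	}
	bad := []Entry{{Name: `..\..\Windows\System32\evil.dll`}}
	fmt.Println(ImportEntries(dest, good))
	fmt.Println(ImportEntries(dest, bad))
}
```

The check works on the cleaned name, not the raw one, so `Files/../../x` is caught just like a literal `..\..`; link targets are checked relative to the link's own directory, since a symlink inside the layer that points above it is the other common way an archive escapes its destination.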


To remediate the design limitation, the new hcsshim release v0.6.10 enhances its sanitize (input validation) function. That sanitize function does not use a command like the one below, which is a generic HTML-sanitizer policy:
Example:

p := xxxxx.UGCPolicy()
user.Name, user.Address = p.Sanitize(user.Name), p.Sanitize(user.Address)

But do you have any idea what the function below, taken from hcsshim's source, does?

func makeError(err error, title, rest string) error {
	// Pass through DLL errors directly since they do not originate from HCS.
	if _, ok := err.(*syscall.DLLError); ok {
		return err
	}
	return &HcsError{title, rest, err}
}

The new release of hcsshim addresses the security fix. For more details, please refer to the URL below.

Change to address CVE-2018-8115

https://github.com/Microsoft/hcsshim/releases/tag/v0.6.10

Cisco Releases Security Updates – Original release date: May 02, 2018

Cisco WebEx Advanced Recording Format Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-war

Reminder: my comment is that an enterprise CSO may need to update the security policy on how Cisco WebEx is used.

Cisco Prime File Upload Servlet Path Traversal and Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-prime-upload

Cisco Secure Access Control System Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1

Remark: The Cisco Secure ACS product is no longer sold after August 30, 2017.