Category Archives: Potential Risk of CVE

Path traversal attack poses a major risk to web application security. Do not contempt! Jan 2020.

Technical background: A layer 7 load-balancer takes routing decision based on IPs, TCP or UDP ports or any information it can get from the application protocol (mainly HTTP). It is a Linux operating system based of machine. HTTP and HTTPS are the predominant Layer 7 protocol for website traffic on the Internet. A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.

Vulnerability: An issue was discovered in Citrix Application Delivery Controller (formly Netscaler) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. If this vulnerability exploited, could allow an unauthenticated attacker to perform arbitrary code execution. The fact is that it will impact the back end, perhaps it is a web portal or web server cluster. The Cybersecurity and Infrastructure Security Agency (CISA) has released a utility to conduct a test on specific product.

For more details, please refer to url. https://github.com/cisagov/check-cve-2019-19781

CVE-2020-1603 vulnerability filed by Juniper, as a matter of fact, it includes all the routing product who make use of linux base OS – 12th Jan 2020

Preface: kdump is a feature of the Linux kernel that creates crash dumps in the event of a kernel crash. When triggered, kdump exports a memory image (also known as vmcore) that can be analyzed for the purposes of debugging and determining the cause of a crash.

Vulnerability details: Improper handling of specific IPv6 packets sent by clients mbuf and let memory leak occurs. This memory leak eventually leads to a kernel crash (vmcore), or the device hanging and requiring a power cycle to restore service, creating a Denial of Service (DoS) condition.

Official announcement and remedy solution:https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10982&cat=SIRT_1&actp=LIST

Additional possibilities – handling IPv6 packet design weakness

a. The server side sets IPV6_RECVPKTINFO on a listening socket, and the client side just sends a message to the server. Then the kernel panic occurs on the server.

b. net.ipv6.conf.eth0.max_addresses=16 It is not recommended to set this value too large (or to zero) because it would be an easy way to crash the kernel by allowing too many addresses to be created.

is it a scenario replay of cve-2019-15975 & cve-2019-15976?

Preface: REST APIs are stateless. Stateful APIs do not adhere to the REST architectural style.

Background: SOAP is a protocol, and REST is an architectural style. A REST API can actually utilize the SOAP protocol, just like it can use HTTP. The Cisco Fabric Automation REST APIs for third party applications enables you to programmatically control Cisco Fabric Automation. All the REST API operations can also be performed using the DCNM GUI as DCNM uses these REST APIs to render the GUI.

Remark: From Release 10.0(1), by default, the Cisco DCNM supports HTTPS only.

Security Focus: Cisco Data Center Network Manager Authentication Bypass Vulnerabilities

Vulnerability Details:
CVE-2019-15975 – Cisco Data Center Network Manager REST API Authentication Bypass Vulnerability
CVE-2019-15976 – Cisco Data Center Network Manager SOAP API Authentication Bypass Vulnerability

If hacker already conducted infiltration to specific workstation before DCNM install. It will make this attack scenario straight forward. Because the network traffic before reach SSL tunnel not require any man-in-the-middle technique can capture the traffic. So it is easy to capture all the details through your web browser.
The design defect retain a secret key in end point during installation, so hacker can perform arbitrary actions through the REST API with administrative privileges. Since he know the user name and password. Therefore he can create a JSON Web Token and sign it using same secret key. Should you be interested, please read the details of attached diagram.

Cisco official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass

Closer look for OpenBSD Dynamic Loader chpass Privilege Escalation 31st Dec 2019

Preface: Referring to the statistic posted by w3techs. The websites using OpenBSD as operating system less than 0.1 percentage. Perhaps OpenBSD footprints are in industry manufacturing. For instance, heard that oil industry is the heavy duty users of OpenBSD.

Vulnerability details: The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution.

Impact: This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).

Causes: This vulnerability is in the OpenBSD dynamic link library (ld.so). The reason for the vulnerability is that ld.so cannot properly delete the LD_LIBRARY_PATH environment variable that sets the user ID and group ID programs under insufficient memory conditions. Commands such as chpass and passwd for privilege elevation.

Remedy: After downloading the source code, switch to the old version before patching the vulnerability.

$git clone https://github.com/openbsd/src.git 
$git checkout d2ce55dbd7845b33dafe44529e6ceb6b1c8ec6d5

Closer look of CVE-2019-1491 | Microsoft SharePoint Server Information Disclosure Vulnerability

Preface: Tip – Any system that supports Single-Sign On SSO is affected by the pass the hash attack.

Background: Windows keeps hashes in LSASS memory, making it available for Single Sign On.

Vulnerability details: An information disclosure vulnerability exists in Microsoft SharePoint when an attacker uploads a specially crafted file to the SharePoint Server.An authenticated attacker who successfully exploited this vulnerability could potentially leverage SharePoint functionality to obtain SMB hashes.The security update addresses the vulnerability by correcting how SharePoint checks file content., aka ‘Microsoft SharePoint Information Disclosure Vulnerability’.

Remedy: Please refer to the official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491

Logon authentication integrate to AD can make your life easy. But sometimes it doesn’t (1st Dec 2019)

Preface: Modern world favor single sing-on function, SAML & application system authentication integrate with Microsoft active directory. Everybody might know such setup contain risk, but theoretically computer aim to make human life comfortable!

Background: The Alcatel-Lucent OmniVista® 8770 Network Management System (NMS) is an all-in-one graphical management application that offers a unified view of your ALE communication network.

Vulnerability details: No CVE reference number has been assigned to these vulnerabilities yet. But it shown that programming flaws made the loopholes happen.

– 4760 suffers an unauthenticated remote code execution as SYSTEM. No special configuration is required

– 8770 and 4760 both suffer a remote administrative password disclosure. No special configuration required

– 8770 suffer an authenticated remote code execution vulnerability. When chained with the disclosure vulnerability, it becomes an unauth RCE. In this case access to the port 389 and a directory license are required

Should you have any doubt of this matter, please contact vendor to find out the details.

Perhaps WordPress 5.3.1 is a short-cycle maintenance release. But recommend to do a update now (Posted date: 14th Dec 2019).

Preface: WordPress powers 34% of the internet in 2019, a 4% rise from the previous year. If you count only the CMS-built sites, then about 60% of them are WordPress. On Mar 2019, Expert found that a remote code execution vulnerability exists in WordPress. This is our story begin.

Synopsis: The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the WordPress Security and Maintenance Release and upgrade to WordPress 5.3.1. Perhaps from cyber security point of view, it is better to update as soon as fast.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4. This schedule remedy four different vulnerabilities. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.

For more information on CVE-2019-9798, please refer to the attached infographic for reference.

The official announcement can be found at this link: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

CVE-2019-17554 Apache Olingo OData 4.0 XML External Entity Injection – 4th Dec 2019

Preface: When you are sitting on the same boat. The risks at the time of the event are equal.

Background: Open Data Protocol (OData) is an open protocol which allows the creation and consumption of queryable and interoperable RESTful APIs in a standard way. Apache Olingo is a Java library that implements the Open Data Protocol (OData). In SAP HANA DB environment, quite a lot of business application system will work with Apache Olingo.

Vulnerability details: The XML content type entity deserializer is not configured to deny the resolution of external entities. Request with content type “application/xml”, which trigger the deserialization of entities, can be used to trigger XXE attacks.

For security advice provided by Symantec, please refer to the link- https://www.symantec.com/security-center/vulnerabilities/writeup/111101?om_rssid=sr-advisories

Intel CPU is charming! But I hate his design defect – 11thDec 2019

Preface: When Meltdown and Spectre discovered, the tech community questioned chip security.

Security Focus: A new class of unprivileged speculative execution attacks to leak arbitrary data across address spaces and privilege boundaries (e.g., process, kernel, SGX, and even CPU-internal operations). Who is he?

Side-channel attack targeting Intel chips, allowing hackers to effectively exploit design flaws rather than injecting malicious code. For instance, hacker can use WebAssembly in both Firefox and Chrome to generate machine code which he can use to perform this attacks. If you are interested in learning more, please refer to the attached picture.

Intel has released security updates to address vulnerability in multiple products. The official announcement can be found at this link – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00317.html

HP urge the customer that it should be acted upon as soon as possible. The “HP Security Update” can be found at this link – https://support.hp.com/us-en/document/c06502052

Critical moment of defense mechanism

Preface: Sometimes while designing a software, you might have a requirement to hold some data (for reprocessing at later stage) for some duration. Some software do it within the memory in which they are running while others may create a temporary file for this purpose.

Technical background: The original design of Trend Micro able transform the malicious data for short duration write to temp file. The quarantine method was strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. This has the advantage that for the execution of malicious data can be aborted absolutely. The isolation level will be better than memory. Vulnerability details: When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately. But the names of the temp files are sometimes reused. The proof-of-concept shown that the reuse file name can redirect to another file by symbolic link.

Official announcement, please refer to the link: https://success.trendmicro.com/solution/000149495